
CN113472758B - Access control method, device, terminal, connector and storage medium - Google Patents

Access control method, device, terminal, connector and storage medium Download PDF

Info

Publication number
CN113472758B
Authority
CN
China
Prior art keywords
request
terminal
information
application
identifier
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110687117.1A
Other languages
Chinese (zh)
Other versions
CN113472758A (en)
Inventor
张强
张涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jingdong Century Trading Co Ltd
Beijing Wodong Tianjun Information Technology Co Ltd
Original Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Wodong Tianjun Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Jingdong Century Trading Co Ltd, Beijing Wodong Tianjun Information Technology Co Ltd
Priority to CN202110687117.1A
Publication of CN113472758A
Application granted
Publication of CN113472758B
Legal status: Active (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses an access control method, an access control device, a terminal, a connector and a storage medium. The access control method comprises the following steps: generating a first identifier by encrypting first information; when the application corresponding to a first request belongs to a first application set, adding the first identifier to the first request; and sending the first request with the first identifier added to a gateway. The first information characterizes the identity of the terminal and/or the user; the first request is used for requesting access to the corresponding application; and the first application set characterizes a set of applications that are determined, based on the first information, to be allowed access.

Description

Access control method, device, terminal, connector and storage medium
Technical Field
The present disclosure relates to the field of network technologies, and in particular, to an access control method, an access control device, a terminal, a connector, and a storage medium.
Background
In the related art, network security defense is performed at the physical boundary of a firewall, on the assumption that all office equipment and data resources of an enterprise sit in an intranet and that the intranet is completely trusted. With the spread of remote working, once an external terminal accesses the intranet through a virtual private network (VPN), it holds all the access rights of the intranet, so there is a security problem of data leakage.
Disclosure of Invention
In view of this, embodiments of the present application provide an access control method, apparatus, terminal, connector and storage medium, so as to at least solve the security problem of data leakage in the related art.
The technical scheme of the embodiment of the application is realized as follows:
the embodiment of the application provides an access control method, which is applied to a terminal and comprises the following steps:
generating a first identifier by encrypting first information;
when the application corresponding to a first request belongs to a first application set, adding the first identifier to the first request;
sending the first request with the first identifier added to a gateway; wherein
the first information characterizes the identity of the terminal and/or the user; the first request is used for requesting access to the corresponding application; and the first application set characterizes a set of applications that are determined, based on the first information, to be allowed access.
In the above solution, sending the first request with the first identifier added to the gateway includes:
sending the first request with the first identifier added to the gateway through a VPN tunnel.
In the above solution, the method further comprises:
reporting second information to a controller every set period, the second information being used to determine the security state of the terminal.
In the above solution, the method further comprises:
transmitting the first information to a controller;
receiving a first application set sent by the controller, the first application set being determined by the controller based on the first information.
The embodiment of the application also provides an access control method applied to a connector, which comprises the following steps:
receiving a first request of a first terminal forwarded by a gateway, the first request being used for requesting access to the corresponding application;
when the offloading result obtained by offloading the first request contains a first identifier, sending the first request to the application server corresponding to the first request; wherein
the first identifier is generated by the first terminal based on first information, and the first information characterizes the identity of the terminal and/or the user.
In the above solution, the method further comprises:
discarding the first request when the offloading result does not contain the first identifier.
In the above solution, the method further comprises:
transmitting third information to the controller, the third information characterizing the offloading result;
receiving from the controller a verification result about the offloading result, the verification result representing whether the offloading result contains the first identifier.
The embodiment of the application also provides an access control device, which comprises:
an encryption unit configured to generate a first identifier by encrypting first information;
an adding unit configured to add the first identifier to the first request when the application corresponding to the first request belongs to the first application set;
a first sending unit configured to send the first request with the first identifier added to a gateway; wherein
the first information characterizes the identity of the terminal and/or the user; the first request is used for requesting access to the corresponding application; and the first application set characterizes a set of applications that are determined, based on the first information, to be allowed access.
The embodiment of the application also provides an access control device, which comprises:
a first receiving unit configured to receive a first request of a first terminal forwarded by a gateway, the first request being used for requesting access to the corresponding application;
a second sending unit configured to send the first request to the application server corresponding to the first request when the offloading result obtained by offloading the first request contains a first identifier; wherein
the first identifier is generated by the first terminal based on first information, and the first information characterizes the identity of the terminal and/or the user.
The embodiment of the application also provides a terminal, which comprises: a first processor and a first memory for storing a computer program capable of running on the processor,
the first processor is configured to execute any step of the access control method on the terminal side when running the computer program.
The embodiment of the application also provides a connector, which comprises: a second processor and a second memory for storing a computer program capable of running on the processor,
wherein the second processor is configured to execute the steps of any one of the access control methods on the connector side when running the computer program.
The embodiment of the application also provides a storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of any terminal-side access control method or the steps of any connector-side access control method.
According to the access control method, device, terminal, connector and storage medium of the application, a first application set that is allowed to be accessed is determined based on the identity of the terminal and/or the user; when the application that a first request of the terminal asks to access belongs to the first application set, the terminal adds a first identifier to the first request and sends the first request with the first identifier added to a gateway. The connector receives the first request forwarded by the gateway and offloads it to judge whether the offloading result contains the first identifier, so as to determine whether to send the first request to the corresponding application server. Compared with access control that performs network security defense at the physical boundary of a firewall, in the embodiment of the application the set of applications a terminal is allowed to access is determined based on the identity of the terminal and/or the user when the terminal accesses an application, and only requests for allowed applications are forwarded to the corresponding server, so that fine-grained, application-level access control is realized.
Drawings
Fig. 1 is a flow chart of the terminal-side access control method provided in an embodiment of the present application;
Fig. 2 is a schematic flow chart of the connector-side access control method provided in an embodiment of the present application;
Fig. 3 is a flow chart of an access control method provided in an application example of the present application;
Fig. 4 is a schematic diagram of a network system provided in an application example of the present application;
Fig. 5 is a network system architecture diagram provided in an application example of the present application;
Fig. 6 is a schematic diagram of a network flow provided in an application example of the present application;
Fig. 7 is a schematic structural diagram of an access control device according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of another access control device according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a terminal provided in an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a connector according to an embodiment of the present application.
Detailed Description
In the related art, network security defense is performed at the physical boundary of a firewall, on the assumption that all office equipment and data resources of an enterprise sit in an intranet and that the intranet is completely trusted. With the diversification of user network environments (working on the company intranet and working from a home network), remote working has gradually spread; once an external terminal accesses the intranet through a VPN, it holds all the access rights of the intranet, so there is a security problem of data leakage.
Based on this, in various embodiments of the present application, a first application set that is allowed to be accessed is determined based on the identity of the terminal and/or the user; when the application that a first request of the terminal asks to access belongs to the first application set, the terminal adds a first identifier to the first request and sends the first request with the first identifier added to the gateway. The connector receives the first request forwarded by the gateway and offloads it to judge whether the offloading result contains the first identifier, so as to determine whether to send the first request to the corresponding application server. Compared with access control that performs network security defense at the physical boundary of a firewall, in the embodiment of the application the set of applications a terminal is allowed to access is determined based on the identity of the terminal and/or the user when the terminal accesses an application, and only requests for allowed applications are forwarded to the corresponding server, so that fine-grained, application-level access control is realized.
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The embodiment of the application provides an access control method applied to a terminal; the terminal includes, but is not limited to, mobile phones, tablets and other electronic devices. As shown in Fig. 1, the method includes:
Step 101: a first identifier is generated by encrypting first information.
The first information characterizes the identity of the terminal and/or the user.
In this embodiment, the terminal encrypts the first information to generate the first identifier. Here, the terminal may encrypt its authentication information with a security certificate that the controller issues after authentication. The first information characterizes the identity of the terminal and/or the user and may comprise one or more of a user identity such as a user universally unique identifier (UUID), a terminal device UUID, and a hardware identifier. The first identifier is a string identifier.
Step 102: the first identifier is added to the first request when the application corresponding to the first request belongs to the first application set.
The first request is used for requesting access to the corresponding application; the first application set characterizes a set of applications that are determined, based on the first information, to be allowed access.
The terminal intercepts all outgoing data through the client, judges whether the application corresponding to a first request about to be sent belongs to the first application set, and adds the first identifier to the first request when it does. Here, the first request is used for requesting access to the corresponding application server and may be a hypertext transfer protocol (HTTP) or hypertext transfer protocol over secure socket layer (HTTPS) request. The first application set is the set of applications the terminal is allowed to access, determined based on the first information; it includes information about the accessible applications, such as an application authorization code. Adding the first identifier to the first request may be accomplished by adding it to the request header of the first request.
Step 103: the first request with the first identifier added is sent to the gateway.
After the first identifier is added to the first request, the first request with the first identifier added is sent to the gateway. Here, when the corresponding application does not belong to the first application set, the first identifier is not added to the first request, and the terminal does not send a first request without the first identifier to the gateway.
In this way, compared with access control that performs network security defense at the physical boundary of a firewall, in the embodiment of the application the set of applications a terminal is allowed to access is determined based on the identity of the terminal and/or the user when the terminal accesses an application, the first identifier is added to the first request for an allowed application, and, based on the carried first identifier, the first request for an authorized application can be forwarded to the corresponding application server, so that fine-grained, application-level access control is realized.
In an embodiment, the method further comprises:
transmitting the first information to a controller;
receiving a first application set sent by the controller, the first application set being determined by the controller based on the first information.
Before sending the first request with the first identifier added to the gateway, the terminal receives the first application set, determined based on the first information, from the controller. In this way, when the terminal accesses an application, the controller determines an access policy based on the identity of the terminal and/or the user and issues the first application set allowed to be accessed to the corresponding terminal; the terminal decides, based on that authorized application set, whether to add the first identifier to the first request requesting access to the application, so that the first request for an authorized application can be forwarded to the corresponding application server based on the carried first identifier, realizing fine-grained, application-level access control. At the same time, the terminal screens first requests against the first application set and does not send out requests for unauthorized applications, which reduces the load on the gateway.
In an embodiment, sending the first request with the first identifier added to the gateway includes:
sending the first request with the first identifier added to the gateway through a VPN tunnel.
Before the terminal sends a first request with the first identifier added to the gateway, the terminal authenticates its user information with the controller: the controller verifies information such as the user UUID, the terminal device UUID, the certificate and the secret key, and after authentication passes, the controller issues a security certificate for establishing a VPN tunnel and configures a gateway policy, and the terminal establishes the VPN tunnel with the gateway. After the terminal adds the first identifier to the first request, the first request with the first identifier added is sent to the gateway through the VPN tunnel. The gateway is hidden from the outside and opens no fixed port externally, so the service server is visible only to authorized electronic devices: the terminal can access the gateway only after the controller has set a policy for the gateway, and the gateway performs further authority verification only when the policy set for it allows the terminal to access the gateway Internet Protocol (IP) address of the corresponding application; otherwise the first request is discarded directly.
In this way, the terminal establishes a VPN tunnel with the gateway, so that the application server is visible only to authorized terminals, which keeps enterprise services hidden and secures the transmission of request information between the terminal and the application server.
In an embodiment, the method further comprises:
reporting second information to the controller every set period, the second information being used to determine the security state of the terminal.
The terminal reports second information, used to determine its security state, to the controller every set period. Here, the terminal may report the second information to the controller after it has established a VPN tunnel with the gateway. When the controller receives no second information from the terminal for more than two set periods, or detects based on the reported second information that the terminal is abnormal, it notifies the gateway to log off the VPN tunnel. A security risk of the terminal may be a failed baseline check, such as the detection of suspicious processes.
In this way, the real-time security of information transmission between the terminal and the application server can be improved.
The embodiment of the application provides an access control method which is applied to a connector. As shown in fig. 2, the method includes:
step 201: a first request of a first terminal forwarded by a gateway is received.
The first request is used for requesting access to a corresponding application.
The connector receives a first request sent by a first terminal forwarded by the gateway. Here, the first request sent by the first terminal is used for the first terminal to request access to the corresponding application server. The first request is for requesting access to a corresponding application server, and may be an HTTP or HTTPs request.
Step 202: when the offloading result obtained by offloading the first request contains a first identifier, the first request is sent to the application server corresponding to the first request.
The first identifier is generated by the first terminal based on first information; the first information characterizes the identity of the terminal and/or the user.
The connector offloads the received first request to obtain an offloading result corresponding to it, judges whether the offloading result contains the first identifier, and forwards the first request to the corresponding application server when it determines that the offloading result contains the first identifier. Here, the first identifier is generated by the terminal based on the first information characterizing the identity of the terminal and/or the user. To judge whether the offloading result contains the first identifier, the offloading result may be the request header obtained by offloading the first request, and the connector judges whether that request header contains the first identifier.
In this way, the connector performs verification on the offloading result corresponding to the first request: whether the offloading result contains the first identifier determines whether the terminal that sent the first request is authorized to access the application, and when it does, the first request is forwarded to the corresponding application server, so that fine-grained, application-level access control is realized.
In an embodiment, the method further comprises:
discarding the first request when the offloading result does not contain the first identifier.
When the connector determines that the offloading result does not contain the first identifier, it discards the first request and does not forward it to the corresponding application server. Here, the offloading result not containing the first identifier may mean that it contains no identifier generated based on the first information at all, or that verification of the identifier fails, for example because the identifier in the offloading result is not the first identifier corresponding to the first terminal. In this way, by discarding first requests that do not carry the first identifier, requests initiated by terminals not authorized to access the application are not forwarded to the corresponding application server, which reduces the load on the application server and implements fine-grained access control.
In an embodiment, the method further comprises:
transmitting third information to the controller, the third information characterizing the offloading result;
receiving from the controller a verification result about the offloading result, the verification result representing whether the offloading result contains the first identifier.
After obtaining the offloading result, the connector sends third information representing it to the controller. The controller verifies, based on the first information and the security certificate, whether the offloading result contains the first identifier, and sends the verification result to the connector. The connector receives this verification result and determines from it whether the offloading result contains the first identifier. Here, the first information used by the controller may be the first information it obtained when determining the first application set, and the security certificate may be the one issued by the policy server.
In this way, whether the first request may be sent to the corresponding application server is decided by determining whether the offloading result contains the corresponding first identifier, realizing fine-grained, application-level access control.
The present application is described in further detail below in connection with an application example.
With reference to fig. 3, the corresponding access control method comprises the following steps:
step 1: baseline inspection.
After the client on the terminal starts, the client carries out a baseline check, which covers detection and reporting of operating system information, basic hardware information, system patches, antivirus software, the virus library, illegal software, registry check items, account security, access control, security configuration, resource control and security audit. Failed check items must be repaired before other functions can be used. After the baseline check passes, step 2 is entered.
Step 2: information authentication.
The terminal performs control instruction interaction with the controller through the client, and first information representing the identity of the terminal and/or the user is uploaded to the controller.
Step 3: authentication feedback.
Based on the received first information, the controller verifies whether the terminal is a trusted user or a trusted device, sets the client policy of the terminal and issues the client policy information (the first application set) to the terminal, and at the same time issues a security certificate, an IP (Internet Protocol) address, a secret key and the like so that the terminal and the gateway can establish a tunnel.
Step 4: set DNS and policy, and start the virtual network card.
The terminal sets the DNS through the client and configures the client based on the acquired client policy information. The acquired client policy information includes information about the applications accessible to the terminal, such as an application authorization code.
The client policy information may describe the characteristics of first requests allowed to be sent through the tunnel. For example, the client policy information may be set to requests with the domain name www.abcd.com or in the IP segment 172.10.10/24.
Step 5: establish a VPN tunnel.
The terminal establishes a VPN tunnel with the gateway through the client: after the gateway verifies the UUID of the user, the UUID of the terminal device, the certificate and the secret key, the VPN tunnel between the terminal and the gateway is established.
Step 6: establish a Transport Layer Security (TLS) long connection.
After the security tunnel is successfully established, the terminal establishes a TLS long connection with the controller and reports its security state in real time. The controller monitors the state of the terminal over the TLS long connection; when an abnormality is detected, the controller notifies the security gateway and logs off the security tunnel.
Over the TLS long connection the controller monitors the state of the terminal, for example whether suspicious processes exist on the terminal and whether antivirus software is present. When the controller finds that no report has been received for two set periods, or that the TLS long connection is abnormal, it issues a command to the gateway to log out the client's tunnel and clears the client's network policy configuration information on the gateway, thereby providing a layer of real-time security detection.
To detect whether the TLS long connection is working properly, a heartbeat packet may be sent to the terminal at regular intervals; receiving the terminal's reply to the heartbeat packet indicates normal operation.
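The controller-side bookkeeping for Step 6, written as an added example rather than code from the patent: each terminal's last report time is tracked, and a terminal that stays silent for two set periods, reports an abnormal state, or whose TLS connection breaks gets a "log out tunnel and clear policy" instruction for the gateway. The period length, the report keys and the instruction format are assumptions.

```python
import time

REPORT_PERIOD = 30.0     # seconds between security-state reports (constructed value)
MISSED_PERIODS = 2       # the patent's "two set periods" without a report


class TerminalMonitor:
    """Controller-side state for the TLS long connection of each terminal."""

    def __init__(self, period=REPORT_PERIOD, missed=MISSED_PERIODS):
        self.period = period
        self.missed = missed
        self.last_report = {}        # terminal UUID -> time of the last report/heartbeat
        self.link_abnormal = set()   # terminals whose TLS long connection failed

    def on_report(self, terminal_uuid, report, now=None):
        """Handle one security-state report. Returns a gateway instruction when
        the report itself shows an abnormal state, otherwise None."""
        now = time.time() if now is None else now
        self.last_report[terminal_uuid] = now
        self.link_abnormal.discard(terminal_uuid)
        # Abnormal conditions named in the patent: suspicious processes exist, or
        # no antivirus software is present. The report keys are assumptions.
        if report.get("suspicious_processes") or not report.get("antivirus_present", False):
            return self._logout(terminal_uuid, "abnormal security state")
        return None

    def on_heartbeat_reply(self, terminal_uuid, now=None):
        """A reply to a heartbeat packet proves the connection is alive; it
        refreshes the timestamp but carries no security state."""
        if terminal_uuid in self.last_report:
            self.last_report[terminal_uuid] = time.time() if now is None else now

    def on_connection_error(self, terminal_uuid):
        """Record that the TLS long connection to a terminal broke."""
        if terminal_uuid in self.last_report:
            self.link_abnormal.add(terminal_uuid)

    def tick(self, now=None):
        """Periodic check: log out every terminal that has been silent for two
        periods or whose connection is abnormal. Returns the gateway instructions."""
        now = time.time() if now is None else now
        deadline = self.missed * self.period
        instructions = []
        for uuid, last in list(self.last_report.items()):
            if uuid in self.link_abnormal:
                instructions.append(self._logout(uuid, "TLS long connection abnormal"))
            elif now - last >= deadline:
                instructions.append(self._logout(uuid, "no report for two periods"))
        return instructions

    def _logout(self, terminal_uuid, reason):
        """Build the instruction the controller issues to the gateway: cancel the
        client's tunnel and clear its network policy configuration."""
        self.last_report.pop(terminal_uuid, None)
        self.link_abnormal.discard(terminal_uuid)
        return {"action": "logout_tunnel", "clear_policy": True,
                "terminal": terminal_uuid, "reason": reason}
```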
Step 7: set the network authority policy.
After interacting with the client of the terminal, the controller sets an application-level network policy at the gateway.
For a session with potential risk, the controller issues an instruction to the gateway to cancel the client's tunnel and clears the client's network policy configuration information on the gateway. Because the security gateway is hidden from the outside, only terminals that satisfy the policy set by the controller and pass authentication can access it.
Step 8: hijack the first request and add the first identifier.
The terminal hijacks all network traffic on the terminal through the client and filters it:
Network resource traffic that does not need protection, such as resources outside the enterprise intranet and extranet, is not transmitted through the tunnel, which reduces the load on the gateway.
For application resources to be protected, processing differs by protocol type: non-HTTP requests, such as User Datagram Protocol (UDP), Transmission Control Protocol (TCP) or Internet Control Message Protocol (ICMP) traffic, are sent through the tunnel directly without further processing.
For an HTTP or HTTPS request, the client judges whether the application corresponding to the request is in the authorized application set; if so, it adds the first identifier to the request header and sends the request carrying the first identifier through the tunnel.
The first identifier is used for application authentication. It is a character-string identifier obtained by encrypting terminal information, such as the terminal IP, local user information and the hardware identifier, with an encryption certificate obtained from the controller.
Step 9: transmit the data.
The terminal transmits data of protocols such as TCP, UDP and ICMP through the tunnel.
Step 10: judge whether the data is CNAME record data.
Using the DNS, the gateway judges whether the request is CNAME (canonical name) record data:
If the data is CNAME data (HTTP or HTTPS), it is redirected to the HTTP/HTTPS checking and proxy module of the connector. That module offloads HTTP or HTTPS and parses the first request header, thereby performing the user authorization check; specifically, the connector sends the data source IP and the first request header to the controller, and the controller performs the check. Request data that fails the check is discarded directly by the connector.
If the data is not CNAME record data, the connector checks whether the data source IP is legal, whether the corresponding user is legal and whether the application is authorized, and forwards the data to the application server after the check passes.
Step 11: application authorization check.
The data resources are the intranet and extranet application servers that need protection. Here, the application server may further verify the first identifier by sending the data source IP and the first request to the controller, which performs the verification.
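Steps 8, 10 and 11 in working form, as an added example that is not the patent's own code: the terminal-side filter matches a destination against the client policy (domain name or IP segment, as in Step 4), tunnels non-HTTP traffic unchanged, adds the first identifier to HTTP(S) requests for authorized applications, and the connector side offloads the request and discards it when the identifier is missing or fails verification. The patent does not specify the encryption scheme, so an HMAC over the terminal information stands in for "encrypting with the controller's certificate"; the policy values, key, header binding to the source IP and all names are assumptions.

```python
import base64
import hashlib
import hmac
import ipaddress
import json

# Constructed client policy information (Step 4): characteristics of first
# requests allowed through the tunnel (a domain name and an IP segment, as in
# the patent's example) plus the authorized application set with its
# authorization codes. All values here are made up for the example.
CLIENT_POLICY = {
    "protected_domains": {"www.abcd.com"},
    "protected_networks": [ipaddress.ip_network("172.10.10.0/24")],
    "authorized_apps": {"www.abcd.com": "AUTH-CODE-0001"},
}

# Constructed secret standing in for the "encryption certificate" the controller
# issues. The patent does not name the scheme; HMAC-SHA256 over the terminal
# information is used here as an assumption.
CONTROLLER_KEY = b"constructed-controller-issued-secret"
HEADER_NAME = "X-SDP-Token"   # attribute name given in the patent's flow diagram


def is_protected(host):
    """Match a destination against the client policy: domain name or IP segment."""
    if host in CLIENT_POLICY["protected_domains"]:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # not an IP literal, and not a protected domain
        return False
    return any(addr in net for net in CLIENT_POLICY["protected_networks"])


def make_first_identifier(terminal_ip, local_user, hardware_id, key=CONTROLLER_KEY):
    """Terminal side: derive the first identifier from the terminal IP, local user
    and hardware identifier (the terminal information named in Step 8)."""
    info = json.dumps({"ip": terminal_ip, "user": local_user, "hw": hardware_id},
                      sort_keys=True).encode()
    tag = hmac.new(key, info, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(info).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def route_request(proto, host, headers, terminal):
    """Terminal side (Step 8): decide what the client does with one request.
    Returns (action, headers) where action is 'direct', 'tunnel' or 'drop'."""
    if not is_protected(host):
        return "direct", dict(headers)      # unprotected: bypass the gateway
    if proto not in ("http", "https"):
        return "tunnel", dict(headers)      # TCP/UDP/ICMP: tunnel without changes
    if host not in CLIENT_POLICY["authorized_apps"]:
        return "drop", dict(headers)        # not in the first application set
    out = dict(headers)
    out[HEADER_NAME] = make_first_identifier(*terminal)
    return "tunnel", out


def verify_first_identifier(token, key=CONTROLLER_KEY):
    """Controller-side check of a first identifier; returns the terminal
    information it was built from, or None if it is malformed or forged."""
    try:
        info_b64, tag_b64 = token.split(".")
        info = base64.urlsafe_b64decode(info_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, info, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(info)


def connector_check(source_ip, headers):
    """Connector side (Step 10): after HTTPS offload, inspect the request header.
    Binding the identifier to the data source IP is an assumption; the patent
    only says both are sent to the controller for checking."""
    token = headers.get(HEADER_NAME)
    if token is None:
        return "discard"
    info = verify_first_identifier(token)
    if info is None or info["ip"] != source_ip:
        return "discard"
    return "forward"


if __name__ == "__main__":
    terminal = ("10.0.0.5", "alice", "HW-CONSTRUCTED-01")   # constructed terminal info
    action, hdrs = route_request("https", "www.abcd.com", {"Host": "www.abcd.com"}, terminal)
    print(action, connector_check("10.0.0.5", hdrs))         # tunnel forward
```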
When the terminal exits, the TLS long connection between the client of the terminal and the controller is disconnected, the controller sends the gateway an instruction to log out the client's tunnel, and the client's network policy configuration information on the gateway is cleared.
In this embodiment of the application, the method works without changing the existing data resources (applications and service systems). By granting minimum authorization to the user and the terminal, it solves the problem of a user working remotely from a network other than the company intranet, such as a home network, and achieves convenient access to the company intranet system. Moreover, the applications and service systems of the data resources can further verify the request. Security problems such as data leakage and malicious threats from internal personnel can therefore be addressed, finer-grained access control is achieved, and the access operations of the terminal user are simplified.
In order to implement the method of the embodiment of the present application, the embodiment further provides a network system schematic diagram, as shown in fig. 4, including a terminal, service nodes, and data resources (deployed in public cloud and private cloud services).
The terminal, namely a terminal device on which the set client is installed, includes Windows/macOS computers, smartphones, tablets and the like. The set client may be a Software Defined Perimeter (SDP) client.
The service nodes, namely the server-side systems of the solution, include a controller, a gateway, a DNS, a policy server, a management end and a connector.
Data resources, namely the services and data resources of the user deployed in a public cloud or a private cloud/internal network.
The embodiment of the application also provides a network system architecture diagram, as shown in fig. 5, which comprises a client, a communication layer, a service layer, a connector, data resources and full-link tracking.
The client includes a baseline inspection module, a traffic filtering/hijacking module, a multi-factor verification module, an application authorization module and a continuous security detection module, and establishes a security tunnel with the security gateway. According to the configured policy, a first identifier may be added to the HTTP request header.
The baseline inspection of the client includes detection and reporting of operating system information, basic hardware information, system patches, antivirus software, the virus library, illegal software, registry inspection items, account security, access control, security configuration, resource control and security audit. When an inspection item fails, the other functions can only be used after the repair succeeds.
The traffic hijacking of the client includes traffic analysis, traffic filtering and traffic forwarding functions. According to the characteristics described by the client policy information, application resources to be protected are processed differently by protocol type: non-HTTP traffic, such as UDP and TCP, goes directly through the tunnel without processing; for an HTTP or HTTPS request, the client judges whether the application corresponding to the request is in the authorized application set and, if so, adds the first identifier to the request header and sends the request carrying the first identifier through the tunnel.
Network resource traffic that does not need protection, such as resources outside the enterprise intranet and extranet, is not transmitted through the tunnel, which reduces the load on the gateway.
For multi-factor verification, the client verifies information such as the UUID of the user, the UUID of the device, the certificate and the secret key, and establishes the tunnel.
The client obtains the client policy information, including the applications accessible to the terminal and their application authorization codes. Access to applications outside the authorized application set is not allowed. For HTTP/HTTPS applications within the authorized application set, the first identifier is added to the HTTP request header.
The security state of the terminal and the user is detected continuously before and after the tunnel is established, and access to intranet resources is prohibited when a security risk occurs. Remote control of the terminal device is also supported: a super administrator can remotely control a suspicious computer through a remote desktop or remote shell commands.
Remote control of the client can be performed by an administrator at the management end when a security risk occurs on the terminal device.
The communication layer includes load balancing and support for protocols such as the TLS tunnel, Socket, TCP/UDP and HTTP/HTTPS.
The service layer includes the controller, the gateway, the policy server, security management and the Web management end.
The connector provides the HTTPS offload service, HTTP/HTTPS application authorization detection and security detection of non-HTTP TCP/UDP protocols, and has the controller check whether the HTTP request header carries the first identifier.
Data resources, namely the services and data resources of the user deployed in a public cloud or a private cloud/internal network. The user does not need to modify the original service system. Here, the user may further verify in the service system whether the data source, such as an HTTP request, contains the first identifier, thereby further protecting the data resources.
Full-link tracking provides services such as behavior awareness, post-hoc behavior audit, risk assessment and early warning.
The embodiment of the application also provides a network flow diagram, as shown in fig. 6.
After the client starts, it first performs the baseline inspection. After the baseline inspection passes, the client and the controller exchange control instructions, the client obtains the client policy information, the certificate and the secret key, and establishes a secure tunnel with the gateway.
The client hijacks and filters all network traffic on the terminal. Network resource traffic that does not need protection, such as resources outside the enterprise intranet and extranet, is not transmitted through the tunnel, which reduces the load on the gateway. Application resources to be protected are processed differently by protocol type: for HTTP/HTTPS requests, the first identifier is added according to the judgement of the corresponding application; data of non-HTTP protocols is tunneled directly. The client establishes the virtual network based on the network driver. Here, the first identifier may be an X-SDP-Token attribute.
After the client's tunnel is successfully established, a TLS long connection is established with the controller and the security state is reported in real time; if no report is made for two set periods, or the TLS long connection is abnormal, the intranet request can be terminated.
After interacting with the client via the protocol, the controller sets the application-level network policy at the gateway.
The controller verifies whether the user is trusted and whether the device is trusted.
The certificate service of the controller issues a certificate for the terminal where the client resides, which is used to establish the tunnel.
The application authorization service of the controller generates authorization codes for applications; the authorization codes differ for different users.
The authority policy service of the controller delivers network policies to the client and the gateway. For a client that produces a security risk, the controller directly sends the gateway an instruction to cancel the client's encrypted tunnel and clears the client's network policy configuration information on the gateway.
The gateway is invisible to the outside: it is visible only to terminals that have passed authentication and invisible to other terminal devices.
The authority of the gateway is controlled, and a network policy that may be released is set for terminals that pass authentication. Here, user policies can be dynamically added and deleted and take effect immediately; application-level authority verification is also supported.
User management of the policy service manages trusted user information. Device management of the policy service manages trusted device information. Policy management of the policy service configures policy groups; the control granularity within a policy group is the application, including the domain names and IPs to be released. Policy issuing of the policy service delivers the policy to the terminal device and the gateway.
A self-built DNS is configured with the intranet domain names to be protected and redirects HTTP/HTTPS requests to the HTTP/HTTPS module of the connector.
The connector sits between the gateway and the intranet services and proxies all data accessing the intranet, including HTTP/HTTPS data and non-HTTP data such as TCP and UDP protocol data. The connector further performs application authorization verification at this layer: for HTTPS requests it performs HTTPS offload and parses whether the HTTP request header carries a correct first identifier; for non-HTTP requests it checks whether the data source IP is legal, whether the corresponding user is legal and whether the application is authorized.
Full-link tracking records the trail and behavior of business data along its whole flow. Abnormal behavior, server state and risk assessment are analyzed in real time, and operations such as post-event behavior audit, traffic statistics and log queries can be provided.
Public cloud and intranet resources are the data resources and services that the user needs to protect and to access through SDP from the external network; the user does not need to modify the service system. Meanwhile, the controller can be configured to receive the data source IP and the HTTP request for verification, further verifying whether the data source is legal and whether the user and the device are trusted.
In this way, the network hijacking, filtering and modification module deployed on the terminal device decides, according to the client policy, whether a request needs to go through the gateway's tunnel; external network data that does not need protection bypasses the gateway's tunnel, reducing the load on the gateway. Meanwhile, a first identifier is added to the HTTP request header of each HTTP/HTTPS request initiated by the terminal, so that the connector and the user's application can verify whether the request is legal; a request without the first identifier, or whose identifier fails verification, is discarded directly.
Moreover, by setting up an internal DNS, HTTP/HTTPS is redirected to the verification and proxy module of the connector for further offload processing; a request that is not an HTTP request is checked and forwarded directly.
In the embodiments of the present application, the following terms are explained:
(1) SDP client: runs on the terminal device, communicates with the controller to request a connection, and sends data such as device or software information to the controller. The SDP client performs App security, network security and system security detection and multi-factor user identity verification on the terminal device in real time, to ensure the identity of the user and the trustworthiness of the terminal device. The SDP client establishes a tunnel with the gateway and hijacks and filters all network data of the terminal device.
(2) Controller: the controller can authenticate and dynamically authorize all access requests. It makes permission decisions for all access requests no longer based on simple static rules, but on context attributes, trust levels and security policies. The dynamic authority determination of the controller is based on data such as an enterprise identity library, a security policy library and a device reputation library, which are derived from the SDP security management and control platform.
The controller also has a load balancing function and schedules terminal devices to access different gateways according to the load on the servers.
(3) Gateway: that is, a stealth gateway, which can verify and filter access requests and can also monitor, record and report authorized access connections. The stealth gateway does not open any fixed port to the outside, so that the application server is visible only to authorized electronic devices, ensuring the stealth of enterprise services.
(4) Connector: provides an authenticated security interface between the application server and the gateway. It checks whether access data is authorized and supports application authorization checks in the user and device dimensions.
The connector may be deployed in a private cloud environment or a public cloud environment.
(5) SDP security management and control platform: an administrator can manage all SDP clients and application servers through the SDP security management platform, create and define security policies, and set authority levels for different users or user groups.
(6) Policy server: stores, analyzes and issues the policies configured by the administrator, including network authority policies, whitelist policies, application authorization policies, certificate management, key management and the like.
(7) Full-link data analysis platform: continuously receives the log information of access control, continuously profiles identities using big data and artificial intelligence technology in combination with the identity library, the policy library and the data, continuously evaluates access behavior and trust levels, and finally generates and maintains a trust library that provides a decision basis for the controller and the gateway.
The full-link data analysis platform gathers the logs and audit information sent by each stealth gateway and all SDP clients and performs intelligent big-data statistical analysis on the gathered information, to meet the operation, maintenance and security requirements of the enterprise.
The full-link data analysis platform may also receive the analysis results of an external security analysis platform, including: such external risk sources supplement the scene data required for identity analysis well, enabling more accurate risk identification and trust evaluation.
(8) Data resources: the services and data that customers deploy in public clouds and private clouds.
In order to implement the method of the embodiment of the present application, the embodiment of the present application further provides an access control device, as shown in fig. 7, where the device includes:
an encryption unit 701, configured to generate a first identifier by encryption based on the first information;
an adding unit 702, configured to add the first identifier to the first request when the application corresponding to the first request belongs to a first application set;
a first sending unit 703, configured to send the first request, to which the first identifier has been added, to the gateway; wherein,
the first information characterizes the identity of the terminal and/or the user; the first request is used for requesting access to the corresponding application; and the first application set characterizes the set of applications determined, based on the first information, to be allowed access.
In one embodiment, the first sending unit 703 is configured to:
sending the first request, to which the first identifier has been added, to the gateway through a VPN tunnel.
In one embodiment, the apparatus further comprises:
a reporting unit, configured to report second information to the controller every set period; the second information is used for determining the security state of the terminal.
In one embodiment, the apparatus further comprises:
a third sending unit, configured to send the first information to the controller;
a second receiving unit, configured to receive the first application set sent by the controller; the first application set is determined by the controller based on the first information.
In practical application, the encryption unit 701 and the adding unit 702 may be implemented by a processor in the access control device, and the first sending unit 703, the reporting unit, the third sending unit, and the second receiving unit may be implemented by a communication interface in the access control device.
It should be noted that: in the access control device provided in the above embodiment, only the division of each program module is used for illustration, and in practical application, the process allocation may be performed by different program modules according to needs, that is, the internal structure of the device is divided into different program modules, so as to complete all or part of the processes described above. In addition, the access control device and the access control method provided in the foregoing embodiments belong to the same concept, and specific implementation processes of the access control device and the access control method are detailed in the method embodiments and are not repeated herein.
In order to implement the method of the embodiment of the present application, the embodiment of the present application further provides an access control device, as shown in fig. 8, where the device includes:
a first receiving unit 801, configured to receive a first request of a first terminal forwarded by the gateway; the first request is used for requesting access to the corresponding application;
a second sending unit 802, configured to send the first request to the server of the application corresponding to the first request when the offload result obtained by offloading the first request contains a first identifier; wherein,
the first identifier is generated by the first terminal based on first information; the first information characterizes the identity of the terminal and/or the user.
In one embodiment, the apparatus further comprises:
a processing unit, configured to discard the first request when the offload result does not contain the first identifier.
In one embodiment, the apparatus further comprises:
a fourth sending unit, configured to send third information to the controller; the third information characterizes the offload result;
a third receiving unit, configured to receive the verification result about the offload result sent by the controller; the verification result represents whether the offload result contains the first identifier.
In practical applications, the processing unit may be implemented by a processor in the access control device, the first receiving unit 801, the fourth sending unit, and the third receiving unit may be implemented by a communication interface in the access control device, and the second sending unit 802 may be implemented by a processor in the access control device in combination with the communication interface.
It should be noted that: in the access control device provided in the above embodiment, only the division of each program module is used for illustration, and in practical application, the process allocation may be performed by different program modules according to needs, that is, the internal structure of the device is divided into different program modules, so as to complete all or part of the processes described above. In addition, the access control device and the access control method provided in the foregoing embodiments belong to the same concept, and specific implementation processes of the access control device and the access control method are detailed in the method embodiments and are not repeated herein.
Based on the hardware implementation of the program modules, and in order to implement the terminal side access control method in the embodiment of the present application, the embodiment of the present application further provides a terminal, as shown in fig. 9, the terminal 900 includes:
a first communication interface 910, capable of exchanging information with other devices such as network devices;
a first processor 920, connected to the first communication interface 910 so as to exchange information with other devices, and configured, when running a computer program, to execute the method provided by one or more of the technical solutions on the terminal side. The computer program is stored in a first memory 930.
Of course, in practice, the various components in the terminal 900 are coupled together by a first bus system 940. It will be appreciated that the first bus system 940 is used to enable connected communication between these components. In addition to a first data bus, the first bus system 940 includes a first power bus, a first control bus and a first status signal bus. For clarity of illustration, however, the various buses are labeled as the first bus system 940 in fig. 9.
The first memory 930 in the embodiment of the present application is used to store various types of data to support the operation of the terminal 900. Examples of such data include: any computer program for operating on terminal 900.
It is to be appreciated that the first memory 930 can be either volatile memory or nonvolatile memory, and can include both volatile and nonvolatile memory. The nonvolatile memory may be Read-Only Memory (ROM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Ferroelectric Random Access Memory (FRAM), Flash Memory, magnetic surface memory, optical disk, or Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk memory or tape memory. The volatile memory may be Random Access Memory (RAM), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDR SDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM) and Direct Rambus Random Access Memory (DRRAM). The first memory 930 described in the embodiments of the present application is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the embodiments of the present application may be applied to the first processor 920 or implemented by the first processor 920. The first processor 920 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the method described above may be performed by integrated logic circuitry of hardware or instructions in software form in the first processor 920. The first processor 920 described above may be a general purpose processor, DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The first processor 920 may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly embodied in a hardware decoding processor or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium in the first memory 930 and the first processor 920 reads the program in the first memory 930 to perform the steps of the method in combination with the hardware.
Optionally, when the first processor 920 executes the program, a corresponding flow implemented by the terminal in each method of the embodiments of the present application is implemented, which is not described herein for brevity.
Based on the hardware implementation of the program modules, and in order to implement the connector side access control method according to the embodiment of the present application, the embodiment of the present application further provides a connector, as shown in fig. 10, the connector 1000 includes:
a second communication interface 1010, capable of exchanging information with other devices such as network devices;
a second processor 1020, connected to the second communication interface 1010 so as to exchange information with other devices, and configured, when running a computer program, to execute the method provided by one or more of the technical solutions on the connector side. The computer program is stored in a second memory 1030.
Of course, in practice, the various components in the connector 1000 are coupled together by a second bus system 1040. It will be appreciated that the second bus system 1040 is used to enable connected communication between these components. In addition to a second data bus, the second bus system 1040 includes a second power bus, a second control bus and a second status signal bus. For clarity of illustration, however, the various buses are labeled as the second bus system 1040 in fig. 10.
The second memory 1030 in the embodiment of the present application is used to store various types of data to support the operation of the connector 1000. Examples of such data include: any computer program for operating on the connector 1000.
It will be appreciated that the second memory 1030 can be either volatile memory or nonvolatile memory, and can include both volatile and nonvolatile memory. The nonvolatile memory may be ROM, PROM, EPROM, EEPROM, FRAM, Flash Memory, magnetic surface memory, optical disk, or CD-ROM; the magnetic surface memory may be disk memory or tape memory. The volatile memory may be RAM, which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as SRAM, SSRAM, DRAM, SDRAM, DDR SDRAM, ESDRAM, SLDRAM and DRRAM. The second memory 1030 described in the embodiments herein is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the embodiments of the present application may be applied to the second processor 1020 or implemented by the second processor 1020. The second processor 1020 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in software form in the second processor 1020. The second processor 1020 may be a general purpose processor, DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The second processor 1020 may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly embodied in a hardware decoding processor or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium in the second memory 1030, and the second processor 1020 reads the programs in the second memory 1030, in combination with the hardware thereof, to perform the steps of the methods described above.
Optionally, when the second processor 1020 executes the program, a corresponding flow implemented by the connector in each method of the embodiments of the present application is implemented, which is not described herein for brevity.
In an exemplary embodiment, the present application further provides a storage medium, i.e. a computer storage medium, specifically a computer readable storage medium, for example including a first memory 930 and a second memory 1030 for storing a computer program, where the computer program may be executed by the first processor 920 and the second processor 1020 of the electronic device, respectively, to complete the steps of the foregoing access control method. The computer readable storage medium may be FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, an optical disk, or a CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, electronic device, and method may be implemented in other manners. The device embodiments described above are only illustrative; for example, the division into units is only one logical functional division, and other divisions are possible in practice: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the components shown or discussed may be coupled, directly coupled, or communicatively coupled to each other through some interface; the indirect coupling or communicative coupling of devices or units may be electrical, mechanical, or in another form.
The units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware associated with program instructions, where the foregoing program may be stored in a computer readable storage medium, and when executed, the program performs steps including the above method embodiments; and the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.
Alternatively, the integrated units described above may be stored in a computer readable storage medium if they are implemented in the form of software functional modules and sold or used as a stand-alone product. Based on such understanding, the technical solutions of the embodiments of the present application, or the part of them that contributes over the prior art, may be embodied in the form of a computer software product; the software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the methods described in the embodiments of the present application. The aforementioned storage medium includes a removable storage device, ROM, RAM, a magnetic or optical disk, or any other medium capable of storing program code.
The technical solutions described in the embodiments of the present application may be combined arbitrarily as long as they do not conflict. Unless otherwise indicated and defined, the term "connected" shall be construed broadly: it may denote, for example, an electrical connection, internal communication between two elements, a direct connection, or an indirect connection through an intermediary, and those of ordinary skill in the art can understand its specific meaning in context.
In addition, in the examples of this application, "first", "second", etc. are used to distinguish similar objects and do not necessarily describe a particular order or sequence. It is to be understood that objects distinguished as "first/second/third" may be interchanged where appropriate, so that the embodiments of the present application described herein may be implemented in sequences other than those illustrated or described herein.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Various combinations of the features described in the embodiments may be implemented without contradiction, for example, different embodiments may be formed by combining different features, and various possible combinations of the features in the present application are not described further to avoid unnecessary repetition.

Claims (11)

1. An access control method applied to a terminal, the method comprising:
generating a first identifier by encrypting first information;
when the application corresponding to a first request belongs to a first application set, adding the first identifier to the first request;
sending the first request with the first identifier added to a gateway; wherein
the first information characterizes the identity of the terminal and/or the user; the first request is used to request access to the corresponding application; the first application set characterizes the set of applications that are determined, based on the first information, to be allowed access;
sending the first information to a controller, and receiving the first application set sent by the controller, wherein the first application set is determined by the controller based on the first information.
2. The method of claim 1, wherein sending the first request with the first identifier added to the gateway comprises:
sending the first request with the first identifier added to the gateway through a Virtual Private Network (VPN) tunnel.
3. The method according to claim 1, further comprising:
reporting second information to the controller at every set period; the second information is used to determine the security state of the terminal.
4. An access control method applied to a connector, the method comprising:
receiving a first request of a first terminal forwarded by a gateway; the first request is used to request access to the corresponding application;
when an unloading result obtained by unloading the first request contains a first identifier, sending the first request to the application server corresponding to the first request; wherein
the first identifier is generated by the first terminal based on first information; the first information characterizes the identity of the terminal and/or the user; the application corresponding to the first request belongs to a first application set, which is determined by a controller based on the first information.
5. The method according to claim 4, further comprising:
discarding the first request when the unloading result does not contain the first identifier.
6. The method according to claim 4, further comprising:
sending third information to the controller; the third information characterizes the unloading result;
receiving a verification result about the unloading result sent by the controller; the verification result indicates whether the unloading result contains the first identifier.
7. An access control apparatus, comprising:
an encryption unit configured to generate a first identifier by encrypting first information;
an adding unit configured to add the first identifier to a first request when the application corresponding to the first request belongs to a first application set;
a first sending unit configured to send the first request with the first identifier added to a gateway; wherein
the first information characterizes the identity of the terminal and/or the user; the first request is used to request access to the corresponding application; the first application set characterizes the set of applications that are determined, based on the first information, to be allowed access;
a third sending unit configured to send the first information to a controller;
a second receiving unit configured to receive the first application set sent by the controller; the first application set is determined by the controller based on the first information.
8. An access control apparatus, comprising:
a first receiving unit configured to receive a first request of a first terminal forwarded by a gateway; the first request is used to request access to the corresponding application;
a second sending unit configured to send the first request to the application server corresponding to the first request when an unloading result obtained by unloading the first request contains a first identifier; wherein
the first identifier is generated by the first terminal based on first information; the first information characterizes the identity of the terminal and/or the user; the application corresponding to the first request belongs to a first application set, which is determined by a controller based on the first information.
9. A terminal, comprising: a first processor and a first memory for storing a computer program capable of running on the first processor,
wherein the first processor is adapted to perform the steps of the access control method of any of claims 1 to 3 when the computer program is run.
10. A connector, comprising: a second processor and a second memory for storing a computer program capable of running on the second processor,
wherein the second processor is adapted to perform the steps of the access control method of any of claims 4 to 6 when the computer program is run.
11. A storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, performs at least one of:
the steps of the access control method according to any one of claims 1 to 3;
the steps of the access control method according to any one of claims 4 to 6.
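The flow claimed above (the terminal marks requests to applications in the first application set with an identifier derived from its identity, the connector unloads the gateway-forwarded request and forwards or discards it, and the controller verifies the unloading result), as an added Python example that is not the patent's own implementation. The HMAC-SHA256 derivation standing in for the unspecified encryption, the controller-issued shared secret, the dict-shaped requests and the sample policy are assumptions, and the VPN tunnel and gateway hop are elided.

```python
import hashlib
import hmac
import json

def make_first_identifier(first_info, secret):
    """Claim 1: derive the first identifier from the first information. Assumption:
    HMAC-SHA256 under a controller-issued secret stands in for the unspecified encryption."""
    canonical = json.dumps(first_info, sort_keys=True).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()

class Controller:
    def __init__(self, policy):
        self.policy = policy   # {user: {allowed apps}}, constructed sample policy
        self.secrets = {}      # terminal id -> secret; enrollment is an assumed step
        self.posture = {}      # terminal id -> latest second information (claim 3)

    def first_application_set(self, first_info):
        # Identity selects the candidate apps; a non-compliant posture empties the set
        if self.posture.get(first_info["terminal"], {}).get("compliant") is False:
            return set()
        return set(self.policy.get(first_info["user"], ()))

    def verify(self, unload_result):
        # Claim 6: recompute the identifier from the unloaded request; constant-time compare
        info = unload_result.get("first_information") or {}
        ident = unload_result.get("first_identifier")
        secret = self.secrets.get(info.get("terminal"))
        if not (info and ident and secret):
            return False
        return hmac.compare_digest(make_first_identifier(info, secret), ident)

class Terminal:
    def __init__(self, first_info, secret, controller):
        self.first_info, self.secret = first_info, secret
        controller.secrets[first_info["terminal"]] = secret
        self.allowed = controller.first_application_set(first_info)  # last step of claim 1

    def build_request(self, app, path):
        req = {"app": app, "path": path}
        if app in self.allowed:  # only requests to the first application set are marked
            req["first_information"] = self.first_info
            req["first_identifier"] = make_first_identifier(self.first_info, self.secret)
        return req

def connector_handle(controller, request):
    # Claims 4-6: "unload" the gateway-forwarded request, then forward it or discard it
    unload_result = dict(request)
    if "first_identifier" in unload_result and controller.verify(unload_result):
        return "forward"   # on to the application server for unload_result["app"]
    return "discard"
```

A request to an application outside the first application set carries no identifier and is discarded at the connector, as is a request whose identifier or first information was altered in transit.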
CN202110687117.1A 2021-06-21 2021-06-21 Access control method, device, terminal, connector and storage medium Active CN113472758B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110687117.1A CN113472758B (en) 2021-06-21 2021-06-21 Access control method, device, terminal, connector and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110687117.1A CN113472758B (en) 2021-06-21 2021-06-21 Access control method, device, terminal, connector and storage medium

Publications (2)

Publication Number Publication Date
CN113472758A CN113472758A (en) 2021-10-01
CN113472758B true CN113472758B (en) 2023-05-30

Family

ID=77869023

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110687117.1A Active CN113472758B (en) 2021-06-21 2021-06-21 Access control method, device, terminal, connector and storage medium

Country Status (1)

Country Link
CN (1) CN113472758B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114125027B (en) * 2021-11-24 2024-04-05 上海派拉软件股份有限公司 Communication establishment method and device, electronic equipment and storage medium
CN114679323B (en) * 2022-03-30 2023-11-24 中国联合网络通信集团有限公司 Network connection method, device, equipment and storage medium
CN117336101B (en) * 2023-11-29 2024-02-23 南京中孚信息技术有限公司 Fine-grained network access control method, system, equipment and medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110417776A (en) * 2019-07-29 2019-11-05 大唐高鸿信安(浙江)信息科技有限公司 A kind of identity identifying method and device
CN111709023A (en) * 2020-06-16 2020-09-25 全球能源互联网研究院有限公司 Application isolation method and system based on trusted operating system

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007104358A1 (en) * 2006-03-14 2007-09-20 Telefonaktiebolaget Lm Ericsson (Publ) Access control in a communication network
US11190489B2 (en) * 2019-06-04 2021-11-30 OPSWAT, Inc. Methods and systems for establishing a connection between a first device and a second device across a software-defined perimeter
CN111756729B (en) * 2020-06-23 2022-06-17 北京网瑞达科技有限公司 Network resource access method, device, computer equipment and storage medium
CN111935169B (en) * 2020-08-20 2021-10-26 腾讯云计算(北京)有限责任公司 Business data access method, device, equipment and storage medium
CN112311788A (en) * 2020-10-28 2021-02-02 北京锐安科技有限公司 Access control method, device, server and medium
CN112738100B (en) * 2020-12-29 2023-09-01 北京天融信网络安全技术有限公司 Authentication method, device, authentication equipment and authentication system for data access
CN112671798B (en) * 2020-12-31 2022-10-04 北京明朝万达科技股份有限公司 Service request method, device and system in Internet of vehicles

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110417776A (en) * 2019-07-29 2019-11-05 大唐高鸿信安(浙江)信息科技有限公司 A kind of identity identifying method and device
CN111709023A (en) * 2020-06-16 2020-09-25 全球能源互联网研究院有限公司 Application isolation method and system based on trusted operating system

Also Published As

Publication number Publication date
CN113472758A (en) 2021-10-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant