CN114363031A - Network access method and device - Google Patents

Publication number: CN114363031A
Application number: CN202111639623.XA
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 王兵, 郑欢, 董启华
Current assignee: China Telecom Corp Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: China Telecom Corp Ltd
Prior art keywords: access request, address, server, destination address, destination

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)
Abstract

The embodiment of the application provides a network access method and device in the technical field of computers. The scheme is as follows: a virtual network card intercepts an access request sent by an application program; if the destination address of the access request is an intranet address and is in a preset white list, the destination server corresponding to that address is accessed through a VPN server; if the destination address is an extranet address and is in the preset white list, the destination server is accessed through the physical network card of the mobile terminal. With this scheme, without the user being aware of it, the VPN server achieves physical isolation of the intranet and the extranet in a complex network environment, the security protection capability of the intranet server is strengthened, and information security during the interaction of the front end and back end of the mobile APP is improved.

Description

Network access method and device
Technical Field
The present application relates to the field of computer technologies, and in particular, to a network access method and apparatus.
Background
A mobile APP (application) is application software installed on a mobile terminal. Its target user group is highly mobile and operates in diverse network environments, so the communication between the front end and the back end of a mobile APP is exposed to information security risks such as network hijacking, packet capture and sensitive information leakage.
Disclosure of Invention
An object of the embodiments of the present application is to provide a network access method and apparatus, so as to improve information security when a mobile APP front-end and a mobile APP back-end interact. The specific technical scheme is as follows:
In a first aspect, an embodiment of the present application provides a network access method, which is applied to a mobile terminal, where an application program on the mobile terminal is connected to a virtual network card, and the method includes:
intercepting an access request sent by the application program by using the virtual network card;
if the destination address of the access request is an intranet address and the destination address of the access request is an address in a preset white list, accessing a destination server corresponding to the destination address of the access request through a Virtual Private Network (VPN) server;
and if the destination address of the access request is an external network address and the destination address of the access request is an address in a preset white list, accessing a destination server corresponding to the destination address of the access request through a physical network card of the mobile terminal.
Optionally, the method further includes:
and if the destination address of the access request is an external network address and is not an address in a preset white list, discarding the access request.
Optionally, a software development kit (SDK) is configured on the mobile terminal, and the method further includes:
establishing a connection between the application program and the SDK, wherein a preset white list is configured in the SDK;
and after the connection between the application program and the SDK is established, the SDK is utilized to construct the virtual network card.
Optionally, the step of accessing, by the VPN server, a destination server corresponding to a destination address of the access request includes:
encrypting the access request to obtain an encryption request;
sending the encryption request to a VPN server so that the VPN server decrypts the encryption request to obtain the access request, and accessing a destination server corresponding to a destination address of the access request through a reverse proxy to obtain an access response message;
and receiving the access response message sent by the VPN server.
Optionally, before intercepting, by using the virtual network card, an access request sent by the application program, the method further includes:
intercepting a login request sent by the application program by using the virtual network card;
sending the login request to an authentication server so that the authentication server authenticates the application program according to the login request and returns an authentication response message to the mobile terminal;
and when the authentication response message indicates that the application program is successfully authenticated, opening a communication port, and sending an access request by the application program through the communication port.
Optionally, an authorization white list is set in a destination server in an intranet to which the mobile terminal belongs, where the authorization white list includes an address of the VPN server and does not include the address of the mobile terminal.
In a second aspect, an embodiment of the present application provides a network access apparatus, which is applied to a mobile terminal, where an application program on the mobile terminal is connected to a virtual network card, and the apparatus includes:
the first interception unit is used for intercepting an access request sent by the application program by using the virtual network card;
the first processing unit is used for accessing a destination server corresponding to the destination address of the access request through a Virtual Private Network (VPN) server if the destination address of the access request is an intranet address and the destination address of the access request is an address in a preset white list;
and the second processing unit is used for accessing a destination server corresponding to the destination address of the access request through a physical network card of the mobile terminal if the destination address of the access request is an external network address and the destination address of the access request is an address in a preset white list.
Optionally, the apparatus further comprises:
and the third processing unit is used for discarding the access request if the destination address of the access request is an external network address and is not an address in a preset white list.
Optionally, the apparatus further comprises:
a connection unit, configured to establish a connection between the application and the SDK, where a preset white list is configured in the SDK;
and the construction unit is used for constructing the virtual network card by utilizing the SDK after the connection between the application program and the SDK is established.
Optionally, the first processing unit is specifically configured to:
encrypting the access request to obtain an encryption request;
sending the encryption request to a Virtual Private Network (VPN) server so that the VPN server decrypts the encryption request to obtain the access request, and accessing a destination server corresponding to a destination address of the access request through a reverse proxy to obtain an access response message;
and receiving the access response message sent by the VPN server.
Optionally, the apparatus further comprises:
the second intercepting unit is used for intercepting a login request sent by the application program by using the virtual network card before intercepting an access request sent by the application program by using the virtual network card;
a fourth processing unit, configured to send the login request to an authentication server, so that the authentication server authenticates the application program according to the login request, and returns an authentication response packet to the mobile terminal;
and the fifth processing unit is used for opening a communication port when the authentication response message indicates that the authentication of the application program is successful, and the application program sends an access request through the communication port.
Optionally, an authorization white list is set in a destination server in an intranet to which the mobile terminal belongs, where the authorization white list includes an address of the VPN server and does not include the address of the mobile terminal.
In a third aspect, an embodiment of the present application provides a mobile terminal, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is used for storing a computer program;
the processor is configured to implement any of the above method steps when executing the program stored in the memory.
In a fourth aspect, the present application provides a computer-readable storage medium, in which a computer program is stored, and the computer program, when executed by a processor, implements any of the method steps described above.
In a fifth aspect, embodiments of the present application further provide a computer program product containing instructions, which when run on a computer, cause the computer to perform any of the above described network access methods.
The embodiment of the application has the following beneficial effects:
In the technical scheme provided by the embodiment of the application, a virtual network card is used to intercept an access request sent by an application program. If the destination address of the access request is an intranet address in the preset white list, the destination server corresponding to that address is accessed through a VPN server; if the destination address is an extranet address in the preset white list, the destination server is accessed through the physical network card. In this way, without the user being aware of it, the VPN server achieves physical isolation of the intranet and the extranet in a complex network environment, the security protection capability of the intranet server is strengthened, and information security during the interaction of the front end and back end of the mobile APP is improved.
Of course, not all advantages described above need to be achieved at the same time in the practice of any one product or method of the present application.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. The drawings described below show only some embodiments of the present application; a person skilled in the art can derive other embodiments from them.
Fig. 1 is a first flowchart of a network access method according to an embodiment of the present application;
Fig. 2 is a second flowchart of a network access method according to an embodiment of the present application;
Fig. 3 is a third flowchart of a network access method according to an embodiment of the present application;
Fig. 4 is a fourth flowchart of a network access method according to an embodiment of the present application;
Fig. 5 is a fifth flowchart of a network access method according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a network access device according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a mobile terminal according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments that can be derived by one of ordinary skill in the art from the description herein are intended to be within the scope of the present disclosure.
A mobile APP is application software installed on a mobile terminal. Its target user group is highly mobile and operates in diverse network environments, so the communication between the front end and the back end of a mobile APP is exposed to information security risks such as network hijacking, packet capture and sensitive information leakage.
To solve the above problem, an embodiment of the present application provides a network access method. The method can be applied to a mobile terminal, such as a smart phone, a tablet computer or a similar device.
In the network access method, the mobile terminal uses a virtual network card to intercept an access request sent by an application program. If the destination address of the access request is an intranet address in the preset white list, the mobile terminal accesses the destination server corresponding to that address through a VPN (virtual private network) server; if the destination address is an extranet address in the preset white list, the destination server is accessed through the physical network card. In this way, without the user being aware of it, the VPN server achieves physical isolation of the intranet and the extranet in a complex network environment, the security protection capability of the intranet server is strengthened, and information security during the interaction of the front end and back end of the mobile APP is improved.
The network access method provided by the embodiment of the present application is described in detail below with specific embodiments. Fig. 1 is a first flowchart of a network access method provided in an embodiment of the present application. The method is applied to a mobile terminal on which an application program is installed, a virtual network card has been constructed, and a connection has been established between the application program and the virtual network card. The method includes the following steps:
Step S11, intercepting an access request sent by the application program by using the virtual network card.
In the embodiment of the application, the application program on the mobile terminal may be an APP used inside an enterprise. When the APP on the mobile terminal sends an access request, the virtual network card on the mobile terminal intercepts it.
In the embodiment of the application, the mobile terminal is configured with a white list, namely the preset white list, which may include intranet addresses and extranet addresses. Which network counts as the intranet and which as the extranet is determined relative to the network to which the mobile terminal belongs: if the mobile terminal belongs to a given intranet, that network is the intranet and the networks outside it are the extranet. The addresses above may include, but are not limited to, IP (Internet Protocol) addresses and MAC (Media Access Control) addresses.
After intercepting an access request sent by an APP (application), the virtual network card judges whether the destination address of the access request is an intranet address or not and judges whether the destination address of the access request is an address in a preset white list or not.
If the destination address of the access request is an intranet address and the destination address of the access request is an address in a preset white list, executing step S12; if the destination address of the access request is the external network address and the destination address of the access request is an address in the preset white list, step S13 is executed.
Step S12, if the destination address of the access request is an intranet address and the destination address of the access request is an address in the preset white list, accessing, by the VPN server, the destination server corresponding to the destination address of the access request.
When the destination address of the access request is an intranet address and is an address in the preset white list, the virtual network card on the mobile terminal can send the access request to the VPN server. After receiving the access request, the VPN server accesses the destination server corresponding to the destination address of the access request through a reverse proxy, obtains the access response message returned by the destination server, and returns that message to the mobile terminal, so that the application program on the mobile terminal has accessed the destination server.
To improve the security of data transmission, the virtual network card of the mobile terminal can encrypt the access request to obtain an encrypted request and send the encrypted request to the VPN server. In this case, the VPN server decrypts the encrypted request to recover the access request, and accesses the destination server corresponding to the destination address of the access request through the reverse proxy to obtain an access response message.
In an optional embodiment, an authorization white list is set in a destination server in an intranet to which the mobile terminal belongs, and the authorization white list includes an address of the VPN server and does not include an address of the mobile terminal. In this case, the destination server of the intranet only authorizes the access right of the VPN server to the destination server, that is, the destination server of the intranet does not respond to the access request that is not sent by the VPN server, so that the security of the destination server of the intranet is effectively improved, and the leakage of sensitive information can be effectively avoided.
Step S13, if the destination address of the access request is an external network address and the destination address of the access request is an address in the preset white list, accessing a destination server corresponding to the destination address of the access request through the physical network card of the mobile terminal.
When the destination address of the access request is an extranet address and is an address in the preset white list, the virtual network card on the mobile terminal can forward the access request directly to the physical network card of the mobile terminal, and the physical network card sends the access request to the destination server corresponding to the destination address. The destination server returns the access response message corresponding to the access request to the mobile terminal through the physical network card, so that the application program on the mobile terminal has accessed the destination server.
In the technical scheme provided by the embodiment of the application, the virtual network card is used to intercept an access request sent by an application program. If the destination address of the access request is an intranet address in the preset white list, the destination server corresponding to that address is accessed through the VPN server; if the destination address is an extranet address in the preset white list, the destination server is accessed through the physical network card. In this way, without the user being aware of it, the VPN server achieves physical isolation of the intranet and the extranet in a complex network environment, the security protection capability of the intranet server is strengthened, and information security during the interaction of the front end and back end of the mobile APP is improved.
An embodiment of the present application further provides a network access method, as shown in fig. 2. The method includes steps S21-S24, wherein steps S21-S23 are the same as steps S11-S13, and are not repeated here:
Step S24, if the destination address of the access request is an external network address and the destination address of the access request is not an address in the preset white list, discarding the access request.
In the embodiment of the application, after intercepting an access request sent by an APP used inside an enterprise, the mobile terminal judges whether the destination address of the access request is an intranet address and whether it is an address in the preset white list. When the destination address is determined to be an extranet address that is not in the preset white list, the virtual network card can treat the access request as an unsafe request and discard it according to its policy configuration.
In the technical scheme provided by the embodiment of the application, the virtual network card discards an intercepted access request whose destination address is an extranet address that is not in the preset white list. This effectively reduces the threat that network hijacking, packet capture and similar means pose to intranet data, improves intranet security, and strengthens the security protection capability of enterprise-level applications.
The embodiment of the application also provides a network access method, as shown in fig. 3. The method includes steps S31-S35, wherein steps S33-S35 are the same as steps S11-S13, and are not repeated herein.
Step S31, establishing a connection between the application program and the SDK, where the SDK is configured with a preset white list.
In the embodiment of the application, an open-source VPN can be packaged uniformly into an SDK (Software Development Kit) on the mobile terminal, and a connection is established between the APP and the SDK.
Step S32, after the connection between the application program and the SDK is established, constructing the virtual network card by using the SDK.
In the embodiment of the application, once the APP is connected to the SDK, the SDK can construct the virtual network card when the APP is started. Subsequently, the virtual network card uniformly intercepts all requests of the APP, which may include access requests, login requests and the like.
In the technical scheme provided by the embodiment of the application, the open-source VPN is packaged uniformly into an SDK on the mobile terminal, so the APP can be connected to the SDK quickly, the SDK is used to construct the virtual network card, and all requests of the APP are intercepted uniformly. This lays the groundwork for the subsequent physical isolation of the intranet and the extranet in a complex network environment without the user being aware of it, strengthens the security protection capability of the intranet server, and improves information security during the interaction of the front end and back end of the mobile APP.
The embodiment of the application also provides a network access method, as shown in fig. 4. The method includes steps S41-S46, wherein steps S44-S46 are the same as steps S11-S13, and are not repeated herein.
Step S41, intercepting a login request sent by the application program by using the virtual network card.
In this embodiment of the application, before the virtual network card intercepts the access request sent by the application, the mobile terminal may authenticate the application, which may specifically be: the APP sends a login request; the virtual network card intercepts a login request sent by the APP.
Step S42, sending the login request to the authentication server, so that the authentication server authenticates the application program according to the login request, and returns an authentication response message to the mobile terminal.
Step S43, when the authentication response message indicates that the application program is successfully authenticated, the communication port is opened, and the application program sends an access request through the communication port.
In the embodiment of the application, after intercepting the login request sent by the APP, the virtual network card can either pass the login request transparently to the authentication server or encrypt it first and send the encrypted login request to the authentication server; the application does not limit which is used. The login request may include information such as a user name, a password and an identifier of the mobile terminal. After receiving the login request, the authentication server authenticates the APP according to the information carried in it and returns an authentication response message to the mobile terminal.
The virtual network card parses the authentication response message and returns it to the APP on the mobile terminal. When the parsing result shows that the authentication response message indicates that the application program was authenticated successfully, step S43 is executed to open the communication port. The APP can then send access requests through the communication port, and the virtual network card intercepts the access requests that the APP sends through that port.
When the parsing result shows that the authentication response message indicates that authentication of the application program failed, no processing is needed: the communication port stays closed, and the APP is prevented from sending access requests through the communication port to access the network.
According to this technical scheme, the APP on the mobile terminal is authenticated before it sends an access request, and the communication port is opened only when authentication succeeds; only then can the APP send access requests through the communication port to complete network access. This further reduces information security risks such as sensitive information leakage and strengthens the security protection capability of enterprise-level APPs.
The network access method provided in the embodiment of the present application is described in detail below with reference to the network access flow shown in fig. 5.
The mobile terminal starts an APP inside an enterprise under the Internet environment and enters a dialing authentication stage.
In the dial-up authentication phase, an APP inside an enterprise initiates a login request. And the virtual network card (namely the firewall) on the mobile terminal uniformly intercepts and manages the login request sent by the APP in the enterprise.
After intercepting a login request sent by the APP inside the enterprise, the virtual network card passes the login request fully transparently to the authentication server of that APP; the authentication server authenticates the APP according to the login request and returns a login result (namely the authentication response message). The virtual network card returns the login result to the APP inside the enterprise, parses and checks the login result, and judges whether the APP was authenticated successfully. If authentication succeeded, the virtual network card opens a communication port, and the APP inside the enterprise can send service messages (namely access requests) to its back-end server through that port; if authentication failed, the virtual network card performs no further processing.
After the communication port is opened, the APP inside the enterprise enters a service communication stage.
In the service communication stage, the APP inside the enterprise sends a service message to its back-end server through the communication port. The virtual network card intercepts the access request sent by the APP and makes a proxy decision: it judges whether the destination address of the access request is an intranet address and whether that address is in the preset white list.
If the destination address of the access request is an intranet address and is in the preset white list, the virtual network card sends the service message to an internal service gateway (such as a VPN server), and the internal service gateway checks the user's permissions for the service message according to a division of authority and domain. If the check succeeds, the internal service gateway sends the service message to the back-end server, and the back-end server returns a response message for the service message to the APP inside the enterprise through the internal service gateway and the virtual network card.
And if the destination address of the access request is an external network address and the destination address of the access request is an address in a preset white list, the virtual network card accesses a destination server corresponding to the destination address of the access request through a physical network card of the mobile terminal.
And if the destination address of the access request is an external network address and is not an address in the preset white list, the virtual network card discards the access request.
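The agent decision described above (login gating the communication port, then intranet/extranet classification against the preset white list), together with the server-side authorization white list described later in this section, as an added example that is not the patent's or China Telecom's code. The RFC 1918 test for "intranet", the constructed addresses, and dropping a non-white-listed intranet destination (a case the text leaves unspecified) are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

# Private address ranges used to classify a destination as "intranet"
# (an assumption of this example; the patent does not define the test).
INTRANET_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Route(Enum):
    VPN = "vpn"            # intranet destination in the white list
    PHYSICAL = "physical"  # extranet destination in the white list
    DROP = "drop"          # not permitted


@dataclass
class VirtualNic:
    """Client-side agent decision of the virtual network card."""
    whitelist: List[str]            # preset white list from the SDK (hosts or CIDRs)
    port_open: bool = False         # communication port, closed until login succeeds
    _allowed: list = field(init=False, repr=False)

    def __post_init__(self):
        self._allowed = [ipaddress.ip_network(w, strict=False) for w in self.whitelist]

    def handle_login_response(self, auth_ok: bool) -> bool:
        # The login result is passed through to the APP; the port opens only on success.
        self.port_open = bool(auth_ok)
        return self.port_open

    def decide(self, dest: str) -> Route:
        if not self.port_open:
            return Route.DROP  # no service traffic before authentication (assumption)
        addr = ipaddress.ip_address(dest)
        whitelisted = any(addr in net for net in self._allowed)
        intranet = any(addr in net for net in INTRANET_RANGES)
        if whitelisted and intranet:
            return Route.VPN
        if whitelisted and not intranet:
            return Route.PHYSICAL
        # Extranet and not white-listed: discarded, as the text states.
        # Intranet and not white-listed is unspecified; this example fails closed.
        return Route.DROP


# Constructed sample addresses (RFC 5737 documentation ranges).
VPN_SERVER = "203.0.113.10"
TERMINAL = "198.51.100.25"


def source_seen_by_backend(nic: VirtualNic, dest: str) -> Optional[str]:
    """Address the destination server sees as the request source, or None if dropped."""
    route = nic.decide(dest)
    if route is Route.VPN:
        return VPN_SERVER   # reverse proxy: the VPN server originates the connection
    if route is Route.PHYSICAL:
        return TERMINAL     # physical NIC: the terminal connects directly
    return None


def backend_authorizes(source: str, authorization_whitelist: List[str]) -> bool:
    """Authorization white list on the intranet server: lists the VPN server only."""
    allowed = {ipaddress.ip_address(a) for a in authorization_whitelist}
    return ipaddress.ip_address(source) in allowed


if __name__ == "__main__":
    nic = VirtualNic(whitelist=["10.20.0.0/16", "203.0.113.80"])
    print("before login:", nic.decide("10.20.1.5"))
    nic.handle_login_response(True)
    for d in ("10.20.1.5", "203.0.113.80", "203.0.113.81", "10.99.0.1"):
        print(d, nic.decide(d), "->", source_seen_by_backend(nic, d))
    print("backend accepts terminal directly:", backend_authorizes(TERMINAL, [VPN_SERVER]))
```

An intranet server that lists only the VPN server in its authorization white list therefore rejects a terminal that bypasses the virtual network card, even if the terminal can reach the intranet address.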
Corresponding to the foregoing network access method, an embodiment of the present application further provides a network access apparatus, as shown in fig. 6, including:
the first intercepting unit 61 is used for intercepting an access request sent by an application program by using a virtual network card;
the first processing unit 62 is configured to, if the destination address of the access request is an intranet address and the destination address of the access request is an address in a preset white list, access, through the VPN server, a destination server corresponding to the destination address of the access request;
and a second processing unit 63, configured to access, if the destination address of the access request is an external network address and the destination address of the access request is an address in the preset white list, a destination server corresponding to the destination address of the access request through a physical network card of the mobile terminal.
Optionally, the first processing unit 62 may be specifically configured to:
encrypting the access request to obtain an encryption request;
sending an encryption request to a VPN server so that the VPN server decrypts the encryption request to obtain an access request, and accessing a destination server corresponding to a destination address of the access request through a reverse proxy to obtain an access response message;
and receiving an access response message sent by the VPN server.
Optionally, the network access device may further include:
and the third processing unit is used for discarding the access request if the destination address of the access request is an external network address and is not an address in a preset white list.
Optionally, the network access device may further include:
the connection unit is used for establishing the connection between the application program and the SDK, and a preset white list is configured in the SDK;
and the construction unit is used for constructing the virtual network card by using the SDK after the connection between the application program and the SDK is established.
Optionally, the network access device may further include:
the second interception unit is used for intercepting a login request sent by an application program by using the virtual network card;
the fourth processing unit is used for sending the login request to the authentication server so that the authentication server authenticates the application program according to the login request and returns an authentication response message to the mobile terminal;
and the fifth processing unit is used for opening the communication port when the authentication response message indicates that the authentication of the application program is successful, and the application program sends the access request through the communication port.
Optionally, an authorization white list is set in a destination server in an intranet to which the mobile terminal belongs, where the authorization white list includes an address of the VPN server and does not include the address of the mobile terminal.
In the technical scheme provided by the embodiment of the application, the virtual network card is utilized to intercept an access request sent by an application program, and if the destination address of the access request is an intranet address in a preset white list, the destination server corresponding to the destination address of the access request is accessed through the VPN server; and if the destination address of the access request is the external network address in the preset white list, accessing a destination server corresponding to the destination address of the access request through the physical network card. In the embodiment of the application, under the condition that a user does not sense, the physical isolation of an internal network and an external network in a complex network environment is realized through the VPN server, the safety protection capability of the internal network server is strengthened, and the information safety during interaction of the front end and the back end of the mobile APP is improved.
The embodiment of the present application further provides a mobile terminal, as shown in fig. 7, including a processor 701, a communication interface 702, a memory 703 and a communication bus 704, where the processor 701, the communication interface 702 and the memory 703 complete mutual communication through the communication bus 704;
a memory 703 for storing a computer program;
the processor 701 is configured to implement any of the above-described network access methods when executing the program stored in the memory 703.
The communication bus mentioned in the above mobile terminal may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the mobile terminal and other equipment.
The memory may include a random access memory (RAM) or a non-volatile memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment provided by the present application, there is also provided a computer-readable storage medium having a computer program stored therein, the computer program, when executed by a processor, implementing any of the above-described network access methods.
In yet another embodiment provided by the present application, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the network access methods of the above embodiments.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, they cause the processes or functions described in accordance with the embodiments of the application to occur, in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) connection. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus, mobile terminal, storage medium and computer program product embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference may be made to some descriptions of the method embodiments for relevant points.
The above description is only for the preferred embodiment of the present application and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (14)

1. A network access method, applied to a mobile terminal on which an application program is connected to a virtual network card, the method comprising the following steps:
intercepting an access request sent by the application program by using the virtual network card;
if the destination address of the access request is an intranet address and the destination address of the access request is an address in a preset white list, accessing a destination server corresponding to the destination address of the access request through a Virtual Private Network (VPN) server;
and if the destination address of the access request is an external network address and the destination address of the access request is an address in a preset white list, accessing a destination server corresponding to the destination address of the access request through a physical network card of the mobile terminal.
2. The method of claim 1, further comprising:
and if the destination address of the access request is an external network address and is not an address in a preset white list, discarding the access request.
3. The method of claim 1, wherein a Software Development Kit (SDK) is configured on the mobile terminal, and the method further comprises:
establishing a connection between the application program and the SDK, wherein a preset white list is configured in the SDK;
and after the connection between the application program and the SDK is established, the SDK is utilized to construct the virtual network card.
4. The method according to claim 1, wherein the step of accessing the destination server corresponding to the destination address of the access request through the Virtual Private Network (VPN) server comprises:
encrypting the access request to obtain an encryption request;
sending the encryption request to a VPN server so that the VPN server decrypts the encryption request to obtain the access request, and accessing a destination server corresponding to a destination address of the access request through a reverse proxy to obtain an access response message;
and receiving the access response message sent by the VPN server.
5. The method of claim 1, wherein prior to intercepting, with the virtual network card, an access request sent by the application, the method further comprises:
intercepting a login request sent by the application program by using the virtual network card;
sending the login request to an authentication server so that the authentication server authenticates the application program according to the login request and returns an authentication response message to the mobile terminal;
and when the authentication response message indicates that the application program is successfully authenticated, opening a communication port, and sending an access request by the application program through the communication port.
6. The method according to any of claims 1-5, wherein an authorized white list is set in a destination server in an intranet to which the mobile terminal belongs, and the authorized white list includes an address of the VPN server and does not include the address of the mobile terminal.
7. A network access device, applied to a mobile terminal, wherein an application program on the mobile terminal is connected to a virtual network card, the device comprising:
the first interception unit is used for intercepting an access request sent by the application program by using the virtual network card;
the first processing unit is used for accessing a destination server corresponding to the destination address of the access request through a Virtual Private Network (VPN) server if the destination address of the access request is an intranet address and the destination address of the access request is an address in a preset white list;
and the second processing unit is used for accessing a destination server corresponding to the destination address of the access request through a physical network card of the mobile terminal if the destination address of the access request is an external network address and the destination address of the access request is an address in a preset white list.
8. The apparatus of claim 7, further comprising:
and the third processing unit is used for discarding the access request if the destination address of the access request is an external network address and is not an address in a preset white list.
9. The apparatus of claim 7, further comprising:
a connection unit, configured to establish a connection between the application and the SDK, where a preset white list is configured in the SDK;
and the construction unit is used for constructing the virtual network card by utilizing the SDK after the connection between the application program and the SDK is established.
10. The apparatus according to claim 7, wherein the first processing unit is specifically configured to:
encrypting the access request to obtain an encryption request;
sending the encryption request to a Virtual Private Network (VPN) server so that the VPN server decrypts the encryption request to obtain the access request, and accessing a destination server corresponding to a destination address of the access request through a reverse proxy to obtain an access response message;
and receiving the access response message sent by the VPN server.
11. The apparatus of claim 7, further comprising:
the second intercepting unit is used for intercepting a login request sent by the application program by using the virtual network card before intercepting an access request sent by the application program by using the virtual network card;
a fourth processing unit, configured to send the login request to an authentication server, so that the authentication server authenticates the application program according to the login request, and returns an authentication response packet to the mobile terminal;
and the fifth processing unit is used for opening a communication port when the authentication response message indicates that the authentication of the application program is successful, and the application program sends an access request through the communication port.
12. The apparatus according to any of claims 7-11, wherein an authorization white list is installed in a destination server in an intranet to which the mobile terminal belongs, and the authorization white list includes an address of the VPN server and does not include an address of the mobile terminal.
13. A mobile terminal, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory is used for storing a computer program;
the processor, when executing the program stored in the memory, is adapted to perform the method steps of any of claims 1-6.
14. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of claims 1 to 6.
CN202111639623.XA 2021-12-29 2021-12-29 Network access method and device Pending CN114363031A (en)

Publications (1)

Publication Number Publication Date
CN114363031A true CN114363031A (en) 2022-04-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination