CN116074125B - End-to-end password middle station zero trust security gateway system - Google Patents


Info

Publication number
CN116074125B
Authority
CN (China)
Prior art keywords
subsystem, service authorization, service, hostid, usertoken
Legal status
Active
Application number
CN202310303810.3A
Other languages
Chinese (zh)
Other versions
CN116074125A (en)
Inventors
孙晓宇, 黄博, 李攀, 吴农中, 何永霞, 麻亮, 江坤, 高飞, 刘继强, 宋虹苍
Current assignee
Chengdu Yunlitchi Technology Co ltd
Original assignee
Chengdu Yunlitchi Technology Co ltd
Priority date
2023-03-27
Filing date
2023-03-27
Publication date
2023-05-05 (CN116074125A), 2023-05-30 (CN116074125B)

Classifications

    • All classes fall under Section H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L 63/0236: Network architectures or network communication protocols for network security; separating internal from external traffic, e.g. firewalls; filtering policies; filtering by address, protocol, port number or service, e.g. IP address or URL
    • H04L 12/66: Data switching networks; arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L 63/101: Network security; controlling access to devices or network resources; access control lists [ACL]
    • H04L 63/108: Network security; controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L 9/3226: Cryptographic mechanisms or network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), using a predetermined code, e.g. password, passphrase or PIN
    • H04L 9/3236: As above, using cryptographic hash functions

Abstract

The invention provides an end-to-end password middle station zero trust security gateway system. A new security access gateway system is designed in which, on the basis of introducing a HostID and a UserID, one service authorization table is kept in the core gateway and another in the password middle station. By comparing the service authorization tables of the core gateway and the password middle station, zero trust access for users and devices is realized, and the flexibility and security of the cloud computing middle station are greatly improved.

Description

End-to-end password middle station zero trust security gateway system
Technical Field
The invention relates to the technical field of computer networks, in particular to an end-to-end password middle station zero trust security gateway system.
Background
The internet today is formed by individual nodes located in a network that allows them to communicate with each other. The interconnection among the nodes makes the whole network highly efficient on the one hand, but on the other hand makes it more fragile, because an attack on any other node can be initiated from any one node. To ensure network security, the password is the most common means: only users holding the password can initiate access to the designated node. For large-scale systems in a network, the distribution and management of passwords is a very complex task, and the current mainstream approach is to establish a unified password middle station, which carries out basic password services such as unified password management and authentication. Because of its importance, the password middle station tends to have a higher probability of being attacked.
In the prior art, Chinese application No. 202010927253 proposes an end-to-end zero trust security gateway system that correlates a login request with a service request and improves the security of gateway access to a certain extent, but it does not provide separate authorization records for the password middle station and the core gateway, and the gateway and the service request are coupled together, which is less secure and less real-time than the present invention.
If the password middle station is attacked such that passwords are compromised, every system served by it will suffer serious consequences. Thus, the password middle station is more important than other systems on the network. The conventional security gateway is just one gate in front of the password middle station, and any User who passes the gate can reach any corner of the password middle station network. That is, the conventional gateway performs security management in units of a network. Although a password and different security levels can be configured for each subsystem in the password middle station network to ensure safe operation, this does not logically isolate them: an attacker who obtains the password can still attack the whole network. Meanwhile, the password middle station of an enterprise or organization generally runs on the cloud; cloud deployment further blurs the boundary of the network, and the original security division based on different networks is not suitable for the security management of a password middle station on the cloud. That is, for any User accessing through the cloud, the network environment in which the User is located cannot be used to judge whether the User is a possible attacker.
Disclosure of Invention
In order to solve the network security problem faced by the existing password middle station network, the invention provides an end-to-end password middle station zero trust security gateway system so as to realize higher security protection of the password middle station.
The application provides an end-to-end password middle station zero trust security gateway system which is characterized by comprising a client, a core gateway and a password middle station;
the client comprises a mobile phone native application, a computer native application, a Web application or a special terminal, wherein the mobile phone native application, the computer native application and the Web application comprise a graphical user interface, the special terminal comprises an instruction operation interface, and both the graphical user interface and the instruction operation interface can send instructions for operating and controlling the password middle station;
the core gateway consists of a capturing subsystem, an analyzing subsystem, a forwarding subsystem, an access filtering subsystem, a verification code generating subsystem and a first service authorization record table;
the password middle station consists of one or more password service subsystems and a second service authorization record table, and each subsystem corresponds to the IP address of a different domain name;
the client sends out a first data packet accessing the first password service subsystem, and the capturing subsystem captures the first data packet;
the analyzing subsystem analyzes the first data packet to obtain the destination domain name in the first data packet;
the resolving subsystem resolves the destination domain name through DNS to obtain the destination IP address;
the client sends out a second data packet accessing the first password service subsystem, and the capturing subsystem captures the second data packet;
the analyzing subsystem analyzes the second data packet to obtain the HostID and UserToken in the second data packet;
the core gateway holds a first service authorization record table, which records the service authorization information of the latest time period T;
the first service authorization record table is queried according to the IP address, HostID and UserToken to acquire a first service authorization code;
if the first service authorization code is successfully acquired, the following steps are executed:
s1: the forwarding subsystem transmits the HostID, UserToken and first service authorization code to the first password service subsystem, wherein a second service authorization record table stored in the password middle station records the service authorization information of the latest time period T;
s2: the password middle station queries the second service authorization record table according to the received HostID and UserToken to obtain a second service authorization code, and compares the first service authorization code with the second service authorization code;
s3: if the comparison succeeds, the connection is established, the authorization time in the second service authorization record table is updated to the time of the successful comparison, the updated authorization time is sent to the core gateway, and the authorization time in the first service authorization record table is updated;
s4: if the comparison fails, the connection is rejected, the authorization information corresponding to the HostID and UserToken is deleted from the second service authorization record table, the failure information is returned to the core gateway, and the authorization information corresponding to the HostID and UserToken is deleted from the first service authorization record table;
if the first service authorization code is not acquired, the following steps are executed:
s5: the forwarding subsystem sends the IP address, the HostID and the UserToken to the access filtering subsystem, wherein the access filtering subsystem is configured with access restriction filtering rules, which specifically comprise: whether the IP address belongs to the IP addresses that allow access, whether the IP address allows access by the HostID, whether the IP address allows access by the UserToken, whether the IP address is legal, whether the HostID belongs to an accessible Host group, whether the UserToken belongs to an accessible User group, and the like;
s6: if the IP address, HostID and UserToken meet the filtering rules, the following steps are executed:
s6.1: the verification code generation subsystem generates an access verification code;
s6.2: the forwarding subsystem sends the HostID, the UserID and the verification code to the first password service subsystem, and the first password service subsystem performs a hash calculation on the verification code to obtain a hash value;
s6.3: hash verification is performed according to the hash value, specifically as follows:
s6.3.1: if the hash verification passes, the connection is established and an authorization code is generated; the HostID, UserToken and authorization code are added to the second service authorization table, the time at which the hash verification passed is added to the second service authorization table as the service authorization time, the information that verification passed is sent to the core gateway, the HostID, UserToken and authorization code are added to the first service authorization table, and the time at which the hash verification passed is added to the first service authorization table as the service authorization time;
s6.3.2: if the hash verification does not pass, the connection is rejected;
s7: if the IP address, HostID and UserToken do not meet the filtering rules, the connection is refused;
the application also provides a computer device, which comprises one or more memories, a processor and a network card, wherein the computer device is used for carrying out communication between devices through the network card, the memories are used for storing instructions of each step in the security gateway system, and the processor is used for executing the instructions.
Drawings
In order to illustrate the technical solutions in the embodiments of the present application more clearly, the drawings used in the embodiments are described below. They cover only a part of the embodiments of the present application, and other embodiments besides those described below may easily be obtained by those of ordinary skill in the art;
fig. 1 is a schematic diagram of a system structure according to the present invention.
Detailed Description
The present invention will be further explained below with reference to the drawings in this embodiment, and it should be noted that the embodiment provided herein is only a part of embodiments of the present invention. Based on this summary, one of ordinary skill in the art can easily obtain other methods or products from the summary that can implement the present invention, and any other embodiments according to the present disclosure fall within the scope of protection of the present application.
Today, cloud computing has become the dominant way of providing computing services to enterprises, most of whose services are delivered on the cloud. The cost and service flexibility of cloud computing have incomparable advantages over traditional data centers or server rooms. At the same time, the security management policy of a cloud service is quite different from before, because the service is visible to everyone. For a password middle station running in the cloud, its special role gives it stricter security requirements than other systems running in the cloud. Cloud deployment further blurs the boundary of the network, and anyone may be able to reach the cloud, so every person who accesses the password middle station through the cloud is regarded as untrusted. By designing a new security access gateway system that realizes zero trust security access for users and devices, the security and flexibility of the password middle station are greatly improved.
Referring to fig. 1, which illustrates an end-to-end password middle station zero trust security gateway system, the system consists of a client, a core gateway and a password middle station;
the client comprises a mobile phone native application, a computer native application, a Web application or a special terminal, wherein the mobile phone native application, the computer native application and the Web application comprise a graphical user interface, the special terminal comprises an instruction operation interface, and both the graphical user interface and the instruction operation interface can send instructions for operating and controlling the password middle station;
the core gateway consists of a capturing subsystem, an analyzing subsystem, a forwarding subsystem, an access filtering subsystem, a verification code generating subsystem and a first service authorization record table;
the password middle station consists of one or more password service subsystems and a second service authorization record table, and each subsystem corresponds to the IP address of a different domain name;
the User's mobile phone client application sends out a first data packet P1 accessing the first password service subsystem, and the capturing subsystem captures the first data packet P1;
the analyzing subsystem analyzes the first data packet to obtain the destination domain name in it, such as https://www.jxpasswordcenter.com/authentication;
the resolving subsystem resolves the destination domain name through DNS to obtain the destination IP address 192.168.251.107;
the client sends out a second data packet P2 accessing the first password service subsystem, and the capturing subsystem captures the second data packet P2;
the analyzing subsystem parses the second data packet, obtaining the HostID FX01100101001010101001 and the UserToken lspvmsj%fnk)_fnk%%fnk%;
the core gateway holds a first service authorization record table, which records the service authorization information of the latest time period T;
the first service authorization record table is queried according to the IP address, HostID and UserToken, obtaining the first service authorization code daji-6 fdnakjn;
if the acquisition succeeds, the following steps are executed:
s1: the forwarding subsystem transmits the HostID, UserToken and first service authorization code to the first password service subsystem, wherein a second service authorization record table stored in the password middle station records the service authorization information of the latest time period T;
s2: the password middle station queries the second service authorization record table according to the received HostID and UserToken to obtain the second service authorization code daji-6 fdnakjn, and compares the first service authorization code with the second service authorization code;
s3: if the comparison succeeds, the connection is established, the authorization time in the second service authorization record table is updated to the time of the successful comparison, the updated authorization time is sent to the core gateway, and the authorization time in the first service authorization record table is updated;
s4: if the comparison fails, the connection is rejected, the authorization information corresponding to the HostID and UserToken is deleted from the second service authorization record table, the failure information is returned to the core gateway, and the authorization information corresponding to the HostID and UserToken is deleted from the first service authorization record table;
if the acquisition fails, the following steps are executed:
s5: the forwarding subsystem sends the IP address, the HostID and the UserToken to the access filtering subsystem, wherein the access filtering subsystem is configured with access restriction rules, which specifically comprise: whether the IP address belongs to the IP addresses that allow access, whether the IP address allows access by the HostID, whether the IP address allows access by the UserToken, whether the IP address is legal, whether the HostID belongs to an accessible Host group, whether the UserToken belongs to an accessible User group, and the like;
s6: if the IP address, HostID and UserToken meet the filtering rules, the following steps are executed:
s6.1: the verification code generation subsystem generates an access verification code;
s6.2: the forwarding subsystem sends the HostID, the UserID and the verification code to the first password service subsystem, and the first password service subsystem performs a hash calculation on the verification code to obtain a hash value;
s6.3: hash verification is performed according to the hash value, specifically as follows:
s6.3.1: if the hash verification passes, the connection is established and an authorization code is generated; the HostID, UserToken and authorization code are added to the second service authorization table, the time at which the hash verification passed is added to the second service authorization table as the service authorization time, the information that verification passed is sent to the core gateway, the HostID, UserToken and authorization code are added to the first service authorization table, and the time at which the hash verification passed is added to the first service authorization table as the service authorization time;
s6.3.2: if the hash verification does not pass, the connection is rejected;
s7: if the IP address, HostID and UserToken do not meet the filtering rules, the connection is rejected.
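The two-table flow of steps s1 to s7, as set out in the summary and again in the worked description above, as an added simulation written for this page (it is not the patent's own implementation). Assumptions: the "latest time period T" is 600 s; the first table is keyed by (IP address, HostID, UserToken) and the second by (HostID, UserToken); SHA-256 is the hash of s6.2; the access restriction rules of s5 are given as a policy dictionary; and, since the patent does not say how the hash value is checked, the expected digest travels with the verification code.

```python
import hashlib
import ipaddress
import secrets
T_SECONDS = 600.0  # assumed length of the "latest time period T" (the patent leaves T unspecified)

class AuthTable:
    # Service authorization record table: rows are (auth_code, auth_time) and expire after period T
    def __init__(self, window=T_SECONDS):
        self.window, self.rows = window, {}

    def lookup(self, key, now):
        row = self.rows.get(key)
        if row is not None and now - row[1] > self.window:
            del self.rows[key]  # outside the latest period T: treated as absent
            return None
        return row

    def put(self, key, code, when):
        self.rows[key] = (code, when)

class CryptoCenter:
    # Password middle station: owns the second service authorization record table
    def __init__(self):
        self.table2 = AuthTable()

    def compare(self, host_id, user_token, first_code, now):
        # s2-s4: look up the second code by (HostID, UserToken) and compare it with the first one
        key = (host_id, user_token)
        row = self.table2.lookup(key, now)
        if row is not None and secrets.compare_digest(row[0], first_code):
            self.table2.put(key, row[0], now)  # s3: authorization time := time of the successful comparison
            return now
        self.table2.rows.pop(key, None)  # s4: delete the row on mismatch (or when no row exists)
        return None

    def hash_verify(self, host_id, user_token, verification_code, expected_hash, now):
        # s6.2-s6.3: hash the verification code; on a match issue a fresh authorization code (s6.3.1).
        # Assumption: the expected digest travels with the code; the patent does not say how the hash is checked.
        digest = hashlib.sha256(verification_code.encode()).hexdigest()
        if not secrets.compare_digest(digest, expected_hash):
            return None  # s6.3.2
        code = secrets.token_urlsafe(12)
        self.table2.put((host_id, user_token), code, now)
        return code

class CoreGateway:
    # Core gateway: first table, domain resolution, access filtering and verification code generation
    def __init__(self, center, dns, policy):
        self.center, self.dns, self.policy = center, dns, policy
        self.table1 = AuthTable()

    def passes_filter(self, ip, host_id, user_token):
        # s5: every listed access restriction rule must hold; any failure leads to s7
        try:
            ipaddress.ip_address(ip)  # "whether the IP address is legal"
        except ValueError:
            return False
        p = self.policy
        return (ip in p["allowed_ips"] and host_id in p["hosts_by_ip"].get(ip, ())
                and user_token in p["users_by_ip"].get(ip, ())
                and host_id in p["host_group"] and user_token in p["user_group"])

    def handle(self, domain, host_id, user_token, now):
        ip = self.dns[domain]  # stands in for resolving the destination domain name through DNS
        key1 = (ip, host_id, user_token)
        row = self.table1.lookup(key1, now)
        if row is not None:  # first service authorization code acquired: s1-s4
            auth_time = self.center.compare(host_id, user_token, row[0], now)
            if auth_time is not None:
                self.table1.put(key1, row[0], auth_time)  # s3: mirror the updated authorization time
                return "connected:compared"
            self.table1.rows.pop(key1, None)  # s4: mirror the deletion
            return "rejected:mismatch"
        if not self.passes_filter(ip, host_id, user_token):  # s5
            return "rejected:filtered"  # s7
        verification_code = secrets.token_hex(16)  # s6.1
        expected = hashlib.sha256(verification_code.encode()).hexdigest()
        code = self.center.hash_verify(host_id, user_token, verification_code, expected, now)
        if code is None:
            return "rejected:hash"  # s6.3.2
        self.table1.put(key1, code, now)  # s6.3.1: same code and time recorded in the first table
        return "connected:verified"

def demo():
    # Sample values taken from the patent's own worked description; one client is driven through every path
    domain, ip = "www.jxpasswordcenter.com", "192.168.251.107"
    host, user = "FX01100101001010101001", "lspvmsj%fnk)_fnk%%fnk%"
    policy = {"allowed_ips": {ip}, "hosts_by_ip": {ip: {host}}, "users_by_ip": {ip: {user}},
              "host_group": {host}, "user_group": {user}}
    center = CryptoCenter()
    gw = CoreGateway(center, {domain: ip}, policy)
    out = [gw.handle(domain, host, user, 0.0)]  # no row yet: full verification (s5-s6)
    out.append(gw.handle(domain, host, user, 100.0))  # row within T: code comparison only (s1-s3)
    center.table2.rows.pop((host, user))  # the two tables drift apart
    out.append(gw.handle(domain, host, user, 200.0))  # comparison fails: both rows purged (s4)
    out.append(gw.handle(domain, host, user, 300.0))  # back to full verification
    out.append(gw.handle(domain, "UNKNOWNHOST", user, 300.0))  # fails the s5 filter (s7)
    out.append(gw.handle(domain, host, user, 300.0 + T_SECONDS + 1))  # row expired: full verification
    return out
```

The point the demo makes is that the two tables only ever agree or are both purged: a row that survives in the gateway but not in the password middle station is rejected and removed on the next request, and an expired row forces the full s5 to s6 path again.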

Claims (4)

1. An end-to-end password middle station zero trust security gateway system is characterized in that: the system consists of a client, a core gateway and a password middle station;
the core gateway consists of a capturing subsystem, an analyzing subsystem, a forwarding subsystem, an access filtering subsystem, a verification code generating subsystem and a first service authorization record table;
the password middle station consists of one or more password service subsystems and a second service authorization record table, and each subsystem corresponds to the IP address of different domain names;
the client sends out a first data packet for accessing the first password service subsystem, and the core gateway captures the first data packet;
the core gateway analyzes the first data packet to obtain the destination domain name in the first data packet;
the core gateway resolves the destination domain name through DNS to obtain the destination IP address;
the client sends out a second data packet for accessing the first password service subsystem, and the core gateway captures the second data packet;
the core gateway analyzes the second data packet to obtain the HostID and UserToken in the second data packet;
the core gateway holds a first service authorization record table, which records the service authorization information of the latest time period T;
the first service authorization record table is queried according to the IP address, HostID and UserToken to acquire a first service authorization code;
if the first service authorization code is successfully obtained, the HostID, UserToken and first service authorization code are sent to the first password service subsystem for authorization code comparison, which specifically comprises the following steps:
s1: the forwarding subsystem transmits the HostID, UserToken and first service authorization code to the first password service subsystem, wherein a second service authorization record table stored in the password middle station records the service authorization information of the latest time period T;
s2: the password middle station queries the second service authorization record table according to the received HostID and UserToken to obtain a second service authorization code, and compares the first service authorization code with the second service authorization code;
s3: if the comparison succeeds, the connection is established, the authorization time in the second service authorization record table is updated to the time of the successful comparison, the updated authorization time is sent to the core gateway, and the authorization time in the first service authorization record table is updated;
s4: if the comparison fails, the connection is rejected, the authorization information corresponding to the HostID and UserToken is deleted from the second service authorization record table, the failure information is returned to the core gateway, and the authorization information corresponding to the HostID and UserToken is deleted from the first service authorization record table;
if the first service authorization code is not acquired, whole-process verification is performed, which specifically comprises the following steps:
s5: the forwarding subsystem sends the IP address, the HostID and the UserToken to the access filtering subsystem, wherein the access filtering subsystem is configured with access restriction filtering rules;
s6: if the IP address, HostID and UserToken meet the filtering rules, the following steps are executed:
s6.1: the verification code generation subsystem generates an access verification code;
s6.2: the forwarding subsystem sends the HostID, the UserID and the verification code to the first password service subsystem, and the first password service subsystem performs a hash calculation on the verification code to obtain a hash value;
s6.3: carrying out hash verification according to the hash value to judge whether to establish connection or not;
s7: and if the IP address, the HostID and the UserToken do not meet the filtering rule, rejecting connection.
2. The system of claim 1, wherein the client comprises a cell phone native application, a computer native application, a Web application, or a dedicated terminal, the cell phone native application, the computer native application, and the Web application comprising a graphical user interface, the dedicated terminal comprising an instruction manipulation interface, the graphical user interface and the instruction manipulation interface each capable of sending instructions to manipulate and control a cryptographic center.
3. The system of claim 2, wherein the access filtering subsystem is configured with access restriction filtering rules specifically comprising: whether the IP address belongs to the IP addresses that allow access, whether the IP address allows access by the HostID, whether the IP address allows access by the UserToken, whether the IP address is legal, whether the HostID belongs to an accessible Host group, and whether the UserToken belongs to an accessible User group.
4. A system according to claim 3, wherein said hash verification based on the hash value to determine whether to establish the connection comprises the steps of:
s6.3.1: if the hash verification is passed, establishing connection and generating an authorization code, adding HostID, userToken and the authorization code into the second service authorization table, taking the passing time of the hash verification as the service authorization time and adding the service authorization time into the second service authorization table, sending the information of the passing verification to a core gateway, adding HostID, userToken and the authorization code into the first service authorization table, and adding the passing time of the hash verification as the service authorization time into the first service authorization table;
s6.3.2: if the hash verification is not passed, the connection is refused.

Priority Applications (1)

Application number CN202310303810.3A, priority date 2023-03-27, filing date 2023-03-27: End-to-end password middle station zero trust security gateway system (Active)

Publications (2)

CN116074125A (en), published 2023-05-05
CN116074125B (en), published 2023-05-30

Family

ID=86170065; one family application (CN202310303810.3A, Active); country status: CN, CN116074125B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110120946A (en) * 2019-04-29 2019-08-13 武汉理工大学 A kind of Centralized Authentication System and method of Web and micro services
CN112685709A (en) * 2021-01-13 2021-04-20 树根互联技术有限公司 Authorization token management method and device, storage medium and electronic equipment
CN114238036A (en) * 2022-02-23 2022-03-25 成都运荔枝科技有限公司 Method and device for monitoring abnormity of SAAS (software as a service) platform in real time
CN114518909A (en) * 2022-02-17 2022-05-20 中国建设银行股份有限公司 Authorization information configuration method, device, equipment and storage medium based on API gateway
CN115499235A (en) * 2022-09-27 2022-12-20 江苏易安联网络技术有限公司 DNS-based zero-trust network authorization method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11323426B2 (en) * 2017-10-19 2022-05-03 Check Point Software Technologies Ltd. Method to identify users behind a shared VPN tunnel


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Research on a zero-trust-based data storage encryption model for cloud environments"; 孟慧石, 刘军; 《网络安全技术与应用》 (No. 1); pp. 62-68 *


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant