CN117220903A - Secure access method and system for private network - Google Patents


Info

Publication number: CN117220903A
Authority: CN (China)
Legal status: Pending
Application number: CN202310952688.2A
Other languages: Chinese (zh)
Inventors: 余丹, 兰雨晴, 马海洋, 邢智涣
Current assignee: China Standard Intelligent Security Technology Co Ltd
Original assignee: China Standard Intelligent Security Technology Co Ltd
Priority date: 2023-07-31
Filing date: 2023-07-31
Publication date: 2023-12-12
Application filed by China Standard Intelligent Security Technology Co Ltd
Priority to CN202310952688.2A
Publication of CN117220903A


Abstract

The invention provides a secure access method and a secure access system for a private network. The method comprises the following steps: receiving a network access request initiated by a target device in the private network, and identifying the attribution information of the network access request; reading the security configuration policy matched to that attribution information and, where the policy indicates that the device level is provided with a corresponding domain name resolution server, sending the network access request to that domain name resolution server and receiving the domain name resolution result it returns; determining the server type of the resource server to which the domain name resolution result points and, if the server type indicates an external network server, converting the network access request according to a request conversion rule and then sending the converted access request to the resource server. The technical scheme provided by the invention can save network access cost in the private network.

Description

Secure access method and system for private network
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and system for secure access to a private network.
Background
SASE (Secure Access Service Edge) integrates networking and security onto one platform, combining multiple security solutions into a cloud service and thereby applying a unified policy across all of a company's locations, users and data.
However, the network structure of a private network is complex, its hardware is updated and replaced quickly, and its network services lag behind, so the complex network configuration this requires can only be achieved at extra cost.
In view of this, there is a need for lower-cost secure access to private networks.
Disclosure of Invention
The invention provides a secure access method and a secure access system for a private network, which can save network access cost in the private network.
In view of this, one aspect of the present invention provides a secure access method for a private network, the method comprising:
receiving a network access request initiated by a target device in the private network, and identifying attribution information of the network access request, wherein the attribution information at least characterizes the device level of the target device within the private network;
reading a security configuration policy matched to the attribution information, and, where the security configuration policy indicates that the device level is provided with a corresponding domain name resolution server, sending the network access request to that domain name resolution server and receiving the domain name resolution result it returns;
determining the server type of the resource server to which the domain name resolution result points, and, if the server type indicates an external network server, obtaining a request conversion rule from the security configuration policy, converting the network access request according to the request conversion rule, and then transmitting the converted access request to the resource server.
In one embodiment, identifying the attribution information of the network access request includes:
identifying source address information from the network access request, and locating the geographic position of the target device based on the prefix network segment of the source address information;
and determining the machine room at the located geographic position, and determining the device level of the target device within that machine room according to the suffix network segment of the source address information.
In one embodiment, if the network access request does not include source address information, the method further includes:
in response to the network access request, sending an address probe packet to the target device, receiving the reply data returned by the target device for the address probe packet, and extracting the source address information of the target device from the reply data.
In one embodiment, the method further comprises:
and if the security configuration policy indicates that the device level does not have a corresponding domain name resolution server, sending the network access request to a preset authoritative domain name resolution server, and receiving the domain name resolution result returned by the authoritative domain name resolution server.
In one embodiment, converting the network access request according to the request conversion rule includes:
identifying the source address information in the network access request;
obtaining the external address information that corresponds to the device level of the target device;
and replacing the source address information in the network access request with the external address information.
Another aspect of the present invention provides a secure access system for a private network, the system comprising:
a request processing unit, configured to receive a network access request initiated by a target device in the private network and to identify attribution information of the network access request, where the attribution information at least characterizes the device level of the target device within the private network;
a policy reading unit, configured to read a security configuration policy matched to the attribution information and, when the security configuration policy indicates that the device level is provided with a corresponding domain name resolution server, to send the network access request to that domain name resolution server and receive the domain name resolution result it returns;
and a request conversion unit, configured to determine the server type of the resource server to which the domain name resolution result points, to obtain a request conversion rule from the security configuration policy if the server type indicates an external network server, to convert the network access request according to the request conversion rule, and to transmit the converted access request to the resource server.
In one embodiment, the request processing unit is specifically configured to identify source address information from the network access request, and locate a geographic location of the target device based on a prefix network segment in the source address information; and determining a machine room at the geographic position obtained by positioning, and determining the equipment level of the target equipment in the machine room according to the suffix network segment in the source address information.
In one embodiment, the request processing unit is specifically further configured to, if the network access request does not include source address information, send an address detection data packet to the target device in response to the network access request, receive reply data fed back by the target device for the address detection data packet, and extract source address information of the target device from the reply data.
According to the technical scheme provided by the invention, after a network access request initiated in the private network is received, the device level of the target device can be identified. Different device levels may correspond to different security configuration policies, and some device levels may have a pre-deployed internal domain name resolution server, which keeps the domain name resolution process secure. In that case the network access request is resolved by the internal domain name resolution server, and when the request is sent to the external network it is converted, so that the internal network address remains private and the associated security risk is avoided; at the same time, no complex additional hardware architecture needs to be deployed, which saves network access cost in the private network.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
The technical scheme of the invention is further described in detail through the drawings and the embodiments.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention. In the drawings:
fig. 1 is a schematic diagram of steps of a method for secure access to a private network according to an embodiment of the present invention;
fig. 2 is a schematic functional block diagram of a secure access system for a private network according to an embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings, it being understood that the preferred embodiments described herein are for illustration and explanation of the present invention only, and are not intended to limit the present invention.
Referring to fig. 1, the present invention provides a secure access method for a private network, the method comprising:
S1: receiving a network access request initiated by a target device in the private network, and identifying attribution information of the network access request, wherein the attribution information at least characterizes the device level of the target device within the private network;
S2: reading a security configuration policy matched to the attribution information, and, where the security configuration policy indicates that the device level is provided with a corresponding domain name resolution server, sending the network access request to that domain name resolution server and receiving the domain name resolution result it returns;
S3: determining the server type of the resource server to which the domain name resolution result points, and, if the server type indicates an external network server, obtaining a request conversion rule from the security configuration policy, converting the network access request according to the request conversion rule, and then transmitting the converted access request to the resource server.
In one embodiment, identifying the attribution information of the network access request includes:
identifying source address information from the network access request, and locating the geographic position of the target device based on the prefix network segment of the source address information;
and determining the machine room at the located geographic position, and determining the device level of the target device within that machine room according to the suffix network segment of the source address information.
Where the source address information is 10.10.11.11, for example, the prefix network segment may be the first three octets of the address and the suffix network segment the last octet. Prefix network segments are typically mapped to geographic locations, which may be partitioned flexibly according to the actual scenario, for example by province or by city. Each geographic location may be deployed with a machine room, and the devices within that machine room may be located according to the suffix network segment.
In one embodiment, if the network access request does not include source address information, the method further includes:
in response to the network access request, sending an address probe packet to the target device, receiving the reply data returned by the target device for the address probe packet, and extracting the source address information of the target device from the reply data.
In one embodiment, the method further comprises:
and if the security configuration policy indicates that the device level does not have a corresponding domain name resolution server, sending the network access request to a preset authoritative domain name resolution server, and receiving the domain name resolution result returned by the authoritative domain name resolution server.
In this embodiment, if the device level has a domain name resolution server deployed in advance, domain name resolution is performed by that server in order to keep the resolution secure. If the device level has no internal domain name resolution server, resolution can be performed directly through the authoritative domain name resolution server.
In one embodiment, converting the network access request according to the request conversion rule includes:
identifying the source address information in the network access request;
obtaining the external address information that corresponds to the device level of the target device;
and replacing the source address information in the network access request with the external address information.
Different device levels can correspond to different external address information. After the external address information has replaced the source address information, a mapping between the external address information and the source address information can be constructed. When data is forwarded later, it is first checked whether the external address information has source address information mapped to it; if so, the external address information is first restored to the source address information, and the data is then forwarded based on the source address information, so that it reaches the target device correctly.
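The flow of S1 to S3 above, together with the source-address conversion and reverse mapping just described, as an added Python model (an illustration written for this page, not code from the patent). All machine rooms, device levels, policies, addresses and resolver records are constructed sample data, the address probe is a stand-in callback, and the reverse mapping is keyed on the source port as well as the external address, which goes beyond the text because several devices at one level share that level's external address.

```python
"""Model of the CN117220903A access flow: attribution lookup, per-level resolver choice,
external-server check and source-address conversion with a reverse mapping.
Added illustration only; every address, policy and DNS record below is constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed: prefix network segment (first three octets) -> geographic machine room.
ROOMS = {"10.10.11.0/24": "room-north", "10.10.12.0/24": "room-south"}
# Constructed: ranges of the suffix network segment (last octet) -> device level in a room.
LEVELS = [(1, 63, "core"), (64, 127, "access"), (128, 254, "terminal")]


@dataclass
class Policy:
    """Security configuration policy for one device level."""
    resolver: Optional[str]   # internal resolver for the level, None -> use the authoritative one
    external_address: str     # address substituted when the request leaves the private network


# Constructed policies keyed by device level; the "terminal" level has no internal resolver.
POLICIES = {
    "core": Policy("10.10.11.53", "203.0.113.10"),
    "access": Policy("10.10.11.53", "203.0.113.11"),
    "terminal": Policy(None, "203.0.113.12"),
}
AUTHORITATIVE_RESOLVER = "198.51.100.53"
# Constructed resolver tables: (resolver, hostname) -> resource server address.
DNS = {
    ("10.10.11.53", "wiki.corp.internal"): "10.10.20.5",
    ("10.10.11.53", "www.example.com"): "93.184.216.34",
    ("198.51.100.53", "www.example.com"): "93.184.216.34",
}


def identify_attribution(src: str) -> tuple[str, str]:
    """Step S1: the prefix segment locates the machine room, the suffix segment gives the level."""
    ip = ipaddress.ip_address(src)
    room = next((r for net, r in ROOMS.items() if ip in ipaddress.ip_network(net)), None)
    if room is None:
        raise ValueError(f"{src} is not inside any known machine room")
    last_octet = int(src.rsplit(".", 1)[1])
    level = next((lvl for lo, hi, lvl in LEVELS if lo <= last_octet <= hi), None)
    if level is None:
        raise ValueError(f"suffix segment {last_octet} maps to no device level")
    return room, level


def resolve(hostname: str, level: str) -> tuple[str, str]:
    """Step S2: use the level's internal resolver when the policy has one, else the authoritative."""
    resolver = POLICIES[level].resolver or AUTHORITATIVE_RESOLVER
    if (resolver, hostname) not in DNS:
        raise LookupError(f"{resolver} has no record for {hostname}")
    return resolver, DNS[(resolver, hostname)]


class Gateway:
    """Applies the policy and keeps the external->internal mapping for return traffic."""

    def __init__(self, probe: Callable[[str], str]):
        self.probe = probe   # stands in for sending the address probe packet to the device
        self.nat: dict[tuple[str, int], tuple[str, int]] = {}

    def handle(self, request: dict) -> dict:
        # A request without source address information is answered with a probe first.
        src = request.get("src") or self.probe(request["device_id"])
        room, level = identify_attribution(src)
        resolver, dst = resolve(request["host"], level)
        # Step S3: a resource server outside private address space is an external network server.
        external = ipaddress.ip_address(dst).is_global
        out = dict(request, src=src, dst=dst, room=room, level=level,
                   resolver=resolver, external=external)
        if external:
            ext = POLICIES[level].external_address
            # Key the mapping on the source port too: many devices share a level's external address.
            self.nat[(ext, request["sport"])] = (src, request["sport"])
            out["src"] = ext
        return out

    def restore(self, dst: str, dport: int) -> tuple[str, int]:
        """Map a reply's (external address, port) back to the originating device, else pass through."""
        return self.nat.get((dst, dport), (dst, dport))
```

A request to an internal resource server passes through with its private source address unchanged; only requests whose resolved destination is an external server are rewritten and recorded for the reverse path.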
Referring to fig. 2, another aspect of the present invention provides a secure access system for a private network, the system comprising:
a request processing unit, configured to receive a network access request initiated by a target device in the private network and to identify attribution information of the network access request, where the attribution information at least characterizes the device level of the target device within the private network;
a policy reading unit, configured to read a security configuration policy matched to the attribution information and, when the security configuration policy indicates that the device level is provided with a corresponding domain name resolution server, to send the network access request to that domain name resolution server and receive the domain name resolution result it returns;
and a request conversion unit, configured to determine the server type of the resource server to which the domain name resolution result points, to obtain a request conversion rule from the security configuration policy if the server type indicates an external network server, to convert the network access request according to the request conversion rule, and to transmit the converted access request to the resource server.
In one embodiment, the request processing unit is specifically configured to identify source address information from the network access request, and locate a geographic location of the target device based on a prefix network segment in the source address information; and determining a machine room at the geographic position obtained by positioning, and determining the equipment level of the target equipment in the machine room according to the suffix network segment in the source address information.
In one embodiment, the request processing unit is specifically further configured to, if the network access request does not include source address information, send an address detection data packet to the target device in response to the network access request, receive reply data fed back by the target device for the address detection data packet, and extract source address information of the target device from the reply data.
According to the technical scheme provided by the invention, after a network access request initiated in the private network is received, the device level of the target device can be identified. Different device levels may correspond to different security configuration policies, and some device levels may have a pre-deployed internal domain name resolution server, which keeps the domain name resolution process secure. In that case the network access request is resolved by the internal domain name resolution server, and when the request is sent to the external network it is converted, so that the internal network address remains private and the associated security risk is avoided; at the same time, no complex additional hardware architecture needs to be deployed, which saves network access cost in the private network.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (8)

1. A method of secure access to a private network, the method comprising:
receiving a network access request initiated by a target device in the private network, and identifying attribution information of the network access request, wherein the attribution information at least characterizes the device level of the target device within the private network;
reading a security configuration policy matched to the attribution information, and, where the security configuration policy indicates that the device level is provided with a corresponding domain name resolution server, sending the network access request to that domain name resolution server and receiving the domain name resolution result it returns;
determining the server type of the resource server to which the domain name resolution result points, and, if the server type indicates an external network server, obtaining a request conversion rule from the security configuration policy, converting the network access request according to the request conversion rule, and then transmitting the converted access request to the resource server.
2. The method of claim 1, wherein identifying the attribution information of the network access request comprises:
identifying source address information from the network access request, and positioning the geographic position of the target equipment based on a prefix network segment in the source address information;
and determining a machine room at the geographic position obtained by positioning, and determining the equipment level of the target equipment in the machine room according to the suffix network segment in the source address information.
3. The method of claim 2, wherein if the network access request does not include source address information, the method further comprises:
in response to the network access request, sending an address probe packet to the target device, receiving the reply data returned by the target device for the address probe packet, and extracting the source address information of the target device from the reply data.
4. The method according to claim 1, wherein the method further comprises:
and if the security configuration policy characterizes that the equipment level does not have the corresponding domain name resolution server, sending the network access request to a preset authoritative domain name resolution server, and receiving a domain name resolution result fed back by the authoritative domain name resolution server.
5. The method of claim 1, wherein converting the network access request according to the request conversion rule comprises:
identifying source address information in the network access request;
according to the equipment level of the target equipment, corresponding external address information is obtained;
and replacing the source address information in the network access request by using the external address information.
6. A secure access system for a private network, the system comprising:
a request processing unit, configured to receive a network access request initiated by a target device in the private network and to identify attribution information of the network access request, where the attribution information at least characterizes the device level of the target device within the private network;
the policy reading unit is used for reading a security configuration policy matched with the attribution information, sending the network access request to the domain name resolution server and receiving a domain name resolution result fed back by the domain name resolution server when the security configuration policy characterizes that the equipment level is provided with the corresponding domain name resolution server;
and the request conversion unit is used for judging the server type of the resource server pointed by the domain name resolution result, acquiring a request conversion rule from the security configuration policy if the server type represents an external network server, converting the network access request according to the request conversion rule, and transmitting the converted access request to the resource server.
7. The system of claim 6, wherein the request processing unit is specifically configured to identify source address information from the network access request and locate a geographic location of the target device based on a prefix network segment in the source address information; and determining a machine room at the geographic position obtained by positioning, and determining the equipment level of the target equipment in the machine room according to the suffix network segment in the source address information.
8. The system according to claim 7, wherein the request processing unit is further specifically configured to, if the network access request does not include source address information, send an address probe packet to the target device in response to the network access request, receive reply data fed back by the target device for the address probe packet, and extract source address information of the target device from the reply data.

Priority Applications (1)

Application Number: CN202310952688.2A
Priority Date: 2023-07-31
Filing Date: 2023-07-31
Title: Secure access method and system for private network
Status: Pending

Publications (1)

Publication Number: CN117220903A
Publication Date: 2023-12-12

Family

ID=89043232

Country Status (1)

CN (1) CN117220903A (en)


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination