CN101635701A - Method for controlling safe access - Google Patents


Info

Publication number: CN101635701A
Authority: CN (China)
Prior art keywords: user, role, data flow, user role, access control
Legal status: Pending
Application number: CN200810116950A
Other languages: Chinese (zh)
Inventors: 刘向明, 王钟, 莫宁
Current assignee: Hillstone Networks Communication Technology (Beijing) Co Ltd
Original assignee: Hillstone Networks Communication Technology (Beijing) Co Ltd
Application filed by Hillstone Networks Communication Technology (Beijing) Co Ltd
Priority to CN200810116950A
Publication of CN101635701A

Abstract

The invention provides a method for controlling secure access. The method comprises the following steps: 1, during the user's access and authentication process, determining the role played by the user according to user attributes; and 2, adding the determined user role to the firewall policy so as to realize secure access control based on user roles. The method is therefore backward-compatible with the functions of conventional firewalls, and through role-based access control applies different user-behavior management to different users, laying a foundation for the integration of networking and security technology; at the same time, the method makes no change to the priority and first-match principle of firewall policies and can be easily accepted by administrators familiar with firewalls.

Description

Method for secure access control
Technical field
The present invention relates to network security, and more specifically to a method for secure access control.
Background technology
A traditional firewall policy or access control list (ACL) decides whether to allow a data flow according to the lower-layer attributes of the flow. The attributes a typical firewall policy relies on to decide whether a flow may pass include source address, source port, destination address, destination port, and protocol number or application type. The ingress interface and egress interface are usually also part of the firewall policy. Some vendors introduce the concept of security zones and use the ingress security zone or egress security zone. Firewall policies follow the first-match principle.
On top of firewall policies, some vendors have introduced the concept of authentication policies: whether a data flow that matches such a policy is allowed is decided by the group information obtained through authentication. The first-match principle still applies.
Below is an example of a firewall policy:
Source zone   | Destination zone | Source address | Source port | Destination address | Destination port | Protocol | Group | Action
--------------|------------------|----------------|-------------|---------------------|------------------|----------|-------|----------
Internal zone | External zone    | Any            | Any         | www.sina.com        | 80               | TCP      | g1    | Deny
Internal zone | External zone    | Any            | Any         | Any                 | Any              | Any      | g2    | Allow
Internal zone | DMZ zone         | 10.1.1.1       | Any         | 1.1.1.1             | Any              | Any      | Allow | Allow
External zone | DMZ zone         | Any            | Any         | 1.1.1.1             | 80               | TCP      | Allow | Allow
Given the source zone and destination zone, some vendors introduce the concept of authentication groups. If a detected flow matches one of these policies, the user's group is determined through firewall authentication, and whether the flow is allowed to pass depends on whether the group matches.
Source zone   | Destination zone | Source address | Source port | Destination address | Destination port | Protocol | Group | Action
--------------|------------------|----------------|-------------|---------------------|------------------|----------|-------|-------
Internal zone | External zone    | Any            | Any         | www.sina.com        | 80               | TCP      | g1    | Allow
Internal zone | External zone    | Any            | Any         | Any                 | 80               | TCP      | g2    | Allow
Because firewall policy matching is first-match, if the group in the first matching policy is wrong, the data flow is rejected even if a later policy would also match. For example, in the table above, if an internal user belonging to g2 visits www.sina.com, the first policy is matched on the IP five-tuple, so only that policy's group information can be consulted; if the group does not match, the second policy is never examined.
Role-Based Access Control (RBAC) and Identity-based Access Control are not new ideas. Their representative application in network devices is SSL VPN (Secure Sockets Layer virtual private network). In traditional SSL VPN, group information is commonly obtained from a RADIUS authentication server after authentication.
Implementations differ slightly between vendors: some introduce the concept of policy groups and look up the policy group according to the user's group, while others index policies by user or group. Because a user may belong to several groups, either the groups are prioritized relative to each other, or the policies themselves are given priorities.
User / group | URL                               | Action
-------------|-----------------------------------|-------
Tim Liu      | http://marketing.hillstonenet.com | Deny
Sales        | http://marketing.hillstonenet.com | Allow
Engineer     | http://eng.hillstonenet.com       | Allow
SSL VPN policies and firewall policies are very different, and SSL VPN policies cannot be merged directly into firewall policies.
Summary of the invention
In order to support role-based access control in a firewall, the present invention proposes a method for secure access control comprising the following steps: step 1, during the user's access and authentication process, determining the user role according to user attributes; and step 2, adding the determined user role to the firewall policy, to realize secure access control based on user role.
Between step 1 and step 2, the method further comprises: establishing a system user-role list, and inserting the determined user role into the system user-role list.
Step 2 further comprises: during establishment of a data flow, determining the user role corresponding to the data flow according to the system user-role list and the information of the data flow; and matching the firewall policy to which user roles have been added according to the determined user role of the data flow and the lower-layer attributes of the data flow, to realize secure access control based on user role.
According to the method of the invention, the user attributes comprise one or more of the following: user name, user group, user IP address, security zone in which the user is located, user's access method, PC used by the user, and security state of the PC used by the user.
The role list consists of the determined user roles and the user attributes.
In addition, the information of the data flow comprises port information, security zone, encryption state and IP header.
The lower-layer attributes of the data flow comprise the source address, source port, destination address, destination port and protocol type of the data flow.
According to the method of the invention, a user may have one or more roles.
Therefore, the method of the invention is fully backward-compatible with traditional firewall functions, and role-based access control applies different user-behavior management to different users, which lays a foundation for integrating networking and security technology. At the same time, the method does not change the priority and first-match principle of firewall policies, so it is readily accepted by administrators familiar with firewalls.
Other features and advantages of the invention will be set forth in the following description, will in part become apparent from the specification, or may be learned by practising the invention. The objects and other advantages of the invention can be realized and obtained by the structures particularly pointed out in the written specification, claims and drawings.
Description of drawings
The drawings are provided for further understanding of the invention and form part of the specification; together with the embodiments of the invention they serve to explain the invention and are not to be construed as limiting it. In the drawings:
Fig. 1 is a flow chart of the method according to the invention; and
Fig. 2 is a schematic diagram of an embodiment of the method according to the invention.
Embodiment
Preferred embodiments of the invention are described below with reference to the drawings. It should be understood that the preferred embodiments described here are only for describing and explaining the invention and are not intended to limit it.
As shown in Fig. 1, the method comprises the following steps:
S102: during the user's access and authentication process, determine the user role according to user attributes; and
S104: add the determined user role to the firewall policy, to realize secure access control based on user role.
Between S102 and S104, the method further comprises: establishing a system user-role list, and inserting the determined user role into the system user-role list.
S104 further comprises: during establishment of a data flow, determining the user role corresponding to the data flow according to the system user-role list and the information of the data flow; and matching the firewall policy to which user roles have been added according to the determined user role of the data flow and the lower-layer attributes of the data flow, to realize secure access control based on user role.
According to the method of the invention, the user attributes comprise one or more of the following: user name, user group, user IP address, security zone in which the user is located, user's access method, PC used by the user, and security state of the PC used by the user.
The role list consists of the determined user roles and the user attributes.
In addition, the information of the data flow comprises port information, security zone, encryption state and IP header.
The lower-layer attributes of the data flow comprise the source address, source port, destination address, destination port and protocol type of the data flow.
According to the method of the invention, a user may have one or more roles.
Embodiments of the invention are described next.
A user's role can be decided by one or several of the following parameters: user name, user group, IP address, security zone in which the user is located, user's access method, security state of the user's PC, the user's PC, and a combination of the user's other roles.
During the user's access and authentication process, the user's role (possibly more than one) is determined according to the user's login attributes, authentication attributes and the state of the PC used, and an object is inserted into the system role list. A role-list entry comprises: IP address; security zone in which the user is located; user's access method; the user's role(s).
When the firewall establishes a data flow and performs policy lookup, the role list is searched according to port information, security zone, VPN and IP header to obtain the role information of the flow.
The concept of role is introduced into the firewall policy: policy matching is no longer on the IP five-tuple but on a six-tuple that includes the role.
This embodiment fully supports mixing general firewall policies with role-based policies and, as with ordinary firewall policies, relies on the natural ordering of the policies to determine priority.
For full compatibility with existing firewall policies, the role of any policy can be "Any", which matches all user roles. A policy whose role is "Any" degenerates into a general firewall policy.
Matching on the six-tuple that includes the role preserves the first-match principle of firewall policies.
A user may hold multiple roles, but roles have no priority among themselves; priority follows entirely the natural order of the policies.
An example follows:
Group      | Source address | Source port | Destination address | Destination port | Protocol | Action
-----------|----------------|-------------|---------------------|------------------|----------|-------
Contractor | Any            | Any         | Intranet            | 80               | TCP      | Deny
Engineer   | Any            | Any         | Intranet            | 80               | TCP      | Allow
Any        | Any            | Any         | Any                 | 80               | TCP      | Allow
In this example, for access to Intranet addresses, all users in the Contractor group are denied and all users in the Engineer group are allowed. If a user belongs to both the Contractor group and the Engineer group, he cannot access the Intranet, because the deny policy comes first. To let all Engineers access the Intranet while the other Contractors cannot, simply move the second policy in front of the first.
The firewall device may, for example, also support SSL VPN. This embodiment achieves full fusion of firewall policies and SSL VPN policies.
Group    | Source address | Source port | Destination address | Destination port | Protocol | Action
---------|----------------|-------------|---------------------|------------------|----------|-------
SSL      | Any            | Any         | Intranet Server     | Any              | Any      | Deny
Engineer | Any            | Any         | Eng Server          | Any              | Any      | Allow
Any      | Eng_IPs        | Any         | Any                 | Any              | Any      | Allow
Any      | Any            | Any         | Email Server        | Any              | Any      | Allow
Fig. 2 is the schematic diagram according to the embodiment of the inventive method.
As shown in Fig. 2, a company's security gateway has both firewall and SSL VPN functions. When a user connects from the public network over SSL VPN, the system assigns the role "SSL" to those flows; for remotely connecting engineers (Engineers), the system also assigns a second role, "Engineer". The company Intranet has two kinds of PC: those used by engineers, with address group Eng_IPs, and those used by other people, with address group Other_IPs. The company has three servers: an e-mail server (Email Server), an internal server (Intranet Server) and a research-and-development server (Eng Server).
The following policies are configured in the policy list:
remote-access users may not access the internal server (Intranet Server);
engineers, whether connecting remotely or internally, may access the research-and-development server (Eng Server);
engineers' PCs in the Intranet may access all Intranet servers; and
other people, whether connecting remotely or internally, may read e-mail, i.e. access the e-mail server (Email Server).
In summary, the method of the invention is fully backward-compatible with traditional firewall functions, and role-based access control applies different user-behavior management to different users, which lays a foundation for integrating networking and security technology. At the same time, the method does not change the priority and first-match principle of firewall policies, so it is readily accepted by administrators familiar with firewalls.
The above are only preferred embodiments of the invention and do not limit it; for a person skilled in the art, the invention may have various changes and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.
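The two policy tables above, run through an added example of the six-tuple first-match evaluation the embodiment describes. This is not code from the patent or from Hillstone; the address groups, the rule for deriving roles from user attributes, and the users and flows are constructed assumptions.

```python
"""Six-tuple, first-match firewall policy with user roles (added example).
Roles come from user attributes at authentication (S102), are kept in a role
list keyed by source IP / zone / access method, and matched as a sixth element
beside the IP five-tuple (S104). Role "Any" matches every user. Constructed data."""
from collections import namedtuple
from ipaddress import ip_address, ip_network
ANY = "Any"
Rule = namedtuple("Rule", "role src sport dst dport proto action")
# Constructed address groups standing in for the page's Intranet, Eng_IPs and servers.
GROUPS = {"Intranet": ["10.0.0.0/8"], "Eng_IPs": ["10.1.0.0/16"],
          "Intranet Server": ["10.0.10.1/32"], "Eng Server": ["10.0.10.2/32"],
          "Email Server": ["10.0.10.3/32"]}

def addr_match(pattern, addr):
    if pattern == ANY:
        return True
    return any(ip_address(addr) in ip_network(n) for n in GROUPS.get(pattern, [pattern]))

def assign_roles(user):
    """S102 (constructed rule): each group membership is a role, and access
    over SSL VPN adds the role "SSL" on top of the user's other roles."""
    roles = set(user["groups"])
    if user["access"] == "sslvpn":
        roles.add("SSL")
    return roles

def register(role_list, user):
    """Insert the authenticated user's roles into the system role list."""
    role_list[(user["ip"], user["zone"], user["access"])] = assign_roles(user)

def evaluate(rules, role_list, flow):
    """S104: first match over the six-tuple. Roles have no priority of their
    own, only rule order decides; an unmatched flow falls through to Deny."""
    roles = role_list.get((flow["src"], flow["zone"], flow["access"]), set())
    for r in rules:
        if ((r.role == ANY or r.role in roles)
                and addr_match(r.src, flow["src"]) and addr_match(r.dst, flow["dst"])
                and r.sport in (ANY, flow["sport"]) and r.dport in (ANY, flow["dport"])
                and r.proto in (ANY, flow["proto"])):
            return r.action
    return "Deny"

# The page's Contractor/Engineer table as written, and with rows 1 and 2 swapped.
CONTRACTOR_FIRST = [Rule("Contractor", ANY, ANY, "Intranet", "80", "TCP", "Deny"),
                    Rule("Engineer", ANY, ANY, "Intranet", "80", "TCP", "Allow"),
                    Rule(ANY, ANY, ANY, ANY, "80", "TCP", "Allow")]
ENGINEER_FIRST = [CONTRACTOR_FIRST[1], CONTRACTOR_FIRST[0], CONTRACTOR_FIRST[2]]
# The page's fused firewall + SSL VPN policy for the Fig. 2 scenario.
FUSED = [Rule("SSL", ANY, ANY, "Intranet Server", ANY, ANY, "Deny"),
         Rule("Engineer", ANY, ANY, "Eng Server", ANY, ANY, "Allow"),
         Rule(ANY, "Eng_IPs", ANY, ANY, ANY, ANY, "Allow"),
         Rule(ANY, ANY, ANY, "Email Server", ANY, ANY, "Allow")]

def flow(src, zone, access, dst, dport="80", proto="TCP"):
    return {"src": src, "zone": zone, "access": access, "sport": "40000",
            "dst": dst, "dport": dport, "proto": proto}

def ordering_demo():
    """User in both Contractor and Engineer reaching the Intranet on TCP/80:
    denied while the deny rule is first, allowed once the Engineer rule precedes it."""
    rl = {}
    register(rl, {"ip": "10.2.0.5", "zone": "trust", "access": "local",
                  "groups": ["Contractor", "Engineer"]})
    f = flow("10.2.0.5", "trust", "local", "10.0.10.1")
    return evaluate(CONTRACTOR_FIRST, rl, f), evaluate(ENGINEER_FIRST, rl, f)

def fused_demo():
    """Remote engineer over SSL VPN: the "SSL" role blocks the Intranet Server and
    the "Engineer" role opens the Eng Server; a remote non-engineer gets only Email."""
    rl = {}
    register(rl, {"ip": "203.0.113.7", "zone": "untrust", "access": "sslvpn", "groups": ["Engineer"]})
    register(rl, {"ip": "203.0.113.8", "zone": "untrust", "access": "sslvpn", "groups": ["Sales"]})
    eng = lambda dst: evaluate(FUSED, rl, flow("203.0.113.7", "untrust", "sslvpn", dst))
    oth = lambda dst: evaluate(FUSED, rl, flow("203.0.113.8", "untrust", "sslvpn", dst))
    return eng("10.0.10.1"), eng("10.0.10.2"), oth("10.0.10.2"), oth("10.0.10.3")
```

A flow with no role-list entry (an unauthenticated PC) can only match rules whose role is "Any", which is how the Eng_IPs row still admits engineers' internal PCs.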

Claims (8)

1. A method for secure access control, characterized in that the method comprises the following steps:
step 1: during the user's access and authentication process, determining a user role according to user attributes; and
step 2: adding the determined user role to the firewall policy, to realize secure access control based on user role.
2. The method according to claim 1, characterized in that, between said step 1 and said step 2, it further comprises:
establishing a system user-role list, and inserting the determined user role into said system user-role list.
3. The method according to claim 2, characterized in that said step 2 further comprises:
during establishment of a data flow, determining the user role corresponding to said data flow according to the information of said system user-role list and said data flow; and
matching the firewall policy to which user roles have been added according to the determined user role corresponding to said data flow and the lower-layer attributes of said data flow, to realize secure access control based on user role.
4. The method according to claim 3, characterized in that said user attributes comprise one or more of the following: user name, user group, user IP address, security zone in which the user is located, user's access method, PC used by the user, and security state of the PC used by the user.
5. The method according to claim 4, characterized in that said role list consists of the determined user roles and said user attributes.
6. The method according to claim 5, characterized in that the information of said data flow comprises port information, security zone, encryption state and IP header.
7. The method according to claim 6, characterized in that the lower-layer attributes of said data flow comprise the source address, source port, destination address, destination port and protocol type of said data flow.
8. The method according to claim 7, characterized in that said user supports one or more roles.
Application CN200810116950A, filed 2008-07-21 (priority date 2008-07-21), "Method for controlling safe access", status Pending; published as CN101635701A (en) on 2010-01-27.

Family ID: 41594763

Country status: CN (1) CN101635701A (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697450A (en) * 2005-04-14 2005-11-16 西安交大捷普网络科技有限公司 Quick method for realizing authentication function of firewall

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103984295A (en) * 2013-02-12 2014-08-13 西门子公司 Method for user management and a power plant control system thereof for a power plant system
CN105592052A (en) * 2015-09-10 2016-05-18 杭州华三通信技术有限公司 Method and device for configuring firewall rules
CN105592052B (en) * 2015-09-10 2019-06-07 新华三技术有限公司 A kind of firewall rule configuration method and device
CN106375330A (en) * 2016-09-21 2017-02-01 东软集团股份有限公司 Data detection method and device
WO2021046782A1 (en) * 2019-09-11 2021-03-18 Oppo广东移动通信有限公司 Access control method, device, and storage medium
CN113728600A (en) * 2019-09-11 2021-11-30 Oppo广东移动通信有限公司 Access control method, device and storage medium
CN113728600B (en) * 2019-09-11 2023-10-24 Oppo广东移动通信有限公司 Access control method, equipment and storage medium
CN113225409A (en) * 2021-05-27 2021-08-06 北京天融信网络安全技术有限公司 NAT load balancing access method, device and storage medium

Legal Events

Code | Title | Details
C06  | Publication
PB01 | Publication
C10  | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
EE01 | Entry into force of recordation of patent licensing contract
       Assignee: Suzhou Shanshi Network Co., Ltd.
       Assignor: Hillstone Networks Communication Technology (Beijing) Co., Ltd.
       Contract record no.: 2012990000129
       Denomination of invention: A method and device for secure access control based on user
       License type: Exclusive License
       Open date: 20100127
       Record date: 20120326
C12  | Rejection of a patent application after its publication
RJ01 | Rejection of invention patent application after publication
       Application publication date: 20100127