CN104580553B - Method and device for identifying network address translation equipment - Google Patents


Publication number: CN104580553B
Authority: CN (China)
Prior art keywords: address, client, authentication, network, hash value
Legal status: Active
Application number: CN201510055929.9A
Other languages: Chinese (zh)
Other versions: CN104580553A
Inventors: 任献永, 刘洪亮, 樊俊诚, 王斌
Current assignee: Secworld Information Technology Beijing Co Ltd
Original assignee: Secworld Information Technology Beijing Co Ltd
Events: application filed by Secworld Information Technology Beijing Co Ltd; priority to CN201510055929.9A; publication of CN104580553A; application granted; publication of CN104580553B

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 61/00 Network arrangements, protocols or services for addressing or naming > H04L 61/09 Mapping addresses > H04L 61/25 Mapping addresses of the same type > H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 ... for authentication of entities > H04L 63/083 ... for authentication of entities using passwords
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 ... for authentication of entities > H04L 63/0876 ... for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

The invention discloses a method and a device for identifying network address translation equipment. The method comprises the following steps: acquiring first attribute data and a first IP address of a client from an authentication request data packet sent by the client, wherein the first IP address is the IP address of the client indicated by the authentication request data packet and the first attribute data describes the source IP address of the client; verifying the first IP address by using the first attribute data to obtain a verification result; if the verification result indicates that the first IP address is verified successfully, identifying that no network address translation equipment has been accessed in the network where the client is located; and if the verification result indicates that the first IP address is not successfully verified, identifying that network address translation equipment has been accessed in the network where the client is located. The invention solves the problem of the prior art that the gateway cannot identify illegally accessed NAT equipment, which lowers network security; it realizes simple and effective identification of illegally accessed NAT equipment in the network and improves network security.

Description

Method and device for identifying network address translation equipment
Technical Field
The invention relates to the field of internet, in particular to a method and a device for identifying network address translation equipment.
Background
Existing security gateway equipment, such as firewalls, routers and switches, provides clients with access to the internet. Because IPv4 addresses are scarce, most gateway equipment also has a NAT (network address translation) function, and NAT technology is what lets an intranet client reach the internet.
NAT stands for Network Address Translation. It is an IETF (Internet Engineering Task Force) standard that allows an entire organization to appear on the Internet as a single public IP (Internet Protocol) address. IPv4 is the fourth version of the Internet Protocol (IP).
In order to manage authorization of accessing clients, existing security gateway devices generally have a client access authentication function: once a client passes authentication, the gateway ultimately controls access by the IP address corresponding to that client. This method has a serious problem: if the IP address of a data packet arriving at the gateway has been modified, the gateway cannot identify the true source of the packet. For example, a NAT device can translate the IP addresses of all clients in the intranet into the same IP address, so that once one client passes authentication, every client in the intranet can access the internet. Illegitimate clients thereby gain access, which creates a network security risk.
An IP address is an Internet Protocol address, a uniform address format provided by the IP protocol; it allocates a logical address to every network and every host on the Internet so as to hide differences between physical addresses.
For example, client A has the IP address 1.1.1.1 and client B has the IP address 1.1.1.2. Under normal conditions, when client authentication is enabled on the gateway and clients A and B want to access the network through the gateway, they must first perform identity authentication. If client A passes authentication, the gateway records the address 1.1.1.1 in its white list, and subsequent data packets matching that address are forwarded directly. If client B then fails authentication, the IP address of the data packets initiated by client B is 1.1.1.2; when the gateway receives a packet from client B, it finds no address 1.1.1.2 in the white list and refuses to forward the packet. However, if a NAT device has been illegally accessed in the network and changes the packet address from 1.1.1.2 to 1.1.1.1, client B can access the network without performing identity authentication.
As shown in fig. 1, the clients at the far left (client 11', client 12', client 13', client 14', client 15', client 16', ..., client N' in fig. 1) need to access the Internet. The firewall 40' is the common exit: each client that accesses the Internet (the Internet 50' in fig. 1) must first reach the firewall through a switch (switch 21' or switch 22' in fig. 1) to perform client identity authentication. After the authentication server 30' has successfully authenticated the client, the IP address of the authenticated client is recorded on the firewall, and subsequent network access to the Internet is allowed through the firewall only for authenticated IP addresses.
The main problem with this prior-art arrangement is that if the switch (e.g. switch 21') in fig. 1 is replaced by a layer-3 NAT device, or if a NAT device is newly connected between switch 21' and client 11', client 12' and client 13', the source addresses of client 11', client 12' and client 13' are all translated into a single address of the NAT device. The source addresses of the packets from client 11', client 12' and client 13' arriving at the firewall therefore become one and the same, so as soon as one client (e.g. client 11', client 12' or client 13') passes client identity authentication, the other clients (e.g. client 12' and client 13') in the same LAN can access the Internet without performing client authentication, because the firewall only ever sees the one source address translated by the NAT device.
For the problem that a gateway in the prior art cannot identify illegally accessed NAT equipment, which results in low network security, no effective solution has yet been proposed.
Disclosure of Invention
The main object of the invention is to provide a method and a device for identifying network address translation equipment, so as to solve the problem of low network security that arises in the prior art because a gateway cannot identify illegally accessed NAT equipment.
In order to achieve the above object, according to an aspect of an embodiment of the present invention, there is provided an identification method for a network address translation device, the method including: acquiring first attribute data and a first IP address of a client from an authentication request data packet sent by the client, wherein the first IP address is the IP address of the client indicated by the authentication request data packet and the first attribute data describes the source IP address of the client; verifying the first IP address by using the first attribute data to obtain a verification result; if the verification result indicates that the first IP address is verified successfully, identifying that no network address translation equipment has been accessed in the network where the client is located; and if the verification result indicates that the first IP address is not successfully verified, identifying that network address translation equipment has been accessed in the network where the client is located.
Further, before acquiring the first attribute data and the first IP address of the client from the authentication request data packet sent by the client, the identification method further includes: acquiring a second IP address of the client, the second IP address being the source IP address of the client; performing a hash calculation on the second IP address and taking the resulting first hash value as the first attribute data; encapsulating the second IP address and the first hash value into the authentication request data packet; and sending the authentication request data packet to the gateway.
Further, verifying the first IP address by using the first attribute data to obtain the verification result includes: performing a hash calculation on the first IP address to obtain a second hash value; judging whether the first hash value is the same as the second hash value; if the two hash values are the same, judging that the first IP address is successfully verified; and if they differ, judging that the first IP address is not successfully verified.
Further, after identifying that no network address translation device has been accessed in the network where the client is located, the identification method further includes: acquiring authentication configuration parameters and authentication information carried in the authentication request data packet, the authentication configuration parameters including a third IP address and the authentication information including a user name and a password with which the client accesses the Internet; sending the user name and the password to the authentication server corresponding to the third IP address; receiving the authentication result obtained by the authentication server performing identity authentication on the client with the user name and the password; if the authentication result indicates that identity authentication succeeded, determining that identity authentication of the corresponding client is successful; and if the authentication result indicates that identity authentication failed, determining that identity authentication of the corresponding client has failed.
Further, after determining that identity authentication of the corresponding client is successful, the identification method further includes storing the first IP address of the corresponding client in a white list of the gateway. After identifying that no network address translation device has been accessed in the network where the client is located, the identification method further includes: judging whether the first IP address in the authentication request data packet exists in the white list of the gateway; and if the first IP address in the authentication request data packet does not exist in the white list of the gateway, acquiring the authentication configuration parameters and authentication information carried in the authentication request data packet.
In order to achieve the above object, according to another aspect of the embodiments of the present invention, there is provided an identification apparatus for a network address translation device, the apparatus including: a first obtaining module for obtaining first attribute data and a first IP address of the client from an authentication request data packet sent by the client, wherein the first IP address is the IP address of the client indicated by the authentication request data packet and the first attribute data describes the source IP address of the client; a verification module for verifying the first IP address by using the first attribute data to obtain a verification result; a first identification module for identifying that no network address translation equipment has been accessed in the network where the client is located when the verification result indicates that the first IP address is verified successfully; and a second identification module for identifying that network address translation equipment has been accessed in the network where the client is located when the verification result indicates that verification of the first IP address was unsuccessful.
Further, the identification device further comprises: a second obtaining module for obtaining a second IP address of the client before the first attribute data and the first IP address of the client are obtained from the authentication request data packet, wherein the second IP address is the source IP address of the client; a first calculation module for performing a hash calculation on the second IP address and taking the resulting first hash value as the first attribute data; an encapsulation module for encapsulating the second IP address and the first hash value into the authentication request data packet; and a first sending module for sending the authentication request data packet to the gateway.
Further, the verification module includes: a second calculation module for performing a hash calculation on the first IP address to obtain a second hash value; a first judgment module for judging whether the first hash value is the same as the second hash value; a first determining module for determining that the first IP address is successfully verified when the first hash value is the same as the second hash value; and a second determining module for determining that the first IP address is not successfully verified when the first hash value differs from the second hash value.
Further, the identification device further comprises: a third obtaining module for obtaining, after it has been identified that no network address translation equipment has been accessed in the network where the client is located, the authentication configuration parameters and authentication information carried in the authentication request data packet, wherein the authentication configuration parameters include a third IP address and the authentication information includes a user name and a password with which the client accesses the Internet; a second sending module for sending the user name and the password to the authentication server corresponding to the third IP address; a receiving module for receiving the authentication result obtained by the authentication server performing identity authentication on the client with the user name and the password; a third determining module for determining that identity authentication of the corresponding client is successful when the authentication result indicates success; and a fourth determining module for determining that identity authentication of the corresponding client has failed when the authentication result indicates failure.
Further, the identification device further comprises: a storage module for storing the first IP address of the corresponding client in a white list of the gateway after identity authentication of the corresponding client has been determined to be successful; a second judgment module for judging, after it has been identified that no network address translation equipment has been accessed in the network where the client is located, whether the first IP address in the authentication request data packet exists in the white list of the gateway; and a fourth obtaining module for obtaining the authentication configuration parameters and authentication information carried in the authentication request data packet when the first IP address in the authentication request data packet does not exist in the white list of the gateway.
By adopting the embodiment of the invention, after the first attribute data and the first IP address of the client have been obtained from the authentication request data packet sent by the client, the first IP address is verified using the first attribute data to obtain a verification result; if the verification result indicates that the first IP address is successfully verified, it is identified that no network address translation equipment has been accessed in the network where the client is located, and if the verification result indicates that the first IP address is not successfully verified, it is identified that network address translation equipment has been accessed in that network. In this embodiment the first attribute data carried in the authentication request packet is used to check the IP address carried in the same packet, so as to determine whether that IP address has been modified by a NAT device and thereby whether a NAT device has been illegally accessed in the network. Specifically, if the check of the IP address of the authentication request packet succeeds, the IP address is consistent with the source IP address of the client, i.e. it has not been modified by a NAT device, and it can be determined that no illegally accessed NAT device is present in the network; if the check fails, the IP address is inconsistent with the source IP address of the client, i.e. it has been modified by an illegally accessed NAT device in the network, and the presence of an illegally accessed NAT device can be determined.
The embodiment of the invention thus solves the problem of the prior art that the gateway cannot identify illegally accessed NAT equipment, which lowers network security; it realizes simple and effective identification of illegally accessed NAT equipment in the network and improves network security.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the invention and, together with the description, serve to explain the invention and not to limit the invention. In the drawings:
Fig. 1 is a schematic diagram of a client accessing the Internet according to the prior art;
Fig. 2 is a flowchart of an identification method for a network address translation device according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of an alternative client authentication system according to an embodiment of the present invention;
Fig. 4 is a timing diagram of an alternative authentication server authenticating a client according to an embodiment of the present invention;
Fig. 5 is a flow chart of an alternative network address translation device identification method according to an embodiment of the present invention; and
Fig. 6 is a schematic diagram of an identification device for a network address translation apparatus according to an embodiment of the present invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged under appropriate circumstances in order to facilitate the description of the embodiments of the invention herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The embodiment of the invention provides an identification method of network address translation equipment.
Fig. 2 is a flowchart of an identification method for a network address translation device according to an embodiment of the present invention. As shown in fig. 2, the identification method may include the following steps:
Step S202, first attribute data and a first IP address of the client are obtained from the authentication request data packet sent by the client.
The first IP address is the IP address of the client indicated by the authentication request data packet, and the first attribute data describes the source IP address of the client.
Step S204, the first IP address is verified using the first attribute data, and a verification result is obtained.
Step S206, if the verification result indicates that the first IP address is successfully verified, it is identified that no network address translation equipment has been accessed in the network where the client is located.
Step S208, if the verification result indicates that the first IP address is not successfully verified, it is identified that network address translation equipment has been accessed in the network where the client is located.
By adopting the embodiment of the invention, after the first attribute data and the first IP address of the client have been obtained from the authentication request data packet sent by the client, the first IP address is verified using the first attribute data to obtain a verification result; if the verification result indicates that the first IP address is successfully verified, it is identified that no network address translation equipment has been accessed in the network where the client is located, and if the verification result indicates that the first IP address is not successfully verified, it is identified that network address translation equipment has been accessed in that network. In this embodiment the first attribute data carried in the authentication request packet is used to check the IP address carried in the same packet, so as to determine whether that IP address has been modified by a NAT device and thereby whether a NAT device has been illegally accessed in the network. Specifically, if the check of the IP address of the authentication request packet succeeds, the IP address is consistent with the source IP address of the client, i.e. it has not been modified by a NAT device, and it can be determined that no illegally accessed NAT device is present in the network; if the check fails, the IP address is inconsistent with the source IP address of the client, i.e. it has been modified by an illegally accessed NAT device in the network, and the presence of an illegally accessed NAT device can be determined.
The embodiment of the invention thus solves the problem of the prior art that the gateway cannot identify illegally accessed NAT equipment, which lowers network security; it realizes simple and effective identification of illegally accessed NAT equipment in the network and improves network security.
According to the above embodiment of the present invention, before acquiring the first attribute data and the first IP address of the client from the authentication request data packet sent by the client, the identification method may further include: acquiring a second IP address of the client, the second IP address being the source IP address of the client; performing a hash calculation on the second IP address and taking the resulting first hash value as the first attribute data; encapsulating the second IP address and the first hash value into the authentication request data packet; and sending the authentication request data packet to the gateway.
Specifically, before the first attribute data and the first IP address are acquired from an authentication request data packet, the client acquires its second IP address (i.e. its source IP address), performs a hash calculation on that address to obtain a first hash value, uses the first hash value as the first attribute data, encapsulates it together with the second IP address into the authentication request data packet, and sends the packet to the gateway, so that the identity authentication required for internet access can be performed on the client that sent the packet.
In the above embodiment of the present invention, verifying the first IP address using the first attribute data and obtaining the verification result may include: performing a hash calculation on the first IP address to obtain a second hash value; judging whether the first hash value is the same as the second hash value; if the two hash values are the same, judging that the first IP address is successfully verified; and if they differ, judging that the first IP address is not successfully verified.
Specifically, the gateway performs a hash calculation on the first IP address of the client indicated by the received authentication request packet to obtain a second hash value, and then judges whether the first hash value (computed by the client over its source IP address, i.e. the second IP address) is the same as the second hash value. If the two are the same, the source IP address of the client is the same as the first IP address in the authentication request packet, the first IP address is judged to be successfully verified, i.e. it has not been modified by NAT equipment, and no NAT equipment has been accessed in the network where the client is located. If the two differ, the source IP address of the client is different from the first IP address in the authentication request packet, the first IP address is judged not to be successfully verified, i.e. it has been modified by NAT equipment, and NAT equipment has been accessed in the network where the client is located.
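The hash check just described, as an added worked example rather than code from the patent or from its assignee. It assumes SHA-256 over the dotted-quad string as the hash calculation (the text names no algorithm), models the authentication request data packet as a dict whose "ip" field stands for the IP header's source address (the first IP address) and whose "ip_hash" field carries the first attribute data in the payload, and uses a constructed authentication-server address 10.0.0.5. The NAT device is simulated by a function that rewrites only the address field and leaves the payload alone, which is the behaviour the description attributes to it.

```python
"""Hash-based address check of the authentication request (steps S202-S208).

Added worked example, not code from the patent.  Assumptions not fixed by the
text: the hash calculation is SHA-256 over the dotted-quad address string, and
the authentication request data packet is a dict whose "ip" field plays the
role of the IP header's source address (the first IP address) and whose
"ip_hash" field carries the first attribute data inside the payload.
"""
import hashlib
import hmac
import ipaddress


def ip_hash(ip: str) -> str:
    """Hash calculation over an IP address (SHA-256 is an assumption; the patent
    names no algorithm).  Malformed addresses raise ValueError."""
    normalized = str(ipaddress.ip_address(ip))
    return hashlib.sha256(normalized.encode("ascii")).hexdigest()


def build_auth_request(source_ip: str, username: str, password: str,
                       auth_server_ip: str) -> dict:
    """Client side: acquire the second IP address (the client's own source IP),
    hash it to obtain the first hash value, and encapsulate address, hash and
    authentication information into the authentication request data packet."""
    return {
        "ip": source_ip,                 # first IP address as seen by the gateway
        "ip_hash": ip_hash(source_ip),   # first attribute data (first hash value)
        "auth_server": auth_server_ip,   # authentication configuration parameter (third IP address)
        "username": username,            # authentication information
        "password": password,
    }


def nat_rewrite(packet: dict, nat_ip: str) -> dict:
    """Stand-in for a NAT device on the path: it rewrites the address the packet
    carries for the client and leaves the payload, including the hash, untouched."""
    rewritten = dict(packet)
    rewritten["ip"] = nat_ip
    return rewritten


def verify_first_ip(packet: dict) -> bool:
    """Gateway side (step S204): recompute the hash over the first IP address to
    get the second hash value and compare it with the first hash value."""
    second_hash = ip_hash(packet["ip"])
    return hmac.compare_digest(second_hash, packet["ip_hash"])


def nat_present(packet: dict) -> bool:
    """Steps S206/S208: a failed check means the address was modified on the way."""
    return not verify_first_ip(packet)


if __name__ == "__main__":
    # Constructed scenario from the background section: client B at 1.1.1.2 and a
    # NAT device translating to 1.1.1.1; 10.0.0.5 is a constructed server address.
    request = build_auth_request("1.1.1.2", "clientB", "example-password", "10.0.0.5")
    print("direct path, NAT present:", nat_present(request))                         # False
    print("via NAT,     NAT present:", nat_present(nat_rewrite(request, "1.1.1.1")))  # True
```

Running the file shows the check passing on the direct path and failing once the address has been rewritten. Two design points are worth noting: the digests are compared with `hmac.compare_digest` rather than `==`, so comparison time does not depend on where they differ; and the check covers exactly the case the description targets, a NAT device that rewrites the address and leaves the payload alone. Because the hash is taken over a value that is visible on the wire, a device that also recomputed the hash over the translated address would pass, so where that case matters the usual hardening is a keyed hash (HMAC) under a secret shared by client and gateway; the patent text does not describe one, and the example follows the text.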
According to the above embodiment of the present invention, after identifying that no network address translation device has been accessed in the network where the client is located, the identification method may further include: acquiring the authentication configuration parameters and authentication information carried in the authentication request data packet, where the authentication configuration parameters may include a third IP address and the authentication information may include a user name and a password with which the client accesses the Internet; sending the user name and the password to the authentication server corresponding to the third IP address; receiving the authentication result obtained by the authentication server performing identity authentication on the client with the user name and the password; if the authentication result indicates that identity authentication succeeded, determining that identity authentication of the corresponding client is successful; and if the authentication result indicates that identity authentication failed, determining that identity authentication of the corresponding client has failed.
Specifically, once it has been established that no NAT equipment has been accessed in the network, identity authentication of the client is carried out by verifying the user name and password with which the client accesses the Internet: the user name and password are sent to the authentication server corresponding to the third IP address, the authentication result obtained by that server from the user name and password is received, and if the result indicates success, identity authentication of the corresponding client is determined to be successful; if it indicates failure, identity authentication of the corresponding client is determined to have failed.
In this embodiment, the authentication configuration parameters may include the third IP address identifying the authentication server, the port number of the authentication port, the version number of the authentication protocol, and the like; the authentication information is the information the client needs in order to access the internet, and may include the client's user name and password for internet access as well as attribute parameters of the client (such as the department to which the client belongs).
With the above embodiment, address verification is added to the existing authentication process, which thereby optimizes the prior-art authentication process: a hash value of the source IP address (the first hash value above) is added to the authentication request data packet, the IP address of the authentication request data packet (the first IP address above) is verified using that hash value, and thus it is determined whether NAT equipment has been accessed on the network link where the client is located.
Further, after determining that identity authentication of the corresponding client is successful, the identification method may further include storing the first IP address of the corresponding client in a white list of the gateway; and after identifying that no network address translation device has been accessed in the network where the client is located, the identification method may include: judging whether the first IP address in the authentication request data packet exists in the white list of the gateway; and if the first IP address in the authentication request data packet does not exist in the white list of the gateway, acquiring the authentication configuration parameters and authentication information carried in the authentication request data packet.
Specifically, after it is determined that the corresponding client has passed identity authentication, the first IP address of the client is stored in the white list of the gateway. The next time the gateway is about to perform identity authentication on the client corresponding to a received authentication request packet (i.e. acquire the authentication configuration parameters and authentication information carried in the packet), it first determines whether the IP address in the client's authentication request packet (the first IP address above) is stored in the white list. If it is, the client's data packet is forwarded directly without performing identity authentication on the client; if it is not, identity authentication is performed on the client, i.e. the authentication configuration parameters and authentication information carried in the authentication request packet are acquired, and the client is authenticated using the user name and password in the authentication information.
Through the embodiment of the invention, the IP address of the successfully authenticated client is stored in the white list of the gateway, and the client is not authenticated any more when the request for accessing the internet, which is sent by the client, is received again next time, so that the operation time is saved, and the speed of processing the request for accessing the internet is increased.
In an alternative embodiment, the above-mentioned embodiment of the present invention may be implemented by a system as shown in fig. 3, wherein the system may include: authentication client 20, authentication parameter configuration module 40, authentication service module 60, and session management module 80.
The authentication client is client software running on the client and used for initiating an authentication request data packet; the authentication parameter configuration module is configured to configure the user parameters of the gateway (i.e., the authentication configuration parameters in the above embodiment of the present invention), where the user parameters of the gateway may include an IP address of the authentication server, a port number of the authentication port, a version of the authentication protocol, and the like; the authentication service module is used for exchanging authentication information with the client according to the user parameters of the gateway (namely, performing identity authentication on the client in the embodiment of the invention), and sending the authentication result to the session management module; the session management module is used for managing the sessions which have passed authentication, namely, after the identity authentication of the client succeeds, the gateway directly forwards the data packets of the client without performing identity authentication again.
Further, the system shown in fig. 3 can realize the functions thereof through the flow shown in fig. 4, and the above-described embodiment of the present invention is described in detail below with reference to fig. 3 and 4.
Specifically, the authentication client on the client 10 first initiates an authentication request data packet as a user authentication request (corresponding to step S202 in the foregoing embodiment of the present invention), where the authentication request data packet includes a special field, and the special field records a first HASH value (i.e., a first HASH value in the foregoing embodiment of the present invention) of a source IP address of the client that initiated the authentication request data packet; after receiving the authentication request packet, the gateway 30 first performs HASH value verification (corresponding to step S204 in the foregoing embodiment of the present invention), that is, calculates a second HASH value of the IP address of the received authentication request packet (i.e., the second HASH value in the foregoing embodiment of the present invention), compares the first HASH value with the second HASH value, and if the calculated second HASH value is consistent with the first HASH value recorded in the authentication request packet, it indicates that the authentication request packet does not pass through the NAT device in the transmission process; and if the calculated second HASH value is not consistent with the first HASH value recorded in the authentication request data packet, indicating that the authentication request data packet passes through the NAT equipment in the transmission process.
In the embodiment of the present invention, the HASH value is the hash value, i.e., the output of a hash function computed over the IP address.
Further, after the HASH value check is performed on the user authentication request, step S402 is performed: the user authentication request is processed.
Specifically, if the authentication request packet of the user authentication request passed through a NAT device in the transmission process, step S404 is executed: the user authentication request is rejected, an authentication result is generated, and the authentication result is returned to the corresponding client; if the authentication request data packet of the user authentication request did not pass through a NAT device in the transmission process, the gateway sends the user authentication request to the authentication firewall 50 to execute the subsequent user authentication process, the authentication service module uses the authentication information in the user authentication request to perform identity authentication on the client, and step S406 is executed: the obtained authentication result is returned to the client.
This embodiment is described in detail below with reference to fig. 5. The identification method as shown in fig. 5 may include the steps of:
step S502, receiving a user authentication request initiated by a client.
Specifically, a user authentication request initiated by an authentication client on a client is received, wherein a first HASH value of a source IP address of the client is recorded in an authentication request data packet of the user authentication request.
Step S504, hash check is performed on the IP address in the user authentication request, and a check result is obtained.
Specifically, a second HASH value of the IP address (i.e., the first IP address in the above embodiment) in the user authentication request is calculated, and the second HASH value is checked using the first HASH value (e.g., comparing whether the first HASH value is the same as the second HASH value), so as to obtain a check result.
Step S506, determine whether the verification result is successful.
Specifically, if the verification result indicates that the first HASH value is the same as the second HASH value, it is determined that the verification result is successful; and if the verification result indicates that the first HASH value is different from the second HASH value, judging that the verification result is unsuccessful.
When the verification result is that the verification is successful, step S508 is executed; when the verification result is that the verification is unsuccessful, step S514 is executed.
Step S508, the authentication server performs identity authentication on the client and generates an authentication result.
Specifically, the authentication service module of the gateway uploads authentication information (such as a user name and a password for a client to access the internet) in a user authentication request to the authentication server, and the authentication server performs identity authentication on the client through the authentication information and generates an authentication result.
Step S510, determine whether the authentication result is successful.
Specifically, if the authentication result indicates that the client passes the identity authentication, the authentication result is judged to be successful; if the authentication result indicates that the client fails in identity authentication, the authentication result is judged to be unsuccessful.
When the authentication result is that the authentication is successful, step S512 is executed; when the authentication result is that the authentication is unsuccessful, step S516 is executed.
In step S512, the session management module records the IP address of the client.
Specifically, when the authentication result is that the authentication is successful, the session management module of the gateway records the IP address of the client, and when the gateway receives the data packet initiated by the client again, the gateway does not perform the identity authentication step of the client any more, but directly forwards the data packet of the client.
Step S514, it is determined that the NAT device is detected.
Step S516, determining that the authentication fails, and returning the generated failure prompt information to the client.
The failure prompt message may include a verification failure prompt message and an authentication failure prompt message.
Specifically, when the verification result is that verification is unsuccessful, verification failure prompt information is generated and returned to the client, so as to prompt that the network link where the client is located has access to the NAT device, resulting in authentication failure; and under the condition that the authentication result is unsuccessful, generating authentication failure prompt information, and returning the authentication failure prompt information to the client to prompt that the authentication information of the client is incorrect and the authentication fails.
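The flow of steps S502 to S516 above, together with the white-list short cut described earlier (storing the IP address of a successfully authenticated client so that its later packets are forwarded without re-authentication), as an added example in Python. This is not code from the patent or from the assignee; the wire layout of the authentication request (a magic marker, the second IP address, the first hash value and length-prefixed credentials), the choice of SHA-256 as the hash, the `Packet`, `Gateway`, `nat_translate` and `auth_server` names, the credential store and all addresses are constructed assumptions. The IP header source address is modelled as a plain field so that a simulated NAT hop can rewrite it while leaving the payload untouched, which is exactly the condition the hash check is meant to expose.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

# Constructed payload layout; the patent only says a "special field" carries the hash.
MAGIC = b"NATC"
HEADER_FMT = "!4s4s32sHH"   # magic, second IP address, first hash value, user len, password len
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 44 bytes


def hash_ip(ip: str) -> bytes:
    """Hash value of an IPv4 address. SHA-256 over the 4 packed address bytes is an
    assumption of this example: the page only says a hash is used, not which one."""
    return hashlib.sha256(ipaddress.IPv4Address(ip).packed).digest()


@dataclass
class Packet:
    """Minimal stand-in for an IP packet: header source address (what a NAT rewrites)
    plus the untouched authentication payload."""
    src_ip: str
    payload: bytes


def build_auth_request(client_ip: str, username: str, password: str) -> Packet:
    """Authentication client (S502): hash its own source IP (second IP address) and
    encapsulate the address, the first hash value and the credentials."""
    user, pw = username.encode(), password.encode()
    header = struct.pack(HEADER_FMT, MAGIC, ipaddress.IPv4Address(client_ip).packed,
                         hash_ip(client_ip), len(user), len(pw))
    return Packet(src_ip=client_ip, payload=header + user + pw)


def parse_auth_request(payload: bytes) -> dict:
    """Gateway side: recover the second IP address, first hash value and credentials."""
    if len(payload) < HEADER_LEN:
        raise ValueError("truncated authentication request")
    magic, ip_raw, first_hash, ulen, plen = struct.unpack(HEADER_FMT, payload[:HEADER_LEN])
    if magic != MAGIC or len(payload) != HEADER_LEN + ulen + plen:
        raise ValueError("malformed authentication request")
    body = payload[HEADER_LEN:]
    return {"second_ip": str(ipaddress.IPv4Address(ip_raw)), "first_hash": first_hash,
            "username": body[:ulen].decode(), "password": body[ulen:ulen + plen].decode()}


def nat_translate(pkt: Packet, public_ip: str) -> Packet:
    """Simulated NAT hop: the header source address changes, the payload does not."""
    return Packet(src_ip=public_ip, payload=pkt.payload)


# Constructed credential store standing in for the authentication server at the third IP address.
AUTH_DB = {"alice": "correct-horse-battery"}


def auth_server(username: str, password: str) -> bool:
    expected = AUTH_DB.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


class Gateway:
    """Hash check (S504/S506), identity authentication (S508/S510) and the
    session-management white list (S512) of the flow in fig. 5."""

    def __init__(self):
        self.whitelist = set()   # IP addresses of successfully authenticated clients

    def handle(self, pkt: Packet) -> dict:
        req = parse_auth_request(pkt.payload)
        # First IP address = the source address the gateway actually sees. Recompute
        # its hash (second hash value) and compare with the carried first hash value.
        if not hmac.compare_digest(hash_ip(pkt.src_ip), req["first_hash"]):
            # S514/S516: the address was rewritten on the way, so a NAT is present.
            return {"result": "rejected", "reason": "verification_failed", "nat_detected": True,
                    "first_ip": pkt.src_ip, "second_ip": req["second_ip"]}
        # White-list short cut: an already authenticated address is forwarded directly.
        if pkt.src_ip in self.whitelist:
            return {"result": "forwarded", "nat_detected": False}
        # S508/S510: credentials go to the authentication server.
        if not auth_server(req["username"], req["password"]):
            return {"result": "rejected", "reason": "authentication_failed", "nat_detected": False}
        self.whitelist.add(pkt.src_ip)   # S512: session management records the client IP
        return {"result": "authenticated", "nat_detected": False}


if __name__ == "__main__":
    gw = Gateway()
    direct = build_auth_request("10.0.0.5", "alice", "correct-horse-battery")
    print(gw.handle(direct))            # authenticated, no NAT
    print(gw.handle(direct))            # forwarded via white list
    behind_nat = nat_translate(build_auth_request("192.168.1.20", "alice",
                                                  "correct-horse-battery"), "203.0.113.7")
    print(gw.handle(behind_nat))        # rejected, verification_failed, NAT detected
```

Because the hash check runs before the white-list lookup, an address that a translator has rewritten never reaches the white list, so the list cannot turn into a shared pass for every host behind that translator. The check itself only tells the gateway whether the source address the client saw matches the one the gateway sees; the credentials are still what establish who the client is.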
Through the embodiment of the invention, the user authentication request of the client passing through the NAT equipment is rejected through the authentication client and each module (such as the authentication parameter configuration module, the authentication service module and the session management module) of the gateway, and the user authentication request of the client with incorrect authentication information is rejected, so that the client can be ensured to be safely accessed to the network, meanwhile, the illegal access of the illegal client is prevented, and the safety of the client accessing to the Internet is improved.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
The embodiment of the invention also provides an identification device of the network address translation equipment. The device can realize the functions thereof by the identification method of the network address translation equipment in the embodiment of the invention.
Fig. 6 is a schematic diagram of an identification device of a network address translation apparatus according to an embodiment of the present invention. As shown in fig. 6, the identification means may include: a first obtaining module 70, configured to obtain first attribute data and a first IP address of the client in an authentication request data packet sent by the client, where the first IP address is the IP address of the client indicated by the authentication request data packet, and the first attribute data is used to describe the source IP address of the client; a checking module 90, configured to check the first IP address by using the first attribute data to obtain a checking result; a first identifying module 110, configured to identify that no network address translation device is accessed in the network where the client is located if the checking result indicates that the first IP address is successfully verified; and a second identifying module 130, configured to identify that a network address translation device is accessed in the network where the client is located if the checking result indicates that the first IP address is not successfully verified.
By adopting the embodiment of the invention, after the first attribute data and the first IP address of the client in the authentication request data packet sent by the client are obtained, the first IP address is verified by using the first attribute data to obtain a verification result; if the verification result indicates that the first IP address is successfully verified, it is identified that no network address translation device is accessed in the network where the client is located, and if the verification result indicates that the first IP address is not successfully verified, it is identified that a network address translation device is accessed in the network where the client is located. In the above embodiment of the present invention, the first attribute data carried in the authentication request packet is used to check the IP address carried in the authentication request packet, so as to determine whether the IP address of the authentication request packet has been modified by a NAT device, thereby identifying whether a NAT device is illegally accessed in the network. Specifically, if the check of the IP address of the authentication request packet is successful, the IP address is consistent with the source IP address of the client, that is, the IP address of the authentication request packet has not been modified by a NAT device, and it can be determined that there is no illegally accessed NAT device in the network; if the check of the IP address of the authentication request packet is unsuccessful, the IP address is inconsistent with the source IP address of the client, that is, the IP address of the authentication request packet has been modified by an illegally accessed NAT device, and it can be determined that there is an illegally accessed NAT device in the network.
The embodiment of the invention solves the problem of low network security caused by the fact that the gateway cannot identify the illegally accessed NAT equipment in the prior art, realizes simple and effective identification of the illegally accessed NAT equipment in the network, and improves the network security.
According to the above embodiment of the present invention, the identification apparatus may further include: the second obtaining module is used for obtaining a second IP address of the client before obtaining the first attribute data and the first IP address of the client in the authentication request data packet sent by the client, wherein the second IP address is a source IP address of the client; the first calculation module is used for performing hash calculation on the second IP address and taking the obtained first hash value as first attribute data; the encapsulation module is used for encapsulating the second IP address and the first hash value into an authentication request data packet; and the first sending module is used for sending the authentication request data packet to the gateway.
Specifically, before acquiring first attribute data of a client and a first IP address in an authentication request data packet, a second IP address (i.e., a source IP address) of the client is acquired, hash calculation is performed on the IP address to obtain a first hash value, the first hash value is used as the first attribute data and is encapsulated into the authentication request data packet together with the second IP address, and the authentication request data packet is sent to a gateway, so as to perform identity authentication required for internet access on the client sending the authentication request data packet.
In the above embodiment of the present invention, the checking module may include: the second calculation module is used for carrying out hash calculation on the first IP address to obtain a second hash value; the first judgment module is used for judging whether the first hash value is the same as the second hash value; the first determining module is used for determining that the first IP address is successfully verified under the condition that the first hash value is the same as the second hash value; and the second determining module is used for determining that the first IP address is not successfully verified under the condition that the first hash value is different from the second hash value.
Specifically, performing hash calculation on a first IP address of a client indicated by an acquired authentication request packet to obtain a second hash value, and then judging whether a first hash value of a source IP address (i.e., a second IP address) of the client is the same as the second hash value, if the first hash value is the same as the second hash value, which indicates that the source IP address of the client is the same as the first IP address of the authentication request packet, judging that the first IP address is successfully verified, that is, the first IP address of the authentication request packet is not modified by NAT equipment, and no NAT equipment is accessed in a network where the client is located; if the first hash value is different from the second hash value, which indicates that the source IP address of the client is different from the first IP address of the authentication request packet, it is determined that the first IP address is not successfully verified, that is, the first IP address of the authentication request packet is modified by the NAT device, and the NAT device is accessed to the network where the client is located.
According to the above embodiment of the present invention, the identification apparatus may further include: a third obtaining module, configured to obtain authentication configuration parameters and authentication information carried in the authentication request data packet after it is identified that no network address translation device is accessed in the network where the client is located, where the authentication configuration parameters may include a third IP address, and the authentication information may include a user name and a password for the client to access the internet; a second sending module, configured to send the user name and the password to the authentication server corresponding to the third IP address; a receiving module, configured to receive an authentication result obtained by the authentication server performing identity authentication on the client by using the user name and the password; a third determining module, configured to determine that the identity authentication of the corresponding client is successful when the authentication result indicates that the identity authentication is successful; and a fourth determining module, configured to determine that the identity authentication of the corresponding client fails when the authentication result indicates that the identity authentication fails.
Specifically, after the NAT equipment is not accessed in the network, the identity authentication is carried out on the client side by verifying the user name and the password of the client side for accessing the Internet, namely, the user name and the password are sent to an authentication server corresponding to a third IP address, the authentication result obtained by the authentication server for carrying out the identity authentication on the client side by using the user name and the password is received, and if the authentication result indicates that the identity authentication is successful, the identity authentication of the corresponding client side is determined to be successful; and if the authentication result indicates that the identity authentication fails, determining that the identity authentication of the corresponding client fails.
In this embodiment, the authentication configuration parameter may include a third IP address indicating the authentication server, a port number of the authentication port, a version number of the authentication protocol, and the like; the authentication information is information required by the client to access the internet, and may include a user name and a password of the client to access the internet and attribute parameters of the client (such as a department where the client is located).
By the above embodiment of the present invention, address verification is added to the existing authentication process, and the authentication process in the prior art is optimized, that is, by adding a hash value of a source IP address (i.e., the first hash value in the above embodiment) to a data packet of an authentication request and verifying the IP address of the data packet of the authentication request (i.e., the first IP address in the above embodiment) using the hash value, whether NAT equipment is accessed in a network link where a client is located is determined.
Further, the identification apparatus may further include: a storage module, configured to store the first IP address of the corresponding client into a white list of the gateway after the identity authentication of the corresponding client is determined to be successful; the identification device may further include: a second judgment module, configured to judge, after it is identified that no network address translation device is accessed in the network where the client is located, whether the first IP address in the authentication request data packet exists in the white list of the gateway; and a fourth obtaining module, configured to obtain the authentication configuration parameters and the authentication information carried in the authentication request data packet when the first IP address in the authentication request data packet does not exist in the white list of the gateway.
Specifically, after it is determined that the corresponding client successfully passes the identity authentication, the first IP address of the client is stored in a white list of the gateway, before the gateway performs the identity authentication on the client corresponding to the received authentication request packet next time (i.e., acquires the authentication configuration parameters and the authentication information carried in the authentication request packet), it is first determined whether the white list of the gateway stores the IP address in the authentication request packet of the client (i.e., the first IP address in the above embodiment), and if the white list of the gateway stores the IP address in the authentication request packet of the client, the data packet of the client is directly forwarded without performing the identity authentication on the client; and if the white list of the gateway does not store the IP address in the authentication request data packet of the client, performing identity authentication on the client, namely acquiring authentication configuration parameters and authentication information carried in the authentication request data packet, and performing identity authentication on the client by using a user name and a password in the authentication information.
Through the embodiment of the invention, the IP address of the successfully authenticated client is stored in the white list of the gateway, and the client is not authenticated any more when the request for accessing the internet, which is sent by the client, is received again next time, so that the operation time is saved, and the speed of processing the request for accessing the internet is increased.
Each module provided in this embodiment is used in the same way as the corresponding step of the method embodiment, and the application scenario may also be the same. Of course, it should be noted that the solution involving the modules is not limited to the content and scenarios of the above embodiments; the modules may be executed in a computer terminal or a mobile terminal, and may be implemented by software or hardware.
From the above description, it can be seen that the present invention achieves the following technical effects:
by adopting the embodiment of the invention, after the first attribute data and the first IP address of the client in the authentication request data packet sent by the client are obtained, the first IP address is verified by using the first attribute data to obtain a verification result; if the verification result indicates that the first IP address is successfully verified, it is identified that no network address translation device is accessed in the network where the client is located, and if the verification result indicates that the first IP address is not successfully verified, it is identified that a network address translation device is accessed in the network where the client is located. In the above embodiment of the present invention, the first attribute data carried in the authentication request packet is used to check the IP address carried in the authentication request packet, so as to determine whether the IP address of the authentication request packet has been modified by a NAT device, thereby identifying whether a NAT device is illegally accessed in the network. Specifically, if the check of the IP address of the authentication request packet is successful, the IP address is consistent with the source IP address of the client, that is, the IP address of the authentication request packet has not been modified by a NAT device, and it can be determined that there is no illegally accessed NAT device in the network; if the check of the IP address of the authentication request packet is unsuccessful, the IP address is inconsistent with the source IP address of the client, that is, the IP address of the authentication request packet has been modified by an illegally accessed NAT device, and it can be determined that there is an illegally accessed NAT device in the network.
The embodiment of the invention solves the problem of low network security caused by the fact that the gateway cannot identify the illegally accessed NAT equipment in the prior art, realizes simple and effective identification of the illegally accessed NAT equipment in the network, and improves the network security.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and they may alternatively be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, or fabricated separately as individual integrated circuit modules, or fabricated as a single integrated circuit module from multiple modules or steps. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (8)

1. A method for identifying a network address translation device, comprising:
acquiring first attribute data and a first IP address of a client in an authentication request data packet sent by the client, wherein the first IP address is the IP address of the client indicated by the authentication request data packet, and the first attribute data is used for describing the source IP address of the client;
verifying the first IP address by using the first attribute data to obtain a verification result;
if the verification result indicates that the first IP address is verified successfully, identifying that the network address translation equipment is not accessed in the network where the client is located;
if the verification result indicates that the first IP address is not successfully verified, identifying that the network address translation equipment is accessed to the network where the client is located;
after identifying that the network address translation device is not accessed in the network where the client is located, the identification method further includes:
acquiring authentication configuration parameters and authentication information carried in the authentication request data packet, wherein the authentication configuration parameters comprise a third IP address, a port number of an authentication port and a version number of an authentication protocol, and the authentication information comprises a user name and a password of the client for accessing the Internet and attribute parameters of the client;
sending the user name and the password to an authentication server corresponding to the third IP address;
receiving an authentication result obtained by the authentication server performing identity authentication on the client by using the user name and the password;
if the authentication result indicates that the identity authentication is successful, determining that the identity authentication of the corresponding client is successful;
and if the authentication result indicates that the identity authentication fails, determining that the identity authentication of the corresponding client fails.
2. The identification method according to claim 1, wherein before acquiring the first attribute data and the first IP address of the client in the authentication request packet sent by the client, the identification method further comprises:
acquiring a second IP address of the client, wherein the second IP address is a source IP address of the client;
performing hash calculation on the second IP address, and taking an obtained first hash value as the first attribute data;
encapsulating the second IP address and the first hash value into the authentication request data packet;
and sending the authentication request data packet to a gateway.
3. The identification method according to claim 2, wherein verifying the first IP address by using the first attribute data to obtain the verification result comprises:
performing hash calculation on the first IP address to obtain a second hash value;
judging whether the first hash value is the same as the second hash value;
if the first hash value is the same as the second hash value, judging that the first IP address is successfully verified;
and if the first hash value is different from the second hash value, judging that the first IP address is not successfully verified.
4. The identification method according to claim 1,
after determining that the identity authentication of the corresponding client is successful, the identification method further includes: storing the first IP address of the corresponding client into a white list of a gateway;
after identifying that the network address translation device is not accessed in the network where the client is located, the identification method further includes: judging whether the first IP address in the authentication request data packet exists in a white list of the gateway or not; and if the first IP address in the authentication request data packet does not exist in a white list of the gateway, acquiring the authentication configuration parameters and the authentication information carried in the authentication request data packet.
5. An apparatus for identifying a network address translation device, comprising:
a first obtaining module, configured to obtain first attribute data and a first IP address of a client in an authentication request data packet sent by the client, where the first IP address is an IP address of the client indicated by the authentication request data packet, and the first attribute data is used to describe a source IP address of the client;
the verification module is used for verifying the first IP address by using the first attribute data to obtain a verification result;
the first identification module is used for identifying that the network address translation equipment is not accessed in the network where the client is located under the condition that the verification result indicates that the first IP address is verified successfully;
the second identification module is used for identifying that the network address translation equipment is accessed to the network where the client is located under the condition that the verification result indicates that the first IP address is not verified;
the identification device further comprises:
a third obtaining module, configured to obtain, after it is identified that a network address translation device is not accessed in a network where the client is located, an authentication configuration parameter and authentication information carried in the authentication request packet, where the authentication configuration parameter includes a third IP address, a port number of an authentication port, and a version number of an authentication protocol, and the authentication information includes a user name and a password for the client to access the Internet, and an attribute parameter of the client;
the second sending module is used for sending the user name and the password to an authentication server corresponding to the third IP address;
a receiving module, configured to receive an authentication result obtained by the authentication server performing identity authentication on the client using the user name and the password;
a third determining module, configured to determine that the identity authentication of the corresponding client is successful if the authentication result indicates that the identity authentication is successful;
and the fourth determining module is used for determining that the identity authentication of the corresponding client fails under the condition that the authentication result indicates that the identity authentication fails.
6. The identification device of claim 5, further comprising:
a second obtaining module, configured to obtain a second IP address of a client before obtaining first attribute data and a first IP address of the client in an authentication request data packet sent by the client, where the second IP address is a source IP address of the client;
the first calculation module is used for performing hash calculation on the second IP address and taking an obtained first hash value as the first attribute data;
an encapsulation module, configured to encapsulate the second IP address and the first hash value into the authentication request packet;
and the first sending module is used for sending the authentication request data packet to a gateway.
7. The identification device of claim 6, wherein the verification module comprises:
the second calculation module is used for carrying out hash calculation on the first IP address to obtain a second hash value;
the first judgment module is used for judging whether the first hash value is the same as the second hash value or not;
a first determining module, configured to determine that the first IP address is successfully verified when the first hash value is the same as the second hash value;
and the second determining module is used for determining that the first IP address is not successfully verified under the condition that the first hash value is different from the second hash value.
8. The identification device according to claim 5,
the identification device further comprises: the storage module is used for storing the first IP address of the corresponding client into a white list of a gateway after the identity authentication of the corresponding client is determined to be successful;
the identification device further comprises: the second judging module is used for judging whether the first IP address in the authentication request data packet exists in a white list of the gateway or not after identifying that the network address translation device is not accessed in the network where the client is located; a fourth obtaining module, configured to obtain the authentication configuration parameter and the authentication information carried in the authentication request packet when the first IP address in the authentication request packet does not exist in a white list of the gateway.
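Claims 1 to 4 (the method) and claims 5 to 8 (the corresponding apparatus modules) describe one exchange: the client hashes its own source IP address and carries the hash in the authentication request, a NAT device on the path would rewrite the header source address but not the payload, and the gateway recomputes the hash over the source address it actually receives to decide whether a NAT device sits in the client's network before forwarding the user name and password to the authentication server and caching the result in a white list. The following Python models all three roles offline. It is an added example, not code from the patent or its assignee; the hash function (SHA-256 over the address text, since the claims do not name one), the dictionary packet layout, the table-lookup stand-in for the authentication server, and every address and credential are assumptions constructed for the example.

```python
"""Client, NAT and gateway roles from the claims, modelled offline.
Added example; not code from the patent or its assignee. Hash algorithm,
packet layout, addresses and credentials are all assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Set


def ip_hash(ip: str) -> str:
    """The claims fix no algorithm; SHA-256 over the dotted-quad text is
    this example's choice."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


# ---- client side (claim 2 / claim 6) ---------------------------------------
def build_auth_request(source_ip: str, username: str, password: str,
                       auth_server_ip: str, auth_port: int = 1812,
                       proto_version: int = 1, attributes=None) -> dict:
    """Second IP address = the client's own source IP; its hash is the first
    attribute data. The IP goes into the header source field, the hash with
    the authentication configuration parameters and authentication
    information into the payload."""
    return {
        "header": {"src_ip": source_ip},
        "payload": {
            "ip_hash": ip_hash(source_ip),
            "auth_config": {"server_ip": auth_server_ip,
                            "port": auth_port, "version": proto_version},
            "auth_info": {"username": username, "password": password,
                          "attributes": attributes or {}},
        },
    }


# ---- NAT device on the path (the condition the gateway must detect) --------
def nat_rewrite(packet: dict, public_ip: str) -> dict:
    """Source NAT replaces the header source address and leaves the payload
    untouched, so the carried hash no longer matches the header address."""
    rewritten = {"header": dict(packet["header"]), "payload": packet["payload"]}
    rewritten["header"]["src_ip"] = public_ip
    return rewritten


# ---- gateway side (claims 1, 3, 4 / 5, 7, 8) -------------------------------
@dataclass
class Gateway:
    # Constructed stand-in for the authentication servers addressed by the
    # third IP address: server IP -> {username: password}.
    auth_servers: Dict[str, Dict[str, str]]
    whitelist: Set[str] = field(default_factory=set)

    def verify_first_ip(self, first_ip: str, first_hash: str) -> bool:
        """Claim 3: hash the first IP address (the header source address as
        received) to get the second hash value and compare the two."""
        second_hash = ip_hash(first_ip)
        return hmac.compare_digest(second_hash, first_hash)

    def authenticate(self, server_ip: str, username: str, password: str) -> bool:
        """Claim 1: forward user name and password to the authentication
        server at the third IP address and relay its verdict (a table lookup
        here, in place of a real server)."""
        expected = self.auth_servers.get(server_ip, {}).get(username)
        return expected is not None and hmac.compare_digest(expected, password)

    def handle(self, packet: dict) -> str:
        first_ip = packet["header"]["src_ip"]
        first_hash = packet["payload"]["ip_hash"]
        # Claim 1: a mismatch means the address was rewritten on the way, so a
        # NAT device is accessed in the network where the client is located.
        if not self.verify_first_ip(first_ip, first_hash):
            return "nat_detected"
        # Claim 4: a first IP address already in the white list skips
        # re-authentication.
        if first_ip in self.whitelist:
            return "whitelisted"
        cfg = packet["payload"]["auth_config"]
        info = packet["payload"]["auth_info"]
        if self.authenticate(cfg["server_ip"], info["username"], info["password"]):
            self.whitelist.add(first_ip)  # claim 4: store on success
            return "auth_success"
        return "auth_failure"


def run_scenarios() -> Dict[str, object]:
    """Constructed traffic: a direct client, a client behind NAT, a bad
    password. Documentation-range addresses, not real hosts."""
    gw = Gateway(auth_servers={"10.0.0.5": {"alice": "s3cret", "bob": "hunter2"}})
    direct = build_auth_request("192.168.1.10", "alice", "s3cret", "10.0.0.5")
    natted = nat_rewrite(
        build_auth_request("192.168.1.20", "bob", "hunter2", "10.0.0.5"), "203.0.113.7")
    bad_pw = build_auth_request("192.168.1.30", "bob", "wrong", "10.0.0.5")
    return {
        "direct_first": gw.handle(direct),
        "direct_again": gw.handle(direct),
        "behind_nat": gw.handle(natted),
        "bad_password": gw.handle(bad_pw),
        "whitelist": sorted(gw.whitelist),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

Run as a script to see the four verdicts and the resulting white list. The carried hash is an unkeyed integrity check: it only tells the gateway whether the header source address it sees is the one the client hashed, and it does not authenticate the client. That is why the claims follow a successful check with the user name and password exchange with the authentication server, and cache that outcome in the white list keyed by the first IP address rather than by the hash.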
CN201510055929.9A 2015-02-03 2015-02-03 Method and device for identifying network address translation equipment Active CN104580553B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510055929.9A CN104580553B (en) 2015-02-03 2015-02-03 Method and device for identifying network address translation equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510055929.9A CN104580553B (en) 2015-02-03 2015-02-03 Method and device for identifying network address translation equipment

Publications (2)

Publication Number Publication Date
CN104580553A CN104580553A (en) 2015-04-29
CN104580553B true CN104580553B (en) 2021-05-04

Family

ID=53095707

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510055929.9A Active CN104580553B (en) 2015-02-03 2015-02-03 Method and device for identifying network address translation equipment

Country Status (1)

Country Link
CN (1) CN104580553B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
BR112017023309A2 (en) 2015-05-08 2018-08-14 Visa Int Service Ass method, server computer, and computer-implemented method
CN105959251B (en) * 2015-11-06 2019-12-06 杭州迪普科技股份有限公司 method and device for preventing NAT from traversing authentication
CN110266656B (en) * 2019-05-30 2021-11-09 世纪龙信息网络有限责任公司 Secret-free authentication identity identification method and device and computer equipment
CN110740490A (en) * 2019-10-22 2020-01-31 深圳市信锐网科技术有限公司 Terminal network access method, gateway equipment, system, storage medium and device
CN113973299B (en) * 2020-07-22 2023-09-29 中国石油化工股份有限公司 Wireless sensor with identity authentication function and identity authentication method
CN112887265B (en) * 2020-12-31 2024-03-26 浙江远望信息股份有限公司 Access method for preventing unregistered terminal from being falsified into legal communication under NAT
CN114844856B (en) * 2022-04-26 2024-03-22 夏宇 Network penetration method, device, electronic equipment and storage medium
CN116319103B (en) * 2023-05-22 2023-08-08 拓尔思天行网安信息技术有限责任公司 Network trusted access authentication method, device, system and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7369537B1 (en) * 2001-07-18 2008-05-06 Global Ip Solutions, Inc. Adaptive Voice-over-Internet-Protocol (VoIP) testing and selecting transport including 3-way proxy, client-to-client, UDP, TCP, SSL, and recipient-connect methods
CN101325759A (en) * 2007-06-15 2008-12-17 华为技术有限公司 Method and system for accessing IMS early authentication for subscriber terminal
CN101540725A (en) * 2009-04-27 2009-09-23 深圳华为通信技术有限公司 Method and device for limiting number of user equipment of access user premises equipment
US7953868B2 (en) * 2007-01-31 2011-05-31 International Business Machines Corporation Method and system for preventing web crawling detection
CN102137090A (en) * 2010-11-10 2011-07-27 华为技术有限公司 Method for logging in VOIP (Voice Over Internet Protocol) network and authentication server

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7369537B1 (en) * 2001-07-18 2008-05-06 Global Ip Solutions, Inc. Adaptive Voice-over-Internet-Protocol (VoIP) testing and selecting transport including 3-way proxy, client-to-client, UDP, TCP, SSL, and recipient-connect methods
US7953868B2 (en) * 2007-01-31 2011-05-31 International Business Machines Corporation Method and system for preventing web crawling detection
CN101325759A (en) * 2007-06-15 2008-12-17 华为技术有限公司 Method and system for accessing IMS early authentication for subscriber terminal
CN101540725A (en) * 2009-04-27 2009-09-23 深圳华为通信技术有限公司 Method and device for limiting number of user equipment of access user premises equipment
CN102137090A (en) * 2010-11-10 2011-07-27 华为技术有限公司 Method for logging in VOIP (Voice Over Internet Protocol) network and authentication server

Also Published As

Publication number Publication date
CN104580553A (en) 2015-04-29

Similar Documents

Publication Publication Date Title
CN104580553B (en) Method and device for identifying network address translation equipment
CN106101258B (en) Interface calling method, device and system of hybrid cloud
US10148645B2 (en) Method and device for classifying TCP connection carrying HTTP traffic
US10419431B2 (en) Preventing cross-site request forgery using environment fingerprints of a client device
CN105939348B (en) MAC address authentication method and device
CN104811462B (en) A kind of access gateway reorientation method and access gateway
US8869258B2 (en) Facilitating token request troubleshooting
US20140189842A1 (en) Method for defending against session hijacking attacks and firewall
CN107508822B (en) Access control method and device
CN106302346A (en) The safety certifying method of API Calls, device, system
CN107086979B (en) User terminal verification login method and device
CN109347864B (en) Single sign-on method and device based on virtual private network
WO2022247751A1 (en) Method, system and apparatus for remotely accessing application, device, and storage medium
CN105791235B (en) Configuration information downloading method and equipment
CN106559405B (en) Portal authentication method and equipment
CN111182537A (en) Network access method, device and system for mobile application
CN112953745A (en) Service calling method, system, computer device and storage medium
CN113872990A (en) VPN network certificate authentication method and device based on SSL protocol and computer equipment
CN111147625B (en) Method, device and storage medium for acquiring local external network IP address
CN110166474B (en) Message processing method and device
CN107835099B (en) Information synchronization method and device
CN103812859A (en) Network admission method, terminal admission method, network admission device and terminal
CN102624724A (en) Security gateway and method for securely logging in server by gateway
KR20140116422A (en) Integrating server applications with multiple authentication providers
CN112291255B (en) Method, device and server for pushing messages of gateway

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP03 Change of name, title or address

Address after: 2nd Floor, Building 1, Yard 26, Xizhimenwai South Road, Xicheng District, Beijing, 100032

Patentee after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: 100085 1st floor, Section II, No.7 Kaifa Road, Shangdi Information Industry base, Haidian District, Beijing

Patentee before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

CP03 Change of name, title or address