CN105933245B - Safe and trusted access method in software defined network - Google Patents


Info

Publication number
CN105933245B
CN105933245B
Authority
CN
China
Prior art keywords
access
equipment
random number
network
verification code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610465444.1A
Other languages
Chinese (zh)
Other versions
CN105933245A (en)
Inventor
刘静
刁子朋
庄俊玺
赖英旭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Technology
Original Assignee
Beijing University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Technology
Priority to CN201610465444.1A
Publication of CN105933245A
Application granted
Publication of CN105933245B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/70 Admission control; Resource allocation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L2209/127 Trusted platform modules [TPM]

Abstract

The invention discloses a secure access method for a software defined network that introduces trusted access technology into the access process of an SDN network. Combined with trusted computing technology, access to the network by devices that are not secure can be effectively prevented; at the same time, aiming at the flexibility of the SDN network, the invention also provides a quick access authentication mode and a graded access mode for the same user based on a trust value. By adopting the technical scheme of the invention, the defects in SDN access authentication can be effectively overcome and the security of the SDN is enhanced.

Description

Safe and trusted access method in software defined network
Technical Field
The invention belongs to the technical field of software defined networks, and particularly relates to a safe trusted access method in a software defined network.
Background
The concept of OpenFlow was created in 2006 by researchers at Stanford University, USA, who proposed decoupling the data and control layers of traditional network devices and managing and configuring the various network devices through a centralized controller with standardized interfaces. Subsequently, researchers generalized this into the concept of Software-Defined Networking (SDN), which has drawn extensive attention in both academia and industry.
The Floodlight Open SDN controller is an enterprise-level, Java-based OpenFlow controller. It is easy to build and use, and supports numerous virtual and physical OpenFlow switches. As the controller of an OpenFlow network, Floodlight provides network management capability by combining the functions of different modules, and it exposes an API that allows user-written applications to manage the network or extend the controller's functionality.
Network access is one of the core network security issues; access by illegitimate users tends to be the starting point of a penetration of the entire network. Various methods have been devised to authenticate users: from the early 1990s to the present, well-known network security experts at home and abroad have successively applied new technologies and methods to the problem of secure access of network terminals, and approaches such as active defense have been proposed accordingly.
The Trusted Network Connect subgroup (TNC-SG) was formed in May 2004 and released the Trusted Network Connect (TNC) specification and the corresponding interface specifications in March 2005; the TNC v1.0 version released at that time defined the core of TNC. The TNC architecture mainly describes three entities in network access: Access Requestors (ARs), Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs). It also comprises three layers: a network access layer, an integrity evaluation layer and an integrity measurement layer. Some traditional network access enhancement schemes already reference the TNC architecture and introduce trusted computing.
The network access problem is always one of the key points of the network security problem. Software Defined Networking (SDN) is still in the early stage of development and lacks suitable access methods.
Currently, the commonly used method of authenticating a user by combining IP address, MAC address and user identity information can no longer provide secure network access service in an increasingly complex network access environment. Common access protocols are built around the current network design, do not match the way SDN is realized, and cannot be applied directly to SDN.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a secure access method in a software defined network, so that the trusted access architecture TNC and the SDN network architecture are combined with each other, and a secure and trusted access service can be effectively provided for the SDN network.
In order to solve the problems, the invention adopts the following technical scheme:
a secure trusted access method in a software defined network comprises the following steps:
step S1, acquiring a credible measurement information PCR value stored in a credible platform configuration register by the access equipment according to the SDN network security access requirement;
step S2, the access device sends an access request to an access server, wherein the request contains the credible measurement information PCR value;
step S3, the access server performs integrity measurement evaluation and access judgment of the device according to the credible measurement information PCR value and the acquired user information, and if the judgment result is that access is allowed, the access server sends an access decision to the OpenFlow controller;
step S4, the OpenFlow controller generates a corresponding flow entry according to the access decision, and sends the flow entry to the SDN switch, and the SDN switch releases the network access of the accessed device according to the indication of the flow entry.
Preferably, in step S2, the random number verification code of the client side and the device information of the requesting client are sent to the access server side when the request is initiated.
Preferably, step S3 specifically comprises the following steps:
step 3.1, the access server obtains the request of the access device, verifies the access state and judges whether the device is allowed to access; if it is, the access server replies to the access device with the server-side random number verification code of the access request;
step 3.2, the access device obtains the reply of the access server, checks whether the random number returned by the server is the same as the one it specified before, and if so sends its own PCR value together with the server-side random number to the access server;
step 3.3, the access server obtains the PCR value and the server-side random number sent by the access device and verifies whether that server-side random number is the same as the one it sent before; if so, it begins to check whether the access device meets the quick access condition;
step 3.4, if the quick access condition is met, the access judgment result and the client-side random number verification code are sent to the access device; if it is not met, the process continues and a request to enter the user authentication stage, including the client-side random number verification code, is sent to the access device;
step 3.5, the access device verifies from the reply of the access server whether the client random number is the same as the one it sent before; if so, the judgment result of the server is processed, and when the judgment result is trusted, the user authentication identity information is sent to the access server;
step 3.6, the access server verifies the user information; if the verification result is that access is allowed, the access state, IP address, MAC address, PCR value and login user name of the client are recorded in a recently connected device list, and at the same time the access server sends an access decision to the OpenFlow controller and releases the access device's access authority to the network.
Preferably, the fast access condition is: the IP and MAC addresses are located in the latest access device list, and the credible PCR value provided by the device during the access is the same as the last time.
Preferably, if the fast access condition is not met, the credibility status of the user is judged, and the credibility judgment result is: fully trusted, partially trusted, and untrusted.
Preferably, in step 3.5, when the judgment result is that the client is not trusted, the login process is interrupted, and the client cannot access the network; and when the judgment result is credible, the access equipment is required to provide user authentication information.
Preferably, the method further comprises the following steps: in the initial stage of network starting, the access server sends an instruction to the OpenFlow controller, wherein the instruction is used for preventing unauthenticated equipment from carrying out network communication; and simultaneously, after receiving the instruction, the OpenFlow controller issues corresponding flow table items according to the network flow information submitted by the switch so as to complete the limitation on the non-authentication equipment.
Preferably, the access device is an entity device or a cloud virtual machine.
According to the technical scheme, trusted access technology is introduced into the secure access method in the SDN and, combined with related trusted computing technology, access to the network by devices that are not secure can be effectively prevented; at the same time, aiming at the flexibility of the SDN, the invention also provides a quick access authentication mode and a graded access mode for the same user based on a trust value, so that the defects in SDN access authentication can be effectively overcome and the security of the SDN is enhanced.
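The nonce-bound exchange of steps 3.1 to 3.5, as an added Python example (constructed here, not code from the patent or the inventors). It models the client and the access server as two state machines and keeps only the random-number checks; the public-key encryption applied to each message is left out, and the trust judgment of the PCR value is an assumed callback returning "trusted" or "untrusted".

```python
"""Nonce-bound access handshake (steps 3.1 to 3.5) as two cooperating state machines.

Constructed example, not the patent's or the inventors' code. Assumptions: the
public-key encryption the method applies to every message is left out, and the
platform-trust judgment of the PCR value is supplied as a callback that
returns "trusted" or "untrusted".
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


def _nonce() -> str:
    return secrets.token_hex(16)                  # 128-bit random number verification code


@dataclass
class AccessDevice:
    ip: str
    mac: str
    pcr: str                                      # PCR value read from the trusted platform
    nonce_c: str = field(default_factory=_nonce)
    nonce_s: Optional[str] = None
    state: str = "init"

    def access_request(self) -> dict:
        """Step 3.1 (client side): client nonce plus the device's own IP and MAC."""
        self.state = "requested"
        return {"type": "request", "nonce_c": self.nonce_c, "ip": self.ip, "mac": self.mac}

    def on_challenge(self, reply: dict) -> Optional[dict]:
        """Step 3.2: accept the server nonce only if our own nonce is echoed back."""
        if self.state != "requested" or reply.get("nonce_c") != self.nonce_c:
            self.state = "aborted"                # login is stopped
            return None
        self.nonce_s = reply["nonce_s"]
        self.state = "measured"
        return {"type": "measurement", "pcr": self.pcr, "nonce_s": self.nonce_s}

    def on_decision(self, reply: dict) -> str:
        """Step 3.5: a verdict counts only when it carries the client nonce."""
        if self.state != "measured" or reply.get("nonce_c") != self.nonce_c:
            self.state = "aborted"
            return self.state
        self.state = reply["result"]
        return self.state


class AccessServer:
    def __init__(self, judge_pcr: Callable[[str], str]):
        self._judge = judge_pcr                   # assumed PCR judgment callback
        self._sessions: Dict[Tuple[str, str], dict] = {}   # (ip, mac) -> nonces

    def on_request(self, msg: dict) -> dict:
        """Step 3.1: remember the client nonce and issue a fresh server nonce."""
        nonce_s = _nonce()
        self._sessions[(msg["ip"], msg["mac"])] = {"nonce_c": msg["nonce_c"], "nonce_s": nonce_s}
        return {"type": "challenge", "nonce_s": nonce_s, "nonce_c": msg["nonce_c"]}

    def on_measurement(self, key: Tuple[str, str], msg: dict) -> Optional[dict]:
        """Steps 3.3 and 3.4: check the echoed server nonce, then judge the PCR value."""
        sess = self._sessions.get(key)
        if sess is None or msg.get("nonce_s") != sess["nonce_s"]:
            self._sessions.pop(key, None)         # interrupt the connection
            return None
        sess["nonce_s"] = None                    # single use: a replayed measurement fails above
        return {"type": "decision", "result": self._judge(msg["pcr"]), "nonce_c": sess["nonce_c"]}


def run_handshake(dev: AccessDevice, srv: AccessServer) -> str:
    """Drive one device through the exchange and return its final state."""
    challenge = srv.on_request(dev.access_request())
    measurement = dev.on_challenge(challenge)
    if measurement is None:
        return dev.state
    decision = srv.on_measurement((dev.ip, dev.mac), measurement)
    if decision is None:
        dev.state = "aborted"
        return dev.state
    return dev.on_decision(decision)
```

A forged challenge aborts the client, and a replayed measurement is rejected because the server nonce is single-use.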
Drawings
FIG. 1 is a schematic structural diagram of the access method of the present invention from the view point of the TNC architecture;
FIG. 2 is a schematic structural diagram of the access method of the present invention from the view point of the software-defined network architecture;
FIG. 3 is a schematic diagram of the data transmission flow of the access method of the present invention;
FIG. 4 is a schematic diagram of the quick access procedure decision and process;
FIG. 5 is a schematic diagram of the user authority determination process.
Detailed Description
The present invention will be described in further detail below with reference to specific embodiments and with reference to the attached drawings.
The embodiment of the invention provides a secure trusted access method in a software defined network. The framework required by the secure access method follows the trusted access framework of the trusted access standard TNC, combined with the characteristic of the OpenFlow framework that the control layer is concentrated in the controller while the switch concentrates on forwarding. The secure access framework is shown in FIG. 1 from the view point of the TNC framework and in FIG. 2 from the view point of the SDN network structure.
The architecture follows the structure of the TNC trusted access model: all devices involved in network access are classified as access requesters, policy enforcement points, or policy management and access control issuing points.
The access device: access requester
The client running on it is primarily responsible for providing the network access authentication service. At the same time, to realize the trusted access function, it can obtain the integrity metric values of the access device collected by other measurement applications, and unused PCRs can be used to measure programs related to network access. After obtaining the relevant results, the measurement values are transmitted to the server to verify the trust condition.
Wherein the access device has a data layer connection with the switch.
OpenFlow (SDN) switch: policy enforcement point
Since an OpenFlow switch concentrates on forwarding data according to its flow table, the switch is set as the policy enforcement point and executes the decisions from the control layer and the application layer. At the beginning of user access, the OpenFlow switch helps the user pass its trust assessment data and authentication data to the controller. After the OpenFlow controller makes a decision, the normal communication data of the access device is forwarded according to the flow entries and its communication behavior is restricted.
The OpenFlow switch and the OpenFlow controller have management layer data connection and access server side data connection.
An OpenFlow controller: control center for managing network connection and processing user access request
The network management part is performed by the OpenFlow controller. The judgment of the client's trusted state and the access authentication are realized by an application of the SDN application layer (the access server) calling the API (application programming interface) of the OpenFlow controller. After the access server finishes judging the user request, it informs the OpenFlow controller of the result through the API, and the OpenFlow controller issues the corresponding flow entries to the OpenFlow switch through the controller's dedicated secure channel to complete the control of the user.
The access server side is connected with the data layer of the switch.
As shown in fig. 3, an embodiment of the present invention provides a secure trusted access method in a software-defined network, which specifically includes the following steps:
in the initial stage of network activation, the access server sends an instruction to an OpenFlow controller (hereinafter, referred to as "controller"): except for white-listed devices, network communications other than authentication are blocked. After receiving the instruction, the controller issues a corresponding flow entry in combination with network flow information submitted by an OpenFlow switch (hereinafter, referred to as a "switch") to complete the restriction on the non-authentication device.
Step 1. When an access device (a physical device or a cloud virtual machine) needs to access the SDN network, its client is started and obtains the trusted measurement PCR value stored in the trusted platform configuration register.
Step 2. The access device (request initiator) initiates an access request to the access server. When initiating the request it indicates to the access server the random number verification code of the current requesting client, and also carries the device's own information (IP address and MAC address) so that the access server can associate the request with the device. To ensure that the data cannot be intercepted, the message also includes the encryption key the access server must use when replying, and the whole message is encrypted with the public key published in advance by the access server. The data transmission involved in this process can be described as
[message format: given as an equation image in the original, not reproduced]
Step 3. After the access server (request receiver) receives the request of the access device, it verifies the user's access state (for example, whether the user is already connected) and judges whether the device is allowed to access. If so, the server-side random number verification code of the access request is replied to the access device. For security reasons, the access server also carries the client-side random number verification code when replying. The above information is encrypted using the key specified by the authenticating client in step 1. The data transmission involved in this process can be described as
[message format: given as an equation image in the original, not reproduced]
Step 4. After the access device receives the reply of the access server, it first checks whether the random number returned by the access server is the same as the one it specified before. If not, the login is stopped; if so, the transmission and verification phase of the trusted information is entered. The access device reads the trusted measurement PCR value stored in the trusted platform configuration register, packages it and sends it to the access server. When sending the data, the access server's random number is carried to verify the connection state. The information is encrypted with the encryption key published by the access server. The data transmission involved in this process can be described as
[message format: given as an equation image in the original, not reproduced]
Step 5. After the access server receives the data sent by the access device, it first verifies whether the server-side random number contained in the message is the same as the one sent before; if not, the connection is interrupted. If it is the same, the server begins to check whether the access device meets the quick access condition and obtains a judgment result, which is one of: fully trusted, partially trusted (collectively, trusted), untrusted, or eligible for quick access.
The concept of a 'quick access process' is proposed by combining the usage characteristics of the SDN network with the support of trusted computing technology. The quick access process provides a simple access scheme for recently offline devices, reduces the time required for access, and improves the user's network experience.
The quick access process means that a device meeting the quick access condition accesses the network directly after completing platform trust authentication, without going through the user authentication stage. The quick access condition is: the IP and MAC addresses are in the recent access device list, and the trusted PCR value provided by the device during this access is the same as last time. The decision for the quick access procedure is shown in FIG. 4.
If the quick access condition is met, the access server replies to the client with the access result and issues a corresponding rule to the controller to remove the network access restriction of the access device.
If the quick access condition is not met, the trusted state of the user is judged.
The trust judgment result is one of three kinds: fully trusted, partially trusted and untrusted. Fully trusted and partially trusted are collectively referred to as 'trusted'.
Untrusted: the critical parameters do not match the record.
Partially trusted: the critical parameters match the record but the non-critical parameters do not.
Fully trusted: both the critical and the non-critical parameters match the record.
Step 6. After the access server finishes the judgment, it feeds the judgment result back to the access device. At the same time, the random number originally specified by the client is attached to verify the access. The above contents are encrypted with the key specified by the client. The data transmission involved in this process can be described as
[message format: given as an equation image in the original, not reproduced]
Step 7. After receiving the reply of the access server, the access device first checks the random number sent by the access server. If the random numbers differ, the access is interrupted; if they are the same, it begins to process the server's judgment result.
When the judgment result is trusted (including fully trusted and partially trusted), the user is notified of the trust authentication result and asked to enter the user authentication stage. When the judgment result is untrusted, the login process is interrupted and the client is prevented from accessing the network. When the judgment result is that the quick access condition is met, the user is notified of the relevant information and prompted that the network is connected.
Step 8. After entering the user authentication stage, the client prompts the user of the access device to authenticate with the user information they hold (that is, user name and password). After the user finishes entering the authentication information, it is sent to the access server; for verification, the random number specified by the access server is also sent. The contents are encrypted with the public key published in advance by the access server. The data transmission involved in this process can be described as
[message format: given as an equation image in the original, not reproduced]
Step 9. The access server verifies the user name and password provided by the access device and gives a final judgment result. If the result is that access is allowed, the client's access state, IP address, MAC address, PCR value and login user name are recorded in the recently connected device list, and an expiry time for the list entry is specified. At the same time, the access server sends an instruction to the controller and releases the access device's access authority to the network according to the user's authority.
The platform trust value of the access device also affects the user's access authority after accessing the network: instead of granting a user all network authority solely through user identity authentication, different network access authorities are granted according to the trust state. In this way, the network is protected from being affected by a legitimate user's non-compliant device after it has accessed the network.
The user's authority is determined primarily by the trust state. Trusted states are divided into fully trusted and partially trusted: fully trusted means all parameters meet the trust condition, while partially trusted means some non-critical parameters do not meet the trust requirements. The state is determined by the access server. The network content that can be accessed in each trust state is set by an administrator; generally, a fully trusted device is given larger authority and a partially trusted device smaller authority. The user authority judgment flow is shown in FIG. 5.
The reply contains the judged access result and the random number originally specified by the client, encrypted with the key specified by the client. The data transmission involved in this process can be described as
[message format: given as an equation image in the original, not reproduced]
Step 10. After receiving the access decision, the controller generates the corresponding flow entries, taking the device's connection situation into account, and sends them to the forwarding device (SDN switch) through the OpenFlow channel. The SDN switch then allows the network access of the accessed device according to the flow entries.
This completes the network access process.
The invention realizes the secure access method by combining trusted computing technology with traditional user identity authentication technology, and combining these related technologies with the characteristics of the SDN network. The scheme has been verified with BAN predicate logic and tested against attacks with the AVISPA protocol analysis software, ensuring its security and effectiveness, and real-machine tests have been carried out to check its feasibility and effectiveness. After testing, the invention can effectively provide secure access service for the SDN network: unauthorized accessors, and legitimate accessors whose devices have problems, either cannot access the network or access it with low authority, thereby protecting network security.
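The access server's decision logic of steps 5 and 9 (quick access check, trust classification, user authentication, recent device list with expiry) together with the controller's flow entries of step 10, as an added Python example (constructed here, not the patent's code). The reference PCR record, the critical PCR indices, the permission table per trust state and the dict-style flow entries are all assumptions made for the example.

```python
"""Access-server decision and controller flow entries (steps 5, 9 and 10; FIGs. 4 and 5).

Constructed example, not the patent's or the inventors' code. Assumptions:
the reference record maps PCR index -> expected value, the administrator marks
some indices as critical, and flow entries are illustrative dicts in the style
of OpenFlow 1.x matches and actions rather than real OpenFlow messages.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

DevKey = Tuple[str, str]                          # (IP address, MAC address)

CRITICAL_PCRS = {0, 2, 4}                         # constructed: firmware, kernel, access client
PERMISSIONS = {                                   # administrator policy per trust state
    "fully_trusted": ["any"],
    "partially_trusted": ["10.0.1.0/24"],         # constructed: restricted segment only
}
_USERS = {"alice": hashlib.sha256(b"correct-horse").hexdigest()}   # constructed credentials


def authenticate(username: str, password: str) -> Optional[str]:
    """Step 9: user-name/password check; returns the user name on success."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    expected = _USERS.get(username)
    if expected is not None and hmac.compare_digest(digest, expected):
        return username
    return None


class AccessServer:
    def __init__(self, reference: Dict[int, str], ttl_seconds: int = 3600):
        self.reference = reference                # expected PCR values
        self.ttl = ttl_seconds
        # recently connected device list: key -> (PCRs, user name, expiry time)
        self.recent: Dict[DevKey, Tuple[Dict[int, str], str, float]] = {}

    def fast_access_ok(self, key: DevKey, pcrs: Dict[int, str], now: float) -> bool:
        """FIG. 4: IP and MAC in the recent list, entry unexpired, PCRs same as last time."""
        entry = self.recent.get(key)
        if entry is None:
            return False
        last_pcrs, _, expires_at = entry
        if now >= expires_at:
            del self.recent[key]                  # an expired entry must not grant fast access
            return False
        return last_pcrs == pcrs

    def trust_level(self, pcrs: Dict[int, str]) -> str:
        """Critical mismatch -> untrusted; only non-critical mismatch -> partially trusted."""
        mismatched = {i for i, v in self.reference.items() if pcrs.get(i) != v}
        if mismatched & CRITICAL_PCRS:
            return "untrusted"
        return "partially_trusted" if mismatched else "fully_trusted"

    def decide(self, key: DevKey, pcrs: Dict[int, str],
               credentials: Optional[Tuple[str, str]], now: float) -> dict:
        """Steps 5 and 9: fast path first, else trust judgment, then user authentication."""
        if self.fast_access_ok(key, pcrs, now):
            user = self.recent[key][1]
            self.recent[key] = (dict(pcrs), user, now + self.ttl)   # refresh the expiry time
            return {"allow": True, "fast": True, "level": self.trust_level(pcrs), "user": user}
        level = self.trust_level(pcrs)
        if level == "untrusted" or credentials is None:
            return {"allow": False, "fast": False, "level": level, "user": None}
        user = authenticate(*credentials)
        if user is None:
            return {"allow": False, "fast": False, "level": level, "user": None}
        self.recent[key] = (dict(pcrs), user, now + self.ttl)
        return {"allow": True, "fast": False, "level": level, "user": user}


def bootstrap_entries(auth_server_ip: str, whitelist_macs: List[str]) -> List[dict]:
    """Network start-up: only authentication traffic and white-listed devices pass."""
    entries = [{"priority": 100, "match": {"ipv4_dst": auth_server_ip}, "actions": ["NORMAL"]}]
    entries += [{"priority": 50, "match": {"eth_src": m}, "actions": ["NORMAL"]}
                for m in whitelist_macs]
    entries.append({"priority": 1, "match": {}, "actions": []})   # empty actions = drop
    return entries


def entries_for_decision(key: DevKey, decision: dict) -> List[dict]:
    """Step 10: the controller turns an access decision into flow entries for the switch."""
    if not decision["allow"]:
        return []                                 # device stays under the bootstrap drop rule
    ip, mac = key
    base = {"eth_src": mac, "ipv4_src": ip}
    entries = []
    for dst in PERMISSIONS[decision["level"]]:
        match = dict(base) if dst == "any" else {**base, "ipv4_dst": dst}
        entries.append({"priority": 200, "match": match, "actions": ["NORMAL"]})
    return entries
```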
The above embodiments are only exemplary embodiments of the present invention, and are not intended to limit the present invention, and the scope of the present invention is defined by the claims. Various modifications and equivalents may be made by those skilled in the art within the spirit and scope of the present invention, and such modifications and equivalents should also be considered as falling within the scope of the present invention.

Claims (4)

1. A secure trusted access method in a software defined network, comprising the steps of:
step 1, acquiring a credible measurement information PCR value stored in a credible platform configuration register by access equipment according to the SDN network security access requirement;
step 2, sending the random number verification code of the client side and the self equipment information of the current request to an access server side in the process of initiating the request;
step 3.1, the access server side acquires a request of the access equipment, verifies the access state and judges whether the equipment is allowed to be accessed; if the equipment is allowed to be accessed, the access server side replies to the access equipment with the server side random number verification code of the access request; for the consideration of security, the access server needs to carry the random number verification code of the client side when replying;
step 3.2, the access equipment acquires the reply of the access server, authenticates whether the client side random number verification code sent by the access server is the same as the client side random number verification code appointed before, and sends the credibility measurement information PCR value of the local machine and the server side random number verification code to the access server if the client side random number verification code is the same as the client side random number verification code appointed before;
step 3.3, the access server side obtains the credibility measurement information PCR value and the server side random number verification code sent by the access equipment, and verifies whether the server side random number verification code sent by the access equipment is the same as that sent before; if they are the same, starting to inquire whether the access device meets the condition of quick access;
step 3.4, if the condition of fast access is met, sending the access judgment result and the client side random number verification code to the access equipment, if the condition of fast access is not met, continuing the process, and sending a request for entering a user authentication stage to the access equipment and including the client side random number verification code;
step 3.5, the access equipment verifies whether the random number verification code of the client side is the same as that sent before according to the reply of the access server side, if so, the judgment result of the access server side is processed, and when the judgment result is credible, user authentication identity information is sent to the access server side;
step 3.6, the access server side verifies the user authentication identity information, if the verification result is that access is allowed, the access state, the IP address, the MAC address, the credibility measurement information PCR value and the login user name of the access equipment are recorded in a recently connected equipment list, meanwhile, the access server side sends an access decision to the OpenFlow controller, and releases the access authority of the access equipment to the network;
step 4, the OpenFlow controller generates a corresponding flow table item according to the access decision and sends the flow table item to an SDN switch, and the SDN switch releases the network access of the accessed device according to the indication of the flow table item.
2. A method for secure trusted access in a software defined network as claimed in claim 1, wherein said fast access condition is: the IP and the MAC address are positioned in the latest access equipment list, and the credible measurement information PCR value provided by the equipment during the access is the same as the last time.
3. The method as claimed in claim 1, wherein if the fast access condition is not met, the trusted status of the user is determined, and the trusted determination result is: fully trusted, partially trusted, and untrusted.
4. The method according to claim 1, wherein in step 3.5, when the determination result is not trusted, the login procedure is interrupted, and the access device cannot access the network; and when the judgment result is credible, the access equipment is required to provide user authentication identity information.
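Steps 3.3 to 3.6, step 4 and claims 2 to 4 together describe one access exchange. The following Python simulation is an added example written for this page, not code from the patent or from Beijing University of Technology. It models both sides of the exchange in memory: the echoed server side and client side random number verification codes, the fast access check of claim 2 against the recently connected device list, the three trust states of claim 3, the interrupt rule of claim 4, and the access decision handed to the controller as a flow table item. The patent does not say how the trust state is computed, so the "golden PCR / stale PCR" rule, the user table, and all IP, MAC, PCR and credential values below are constructed assumptions of this example.

```python
import hmac
import secrets

# Trust decision values as named in claim 3.
FULLY_TRUSTED, PARTIALLY_TRUSTED, UNTRUSTED = "fully trusted", "partially trusted", "untrusted"


class AccessServer:
    """Access server side of steps 3.3 to 3.6 (simulation; policy details are assumptions)."""

    def __init__(self, golden_pcrs, stale_pcrs, users):
        self.golden_pcrs = golden_pcrs    # PCR values judged fully trusted (assumed policy)
        self.stale_pcrs = stale_pcrs      # PCR values judged partially trusted (assumed policy)
        self.users = users                # username -> secret (constructed sample data)
        self.sessions = {}                # (ip, mac) -> state of one access attempt
        self.recent = {}                  # recently connected device list, keyed by (ip, mac)
        self.controller_decisions = []    # access decisions handed to the OpenFlow controller

    def begin(self, ip, mac):
        """Issue the server side random number verification code the device must echo back."""
        nonce = secrets.token_hex(16)
        self.sessions[(ip, mac)] = {"server_nonce": nonce}
        return nonce

    def judge_trust(self, pcr):
        """Claim 3: map the measurement to one of three trust states (rule is an assumption)."""
        if pcr in self.golden_pcrs:
            return FULLY_TRUSTED
        if pcr in self.stale_pcrs:
            return PARTIALLY_TRUSTED
        return UNTRUSTED

    def fast_access_ok(self, ip, mac, pcr):
        """Claim 2: device is in the recent list and its PCR value is unchanged since last time."""
        rec = self.recent.get((ip, mac))
        return rec is not None and hmac.compare_digest(rec["pcr"], pcr)

    def handle_measurement(self, ip, mac, pcr, echoed_server_nonce, client_nonce):
        """Steps 3.3 and 3.4: check the echoed nonce, then try fast access or request user auth."""
        sess = self.sessions.get((ip, mac))
        if sess is None or not hmac.compare_digest(sess["server_nonce"], echoed_server_nonce):
            self.sessions.pop((ip, mac), None)
            return {"status": "rejected", "reason": "server nonce mismatch"}
        sess.update(pcr=pcr, client_nonce=client_nonce)
        if self.fast_access_ok(ip, mac, pcr):
            self._grant(ip, mac, pcr, self.recent[(ip, mac)]["user"])
            return {"status": "allowed", "client_nonce": client_nonce}
        sess["trust"] = self.judge_trust(pcr)
        return {"status": "auth_required", "trust": sess["trust"], "client_nonce": client_nonce}

    def authenticate(self, ip, mac, username, secret):
        """Step 3.6: verify the user identity information and, on success, release access."""
        sess = self.sessions.get((ip, mac))
        expected = self.users.get(username)
        if (sess is None or sess.get("trust") == UNTRUSTED or expected is None
                or not hmac.compare_digest(expected, secret)):
            self.sessions.pop((ip, mac), None)
            return {"status": "rejected"}
        self._grant(ip, mac, sess["pcr"], username)
        return {"status": "allowed"}

    def _grant(self, ip, mac, pcr, user):
        # Record the device in the recently connected list and pass the decision to the controller.
        self.recent[(ip, mac)] = {"state": "connected", "ip": ip, "mac": mac, "pcr": pcr, "user": user}
        self.controller_decisions.append({"ip": ip, "mac": mac, "action": "allow"})
        self.sessions.pop((ip, mac), None)


class AccessDevice:
    """Access device side (step 3.5 and claim 4)."""

    def __init__(self, ip, mac, pcr, username, secret):
        self.ip, self.mac, self.pcr, self.username, self.secret = ip, mac, pcr, username, secret
        self.client_nonce = None

    def measure(self, server_nonce):
        """Echo the server's nonce alongside the PCR value and add a client side nonce."""
        self.client_nonce = secrets.token_hex(16)
        return self.pcr, server_nonce, self.client_nonce

    def on_reply(self, reply):
        """Check the echoed client nonce, then act on the server's judgment."""
        if reply["status"] == "rejected" or not hmac.compare_digest(reply["client_nonce"], self.client_nonce):
            return None                            # reply not bound to this attempt: interrupt
        if reply["status"] == "allowed":
            return "connected"
        if reply["trust"] == UNTRUSTED:
            return None                            # claim 4: login procedure interrupted
        return (self.username, self.secret)        # trusted: provide user identity information


def flow_entries_for(decisions):
    """Step 4: the OpenFlow controller turns each decision into a flow table item for the switch."""
    return [{"match": {"ipv4_src": d["ip"], "eth_src": d["mac"]}, "actions": ["NORMAL"]}
            for d in decisions if d["action"] == "allow"]


def run_access(server, device):
    """Drive one full exchange and return the outcome as a short string."""
    nonce = server.begin(device.ip, device.mac)
    pcr, echoed, client_nonce = device.measure(nonce)
    reply = server.handle_measurement(device.ip, device.mac, pcr, echoed, client_nonce)
    result = device.on_reply(reply)
    if result is None:
        return "interrupted"
    if result == "connected":
        return "fast access"
    username, secret = result
    return "user auth " + server.authenticate(device.ip, device.mac, username, secret)["status"]
```

Running `run_access` twice for the same device shows the two paths: the first attempt goes through user authentication and populates the recently connected device list, the second is granted by fast access because the IP, MAC and PCR value are unchanged; changing the PCR value forces the device back through the full path, and an unknown PCR value ends in the interrupt of claim 4 without any flow table item being issued.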
CN201610465444.1A 2016-06-23 2016-06-23 Safe and trusted access method in software defined network Active CN105933245B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610465444.1A CN105933245B (en) 2016-06-23 2016-06-23 Safe and trusted access method in software defined network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610465444.1A CN105933245B (en) 2016-06-23 2016-06-23 Safe and trusted access method in software defined network

Publications (2)

Publication Number Publication Date
CN105933245A CN105933245A (en) 2016-09-07
CN105933245B true CN105933245B (en) 2020-04-28

Family

ID=56830803

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610465444.1A Active CN105933245B (en) 2016-06-23 2016-06-23 Safe and trusted access method in software defined network

Country Status (1)

Country Link
CN (1) CN105933245B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106789351A (en) * 2017-01-24 2017-05-31 华南理工大学 A kind of online intrusion prevention method and system based on SDN
CN106850443A (en) * 2017-02-10 2017-06-13 济南浪潮高新科技投资发展有限公司 A kind of SDN flow table issuance methods based on TPM
CN106686013A (en) * 2017-03-10 2017-05-17 湖北天专科技有限公司 Identity recognition device for unmanned aerial vehicle, recognition system and recognition method thereof
CN107612731A (en) * 2017-09-19 2018-01-19 北京工业大学 One kind is based on the believable network section generation of software definition and credible recovery system
CN108833381A (en) * 2018-05-31 2018-11-16 中共中央办公厅电子科技学院 The credible connection method of software defined network and system
CN110602150B (en) * 2019-10-16 2021-11-16 超越科技股份有限公司 Trusted authentication method between SDN nodes
CN112491896B (en) * 2020-11-30 2022-08-02 超越科技股份有限公司 Trusted access authentication system based on virtualization network
CN113438119B (en) * 2021-08-25 2021-11-09 北京信达环宇安全网络技术有限公司 Reinforced software deployment method and device, electronic equipment and storage medium
CN116389032B (en) * 2022-12-29 2023-12-08 国网甘肃省电力公司庆阳供电公司 SDN architecture-based power information transmission link identity verification method
CN116545775B (en) * 2023-07-06 2023-09-15 北京长扬软件有限公司 NFV-based remote trusted network connection method, device and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101483522A (en) * 2008-01-09 2009-07-15 华为技术有限公司 Method, system and device for controlling trustable network access
CN103023911A (en) * 2012-12-25 2013-04-03 北京工业大学 Authentication method for access of trusted network devices to trusted network
CN103929422A (en) * 2014-04-08 2014-07-16 北京工业大学 Trusted inter-domain safety certificate protocol based on SDN
WO2016085516A1 (en) * 2014-11-28 2016-06-02 Hewlett Packard Enterprise Development Lp Verifying a network configuration

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150281276A1 (en) * 2014-03-26 2015-10-01 Juniper Networks, Inc. Monitoring compliance with security policies for computer networks
CN104113839A (en) * 2014-07-14 2014-10-22 蓝盾信息安全技术有限公司 Mobile data safety protection system and method based on SDN

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101483522A (en) * 2008-01-09 2009-07-15 华为技术有限公司 Method, system and device for controlling trustable network access
CN101483522B (en) * 2008-01-09 2012-04-04 华为技术有限公司 Method, system and device for controlling trustable network access
CN103023911A (en) * 2012-12-25 2013-04-03 北京工业大学 Authentication method for access of trusted network devices to trusted network
CN103929422A (en) * 2014-04-08 2014-07-16 北京工业大学 Trusted inter-domain safety certificate protocol based on SDN
WO2016085516A1 (en) * 2014-11-28 2016-06-02 Hewlett Packard Enterprise Development Lp Verifying a network configuration

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Sandra Scott-Hayward; Sriram Natarajan; Sakir Sezer. A Survey of Security in Software Defined Networks. IEEE Communications Surveys & Tutorials. 2015, *
Research progress on software-defined networking (SDN); 张朝昆; 崔勇; 唐翯翯; 吴建平; Journal of Software (软件学报); 2015-01-15; full text *

Also Published As

Publication number Publication date
CN105933245A (en) 2016-09-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant