CN106936779A - A data connection method, system and device - Google Patents

A data connection method, system and device

Info

Publication number
CN106936779A
Authority
CN (China)
Prior art keywords
data connection
authentication
terminal device
identity identifier
Legal status
Pending
Application number
CN201511019836.7A
Other languages
Chinese (zh)
Inventors
谭锋
孟庆森
Current assignee
BEIJING LEADSEC TECHNOLOGY CO LTD
Venustech Group Inc
Original assignee
BEIJING LEADSEC TECHNOLOGY CO LTD
Venustech Group Inc
Application filed by BEIJING LEADSEC TECHNOLOGY CO LTD and Venustech Group Inc
Priority to CN201511019836.7A
Publication of CN106936779A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/029 Firewall traversal, e.g. tunnelling or, creating pinholes


Abstract

The present invention provides a data connection method. The method includes: after an authentication access gateway receives a data connection message sent by a terminal device, it judges whether the terminal device has passed authentication; the authentication access gateway processes the data connection message according to the judgement result and sends the processed data connection message to an authorization control gateway; the authorization control gateway judges, according to the authorization policy corresponding to the terminal device, whether to send the data connection message to a server. By completely separating authentication from authorization, the scheme provides a more efficient and secure network access control and authorization method, while effectively preventing IP address spoofing attacks.

Description

A data connection method, system and device
Technical field
The present invention relates to the field of communications, and in particular to a data connection method, system and device.
Background technology
As shown in Fig. 1, in some large cross-regional enterprises or industries there are hundreds or thousands of user networks and multiple information centres. Each user network and information centre is connected through a private wide area network; they are peer nodes in the network and there is no network address translation (NAT). Clients in a user network frequently need to access several different information centres at the same time. Usually each information centre belongs to a different administrative authority, each visiting user needs a separate authorization, and this authorization management is generally decided by the respective authority of each information centre, so unified authorization management across the whole industry is not possible. Such enterprises typically have a relatively unified account identity issuance or identifier system (such as employee numbers, digital certificates, etc.).
In addition, the servers in the information centres of this kind of industry have a long history and come in many kinds: there are traditional services based on the C/S architecture, newly built services based on the B/S architecture, and possibly also applications based on the UDP protocol. How to build a unified authentication, authorization and access control system that is independent, simple, powerful, flexible and efficiently based on user identity has long been a problem facing the network security industry.
Existing solutions are of the following two types. The first, shown in Fig. 2, is the authentication gateway plus firewall scheme: an authentication gateway is deployed at the egress of the user network and a firewall is deployed at the entrance of the information centre. After a user host completes identity authentication at the egress gateway of the user network, the user network gateway is responsible for maintaining the mapping between the client's IP address and its identity, and sends this mapping to the firewall of the information centre, where it is converted into IP-address-based access rules for that user. The second, shown in Fig. 3, is the VPN tunnel scheme: a firewall supporting VPN tunnels (such as IPSEC, L2TP, SSLVPN, etc.) is deployed only at the entrance of the information centre, and a VPN client is installed on every host in the user network.
The above existing technical schemes have the following problems:
1) From the security perspective: A. The conventional authentication gateway scheme verifies user identity only during access authentication; after authentication completes, all access control for the client is converted into IP-address-based policy. There is usually a large open network between the user network and the information centre, so the address is easily forged or impersonated. B. The VPN tunnel encapsulation scheme removes the egress gateway of the user network and thus lacks basic access authentication filtering; the entry gateway of the information centre becomes the bottleneck for access, may face a large number of unauthenticated illegal accesses, and is easily subjected to denial-of-service attacks.
2) From the performance perspective: in the tunnel encapsulation scheme, tunnel establishment and message reassembly both consume more time and resources, which may cause a sharp drop in network throughput; the entry gateway of the information centre needs strong processing capability, otherwise it is difficult to sustain a large number of concurrent user accesses. For the same reason, the hardware configuration of the many old client hosts in the user network is sometimes not up to the task.
3) From the deployment perspective: the VPN tunnel scheme, depending on the encapsulation type, usually changes the source address, destination address or access path of network messages to varying degrees, and may require the original servers or applications in the information centre to be modified or rewritten. At the same time, such a scheme requires a VPN client program to be installed on every client host, which not only increases deployment work but also causes a large number of compatibility problems.
Summary of the invention
The present invention provides a data connection method and system, to achieve more efficient and secure network access control and authorization.
To solve the above technical problem, the present invention provides a detection method, which includes:
after an authentication access gateway receives a data connection message sent by a terminal device, judging whether the terminal device has passed authentication;
the authentication access gateway processing the data connection message according to the judgement result and sending the processed data connection message to an authorization control gateway;
the authorization control gateway judging, according to the authorization policy corresponding to the terminal device, whether to send the data connection message to a server.
Optionally,
judging whether the terminal device has passed authentication includes:
comparing the source address of the data connection message with the mapping relations recorded by the authentication access gateway; when the identity identifier corresponding to the source address is found in the mapping relations, judging that the terminal device has passed authentication;
the authentication access gateway processing the data connection message according to the judgement result and sending the processed data connection message to the authorization control gateway includes:
when it is judged that the terminal device has passed authentication, inserting the identity identifier determined from the data connection message into the header of the data connection message and then sending it to the authorization control gateway;
the authorization control gateway judging, according to the authorization policy corresponding to the terminal device, whether to send the data connection message to the server includes:
when the authorization control gateway obtains an identity identifier from the data connection message, matching the identity identifier against the authorization policy of the authorization control gateway; when the authorization policy allows, recording the identity identifier in the connection session table and sending the data connection message to the server.
Optionally,
judging whether the terminal device has passed authentication includes:
comparing the source address of the data connection message with the mapping relations recorded by the authentication access gateway; when the identity identifier corresponding to the source address is not found in the mapping relations, judging that the terminal device has not passed authentication;
the authentication access gateway processing the data connection message according to the judgement result and sending the processed data connection message to the authorization control gateway includes:
when it is judged that the terminal device has not passed authentication, sending the data connection message directly to the authorization control gateway;
the authorization control gateway judging, according to the authorization policy corresponding to the terminal device, whether to send the data connection message to the server includes:
when the authorization control gateway does not obtain an identity identifier from the data connection message, sending the data connection message to the server if the policy configured for unauthenticated users allows it.
Optionally,
the method further includes:
after the authentication access gateway receives the authentication information and identity identifier sent by the authentication client on the terminal device, the authentication access gateway verifying the authentication information;
when the authentication information passes verification, saving the mapping relation between the identity identifier and the source address.
Optionally,
after the authentication access gateway verifies the authentication information, the method further includes:
the authentication access gateway sending the identity identifier and authentication information to the authorization control gateway.
Optionally,
after the authentication access gateway sends the identity identifier and authentication information to the authorization control gateway, the method further includes:
after the authorization control gateway receives the identity identifier and authentication information, generating the authorization policy corresponding to the identity identifier according to the attributes of the authentication information.
The present invention also provides a data connection method, applied to an authentication access gateway, which includes:
after the authentication access gateway receives a data connection message sent by a terminal device, judging whether the terminal device has passed authentication;
the authentication access gateway processing the data connection message according to the judgement result and sending the processed data connection message to an authorization control gateway.
Optionally,
judging whether the terminal device has passed authentication includes:
comparing the source address of the data connection message with the mapping relations recorded by the authentication access gateway; when the identity identifier corresponding to the source address is found in the mapping relations, judging that the terminal device has passed authentication;
the authentication access gateway processing the data connection message according to the judgement result and sending the processed data connection message to the authorization control gateway includes:
when it is judged that the terminal device has passed authentication, inserting the identity identifier determined from the data connection message into the header of the data connection message and then sending it to the authorization control gateway.
Optionally,
judging whether the terminal device has passed authentication includes:
comparing the source address of the data connection message with the mapping relations recorded by the authentication access gateway; when the identity identifier corresponding to the source address is not found in the mapping relations, judging that the terminal device has not passed authentication;
the authentication access gateway processing the data connection message according to the judgement result and sending the processed data connection message to the authorization control gateway includes:
when it is judged that the terminal device has not passed authentication, sending the data connection message directly to the authorization control gateway.
Optionally,
the method further includes:
after the authentication access gateway receives the authentication information and identity identifier sent by the authentication client on the terminal device, the authentication access gateway verifying the authentication information;
when the authentication information passes verification, saving the mapping relation between the identity identifier and the source address.
Optionally,
after the authentication access gateway verifies the authentication information, the method further includes:
the authentication access gateway sending the identity identifier and authentication information to the authorization control gateway.
The present invention also provides a data connection system, which includes an authentication access gateway and an authorization control gateway:
the authentication access gateway is configured to judge, after receiving a data connection message sent by a terminal device, whether the terminal device has passed authentication; and is further configured to process the data connection message according to the judgement result and send the processed data connection message to the authorization control gateway;
the authorization control gateway is configured to judge, according to the authorization policy corresponding to the terminal device, whether to send the data connection message to a server.
Optionally,
the authentication access gateway being configured to judge whether the terminal device has passed authentication specifically means:
comparing the source address of the data connection message with the mapping relations recorded by the authentication access gateway; when the identity identifier corresponding to the source address is found in the mapping relations, judging that the terminal device has passed authentication;
the authentication access gateway being further configured to process the data connection message according to the judgement result and send the processed data connection message to the authorization control gateway specifically means:
when it is judged that the terminal device has passed authentication, inserting the identity identifier determined from the data connection message into the header of the data connection message and then sending it to the authorization control gateway;
the authorization control gateway being configured to judge, according to the authorization policy corresponding to the terminal device, whether to send the data connection message to the server specifically means:
when the authorization control gateway obtains an identity identifier from the data connection message, matching the identity identifier against the authorization policy of the authorization control gateway; when the authorization policy allows, recording the identity identifier in the connection session table and sending the data connection message to the server.
Optionally,
the authentication access gateway being configured to judge whether the terminal device has passed authentication specifically means:
comparing the source address of the data connection message with the mapping relations recorded by the authentication access gateway; when the identity identifier corresponding to the source address is not found in the mapping relations, judging that the terminal device has not passed authentication;
the authentication access gateway being further configured to process the data connection message according to the judgement result and send the processed data connection message to the authorization control gateway specifically means:
when it is judged that the terminal device has not passed authentication, sending the data connection message directly to the authorization control gateway;
the authorization control gateway being configured to judge, according to the authorization policy corresponding to the terminal device, whether to send the data connection message to the server specifically means:
when the authorization control gateway does not obtain an identity identifier from the data connection message, sending the data connection message to the server if the policy configured for unauthenticated users allows it.
Optionally,
the authentication access gateway is further configured to verify the authentication information after receiving the authentication information and identity identifier sent by the authentication client on the terminal device; and is further configured to save the mapping relation between the identity identifier and the source address when the authentication information passes verification.
Optionally,
the authentication access gateway is further configured to send the identity identifier and authentication information to the authorization control gateway.
Optionally,
the authorization control gateway is further configured, after receiving the identity identifier and authentication information, to generate the authorization policy corresponding to the identity identifier according to the attributes of the authentication information.
The present invention also provides a device, arranged at an authentication access gateway, which includes:
a judging module, configured to judge, after a data connection message sent by a terminal device is received, whether the terminal device has passed authentication;
a first processing module, configured to process the data connection message according to the judgement result and send the processed data connection message to an authorization control gateway.
Optionally,
the judging module being configured to judge whether the terminal device has passed authentication specifically means:
comparing the source address of the data connection message with the mapping relations recorded by the authentication access gateway; when the identity identifier corresponding to the source address is found in the mapping relations, judging that the terminal device has passed authentication;
the first processing module being configured to process the data connection message according to the judgement result and send the processed data connection message to the authorization control gateway specifically means:
when it is judged that the terminal device has passed authentication, inserting the identity identifier determined from the data connection message into the header of the data connection message and then sending it to the authorization control gateway.
Optionally,
the judging module judging whether the terminal device has passed authentication specifically means:
comparing the source address of the data connection message with the mapping relations recorded by the authentication access gateway; when the identity identifier corresponding to the source address is not found in the mapping relations, judging that the terminal device has not passed authentication;
the first processing module being configured to process the data connection message according to the judgement result and send the processed data connection message to the authorization control gateway specifically means:
when it is judged that the terminal device has not passed authentication, sending the data connection message directly to the authorization control gateway.
Optionally,
the device further includes:
an authentication module, configured to verify the authentication information after receiving the authentication information and identity identifier sent by the authentication client on the terminal device; and further configured to save the mapping relation between the identity identifier and the source address when the authentication information passes verification.
Optionally,
the device further includes:
a second processing module, configured to send the identity identifier and authentication information to the authorization control gateway.
By completely separating authentication from authorization, the above scheme provides a more efficient and secure network access control and authorization method, while effectively preventing IP address spoofing attacks.
Brief description of the drawings
Fig. 1 is a schematic diagram of distributed user networks and information centres;
Fig. 2 is a schematic diagram of the authentication-plus-firewall solution;
Fig. 3 is a schematic diagram of the VPN tunnel solution;
Fig. 4 is a schematic diagram of the network deployment of the invention;
Fig. 5 is a flow chart of the data connection method in embodiment one;
Fig. 6 is another flow chart of the data connection method in embodiment one;
Fig. 7 is a structural diagram of the data connection system in embodiment three;
Fig. 8 is a structural diagram of the device in embodiment three;
Fig. 9 is another structural diagram of the device in embodiment three.
Specific embodiments
To make the purpose, technical scheme and advantages of the application clearer, the embodiments of the application are described in detail below with reference to the accompanying drawings. It should be noted that, where there is no conflict, the embodiments of the application and the features in the embodiments may be combined with each other.
As shown in Fig. 4, in the technical scheme of the application an authentication client is installed on each terminal device in the user network, an authentication access gateway is deployed at the egress of the user network, and an authorization control gateway is deployed at the entrance of the information centre.
The authentication client is responsible for initiating authentication requests to the authentication access gateway and for establishing and maintaining the authentication connection; it may also be responsible for route steering and datagram encapsulation. The authentication access gateway is responsible for receiving the authentication client's authentication request and, on successful authentication, issuing a pass ticket containing the identity identifier; for establishing and maintaining the authentication connection with the client; and, in addition, for notifying the authorization control gateway of the user information and login status when the client goes offline, and for inserting an IP option security extension into the first packet of a data connection. The authorization control gateway is responsible for receiving the user information and login status notifications from the authentication access gateway, providing the configuration interface for authorization policies, extracting the IP option security extension from the first packet of a data connection, and applying the authorization control policy to data messages according to identity.
Embodiment one
As shown in Fig. 5, this embodiment provides a data connection method, which includes:
Step S11: after the authentication access gateway receives a data connection message sent by a terminal device, judging whether the terminal device has passed authentication;
Step S12: the authentication access gateway processing the data connection message according to the judgement result and sending the processed data connection message to the authorization control gateway;
Step S13: the authorization control gateway judging, according to the authorization policy corresponding to the terminal device, whether to send the data connection message to the server.
Optionally, the method further includes:
Step S14: after the authentication access gateway receives the authentication information and identity identifier sent by the authentication client on the terminal device, the authentication access gateway verifies the authentication information; when the authentication information passes verification, the mapping relation between the identity identifier and the source address is saved.
Step S15: the authentication access gateway sends the identity identifier and authentication information to the authorization control gateway.
Step S16: after the authorization control gateway receives the identity identifier and authentication information, it generates the authorization policy corresponding to the identity identifier according to the attributes of the authentication information.
In this embodiment, for a terminal that has passed authentication: after the authentication access gateway receives the data connection message sent by the terminal device, it compares the source address of the data connection message with the mapping relations it has recorded; when the identity identifier corresponding to the source address is found in the mapping relations, it judges that the terminal device has passed authentication. The authentication access gateway then inserts the identity identifier determined from the data connection message into the header of the data connection message and sends it to the authorization control gateway. After the authorization control gateway receives the data connection message with the inserted identity identifier, it obtains the identity identifier from the message and matches it against its authorization policy; when the authorization policy allows, it records the identity identifier in the connection session table and sends the data connection message to the server.
For a terminal device that has not passed authentication: after the authentication access gateway receives the data connection message sent by the terminal device, it compares the source address of the message with the mapping relations it has recorded; when the identity identifier corresponding to the source address is not found in the mapping relations, it judges that the terminal device has not passed authentication. The authentication access gateway then sends the data connection message directly to the authorization control gateway. When the authorization control gateway receives the data connection message and obtains no identity identifier from it, it checks the policy configured for unauthenticated users; if that policy allows, it sends the data connection message to the server.
It should be noted that in this embodiment, for a data connection message sent by a given terminal device, steps S14 to S16 are performed in the order S14, then S15, then S16; but any of steps S14 to S16 and steps S11 to S13 may be performed in any order relative to each other, for example step S14 may be performed before step S13 or simultaneously with it.
As shown in Fig. 6, this embodiment also provides a data connection method, applied to an authentication access gateway, which includes:
Step S21: after the authentication access gateway receives a data connection message sent by a terminal device, judging whether the terminal device has passed authentication;
Step S22: the authentication access gateway processing the data connection message according to the judgement result and sending the processed data connection message to the authorization control gateway.
Optionally, judging whether the terminal device has passed authentication includes:
comparing the source address of the data connection message with the mapping relations recorded by the authentication access gateway; when the identity identifier corresponding to the source address is found in the mapping relations, judging that the terminal device has passed authentication;
the authentication access gateway processing the data connection message according to the judgement result and sending the processed data connection message to the authorization control gateway includes:
when it is judged that the terminal device has passed authentication, inserting the identity identifier determined from the data connection message into the header of the data connection message and then sending it to the authorization control gateway.
Optionally, judging whether the terminal device has passed authentication includes:
comparing the source address of the data connection message with the mapping relations recorded by the authentication access gateway; when the identity identifier corresponding to the source address is not found in the mapping relations, judging that the terminal device has not passed authentication;
the authentication access gateway processing the data connection message according to the judgement result and sending the processed data connection message to the authorization control gateway includes:
when it is judged that the terminal device has not passed authentication, sending the data connection message directly to the authorization control gateway.
Optionally, the method further includes:
Step S23: after the authentication access gateway receives the authentication information and identity identifier sent by the authentication client on the terminal device, the authentication access gateway verifies the authentication information; when the authentication information passes verification, the mapping relation between the identity identifier and the source address is saved.
Step S24: the authentication access gateway sends the identity identifier and authentication information to the authorization control gateway.
With the above technical scheme, authentication access is completely separated from access authorization control: the authentication access gateway carries the user identity identifier by extending the IP options of data connection messages from authenticated terminals, and the authorization control gateway extracts the identifier and implements session-based user access authorization. This provides a more efficient and secure network access control and authorization method while effectively preventing IP address spoofing attacks.
Embodiment two
The technical solution is further explained below.
I. Authentication flow
1. The user starts the authentication client and either inserts a certificate or enters an account and password; the authentication client requests a connection to the authentication access gateway;
If the user inserted a certificate, the identity identifier and the certificate information are submitted to the authentication access gateway; if the user entered an account and password, the identity identifier is submitted to the authentication access gateway. The identity identifier is usually a 4-byte or 8-byte integer.
2. The authentication access gateway verifies the validity of the account and password or of the certificate;
If the password is wrong or the certificate has been revoked, authentication fails; if the password is verified or the certificate is valid, authentication succeeds, and the gateway then records the mapping between the identity identifier and the source address;
3. If the user entered an account and password, the authentication access gateway forwards the identity identifier to all authorization control gateways; if the user inserted a certificate, the authentication access gateway forwards the identity identifier and the certificate information to all authorization control gateways;
4. The authorization control gateway generates the corresponding authorization policy from the authentication information it receives.
II. Access authorization processing
1. The client initiates a service data connection to the server by sending a data connection packet;
The data connection packet is an IP packet and may carry TCP, UDP, ICMP, etc.
2. After the authentication access gateway intercepts the packet, it judges whether the client has been authenticated. If it has, the gateway inserts the identity identifier obtained for the data connection packet into the packet header as a security extension of the IP options, and sends the packet carrying the identity identifier to the authorization control gateway. If the client has not been authenticated, the authentication access gateway does not process the packet and sends it directly to the authorization control gateway.
An IP packet may contain optional fields that are processed before the packet is forwarded or received. An IP implementation may process the options in any order. At most 40 bytes of options can follow the standard IP header. The IP option field may contain zero or more individual options. Options come in two forms, single-byte and multi-byte; a multi-byte IP option consists of a code, a length, an offset and content. A multi-byte IP option extension, the security extension, is introduced here: its code is 0x48, its length is 8 bytes, and the whole option is 12 bytes; its content is the user identity identifier.
The identity identifier is usually a 4-byte or 8-byte integer. After the identity identifier is inserted into the data connection packet as the IP-option security extension, the length of the packet grows by 12 bytes. For a TCP connection the first packet is generally small and does not exceed the MTU, but the first packet of UDP/ICMP may exceed the MTU after the insertion, in which case the packet must also be fragmented.
3. After the authorization control gateway receives the data connection packet, if it obtains an identity identifier from the packet, it matches the identifier against the authorization policy: if the policy forbids access, the packet is dropped; if the policy allows it, the identifier is recorded in the connection session table and the packet is then sent to the server;
If no identity identifier is obtained from the data connection packet, whether access is allowed is decided by the authorization policy configured for unauthenticated users: if the policy forbids it, the packet is dropped; if the policy allows it, the data connection packet is sent to the server;
4. After the server receives the data connection packet it responds and the session is established; from here on the process is identical to traditional access control based on connection sessions.
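The authentication flow (I) and the interception and option insertion of step II.2 above, as an added example that is not part of the patent or of any product of the applicants. It assumes an option layout of a 1-byte type 0x48, a 1-byte length, a 2-byte offset and an 8-byte identity identifier (the description fixes the code, an 8-byte length and a 12-byte total, not the exact byte layout); the account store, salt, addresses and packets are constructed sample data, and the Python class and function names are this example's own.

```python
import hashlib
import hmac
import ipaddress
import struct

# Option layout assumed by this example (the description fixes only the code, an
# 8-byte length and a 12-byte total): type(1) length(1) offset(2) identity(8).
SEC_EXT_TYPE = 0x48
SEC_EXT_LEN = 12
MAX_HEADER_LEN = 60          # 20-byte base header plus at most 40 bytes of options

# Constructed account store: identity identifier -> (salt, SHA-256(salt || password)).
SALT = b"constructed-salt"
ACCOUNTS = {1001: (SALT, hashlib.sha256(SALT + b"s3cret").digest())}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header (RFC 791); the caller zeroes the checksum field."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed sample input: an IPv4 packet without options (IHL = 5)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def insert_identity(packet: bytes, identity: int) -> bytes:
    """Append the security-extension option and fix IHL, total length and header checksum."""
    if packet[0] & 0x0F != 5:
        raise ValueError("this example only handles packets that carry no options yet")
    header, payload = packet[:20], packet[20:]
    option = struct.pack("!BBHQ", SEC_EXT_TYPE, SEC_EXT_LEN, 0, identity)
    new_hdr_len = 20 + len(option)
    if new_hdr_len > MAX_HEADER_LEN:
        raise ValueError("options would exceed 40 bytes")
    hdr = (bytes([0x40 | new_hdr_len // 4]) + header[1:2]
           + struct.pack("!H", new_hdr_len + len(payload))
           + header[4:10] + b"\x00\x00" + header[12:20] + option)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def extract_identity(packet: bytes):
    """Walk the option list with the RFC 791 TLV rules; return the identity or None."""
    opts = packet[20:(packet[0] & 0x0F) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= len(opts):
            break                          # truncated option
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                          # malformed length: never read past the header
        if kind == SEC_EXT_TYPE and length == SEC_EXT_LEN:
            return struct.unpack("!Q", opts[i + 4:i + 12])[0]
        i += length
    return None


class AuthenticationAccessGateway:
    """Records source address -> identity at login and inserts the option on later packets."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.mapping = {}                  # source address -> identity identifier
        self.sent_to_authz = []            # identities forwarded to the authorization gateways

    def authenticate(self, src: str, identity: int, password: str) -> bool:
        record = self.accounts.get(identity)
        if record is None:
            return False
        salt, digest = record
        if not hmac.compare_digest(hashlib.sha256(salt + password.encode()).digest(), digest):
            return False
        self.mapping[src] = identity       # step I.2: remember the mapping on success
        self.sent_to_authz.append(identity)  # step I.3: forward the identity to the authorization gateways
        return True

    def process(self, packet: bytes) -> bytes:
        """Step II.2: authenticated source -> insert the identity; otherwise forward unchanged."""
        src = str(ipaddress.IPv4Address(packet[12:16]))
        identity = self.mapping.get(src)
        return packet if identity is None else insert_identity(packet, identity)
```

After `insert_identity` the header checksum over the new 32-byte header is zero, the IHL field reads 8 and the total length has grown by 12, which is what the authorization control gateway and the server's IP stack will check. Because a client can set IP options itself, the anti-spoofing property of the scheme holds only if every path to the authorization control gateway passes through the authentication access gateway, which should strip or reject a pre-existing 0x48 option; the `IHL != 5` check above is the place where that stripping would go.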
In this invention, authentication and access authorization are deployed independently and configured separately. Addresses/ports that require authentication can be configured, as can addresses/ports that do not. For an address/port configured as requiring authentication, unauthenticated data packets are dropped. For an address/port configured as not requiring authentication, unauthenticated data packets are forwarded unchanged, without user information, and authenticated data packets are likewise forwarded after the user information is added.
At the information entry gateway, packets are handled according to the authorization policy. For ease of configuration, two special user groups can be provided on that gateway, namely "all authenticated users/anybody" and "all unauthenticated users/nobody", and the administrator can set access permissions for each group separately.
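The authorization-side behaviour of steps II.3 and II.4 and of the two paragraphs above (addresses/ports that require authentication, the "anybody" and "nobody" groups, and the connection session table), as an added example that is not from the patent. The identity arrives here as an already extracted integer or None; the rule format, top-down first-match evaluation, default deny and the string results are this example's own assumptions, and all addresses and rules are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Union

ANYBODY = "anybody"       # special group: all authenticated users
NOBODY = "nobody"         # special group: all unauthenticated users


@dataclass(frozen=True)
class Rule:
    subject: Union[int, str]      # one identity identifier, ANYBODY or NOBODY
    dst: str                      # destination address
    dport: Optional[int]          # destination port; None matches any port
    action: str                   # "allow" or "deny"

    def covers(self, identity: Optional[int], dst: str, dport: int) -> bool:
        if self.dst != dst or (self.dport is not None and self.dport != dport):
            return False
        if identity is None:                      # packet carried no identity option
            return self.subject == NOBODY
        return self.subject == identity or self.subject == ANYBODY


class AuthenticationRequirement:
    """Authentication access gateway side: addresses/ports configured as requiring authentication."""

    def __init__(self, required):
        self.required = set(required)             # (dst, dport) pairs; dport None = whole address

    def decide(self, dst: str, dport: int, identity: Optional[int]) -> str:
        if identity is not None:
            return "forward-with-identity"
        if (dst, dport) in self.required or (dst, None) in self.required:
            return "drop"                         # unauthenticated packet to a protected address/port
        return "forward-unchanged"


class AuthorizationControlGateway:
    """Authorization control gateway side: policy match on the first packet, then the session table."""

    def __init__(self, rules):
        self.rules = list(rules)                  # evaluated top-down, first match wins (assumption)
        self.sessions = {}                        # connection session table: 5-tuple -> identity

    def handle(self, flow, identity: Optional[int]) -> str:
        """flow = (src, sport, dst, dport, proto); identity = value from the IP option, or None."""
        if flow in self.sessions:
            return "forward"                      # step II.4: later packets ride the session
        dst, dport = flow[2], flow[3]
        for rule in self.rules:
            if rule.covers(identity, dst, dport):
                if rule.action != "allow":
                    return "drop"
                self.sessions[flow] = identity    # step II.3: record the identity for the session
                return "forward"
        return "drop"                             # no matching rule: default deny (assumption)
```

The session table is what lets packets after the first pass without the option: once the first packet of a flow has been allowed, later packets of the same 5-tuple are forwarded even though they carry no identity, so the authorization decision is taken exactly once per connection, as the description states for step 4.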
The present invention completely separates authentication from access authorization control. The user identity identifier is carried by extending the IP options of the data packet, and the authorization control gateway extracts that identifier, thereby achieving session-based user access authorization and effectively preventing IP spoofing. User access authorization supports all IP payloads, including TCP, UDP, ICMP, etc., and neither the existing network topology nor the service servers need to be modified.
Embodiment three
As shown in Fig. 7, this embodiment provides a data connection system, which includes an authentication access gateway 11 and an authorization control gateway 12:
The authentication access gateway 11 is used to judge, after obtaining a data connection packet sent by a terminal device, whether the terminal device has been authenticated; it is further used to process the data connection packet according to the judgement result and send the processed packet to the authorization control gateway;
The authorization control gateway 12 is used to judge, according to the authorization policy corresponding to the terminal device, whether to send the data connection packet to the server.
Optionally,
the authentication access gateway 11 being used to judge whether the terminal device has been authenticated specifically means:
comparing the source address of the data connection packet against the mapping recorded by the authentication access gateway; when an identity identifier corresponding to the source address is found in the mapping, the terminal device is judged to have been authenticated;
the authentication access gateway 11 being further used to process the data connection packet according to the judgement result and send the processed packet to the authorization control gateway specifically means:
when the terminal device is judged to have been authenticated, inserting the identity identifier determined for the data connection packet into the header of the packet and then sending the packet to the authorization control gateway;
the authorization control gateway 12 being used to judge, according to the authorization policy corresponding to the terminal device, whether to send the data connection packet to the server specifically means:
when the authorization control gateway obtains an identity identifier from the data connection packet, it matches the identifier against its authorization policy; when the policy allows access, it records the identifier in the connection session table and sends the data connection packet to the server.
Optionally,
the authentication access gateway 11 being used to judge whether the terminal device has been authenticated specifically means:
comparing the source address of the data connection packet against the mapping recorded by the authentication access gateway; when no identity identifier corresponding to the source address is found in the mapping, the terminal device is judged not to have been authenticated;
the authentication access gateway 11 being further used to process the data connection packet according to the judgement result and send the processed packet to the authorization control gateway specifically means:
when the terminal device is judged not to have been authenticated, forwarding the data connection packet directly to the authorization control gateway;
the authorization control gateway 12 being used to judge, according to the authorization policy corresponding to the terminal device, whether to send the data connection packet to the server specifically means:
when the authorization control gateway does not obtain an identity identifier from the data connection packet, it sends the packet to the server if the policy configured for unauthenticated users allows it.
Optionally,
the authentication access gateway 11 is further used to verify the authentication information after receiving the authentication information and identity identifier sent by the authentication client on the terminal device; and is further used to save the mapping between the identity identifier and the source address when the authentication information is verified.
Optionally,
the authentication access gateway 11 is further used to send the identity identifier and the authentication information to the authorization control gateway.
Optionally,
the authorization control gateway 12 is further used, after receiving the identity identifier and the authentication information, to generate the authorization policy corresponding to the identity identifier from the attributes of the authentication information.
As shown in Fig. 8, this embodiment also provides a device arranged at the authentication access gateway 11. The device includes:
a judgement module 111, used to judge, after a data connection packet sent by a terminal device is obtained, whether the terminal device has been authenticated;
a first processing module 112, used to process the data connection packet according to the judgement result and send the processed packet to the authorization control gateway.
Optionally,
the judgement module 111 being used to judge whether the terminal device has been authenticated specifically means:
comparing the source address of the data connection packet against the mapping recorded by the authentication access gateway; when an identity identifier corresponding to the source address is found in the mapping, the terminal device is judged to have been authenticated;
the first processing module 112 being used to process the data connection packet according to the judgement result and send the processed packet to the authorization control gateway specifically means:
when the terminal device is judged to have been authenticated, inserting the identity identifier determined for the data connection packet into the header of the packet and then sending the packet to the authorization control gateway.
Optionally,
the judgement module 111 being used to judge whether the terminal device has been authenticated specifically means:
comparing the source address of the data connection packet against the mapping recorded by the authentication access gateway; when no identity identifier corresponding to the source address is found in the mapping, the terminal device is judged not to have been authenticated;
the first processing module 112 being used to process the data connection packet according to the judgement result and send the processed packet to the authorization control gateway specifically means:
when the terminal device is judged not to have been authenticated, forwarding the data connection packet directly to the authorization control gateway.
Optionally, as shown in Fig. 9,
the device further includes:
an authentication module 113, used to verify the authentication information after receiving the authentication information and identity identifier sent by the authentication client on the terminal device; and further used to save the mapping between the identity identifier and the source address when the authentication information is verified.
Optionally,
the device further includes:
a second processing module 114, used to send the identity identifier and the authentication information to the authorization control gateway.
The above describes only preferred embodiments of the present invention and is not intended to limit it; those skilled in the art may make various modifications and variations to the present invention. Any modification, equivalent substitution, improvement, etc. made within the spirit and principle of the present invention shall fall within its scope of protection. Those of ordinary skill in the art will understand that all or part of the steps of the above method may be completed by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or part of the steps of the above embodiments may also be implemented with one or more integrated circuits; correspondingly, each module/unit in the above embodiments may be implemented in the form of hardware or in the form of a software functional module. The present application is not limited to any particular form of combination of hardware and software.

Claims (22)

1. A data connection method, characterized in that the method includes:
after an authentication access gateway obtains a data connection packet sent by a terminal device, judging whether the terminal device has been authenticated;
the authentication access gateway processing the data connection packet according to the judgement result and sending the processed packet to an authorization control gateway;
the authorization control gateway judging, according to the authorization policy corresponding to the terminal device, whether to send the data connection packet to a server.
2. The method according to claim 1, characterized in that:
judging whether the terminal device has been authenticated includes:
comparing the source address of the data connection packet against the mapping recorded by the authentication access gateway; when an identity identifier corresponding to the source address is found in the mapping, judging that the terminal device has been authenticated;
the authentication access gateway processing the data connection packet according to the judgement result and sending the processed packet to the authorization control gateway includes:
when the terminal device is judged to have been authenticated, inserting the identity identifier determined for the data connection packet into the header of the packet and then sending the packet to the authorization control gateway;
the authorization control gateway judging, according to the authorization policy corresponding to the terminal device, whether to send the data connection packet to the server includes:
when the authorization control gateway obtains an identity identifier from the data connection packet, matching the identifier against the authorization policy of the authorization control gateway; when the authorization policy allows access, recording the identifier in the connection session table and sending the data connection packet to the server.
3. The method according to claim 1, characterized in that:
judging whether the terminal device has been authenticated includes:
comparing the source address of the data connection packet against the mapping recorded by the authentication access gateway; when no identity identifier corresponding to the source address is found in the mapping, judging that the terminal device has not been authenticated;
the authentication access gateway processing the data connection packet according to the judgement result and sending the processed packet to the authorization control gateway includes:
when the terminal device is judged not to have been authenticated, forwarding the data connection packet directly to the authorization control gateway;
the authorization control gateway judging, according to the authorization policy corresponding to the terminal device, whether to send the data connection packet to the server includes:
when the authorization control gateway does not obtain an identity identifier from the data connection packet, sending the data connection packet to the server if the policy configured for unauthenticated users allows it.
4. The method according to any one of claims 1 to 3, characterized in that the method further includes:
after the authentication access gateway receives the authentication information and identity identifier sent by the authentication client on the terminal device, the authentication access gateway verifying the authentication information;
when the authentication information is verified, saving the mapping between the identity identifier and the source address.
5. The method according to claim 4, characterized in that:
after the authentication access gateway verifies the authentication information, the method further includes:
the authentication access gateway sending the identity identifier and the authentication information to the authorization control gateway.
6. The method according to claim 5, characterized in that:
after the authentication access gateway sends the identity identifier and the authentication information to the authorization control gateway, the method further includes:
after the authorization control gateway receives the identity identifier and the authentication information, generating the authorization policy corresponding to the identity identifier from the attributes of the authentication information.
7. A data connection method applied to an authentication access gateway, characterized in that the method includes:
after the authentication access gateway obtains a data connection packet sent by a terminal device, judging whether the terminal device has been authenticated;
the authentication access gateway processing the data connection packet according to the judgement result and sending the processed packet to an authorization control gateway.
8. The method according to claim 7, characterized in that:
judging whether the terminal device has been authenticated includes:
comparing the source address of the data connection packet against the mapping recorded by the authentication access gateway; when an identity identifier corresponding to the source address is found in the mapping, judging that the terminal device has been authenticated;
the authentication access gateway processing the data connection packet according to the judgement result and sending the processed packet to the authorization control gateway includes:
when the terminal device is judged to have been authenticated, inserting the identity identifier determined for the data connection packet into the header of the packet and then sending the packet to the authorization control gateway.
9. The method according to claim 7, characterized in that:
judging whether the terminal device has been authenticated includes:
comparing the source address of the data connection packet against the mapping recorded by the authentication access gateway; when no identity identifier corresponding to the source address is found in the mapping, judging that the terminal device has not been authenticated;
the authentication access gateway processing the data connection packet according to the judgement result and sending the processed packet to the authorization control gateway includes:
when the terminal device is judged not to have been authenticated, forwarding the data connection packet directly to the authorization control gateway.
10. The method according to any one of claims 7 to 9, characterized in that the method further includes:
after the authentication access gateway receives the authentication information and identity identifier sent by the authentication client on the terminal device, the authentication access gateway verifying the authentication information;
when the authentication information is verified, saving the mapping between the identity identifier and the source address.
11. The method according to claim 10, characterized in that:
after the authentication access gateway verifies the authentication information, the method further includes:
the authentication access gateway sending the identity identifier and the authentication information to the authorization control gateway.
12. A data connection system, characterized in that the system includes an authentication access gateway and an authorization control gateway:
the authentication access gateway is used to judge, after obtaining a data connection packet sent by a terminal device, whether the terminal device has been authenticated; and is further used to process the data connection packet according to the judgement result and send the processed packet to the authorization control gateway;
the authorization control gateway is used to judge, according to the authorization policy corresponding to the terminal device, whether to send the data connection packet to a server.
13. The system according to claim 12, characterized in that:
the authentication access gateway being used to judge whether the terminal device has been authenticated specifically means:
comparing the source address of the data connection packet against the mapping recorded by the authentication access gateway; when an identity identifier corresponding to the source address is found in the mapping, judging that the terminal device has been authenticated;
the authentication access gateway being further used to process the data connection packet according to the judgement result and send the processed packet to the authorization control gateway specifically means:
when the terminal device is judged to have been authenticated, inserting the identity identifier determined for the data connection packet into the header of the packet and then sending the packet to the authorization control gateway;
the authorization control gateway being used to judge, according to the authorization policy corresponding to the terminal device, whether to send the data connection packet to the server specifically means:
when the authorization control gateway obtains an identity identifier from the data connection packet, matching the identifier against the authorization policy of the authorization control gateway; when the authorization policy allows access, recording the identifier in the connection session table and sending the data connection packet to the server.
14. The system according to claim 12, characterized in that:
the authentication access gateway being used to judge whether the terminal device has been authenticated specifically means:
comparing the source address of the data connection packet against the mapping recorded by the authentication access gateway; when no identity identifier corresponding to the source address is found in the mapping, judging that the terminal device has not been authenticated;
the authentication access gateway being further used to process the data connection packet according to the judgement result and send the processed packet to the authorization control gateway specifically means:
when the terminal device is judged not to have been authenticated, forwarding the data connection packet directly to the authorization control gateway;
the authorization control gateway being used to judge, according to the authorization policy corresponding to the terminal device, whether to send the data connection packet to the server specifically means:
when the authorization control gateway does not obtain an identity identifier from the data connection packet, sending the data connection packet to the server if the policy configured for unauthenticated users allows it.
15. The system according to any one of claims 12 to 14, characterized in that:
the authentication access gateway is further used to verify the authentication information after receiving the authentication information and identity identifier sent by the authentication client on the terminal device; and is further used to save the mapping between the identity identifier and the source address when the authentication information is verified.
16. The system according to claim 15, characterized in that:
the authentication access gateway is further used to send the identity identifier and the authentication information to the authorization control gateway.
17. The system according to claim 16, characterized in that:
the authorization control gateway is further used, after receiving the identity identifier and the authentication information, to generate the authorization policy corresponding to the identity identifier from the attributes of the authentication information.
18. A device arranged at an authentication access gateway, characterized in that the device includes:
a judgement module, used to judge, after a data connection packet sent by a terminal device is obtained, whether the terminal device has been authenticated;
a first processing module, used to process the data connection packet according to the judgement result and send the processed packet to an authorization control gateway.
19. The device according to claim 18, characterized in that:
the judgement module being used to judge whether the terminal device has been authenticated specifically means:
comparing the source address of the data connection packet against the mapping recorded by the authentication access gateway; when an identity identifier corresponding to the source address is found in the mapping, judging that the terminal device has been authenticated;
the first processing module being used to process the data connection packet according to the judgement result and send the processed packet to the authorization control gateway specifically means:
when the terminal device is judged to have been authenticated, inserting the identity identifier determined for the data connection packet into the header of the packet and then sending the packet to the authorization control gateway.
20. The device according to claim 18, characterized in that:
the judgement module judging whether the terminal device has been authenticated specifically means:
comparing the source address of the data connection packet against the mapping recorded by the authentication access gateway; when no identity identifier corresponding to the source address is found in the mapping, judging that the terminal device has not been authenticated;
the first processing module being used to process the data connection packet according to the judgement result and send the processed packet to the authorization control gateway specifically means:
when the terminal device is judged not to have been authenticated, forwarding the data connection packet directly to the authorization control gateway.
21. The device according to any one of claims 18 to 20, characterized in that the device further includes:
an authentication module, used to verify the authentication information after receiving the authentication information and identity identifier sent by the authentication client on the terminal device; and further used to save the mapping between the identity identifier and the source address when the authentication information is verified.
22. The device according to claim 21, characterized in that the device further includes:
a second processing module, used to send the identity identifier and the authentication information to the authorization control gateway.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201511019836.7A | 2015-12-29 | 2015-12-29 | A data connection method, system and device (CN106936779A)


Publications (1)

Publication Number Publication Date
CN106936779A true CN106936779A (en) 2017-07-07

Family

ID=59440946

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201511019836.7A Pending CN106936779A (en) 2015-12-29 2015-12-29 A kind of data connecting method, system and device

Country Status (1)

Country Link
CN (1) CN106936779A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101478485A (en) * 2009-01-19 2009-07-08 成都市华为赛门铁克科技有限公司 Method for local area network access control and network gateway equipment
CN102638473A (en) * 2012-05-04 2012-08-15 盛趣信息技术(上海)有限公司 User data authorization method, device and system

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107566260A (en) * 2017-10-23 2018-01-09 合肥时代智慧高新投资管理有限公司 Client-free login-free unified identity authentication method based on user mailbox
CN107566260B (en) * 2017-10-23 2020-10-02 合肥时代智慧高新投资管理有限公司 Client-free login-free unified identity authentication method based on user mailbox
CN110830415A (en) * 2018-08-07 2020-02-21 华为技术有限公司 Network access control method and device
CN110830415B (en) * 2018-08-07 2021-02-12 华为技术有限公司 Network access control method and device
CN114006884A (en) * 2021-11-17 2022-02-01 中国电信股份有限公司 Session control method, device and system in network address translation scene
CN114006884B (en) * 2021-11-17 2024-03-15 中国电信股份有限公司 Session control method, device and system in network address translation scene

Similar Documents

Publication Publication Date Title
DE102014224694B4 (en) Network device and network system
US7730527B2 (en) Procedure for controlling access to a source terminal network using a block mode tunnel and computer programs for its implementation
US6816462B1 (en) System and method to determine connectivity of a VPN secure tunnel
US7823194B2 (en) System and methods for identification and tracking of user and/or source initiating communication in a computer network
US9641551B1 (en) System and method for traversing a NAT device with IPSEC AH authentication
US6668282B1 (en) System and method to monitor and determine if an active IPSec tunnel has become disabled
CN100380870C (en) System and method for managing a proxy request over a secure network using inherited security attributes
US7661131B1 (en) Authentication of tunneled connections
CN104322001A (en) Transport layer security traffic control using service name identification
WO2017143903A1 (en) Method, device and system for access control
CN107231336A (en) A kind of access control method, device and the gateway device of LAN Intranet resource
WO2007006007A2 (en) Using non 5-tuple information with ipsec
CN103647772A (en) Method for carrying out trusted access controlling on network data package
CA2506418C (en) Systems and apparatuses using identification data in network communication
CN101986598A (en) Authentication method, server and system
CN116055254A (en) Safe and trusted gateway system, control method, medium, equipment and terminal
CN106169952A (en) Authentication method that a kind of internet IKMP is heavily consulted and device
CN107453861B (en) A kind of collecting method based on SSH2 agreement
CN106506354A (en) A kind of message transmitting method and device
CN106936779A (en) A kind of data connecting method, system and device
CN111343083B (en) Instant messaging method, instant messaging device, electronic equipment and readable storage medium
KR101214613B1 (en) Security method and security system based on proxy for identifying connector credibly
CN111147451A (en) Service system security access method, device and system based on cloud platform
CN105635076B (en) A kind of media transmission method and equipment
US20160294558A1 (en) Information collection system and a connection control method in the information collection system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170707