CN107231336A - Access control method, device and gateway device for LAN intranet resources - Google Patents

Access control method, device and gateway device for LAN intranet resources

Info

Publication number
CN107231336A
Authority
CN
China
Prior art keywords
resource
client
access
user
grade
Prior art date
Legal status
Pending
Application number
CN201610176642.6A
Other languages
Chinese (zh)
Inventor
陈龙
梁会发
谢铁民
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Priority date
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN201610176642.6A
Priority to PCT/CN2016/086270 (WO2017161706A1)
Publication of CN107231336A
Legal status: Pending

Classifications

    • H04L 9/40 Network security protocols (under H04L 9/00, Cryptographic mechanisms or cryptographic arrangements for secret or secure communications)
    • H04L 63/10 Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L 63/0823 Network architectures or network communication protocols for network security, for authentication of entities using certificates

Abstract

The present invention provides an access control method, device and gateway device for LAN intranet resources. The method includes: obtaining the user permission level and the resource permission level of a first client that initiates a resource connection request message to the gateway device; and, if the resource permission level corresponding to the user permission level of the first client is found in a preset mapping table of user permission levels and resource permission levels, forwarding the resource connection request message of the first client to the destination server. The gateway device itself judges, according to the resource permission levels corresponding to the user permission level, whether a client accessing a LAN intranet resource has access permission, and forwards the resource connection request to the destination server only when the client has that permission. This improves the efficiency with which users access LAN intranet resources, reduces the processing load of the destination server and saves intranet resources.

Description

Access control method, device and gateway device for LAN intranet resources
Technical field
The present invention relates to the technical field of network security, and in particular to an access control method, device and gateway device for LAN intranet resources.
Background technology
An SSL VPN is a virtual private network (VPN) technology that establishes a remote secure access channel on the basis of the Secure Sockets Layer (SSL) protocol. SSL runs above the transport layer and encrypts only the application channel between the two communicating parties, not the entire path from one host to another. In communication over SSL, each application is a separate secure component and can work transparently through a Network Address Translation (NAT) proxy device.
When the SSL connection between server and client is established, both parties can perform identity authentication, with digital signatures realized by an asymmetric key algorithm. Because a signature produced with a private key can only be verified with the corresponding public key, the identity of the sender can be judged from whether verification succeeds; SSL relies on the mechanism provided by a Public Key Infrastructure (PKI) to guarantee the authenticity of public keys. In an enterprise network, the OpenSSL toolkit can be used to set up the organization's own certification system: a root certificate issues private keys and certificates for the server and for multiple clients, which guarantees the authenticity and uniqueness of the user when a client initiates an access request.
SSL VPN extension refers to linking users dispersed across a wide area network together by building a virtual LAN over the SSL protocol.
Fig. 1 is a schematic diagram of the relationship between an SSL VPN extension user, the gateway device and the internal resources. The user requests, through the client, to join the LAN via the gateway device. When the connection is established, the gateway device acts as the server side and authenticates the user; if authentication succeeds, an available virtual LAN internal address is taken from the address pool and assigned to the user. The client program on the user side then configures the assigned address on a local virtual Ethernet device (referred to here as a TUN device), while the gateway device pushes the intranet routes reachable through the tunnel to the user; finally, the client adds the received routes to the local routing table, and the user has joined the virtual LAN.
Traffic is matched against the routing table according to the network the user accesses. Traffic to the virtual LAN or to the intranet resources behind the gateway device is sent through the TUN device. Once data has been written to the TUN device, the client encrypts it, encapsulates the ciphertext into TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) messages addressed to a designated port number, for example 1194, and sends them from the real physical network interface to the gateway device. On receiving the data, the gateway device checks whether the TCP or UDP port number is 1194; if so, the packets for this port are handed to the VPN module of the gateway device for decryption, and successfully decrypted data is forwarded to the TUN device of the gateway device. The data delivered to the TUN device is now plaintext and, like packets received on an ordinary Ethernet device, enters the protocol stack for processing.
In practical application, it is found that the internal network resources of an enterprise have different confidentiality levels, so that secure access control must be applied to users: a specific resource may only be accessed with a specific permission. In the prior art, secure access control works as follows: after the user initiates access to a resource, the permission level is obtained and it is then judged, according to that level, whether the user has access permission. This method is inefficient, because a connection to the requested resource must be initiated every time, which wastes intranet resources.
In addition, when the user requests a resource and the gateway device checks the legitimacy of the access, the gateway device has to perform a complex validity check on the requesting user according to the message information. Moreover, once a resource connection has been established, a dynamic change of the permission level of the resource is not propagated in time to the connections that already exist, which is a potential security hazard.
The content of the invention
The object of the present invention is to provide an access control method, device and gateway device for LAN intranet resources, in order to solve the problems of the prior art that, when a user accesses LAN intranet resources, resource access is inefficient and there is a potential security hazard when the permission of a resource changes dynamically.
To achieve this object, an embodiment of the present invention provides an access control method for LAN intranet resources, including:
obtaining the user permission level and the resource permission level of a first client that initiates a resource connection request message to the gateway device;
in a preset mapping table of user permission levels and resource permission levels, if the resource permission level corresponding to the user permission level of the first client is found, forwarding the resource connection request message of the first client to the destination server.
Wherein the step of obtaining the user permission level of the first client that initiates the resource connection request message to the gateway device includes:
receiving the access connection request initiated by the first client to the gateway device, and obtaining the user permission level of the first client from the access connection request.
Wherein the step of obtaining the user permission level of the first client from the access connection request includes:
obtaining the user common name of the first client through the identity authentication mechanism of the Secure Sockets Layer (SSL) protocol, and authenticating the first client according to the digital certificate corresponding to the user common name;
when the first client passes identity authentication, assigning an intranet IP address to the first client and completing the access connection with the first client;
looking up the user permission list according to the user common name in the access connection request to obtain the user permission level of the first client.
Wherein the step of obtaining the resource permission level of the first client that initiates the resource connection request message to the gateway device includes:
obtaining the resource connection request message sent by the first client through the Secure Sockets Layer virtual private network (SSL VPN);
obtaining, according to the resource connection request message, the resource permission level corresponding to the resource connection request message.
Wherein the step of obtaining the resource permission level corresponding to the resource connection request message according to the resource connection request message includes:
parsing the message content of the resource connection request message to obtain the resource to be connected, which is the first resource;
looking up the resource permission list to obtain the resource permission level corresponding to the first resource.
Wherein, after the step of forwarding the resource connection request message of the first client to the destination server, the method further includes:
when the first client, according to the resource connection request message, connects to the first resource on the destination server that matches its resource permission level, saving the attribute information of the first client in the user access list of the first resource.
Wherein the method further includes:
after the first client disconnects from the first resource, deleting the attribute information of the first client from the user access list of the first resource.
Wherein the method further includes:
updating the user access list according to a change of the resource permission level or of the user permission level.
Wherein the step of updating the user access list according to a change of the resource permission level includes:
after the resource permission level changes, looking up the user access list of the resource whose resource permission level was changed, and obtaining the attribute information of the clients accessing that resource;
in the preset mapping table of user permission levels and resource permission levels, if the user permission level of a client is found not to correspond to the changed resource permission level, sending a first reset message to that client and deleting the attribute information of that client from the user access list.
Wherein the step of updating the user access list according to a change of the user permission level includes:
after a user permission level is reduced, if the attribute information of the client whose user permission level was reduced is present in the user access list of a resource corresponding to the user permission level before the reduction, sending a second reset message to that client and deleting the attribute information of that client from the user access list.
An embodiment of the present invention also provides an access control device for LAN intranet resources, including:
an acquisition module, configured to obtain the user permission level and the resource permission level of a first client that initiates a resource connection request message to the gateway device;
an execution processing module, configured to forward the resource connection request message of the first client to the destination server if, in a preset mapping table of user permission levels and resource permission levels, the resource permission level corresponding to the user permission level of the first client is found.
An embodiment of the present invention also provides a gateway device, including the access control device for LAN intranet resources described in the above embodiment.
The above technical solution of the present invention has the following beneficial effects:
In the above solution, the gateway device itself judges, according to the resource permission levels corresponding to the user permission level, whether a client accessing a LAN intranet resource has access permission, and forwards the resource connection request to the destination server only when the client has that permission. This improves the efficiency with which users access LAN intranet resources, reduces the processing load of the destination server and saves intranet resources. Furthermore, by immediately resetting the resource connections of users whose permission, or whose resource's permission, has been modified, the data security of LAN intranet resources is guaranteed when resource permissions change dynamically.
Brief description of the drawings
Fig. 1 is a schematic diagram of the relationship between the SSL VPN extension user, the gateway device and the internal resources according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the basic steps of the access control method for LAN intranet resources according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the composition of the access control device for LAN intranet resources according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the specific flow of the access control method for LAN intranet resources according to an embodiment of the present invention.
Embodiment
To make the technical problem to be solved, the technical solution and the advantages of the present invention clearer, a detailed description is given below with reference to the accompanying drawings and specific embodiments.
To address the problems of the prior art that, when a user accesses LAN intranet resources, resource access is inefficient and a dynamic change of resource permission creates a potential security hazard, the present invention provides an access control method for LAN intranet resources that improves the efficiency with which users access LAN intranet resources, reduces the processing load of the destination server, saves intranet resources, and guarantees the data security of LAN intranet resources when resource permissions change dynamically.
First embodiment
As shown in Fig. 2, an embodiment of the present invention provides an access control method for LAN intranet resources, including:
Step 11, obtaining the user permission level and the resource permission level of a first client that initiates a resource connection request message to the gateway device;
It should be noted here that the user permission level is the permission level of the user operating the client, and one user corresponds to one client.
Step 12, in a preset mapping table of user permission levels and resource permission levels, if the resource permission level corresponding to the user permission level of the first client is found, forwarding the resource connection request message of the first client to the destination server.
In the access control method for LAN intranet resources of this embodiment, the gateway device itself judges, according to the resource permission levels corresponding to the user permission level, whether a client accessing a LAN intranet resource has access permission, and forwards the resource connection request to the destination server only when the client has that permission. This improves the efficiency with which users access LAN intranet resources, reduces the processing load of the destination server and saves intranet resources.
Preferably, in step 11 of this embodiment, the step of obtaining the user permission level of the first client that initiates the resource connection request message to the gateway device may further include:
Step 111, receiving the access connection request initiated by the first client to the gateway device, and obtaining the user permission level of the first client from the access connection request.
It should be noted here that the first client may be an SSL VPN extension client, and the gateway device may be a VPN gateway device.
Here, step 111 may further include:
Step 1111, obtaining the user common name of the first client through the identity authentication mechanism of the Secure Sockets Layer (SSL) protocol, and authenticating the first client according to the digital certificate corresponding to the user common name;
It should be noted here that the user common name is the user identifier that uniquely identifies the client, assigned when the client applies to the gateway device administrator for an account.
The digital certificate corresponding to the user common name can be generated with the OpenSSL toolkit, which also produces the private key corresponding to the user common name; the digital certificate carries the identity information of the client.
Step 1112, when the first client passes identity authentication, assigning an intranet IP address to the first client and completing the access connection with the first client;
Here, after the first client passes identity authentication and an intranet IP address has been assigned to it, the gateway device may store the user common name in a data field of the connection.
It should be noted that, if the identity authentication of the first client fails, the gateway device directly refuses the access connection initiated by the first client. In this way the destination server does not have to spend extra processing on authenticating the client that wants to access it, which saves intranet resources and also reduces the possibility of an illegitimate client obtaining the internal data of the server.
Step 1113, looking up the user permission list according to the user common name in the access connection request to obtain the user permission level of the first client.
It should be noted here that the user permission list is pre-stored on the gateway device and holds the user permission levels of the different users who may access intranet resources.
Preferably, in step 11 of this embodiment, the step of obtaining the resource permission level of the first client that initiates the resource connection request message to the gateway device may further include:
Step 112, obtaining the resource connection request message sent by the first client through the Secure Sockets Layer virtual private network (SSL VPN);
It should be noted that the gateway device has already completed the access connection with the first client before it obtains the resource connection request.
Step 113, obtaining, according to the resource connection request message, the resource permission level corresponding to the resource connection request message.
It should be noted here that if the gateway device cannot obtain a resource permission level corresponding to the resource connection request message, the resource the client wants to access is not in the resource permission list; that is, no resource permission level has been set for it and no access permission is required, so every client that has passed identity authentication may access that resource inside the LAN.
Here, step 113 may further include:
Step 1131, parsing the message content of the resource connection request message to obtain the resource to be connected, which is the first resource;
Step 1132, looking up the resource permission list to obtain the resource permission level corresponding to the first resource.
It should be noted here that the resource permission list is pre-stored on the gateway device and holds the resource permission levels corresponding to the different resources.
Further, the access control method for LAN intranet resources of this embodiment may also include:
Step 13, after the resource connection request message of the first client has been forwarded to the destination server, when the first client, according to the resource connection request message, connects to the first resource on the destination server that matches its resource permission level, saving the attribute information of the first client in the user access list of the first resource.
It should be noted here that the user access list of the first resource stores the clients currently accessing the first resource.
Further, the access control method for LAN intranet resources of this embodiment may also include:
Step 14, after the first client disconnects from the first resource, deleting the attribute information of the first client from the user access list of the first resource.
It should be noted here that deleting the attribute information of the first client from the user access list of the first resource as soon as its connection to the destination server is dropped keeps the list accurate, so that a subsequent change of user permission level or resource permission level acts on the connections that actually exist; this prevents leakage of intranet data and guarantees the security of intranet data resources.
Further, the access control method for LAN intranet resources of this embodiment may also include:
Step 15, updating the user access list according to a change of the resource permission level or of the user permission level.
Here, in step 15, the step of updating the user access list according to a change of the resource permission level may further include:
Step 151, after the resource permission level changes, looking up the user access list of the resource whose resource permission level was changed, and obtaining the attribute information of the clients accessing that resource;
Step 152, in the preset mapping table of user permission levels and resource permission levels, if the user permission level of a client is found not to correspond to the changed resource permission level, sending a first reset message to that client and deleting the attribute information of that client from the user access list.
It should be noted here that the preset mapping table of user permission levels and resource permission levels is configured in advance by the gateway device administrator, who assigns to each user permission level the resource permission levels it may access, and is stored on the gateway device.
The above two steps show that when a resource permission level changes, the clients whose user permission level is no longer sufficient are deleted from the user access list of the resource, so that the user access list is updated in time, the security of intranet resource data is guaranteed, and leakage of resource data is effectively prevented.
Here, in step 15, the step of updating the user access list according to a change of the user permission level may further include:
Step 153, after a user permission level is reduced, if the attribute information of the client whose user permission level was reduced is present in the user access list of a resource corresponding to the user permission level before the reduction, sending a second reset message to that client and deleting the attribute information of that client from the user access list.
It should be noted that in step 153, after the user permission level has been reduced, the client whose level was reduced no longer has permission to access the resources that corresponded to its user permission level before the reduction. Deleting the attribute information of that client from the user access lists of those resources updates the user access lists in time, guarantees the security of intranet resource data and effectively prevents leakage of resource data.
In the access control method for LAN intranet resources of this embodiment, the gateway device itself judges, according to the resource permission levels corresponding to the user permission level, whether a client accessing a LAN intranet resource has access permission, and forwards the resource connection request to the destination server only when the client has that permission. This improves the efficiency with which users access LAN intranet resources, reduces the processing load of the destination server and saves intranet resources. Furthermore, by immediately resetting the resource connections of users whose permission, or whose resource's permission, has been modified, the data security of LAN intranet resources is guaranteed when resource permissions change dynamically.
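As an added worked example, not part of the patent and not ZTE's implementation, the following Python models steps 11 to 15 of this embodiment on a single gateway object: the CN is taken from the already verified client certificate (step 1111), mapped through the user permission list to a user permission level (step 1113), the requested resource is mapped through the resource permission list to a resource permission level (steps 1131 and 1132), the mapping table decides forward or drop on the gateway (step 12), a forwarded access is recorded in the resource's user access list (step 13) and removed on disconnect (step 14), and a change of resource level or user level resets and evicts the connections the mapping table no longer covers (steps 151 to 153). The table contents, level numbers, tunnel addresses, reset message labels and certificate dicts are constructed assumptions; the certificate dicts follow the shape returned by `ssl.SSLSocket.getpeercert()` so the CN lookup is the one a real gateway would do. Where the patent text of step 153 resets every connection a demoted user held under the old level, this example re-checks the mapping table with the new level and resets only the connections that level no longer permits; that narrowing is the example's choice, not the patent's.

```python
"""Gateway-side access control for LAN intranet resources (steps 11 to 15)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Resource = Tuple[str, int]  # (intranet IP, port) identifying the first resource

# Constructed sample tables; in the patent the administrator pre-stores them on the gateway.
USER_PERMISSION_LIST: Dict[str, int] = {"alice": 3, "bob": 1}          # user common name -> user level
RESOURCE_PERMISSION_LIST: Dict[Resource, int] = {                         # resource -> resource level
    ("10.0.0.5", 22): 3,
    ("10.0.0.8", 80): 1,
}
MAPPING_TABLE: Dict[int, Set[int]] = {3: {1, 2, 3}, 2: {1, 2}, 1: {1}}  # user level -> reachable resource levels

# Constructed peer certificates in the dict shape that ssl.SSLSocket.getpeercert() returns
ALICE_CERT = {"subject": ((("organizationName", "Example"),), (("commonName", "alice"),))}
BOB_CERT = {"subject": ((("commonName", "bob"),),)}
MALLORY_CERT = {"subject": ((("commonName", "mallory"),),)}  # chain-valid certificate, but no account


def common_name_from_peercert(cert: dict) -> Optional[str]:
    """Step 1111: pick the CN out of the subject RDN sequence."""
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


@dataclass
class Session:
    cn: str
    user_level: int
    intranet_ip: str


@dataclass
class Gateway:
    users: Dict[str, int]
    resources: Dict[Resource, int]
    mapping: Dict[int, Set[int]]
    address_pool: List[str]
    sessions: Dict[str, Session] = field(default_factory=dict)            # intranet IP -> session
    access_lists: Dict[Resource, Set[str]] = field(default_factory=dict)  # resource -> accessing intranet IPs
    resets: List[Tuple[str, str]] = field(default_factory=list)           # (intranet IP, reset message sent)

    def allowed(self, user_level: int, resource_level: int) -> bool:
        """Step 12: the mapping table lookup."""
        return resource_level in self.mapping.get(user_level, set())

    def accept_access_connection(self, peercert: dict) -> Optional[Session]:
        """Steps 1111-1113: the TLS layer has verified the chain; map the CN to a level and an IP."""
        cn = common_name_from_peercert(peercert)
        if cn is None or cn not in self.users:
            return None  # refused on the gateway; the destination server is never involved
        session = Session(cn, self.users[cn], self.address_pool.pop(0))
        self.sessions[session.intranet_ip] = session
        return session

    def handle_resource_request(self, src_ip: str, dst_ip: str, dst_port: int) -> str:
        """Steps 112, 113 and 12 decide forward/drop; step 13 records a forwarded access."""
        session = self.sessions.get(src_ip)
        if session is None:
            return "drop"  # no completed access connection behind this tunnel address
        resource = (dst_ip, dst_port)
        level = self.resources.get(resource)
        if level is None:
            return "forward"  # step 113 note: no level configured, any authenticated client may reach it
        if not self.allowed(session.user_level, level):
            return "drop"
        self.access_lists.setdefault(resource, set()).add(src_ip)
        return "forward"

    def on_disconnect(self, src_ip: str, dst_ip: str, dst_port: int) -> None:
        """Step 14: the client left the resource, so drop it from the user access list."""
        self.access_lists.get((dst_ip, dst_port), set()).discard(src_ip)

    def change_resource_level(self, resource: Resource, new_level: int) -> List[str]:
        """Steps 151-152: re-check every current accessor and reset those no longer permitted."""
        self.resources[resource] = new_level
        evicted = []
        for ip in sorted(self.access_lists.get(resource, set())):
            if not self.allowed(self.sessions[ip].user_level, new_level):
                self.resets.append((ip, "first reset message"))
                self.access_lists[resource].discard(ip)
                evicted.append(ip)
        return evicted

    def change_user_level(self, cn: str, new_level: int) -> List[Resource]:
        """Step 153: after a level reduction, reset the user's connections the new level no longer covers."""
        self.users[cn] = new_level
        evicted = []
        for ip, session in self.sessions.items():
            if session.cn != cn:
                continue
            session.user_level = new_level
            for resource, accessors in self.access_lists.items():
                level = self.resources.get(resource)
                if ip in accessors and level is not None and not self.allowed(new_level, level):
                    self.resets.append((ip, "second reset message"))
                    accessors.discard(ip)
                    evicted.append(resource)
        return evicted


def make_gateway() -> Gateway:
    """A gateway loaded with the constructed tables and a two-address pool."""
    return Gateway(dict(USER_PERMISSION_LIST), dict(RESOURCE_PERMISSION_LIST),
                   MAPPING_TABLE, ["10.8.0.2", "10.8.0.3"])
```

Two points a practitioner should take from the model. First, the whole decision is keyed on the tunnel source address, which the gateway assigned after certificate authentication, so the destination server never sees an unauthenticated client and the mapping table can be consulted without a round trip to the resource. Second, the default the patent specifies at step 113 is that a resource absent from the resource permission list is reachable by every authenticated client; that is a default-allow, and a deployment that prefers default-deny would return "drop" for unlisted resources at the cost of enumerating every resource it intends to expose.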
Second embodiment
As shown in figure 3, the embodiment of the present invention also provides a kind of access control apparatus of LAN Intranet resource, Including:
Acquisition module 21, the first client of resource connection request message is initiated for obtaining to gateway device User right rank and access authorization for resource grade;
Explanation is needed exist for, user right rank is the Permission Levels of the user of operation client, one User's one client of correspondence.
Processing module 22 is performed, for being closed in the correspondence of default user right rank and access authorization for resource grade In being table, if the corresponding access authorization for resource grade of the first user right rank of the client is found, to mesh Mark the resource connection request message that server forwards first client.
Specifically, acquisition module 21 described in the embodiment of the present invention may particularly include:
First acquisition submodule, please for receiving the access connection that first client is initiated to gateway device Ask, and the user right rank of first client is obtained from the access connection request.
Explanation is needed exist for, the first client can extend client for SSL VPNs, and gateway is set Standby can be VPN vpn gateway equipment.
More specifically, first acquisition submodule may include:
Identity authenticating unit, obtains described for the Authentication mechanism by security sockets SSL protocol User's common name of first client, and according to the corresponding digital certificate of user's common name to described first Client carries out authentication;
Explanation is needed exist for, user's common name is client when applying for account to gateway device keeper User's mark of the unique mark client.
The corresponding digital certificate of user's common name can be socketed layer protocol OpenSSL by Open Security and provide Method obtain, certain corresponding private key of user's common name can also be obtained by the method, here numeral card Include the personally identifiable information of client in book.
Access connection unit, for the authentication in first client by when, by Intranet IP First client is distributed in location, and completion is connected with the access of first client;
Here, first client authentication by when, IP address of internal network is distributed to described After first client, first user's common name can be stored in data field by gateway device.
It should be noted that, if the authentication of the first client does not pass through, gateway device directly refuse this The access connection that one client is initiated.So, without destination server extra process to client to be visited Authentication, save intranet resources, also reduce illegitimate client obtain server internal data Possibility.
User right rank acquiring unit, for user's common name according to the access connection request, Search the user right rank that user right list obtains first client.
Here it should be noted that, user right list is pre-stored within gateway device, wherein being stored with to visit Ask the user right rank of the different user of Intranet resource.
Here, the acquisition module 21 in the embodiment of the present invention may also specifically include:
A second acquisition submodule, configured to obtain the resource connection request message sent by the first client through the secure sockets layer virtual private network (SSL VPN);
It should be noted that the gateway device has already completed the access connection with the first client before it obtains the resource connection request.
A third acquisition submodule, configured to obtain, according to the resource connection request message, the resource permission level corresponding to the resource connection request message.
It should be noted here that if the gateway device cannot obtain, according to the resource connection request message, a resource permission level corresponding to that message, this means that the resource the client wants to access is not in the resource permission list, i.e. no resource permission level has been configured for the resource and no access permission is required: every client that has passed identity authentication may access that resource inside the LAN.
Here, the third acquisition submodule may include:
A parsing unit, configured to parse the message content of the resource connection request message and determine that the resource to be connected is a first resource;
A resource permission level acquiring unit, configured to look up the resource permission list and obtain the resource permission level corresponding to the first resource.
It should be noted here that the resource permission list is pre-stored in the gateway device and holds the different resource permission levels corresponding to the different resources.
Specifically, the access control apparatus for LAN intranet resources in the embodiment of the present invention may also include:
A first processing module 23, configured to, after the resource connection request message of the first client has been forwarded to the destination server, when the first client connects according to the resource connection request message to the first resource on the destination server to which the resource permission level is assigned, save the attribute information of the first client in the user access list of the first resource.
It should be noted here that the user access list of the first resource stores the clients currently accessing the first resource.
Specifically, the access control apparatus for LAN intranet resources in the embodiment of the present invention may also include:
A second processing module 24, configured to, after the first client disconnects from the first resource, delete the attribute information of the first client from the user access list of the first resource.
It should be noted here that deleting the attribute information of the first client from the user access list of the first resource as soon as the connection between the first client and the destination server is disconnected prevents intranet data leakage after a subsequent change of the user permission level or of the resource permission level, and thus ensures the security of intranet data resources.
Specifically, the access control apparatus for LAN intranet resources in the embodiment of the present invention may also include:
An access list update module 25, configured to update the user access list according to a change of the resource permission level or of the user permission level.
Here, the access list update module 25 may specifically include:
A fourth acquisition submodule, configured to, after a resource permission level changes, look up the user access list of the resource whose resource permission level was changed and obtain the attribute information of the clients that are accessing that resource;
A first update processing submodule, configured to, if the user permission level of such a client is found in the preset mapping table of user permission levels and resource permission levels not to correspond to the changed resource permission level, send a first reset message to that client and delete the client's attribute information from the user access list.
It should be noted here that the preset mapping table of user permission levels and resource permission levels can be configured in advance by the administrator of the gateway device, who assigns to each user permission level the resource permission levels it may access, and is stored in the gateway device.
Here, the processing performed by the above fourth acquisition submodule and first update processing submodule shows that, when a resource permission level changes, clients whose user permission level is no longer sufficient are deleted from the resource's user access list, so that the user access list is updated in time, the security of intranet resource data is ensured and leakage of resource data is effectively prevented.
Here, the access list update module 25 may also specifically include:
A second update processing submodule, configured to, after a user permission level is lowered, if the attribute information of the client whose user permission level was lowered is located in the user access list of a resource that corresponded to the user permission level before it was lowered, send a second reset message to that client and delete its attribute information from the user access list.
It should be noted that after a user permission level is lowered, the client whose level was lowered no longer has permission to access the resources that corresponded to its user permission level before the reduction. By deleting the attribute information of that client from the user access lists of the resources corresponding to its former user permission level, the second update processing submodule updates the user access list in time, ensures the security of intranet resource data and effectively prevents leakage of resource data.
The embodiment of the present invention also provides a gateway device including the access control apparatus for LAN intranet resources described in the second embodiment.
The access control apparatus for LAN intranet resources of the embodiment of the present invention judges, directly in the execution processing module on the gateway device, whether a client accessing a LAN internal resource has resource access permission according to the resource permission level corresponding to its user permission level, and forwards the resource connection request to the destination server only when the client has that permission. This improves the efficiency with which users access LAN internal resources, lightens the processing load of the destination server and saves intranet resources. In addition, the access list update module of the gateway device immediately resets the resource connections of users whose permission was modified or whose resource's permission was modified, which ensures the data security of LAN intranet resources when resource permissions change dynamically.
Third embodiment
Figure 4 is a schematic flow diagram of the access control method for LAN intranet resources of the embodiment of the present invention; the process in which a user terminal accesses a LAN intranet resource is explained below with reference to this figure.
Here, the user terminal is the client described in the first and second embodiments.
Step 301: the gateway device receives an access connection request from a user;
Here, the user's access connection request message is sent to the gateway device over an encrypted tunnel established with the SSL protocol.
Step 302: the gateway device verifies whether the user's identity is legitimate;
If so, step 303 is performed; if not, the flow ends and the access connection is disconnected.
It should be noted here that the legitimacy of the user's identity can be verified by obtaining the user's common name through the authentication mechanism of the SSL protocol and authenticating the user with the digital certificate corresponding to that user common name in the gateway device.
After verification succeeds, an intranet IP address is allocated to the user and the access connection request is completed, which means that the user can access the internal resources of the LAN.
Step 303: record the user common name and obtain the user permission level.
Here, the user permission level of the user can be obtained from the user permission list in the gateway device by the user common name.
Step 304: the gateway device obtains the resource permission level of the resource the user wants to access;
Here, the gateway device first receives the resource connection request sent by the user, obtains from the resource connection request the resource the user wants to access, and obtains the permission level of that resource from the resource permission list in the gateway device.
Step 305: the gateway device judges whether the user has permission to access the resource;
If so, step 306 is performed; if not, the flow ends.
It should be noted here that in this step the gateway device judges whether the resource permission level corresponding to the user's user permission level is greater than or equal to the resource permission level of the resource the user wants to access; if so, the user has permission to access the resource.
Step 306: the gateway device forwards the user's resource connection request to the destination server;
Here, judging the user's resource access permission directly on the gateway device improves the efficiency with which the user accesses LAN internal resources, lightens the processing load of the destination server and saves intranet resources.
Step 307: the user connects to and obtains the resource to be accessed;
Step 308: the gateway device disconnects the connection and deletes the user's access record from the user access list of the resource.
It should be noted here that deleting the user's access record from the user access list of the resource prevents intranet data leakage after a subsequent change of the user permission level or of the resource permission level, ensures the security of intranet data resources, and also makes it easy to update the user access list in time when a user permission level or resource permission level changes.
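The flow of steps 301 to 308 above, together with the access list update modules of the second embodiment (claims 9 and 10), can be modelled as a small state machine on the gateway. The block below is an added illustration, not code from the patent or from ZTE: the user permission list, resource permission list, intranet address pool and the names alice, bob and mallory are constructed sample values, and the mapping table between user permission levels and resource permission levels is assumed to be the "greater than or equal" comparison of step 305 (a resource with no configured level is open to every authenticated client, as the second embodiment states).

```python
"""Toy model of the gateway-side access control flow (steps 301-308 and the
access-list update modules).  Added illustration, not code from the patent;
the tables, addresses and names below are constructed sample values."""

from dataclasses import dataclass, field

# Constructed sample tables (assumed values).  The patent only says that the
# gateway pre-stores a user permission list and a resource permission list.
USER_PERMISSION_LIST = {"alice": 3, "bob": 1}        # user common name -> user permission level
RESOURCE_PERMISSION_LIST = {"10.0.0.5:443": 2,       # resource (host:port) -> resource permission level
                            "10.0.0.9:22": 3}


def level_permits(user_level, resource_level):
    """Preset mapping table of user permission levels to resource permission levels.
    Assumption: modelled as step 305's comparison, i.e. a user level corresponds to
    every resource level less than or equal to it.  A resource with no configured
    level (None) is open to every authenticated client."""
    return resource_level is None or user_level >= resource_level


@dataclass
class Gateway:
    user_levels: dict
    resource_levels: dict
    sessions: dict = field(default_factory=dict)        # intranet IP -> user common name (stored after auth)
    access_lists: dict = field(default_factory=dict)    # resource -> set of intranet IPs currently accessing it
    reset_messages: list = field(default_factory=list)  # (intranet IP, resource) reset messages sent

    def access_connect(self, common_name, certificate_valid):
        """Steps 301-303: authenticate the SSL client, allocate an intranet IP and
        record the common name.  Unknown users or a failed certificate check are
        refused at the gateway, before any destination server is involved."""
        if not certificate_valid or common_name not in self.user_levels:
            return None
        intranet_ip = f"192.168.100.{10 + len(self.sessions)}"   # constructed address pool
        self.sessions[intranet_ip] = common_name
        return intranet_ip

    def resource_request(self, intranet_ip, resource):
        """Steps 304-306 / claim 1: forward only if the user's level permits the
        resource's level; on success add the client to the resource's access list."""
        common_name = self.sessions.get(intranet_ip)
        if common_name is None:               # no completed access connection
            return False
        if not level_permits(self.user_levels[common_name], self.resource_levels.get(resource)):
            return False
        self.access_lists.setdefault(resource, set()).add(intranet_ip)   # first processing module
        return True

    def disconnect(self, intranet_ip, resource):
        """Step 308 / second processing module: drop the access record immediately."""
        self.access_lists.get(resource, set()).discard(intranet_ip)

    def _reset(self, intranet_ip, resource):
        self.reset_messages.append((intranet_ip, resource))
        self.access_lists[resource].discard(intranet_ip)

    def change_resource_level(self, resource, new_level):
        """Claim 9: after a resource level change, reset every current accessor
        whose user level no longer corresponds to the new resource level."""
        self.resource_levels[resource] = new_level
        for ip in list(self.access_lists.get(resource, ())):
            if not level_permits(self.user_levels[self.sessions[ip]], new_level):
                self._reset(ip, resource)

    def change_user_level(self, common_name, new_level):
        """Claim 10: only a reduction of a user level triggers resets, and only
        for the resources the user is currently listed on."""
        old_level = self.user_levels[common_name]
        self.user_levels[common_name] = new_level
        if new_level >= old_level:
            return
        for resource, ips in self.access_lists.items():
            for ip in list(ips):
                if self.sessions[ip] == common_name and not level_permits(new_level, self.resource_levels.get(resource)):
                    self._reset(ip, resource)


def demo():
    """Walk through the flow with the constructed tables; returns the observable results."""
    gw = Gateway(dict(USER_PERMISSION_LIST), dict(RESOURCE_PERMISSION_LIST))
    alice = gw.access_connect("alice", certificate_valid=True)
    bob = gw.access_connect("bob", certificate_valid=True)
    results = {
        "mallory_refused": gw.access_connect("mallory", certificate_valid=False) is None,
        "alice_db": gw.resource_request(alice, "10.0.0.5:443"),     # level 3 >= 2
        "bob_db": gw.resource_request(bob, "10.0.0.5:443"),         # level 1 < 2
        "bob_unlisted": gw.resource_request(bob, "10.0.0.7:80"),    # no level configured
        "no_session": gw.resource_request("10.9.9.9", "10.0.0.7:80"),
    }
    gw.change_resource_level("10.0.0.5:443", 4)     # now above alice's level -> reset
    results["after_resource_change"] = list(gw.reset_messages)
    gw.resource_request(alice, "10.0.0.9:22")        # level 3 == 3
    gw.change_user_level("alice", 2)                  # lowered -> reset on 10.0.0.9:22
    results["after_user_change"] = list(gw.reset_messages)
    results["still_listed_elsewhere"] = bob in gw.access_lists["10.0.0.7:80"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes visible is that the reset messages are driven purely by the access lists: a client that disconnected (and was therefore removed in step 308) is never reset, and a client that is still listed is reset the moment either side of the mapping (resource level or user level) moves against it, without the destination server being consulted.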
The access control method for LAN intranet resources of the embodiment of the present invention judges, directly on the gateway device, whether a client accessing a LAN internal resource has resource access permission according to the resource permission level corresponding to its user permission level, and forwards the resource connection request to the destination server only when the client has that permission. This improves the efficiency with which users access LAN internal resources, lightens the processing load of the destination server and saves intranet resources. In addition, by immediately resetting the resource connections of users whose permission was modified or whose resource's permission was modified, it ensures the data security of LAN intranet resources when resource permissions change dynamically.
The above describes the preferred embodiments of the present invention. It should be noted that those of ordinary skill in the art can make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (12)

1. An access control method for LAN intranet resources, characterized in that it comprises:
obtaining the user permission level and the resource permission level of a first client that initiates a resource connection request message to a gateway device;
in a preset mapping table of user permission levels and resource permission levels, if a resource permission level corresponding to the user permission level of the first client is found, forwarding the resource connection request message of the first client to a destination server.
2. The access control method for LAN intranet resources according to claim 1, characterized in that the step of obtaining the user permission level of the first client that initiates the resource connection request message to the gateway device comprises:
receiving the access connection request initiated by the first client to the gateway device, and obtaining the user permission level of the first client from the access connection request.
3. The access control method for LAN intranet resources according to claim 2, characterized in that the step of obtaining the user permission level of the first client from the access connection request comprises:
obtaining the user common name of the first client through the authentication mechanism of the secure sockets layer (SSL) protocol, and authenticating the first client according to the digital certificate corresponding to the user common name;
when the first client passes identity authentication, allocating an intranet IP address to the first client and completing the access connection with the first client;
looking up a user permission list according to the user common name in the access connection request to obtain the user permission level of the first client.
4. The access control method for LAN intranet resources according to claim 1, characterized in that the step of obtaining the resource permission level of the first client that initiates the resource connection request message to the gateway device comprises:
obtaining the resource connection request message sent by the first client through a secure sockets layer virtual private network (SSL VPN);
obtaining, according to the resource connection request message, the resource permission level corresponding to the resource connection request message.
5. The access control method for LAN intranet resources according to claim 4, characterized in that the step of obtaining, according to the resource connection request message, the resource permission level corresponding to the resource connection request message comprises:
parsing the message content of the resource connection request message to determine that the resource to be connected is a first resource;
looking up a resource permission list to obtain the resource permission level corresponding to the first resource.
6. The access control method for LAN intranet resources according to claim 1, characterized in that after the step of forwarding the resource connection request message of the first client to the destination server, the method further comprises:
when the first client, according to the resource connection request message, connects to the first resource on the destination server to which the resource permission level is assigned, saving the attribute information of the first client in a user access list of the first resource.
7. The access control method for LAN intranet resources according to claim 6, characterized in that it further comprises:
after the first client disconnects the connection with the first resource, deleting the attribute information of the first client from the user access list of the first resource.
8. The access control method for LAN intranet resources according to claim 6 or 7, characterized in that the method further comprises:
updating the user access list according to a change of the resource permission level or of the user permission level.
9. The access control method for LAN intranet resources according to claim 8, characterized in that the step of updating the user access list according to a change of the resource permission level comprises:
after a resource permission level changes, looking up the user access list of the resource whose resource permission level was changed, and obtaining the attribute information of the clients that are accessing the resource whose resource permission level was changed;
in the preset mapping table of user permission levels and resource permission levels, if the user permission level of such a client is found not to correspond to the changed resource permission level, sending a first reset message to the client and deleting the attribute information of the client from the user access list.
10. The access control method for LAN intranet resources according to claim 8, characterized in that the step of updating the user access list according to a change of the user permission level comprises:
after a user permission level is lowered, if the attribute information of the client whose user permission level was lowered is located in the user access list of the resource corresponding to the user permission level before it was lowered, sending a second reset message to the client whose user permission level was lowered, and deleting the attribute information of that client from the user access list.
11. An access control apparatus for LAN intranet resources, characterized in that it comprises:
an acquisition module, configured to obtain the user permission level and the resource permission level of a first client that initiates a resource connection request message to a gateway device;
an execution processing module, configured to, if a resource permission level corresponding to the user permission level of the first client is found in a preset mapping table of user permission levels and resource permission levels, forward the resource connection request message of the first client to a destination server.
12. A gateway device, characterized in that it comprises the access control apparatus for LAN intranet resources according to claim 11.
CN201610176642.6A 2016-03-25 2016-03-25 A kind of access control method, device and the gateway device of LAN Intranet resource Pending CN107231336A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610176642.6A CN107231336A (en) 2016-03-25 2016-03-25 A kind of access control method, device and the gateway device of LAN Intranet resource
PCT/CN2016/086270 WO2017161706A1 (en) 2016-03-25 2016-06-17 Method of controlling access to network resource in local area network, device, and gateway equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610176642.6A CN107231336A (en) 2016-03-25 2016-03-25 A kind of access control method, device and the gateway device of LAN Intranet resource

Publications (1)

Publication Number Publication Date
CN107231336A true CN107231336A (en) 2017-10-03

Family

ID=59899366

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610176642.6A Pending CN107231336A (en) 2016-03-25 2016-03-25 A kind of access control method, device and the gateway device of LAN Intranet resource

Country Status (2)

Country Link
CN (1) CN107231336A (en)
WO (1) WO2017161706A1 (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109379383A (en) * 2018-12-10 2019-02-22 杭州迪普科技股份有限公司 A kind of virtual private network VPN client and implementation method
CN109995792A (en) * 2019-04-11 2019-07-09 苏州浪潮智能科技有限公司 A kind of safety management system storing equipment
CN110866228A (en) * 2019-10-17 2020-03-06 北京旷视科技有限公司 Data information authority management method, device and system for data issue
CN111431928A (en) * 2020-04-07 2020-07-17 国电南瑞科技股份有限公司 VPN-based intelligent substation network security management method and system
CN112115503A (en) * 2019-06-20 2020-12-22 北京金奔腾汽车科技有限公司 User authority access control method for automobile diagnosis system
CN112182788A (en) * 2020-11-03 2021-01-05 智慧航海(青岛)科技有限公司 Resource allocation method based on virtual simulation test platform
CN112910906A (en) * 2021-02-08 2021-06-04 北京小米移动软件有限公司 Data access method and device, mobile terminal and storage medium
CN113162985A (en) * 2021-03-25 2021-07-23 北京赛博云睿智能科技有限公司 Lightweight containerized integration and hierarchical domain sharing method and system for edge resources
CN113225409A (en) * 2021-05-27 2021-08-06 北京天融信网络安全技术有限公司 NAT load balancing access method, device and storage medium
CN113347072A (en) * 2021-06-23 2021-09-03 北京天融信网络安全技术有限公司 VPN resource access method, device, electronic equipment and medium
CN114006739A (en) * 2021-10-25 2022-02-01 恒安嘉新(北京)科技股份公司 Resource request processing method, device, equipment and storage medium
CN114244569A (en) * 2021-11-18 2022-03-25 广东电网有限责任公司 SSL VPN remote access method, system and computer equipment
CN114338060A (en) * 2020-09-28 2022-04-12 北京金山云网络技术有限公司 Authority verification method, device, system, equipment and storage medium
CN114978583A (en) * 2018-03-05 2022-08-30 上海可鲁系统软件有限公司 Intelligent virtual private network system for industrial Internet of things
CN116545978A (en) * 2023-05-16 2023-08-04 深圳市石犀科技有限公司 Data processing method, device and system, readable storage medium and import network card
CN116827586A (en) * 2023-03-07 2023-09-29 北京火山引擎科技有限公司 Network authentication method, device, storage medium and electronic equipment

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108492868A (en) * 2018-03-06 2018-09-04 上海京颐科技股份有限公司 Medical mobile terminal and its function module control method, device, storage medium
CN110365778B (en) * 2019-07-17 2021-09-07 腾讯科技(深圳)有限公司 Communication control method and device, electronic equipment and storage medium
CN111079104B (en) * 2019-11-21 2023-07-11 腾讯科技(深圳)有限公司 Authority control method, device, equipment and storage medium
CN111459769A (en) * 2020-03-31 2020-07-28 贵州电网有限责任公司 Data display method and system for network resources
CN113364800A (en) * 2021-06-23 2021-09-07 北京天融信网络安全技术有限公司 Resource access control method, device, electronic equipment and medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080034420A1 (en) * 2006-08-01 2008-02-07 Array Networks, Inc. System and method of portal customization for a virtual private network device
CN101415009A (en) * 2008-11-21 2009-04-22 中兴通讯股份有限公司 Management method and system for multi-user authority of communication system
CN101964800A (en) * 2010-10-21 2011-02-02 神州数码网络(北京)有限公司 Method for authenticating digital certificate user in SSL VPN
CN101989974A (en) * 2009-08-04 2011-03-23 西安交大捷普网络科技有限公司 Safety control method for intranet WEB access of security socket layer virtual private network (SSL VPN)
CN103200196A (en) * 2013-04-01 2013-07-10 天脉聚源(北京)传媒科技有限公司 Accessing method, system and device between user equipment and accessing target
CN103427995A (en) * 2013-08-02 2013-12-04 北京星网锐捷网络技术有限公司 User authentication method, SSL (security socket layer) VPN (virtual private network) server and SSL VPN system
CN104333553A (en) * 2014-11-11 2015-02-04 安徽四创电子股份有限公司 Mass data authority control strategy based on combination of blacklist and whitelist

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100385885C (en) * 2004-07-09 2008-04-30 威达电股份有限公司 Safety gateway with SSL protection function and method
CN101072108B (en) * 2007-07-17 2011-09-28 杭州华三通信技术有限公司 SSL VPN client end safety inspection method, system and device
WO2014059604A1 (en) * 2012-10-16 2014-04-24 华为技术有限公司 Method and device for secure access to resource


Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114978583A (en) * 2018-03-05 2022-08-30 上海可鲁系统软件有限公司 Intelligent virtual private network system for industrial Internet of things
CN109379383B (en) * 2018-12-10 2021-01-26 杭州迪普科技股份有限公司 Virtual private network VPN client and implementation method
CN109379383A (en) * 2018-12-10 2019-02-22 杭州迪普科技股份有限公司 A kind of virtual private network VPN client and implementation method
CN109995792B (en) * 2019-04-11 2021-08-31 苏州浪潮智能科技有限公司 Safety management system of storage equipment
CN109995792A (en) * 2019-04-11 2019-07-09 苏州浪潮智能科技有限公司 A kind of safety management system storing equipment
CN112115503A (en) * 2019-06-20 2020-12-22 北京金奔腾汽车科技有限公司 User authority access control method for automobile diagnosis system
CN110866228A (en) * 2019-10-17 2020-03-06 北京旷视科技有限公司 Data information authority management method, device and system for data issue
CN111431928A (en) * 2020-04-07 2020-07-17 国电南瑞科技股份有限公司 VPN-based intelligent substation network security management method and system
CN114338060A (en) * 2020-09-28 2022-04-12 北京金山云网络技术有限公司 Authority verification method, device, system, equipment and storage medium
CN112182788A (en) * 2020-11-03 2021-01-05 智慧航海(青岛)科技有限公司 Resource allocation method based on virtual simulation test platform
CN112182788B (en) * 2020-11-03 2023-05-02 智慧航海(青岛)科技有限公司 Resource allocation method based on virtual simulation test platform
CN112910906A (en) * 2021-02-08 2021-06-04 北京小米移动软件有限公司 Data access method and device, mobile terminal and storage medium
CN112910906B (en) * 2021-02-08 2022-10-14 北京小米移动软件有限公司 Data access method and device, mobile terminal and storage medium
CN113162985A (en) * 2021-03-25 2021-07-23 北京赛博云睿智能科技有限公司 Lightweight containerized integration and hierarchical domain sharing method and system for edge resources
CN113225409A (en) * 2021-05-27 2021-08-06 北京天融信网络安全技术有限公司 NAT load balancing access method, device and storage medium
CN113347072A (en) * 2021-06-23 2021-09-03 北京天融信网络安全技术有限公司 VPN resource access method, device, electronic equipment and medium
CN114006739A (en) * 2021-10-25 2022-02-01 恒安嘉新(北京)科技股份公司 Resource request processing method, device, equipment and storage medium
CN114244569A (en) * 2021-11-18 2022-03-25 广东电网有限责任公司 SSL VPN remote access method, system and computer equipment
CN114244569B (en) * 2021-11-18 2024-04-09 广东电网有限责任公司 SSL VPN remote access method, system and computer equipment
CN116827586A (en) * 2023-03-07 2023-09-29 北京火山引擎科技有限公司 Network authentication method, device, storage medium and electronic equipment
CN116545978A (en) * 2023-05-16 2023-08-04 深圳市石犀科技有限公司 Data processing method, device and system, readable storage medium and import network card

Also Published As

Publication number Publication date
WO2017161706A1 (en) 2017-09-28


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20171003