CN109672665B - Access control method, device and system and computer readable storage medium


Info

Publication number: CN109672665B
Authority: CN (China)
Prior art keywords: data packet, access, target, authority, address
Legal status: Active
Application number: CN201811354619.7A
Other languages: Chinese (zh)
Other versions: CN109672665A (en)
Inventor: 王庆
Current Assignee: Beijing QIYI Century Science and Technology Co Ltd
Original Assignee: Beijing QIYI Century Science and Technology Co Ltd
Events:
    • Application filed by Beijing QIYI Century Science and Technology Co Ltd
    • Priority to CN201811354619.7A
    • Publication of CN109672665A
    • Application granted
    • Publication of CN109672665B
    • Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]

Abstract

The invention provides an access control method, device and system and a computer-readable storage medium, and belongs to the technical field of networks. A relay device receives an access packet sent by an access device, sets an authority attribute identifier on the access packet based on the packet's source address to obtain a target packet, and sends the target packet to the target device. The target device processes the target packet based on the authority attribute represented by the identifier. The target device therefore does not need to store an authority list or look authority up in such a list: it determines the access authority of the target packet directly from the authority attribute identifier carried in the packet and processes the access device's packet accordingly. This reduces the storage space occupied on the target device and avoids degrading the target device's performance and its normal processing of packets.

Description

Access control method, device and system and computer readable storage medium
Technical Field
The present invention relates to the field of network technologies, and in particular, to a method, an apparatus, a system, and a computer-readable storage medium for access control.
Background
With the continuing development of network technology, more and more devices are present in network systems. To improve network security it is often necessary to limit which devices may access which others; for example, a server storing data with a higher security level may be reachable only from a subset of the servers.
In the prior art, access is usually restricted by storing an authority list on the target device. The list records the Internet Protocol (IP) addresses of the access devices that are allowed, and those that are not allowed, to access the target device. When the target device receives a packet from an access device, it first extracts the access device's IP address from the packet, then checks that address against the authority list to decide whether the access device has access authority; if so it processes the packet, otherwise it does not, thereby implementing access control.
However, when a network system contains many servers and the access-control relationships are complex, the authority list stored on the target device becomes large and occupies its storage space. In addition, looking up authority in the list consumes resources of the target device, which reduces its performance and interferes with its normal processing of packets.
Disclosure of Invention
In view of this, the present invention provides an access control method, an access control apparatus, an access control system, and a computer-readable storage medium, to solve the problems that restricting access occupies a large amount of storage space on the target device, reduces its performance, and interferes with its normal processing of packets.
According to a first aspect of the present invention, there is provided an access control method applied to a system including a relay device and a target device, the method including:
the relay device receives an access packet sent by an access device, where the destination address of the access packet is the IP address of the target device;
the relay device sets an authority attribute identifier on the access packet based on the source address of the access packet to obtain a target packet;
the relay device sends the target packet to the target device;
and the target device processes the target packet based on the authority attribute represented by the authority attribute identifier.
According to a second aspect of the present invention, there is provided an access control method applied to a relay device, the method including:
receiving an access packet sent by an access device, where the destination address of the access packet is the IP address of the target device;
setting an authority attribute identifier on the access packet based on the source address of the access packet to obtain a target packet;
and sending the target packet to the target device.
Optionally, the authority attribute is one of permit access and prohibit access, and the authority attribute identifier is an authority IP address;
setting the authority attribute identifier on the access packet based on its source address to obtain the target packet includes:
acquiring the source address of the access packet;
determining, based on the source address, the authority IP address corresponding to the authority attribute of the access packet;
and replacing the source address of the access packet with that authority IP address to obtain the target packet.
Optionally, determining the authority IP address corresponding to the authority attribute of the access packet based on its source address includes:
determining, from the source address, the target network segment in which the source address lies;
and looking up the target network segment in a preset correspondence between network segments and authority IP addresses, and taking the authority IP address corresponding to the target network segment as the authority IP address corresponding to the authority attribute of the access packet.
Optionally, the authority attribute identifier is a designated marker;
setting the authority attribute identifier on the access packet based on its source address to obtain the target packet includes:
acquiring the source address of the access packet;
determining the authority attribute of the access packet based on the source address;
and inserting the designated marker corresponding to that authority attribute at a designated position in the access packet to obtain the target packet.
Optionally, receiving the access packet sent by the access device includes: establishing a connection channel with the access device based on the port information and the IP address of the access device, and receiving the access packet over that connection channel;
and after sending the target packet to the target device, the method further includes:
receiving a response packet sent by the target device; and if the destination address of the response packet is the authority IP address, sending the response packet, based on the port information in the response packet, to the corresponding access device over the connection channel corresponding to that port information.
According to a third aspect of the present invention, there is provided an access control method applied to a target device, the method including:
receiving a target packet sent by a relay device, where the target packet carries an authority attribute identifier representing the authority attribute of the target packet, the target packet was generated by the relay device from an access packet sent by an access device, and the source address of the access packet is the IP address of the access device;
and processing the target packet based on the authority attribute identifier in the target packet.
Optionally, processing the target packet based on the authority attribute identifier in the target packet includes:
if the authority attribute identifier in the target packet represents permit access, processing the target packet;
and if the authority attribute identifier in the target packet represents prohibit access, discarding the target packet.
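The relay-side options of the second aspect (substituting an authority IP address chosen by network segment, with a connection channel for the response, or inserting a designated marker at a fixed position) and the target-side decision of the third aspect can be followed end to end in the example below. It is an added illustration written for this page, not code from the patent or from its assignee. The two authority IP addresses, the one-byte markers placed in front of the payload, the network segments, the hypothetical `Packet` fields, the target address and the fail-closed default for a source that lies in no configured segment are all constructed assumptions; the longest-prefix ordering of overlapping segments is also an addition the text does not specify. The example assumes, as the routing configuration described in the detailed description implies, that packets reach the target device only through the relay device, because the target device decides on the identifier alone and has no way to tell who set it.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace

# Constructed assumptions, not values from the patent: the two "authority IP
# addresses" (permit / prohibit) and the one-byte markers for the marker variant.
PERMIT_IP, DENY_IP = "10.255.0.1", "10.255.0.2"
PERMIT_MARKER, DENY_MARKER = b"\x01", b"\x00"
TARGET_IP = "10.9.0.5"  # hypothetical target device address

# Preset network segment -> authority IP correspondence (constructed sample),
# sorted longest prefix first so a permitted /24 inside a denied /16 wins.
SEGMENT_POLICY = sorted(
    [(ipaddress.ip_network("10.1.0.0/16"), DENY_IP),
     (ipaddress.ip_network("10.1.7.0/24"), PERMIT_IP),
     (ipaddress.ip_network("192.168.5.0/24"), PERMIT_IP)],
    key=lambda item: item[0].prefixlen, reverse=True)
DEFAULT_AUTHORITY_IP = DENY_IP  # assumption: a source in no segment fails closed


@dataclass(frozen=True)
class Packet:
    """Hypothetical stand-in for the IP/TCP fields the scheme touches."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def authority_ip_for(src_ip: str) -> str:
    """Map an access device's source address to an authority IP via its segment."""
    addr = ipaddress.ip_address(src_ip)
    for segment, authority_ip in SEGMENT_POLICY:
        if addr in segment:
            return authority_ip
    return DEFAULT_AUTHORITY_IP


class Relay:
    """Relay device: tags the access packet and returns the target's response."""

    def __init__(self, target_ip: str = TARGET_IP, first_port: int = 40000):
        self.target_ip, self.next_port = target_ip, first_port
        # (authority_ip, relay_port) -> (original src_ip, src_port): the
        # "connection channel" the response is matched to by its port.
        # Entries are never expired here; a real relay would age them out.
        self.sessions: dict[tuple[str, int], tuple[str, int]] = {}

    def tag_by_address(self, pkt: Packet) -> Packet:
        """Variant 1: replace the source address with the authority IP."""
        if pkt.dst_ip != self.target_ip:
            raise ValueError("relay only handles packets addressed to the target")
        authority_ip = authority_ip_for(pkt.src_ip)
        relay_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(authority_ip, relay_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=authority_ip, src_port=relay_port)

    def tag_by_marker(self, pkt: Packet) -> Packet:
        """Variant 2: keep the source address, put a marker at a fixed position."""
        if pkt.dst_ip != self.target_ip:
            raise ValueError("relay only handles packets addressed to the target")
        marker = PERMIT_MARKER if authority_ip_for(pkt.src_ip) == PERMIT_IP else DENY_MARKER
        return replace(pkt, payload=marker + pkt.payload)

    def return_response(self, resp: Packet) -> Packet | None:
        """Map a response sent to an authority IP back to the access device."""
        original = self.sessions.pop((resp.dst_ip, resp.dst_port), None)
        if original is None:
            return None  # not one of our channels, or already answered
        return replace(resp, dst_ip=original[0], dst_port=original[1])


# Target device side: the decision uses only the identifier, no authority list.
def _reply(pkt: Packet, body: bytes) -> Packet:
    return Packet(TARGET_IP, pkt.dst_port, pkt.src_ip, pkt.src_port, b"OK:" + body)


def target_handle_by_address(pkt: Packet) -> Packet | None:
    """Process if the source is the permit authority IP, otherwise discard."""
    return _reply(pkt, pkt.payload) if pkt.src_ip == PERMIT_IP else None


def target_handle_by_marker(pkt: Packet) -> Packet | None:
    """Process if the marker at the designated position means permit, else discard."""
    marker, body = pkt.payload[:1], pkt.payload[1:]
    return _reply(pkt, body) if marker == PERMIT_MARKER else None


def demo() -> dict[str, Packet | None]:
    """One permitted, one denied and one unconfigured source through both variants."""
    relay = Relay()
    allowed = Packet("10.1.7.20", 51000, TARGET_IP, 443, b"GET")
    denied = Packet("10.1.3.9", 51001, TARGET_IP, 443, b"GET")
    unknown = Packet("172.16.0.1", 51002, TARGET_IP, 443, b"GET")
    resp = target_handle_by_address(relay.tag_by_address(allowed))
    return {
        "allowed": relay.return_response(resp),
        "denied": target_handle_by_address(relay.tag_by_address(denied)),
        "unknown": target_handle_by_address(relay.tag_by_address(unknown)),
        "marker": target_handle_by_marker(relay.tag_by_marker(allowed)),
        "marker_denied": target_handle_by_marker(relay.tag_by_marker(denied)),
    }
```

`demo()` returns the response delivered back to the permitted access device (destination rewritten from the authority IP and relay port to the original address and port) and `None` for the denied and unconfigured sources, whose packets the target discards without answering. In the address variant the relay records a channel even for a denied packet, so a deployment would need to expire unused entries; in the marker variant the real source address survives, so the target answers the access device directly.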
According to a fourth aspect of the present invention, there is provided an access control system including a relay device and a target device, where:
the relay device is configured to receive an access packet sent by an access device, the destination address of the access packet being the IP address of the target device;
the relay device is further configured to set an authority attribute identifier on the access packet based on the source address of the access packet to obtain a target packet;
the relay device is further configured to send the target packet to the target device;
and the target device is configured to process the target packet based on the authority attribute represented by the authority attribute identifier.
According to a fifth aspect of the present invention, there is provided an access control apparatus applied to a relay device, the apparatus including:
a first receiving module configured to receive an access packet sent by an access device, the destination address of the access packet being the IP address of the target device;
a setting module configured to set an authority attribute identifier on the access packet based on the source address of the access packet to obtain a target packet;
and a first sending module configured to send the target packet to the target device.
Optionally, the authority attribute is one of permit access and prohibit access, and the authority attribute identifier is an authority IP address;
the setting module includes:
an acquiring submodule configured to acquire the source address of the access packet;
a determining submodule configured to determine, based on the source address of the access packet, the authority IP address corresponding to the authority attribute of the access packet;
and a replacing submodule configured to replace the source address of the access packet with that authority IP address to obtain the target packet.
Optionally, the determining submodule is configured to:
determine, from the source address of the access packet, the target network segment in which the source address lies;
and look up the target network segment in a preset correspondence between network segments and authority IP addresses, taking the authority IP address corresponding to the target network segment as the authority IP address corresponding to the authority attribute of the access packet.
Optionally, the authority attribute identifier is a designated marker;
the setting module is configured to:
acquire the source address of the access packet;
determine the authority attribute of the access packet based on the source address;
and insert the designated marker corresponding to that authority attribute at a designated position in the access packet to obtain the target packet.
Optionally, the first receiving module is configured to:
establish a connection channel with the access device based on the port information and the IP address of the access device, and receive the access packet over that connection channel;
and the apparatus further includes:
a second receiving module configured to receive a response packet sent by the target device;
and a second sending module configured to send the response packet, if its destination address is the authority IP address, to the corresponding access device over the connection channel corresponding to the port information in the response packet.
According to a sixth aspect of the present invention, there is provided an access control apparatus applied to a target device, the apparatus including:
a third receiving module configured to receive a target packet sent by a relay device, where the target packet carries an authority attribute identifier representing the authority attribute of the target packet, the target packet was generated by the relay device from an access packet sent by an access device, and the source address of the access packet is the IP address of the access device;
and a processing module configured to process the target packet based on the authority attribute identifier in the target packet.
Optionally, the processing module is configured to:
process the target packet if the authority attribute identifier in it represents permit access;
and discard the target packet if the authority attribute identifier in it represents prohibit access.
According to a seventh aspect of the present invention, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the access control method according to the first, second and third aspects.
Compared with the prior art, the invention has the following advantages:
the relay device receives an access packet sent by an access device, sets an authority attribute identifier on it based on its source address to obtain a target packet (the identifier representing the packet's authority attribute, which is either permit access or prohibit access), and sends the target packet to the target device, which processes it based on the authority attribute represented by the identifier. The target device therefore does not need to store an authority list or determine authority from one; it determines the access authority of the target packet directly from the identifier carried in the packet and processes the access device's packet accordingly, which reduces the storage space occupied on the target device and avoids degrading its performance and its normal processing of packets.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
Fig. 1 is a flowchart of the steps of an access control method according to an embodiment of the present invention;
Fig. 2 is a flowchart of the steps of another access control method according to an embodiment of the present invention;
Fig. 3 is a flowchart of the steps of another access control method according to an embodiment of the present invention;
Fig. 4 is a flowchart of the steps of a further access control method according to an embodiment of the present invention;
Fig. 5 is a flowchart of the steps of a further access control method according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of an application of an access control system according to an embodiment of the present invention;
Fig. 7 is a block diagram of an access control apparatus according to an embodiment of the present invention;
Fig. 8 is a block diagram of another access control apparatus according to an embodiment of the present invention;
Fig. 9 is a block diagram of another access control apparatus according to an embodiment of the present invention;
Fig. 10 is a block diagram of an access control system according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Fig. 1 is a flowchart of the steps of an access control method provided in an embodiment of the present invention, applied to a system including a relay device and a target device. As shown in Fig. 1, the method may include:
Step 101: the relay device receives an access packet sent by an access device.
In this embodiment, the access device is a device that needs to access the target device and sends an access packet to it; it may be a computer, a server, a portable mobile terminal or the like, which this embodiment does not limit.
Further, the access packet is a packet sent by the access device whose destination address is the IP address of the target device. In practice, when a device sends a packet it usually sends it directly to the device indicated by the packet's destination address.
Step 102: the relay device sets an authority attribute identifier on the access packet based on its source address to obtain a target packet.
In this embodiment, the authority attribute identifier indicates the authority attribute of the access packet. The authority attribute is either permit access or prohibit access; correspondingly, there is an identifier indicating permit access and an identifier indicating prohibit access.
Further, the authority attribute of the access packet may be determined from its source address, which is the IP address of the access device that sent it. In general the authority attribute of an access packet corresponds to the authority of the access device that sent it: when the access device has access authority, the authority attribute of its access packets is permit access, and when it does not, the attribute is prohibit access. Accordingly, the IP addresses of the access devices that have access authority and of those that do not may be defined in advance on the relay device. The relay device then determines the authority of the sending access device from the source address of the access packet, sets the corresponding authority attribute identifier on the packet, and thereby obtains the target packet.
Step 103: the relay device sends the target packet to the target device.
In this embodiment, the relay device sends the target packet to the target device so that the target device can process it.
Step 104: the target device processes the target packet based on the authority attribute represented by the authority attribute identifier.
In this embodiment, because the relay device has set the authority attribute identifier in the target packet, the target device can determine the packet's authority attribute directly from that identifier on receipt and process the packet accordingly. The target device therefore need not store an authority list or look authority up in one, which saves its processing resources, avoids degrading its performance, and lets it process target packets normally.
To sum up, in the access control method provided in the embodiments of the present invention, the relay device receives the access packet sent by the access device, sets an authority attribute identifier on it based on its source address to obtain the target packet (the identifier indicating whether the packet's authority attribute is permit access or prohibit access), and sends the target packet to the target device, which processes it based on the authority attribute represented by the identifier. The target device thus does not need to store an authority list or determine authority from one; it determines the access authority of the target packet directly from the identifier carried in the packet and processes the access device's packet accordingly, which reduces the storage space occupied on the target device and avoids degrading its performance and its normal processing of packets.
Fig. 2 is a flowchart of the steps of another access control method provided in an embodiment of the present invention, applied to a relay device. As shown in Fig. 2, the method may include:
Step 201: receiving an access packet sent by an access device, where the destination address of the access packet is the IP address of the target device.
Specifically, this step may be implemented as described for step 101 above, and is not repeated here.
Step 202: setting an authority attribute identifier on the access packet based on its source address to obtain a target packet.
Specifically, this step may be implemented as described for step 102 above, and is not repeated here.
Step 203: sending the target packet to the target device.
Specifically, this step may be implemented as described for step 103 above, and is not repeated here.
To sum up, in this access control method the relay device receives the access packet sent by the access device, sets an authority attribute identifier on it based on its source address to obtain the target packet (the identifier indicating whether the packet's authority attribute is permit access or prohibit access), and sends the target packet to the target device, so that the target device can process it based on the authority attribute represented by the identifier. The target device thus does not need to store an authority list or determine authority from one; it determines the access authority of the target packet directly from the identifier carried in the packet and processes the access device's packet accordingly, which reduces the storage space occupied on the target device and avoids degrading its performance and its normal processing of packets.
Fig. 3 is a flowchart of the steps of another access control method provided in an embodiment of the present invention, applied to an access device. As shown in Fig. 3, the method may include:
Step 301: sending the access packet to a relay device, so that the relay device sets an authority attribute identifier on the access packet based on its source address to obtain a target packet and sends the target packet to the target device.
In this embodiment, the destination address of the access packet is the IP address of the target device, and the relay device may be a computer, a server, a portable mobile terminal or the like, which this embodiment does not limit. In practice, a device usually sends a packet directly to the device indicated by the packet's destination address. In this embodiment, however, so that the target device can process the access packet according to the packet's authority, the access device's routing is configured in advance so that an access packet whose destination address is the IP address of the target device is sent to the relay device first. The relay device then sets an authority attribute identifier on the access packet based on its source address and sends the resulting target packet to the target device. Because the relay device has set the identifier in the target packet, the target device does not need to store an authority list or determine authority from one; it determines the access authority of the target packet directly from the identifier carried in the packet and processes the packet accordingly, which reduces the storage space occupied on the target device and avoids degrading its performance and its normal processing of packets.
In summary, in this access control method the access device sends an access packet whose destination address is the IP address of the target device to a relay device, so that the relay device sets an authority attribute identifier on it based on its source address and sends the resulting target packet to the target device. The target device therefore does not need to store an authority list or determine authority from one; it determines the access authority of the target packet directly from the identifier carried in the packet and processes the access device's packet accordingly, which reduces the storage space occupied on the target device and avoids degrading its performance and its normal processing of packets.
Fig. 4 is a flowchart of steps of another access control method provided in an embodiment of the present invention, which is applied to a target device, and as shown in fig. 4, the method may include:
step 401, receiving a target data packet sent by a transit device; and the target data packet is provided with an authority attribute identifier which represents the authority attribute of the target data packet.
In the embodiment of the present invention, the target data packet may be generated by the relay device based on an access data packet sent by the access device, and a source address of the access data packet is an IP address of the access device, specifically, the target data packet may be obtained by setting an authority attribute identifier in the access data packet based on the source address of the access data packet, that is, effective data information carried in the target data packet is the same as effective data information carried in the access data packet, and the target data packet may be considered as a data packet sent by the access device essentially. Furthermore, because the target data packet includes the authority attribute identifier, the authority list does not need to be stored in the target device, the target device does not need to determine the authority based on the authority list, the access authority of the target data packet can be determined directly based on the authority attribute identifier included in the target data packet, and the target data packet is processed, so that the occupation of the storage space of the target device can be reduced, and the influence on the performance of the target device and the normal processing of the data packet by the target device is avoided.
Step 402, processing the target data packet based on the authority attribute identification in the target data packet.
In the embodiment of the invention, the target device can perform corresponding processing on the target data packet based on the authority attribute represented by the authority attribute identifier in the target data packet, so as to realize access control.
In summary, according to another access control method provided in the embodiments of the present invention, a target device may receive a target data packet sent by a relay device, where the target data packet carries an authority attribute identifier representing its authority attribute, and then process the target data packet based on that identifier. The target device therefore does not need to store an authority list or determine authority from such a list; it can determine the access authority of the target data packet directly from the authority attribute identifier and process the data packet sent by the access device accordingly, which reduces the storage space occupied on the target device and avoids affecting its performance and its normal processing of data packets.
Fig. 5 is a flowchart illustrating steps of another access control method according to an embodiment of the present invention, where as shown in fig. 5, the method may include:
Step 501: the access device sends an access data packet to the relay device, where the target address of the access data packet is the IP address of the target device.
In this step, so that the access device sends the access data packet to the relay device first, the routing configuration of the access device may be changed in advance based on the IP address of the relay device; specifically, the IP address of the relay device may be added to the routing rules of the access device.
Further, when sending the access data packet to the relay device, the access device may first send a connection establishment request including its IP address and port information to the relay device, so that the relay device can establish a connection channel with the access device based on that port information and IP address; the access device then sends the access data packet to the relay device through the connection channel. The connection channel may be a Transmission Control Protocol (TCP) connection.
Step 502, the relay device receives an access data packet sent by the access device.
Accordingly, in this step, the relay device may receive a connection establishment request including the port information of the access device and the IP address of the access device, which is sent by the access device, then establish a connection channel with the access device based on the port information of the access device and the IP address of the access device, and then receive the access packet based on the connection channel.
Step 503: the relay device sets an authority attribute identifier for the access data packet based on the source address of the access data packet, so as to obtain a target data packet.
This step can be carried out in either of the following two embodiments.
A first possible embodiment:
The authority attribute identifier may be an authority IP address. Accordingly, the relay device may set the authority attribute identifier for the access data packet based on its source address, and thereby obtain the target data packet, through the following substeps (1) to (3):
Substep (1): the relay device obtains the source address of the access data packet.
In this step, the relay device may parse the access data packet and read the source address from the location in the parsed packet where the source address information is stored.
Substep (2): the relay device determines the authority IP address corresponding to the authority attribute of the access data packet based on its source address.
In this step, the relay device may first determine the target network segment in which the source address of the access data packet lies, and then look up that target network segment in a preset correspondence between network segments and authority IP addresses to determine the authority IP address corresponding to the target network segment, which serves as the authority IP address corresponding to the authority attribute of the access data packet.
In practical applications, access authority control often has to be applied to every IP address in a network segment. For example, given network segment N1: 1.1.1.0/24, network segment N2: 1.1.2.0/24 and network segment N3: 1.1.3.0/24, it may be required that N1 is not allowed to access N3 while N2 is allowed to access N3. Therefore, in this step, authority IP addresses representing the authority attributes can be assigned to different network segments in advance according to actual requirements, and the correspondence between network segments and authority IP addresses is established and stored in the relay device, which stores less data than storing many individual IP addresses. Of course, in the embodiment of the present invention, a correspondence between individual IP addresses and authority IP addresses may also be stored, in which case the relay device may look up the authority IP address corresponding to the source address of the access data packet directly in that correspondence; the embodiment of the present invention does not limit this.
Further, since the source address of the access data packet is the IP address of the access device, the relay device may determine the network segment in which that IP address lies, look up the authority IP address corresponding to that target network segment in the preset correspondence between network segments and authority IP addresses, and take it as the authority IP address corresponding to the authority attribute of the access data packet. For example, assume that the authority IP addresses are 1.1.3.2 and 1.1.3.3, where 1.1.3.2 indicates that access is prohibited and 1.1.3.3 indicates that access is permitted; that the authority IP address corresponding to network segment N1 is 1.1.3.2 and that corresponding to N2 is 1.1.3.3; and that the target network segment in which the source address of the access data packet lies is N2. The relay device then determines 1.1.3.3 as the authority IP address corresponding to the authority attribute of the access data packet.
Substep (3): the relay device replaces the source address of the access data packet with the authority IP address corresponding to the authority attribute of the access data packet, obtaining the target data packet.
In this step, the relay device may delete the source address stored in the access data packet and write the authority IP address into the location where the source address was stored, obtaining the target data packet.
A second possible embodiment:
The authority attribute identifier is a designated marker. Accordingly, the relay device may set the authority attribute identifier for the access data packet based on its source address, and thereby obtain the target data packet, through the following substeps (4) to (6):
Substep (4): the relay device obtains the source address of the access data packet.
This step is implemented in the same manner as substep (1), which may be referred to; it is not described again here.
Substep (5): the relay device determines the authority attribute of the access data packet based on its source address.
In this step, the relay device may first determine the target network segment in which the source address of the access data packet lies, then determine the designated marker corresponding to that target network segment from a preset correspondence between network segments and designated markers, and finally take the designated marker corresponding to the target network segment as the designated marker corresponding to the authority attribute of the access data packet. The designated markers may include a marker indicating that access is permitted and a marker indicating that access is prohibited; the specific form of the markers may be set according to actual requirements and is not limited in the embodiment of the present invention. For example, the marker indicating that access is permitted may be set to A and the marker indicating that access is prohibited to B. Then, assuming that the designated marker corresponding to the target network segment in which the source address of the access data packet lies is A, the relay device determines A as the designated marker corresponding to the authority attribute of the access data packet.
Substep (6): the relay device inserts the designated marker corresponding to the authority attribute of the access data packet at a designated position in the access data packet, obtaining the target data packet.
In this step, the designated position may be set according to the actual situation; for example, it may be the last bit, in which case the relay device inserts the designated marker A corresponding to the authority attribute of the access data packet at the last bit of the access data packet to obtain the target data packet.
Step 504: the relay device sends the target data packet to the target device.
This step may be implemented as described for step 103, which is not repeated here.
Step 505: the target device receives the target data packet sent by the relay device.
This step may be implemented as described for step 301, which is not repeated here.
Step 506, the target device processes the target data packet based on the authority attribute identifier in the target data packet.
Specifically, the target device may parse the target data packet, extract the authority attribute identifier from it, process the target data packet if the identifier indicates that access is permitted, and discard it if the identifier indicates that access is prohibited. In the embodiment of the invention, the relay device generates the target data packet by setting the authority attribute identifier on the access data packet, and the target device processes target data packets whose identifier indicates that access is permitted and discards those whose identifier indicates that access is prohibited. In this way only some of the access devices are able to access the target device, which implements access control; at the same time, selectively discarding target data packets limits the number of concurrent data packets at the target device and the traffic the target device spends processing them, which implements concurrency control and flow control. Further, in practical applications, to save the processing resources of the target device as much as possible, an access data packet whose authority attribute identifier indicates that access is prohibited can be discarded directly by the relay device, which reduces the number of data packets sent to the target device and saves its processing resources.
Further, if the relay device generated the target data packet by replacing the source address of the access data packet with the authority IP address, the target data packet no longer carries the IP address of the access device that sent it. So that the target device can still return a response data packet for the target data packet to the access device, the target device may send the response data packet to the relay device. The relay device receives the response data packet sent by the target device and, if the target address of the response data packet is an authority IP address, sends the response data packet to the corresponding access device through the connection channel corresponding to the port information in the response data packet. Specifically, the relay device may search the previously established connection channels for the one whose port information matches the port information in the response data packet, and send the response data packet to the access device over that connection channel.
To sum up, in another access control method provided in the embodiments of the present invention, an access device may send an access data packet whose target address is the IP address of a target device to a relay device; the relay device receives the access data packet, sets an authority attribute identifier for it based on its source address to obtain a target data packet, where the authority attribute identifier represents the authority attribute of the access data packet and the authority attributes include access permitted and access prohibited, and sends the target data packet to the target device; the target device receives the target data packet and processes it based on the authority attribute identifier it carries. The target device therefore does not need to store an authority list or determine authority from such a list; it can determine the access authority of the target data packet directly from the authority attribute identifier and process the data packet sent by the access device accordingly, which reduces the storage space occupied on the target device and avoids affecting its performance and its normal processing of data packets.
Fig. 6 is an application schematic diagram of an access control system according to an embodiment of the present invention. As shown in fig. 6, S1 denotes access device 1, S2 denotes access device 2, S4 denotes the relay device and S3 denotes the target device. The network segment N1 in which the source address of access device 1 lies is 1.1.1.0/24, the network segment N2 in which the source address of access device 2 lies is 1.1.2.0/24, the authority IP address indicating that access is permitted is 1.1.3.3, and the authority IP address indicating that access is prohibited is 1.1.3.2.
Assume that in the preset correspondence between network segments and authority IP addresses, the authority IP address corresponding to network segment N1: 1.1.1.0/24 is 1.1.3.2 and the authority IP address corresponding to network segment N2: 1.1.2.0/24 is 1.1.3.3. The relay device then replaces the source address (in N1) of an access data packet sent by access device 1 with 1.1.3.2, and replaces the source address (in N2) of an access data packet sent by access device 2 with 1.1.3.3, obtaining the target data packets, which it sends to the target device. The target device discards the target data packet whose source address is 1.1.3.2 and processes the target data packet whose source address is 1.1.3.3.
In summary, in the embodiment of the present invention, the relay device may, according to the authority of the access device, rewrite the source address of the access data packet sent by the access device to one that represents the authority attribute, obtaining the target data packet, and send the target data packet to the target device; the target device receives the target data packet, processes it if its authority attribute identifier represents that access is permitted, and discards it if the identifier represents that access is prohibited. The target device therefore does not need to store an authority list or determine authority from such a list; whether to process the target data packet can be decided directly from the authority attribute represented by its source address, so the data packet sent by the access device is processed accordingly, the storage space occupied on the target device is reduced, and its performance and normal processing of data packets are not affected.
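The relay-side rewriting of step 503 (first embodiment), the target-side decision of step 506, the response path back through the connection channel, and the fig. 6 segment assignments, carried through as an added Python example that is not part of the patent. The target device address 1.1.3.1, the access device addresses and ports, the packet layout, and the default-deny for a source in no configured segment are assumptions; the two authority IP addresses are a convention the target device must share with the relay.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Authority IP addresses as used in the fig. 6 example: a source address
# rewritten to one of these values carries the authority attribute itself.
PERMIT_ADDR = "1.1.3.3"   # represents "access permitted"
DENY_ADDR = "1.1.3.2"     # represents "access prohibited"
TARGET_IP = "1.1.3.1"     # constructed target device address (assumption)

# Preset correspondence between network segment and authority IP address,
# stored only in the relay device (step 503, substep (2)).
SEGMENT_AUTHORITY = {
    ipaddress.ip_network("1.1.1.0/24"): DENY_ADDR,    # N1: may not access the target
    ipaddress.ip_network("1.1.2.0/24"): PERMIT_ADDR,  # N2: may access the target
}


@dataclass(frozen=True)
class Packet:
    """Constructed, simplified packet with only the fields the method touches."""
    src: str
    dst: str
    src_port: int
    dst_port: int
    payload: bytes


class TargetDevice:
    """Step 506: decide purely from the authority attribute carried in the source address."""

    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.processed: List[bytes] = []

    def receive(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src != PERMIT_ADDR:
            return None  # authority attribute is "prohibited" (or unknown): discard
        self.processed.append(pkt.payload)
        # The reply is addressed to the authority IP, so only the relay can deliver it.
        return Packet(src=self.ip, dst=pkt.src, src_port=pkt.dst_port,
                      dst_port=pkt.src_port, payload=b"reply:" + pkt.payload)


class RelayDevice:
    """Steps 502 to 504 plus the response path described after step 506."""

    def __init__(self, segment_authority: Dict, target: TargetDevice) -> None:
        self.segment_authority = segment_authority
        self.target = target
        self.channels: Dict[int, str] = {}  # access port -> access device IP (TCP channel)

    def establish_channel(self, access_ip: str, port: int) -> None:
        """Step 502: remember the connection channel, keyed by the access device's port."""
        self.channels[port] = access_ip

    def authority_for(self, src: str) -> str:
        """Substep (2): network segment of the source address -> authority IP address.
        A source in no configured segment is treated as prohibited; that default is an
        assumption, the page does not say what the relay does in that case."""
        addr = ipaddress.ip_address(src)
        for segment, authority in self.segment_authority.items():
            if addr in segment:
                return authority
        return DENY_ADDR

    def set_authority(self, pkt: Packet) -> Packet:
        """Substep (3): overwrite the source address with the authority IP address."""
        return Packet(src=self.authority_for(pkt.src), dst=pkt.dst,
                      src_port=pkt.src_port, dst_port=pkt.dst_port, payload=pkt.payload)

    def handle(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite, forward to the target, and route any reply back to the access device."""
        target_pkt = self.set_authority(pkt)
        if target_pkt.src == DENY_ADDR:
            return None  # optional early discard at the relay (end of step 506)
        reply = self.target.receive(target_pkt)
        return self.route_response(reply) if reply is not None else None

    def route_response(self, resp: Packet) -> Optional[Packet]:
        """Deliver a reply addressed to an authority IP over the channel matching its port."""
        if resp.dst not in (PERMIT_ADDR, DENY_ADDR):
            return resp  # not addressed to an authority IP: forward unchanged
        access_ip = self.channels.get(resp.dst_port)
        if access_ip is None:
            return None  # no channel with that port: nothing to deliver to
        return Packet(src=resp.src, dst=access_ip, src_port=resp.src_port,
                      dst_port=resp.dst_port, payload=resp.payload)


def run_figure6() -> dict:
    """Replay fig. 6: access device 1 in N1 and access device 2 in N2 (constructed hosts)."""
    target = TargetDevice(TARGET_IP)
    relay = RelayDevice(SEGMENT_AUTHORITY, target)
    relay.establish_channel("1.1.1.10", 40001)
    relay.establish_channel("1.1.2.10", 40002)
    reply1 = relay.handle(Packet("1.1.1.10", TARGET_IP, 40001, 80, b"from-N1"))
    reply2 = relay.handle(Packet("1.1.2.10", TARGET_IP, 40002, 80, b"from-N2"))
    return {"reply1": reply1, "reply2": reply2, "processed": list(target.processed)}
```

Because the target device sees only 1.1.3.2 or 1.1.3.3 as the source, its logs no longer identify the real access device; the port-to-channel table in the relay is the only place that mapping survives.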
Fig. 7 is a block diagram of an access control apparatus according to an embodiment of the present invention, and as shown in fig. 7, the apparatus 70 may be applied to a relay device, and the apparatus 70 may include:
a first receiving module 701, configured to receive an access data packet sent by an access device, where the target address of the access data packet is the IP address of the target device;
a setting module 702, configured to set an authority attribute identifier for the access data packet based on the source address of the access data packet, so as to obtain a target data packet;
a first sending module 703, configured to send the target data packet to the target device.
Optionally, the authority attributes include access permitted and access prohibited, and the authority attribute identifier is an authority IP address.
The setting module 702 includes:
an obtaining submodule, configured to obtain the source address of the access data packet;
a determining submodule, configured to determine the authority IP address corresponding to the authority attribute of the access data packet based on the source address of the access data packet;
a replacing submodule, configured to replace the source address of the access data packet with the authority IP address corresponding to the authority attribute of the access data packet, so as to obtain the target data packet.
Optionally, the determining submodule is configured to:
determine the target network segment in which the source address of the access data packet lies based on the source address of the access data packet;
look up the target network segment in a preset correspondence between network segments and authority IP addresses, and determine the authority IP address corresponding to the target network segment as the authority IP address corresponding to the authority attribute of the access data packet.
Optionally, the authority attribute identifier is a designated marker;
the setting module 702 is configured to:
obtain the source address of the access data packet;
determine the authority attribute of the access data packet based on the source address of the access data packet;
insert the designated marker corresponding to the authority attribute of the access data packet at a designated position in the access data packet, so as to obtain the target data packet.
Optionally, the first receiving module 701 is configured to:
establish a connection channel with the access device based on the port information of the access device and the IP address of the access device, and receive the access data packet through the connection channel.
The apparatus 70 further comprises:
a second receiving module, configured to receive a response data packet sent by the target device;
a second sending module, configured to, if the target address of the response data packet is an authority IP address, send the response data packet to the corresponding access device through the connection channel corresponding to the port information in the response data packet.
To sum up, in an access control apparatus provided in the embodiments of the present invention, a first receiving module may receive an access data packet sent by an access device; a setting module may set an authority attribute identifier for the access data packet based on its source address to obtain a target data packet, where the authority attribute identifier represents the authority attribute of the access data packet and the authority attributes include access permitted and access prohibited; and a first sending module may send the target data packet to the target device. The target device therefore does not need to store an authority list or determine authority from such a list; it can determine the access authority of the target data packet directly from the authority attribute identifier and process the data packet sent by the access device accordingly, which reduces the storage space occupied on the target device and avoids affecting its performance and its normal processing of data packets.
Fig. 8 is a block diagram of another access control apparatus according to an embodiment of the present invention, and as shown in fig. 8, the apparatus 80 may be applied to an access device, and the apparatus 80 may include:
a third sending module 801, configured to send an access data packet to a relay device, so that the relay device sets an authority attribute identifier for the access data packet based on the source address of the access data packet, obtains a target data packet, and sends the target data packet to a target device;
where the target address of the access data packet is the IP address of the target device.
Optionally, the apparatus 80 further comprises:
and the changing module is used for changing the routing configuration of the access equipment based on the IP address of the transfer equipment so that the access equipment sends an access data packet with a target address as the IP address of the target equipment to the transfer equipment.
In summary, in another access control apparatus provided in the embodiment of the present invention, the third sending module may send the access packet whose destination address is the IP address of the destination device to the relay device, so that the transfer device sets the authority attribute identification for the access packet based on the source address of the access packet, and the target data packet obtained after the setting is sent to the target equipment, so that the access authority of the target data packet can be determined directly on the basis of the authority attribute identification included in the target data packet without storing an authority list in the target equipment or determining the authority on the basis of the authority list by the target equipment, and then realize processing the data packet that the access equipment sent, and then can reduce the occupation to the storage space of the target device, avoid causing the influence to the performance of the target device and normal processing of the data packet of the target device.
Fig. 9 is a block diagram of another access control apparatus according to an embodiment of the present invention, and as shown in fig. 9, the apparatus 90 may be applied to a target device, and the apparatus 90 may include:
a third receiving module 901, configured to receive a target data packet sent by the relay device, where the target data packet carries an authority attribute identifier representing the authority attribute of the target data packet, the target data packet is generated by the relay device from an access data packet sent by an access device, and the source address of the access data packet is the IP address of the access device;
A processing module 902, configured to process the target data packet based on the authority attribute identifier in the target data packet.
Optionally, the processing module 902 is configured to:
process the target data packet if the authority attribute identifier in the target data packet represents that access is permitted;
discard the target data packet if the authority attribute identifier in the target data packet represents that access is prohibited.
In summary, in another access control apparatus provided in the embodiment of the present invention, the third receiving module may receive a target data packet sent by the relay device, where the target data packet carries an authority attribute identifier representing its authority attribute, and the processing module may then process the target data packet based on that identifier. The access authority of the target data packet is thus determined directly from the authority attribute identifier, without storing an authority list in the target device and without the target device determining authority from such a list; the data packet sent by the access device is processed accordingly, the storage space occupied on the target device is reduced, and its performance and normal processing of data packets are not affected.
Fig. 10 is a block diagram of an access control system according to an embodiment of the present invention, and as shown in fig. 10, the system 10 may include: a relay device 1001 and a target device 1002;
the relay device 1001 is configured to receive an access data packet sent by an access device 1003, where the target address of the access data packet is the IP address of the target device;
the relay device 1001 is further configured to set an authority attribute identifier for the access data packet based on the source address of the access data packet, so as to obtain a target data packet;
the relay device 1001 is further configured to send the target data packet to the target device 1002;
the target device 1002 is configured to process the target data packet based on the authority attribute represented by the authority attribute identifier.
To sum up, in an access control system provided in an embodiment of the present invention, a relay device may receive an access data packet sent by an access device, set an authority attribute identifier for it based on its source address to obtain a target data packet, where the authority attribute identifier represents the authority attribute of the access data packet and the authority attributes include access permitted and access prohibited, and send the target data packet to the target device; the target device receives the target data packet and processes it based on the authority attribute identifier it carries. The target device therefore does not need to store an authority list or determine authority from such a list; it can determine the access authority of the target data packet directly from the authority attribute identifier and process the data packet sent by the access device accordingly, which reduces the storage space occupied on the target device and avoids affecting its performance and its normal processing of data packets.
As the above apparatus embodiments are essentially similar to the method embodiments, they are described only briefly; for the relevant points, refer to the corresponding parts of the description of the method embodiments.
In addition, an embodiment of the present invention further provides a terminal, which includes a processor, a memory, and a computer program stored in the memory and capable of running on the processor, where the computer program, when executed by the processor, implements each process of the foregoing access control method embodiment, and can achieve the same technical effect, and details are not repeated here to avoid repetition.
The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program implements each process of the above access control method embodiment, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here. The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As is readily imaginable to the person skilled in the art: any combination of the above embodiments is possible, and thus any combination between the above embodiments is an embodiment of the present invention, but the present disclosure is not necessarily detailed herein for reasons of space.
The access control methods provided herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The structure required to construct a system incorporating aspects of the present invention will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the invention and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the access control method according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, et cetera does not indicate any ordering; these words may be interpreted as names.

Claims (17)

1. An access control method applied to a system including a relay device and a target device, the method comprising:
the relay device receiving an access packet sent by an access device, wherein the destination address of the access packet is the IP address of the target device;
the relay device setting an authority attribute identifier for the access packet based on the source address of the access packet to obtain a target packet, which comprises: replacing the source address of the access packet with the authority IP address corresponding to the authority attribute of the access packet to obtain the target packet;
the relay device sending the target packet to the target device; and
the target device processing the target packet based on the authority attribute represented by the authority attribute identifier.
2. An access control method applied to a relay device, the method comprising:
receiving an access packet sent by an access device, wherein the destination address of the access packet is the IP address of a target device;
setting an authority attribute identifier for the access packet based on the source address of the access packet to obtain a target packet, which comprises: replacing the source address of the access packet with the authority IP address corresponding to the authority attribute of the access packet to obtain the target packet; and
sending the target packet to the target device.
3. The method of claim 2, wherein the authority attributes include access permitted and access prohibited, and the authority attribute identifier is an authority IP address; and
wherein setting the authority attribute identifier for the access packet based on the source address of the access packet to obtain the target packet comprises:
acquiring the source address of the access packet; and
determining, based on the source address of the access packet, the authority IP address corresponding to the authority attribute of the access packet.
4. The method of claim 3, wherein determining, based on the source address of the access packet, the authority IP address corresponding to the authority attribute of the access packet comprises:
determining, based on the source address of the access packet, the target network segment in which the source address is located; and
looking up the target network segment in a preset correspondence between network segments and authority IP addresses, and taking the authority IP address corresponding to the target network segment as the authority IP address corresponding to the authority attribute of the access packet.
5. The method of claim 2, wherein the authority attribute identifier is a designated marker; and
wherein setting the authority attribute identifier for the access packet based on the source address of the access packet to obtain the target packet comprises:
acquiring the source address of the access packet;
determining the authority attribute of the access packet based on the source address of the access packet; and
inserting the designated marker corresponding to the authority attribute of the access packet at a designated position in the access packet to obtain the target packet.
6. The method of claim 3, wherein receiving the access packet sent by the access device comprises: establishing a connection channel with the access device based on the port information and the IP address of the access device, and receiving the access packet over the connection channel; and
wherein, after sending the target packet to the target device, the method further comprises:
receiving a response packet sent by the target device; and if the destination address of the response packet is the authority IP address, sending the response packet to the corresponding access device over the connection channel corresponding to the port information in the response packet.
7. An access control method applied to a target device, the method comprising:
receiving a target packet sent by a relay device, wherein the target packet carries an authority attribute identifier representing the authority attribute of the target packet, and the target packet is generated by the relay device setting the authority attribute identifier for an access packet sent by an access device based on the source address of the access packet, which comprises: replacing the source address of the access packet with the authority IP address corresponding to the authority attribute of the access packet to obtain the target packet, the source address of the access packet being the IP address of the access device; and
processing the target packet based on the authority attribute identifier in the target packet.
8. The method of claim 7, wherein processing the target packet based on the authority attribute identifier in the target packet comprises:
if the authority attribute identifier in the target packet represents that access is permitted, processing the target packet; and
if the authority attribute identifier in the target packet represents that access is prohibited, discarding the target packet.
9. An access control system, comprising a relay device and a target device, wherein:
the relay device is configured to receive an access packet sent by an access device, the destination address of the access packet being the IP address of the target device;
the relay device is further configured to set an authority attribute identifier for the access packet based on the source address of the access packet to obtain a target packet, which comprises: replacing the source address of the access packet with the authority IP address corresponding to the authority attribute of the access packet to obtain the target packet;
the relay device is further configured to send the target packet to the target device; and
the target device is configured to process the target packet based on the authority attribute represented by the authority attribute identifier.
10. An access control apparatus applied to a relay device, the apparatus comprising:
a first receiving module configured to receive an access packet sent by an access device, wherein the destination address of the access packet is the IP address of a target device;
a setting module configured to set an authority attribute identifier for the access packet based on the source address of the access packet to obtain a target packet, which comprises: replacing the source address of the access packet with the authority IP address corresponding to the authority attribute of the access packet to obtain the target packet; and
a first sending module configured to send the target packet to the target device.
11. The apparatus of claim 10, wherein the authority attributes include access permitted and access prohibited, and the authority attribute identifier is an authority IP address; and
wherein the setting module comprises:
an acquiring submodule configured to acquire the source address of the access packet; and
a determining submodule configured to determine, based on the source address of the access packet, the authority IP address corresponding to the authority attribute of the access packet.
12. The apparatus of claim 11, wherein the determining submodule is configured to:
determine, based on the source address of the access packet, the target network segment in which the source address is located; and
look up the target network segment in a preset correspondence between network segments and authority IP addresses, and take the authority IP address corresponding to the target network segment as the authority IP address corresponding to the authority attribute of the access packet.
13. The apparatus of claim 10, wherein the authority attribute identifier is a designated marker; and
wherein the setting module is configured to:
acquire the source address of the access packet;
determine the authority attribute of the access packet based on the source address of the access packet; and
insert the designated marker corresponding to the authority attribute of the access packet at a designated position in the access packet to obtain the target packet.
14. The apparatus of claim 11, wherein the first receiving module is configured to: establish a connection channel with the access device based on the port information and the IP address of the access device, and receive the access packet over the connection channel; and
wherein the apparatus further comprises:
a second receiving module configured to receive a response packet sent by the target device; and a second sending module configured to, if the destination address of the response packet is the authority IP address, send the response packet to the corresponding access device over the connection channel corresponding to the port information in the response packet.
15. An access control apparatus applied to a target device, the apparatus comprising:
a third receiving module configured to receive a target packet sent by a relay device, wherein the target packet carries an authority attribute identifier representing the authority attribute of the target packet, and the target packet is generated by the relay device setting the authority attribute identifier for an access packet sent by an access device based on the source address of the access packet, which comprises: replacing the source address of the access packet with the authority IP address corresponding to the authority attribute of the access packet to obtain the target packet, the source address of the access packet being the IP address of the access device; and
a processing module configured to process the target packet based on the authority attribute identifier in the target packet.
16. The apparatus of claim 15, wherein the processing module is configured to:
if the authority attribute identifier in the target packet represents that access is permitted, process the target packet; and
if the authority attribute identifier in the target packet represents that access is prohibited, discard the target packet.
17. A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the access control method of any one of claims 1 to 8.
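The relay-and-target exchange the claims describe, as an added Python example that is not code from the patent or its assignee: the relay maps the access device's source address to a network segment and substitutes the corresponding authority IP address (claims 2 to 4), records the connection channel by port information so that responses addressed to the authority IP can be returned (claim 6), and the target device serves or discards based on the authority IP it sees in the source field (claims 7 and 8). The segment table, the two authority IP values, the target IP, and the fail-closed default for sources in no configured segment are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed values: the patent specifies neither the segments nor the two
# authority IP addresses, so these are placeholders for the example.
PERMIT_IP = "10.0.0.1"    # source rewritten to this means "access permitted"
DENY_IP = "10.0.0.2"      # source rewritten to this means "access prohibited"
TARGET_IP = "10.0.0.100"  # IP address of the target device
SEGMENT_TABLE = {         # claim 4: preset segment -> authority IP correspondence
    ipaddress.ip_network("192.168.1.0/24"): PERMIT_IP,
    ipaddress.ip_network("192.168.2.0/24"): DENY_IP,
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def authority_ip_for(src: str) -> str:
    """Claim 4: find the segment containing the source address and return its
    authority IP. A source in no configured segment gets DENY_IP (fail closed;
    an assumption, since the claims do not say what happens to such sources)."""
    addr = ipaddress.ip_address(src)
    for segment, auth_ip in SEGMENT_TABLE.items():
        if addr in segment:
            return auth_ip
    return DENY_IP


class RelayDevice:
    """Claims 2 to 4 and 6: rewrite the source address and keep the return path."""

    def __init__(self):
        # port information -> (access device IP, access device port), claim 6.
        # Keying on the port alone requires ports to be unique across access
        # devices; a production relay would allocate its own port per channel.
        self.channels = {}

    def forward(self, pkt: Packet) -> Packet:
        self.channels[pkt.sport] = (pkt.src, pkt.sport)
        return replace(pkt, src=authority_ip_for(pkt.src))  # claims 2 and 3

    def return_response(self, resp: Packet):
        # Claim 6: only a response addressed to an authority IP is relayed back,
        # over the channel whose port information matches the response.
        if resp.dst not in (PERMIT_IP, DENY_IP) or resp.dport not in self.channels:
            return None
        access_ip, access_port = self.channels[resp.dport]
        return replace(resp, dst=access_ip, dport=access_port)


def target_process(pkt: Packet):
    """Claims 7 and 8: the target device reads the authority IP from the source
    field, serves permitted packets and discards prohibited ones."""
    if pkt.src == PERMIT_IP:
        return Packet(TARGET_IP, pkt.src, pkt.dport, pkt.sport, b"OK:" + pkt.payload)
    return None  # access prohibited: discard
```

Because the decision rests entirely on the source address the relay sees, the relay must sit on the only path to the target and the segment table must be treated as security configuration.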
CN201811354619.7A 2018-11-14 2018-11-14 Access control method, device and system and computer readable storage medium Active CN109672665B (en)
Publications (2)

Publication Number Publication Date
CN109672665A CN109672665A (en) 2019-04-23
CN109672665B true CN109672665B (en) 2021-10-15
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant