CN110213215B - Resource access method, device, terminal and storage medium - Google Patents


Publication number: CN110213215B
Authority: CN (China)
Prior art keywords: access, terminal, request, resource, information
Legal status: Active (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201810893233.7A
Other languages: Chinese (zh)
Other versions: CN110213215A
Inventors: 杨哲, 蔡晨, 周明辉, 蒙俊伸, 陈增萍, 张华彦, 李超俊, 王继超, 罗靖, 曹子涵, 杜闯, 蔡东赟
Current assignee: Tencent Cloud Computing Beijing Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Tencent Cloud Computing Beijing Co Ltd
Application filed by Tencent Cloud Computing Beijing Co Ltd; published as CN110213215A, granted and published as CN110213215B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The embodiments of the invention disclose a resource access method, apparatus, terminal and storage medium. When a resource needs to be accessed, the terminal sends an access ticket acquisition request to a network access client; it receives the access ticket returned by the network access client, the access ticket having been acquired by the network access client from the access control device on the basis of the access ticket acquisition request; it sends a connection establishment request carrying the access ticket to a gateway device of the network; and when the connection is successfully established, it sends a resource access request to the gateway device over that connection so that the gateway device forwards the resource access request to a resource server in the network. The scheme can improve resource security.

Description

Resource access method, device, terminal and storage medium
Technical Field
The present invention relates to the field of network technologies, and in particular, to a resource access method, apparatus, terminal, and storage medium.
Background
Traditional enterprise network access relies on a boundary wall that separates the internal network from external networks and concentrates on defending the boundary. The enterprise intranet cannot be reached directly from outside the boundary; enterprise resources are accessed through a Virtual Private Network (VPN). Inside the boundary, every device is assumed to be safe and trustworthy: identity authentication is performed only once, when the device joins the network, and after authentication passes the device accesses enterprise resources without any further security measures. This is like protecting a city with its wall: the identity of a person entering the city is verified only at the city gate, and if an attacker manages to pass the gate check, nothing supervises the attacker once inside the wall.
The existing enterprise network access mode is therefore a boundary protection mode, in which identity authentication is performed at the network boundary. Once the boundary protection is broken, however, an illegitimate person can obtain all resources in the network, so the security of the resources is poor.
Disclosure of Invention
The embodiments of the invention provide a resource access method, a resource access apparatus, a terminal and a storage medium that can improve the security of resources.
An embodiment of the invention provides a resource access method, applicable to a terminal, which comprises the following steps:
when a resource needs to be accessed, sending an access ticket acquisition request to a network access client;
receiving an access ticket returned by the network access client, the access ticket having been acquired by the network access client from an access control device on the basis of the access ticket acquisition request;
sending a connection establishment request to a gateway device of the network, the connection establishment request carrying the access ticket;
and, when the connection is successfully established, sending a resource access request to the gateway device over the connection so that the gateway device can forward the resource access request to a resource server in the network.
An embodiment of the invention provides another resource access method, applicable to a gateway device, which comprises the following steps:
receiving a connection establishment request sent by a terminal, the connection establishment request carrying an access ticket;
sending a verification request carrying the access ticket to an access control device so that the access control device can verify the access ticket;
when the access ticket passes verification, establishing a connection with the terminal according to the connection establishment request;
and receiving a resource access request sent by the terminal over the established connection and forwarding the resource access request to a resource server.
An embodiment of the invention provides another resource access method, applicable to an access control device, which comprises:
receiving a ticket application request sent by a terminal;
acquiring request legality evaluation information according to the ticket application request;
determining, according to the request legality evaluation information, whether the current ticket application request is legal;
if it is legal, sending an access ticket to the terminal;
receiving a verification request sent by a gateway device, the verification request carrying the access ticket;
and verifying the access ticket and sending the ticket verification result to the gateway device.
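The three-party flow laid out in these steps (ticket issuance by the access control device, ticket verification by the gateway, and forwarding only over a verified connection), as an added Python example that is not part of the patent. The class names, the HMAC-signed JSON ticket format, the ticket lifetime and all sample identifiers are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# All names below are hypothetical: the patent describes roles and the message flow,
# not a concrete ticket format or API. Tickets here are HMAC-signed JSON (an assumption).

TICKET_TTL_SECONDS = 60  # assumed ticket lifetime; the patent does not specify one

class AccessControlDevice:
    """Registers terminals, issues access tickets and verifies them for the gateway."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._baseline: Dict[str, str] = {}  # device identifier -> bound user identity

    def register(self, device_id: str, user: str) -> None:
        self._baseline[device_id] = user  # device registration binds the device to the user

    def _mac(self, payload: bytes) -> str:
        return hmac.new(self._secret, payload, hashlib.sha256).hexdigest()

    def issue_ticket(self, device_id: str, user: str, resource: str, now: float) -> Optional[str]:
        # A ticket application is legal only if the device is registered to this user.
        if self._baseline.get(device_id) != user:
            return None
        body = {"dev": device_id, "user": user, "res": resource,
                "exp": int(now) + TICKET_TTL_SECONDS}
        payload = json.dumps(body, sort_keys=True).encode()
        return payload.hex() + "." + self._mac(payload)

    def verify_ticket(self, ticket: str, now: float) -> Optional[dict]:
        # Verification request from the gateway: MAC must match and ticket must be unexpired.
        try:
            payload_hex, mac = ticket.split(".", 1)
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return None
        if not hmac.compare_digest(self._mac(payload), mac):
            return None
        body = json.loads(payload)
        return body if body["exp"] > now else None

class GatewayDevice:
    """Proxies resource requests to the resource server only over ticket-verified connections."""

    def __init__(self, acd: AccessControlDevice) -> None:
        self._acd = acd
        self._connections: Dict[int, dict] = {}  # connection id -> verified ticket body
        self.forwarded: List[str] = []  # what reached the (simulated) resource server

    def establish_connection(self, ticket: str, now: float) -> Optional[int]:
        body = self._acd.verify_ticket(ticket, now)
        if body is None:
            return None  # ticket rejected: no connection is established
        conn_id = len(self._connections) + 1
        self._connections[conn_id] = body
        return conn_id

    def forward(self, conn_id: int, resource: str) -> Optional[str]:
        body = self._connections.get(conn_id)
        if body is None or body["res"] != resource:
            return None  # unknown connection, or ticket issued for a different resource
        self.forwarded.append(f"{body['user']}:{resource}")
        return f"content of {resource}"  # stands in for the resource server's response

class GatewayProxy:
    """Local gateway proxy process on the terminal (steps 101 to 103); the network access client's role is the issue_ticket call."""

    def __init__(self, acd: AccessControlDevice, gateway: GatewayDevice, device_id: str, user: str) -> None:
        self._acd, self._gateway, self._device_id, self._user = acd, gateway, device_id, user

    def access(self, resource: str, now: float) -> Optional[str]:
        ticket = self._acd.issue_ticket(self._device_id, self._user, resource, now)  # 101, 102
        if ticket is None:
            return None
        conn_id = self._gateway.establish_connection(ticket, now)  # 103
        return None if conn_id is None else self._gateway.forward(conn_id, resource)

def demo() -> dict:
    """Constructed scenario: a registered terminal, an unregistered one and a forged ticket."""
    acd = AccessControlDevice(b"constructed-demo-secret")
    gateway = GatewayDevice(acd)
    acd.register("dev-001", "alice")
    now = 1_700_000_000.0
    alice = GatewayProxy(acd, gateway, "dev-001", "alice")
    stranger = GatewayProxy(acd, gateway, "dev-999", "mallory")
    wiki_ticket = acd.issue_ticket("dev-001", "alice", "wiki.intranet", now)
    wiki_conn = gateway.establish_connection(wiki_ticket, now)
    return {
        "registered": alice.access("git.intranet/repo", now),
        "unregistered": stranger.access("git.intranet/repo", now),
        "forged": gateway.establish_connection("00ff.deadbeef", now),
        "expired": gateway.establish_connection(wiki_ticket, now + TICKET_TTL_SECONDS + 1),
        "wrong_resource": gateway.forward(wiki_conn, "hr.intranet"),
        "forwarded": list(gateway.forwarded),
    }
```

Only the request from the registered terminal reaches the resource server; a missing, forged, expired or wrongly-scoped ticket is stopped at the gateway.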
An embodiment of the invention further provides a resource access apparatus, applicable to a terminal, which comprises:
a ticket request unit for sending an access ticket acquisition request to a network access client when a resource needs to be accessed;
a ticket receiving unit for receiving an access ticket returned by the network access client, the access ticket having been acquired by the network access client from an access control device on the basis of the access ticket acquisition request;
a connection unit for sending a connection establishment request to a gateway device of the network, the connection establishment request carrying the access ticket;
and an access unit for sending a resource access request to the gateway device over the connection when the connection is successfully established, so that the gateway device can forward the resource access request to a resource server in the network.
An embodiment of the invention further provides a resource access apparatus, applicable to a gateway device, which comprises:
a receiving unit for receiving a connection establishment request sent by a terminal, the connection establishment request carrying an access ticket;
a verification unit for sending a verification request carrying the access ticket to an access control device so that the access control device can verify the access ticket;
a connection unit for establishing a connection with the terminal according to the connection establishment request when the access ticket passes verification;
and a forwarding unit for receiving a resource access request sent by the terminal over the established connection and forwarding it to a resource server.
An embodiment of the invention further provides a resource access apparatus, applicable to an access control device, which comprises:
a receiving unit for receiving a ticket application request sent by a terminal;
an information acquisition unit for acquiring request legality evaluation information according to the ticket application request;
a determining unit for determining, according to the request legality evaluation information, whether the current ticket application request is legal;
a ticket sending unit for sending an access ticket to the terminal when the determining unit determines that the current ticket application request is legal;
a second receiving unit for receiving a verification request sent by a gateway device, the verification request carrying the access ticket;
and a ticket verification unit for verifying the access ticket and sending the ticket verification result to the gateway device.
An embodiment of the invention further provides a storage medium storing a plurality of instructions that are suitable for being loaded by a processor to execute any step of the resource access method applicable to a terminal provided by the embodiments of the invention.
An embodiment of the invention further provides another storage medium storing a plurality of instructions that are suitable for being loaded by a processor to execute any step of the resource access method applicable to a gateway device provided by the embodiments of the invention.
An embodiment of the invention further provides another storage medium storing a plurality of instructions that are suitable for being loaded by a processor to execute any step of the resource access method applicable to an access control device provided by the embodiments of the invention.
An embodiment of the invention further provides a terminal comprising a processor and a memory, the memory storing a plurality of instructions and the processor loading the instructions to execute the steps of any resource access method applicable to a terminal provided by the embodiments of the invention.
An embodiment of the invention further provides a gateway device comprising a processor and a memory, the memory storing a plurality of instructions and the processor loading the instructions to execute the steps of any resource access method applicable to a gateway device provided by the embodiments of the invention.
An embodiment of the invention further provides an access control device comprising a processor and a memory, the memory storing a plurality of instructions and the processor loading the instructions to execute the steps of any resource access method applicable to an access control device provided by the embodiments of the invention.
In the embodiments of the invention, when a resource needs to be accessed, an access ticket acquisition request is sent to the network access client; the access ticket returned by the network access client is received, the access ticket having been acquired by the network access client from the access control device on the basis of the access ticket acquisition request; a connection establishment request carrying the access ticket is sent to a gateway device of the network; and when the connection is successfully established, a resource access request is sent to the gateway device over the connection so that the gateway device forwards it to a resource server in the network. With this scheme all resource access requests are proxied through the gateway device, and access to the network is controlled by issuing access tickets to legitimate terminals only, so the terminal cannot access intranet resources directly and only a trusted process is allowed to access them. Therefore, even if a user terminal is compromised by a hacker, the hacker's tools on the terminal cannot reach the sensitive resources, and resource security is greatly improved.
Drawings
In order to illustrate the technical solutions in the embodiments of the invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below show only some embodiments of the invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1a is a schematic structural diagram of a network system according to an embodiment of the invention;
Fig. 1b is a flowchart of a resource access method according to an embodiment of the invention;
Fig. 1c is a schematic structural diagram of a resource access system according to an embodiment of the invention;
Fig. 1d is a schematic diagram of an NGN client interface according to an embodiment of the invention;
Fig. 2 is another schematic flowchart of a resource access method according to an embodiment of the invention;
Fig. 3a is another schematic flowchart of a resource access method according to an embodiment of the invention;
Fig. 3b is another schematic flowchart of a resource access method according to an embodiment of the invention;
Fig. 3c is another schematic structural diagram of a resource access system according to an embodiment of the invention;
Fig. 4a is a schematic diagram of a first structure of a resource access apparatus according to an embodiment of the invention;
Fig. 4b is a schematic diagram of a second structure of a resource access apparatus according to an embodiment of the invention;
Fig. 4c is a schematic structural diagram of a resource access apparatus according to an embodiment of the invention;
Fig. 5a is a schematic diagram of a fourth structure of a resource access apparatus according to an embodiment of the invention;
Fig. 5b is a schematic structural diagram of a resource access apparatus according to an embodiment of the invention;
Fig. 6a is a schematic diagram of a sixth structure of a resource access apparatus according to an embodiment of the invention;
Fig. 6b is a schematic diagram of a seventh structure of a resource access apparatus according to an embodiment of the invention;
Fig. 6c is a schematic diagram of an eighth structure of a resource access apparatus according to an embodiment of the invention;
Fig. 6d is a schematic diagram of a ninth structure of a resource access apparatus according to an embodiment of the invention;
Fig. 7 is a schematic structural diagram of a terminal according to an embodiment of the invention;
Fig. 8 is a schematic structural diagram of a network device according to an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments that a person skilled in the art can obtain from them without inventive step fall within the scope of protection of the invention.
The embodiments of the invention provide a resource access method, a resource access apparatus, a terminal and a storage medium.
An embodiment of the invention provides a network system that includes any of the resource access apparatuses applicable to a terminal (referred to as the first resource access apparatus) and the resource access apparatus applicable to an access control device (referred to as the second resource access apparatus). The first resource access apparatus may be integrated in the terminal, which may be a mobile phone, a tablet computer or another device; the second resource access apparatus may be integrated in an access control device such as a server. The system may also include other devices, such as gateway devices.
Referring to Fig. 1a, an embodiment of the invention provides a network system including a terminal 10, a gateway device 20, an access control device 30 and a resource server 40. The terminal 10 may be connected to the gateway device 20 and the access control device 30 via a network, and the resource server 40 is connected to the gateway device 20 via a network.
The terminal 10 is provided with a network access client. When the terminal 10 needs to access a resource, for example when it receives a resource access request, it sends an access ticket acquisition request to the network access client and receives the access ticket returned by the network access client, the access ticket having been acquired by the network access client from the access control device 30 on the basis of the access ticket acquisition request; the terminal 10 then sends a connection establishment request carrying the access ticket to the gateway device 20 of the network, and when the connection is successfully established, sends a resource access request to the gateway device 20 over the connection so that the gateway device 20 forwards it to the resource server 40 in the network.
In addition, the terminal 10 may detect its own security status in real time through the network access client to obtain security status information and transmit that information to the access control device 30 through the network access client, so that the access control device 30 can determine from it whether the security status of the terminal 10 is abnormal; when the access control device 30 determines that the security status of the terminal 10 is abnormal, it sends a connection interruption instruction to the gateway device 20, and the gateway device 20 interrupts all connections with the terminal 10 according to that instruction.
The example of Fig. 1a is only one system architecture for implementing the embodiments of the invention; the embodiments are not limited to this architecture, and the various embodiments below are proposed on the basis of it.
These are described in detail below.
In this embodiment the resource access method is described from the perspective of a resource access apparatus, which may be integrated in a terminal such as a mobile phone, a notebook computer or a tablet computer.
In an embodiment, a resource access method is provided that may be executed by a processor of a terminal. As shown in Fig. 1b, the flow of the resource access method may be as follows:
101. When a resource needs to be accessed, send an access ticket acquisition request to the network access client.
In an embodiment, the access ticket acquisition request may be sent to the network access client upon receiving a resource access request (at which point it can be determined that a resource needs to be accessed).
The resource access request may be triggered by an application on the terminal, for example a browser: when the user operates the browser, a corresponding resource access request, such as a code access request or an office resource access request, may be triggered. For example, the access ticket acquisition request may be sent to the network access client when a resource access request sent by the application process is received.
The access ticket acquisition request may carry service resource information, such as information about the resource that needs to be accessed.
The resource access method provided by the embodiment of the invention may be implemented by a gateway proxy process or module in the terminal (that is, a local gateway proxy process or module). For example, when a gateway proxy process such as smartgateway agent (smart gateway proxy) receives a resource access request, it may request an access ticket from the network access client, specifically by sending an access ticket acquisition request to the network access client.
For example, referring to Fig. 1c, when the gateway proxy process on the terminal receives a resource access request triggered by a browser, it may request an access ticket from a network access client such as an NGN (Next Generation Network) client, specifically by sending an access ticket acquisition request to the network access client.
In an embodiment, before accessing a resource the terminal may also register with the access control device, so that the current terminal is bound to the user identity information and the device is standardized, which improves the security of resource access. For example, before a resource needs to be accessed, the method provided by the embodiment of the invention may further include:
sending a device registration request to the access control device, the device registration request carrying user identity information and device identification information of the terminal;
and, when registration succeeds, performing device standardization processing on the terminal through the network access client.
The user identity information may include an account and a password, for example the login account and password of the network access client.
The device standardization processing may include standardization of applications, firmware, the system and various interfaces, among other things; the specific standardization processing may be set according to actual requirements.
Referring to Fig. 1c, the terminal first registers with the access control device; after registration passes, device standardization processing may be performed through the network access client, and resource access may then be carried out through the gateway proxy process. For example, on receiving a device registration request the access control device may parse it to obtain the user identity information and device information of the terminal, then verify the user identity information and, if verification passes, bind the user identity information to the device identifier to complete device registration. The access control device may, for example, authenticate the user account through an account authentication system.
In practice, device registration may take place while the user logs in to the network access client, the device registration request being the login request. For example, when a new employee of an enterprise needs to access a resource, the employee first opens the network access client installed on the terminal and enters a user account and password to log in; that is, the terminal sends a login request to the access control device, the access control device verifies the user account and password carried in the request and, if verification passes, returns login success information, and the terminal enters the network access client, as shown in Fig. 1d. When verification passes, the access control device may bind the device identifier of the current terminal (e.g. a device ID) to the user identity information (e.g. the user name) and store the bound pair in a device list, that is, a device baseline.
In an embodiment, the terminal may also run and log in to the network access client automatically, for example logging in on the basis of stored user identity information when the terminal is powered on. Specifically, the step "sending a device registration request to the access control device" may include:
when the terminal starts, running the network access client in the background;
detecting whether the historical user identity information in the storage unit corresponding to the network access client is invalid;
if it is not invalid, extracting the historical user identity information from the storage unit;
and automatically sending a device registration request to the access control device according to the historical user identity information.
For example, when the user starts the terminal, the terminal automatically runs the NGN client in the background and checks whether the user identity information stored in the cache unit of the NGN client (identity information previously used to log in to the NGN client) is invalid. If it is not, a login request carrying the device identification information of the terminal and the stored user identity information may be sent to the access control device; the access control device verifies the user identity information, allows the login if verification passes, and binds the device information to the user identity information.
In an embodiment, when the historical user identity information is invalid, the user identity information entered by the user may be acquired instead, and a device registration request carrying the current device identification information of the terminal and the entered user identity information is sent to the access control device.
For example, when the user starts the terminal, the terminal automatically runs the NGN client in the background and checks whether the user identity information stored in the cache unit of the NGN client (identity information previously used to log in to the NGN client) is invalid. If it is invalid, the login interface of the NGN client is displayed, the user identity information is acquired from the user's input on the login interface, and a login request carrying the device information of the terminal and the entered user identity information is sent to the access control device; the access control device verifies the user identity information, allows the login if verification passes, and binds the device identification information to the user identity information.
102. Receive the access ticket returned by the network access client, the access ticket having been acquired by the network access client from the access control device on the basis of the access ticket acquisition request.
The access ticket may be authentication information that needs to be used for accessing the resource, for example, the authentication information may be information such as a password.
When the network access client receives the access ticket acquiring request, the network access client can apply for an access ticket for resource access from the access control equipment. For example, the network access client may send an access ticket application request to the access control device, and the access control device may issue or send a corresponding access ticket to the network access client according to the access ticket application request.
And when the network access client receives the access ticket issued by the access control equipment, the access ticket can be returned to the gateway proxy process.
Referring to fig. 1c, when a network access client, such as an NGN client, receives an access ticket acquisition request sent by a gateway proxy process, it may apply for a resource access ticket to an access control device. For example, a network access client, such as an NGN client, may apply for a request to an access control device access ticket; the access control device can issue or send a corresponding access ticket to the network access client according to the access ticket application request.
In an embodiment, the access control device may obtain the request legal evaluation information according to the access ticket application request, then determine whether the current resource access request is legal according to the request legal evaluation information, and if the current resource access request is legal, send or issue the access ticket to the terminal, such as a network access client.
The request legality evaluation information is reference information used for evaluating or determining whether the ticket application request is legal, and for example, the request legality evaluation information may include: user identity information, device information of the terminal, process information, resource information to be accessed, and the like.
The user identity information may include: the user logs in the account number, the password, the employee number, the position where the user is located, the department and the like. In addition, the user identity information may further include: access right information of a user, access object information, and the like.
The device information may include, among other things, the type of device, binding information of the device to user information, device standardization or initialization information, and so on.
Wherein, the process information may include: the process information of the terminal currently running, the process information of the resource needing to be accessed, such as process identification, process type, security information (such as danger or security level) of the process, and the like.
The resource information to be accessed may include attribute information of the resource currently to be accessed, such as a resource name, a resource address, a resource size, and the like.
In the embodiment of the invention, the request legality evaluation information can be acquired in various ways. For example, the access ticket application request can carry the request legality evaluation information, in which case the access control device can parse the access ticket application request to obtain it.
In one embodiment, the access control device may also request the request legality evaluation information from the terminal, e.g., when the access control device receives an access ticket
103. Sending a connection establishment request to the gateway device of the network, where the connection establishment request carries the access ticket.
The network may be a local area network, i.e. a small-scale computer network such as an enterprise intranet.
The gateway device may be a computer system or device that provides data conversion services among multiple networks. Gateway devices are connectors between different networks, i.e. devices where data is to be "negotiated" from one network to another. The gateway device may be a SmartGate (smart gateway), such as a borderless smart gateway.
In the embodiment of the invention, after the gateway proxy process receives the resource access request and before it establishes the connection, the access ticket can be applied for through the network access client; the connection with the gateway device, for example a TCP (Transmission Control Protocol) connection, is then established based on the applied-for access ticket.
In one embodiment, to improve the security of resource access, an encrypted connection or an encrypted channel may also be established.
After the gateway device receives the connection establishment request sent by the terminal, it may verify or authenticate the access ticket carried in the request, for example by sending the access ticket to the access control device for authentication; if the authentication passes, the gateway device establishes the connection with the terminal.
104. When the connection is successfully established, a resource access request is sent to the gateway device based on the connection so that the gateway device forwards the resource access request to a resource server in the network.
For example, the resource access request of an application process may be forwarded to the gateway device based on the connection. When the gateway proxy process on the terminal receives a resource access request sent by an application process (such as a browser), it may send an access ticket acquisition request to the NGN client; the NGN client acquires an access ticket from the access control device based on that request and returns the access ticket to the gateway proxy process. The gateway proxy process then establishes a connection with the gateway device using the access ticket and, once the connection is successfully established, sends the resource access request to the gateway device through the connection.
For example, referring to fig. 1c, once an encrypted channel or connection is established, the terminal may send a resource access request, such as an office automation (OA) resource access request, to the gateway device over it; after receiving the resource access request, the gateway device may forward it to the corresponding resource server (such as an OA resource server) in the intranet, so that the intranet resource is accessed.
In an embodiment, on the gateway device side, the gateway device may receive a connection establishment request sent by a terminal, where the connection establishment request carries an access ticket; send an authentication request carrying the access ticket to the access control device so that the access control device can authenticate the access ticket; when the access ticket passes the verification, establish the connection with the terminal according to the connection establishment request; and receive a resource access request sent by the terminal over the established connection and forward it to the resource server.
In one embodiment, in order to improve the security of resource access, the resource access request carries the access ticket; in this case the step "forwarding the resource access request to the resource server" may include:
sending an authentication request carrying the access ticket to the access control device so that the access control device can authenticate the access ticket;
and, when the access ticket passes the verification, forwarding the resource access request to the resource server.
In one embodiment, to improve the security of resource access, a validity period may be set for the established connection; the connection may be used to send resource access requests when the connection's validity period has not been reached, and not used to send resource access requests when the connection's validity period has been reached. For example, the step "sending a resource access request to the gateway device based on the connection" may include:
determining whether a validity period of the connection has arrived;
and if not, sending the resource access request to the gateway equipment based on the connection.
In one embodiment, when the validity period of the connection is reached, a new access ticket may be re-requested from the network access client, and then a new connection may be re-established with the gateway device based on the new access ticket, and the resource access request may be forwarded to the gateway device based on the new connection.
In an embodiment, in order to improve the security of the resource, after the connection is established, when the resource is accessed each time, the access ticket needs to be sent for verification, and the gateway device forwards the resource access request to the corresponding resource server only when the verification is passed.
For example, the resource access request may also carry the access ticket and service information; after receiving the resource access request, the gateway device sends the access ticket to the access control device for verification, and if the verification passes, forwards the resource access request to the corresponding resource server according to the service information.
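The exchange of steps 103 and 104, together with the connection validity period and per-request ticket verification embodiments above, as an added example that is not code from the patent. The access ticket is modelled as a JSON body plus an HMAC-SHA256 tag under a key held only by the access control device, so that both "issued by itself" and "validity period reached" can be decided when the gateway device sends its authentication request; the patent specifies no ticket format, and this format, the 600-second lifetime, the class and function names, the stand-in resource server handler and the lambda standing in for the NGN client are all assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets


class AccessControlDevice:
    """Issues access tickets and verifies them when the gateway device asks (steps 204 / 206)."""

    def __init__(self, key: bytes, ticket_lifetime: int):
        self._key = key                        # assumed: a MAC key held only by this device
        self._ticket_lifetime = ticket_lifetime

    def _mac(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue_ticket(self, user, device_id, process, service, now) -> dict:
        # Legality evaluation of the application (step 203) is assumed to have passed already.
        body = {"tid": secrets.token_hex(8), "user": user, "device": device_id,
                "process": process, "service": service, "exp": now + self._ticket_lifetime}
        return {"body": body, "mac": self._mac(body)}

    def verify_ticket(self, ticket: dict, now: int) -> bool:
        # "issued by itself": only the key holder can produce a matching MAC over the body
        if not hmac.compare_digest(self._mac(ticket["body"]), ticket.get("mac", "")):
            return False
        return now < ticket["body"]["exp"]     # validity period not yet reached


class GatewayDevice:
    """Proxies every resource access request; no connection without a verified ticket."""

    def __init__(self, acd: AccessControlDevice, resource_servers: dict):
        self._acd = acd
        self._servers = resource_servers       # service name -> handler standing in for a server
        self.connections = {}                  # conn_id -> {"terminal": ..., "exp": ...}

    def handle_connect(self, terminal_id, ticket, now):
        if not self._acd.verify_ticket(ticket, now):
            return None                        # verification failed: connection refused
        conn_id = secrets.token_hex(4)
        exp = ticket["body"]["exp"]            # the connection's validity period follows the ticket
        self.connections[conn_id] = {"terminal": terminal_id, "exp": exp}
        return conn_id, exp

    def handle_request(self, conn_id, request, now) -> str:
        conn = self.connections.get(conn_id)
        if conn is None or now >= conn["exp"]:
            return "REJECT: no valid connection"
        ticket, service = request["ticket"], request["service"]
        # per-request check: the request carries the ticket and the service information
        if not self._acd.verify_ticket(ticket, now) or ticket["body"]["service"] != service:
            return "REJECT: ticket"
        server = self._servers.get(service)
        return "REJECT: unknown service" if server is None else server(request["path"])


class GatewayProxyProcess:
    """Terminal side: gets a ticket through the network access client, then uses the gateway."""

    def __init__(self, terminal_id, apply_ticket, gateway: GatewayDevice):
        self.terminal_id = terminal_id
        self.apply_ticket = apply_ticket       # the network access client's ticket application
        self.gateway = gateway
        self.conn = None                       # (conn_id, exp) of the current connection
        self.ticket = None

    def access(self, process, service, path, now) -> str:
        if self.conn is None or now >= self.conn[1]:
            # no connection yet, or its validity period has arrived: new ticket, new connection
            self.ticket = self.apply_ticket(process, service, now)
            self.conn = self.gateway.handle_connect(self.terminal_id, self.ticket, now)
            if self.conn is None:
                return "REJECT: connection refused"
        req = {"ticket": self.ticket, "service": service, "path": path}
        return self.gateway.handle_request(self.conn[0], req, now)


def run_scenario() -> list:
    """Constructed walk-through with a fixed clock (seconds); returns each outcome in order."""
    acd = AccessControlDevice(key=b"\x01" * 32, ticket_lifetime=600)
    gw = GatewayDevice(acd, {"OA": lambda path: "OA served " + path})
    # stands in for the NGN client forwarding the application to the access control device
    nac = lambda process, service, now: acd.issue_ticket("alice", "dev-1", process, service, now)
    proxy = GatewayProxyProcess("term-1", nac, gw)
    out = [proxy.access("browser.exe", "OA", "/index", now=1000),   # ticket + connection
           proxy.access("browser.exe", "OA", "/doc/1", now=1100)]   # same connection reused
    first_conn = proxy.conn[0]
    out.append(proxy.access("browser.exe", "OA", "/doc/2", now=1700))  # expired: re-applied
    out.append(proxy.conn[0] != first_conn)
    # a ticket altered after issue (service swapped) fails the gateway's verification
    forged = {"body": dict(proxy.ticket["body"], service="HR"), "mac": proxy.ticket["mac"]}
    out.append(gw.handle_connect("term-1", forged, now=1700))
    return out
```

Tying the connection's validity period to the ticket's `exp` keeps the two embodiments consistent: the gateway never holds a live connection for a ticket it would reject on a per-request check, and when the period arrives the proxy process re-applies through the network access client, which is the recovery path the text describes.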
In an embodiment, in order to improve the security of the resource, the network access client may further monitor the security state of the terminal in real time, and send the security state information to the access control device, so that the access control device determines whether the security state of the terminal is abnormal based on the security state information. For example, the method provided by the embodiment of the present invention may further include:
detecting the security state of the terminal in real time through the network access client to obtain security state information;
and sending the security state information to the access control device through the network access client, so that the access control device can determine whether the security state of the terminal is abnormal according to the security state information.
For example, referring to fig. 1c, the security status information of the terminal may be detected in real time by a network access client, such as an NGN client, and then reported to the access control device in real time or periodically.
Wherein the security status information may include: heartbeat data, security data (such as data of trojans, patches, system logs, and the like), process information (such as process identification, security level, and the like), device information (such as device standardization information, device binding information, and the like), interface information (such as security information of API interfaces, interface call information, and the like), resource access log information, and the like.
The access control device can determine the security state of the terminal in real time according to the received security state information, and when the security state of the terminal is found to be abnormal, it can instruct the gateway device to interrupt all connections with the terminal, so as to improve the security of resource access.
For example, in an embodiment, when the access control device determines from the security state information that the security state of the terminal is abnormal, it may send a connection interruption instruction to the gateway device; the gateway device receives the connection interruption instruction and interrupts all connections with the terminal accordingly.
As can be seen from the above, in the embodiment of the present invention, when a resource needs to be accessed, an access ticket acquisition request is sent to the network access client; the access ticket returned by the network access client is received, the access ticket having been acquired by the network access client from the access control device based on the access ticket acquisition request; a connection establishment request carrying the access ticket is sent to the gateway device of the network; and when the connection is successfully established, a resource access request is sent to the gateway device over the connection so that the gateway device forwards it to a resource server in the network. Under this scheme all resource access requests are proxied through the gateway device, and only a legitimate terminal holding an issued access ticket can access the network, so the terminal cannot reach intranet resources directly and only a trusted process is allowed to access them. Therefore, even if the user terminal is compromised by an attacker, the attacker's tooling on the terminal cannot reach the sensitive resources, and resource security is greatly improved.
In addition, the embodiment of the invention can also report the security state information to the access control device in real time; the access control device determines the security state of the terminal in real time and, if an abnormality is found, instructs the gateway device to interrupt all connections with the terminal, further improving resource security.
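The real-time monitoring and connection interruption described above, as an added example that is not the patent's own code. The access control device side consumes the security state reports the network access client sends, applies a few rules over the report fields the text lists (trojans, patches, process security level, device binding, heartbeat), and issues the connection interruption instruction to the gateway device, which drops every connection of that terminal. The report layout, the 30-second heartbeat timeout, the rules themselves, the class names and all sample data are assumptions of this example.

```python
HEARTBEAT_TIMEOUT = 30   # assumed: seconds without a heartbeat after which the terminal is abnormal


class GatewayDevice:
    """Gateway side, reduced to what the interruption instruction needs: the live connections."""

    def __init__(self, connections: dict):
        self.connections = dict(connections)          # conn_id -> terminal_id (constructed)

    def interrupt_all(self, terminal_id: str) -> list:
        """Handle a connection interruption instruction: drop every connection of the terminal."""
        dropped = sorted(c for c, t in self.connections.items() if t == terminal_id)
        for c in dropped:
            del self.connections[c]
        return dropped


class SecurityStateMonitor:
    """Access control device side: evaluates reported security state, instructs the gateway."""

    def __init__(self, gateway: GatewayDevice, heartbeat_timeout: int = HEARTBEAT_TIMEOUT):
        self._gw = gateway
        self._timeout = heartbeat_timeout
        self._last_heartbeat = {}                     # terminal_id -> time of its last heartbeat
        self.interrupted = {}                         # terminal_id -> reasons that triggered it

    def _anomalies(self, report: dict) -> list:
        """Assumed rules over the report fields the text lists; a real deployment would take
        them from the security center's own policy."""
        reasons = []
        sec = report.get("security", {})
        if sec.get("trojans"):
            reasons.append("trojan detected: " + ", ".join(sec["trojans"]))
        if sec.get("missing_critical_patches"):
            reasons.append("critical patches missing")
        for proc in report.get("processes", []):
            if proc.get("security_level") == "danger":
                reasons.append("dangerous process: " + proc["id"])
        dev = report.get("device", {})
        if dev.get("bound_user") is not None and dev["bound_user"] != report.get("user"):
            reasons.append("device bound to a different user")
        return reasons

    def _interrupt(self, terminal_id: str, reasons: list) -> None:
        if terminal_id in self.interrupted:
            return                                    # instruction already sent for this terminal
        self.interrupted[terminal_id] = reasons
        self._gw.interrupt_all(terminal_id)           # the connection interruption instruction

    def report(self, terminal_id: str, report: dict, now: int) -> list:
        """Consume one real-time report; returns the anomalies found (empty list = normal)."""
        if report.get("heartbeat"):
            self._last_heartbeat[terminal_id] = now
        reasons = self._anomalies(report)
        if reasons:
            self._interrupt(terminal_id, reasons)
        return reasons

    def check_heartbeats(self, now: int) -> list:
        """Periodic sweep: a terminal whose heartbeat stopped is treated as abnormal."""
        stale = [t for t, last in self._last_heartbeat.items() if now - last > self._timeout]
        for t in stale:
            self._interrupt(t, ["heartbeat stopped"])
        return stale


def run_scenario() -> dict:
    """Constructed reports from three terminals against a constructed connection table."""
    gw = GatewayDevice({"c1": "term-1", "c2": "term-1", "c3": "term-2", "c4": "term-3"})
    mon = SecurityStateMonitor(gw)
    normal = {"user": "alice", "heartbeat": True, "security": {"trojans": []},
              "processes": [{"id": "browser.exe", "security_level": "safe"}],
              "device": {"bound_user": "alice"}}
    out = {"t1_normal": mon.report("term-1", normal, now=0)}
    mon.report("term-2", dict(normal, user="bob", device={"bound_user": "bob"}), now=0)
    mon.report("term-3", dict(normal, user="carol", device={"bound_user": "carol"}), now=0)
    infected = dict(normal, security={"trojans": ["Trojan.Generic"]})
    out["t1_infected"] = mon.report("term-1", infected, now=10)
    out["after_t1"] = dict(gw.connections)
    mon.report("term-3", dict(normal, user="carol", device={"bound_user": "carol"}), now=35)
    out["stale_at_40"] = mon.check_heartbeats(now=40)          # term-2 has been silent since 0
    out["after_sweep"] = dict(gw.connections)
    out["interrupted"] = dict(mon.interrupted)
    return out
```

The heartbeat sweep is what catches a terminal whose network access client has been killed: such a terminal sends no report at all, so only the absence of reports, not their content, can reveal it.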
In the embodiment of the present invention, it will be described in terms of another resource access apparatus, which may be specifically integrated in an access control device, such as a server.
In an embodiment, a resource access method is provided, and the method may be executed by a processor of an access control device, as shown in fig. 2, and a specific flow of the resource access method may be as follows:
201. Receiving a ticket application request sent by the terminal.
The ticket application request may be sent by the network access client of the terminal; for example, when the network access client receives an access ticket acquisition request sent by the gateway proxy process, it sends a ticket application request to the access control device.
202. Acquiring the request legality evaluation information according to the ticket application request.
The request legality evaluation information is reference information used for evaluating or determining whether the resource access request is legal, and may include: user identity information, device information of the terminal, process information, information on the resource to be accessed, and the like.
The user identity information may include the user's login account, password, employee number, position, department, and the like. In addition, the user identity information may further include access right information of the user, access object information, and the like.
The device information may include, among other things, the type of device, binding information of the device to user information, device standardization or initialization information, and so on.
The process information may include information on the processes currently running on the terminal and on the process that needs to access the resource, such as the process identifier, the process type, security information of the process (such as a danger or security level), and the like.
The resource information to be accessed may include attribute information of the resource currently to be accessed, such as a resource name, a resource address, a resource size, and the like.
In the embodiment of the invention, the terminal can actively send the information to the access control device: for example, the ticket application request can carry the request legality evaluation information, in which case the access control device parses it out of the ticket application request.
In an embodiment, the access control device may instead fetch the request legality evaluation information from the terminal when it receives the ticket application request.
203. Determining whether the current ticket application request is legal according to the request legality evaluation information; if so, executing step 204, and if not, refusing to issue an access ticket.
In an embodiment, the access control device may sequentially perform terminal security judgment, request-process legality judgment, user identity authentication, authority verification, and the like, to determine whether the current ticket application request is legal.
For example, when the request legality evaluation information includes process information, information on the resource to be accessed, device information and user identity information, the step of determining whether the current ticket application request is legal according to the request legality evaluation information may include:
determining whether the terminal is secure according to the request legality evaluation information;
if the terminal is secure, determining whether the process currently accessing the resource is legal according to the process information;
if the process is legal, verifying the identity of the current requesting user according to the user identity information;
if the identity verification passes, checking the resource access authority of the current requesting user;
and if the authority check passes, determining that the current ticket application request is legal.
In an embodiment, a security level of the terminal may be obtained according to the request legality evaluation information, and the terminal is determined to be secure when the security level is greater than a preset level.
In an embodiment, in order to improve the security of resource access, whether the request is legal may be determined by also taking into account the heartbeat condition of the terminal and the resource access behaviour of the user, which improves the accuracy of the legality judgment. For example, the resource access method according to the embodiment of the present invention may further include:
acquiring the resource access log of the requesting user sent by the terminal and the heartbeat data sent by the terminal;
in this case, the step of "determining whether the terminal is secure according to the request legality evaluation information" may include:
determining whether the heartbeat of the terminal is abnormal according to the heartbeat data, to obtain a heartbeat anomaly result;
performing anomaly analysis on the resource access behaviour of the requesting user according to the resource access log, to obtain a behaviour anomaly analysis result;
acquiring the security level of the terminal according to the heartbeat anomaly result, the behaviour anomaly analysis result and the request legality evaluation information;
and determining that the terminal is secure when the security level is greater than the preset level.
The heartbeat data can be reported by the terminal in real time or at regular time, for example, when the terminal device is successfully registered and the device standardization is completed, the heartbeat data can be reported to the access control device in real time.
The resource access log of the requesting user can be acquired from the log storage system or the terminal, and the specific acquisition mode is set according to actual requirements, for example, the terminal can also report the resource access log in real time after the device is successfully registered.
For example, in some scenarios the terminal's heartbeat data stops arriving (i.e. the heartbeat is abnormal) yet the access control device still receives a ticket request; the resource access can then be considered risky, the request is determined to be illegal, and no access ticket is issued, so that the resource access is prohibited.
For another example, in some scenarios the access control device finds from the access log analysis that the requesting user is accessing resources from different locations at the same time; the current resource access is then considered risky, the request is determined to be illegal, and no access ticket is issued, so that the resource access is prohibited.
In one embodiment, in order to improve the security of resource access, an access ticket may be issued only for the registered device; since the registered devices are all in the device list, it is determined whether the current resource access is secure based on whether there is a device bound to the user in the device list. Specifically, the method in the embodiment of the present invention may further include:
acquiring a device list, where the device list contains device identification information and user identity information bound to each other;
determining whether the device list contains device identification information bound to the user identity information of the requesting user, to obtain a device determination result;
in this case, the step "acquiring the security level of the terminal according to the heartbeat anomaly result, the behaviour anomaly analysis result and the request legality evaluation information" may include:
acquiring the security level of the terminal according to the device determination result, the heartbeat anomaly result, the behaviour anomaly analysis result and the request legality evaluation information.
For example, in some scenarios, when determining whether a terminal is secure it is further necessary to consider whether the current terminal has already completed device registration: if it has, the device identification information of the terminal and the bound user identity information will normally be present in the device list. If no device identification information bound to the identity information of the requesting user exists in the device list, the resource access is considered risky, the security level of the terminal can be reduced, the request is determined to be illegal, and no access ticket is issued, so that the resource access is prohibited.
In one embodiment, in order to improve the security of resource access, when determining whether an access ticket may legally be issued for a request, the access control device needs to check the resource access authority of the current requesting user; if the authority check fails, no access ticket is issued and the resource access is prohibited. Specifically, the step "checking the resource access authority of the current requesting user" may include:
acquiring attribute information of a current requesting user in a preset organization framework and preset authority information of resources to be accessed;
and verifying the resource access authority of the current request user according to the attribute information and the preset authority information.
The preset organization architecture can be the most basic structure of enterprise process operation, department setting, function planning and the like.
Wherein, the attribute information of the user in the organization structure may include: department where the user is located, job title where the user is located, and the like.
In an embodiment, the authority information of the resource to be accessed by the requesting user can be acquired according to the attribute information of the requesting user in the preset organization structure, the authority information is matched with the preset authority information, if the matching is successful, it is determined that the resource access authority of the current requesting user passes the verification, otherwise, the resource access authority of the current requesting user does not pass the verification.
In an embodiment, in order to improve flexibility of resource access, an access control policy of a resource to be accessed (for example, which employees can access the resource is specified) may be configured in advance, and at this time, when the right is checked, the resource access right of the current requesting user may also be checked according to the user identity information of the current requesting user and the access control policy. For example, when the identity information of the requesting user is the identity information specified by the access control policy, it may be determined that the authorization check is passed, otherwise, it is not passed.
In an embodiment, when the access control device obtains the user identity information, the access control device may store the user identity information in a cache, and set a certain validity period; when the user identity is verified, if the user identity information in the cache is valid, the identity is directly verified according to the cached user identity information; if the user identity in the cache is invalid, the user identity information of the requesting user needs to be obtained again, for example, the requesting user is required to input a user account password again on the terminal side.
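The evaluation sequence of step 203 above (terminal security from the heartbeat result, behaviour analysis and device determination, then process legality, then user identity, then authority), including the organisation-structure and policy based authority check and the cached user identity with a validity period, as an added example that is not the patent's own code. The account store, PBKDF2 password hashing, the 0 to 5 security-level scale with its preset level of 2, the timeouts, the rule that two locations within 600 seconds count as "at the same time", and all sample data are assumptions made for this example; device registration (login with account, password and device identifier) is included only because the device list it builds is what the device determination step consults.

```python
import hashlib
import secrets

PRESET_LEVEL = 2            # assumed threshold: the terminal is secure only above this level
HEARTBEAT_TIMEOUT = 30      # assumed: seconds without a heartbeat that count as abnormal
LOCATION_WINDOW = 600       # assumed: two locations this close in time count as "at the same time"
IDENTITY_CACHE_TTL = 3600   # assumed validity period of the cached user identity

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccessControlEngine:
    def __init__(self, accounts, trusted_processes, resource_permissions, policies):
        self.accounts = accounts                    # user -> salt, password hash, org attributes
        self.trusted_processes = set(trusted_processes)
        self.resource_permissions = resource_permissions  # resource -> preset authority info
        self.policies = policies                    # resource -> users an access control policy names
        self.device_list = {}                       # user -> bound device ids (the device baseline)
        self.heartbeats = {}                        # device id -> time of its last heartbeat
        self.access_log = []                        # (user, location, time) reported by terminals
        self.identity_cache = {}                    # user -> expiry time of the cached identity

    def _password_ok(self, user, password):
        acct = self.accounts.get(user)
        return acct is not None and secrets.compare_digest(
            hash_password(password, acct["salt"]), acct["hash"])

    def register_device(self, user, password, device_id, now):
        # login doubles as device registration: verify the account, then bind the device
        if not self._password_ok(user, password):
            return False
        self.device_list.setdefault(user, set()).add(device_id)
        self.identity_cache[user] = now + IDENTITY_CACHE_TTL
        return True

    def terminal_security_level(self, user, device_id, now):
        # heartbeat result, behaviour analysis result and device determination result
        last = self.heartbeats.get(device_id)
        places = {loc for u, loc, t in self.access_log if u == user and now - t <= LOCATION_WINDOW}
        anomalies = [("heartbeat abnormal", last is None or now - last > HEARTBEAT_TIMEOUT),
                     ("access from different locations at the same time", len(places) > 1),
                     ("device not bound to the user", device_id not in self.device_list.get(user, ()))]
        reasons = [name for name, hit in anomalies if hit]
        return 5 - 3 * len(reasons), reasons        # assumed scale 0..5; each anomaly costs 3

    def _identity_ok(self, req, now):
        exp = self.identity_cache.get(req["user"])
        if exp is not None and now < exp:
            return True                             # cached identity still within its validity period
        if "password" in req and self._password_ok(req["user"], req["password"]):
            self.identity_cache[req["user"]] = now + IDENTITY_CACHE_TTL
            return True
        return False                                # the user has to enter the account password again

    def _authority_ok(self, user, resource):
        if user in self.policies.get(resource, ()): # an explicit access control policy
            return True
        perm, attrs = self.resource_permissions.get(resource), self.accounts[user]["attrs"]
        return perm is not None and (attrs["department"] in perm["departments"]
                                     or attrs["title"] in perm["titles"])

    def evaluate(self, req, now):
        # step 203 in order: terminal security, process legality, user identity, authority
        level, reasons = self.terminal_security_level(req["user"], req["device"], now)
        if level <= PRESET_LEVEL:
            return False, "terminal not secure: " + "; ".join(reasons)
        if req["process"] not in self.trusted_processes:
            return False, "process not trusted: " + req["process"]
        if not self._identity_ok(req, now):
            return False, "identity verification failed"
        if not self._authority_ok(req["user"], req["resource"]):
            return False, "no authority for resource " + req["resource"]
        return True, "legal"

def build_engine():
    salt = b"\x02" * 16                             # constructed account and permission data
    accounts = {"alice": {"salt": salt, "hash": hash_password("correct horse", salt),
                          "attrs": {"department": "R&D", "title": "engineer"}}}
    perms = {"OA": {"departments": {"R&D", "Finance"}, "titles": set()},
             "HR": {"departments": {"HR"}, "titles": {"director"}}}
    return AccessControlEngine(accounts, ["browser.exe"], perms, {"Payroll": {"alice"}})

def run_scenario():
    eng = build_engine()
    base = {"user": "alice", "device": "dev-1", "process": "browser.exe", "resource": "OA"}
    out = [eng.register_device("alice", "wrong password", "dev-1", now=0),
           eng.register_device("alice", "correct horse", "dev-1", now=0)]
    eng.heartbeats["dev-1"] = 100
    out += [eng.evaluate(base, now=110),                               # every check passes
            eng.evaluate(dict(base, process="mimikatz.exe"), now=110), # untrusted process
            eng.evaluate(dict(base, device="dev-9"), now=110),         # unregistered device
            eng.evaluate(base, now=200),                               # heartbeat stopped at 100
            eng.evaluate(dict(base, resource="HR"), now=110),          # no authority
            eng.evaluate(dict(base, resource="Payroll"), now=110)]     # named by a policy
    eng.heartbeats["dev-1"] = 300
    eng.access_log += [("alice", "Beijing", 290), ("alice", "Shenzhen", 295)]
    out.append(eng.evaluate(base, now=300))                            # two locations at once
    eng.heartbeats["dev-1"] = 5000                                     # cached identity expired
    out += [eng.evaluate(base, now=5000), eng.evaluate(dict(base, password="correct horse"), now=5000)]
    return out
```

The checks run in the order the text gives them, and each failure returns a reason rather than just "illegal", so the first condition that blocks a ticket is visible in the decision; an unregistered device therefore trips both the device determination and, since no heartbeat was ever recorded for it, the heartbeat check.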
204. Sending the access ticket to the terminal.
In the manner described above, the access control device can determine whether the current ticket application request is legal. When the request is determined to be legal, the access control device may obtain an access ticket and send it to the network access client of the terminal, such as the NGN client.
205. Receiving an authentication request sent by the gateway device, where the authentication request carries the access ticket.
When the network access client of the terminal receives the access ticket, it returns the access ticket to the gateway proxy process; the gateway proxy process may then establish a connection or channel with the gateway device based on the access ticket, e.g. by sending a connection establishment request to the gateway device. Once the connection is successfully established, the gateway proxy process may send a resource access request to the gateway device over it.
206. Verifying the access ticket and sending the ticket verification result to the gateway device.
When the gateway device receives the connection establishment request, it may parse out the access ticket carried in it and send a verification request carrying the access ticket to the access control device. When the access control device receives the verification request, it verifies the access ticket, for example by checking whether the access ticket is legal (whether its validity period has expired, whether it is an access ticket issued by the access control device itself, and the like).
In an embodiment, the method of the present invention may further include:
receiving a device registration request sent by the terminal, where the device registration request carries the user identity information and the device identification information of the terminal;
verifying the user identity information;
and, if the verification passes, binding the device identification information to the user identity information and updating the device list.
In practical application, device registration can be performed as part of the user logging in to the network access client, the device registration request then being the login request. For example, the terminal may send a login request to the access control device carrying the user identity information (such as the account and password) and the device identification information of the terminal; the access control device verifies the user identity information, for example by checking the login account and password against an account/password system, and if the check passes it allows the login to the network access client, binds the device identification information to the user identity information, updates the device list, and thereby completes both login and device registration.
In one embodiment, in order to further improve the security of resource access, the security state information sent by the terminal can be received in real time and used to determine whether the security state of the terminal is abnormal; if it is abnormal, a connection interruption instruction is sent to the gateway device.
The security state information may include: heartbeat data, security data (such as data on trojans, patches, system logs, and the like), process information (such as process identifier, security level, and the like), device information (such as device standardization information, device binding information, and the like), interface information (such as security information of API interfaces, interface call information, and the like), resource access log information, and the like.
The access control device can determine the security state of the terminal in real time according to the received security state information, and when the security state of the terminal is found to be abnormal, it can instruct the gateway device to interrupt all connections with the terminal, so as to improve the security of resource access.
As can be seen from the above, in the embodiment of the present invention the access control device receives a ticket application request sent by a terminal; acquires the request legality evaluation information according to the ticket application request; determines whether the current ticket application request is legal according to that information; if it is legal, sends the access ticket to the terminal; receives a verification request carrying the access ticket from the gateway device; and verifies the access ticket and sends the ticket verification result to the gateway device. Under this scheme all resource access requests are proxied through the gateway device, and only a legitimate terminal holding an issued access ticket can access the network, so the terminal cannot reach intranet resources directly and only a trusted process is allowed to access them. Therefore, even if the user terminal is compromised by an attacker, the attacker's tooling on the terminal cannot reach the sensitive resources, and resource security is greatly improved.
The method described in the above embodiments is further illustrated in detail by way of example.
In an embodiment, the resource access method of the present invention will be further described by taking as an example the case in which the first resource access device is integrated in the terminal and the second resource access device is integrated in the access control device.
Referring to the resource access system shown in FIG. 1a, the resource access system may include: the system comprises a terminal, a gateway device, an access control device and a resource server.
The terminal is provided with a network access client (such as an NGN client and the like), a gateway proxy process and a browser.
Referring to fig. 3a and 3b, based on the resource access procedure above, the flow is as follows:
301. When receiving the resource access request, the gateway proxy process sends an access ticket acquisition request to the network access client.
For example, in an embodiment, when the gateway proxy process receives a resource access request (at which point it can be determined that the resource needs to be accessed), the gateway proxy process sends an access ticket acquisition request to the network access client.
The access ticket acquisition request may carry the current service information and the like.
Referring to fig. 3c, when the gateway proxy process on the terminal receives a resource access request triggered by the browser, it may request an access ticket from the network access client, such as an NGN (Next Generation Network) client; specifically, it may send an access ticket acquisition request to the network access client.
In an embodiment, before accessing the resource, the terminal may further register with the access control device so as to bind the device identification information of the current terminal with the user identity information, thereby improving the security of resource access. For example, before the resource needs to be accessed, the method provided by the embodiment of the present invention may further send a device registration request to the access control device, where the device registration request carries the user identity information and the device identification information of the terminal; when the device registration succeeds, the terminal may perform device standardization processing through the network access client, such as the NGN client.
The user identity information may include: an account number, a password, such as a login account number, a password, etc. of the network access client.
For example, referring to fig. 3c, the terminal first registers with the access control device, and only once registration has passed can resource access proceed through the gateway proxy process. When the access control device receives a device registration request it may parse the request to obtain the user identity information and the device information of the terminal, then verify the user identity information and, if it passes, bind the user identity information to the device identification information to complete device registration. For example, the access control device may authenticate the user account through an account authentication system.
In practical application, device registration may be performed as part of the user logging in to the network access client, the device registration request then being the login request. For example, when a new employee of the enterprise needs to access a resource, they first open the network access client installed on the terminal and enter a user account and password to log in; that is, the terminal sends the login request to the access control device, the access control device verifies the user account and password carried in the request, and if the verification passes it returns login success information and the terminal enters the network access client, as shown in fig. 1d. When the verification passes, the access control device may bind the device identifier (e.g. device ID) of the current terminal with the user identity information (e.g. user name) and store the pair in the device list, i.e. the device baseline.
In an embodiment, in order to improve the security of the resource, the network access client may further monitor the security state of the terminal in real time, and send the security state information to the access control device, so that the access control device determines whether the security state of the terminal is abnormal based on the security state information.
For example, referring to fig. 3c, the network access client may detect the security status of the terminal in real time to obtain security status information; and sending the safety state information to the access control equipment in real time.
Wherein the security status information may include: heartbeat data, security data (such as data of trojans, patches, system logs, etc.), process information (such as process identification, security level of progress, etc.), device information (such as device standardization information, device binding information, etc.), interface information (such as security information of API interfaces, interface usage information, etc.), and so forth. For example, the network access client may monitor the API through the API monitoring module, and report the monitoring data.
The access control device can determine the security state of the terminal according to the received security state information in real time, and when the security state of the terminal is found to be abnormal, the access control device can inform the gateway device of interrupting all connections with the terminal so as to improve the security of resource access. For example, a connection interruption instruction may be sent to the gateway device, and the gateway device interrupts all connections with the terminal according to the connection interruption instruction, thereby ensuring the security of the resource.
Referring to fig. 3c, the access control device integrates an access control engine, and the operations performed by the access control device in the embodiment of the present invention may be implemented by this engine. The access control engine may include a heartbeat service module, a security center (SOC) module, a security configuration module, a device baseline module, and a user behavior analysis module.
The heartbeat service module provides the heartbeat service: it receives the heartbeat data reported by the terminal in real time and responds to it.
The SOC module stores security data, such as the system logs of the device, resource access logs, process information of the terminal and standardization information, and determines whether the terminal is abnormal from the user's resource access behavior data.
The security configuration module allows technicians to configure security access policies, such as the policy for judging the security state of the terminal abnormal, the policy for issuing access tickets, resource access permissions, the security-level calculation method, and so on.
The user behavior analysis module analyzes the user's resource access behavior from the resource access log (for example, based on the security data in the SOC module) to obtain a behavior analysis result, so that the access control engine can calculate a security level for the terminal from the behavior analysis result, the heartbeat abnormality result, the request legality evaluation information and the like, and thereby determine whether the terminal device is secure.
In an embodiment, the access control device may determine the security state of the terminal from both the security state information reported by the terminal in real time and the security state information obtained from the security system (for example, the SOC module).
In an embodiment, the access control engine may further include a post-audit module, configured to obtain a service access log, such as a cloud disk access log (which may be obtained from the security system), determine from it the path taken by each service access request, and check whether the request was sent through a gateway device; if not, the service access is judged abnormal, the gateway device is notified to interrupt the connection, and a technician is alerted.
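The post-audit check above can be expressed as a small detection routine run over the service access log. The following is an added example, not code from the patent: the log format, the gateway address 10.0.0.5 and the sample records are constructed assumptions, and the rule is simply that any access whose source is not a gateway device bypassed the proxy path and should be flagged.

```python
"""Post-audit: flag service accesses that did not pass through a gateway device.

Added example; the log format, gateway address and records are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed assumption: addresses of the gateway device(s). Because the gateway
# proxies every request, a legitimate service access always originates here.
GATEWAY_ADDRESSES = frozenset({ipaddress.ip_address("10.0.0.5")})

# Constructed sample cloud disk access log (not a real log), one record per line:
#   <timestamp> <source address> <user> <resource> <status>
SAMPLE_LOG = """\
2024-01-01T09:00:01Z 10.0.0.5 alice /clouddisk/finance/q1.xlsx 200
2024-01-01T09:00:07Z 10.0.0.5 bob /clouddisk/hr/roster.csv 200
2024-01-01T09:01:12Z 10.12.3.44 carol /clouddisk/finance/q1.xlsx 200
2024-01-01T09:02:30Z 10.0.0.5 alice /clouddisk/eng/design.pdf 403
this line is deliberately malformed
"""


@dataclass(frozen=True)
class AccessRecord:
    timestamp: str
    source: ipaddress.IPv4Address | ipaddress.IPv6Address
    user: str
    resource: str
    status: int


def parse_log(text: str) -> list[AccessRecord]:
    """Parse the constructed log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            records.append(AccessRecord(parts[0], ipaddress.ip_address(parts[1]),
                                        parts[2], parts[3], int(parts[4])))
        except ValueError:  # unparsable address or status code
            continue
    return records


def find_bypass(records, gateways=GATEWAY_ADDRESSES):
    """Records whose request path did not pass through a gateway device."""
    return [r for r in records if r.source not in gateways]


def post_audit(text: str):
    """Return (user, source address, resource) for every access that bypassed the
    gateway. Each entry names a terminal whose connections should be interrupted
    and a technician alerted, as the post-audit module does."""
    return [(r.user, str(r.source), r.resource) for r in find_bypass(parse_log(text))]


if __name__ == "__main__":
    for finding in post_audit(SAMPLE_LOG):
        print("bypass detected:", finding)
```

On the constructed log only carol's access from 10.12.3.44 is reported; the 403 from the gateway is a normal denial, not a bypass, so it is left to the permission check rather than the post-audit.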
302. The network access client sends a ticket application request to the access control device according to the access ticket acquisition request.
For example, the network access client may obtain the request legality evaluation information according to the access ticket acquisition request, generate a corresponding ticket application request from the request legality evaluation information, and send the ticket application request to the access control device.
303. The access control device obtains the request legality evaluation information according to the ticket application request.
For example, in an embodiment, when the ticket application request carries the request legality evaluation information, the access control device may parse the ticket application request to obtain it.
For another example, in an embodiment, the access control device may obtain the request legality evaluation information from the security system or from the terminal according to the ticket application request. The security system may be located on the access control device or implemented by other devices.
The request legality evaluation information is reference information used to evaluate or determine whether the ticket application request is legal; for example, it may include user identity information, device information of the terminal, process information, information on the resource to be accessed, and the like.
The user identity information may include the user's login account, password, employee number, position, department and the like. It may further include the user's access right information, access object information and the like.
The device information may include the type of device, the binding information between the device and user information, device standardization or initialization information, and so on.
The process information may include information on the processes currently running on the terminal and on the process that needs to access the resource, such as process identifier, process type, and the security information of the process (for example, its danger or security level).
The information on the resource to be accessed may include attribute information of that resource, such as its name, address, size and the like.
304. The access control device determines whether the current ticket application request is legal according to the request legality evaluation information, and if so, executes step 305.
The access control device issues the access ticket when the current ticket application request is determined to be legal, and refuses to issue it when the request is illegal.
In an embodiment, the access control device may perform, in sequence, terminal security judgement, request process legality judgement, user identity authentication, permission verification and the like to determine whether the current ticket application request is legal.
For example, when the request legality evaluation information includes process information, information on the resource to be accessed, device information and user identity information, the access control device first determines from the request legality evaluation information whether the terminal is secure; if it is secure, determines from the process information whether the process currently accessing the resource is legal; if the process is legal, verifies the identity of the current requesting user according to the user identity information; if the verification passes, checks the resource access permission of the current requesting user; and if that check passes, determines that the current ticket application request is legal.
For example, in an embodiment, to improve the security of resource access and the accuracy of the legality judgement, whether the request is legal may be determined by combining the heartbeat condition of the terminal, the device list binding condition and the user's resource access behavior. The access control device may determine from the heartbeat data whether the heartbeat of the terminal is abnormal, obtaining a heartbeat abnormality result; perform anomaly analysis on the requesting user's resource access behavior according to the resource access log, obtaining a behavior anomaly analysis result; determine whether the device list contains device identification information bound to the user identity information of the requesting user, obtaining a device determination result; obtain the security level of the terminal from the device determination result, the heartbeat abnormality result, the behavior anomaly analysis result and the request legality evaluation information; and determine that the terminal is secure when the security level is greater than a preset level.
The heartbeat data may be reported by the terminal in real time or periodically; for example, once the terminal device is successfully registered and device standardization is complete, heartbeat data may be reported to the access control device in real time.
In an embodiment, checking the resource access permission may include: obtaining the attribute information of the current requesting user in a preset organization structure and the preset permission information of the resource to be accessed; and verifying the resource access permission of the current requesting user according to the attribute information and the preset permission information.
The preset organization structure may be the most basic structure of the enterprise's process operation, department setup, function planning and the like.
The attribute information of the user in the organization structure may include the user's department, job title and the like.
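Steps 303 and 304 together form a sequential decision: terminal security (driven by the device list, heartbeat and behavior results), then process legality, then identity, then permission against the organization structure. The following is an added example of that decision in code, not the patent's own implementation: the scoring weights, the preset level of 60, the device list, the organization structure, the trusted process list and the permission table are all constructed assumptions, and the order of checks follows the text.

```python
"""Ticket application legality decision (steps 303-304), added example.

Weights, threshold, device list, org structure and ACL are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class EvaluationInfo:
    """Request legality evaluation information carried by a ticket application request."""
    user: str
    device_id: str
    process_name: str
    process_signed: bool       # constructed proxy for "process security information"
    resource: str
    heartbeat_missed: int      # consecutive missed heartbeats (heartbeat abnormality input)
    behaviour_anomalies: int   # anomalies found in the user's resource access log


# Constructed device baseline: (device identifier, user identity) pairs bound at registration.
DEVICE_LIST = {("dev-001", "alice"), ("dev-002", "bob")}

# Constructed organization structure and preset permission information per resource.
ORG = {"alice": {"dept": "finance", "title": "analyst"},
       "bob": {"dept": "eng", "title": "engineer"}}
RESOURCE_ACL = {"/oa/finance/ledger": {"finance"},
                "/oa/eng/wiki": {"eng", "finance"}}

# Constructed list of processes allowed to touch sensitive resources.
TRUSTED_PROCESSES = {"oa-client", "browser"}
PRESET_LEVEL = 60


def security_level(info: EvaluationInfo) -> int:
    """Combine device determination, heartbeat and behavior results into a 0..100 level."""
    level = 100
    if (info.device_id, info.user) not in DEVICE_LIST:
        level -= 50                                  # device not bound to this user
    level -= min(info.heartbeat_missed, 3) * 10      # heartbeat abnormality
    level -= min(info.behaviour_anomalies, 4) * 10   # behavior anomaly analysis
    return max(level, 0)


def terminal_secure(info: EvaluationInfo) -> bool:
    return security_level(info) > PRESET_LEVEL


def process_legal(info: EvaluationInfo) -> bool:
    return info.process_signed and info.process_name in TRUSTED_PROCESSES


def permission_ok(info: EvaluationInfo) -> bool:
    """Check the user's org attributes against the preset permission of the resource."""
    attrs = ORG.get(info.user)
    return attrs is not None and attrs["dept"] in RESOURCE_ACL.get(info.resource, set())


def request_legal(info: EvaluationInfo, authenticated_users: set):
    """Sequential judgement; returns (legal, name of the first failed check or 'ok')."""
    checks = [
        ("terminal security", lambda: terminal_secure(info)),
        ("process legality", lambda: process_legal(info)),
        ("identity", lambda: info.user in authenticated_users),
        ("permission", lambda: permission_ok(info)),
    ]
    for name, check in checks:
        if not check():
            return False, name
    return True, "ok"
```

Because the checks short-circuit, a request from an unregistered device is refused on terminal security before any identity or permission data is consulted, which is the ordering the text prescribes; the level function is deliberately simple so the threshold comparison in the text is visible.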
305. The access control device sends the access ticket to the network access client.
In the manner described above, the access control device determines whether the current ticket application request is legal. When the request is determined to be legal, the access control device may obtain the access ticket and send it to the network access client of the terminal, such as an NGN client.
306. The network access client returns the access ticket to the gateway proxy process.
307. The gateway proxy process sends a connection establishment request carrying the access ticket to the gateway device of the network.
The network may be a local area network, that is, a small-scale computer network such as an enterprise intranet.
The gateway device may be a computer system or device that provides data conversion services between multiple networks. Gateway devices are connectors between different networks, that is, devices through which data is "negotiated" from one network to another. The gateway device may be a SmartGate (smart gateway), such as a borderless smart gateway.
In the embodiment of the present invention, after the gateway proxy process receives the resource access request and before it establishes the connection, the access ticket is applied for through the network access client, and the connection with the gateway device is then established on the basis of the obtained access ticket, for example a TCP (Transmission Control Protocol) connection.
In an embodiment, to improve the security of resource access, an encrypted connection or encrypted channel may be established instead; that is, the gateway proxy process sends an encrypted channel establishment request to the gateway device.
308. The gateway device sends an authentication request carrying the access ticket to the access control device.
After the gateway device receives the connection establishment request sent by the gateway proxy process, it may verify or authenticate the access ticket carried in the request, for example by sending the access ticket to the access control device for authentication; if the authentication passes, the gateway device establishes a connection with the terminal.
309. The access control device verifies the access ticket and sends the ticket verification result to the gateway device.
The ticket verification result may be verification passed or verification failed.
310. When the ticket verification passes, the gateway device establishes a connection with the terminal.
For example, the gateway device may establish an encrypted channel with the terminal when the ticket passes verification.
311. The gateway proxy process sends a resource access request to the gateway device through the established connection.
312. The gateway device forwards the resource access request to the resource server.
For example, referring to fig. 3c, once an encrypted channel or connection is established, the terminal may send a resource access request, such as an Office Automation (OA) resource access request, to the gateway device over that channel or connection; after receiving it, the gateway device may forward the resource access request to the corresponding resource server in the intranet (such as an OA resource server), so that the intranet resource is accessed.
In an embodiment, to improve resource security, after the connection is established the access ticket must be sent for verification on every resource access, and the gateway device forwards the resource access request to the corresponding resource server only when that verification passes.
For example, the resource access request may also carry the access ticket and service information; after receiving the resource access request, the gateway device sends the access ticket to the access control device for verification and, if the verification passes, forwards the resource access request to the corresponding resource server according to the service information.
With the scheme provided by the embodiment of the present invention, a new employee of an enterprise installs the NGN client, logs in to it to complete device standardization, and can then access network resources; when a resource is accessed, the access control device issues an access ticket based on the security state, and the resource access is carried out through the access ticket.
For an existing employee of the enterprise, each time a terminal such as a computer is started it can automatically run the NGN client, log in to complete device standardization, and then access network resources.
With the scheme provided by the embodiment of the present invention, the terminal cannot directly access intranet resources such as enterprise resources: the terminal must have a network access client such as an NGN client installed, and all user network requests pass through a gateway device such as the NGN smart gateway proxy, which prevents hackers from accessing internal resources with illegal devices. Moreover, only trusted processes are allowed to access sensitive resources, so even if a user's computer is compromised by a hacker, the hacker's tools on that computer cannot reach the sensitive resources.
In addition, in the scheme provided by the embodiment of the present invention, the terminal can also detect the security state of the terminal device in real time and report it to the access control device, and the access control device performs real-time security rating of the access device by merging and analyzing each channel of security state data and dynamically adjusts the device's access permissions, further improving resource access security.
In addition, the scheme provided by the embodiment of the present invention takes 'human + device + process' as its core; compared with the traditional scheme based on 'human + device', protection at process granularity is finer, more accurate and more secure.
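Steps 305 through 312, plus the per-request re-verification and the connection interruption on an abnormal security state, can be modelled end to end. The following is an added example and not the patent's code: the patent does not specify a ticket format, so the ticket here is a constructed HMAC-SHA256 authenticated JSON payload with an expiry, the shared key is constructed, and the resource server is stood in for by a callable. It shows both sides of the exchange: the access control device issuing and verifying tickets, and the gateway device refusing a connection or a forward whenever verification fails.

```python
"""Gateway / access control ticket exchange (steps 305-312), added example.

Ticket format, key and resource server are constructed assumptions.
"""
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import json


class AccessControlDevice:
    """Issues access tickets (step 305) and verifies them for the gateway (step 309)."""

    def __init__(self, key: bytes):
        self._key = key                       # constructed shared key
        self._abnormal_terminals: set[str] = set()

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def issue_ticket(self, terminal_id: str, user: str, service: str,
                     now: int, ttl: int = 300) -> str:
        """Ticket = base64(payload).base64(mac); the payload binds terminal, user,
        service and an expiry so the gateway can enforce the connection validity period."""
        body = {"terminal": terminal_id, "user": user, "service": service, "exp": now + ttl}
        payload = json.dumps(body, sort_keys=True).encode()
        return (base64.urlsafe_b64encode(payload).decode() + "."
                + base64.urlsafe_b64encode(self._mac(payload)).decode())

    def verify_ticket(self, ticket: str, now: int):
        """Return (passed, body). Fails on bad encoding, bad MAC, expiry, or a
        terminal whose security state was reported abnormal."""
        try:
            p, m = ticket.split(".")
            payload = base64.urlsafe_b64decode(p)
            mac = base64.urlsafe_b64decode(m)
        except (ValueError, binascii.Error):
            return False, None
        if not hmac.compare_digest(mac, self._mac(payload)):
            return False, None
        body = json.loads(payload)
        if body["exp"] <= now or body["terminal"] in self._abnormal_terminals:
            return False, None
        return True, body

    def report_abnormal(self, terminal_id: str, gateway: "GatewayDevice") -> None:
        """Abnormal security state: stop honouring the terminal's tickets and send the
        gateway a connection interruption instruction."""
        self._abnormal_terminals.add(terminal_id)
        gateway.interrupt(terminal_id)


class GatewayDevice:
    def __init__(self, acd: AccessControlDevice, servers: dict):
        self._acd = acd
        self._servers = servers         # service name -> resource server callable (constructed)
        self._connections: dict = {}    # terminal_id -> ticket expiry

    def connect(self, terminal_id: str, ticket: str, now: int) -> bool:
        """Steps 308-310: authenticate the ticket with the access control device and
        establish the connection only if it passes and names this terminal."""
        ok, body = self._acd.verify_ticket(ticket, now)
        if not ok or body["terminal"] != terminal_id:
            return False
        self._connections[terminal_id] = body["exp"]
        return True

    def access(self, terminal_id: str, ticket: str, service: str, now: int):
        """Steps 311-312 with per-request re-verification: forward to the resource
        server only if a connection exists and the ticket still verifies for the
        requested service; returns the server's response or None when refused."""
        if terminal_id not in self._connections:
            return None
        ok, body = self._acd.verify_ticket(ticket, now)
        if not ok or body["service"] != service:
            return None
        server = self._servers.get(service)
        return server(terminal_id) if server else None

    def interrupt(self, terminal_id: str) -> None:
        """Connection interruption instruction: drop every connection of the terminal."""
        self._connections.pop(terminal_id, None)
```

Time is passed in explicitly so the expiry path is testable; in deployment `now` would come from the clock. Binding the service name into the ticket is what makes the gateway refuse to forward an OA ticket to a different resource server, which is the point of re-verifying on every request rather than only at connection time.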
In order to better implement the method, an embodiment of the present invention further provides a resource access apparatus, which may be integrated in a terminal or the like; the terminal may be a video tablet, a notebook, a mobile phone, and so on.
For example, as shown in fig. 4a, the resource access device may include a ticket requesting unit 401, a ticket receiving unit 402, a connecting unit 403, and an access unit 404, as follows:
the ticket request unit 401 is configured to send an access ticket obtaining request to the network access client when a resource needs to be accessed;
a ticket receiving unit 402, configured to receive an access ticket returned by the network access client, where the access ticket is obtained by the network access client from an access control device based on the access ticket obtaining request;
a connection unit 403, configured to send a connection establishment request to a gateway device of a network, where the connection establishment request carries the access ticket;
an accessing unit 404, configured to send a resource access request to the gateway device based on the connection when the connection is successfully established, so that the gateway device forwards the resource access request to a resource server in the network.
In an embodiment, referring to fig. 4b, the resource access apparatus may further include a security detection unit 405;
a security detection unit 405, which may be configured to:
detect the security state of the terminal in real time through the network access client to obtain security state information;
and send the security state information to the access control device through the network access client, so that the access control device can determine from it whether the security state of the terminal is abnormal.
In an embodiment, referring to fig. 4c, the resource access apparatus may further include a registration unit 406 and a standardization processing unit 407;
a registration unit 406, which may be configured to send a device registration request to the access control device, where the device registration request carries the user identity information and the device information of the terminal;
and a standardization processing unit 407, configured to perform device standardization processing on the terminal through the network access client when registration succeeds.
In an embodiment, the accessing unit 404 may specifically be configured to:
determining whether the validity period of the connection has expired;
and if not, sending the resource access request to the gateway device based on the connection.
In an embodiment, the registration unit 406 may be configured to:
run the network access client in the background when the terminal is started;
detect whether the historical user identity information in the storage unit corresponding to the network access client has become invalid;
if not, extract the historical user identity information from the storage unit;
and automatically send a device registration request to the access control device according to the historical user identity information.
As can be seen from the above, in the embodiment of the present invention, when a resource needs to be accessed, the ticket request unit 401 sends an access ticket acquisition request to the network access client; the ticket receiving unit 402 receives the access ticket returned by the network access client, the access ticket having been obtained by the network access client from the access control device based on the access ticket acquisition request; the connection unit 403 sends a connection establishment request carrying the access ticket to the gateway device of the network; and when the connection is successfully established, the access unit 404 sends the resource access request to the gateway device based on the connection, so that the gateway device forwards it to a resource server in the network. With this scheme, all resource access requests are proxied through the gateway device, and only legal terminals are admitted to the network by issuing access tickets, so the terminal cannot directly access intranet resources and only trusted processes are allowed to access them; therefore, even if the user terminal is compromised by a hacker, the hacker's tools on the terminal cannot reach the sensitive resources, and resource security is greatly improved.
In order to better implement the above method, an embodiment of the present invention further provides another resource access apparatus, where the resource access apparatus may be specifically integrated in a gateway device.
For example, as shown in fig. 5a, the resource access apparatus may include a receiving unit 501, an authentication unit 502, a connection unit 503, and a forwarding unit 504, as follows:
a receiving unit 501, configured to receive a connection establishment request sent by a terminal, where the connection establishment request carries the access ticket;
an authentication unit 502, configured to send an authentication request carrying the access ticket to the access control device, so that the access control device authenticates the access ticket;
a connection unit 503, configured to establish a connection with the terminal according to the connection establishment request when the access ticket is verified;
a forwarding unit 504, configured to receive a resource access request sent by the terminal based on the established connection, and forward the resource access request to a resource server.
In an embodiment, referring to fig. 5b, the resource access apparatus may further include a connection control unit 505;
a connection control unit 505, which may be configured to:
receiving a connection interruption instruction sent by the access control device;
and interrupting all connections with the terminal according to the connection interruption instruction.
In an embodiment, the resource access request carries the access ticket; the forwarding unit 504 may specifically be configured to:
receiving a resource access request sent by the terminal based on the established connection;
sending an authentication request carrying the access ticket to the access control device so that the access control device can authenticate the access ticket;
and when the access ticket passes the verification, forwarding the resource access request to a resource server.
As can be seen from the above, in the resource access apparatus provided in the embodiment of the present invention, the receiving unit 501 receives a connection establishment request sent by a terminal, the connection establishment request carrying the access ticket; the authentication unit 502 sends an authentication request carrying the access ticket to the access control device, so that the access control device authenticates the access ticket; the connection unit 503 establishes a connection with the terminal according to the connection establishment request when the access ticket passes verification; and the forwarding unit 504 receives the resource access request sent by the terminal over the established connection and forwards it to the resource server. With this scheme, all resource access requests are proxied through the gateway device, and only legal terminals are admitted to the network by issuing access tickets, so the terminal cannot directly access intranet resources and only trusted processes are allowed to access them; therefore, even if the user terminal is compromised by a hacker, the hacker's tools on the terminal cannot reach the sensitive resources, and resource security is greatly improved.
In order to better implement the above method, an embodiment of the present invention further provides another resource access apparatus, which may be specifically integrated in the access control device.
For example, as shown in fig. 6a, the resource access apparatus may include a first receiving unit 601, an information obtaining unit 602, a determining unit 603, a ticket sending unit 604, a second receiving unit 605 and a ticket verification unit 606, as follows:
a first receiving unit 601, configured to receive a ticket application request sent by a terminal;
an information obtaining unit 602, configured to obtain the request legality evaluation information according to the ticket application request;
a determining unit 603, configured to determine whether the current resource access request is legal according to the request legality evaluation information;
a ticket sending unit 604, configured to send an access ticket to the terminal when the determining unit determines that the current resource access request is legal;
a second receiving unit 605, configured to receive an authentication request sent by a gateway device, where the authentication request carries the access ticket;
and a ticket verification unit 606, configured to verify the access ticket and send the ticket verification result to the gateway device.
In an embodiment, the request legality evaluation information includes process information, information on the resource to be accessed, device information and user identity information of the requesting user; referring to fig. 6b, the determining unit 603 may include:
a security determination subunit 6031 configured to determine whether the terminal is secure according to the request legitimacy evaluation information;
a process determining subunit 6032, configured to determine, when the security determining subunit determines security, whether a process of a current access resource is legal according to the process information;
an identity authentication subunit 6033, configured to authenticate the identity of the current requesting user according to the user identity information when it is determined that the process is legal;
a verification subunit 6034, configured to verify the resource access permission of the current requesting user when the identity verification passes, and if that verification passes, determine that the current ticket application request is legal.
In an embodiment, referring to fig. 6c, the resource access apparatus may further include: a data acquisition unit 607;
the data obtaining unit 607 is configured to obtain a resource access log of a requesting user and heartbeat data sent by a terminal;
the security determination sub-unit 6031 is configured to:
determine from the heartbeat data whether the heartbeat of the terminal is abnormal, obtaining a heartbeat abnormality result;
perform anomaly analysis on the requesting user's resource access behavior according to the resource access log, obtaining a behavior anomaly analysis result;
obtain the security level of the terminal from the heartbeat abnormality result, the behavior anomaly analysis result and the request legality evaluation information;
and determine that the terminal is secure when the security level is greater than a preset level.
In an embodiment, the security determination subunit 6031 is further configured to:
obtain a device list, where the device list contains device identification information and user identity information bound to each other;
determine whether the device list contains device identification information bound to the user identity information of the requesting user, obtaining a device determination result;
and obtain the security level of the terminal from the device determination result, the heartbeat abnormality result, the behavior anomaly analysis result and the request legality evaluation information.
In an embodiment, the verification subunit 6034 is configured to, when the identity authentication passes, obtain the attribute information of the current requesting user in the preset organization structure and the preset permission information of the resource to be accessed;
and check the resource access permission of the current requesting user according to the attribute information and the preset permission information.
In an embodiment, referring to fig. 6d, the resource access apparatus may further include a security processing unit 608;
the security processing unit 608 may specifically be configured to:
receive security state information sent by the terminal in real time;
determine whether the security state of the terminal is abnormal according to the security state information;
and if it is abnormal, send a connection interruption instruction to the gateway device.
In an embodiment, referring to fig. 6d, the resource access apparatus may further include a registration unit 609;
the registration unit 609 may specifically be configured to:
receive a device registration request sent by the terminal, where the device registration request carries the user identity information and the device information of the terminal;
and verify the user identity information and, if it passes verification, bind the device identification information to the user identity information and update the device list.
In specific implementation, the above modules may be implemented as independent entities, or may be combined arbitrarily to be implemented as the same or several entities, and specific implementation of the above modules may refer to the foregoing method embodiments, which are not described herein again.
As can be seen from the above, in the resource access apparatus provided in the embodiment of the present invention, the first receiving unit 601 receives a ticket application request sent by a terminal; the information obtaining unit 602 obtains the request legality evaluation information according to the ticket application request; the determining unit 603 determines from the request legality evaluation information whether the current resource access request is legal; the ticket sending unit 604 sends an access ticket to the terminal when the determining unit finds the current resource access request legal; the second receiving unit 605 receives an authentication request carrying the access ticket from the gateway device; and the ticket verification unit 606 verifies the access ticket and sends the ticket verification result to the gateway device. With this scheme, all resource access requests are proxied through the gateway device, and only legal terminals are admitted to the network by issuing access tickets, so the terminal cannot directly access intranet resources and only trusted processes are allowed to access them; therefore, even if the user terminal is compromised by a hacker, the hacker's tools on the terminal cannot reach the sensitive resources, and resource security is greatly improved.
An embodiment of the present invention further provides a terminal. Fig. 7 shows a schematic structural diagram of a terminal according to an embodiment of the present invention; specifically:
the terminal may include components such as a processor 701 of one or more processing cores, memory 702 of one or more computer-readable storage media, a power supply 703, and an input unit 704. Those skilled in the art will appreciate that the terminal structure shown in fig. 7 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components. Wherein:
the processor 701 is a control center of the terminal, connects various parts of the entire terminal using various interfaces and lines, and performs various functions of the terminal and processes data by running or executing software programs and/or modules stored in the memory 702 and calling data stored in the memory 702, thereby performing overall monitoring of the terminal. Optionally, processor 701 may include one or more processing cores; preferably, the processor 701 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 701.
The memory 702 may be used to store software programs and modules, and the processor 701 executes various functional applications and data processing by running the software programs and modules stored in the memory 702. The memory 702 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, application programs required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the data storage area may store data created according to the use of the terminal, and the like. Further, the memory 702 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. Accordingly, the memory 702 may also include a memory controller to provide the processor 701 with access to the memory 702.
The terminal further includes a power source 703 for supplying power to each component, and preferably, the power source 703 may be logically connected to the processor 701 through a power management system, so as to implement functions of managing charging, discharging, power consumption, and the like through the power management system. The power supply 703 may also include any component including one or more of a dc or ac power source, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
Although not shown, the terminal may further include a display unit and the like, which will not be described in detail herein. Specifically, in this embodiment, the processor 701 in the terminal loads the executable file corresponding to the process of one or more application programs into the memory 702 according to the following instructions, and the processor 701 runs the application program stored in the memory 702, thereby implementing various functions as follows:
when a resource needs to be accessed, sending an access ticket acquisition request to a network access client;
receiving an access ticket returned by the network access client, wherein the access ticket is acquired by the network access client from an access control device based on the access ticket acquisition request;
sending a connection establishment request to a gateway device of a network, wherein the connection establishment request carries the access ticket;
and when the connection is successfully established, sending a resource access request to the gateway device based on the connection so that the gateway device can forward the resource access request to a resource server in the network.
In one embodiment, the processor 701 may also perform the following steps:
detecting the security state of the terminal in real time through the network access client to obtain security state information;
and sending the security state information to the access control device through the network access client so that the access control device can determine, according to the security state information, whether the security state of the terminal is abnormal.
In an embodiment, before the resource needs to be accessed, the processor 701 may further perform the following steps:
and sending a device registration request to the access control device, wherein the device registration request carries user identity information and device information of the terminal.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein.
Referring to fig. 8, an embodiment of the present invention further provides a network device, which may include a processor 801 and a memory 802; the processor 801 in the device loads an executable file corresponding to the process of one or more application programs into the memory 802 according to the following instructions, and the processor 801 executes the application programs stored in the memory 802, thereby implementing various functions.
For example, when the device is a gateway device, the following functions may be implemented:
receiving a connection establishment request sent by a terminal, wherein the connection establishment request carries an access ticket; sending a verification request carrying the access ticket to an access control device so that an access server verifies the access ticket; when the access ticket passes verification, establishing a connection with the terminal according to the connection establishment request; and receiving a resource access request sent by the terminal based on the established connection, and forwarding the resource access request to a resource server.
For another example, when the device is an access control device, the following functions may be implemented:
receiving a ticket application request sent by a terminal; acquiring request legality evaluation information according to the ticket application request; determining, according to the request legality evaluation information, whether the current ticket application request is legal; if it is legal, sending an access ticket to the terminal; receiving a verification request sent by a gateway device, wherein the verification request carries the access ticket; and verifying the access ticket, and sending a ticket verification result to the gateway device.
As can be seen from the above, the terminal, the access control device and the gateway device of this embodiment cooperate so that all resource access requests are proxied through the gateway device, and a legal terminal's access to the network is controlled by issuing an access ticket, so that the terminal cannot reach intranet resources directly and only a trusted process is allowed to access them; therefore, even if the user terminal is compromised by an attacker, attacker tooling on the terminal cannot reach the sensitive resources, and resource security is greatly improved.
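The three-party exchange described above (terminal with gateway proxy module, access control device issuing and verifying tickets, gateway proxying only ticket-verified connections, and the connection being cut when the terminal's security state turns abnormal) is simulated below. This is an added illustration written for this page, not code from the patent or its assignee; the ticket format (HMAC over user, process, resource and expiry), the 30-second lifetime, the single-use rule, the trusted-process and permission tables and all names are assumptions chosen for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    """Access ticket bound to a user, a process and one resource, with an expiry and a MAC (assumed format)."""
    ticket_id: str
    user: str
    process: str
    resource: str
    expires_at: float
    mac: str


class AccessControlDevice:
    """Issues access tickets to the network access client and verifies them for the gateway."""

    def __init__(self, key: bytes, ttl_seconds: float = 30.0):
        self._key = key
        self._ttl = ttl_seconds
        self._issued: dict[str, Ticket] = {}          # issued but not yet consumed tickets
        self.gateway: GatewayDevice | None = None     # notified when a terminal turns abnormal
        # Constructed policy data (assumption): trusted processes and per-user resource rights.
        self.trusted_processes = {"corp-mail.exe", "erp-client.exe"}
        self.permissions = {"alice": {"mail", "erp"}, "bob": {"mail"}}

    def _mac(self, ticket_id: str, user: str, process: str, resource: str, expires_at: float) -> str:
        msg = "|".join([ticket_id, user, process, resource, f"{expires_at:.3f}"]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def apply_ticket(self, user: str, process: str, resource: str, now: float | None = None) -> Ticket | None:
        """Ticket application request: legal only if the process is trusted and the user may reach the resource."""
        now = time.time() if now is None else now
        if process not in self.trusted_processes or resource not in self.permissions.get(user, set()):
            return None
        ticket_id = secrets.token_hex(8)
        expires_at = now + self._ttl
        ticket = Ticket(ticket_id, user, process, resource, expires_at,
                        self._mac(ticket_id, user, process, resource, expires_at))
        self._issued[ticket_id] = ticket
        return ticket

    def verify_ticket(self, ticket: Ticket, now: float | None = None) -> bool:
        """Verification request from the gateway: MAC must match, ticket must be unexpired and unused."""
        now = time.time() if now is None else now
        expected = self._mac(ticket.ticket_id, ticket.user, ticket.process, ticket.resource, ticket.expires_at)
        if not hmac.compare_digest(expected, ticket.mac):
            return False
        if ticket.ticket_id not in self._issued or now > ticket.expires_at:
            return False
        del self._issued[ticket.ticket_id]  # one ticket opens one connection; a replay is refused
        return True

    def report_security_state(self, terminal_id: str, abnormal: bool) -> None:
        """Security state report from the network access client; an abnormal terminal is cut off at the gateway."""
        if abnormal and self.gateway is not None:
            self.gateway.interrupt(terminal_id)


class GatewayDevice:
    """Proxies every intranet request; only ticket-verified connections reach the resource server."""

    def __init__(self, acd: AccessControlDevice, resource_server):
        self._acd = acd
        self._server = resource_server
        self._connections: dict[str, Ticket] = {}  # terminal_id -> ticket the connection was opened with
        acd.gateway = self

    def connect(self, terminal_id: str, ticket: Ticket, now: float | None = None) -> bool:
        if not self._acd.verify_ticket(ticket, now):
            return False
        self._connections[terminal_id] = ticket
        return True

    def forward(self, terminal_id: str, resource: str) -> str:
        ticket = self._connections.get(terminal_id)
        if ticket is None:
            return "refused: no established connection"
        if resource != ticket.resource:
            return "refused: ticket does not cover this resource"
        return self._server(ticket.user, resource)

    def interrupt(self, terminal_id: str) -> None:
        self._connections.pop(terminal_id, None)


def resource_server(user: str, resource: str) -> str:
    return f"{resource} data for {user}"  # stand-in for the intranet resource server (constructed)


class Terminal:
    """Gateway proxy module on the terminal: obtain a ticket via the network access client, connect, then access."""

    def __init__(self, terminal_id: str, user: str, acd: AccessControlDevice, gateway: GatewayDevice):
        self.terminal_id, self.user, self._acd, self._gateway = terminal_id, user, acd, gateway

    def access(self, process: str, resource: str, now: float | None = None) -> str:
        ticket = self._acd.apply_ticket(self.user, process, resource, now)  # the network access client hop
        if ticket is None:
            return "refused: ticket application rejected"
        if not self._gateway.connect(self.terminal_id, ticket, now):
            return "refused: ticket not verified"
        return self._gateway.forward(self.terminal_id, resource)
```

The gateway never consults the policy itself: it only asks the access control device whether a presented ticket is genuine, unexpired and unused, which is why a ticket whose resource field was altered after issue fails the MAC check, and why a second connection with the same ticket is refused. The `report_security_state` path is the notification from claim 1 that tears down an established connection once the terminal is judged abnormal.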
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be performed by instructions or by associated hardware controlled by the instructions, which may be stored in a computer readable storage medium and loaded and executed by a processor.
To this end, the present invention provides a storage medium, in which a plurality of instructions are stored, and the instructions can be loaded by a processor to execute the steps in any one of the resource access methods provided by the embodiments of the present invention. For example, the instructions may perform the steps of:
when a resource needs to be accessed, sending an access ticket acquisition request to a network access client; receiving an access ticket returned by the network access client, wherein the access ticket is acquired by the network access client from an access control device based on the access ticket acquisition request; sending a connection establishment request to a gateway device of a network, wherein the connection establishment request carries the access ticket; and when the connection is successfully established, sending the resource access request to the gateway device based on the connection so that the gateway device can forward the resource access request to a resource server in the network.
In one embodiment, the instructions may further perform the steps of:
receiving a connection establishment request sent by a terminal, wherein the connection establishment request carries an access ticket; sending a verification request carrying the access ticket to an access control device so that an access server can verify the access ticket; when the access ticket passes verification, establishing a connection with the terminal according to the connection establishment request; and receiving a resource access request sent by the terminal based on the established connection, and forwarding the resource access request to a resource server.
In one embodiment, the instructions may further perform the steps of:
receiving a ticket application request sent by a terminal; acquiring request legality evaluation information according to the ticket application request; determining, according to the request legality evaluation information, whether the current ticket application request is legal; if it is legal, sending an access ticket to the terminal; receiving a verification request sent by a gateway device, wherein the verification request carries the access ticket; and verifying the access ticket, and sending a ticket verification result to the gateway device.
For specific implementation, reference may be made to the foregoing embodiments, which are not described herein again.
Wherein the storage medium may include: read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
Since the instructions stored in the storage medium may execute the steps in any resource access method provided in the embodiments of the present invention, beneficial effects that can be achieved by any resource access method provided in the embodiments of the present invention may be achieved, for details, see the foregoing embodiments, and are not described herein again.
The foregoing detailed description is directed to a resource access method, device and storage medium provided by the embodiments of the present invention, and specific examples are applied herein to explain the principles and implementations of the present invention, and the descriptions of the foregoing embodiments are only used to help understand the method and the core idea of the present invention; meanwhile, for those skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (13)

1. A resource access method, applicable to a terminal, comprising the following steps:
when a resource needs to be accessed, sending an access ticket acquisition request to a network access client through a gateway proxy module of the terminal, wherein the network access client acquires, according to the ticket acquisition request, heartbeat data sent by the terminal, a resource access log of the requesting user, process information, information on the resource to be accessed and user identity information of the requesting user, and determines whether the ticket acquisition request is legal based on the resource access log of the requesting user, the heartbeat data sent by the terminal, the process information, the information on the resource to be accessed and the user identity information of the requesting user;
receiving, through the gateway proxy module, an access ticket returned by the network access client, wherein the access ticket is acquired by the network access client from an access control device based on the access ticket acquisition request;
sending a connection establishment request to a gateway device of a network, wherein the connection establishment request carries the access ticket;
when the connection is successfully established, sending a resource access request to the gateway device based on the connection so that the gateway device can forward the resource access request to a resource server in the network;
the resource access method further comprising the following steps:
detecting the security state of the terminal in real time through the network access client to obtain security state information;
and sending the security state information to the access control device through the network access client so that the access control device can determine, according to the security state information, whether the security state of the terminal is abnormal, wherein when the access control device determines that the security state of the terminal is abnormal, the access control device sends a notification to the gateway device to interrupt the connection between the gateway device and the terminal.
2. The resource access method of claim 1, further comprising, before the resource needs to be accessed:
sending a device registration request to the access control device, wherein the device registration request carries user identity information and device identification information of the terminal;
and when the registration succeeds, performing device standardization processing on the terminal through the network access client.
3. The resource access method of claim 2, wherein sending a device registration request to the access control device comprises:
when the terminal is started, running the network access client in the background;
detecting whether the historical user identity information in a storage unit corresponding to the network access client is invalid;
if it is not invalid, extracting the historical user identity information from the storage unit;
and automatically sending a device registration request to the access control device according to the historical user identity information.
4. A resource access method, applicable to a gateway device, comprising:
receiving a connection establishment request sent by a network proxy module of a terminal, wherein the connection establishment request carries an access ticket;
sending a verification request carrying the access ticket to an access control device so that an access server verifies the access ticket;
when the access ticket passes verification, establishing a connection with a gateway proxy module of the terminal according to the connection establishment request, wherein a network access client of the terminal detects the security state of the terminal in real time to obtain security state information and sends the security state information to the access control device so that the access control device can determine, according to the security state information, whether the security state of the terminal is abnormal, and when the access control device determines that the security state of the terminal is abnormal, the access control device sends a notification to the gateway device to interrupt the connection between the gateway device and the terminal;
and receiving a resource access request sent by the terminal based on the established connection, and forwarding the resource access request to a resource server.
5. A resource access method, applicable to an access control device, comprising:
receiving a ticket application request sent by a network access client of a terminal;
acquiring, according to the ticket application request, a resource access log of the requesting user, heartbeat data sent by the terminal and request legality evaluation information, wherein the request legality evaluation information comprises process information, information on the resource to be accessed, device information and user identity information of the requesting user;
determining, according to the heartbeat data, whether the heartbeat of the terminal is abnormal, to obtain a heartbeat anomaly result;
performing anomaly analysis on the resource access behavior of the requesting user according to the resource access log, to obtain a behavior anomaly analysis result;
acquiring the security level of the terminal according to the heartbeat anomaly result, the behavior anomaly analysis result and the request legality evaluation information;
when the security level is greater than a preset level, determining that the terminal is safe;
if the terminal is safe, determining whether the current ticket application request is legal according to the process information, the information on the resource to be accessed and the user identity information of the requesting user;
if the ticket application request is legal, sending an access ticket to a gateway proxy module of the terminal;
receiving a verification request sent by a gateway device, wherein the verification request carries the access ticket;
and verifying the access ticket and sending a ticket verification result to the gateway device, wherein the network access client detects the security state of the terminal in real time to obtain security state information and sends the security state information to the access control device, so that the access control device determines, according to the security state information, whether the security state of the terminal is abnormal, and when the access control device determines that the security state of the terminal is abnormal, the access control device sends a notification to the gateway device to interrupt the connection between the gateway device and the terminal.
6. The resource access method of claim 5, wherein determining whether the current ticket application request is legal according to the process information, the information on the resource to be accessed and the user identity information of the requesting user comprises:
determining, according to the process information, whether the process currently accessing the resource is legal;
if the process is legal, verifying the identity of the current requesting user according to the user identity information;
if the verification passes, checking the resource access permission of the current requesting user;
and if the check passes, determining that the current ticket application request is legal.
7. The resource access method of claim 6, further comprising:
acquiring a device list, wherein the device list comprises device identification information and user identity information that are bound to each other;
determining whether the device list contains device identification information bound to the user identity information of the requesting user, to obtain a device determination result;
wherein acquiring the security level of the terminal according to the heartbeat anomaly result, the behavior anomaly analysis result and the request legality evaluation information comprises:
acquiring the security level of the terminal according to the device determination result, the heartbeat anomaly result, the behavior anomaly analysis result and the request legality evaluation information.
8. The resource access method of claim 6, wherein checking the resource access permission of the current requesting user comprises:
acquiring attribute information of the current requesting user in a preset organization framework and preset permission information of the resource to be accessed;
and checking the resource access permission of the current requesting user according to the attribute information and the preset permission information.
9. A resource access apparatus, applicable to a terminal, comprising:
a ticket request unit, configured to send an access ticket acquisition request to a network access client through a gateway proxy module of the terminal when a resource needs to be accessed, wherein the network access client acquires, according to the ticket acquisition request, heartbeat data sent by the terminal, a resource access log of the requesting user, process information, information on the resource to be accessed and user identity information of the requesting user, and determines whether the ticket acquisition request is legal based on the resource access log of the requesting user, the heartbeat data sent by the terminal, the process information, the information on the resource to be accessed and the user identity information of the requesting user;
a ticket receiving unit, configured to receive, through the gateway proxy module, an access ticket returned by the network access client, wherein the access ticket is acquired by the network access client from an access control device based on the access ticket acquisition request;
a connection unit, configured to send a connection establishment request to a gateway device of a network, wherein the connection establishment request carries the access ticket;
an access unit, configured to send a resource access request to the gateway device based on the connection when the connection is successfully established, so that the gateway device forwards the resource access request to a resource server in the network;
wherein the resource access apparatus is further configured to:
detect the security state of the terminal in real time through the network access client to obtain security state information;
and send the security state information to the access control device through the network access client so that the access control device can determine, according to the security state information, whether the security state of the terminal is abnormal, wherein when the access control device determines that the security state of the terminal is abnormal, the access control device sends a notification to the gateway device to interrupt the connection between the gateway device and the terminal.
10. A resource access apparatus, applicable to a gateway device, comprising:
a receiving unit, configured to receive a connection establishment request sent by a network proxy module of a terminal, wherein the connection establishment request carries an access ticket;
a verification unit, configured to send a verification request carrying the access ticket to an access control device so that an access server can verify the access ticket;
a connection unit, configured to establish a connection with a gateway proxy module of the terminal according to the connection establishment request when the access ticket passes verification, wherein a network access client of the terminal detects the security state of the terminal in real time to obtain security state information and sends the security state information to the access control device, so that the access control device determines, according to the security state information, whether the security state of the terminal is abnormal, and when the access control device determines that the security state of the terminal is abnormal, the access control device sends a notification to the gateway device to interrupt the connection between the gateway device and the terminal;
and a forwarding unit, configured to receive a service request sent by the terminal based on the established connection and forward the service request to a service server.
11. A resource access apparatus, applicable to an access control device, comprising:
a first receiving unit, configured to receive a ticket application request sent by a network access client of a terminal;
an information acquisition unit, configured to acquire, according to the ticket application request, a resource access log of the requesting user, heartbeat data sent by the terminal and request legality evaluation information, wherein the request legality evaluation information comprises process information, information on the resource to be accessed, device information and user identity information of the requesting user;
a heartbeat determining unit, configured to determine, according to the heartbeat data, whether the heartbeat of the terminal is abnormal, to obtain a heartbeat anomaly result;
an anomaly analysis unit, configured to perform anomaly analysis on the resource access behavior of the requesting user according to the resource access log, to obtain a behavior anomaly analysis result;
a security level acquisition unit, configured to acquire the security level of the terminal according to the heartbeat anomaly result, the behavior anomaly analysis result and the request legality evaluation information;
a terminal safety determining unit, configured to determine that the terminal is safe when the security level is greater than a preset level;
a legality determining unit, configured to determine, if the terminal is safe, whether the current ticket application request is legal according to the process information, the information on the resource to be accessed and the user identity information of the requesting user;
a ticket sending unit, configured to send an access ticket to a gateway proxy module of the terminal when the ticket application request is legal;
a second receiving unit, configured to receive a verification request sent by a gateway device, wherein the verification request carries the access ticket;
and a ticket verification unit, configured to verify the access ticket and send a ticket verification result to the gateway device, wherein the network access client detects the security state of the terminal in real time to obtain security state information and sends the security state information to the access control device, so that the access control device determines, according to the security state information, whether the security state of the terminal is abnormal, and when the access control device determines that the security state of the terminal is abnormal, the access control device sends a notification to the gateway device to interrupt the connection between the gateway device and the terminal.
12. A storage medium storing a plurality of instructions adapted to be loaded by a processor to perform the steps of the method of any one of claims 1 to 8.
13. A terminal, comprising a processor and a memory, the memory storing a plurality of instructions, the processor loading the instructions to perform the steps in the resource access method of any one of claims 1 to 4.
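The decision pipeline of the access control device in claims 5 to 8 (heartbeat anomaly result, behavior anomaly result from the access log, device-list binding, a security level compared against a preset level, then process legality, identity verification and an attribute-based permission check) is worked through below on constructed inputs. This is an added example for this page, not the patent's or Tencent's code; the heartbeat interval, the behavior thresholds, the 0..3 level scale with its weighting, the preset level of 1, and the device list, organization framework, permission table, trusted-process list and identity tokens are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy data (assumptions standing in for the device list, organization
# framework, preset permission information, trusted-process list and identity
# information registered when the device was enrolled).
DEVICE_LIST = {"alice": {"dev-a1"}, "bob": {"dev-b1"}}              # user -> bound device identifiers
ORG_FRAMEWORK = {"alice": {"department": "finance"}, "bob": {"department": "sales"}}
RESOURCE_PERMISSIONS = {"erp": {"department": {"finance"}},           # resource -> required attribute values
                        "mail": {"department": {"finance", "sales"}}}
TRUSTED_PROCESSES = {"corp-mail.exe", "erp-client.exe"}
IDENTITY_TOKENS = {"alice": "tok-alice-1", "bob": "tok-bob-1"}       # issued at device registration (assumed)
HEARTBEAT_INTERVAL = 10.0   # seconds between heartbeats the network access client is expected to send
PRESET_LEVEL = 1            # the terminal counts as safe only when its level is greater than this


@dataclass
class TicketRequest:
    """One ticket application request together with the data the access control device gathers for it."""
    user: str
    identity_token: str
    device_id: str
    process: str
    resource: str
    heartbeats: list = field(default_factory=list)   # timestamps of recent heartbeats from the terminal
    access_log: list = field(default_factory=list)   # (timestamp, resource) of the user's recent accesses


def heartbeat_abnormal(heartbeats, now, interval=HEARTBEAT_INTERVAL) -> bool:
    """Heartbeat anomaly: no heartbeat at all, a stale latest heartbeat, or a gap of more than two intervals."""
    if not heartbeats or now - heartbeats[-1] > 2 * interval:
        return True
    return any(b - a > 2 * interval for a, b in zip(heartbeats, heartbeats[1:]))


def behavior_abnormal(access_log, now, window=60.0, max_requests=20, max_distinct=5) -> bool:
    """Behavior anomaly from the resource access log: a burst of requests or touching many distinct resources."""
    recent = [res for ts, res in access_log if now - ts <= window]
    return len(recent) > max_requests or len(set(recent)) > max_distinct


def security_level(heartbeat_bad: bool, behavior_bad: bool, device_bound: bool) -> int:
    """Security level 0..3 (assumed weighting): an unbound device weighs twice as much as either anomaly."""
    level = 3 - (1 if heartbeat_bad else 0) - (1 if behavior_bad else 0) - (0 if device_bound else 2)
    return max(level, 0)


def evaluate_ticket_request(req: TicketRequest, now: float) -> tuple:
    """Return (legal, reason) for one ticket application request, in the order of claims 5 to 8."""
    hb_bad = heartbeat_abnormal(req.heartbeats, now)
    bh_bad = behavior_abnormal(req.access_log, now)
    bound = req.device_id in DEVICE_LIST.get(req.user, set())      # device determination result (claim 7)
    level = security_level(hb_bad, bh_bad, bound)
    if level <= PRESET_LEVEL:
        return False, (f"terminal not safe (level {level}, heartbeat_abnormal={hb_bad}, "
                       f"behavior_abnormal={bh_bad}, device_bound={bound})")
    # Terminal is safe: now judge the request itself (claim 6).
    if req.process not in TRUSTED_PROCESSES:
        return False, "process not trusted"
    if IDENTITY_TOKENS.get(req.user) != req.identity_token:
        return False, "identity verification failed"
    # Permission check by organization attributes against the resource's preset permission info (claim 8).
    required = RESOURCE_PERMISSIONS.get(req.resource)
    attrs = ORG_FRAMEWORK.get(req.user, {})
    if required is None or any(attrs.get(k) not in allowed for k, allowed in required.items()):
        return False, "no permission for resource"
    return True, "ticket application legal"
```

The order matters for the reason string an operator sees: terminal health is judged before the request, so a request from an unregistered device is refused as "not safe" without the process, identity or permission checks ever running, which keeps the evaluation from leaking which of those would have passed.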
CN201810893233.7A 2018-08-07 2018-08-07 Resource access method, device, terminal and storage medium Active CN110213215B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810893233.7A CN110213215B (en) 2018-08-07 2018-08-07 Resource access method, device, terminal and storage medium

Publications (2)

Publication Number Publication Date
CN110213215A CN110213215A (en) 2019-09-06
CN110213215B true CN110213215B (en) 2022-05-06

Family

ID=67779800


Country Status (1)

Country Link
CN (1) CN110213215B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112769735B (en) * 2019-11-05 2023-03-24 阿里巴巴集团控股有限公司 Resource access method, device and system
CN111176715B (en) * 2019-12-16 2023-05-12 青岛聚看云科技有限公司 Information calling method and server
CN113645115B (en) * 2020-04-27 2023-04-07 中国电信股份有限公司 Virtual private network access method and system
CN112055024B (en) * 2020-09-09 2023-08-22 深圳市欢太科技有限公司 Authority verification method and device, storage medium and electronic equipment
CN112383557B (en) * 2020-11-17 2023-06-20 北京明朝万达科技股份有限公司 Safety access gateway and industrial equipment communication management method
CN115085956B (en) * 2021-03-12 2023-11-24 中国移动通信集团广东有限公司 Intrusion detection method, intrusion detection device, electronic equipment and storage medium
CN113761515A (en) * 2021-08-20 2021-12-07 上海酷栈科技有限公司 Cloud desktop security detection method and system, computing device and storage medium
CN114095263A (en) * 2021-11-24 2022-02-25 上海派拉软件股份有限公司 Communication method, device and system
CN114915427B (en) * 2022-06-06 2023-10-13 中国联合网络通信集团有限公司 Access control method, device, equipment and storage medium
CN115906187B (en) * 2023-02-22 2023-05-23 山东经伟晟睿数据技术有限公司 User permission control method and system combining function permission and interface permission
CN116233215B (en) * 2023-05-06 2023-08-08 杭州筋斗腾云科技有限公司 Processing method for secure access and electronic equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN201194396Y (en) * 2008-05-08 2009-02-11 天津市国瑞数码安全系统有限公司 Safe gateway platform based on transparent proxy gateway
CN102498701A (en) * 2009-09-18 2012-06-13 富士通株式会社 Method and apparatus for identity verification
CN103716326A (en) * 2013-12-31 2014-04-09 华为技术有限公司 Resource access method and URG
CN104468532A (en) * 2014-11-19 2015-03-25 成都卫士通信息安全技术有限公司 Network resource access control method for cross-multistage network boundaries
CN105100007A (en) * 2014-05-08 2015-11-25 国际商业机器公司 Method and device used for controlling resource visit
US9769142B2 (en) * 2015-11-16 2017-09-19 Mastercard International Incorporated Systems and methods for authenticating network messages


Also Published As

Publication number Publication date
CN110213215A (en) 2019-09-06


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
  Effective date of registration: 20210926
  Address after: 100190 Beijing Haidian District Zhichun Road 49 No. 3 West 309
  Applicant after: TENCENT CLOUD COMPUTING (BEIJING) Co.,Ltd.
  Address before: 518057 Tencent Building, No. 1 High-tech Zone, Nanshan District, Shenzhen City, Guangdong Province, 35 floors
  Applicant before: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.
GR01 Patent grant