CN110855709A - Access control method, device, equipment and medium for security access gateway

Info

Publication number
CN110855709A
Authority
CN
China
Prior art keywords
user terminal
risk level
strategy
security risk
identity
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911175585.XA
Other languages
Chinese (zh)
Inventor
沙锋
张晓东
闫立志
郑杭杰
林国养
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Construction Bank Corp
Original Assignee
China Construction Bank Corp
CCB Finetech Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by China Construction Bank Corp and CCB Finetech Co Ltd
Priority to CN201911175585.XA
Publication of CN110855709A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses an admission control method, apparatus, device and medium for a security access gateway. The method comprises the following steps: receiving an identity authentication request sent by a user terminal and verifying the identity of the user according to the identity verification information carried in the request; if the user terminal passes identity verification, querying the security risk level of the user terminal according to the attribute information carried in the request; determining the admission policy corresponding to the user terminal according to its security risk level; and controlling the connection of the user terminal to the target server according to that admission policy. The embodiment can classify user terminals accessing the server by security risk level, assign each a corresponding admission policy, and thereby effectively ensure security when connecting to the target server.

Description

Access control method, device, equipment and medium for security access gateway
Technical Field
The embodiment of the invention relates to the field of network security, in particular to an admission control method, a device, equipment and a medium for a security access gateway.
Background
Network Access Control (NAC) is a management specification aimed mainly at meeting network security and compliance requirements, following the principle that non-compliant terminals may not access the network and terminals that do access it must be compliant, and it aims to prevent enterprise security from being damaged by emerging attack techniques such as viruses and worms. With NAC, an enterprise can allow only legitimate, secure and trusted terminal devices (e.g. servers, PDAs (personal digital assistants), mobile devices, etc.) to access the network, and can perform compliance checks on the devices that do.
In the course of implementing the invention, the inventors found that the prior art has at least the following problem:
when a terminal accesses the gateway, the terminal's access policy is fixed, that is, it is determined from the attribute information (for example, the terminal identifier) reported by the terminal. When the security risk level of the terminal changes, the terminal still connects to the server under the original access policy, so the security of the server connection is difficult to guarantee.
Disclosure of Invention
Embodiments of the present invention provide an admission control method, apparatus, device, and medium for a secure access gateway, which can determine an admission policy of a user terminal according to a security risk level of the user terminal.
In a first aspect, an embodiment of the present invention provides an admission control method for a secure access gateway, where the method includes:
receiving an identity authentication request sent by a user terminal, and verifying the identity of the user according to the identity verification information carried in the identity authentication request;
if the user terminal passes identity verification, querying the security risk level of the user terminal according to the attribute information carried in the identity authentication request;
determining the admission policy corresponding to the user terminal according to the security risk level of the user terminal;
and controlling the connection of the user terminal to a target server according to the admission policy.
In a second aspect, an embodiment of the present invention provides an admission control apparatus for a secure access gateway, where the apparatus includes:
a verification module, configured to receive an identity authentication request sent by a user terminal and to verify the identity of the user according to the identity verification information carried in the identity authentication request;
a query module, configured to query the security risk level of the user terminal according to the attribute information carried in the identity authentication request if the user terminal passes identity verification;
a determining module, configured to determine the admission policy corresponding to the user terminal according to the security risk level of the user terminal;
and a control module, configured to control the connection of the user terminal to the target server according to the admission policy.
In a third aspect, an embodiment of the present invention provides an electronic device, including:
one or more processors;
a storage device for storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the admission control method for a secure access gateway according to any embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the admission control method for a secure access gateway according to any one of the embodiments of the present invention.
The embodiment of the invention verifies the identity of the user terminal, queries the security risk level of the user terminal according to its attribute information once identity verification has passed, and determines the corresponding admission policy according to that security risk level, so that the connection to the target server is established according to the admission policy. The method and apparatus can classify user terminals accessing the server by security risk level, assign each a corresponding admission policy, and effectively ensure security when connecting to the target server.
Drawings
Fig. 1 is a schematic flowchart of an admission control method of a security access gateway according to a first embodiment of the present invention;
Fig. 2 is a flowchart illustrating an admission control method of a security access gateway according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an admission control apparatus of a secure access gateway according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart illustrating an admission control method of a security access gateway according to a first embodiment of the present invention. The embodiment is applicable to the case of determining the admission policy according to the security risk level of the user terminal. The method can be executed by an admission control device of a security access gateway, which can be implemented in hardware and/or software and can be configured in an electronic device. The method specifically comprises the following steps:
S110, receiving an identity authentication request sent by the user terminal, and verifying the identity of the user according to the identity verification information carried in the identity authentication request.
In this embodiment, the user terminal may be an intelligent terminal that a user employs to connect to the server; an intelligent terminal is an intelligent device with data access capability that can support functions such as server access and connection, for example a smartphone, tablet computer or PC (personal computer). To secure the network boundary, the user of a terminal accessing the server must be authenticated, so the user must send an identity authentication request from the user terminal before accessing the server. Specifically, a customised security access client can be installed on each user terminal that accesses the internal network, and the user's identity information is verified for each terminal through that client: the user sends an identity authentication request to the security access server through the user terminal, and when the security access server receives it, it verifies the user's identity according to the identity verification information carried in the request. The security access server is deployed in front of the internal network firewall (it belongs to the open resource area), so that user terminals can reach it directly without prior authentication.
Specifically, the identity verification information carried in the identity authentication request may be the account name and login password set when the user registered with the security access client. The account name may be the user's mobile phone number, an e-mail address or user-defined characters; if the user logs in with an existing account from other software (such as a mailbox), the user can log in directly with that mailbox and its password. In this embodiment the login password for an account name may be static or obtained dynamically: a static password is a fixed password set by the user, while a dynamic password is randomly allocated to the security access client at each login. The user's identity is verified against the account name and login password; if the user terminal passes verification, S120 is executed. If verification fails, the user is prompted to authenticate again; if it still fails within the preset number of attempts, the authentication interface is exited and the user is notified that logins for that account name will not be accepted for a limited time period. A user terminal that has not passed identity authentication can only access servers in the open resource area, and all of its requests for servers holding controlled resources are blocked by the firewall.
S120, querying the security risk level of the user terminal according to the attribute information carried in the identity authentication request.
In this embodiment, after the user terminal passes authentication, user terminals must be classified so that different terminals can be distinguished and the security of the accessed server ensured; specifically, the classification is performed according to the security risk level of the user terminal. In this embodiment the security risk level is determined from the terminal's attribute information, which may include at least one of: the type of the terminal's current operating system, the terminal's version number, the terminal identifier, the login user, the IP (Internet Protocol) segment, the organisation, and the serial number corresponding to the terminal. Querying the security risk level serves as the compliance check of the terminal accessing the network, i.e. it checks whether the terminal accessing the security access server is legitimate.
Specifically, each item of attribute information of the user terminal corresponds one to one to a security risk level; for example, if the terminal's current operating system is Windows XP, its security risk level is level one, that is, the terminal carries a higher security risk.
S130, determining an admission strategy corresponding to the user terminal according to the security risk level of the user terminal.
In this embodiment, to ensure the security of the server connection, a corresponding admission policy must be specified for each security risk level of the user terminal, so as to avoid the safety hazards that arise when a terminal with a higher security risk level connects to the server. The admission policy corresponding to a user terminal is the correspondence between that terminal and each server it is permitted to access; it records the addresses of the servers the terminal may access.
Specifically, the admission policy of a user terminal can be determined through the correspondence, held in the security access server, between security risk levels and admission policies. The determined admission policy is then sent to the firewall, which is notified to open the gateway for the terminal, and the policy is issued so that the terminal connects to the server it wishes to access according to that policy. From the terminal's admission policy the firewall can generate an access control list keyed by the terminal's identification information; in this embodiment that identification information may be the terminal's IP address.
S140, controlling the connection of the user terminal to the target server according to the admission policy.
In this embodiment the admission policy records the addresses of the servers the user terminal may access; the target server is the server the terminal wants to reach, i.e. an access object set in advance. When the terminal accesses a server holding controlled resources, the firewall controls the connection by matching the requested target server against the admission policy corresponding to that user.
If a terminal that has passed identity authentication accesses a server holding controlled resources and the firewall finds the requested target server in the recorded admission policy, the firewall does not block the terminal; if the target server is not found in the recorded admission policy, the firewall blocks the terminal, which indicates that the terminal may not access that target server, and the terminal is notified that it has no access rights when it attempts the access.
The embodiment of the invention verifies the identity of the user terminal, queries the security risk level of the user terminal according to its attribute information once identity verification has passed, and determines the corresponding admission policy according to that security risk level, so that the connection to the target server is established according to the admission policy. The method and apparatus can classify user terminals accessing the server by security risk level, assign each a corresponding admission policy, and effectively ensure security when connecting to the target server.
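The flow S110 to S140 can be sketched as a small Python model: password verification with a lockout after a preset number of failures, a lookup of the risk level from terminal attributes (Windows XP mapping to the highest-risk level, as in the text), a policy chosen by risk level, and a firewall ACL keyed by terminal IP that passes a connection only when the target server appears in the policy. This is an added illustration written for this page, not code from the patent or its applicant; the attempt limit, lockout period, password hashing scheme, risk table, policy table, account names and IP addresses are all constructed assumptions.

```python
"""Added model of S110..S140 (not the patent's code): authenticate the user,
look up the terminal's risk level from its attributes, map the level to an
admission policy, push the policy into a firewall ACL keyed by terminal IP,
and let the ACL decide each connection to a target server.
All tables, limits and addresses below are constructed assumptions."""
from __future__ import annotations

import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

MAX_ATTEMPTS = 3        # assumed preset number of authentication attempts
LOCKOUT_SECONDS = 300   # assumed "limited time period" during which logins are refused
_SALT = b"constructed-salt"  # a real deployment uses a per-user random salt


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed account store: account name -> password hash.
USERS = {"alice@example.com": _hash("correct horse")}
_DUMMY = _hash("")  # compared even for unknown accounts so timing stays uniform

# Assumed risk table; level 1 is the highest risk (the patent's Windows XP example).
RISK_BY_OS = {"Windows XP": 1, "Windows 7": 2, "Windows 10": 3}
DEFAULT_RISK = 2

# Assumed admission policies: risk level -> server addresses the terminal may reach.
POLICY_BY_RISK = {
    1: frozenset(),                                          # highest risk: nothing
    2: frozenset({"10.0.0.10"}),
    3: frozenset({"10.0.0.10", "10.0.0.20", "10.0.0.30"}),
}


@dataclass
class Gateway:
    failures: dict = field(default_factory=dict)  # account -> (count, locked_until)
    acl: dict = field(default_factory=dict)       # firewall ACL: terminal IP -> servers

    def authenticate(self, account: str, password: str, now: Optional[float] = None) -> bool:
        """S110: verify account name and password, with lockout after repeated failure."""
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(account, (0, 0.0))
        if now < locked_until:
            return False  # logins for this account name are refused during the lockout
        ok = hmac.compare_digest(USERS.get(account, _DUMMY), _hash(password)) and account in USERS
        if ok:
            self.failures.pop(account, None)
            return True
        count += 1
        self.failures[account] = (0, now + LOCKOUT_SECONDS) if count >= MAX_ATTEMPTS else (count, 0.0)
        return False

    def admit(self, terminal_ip: str, attributes: dict) -> Tuple[int, frozenset]:
        """S120 + S130: risk level from attributes, then policy from risk level."""
        level = RISK_BY_OS.get(attributes.get("os"), DEFAULT_RISK)
        policy = POLICY_BY_RISK[level]
        self.acl[terminal_ip] = policy  # the firewall generates an ACL entry for this IP
        return level, policy

    def connect(self, terminal_ip: str, target_server: str) -> bool:
        """S140: the firewall passes the connection only if the target is in the policy."""
        return target_server in self.acl.get(terminal_ip, frozenset())


def demo() -> dict:
    """Walk through the flow with constructed terminals; returns the observed outcomes."""
    gw = Gateway()
    r = {}
    r["bad_pw"] = gw.authenticate("alice@example.com", "wrong", now=0.0)
    r["good_pw"] = gw.authenticate("alice@example.com", "correct horse", now=1.0)
    level, _ = gw.admit("192.168.1.5", {"os": "Windows XP", "terminal_id": "T-1"})
    r["xp_level"] = level
    r["xp_connect"] = gw.connect("192.168.1.5", "10.0.0.10")   # blocked: empty policy
    gw.admit("192.168.1.6", {"os": "Windows 10", "terminal_id": "T-2"})
    r["w10_connect"] = gw.connect("192.168.1.6", "10.0.0.20")  # allowed by policy
    r["unknown_ip"] = gw.connect("192.168.1.7", "10.0.0.10")   # never admitted: blocked
    for _ in range(MAX_ATTEMPTS):
        gw.authenticate("alice@example.com", "nope", now=10.0)
    r["locked"] = gw.authenticate("alice@example.com", "correct horse", now=11.0)
    r["after_lockout"] = gw.authenticate("alice@example.com", "correct horse", now=10.0 + LOCKOUT_SECONDS)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The firewall side is deliberately a plain dictionary lookup: an unadmitted IP has no ACL entry and is therefore blocked, and a terminal whose policy is empty is blocked even though it authenticated successfully, which is the behaviour the text describes for a terminal whose target server is not matched in its admission policy.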
Example two
Fig. 2 is a flowchart illustrating an admission control method of a secure access gateway according to a second embodiment of the present invention. This embodiment further expands and optimises the first embodiment and can be combined with any optional alternative in the technical scheme. As shown in Fig. 2, the method includes:
S210, receiving an identity authentication request sent by the user terminal, and verifying the identity of the user according to the identity verification information carried in the identity authentication request.
S220, querying the security risk level of the user terminal according to the attribute information carried in the identity authentication request.
S230, determining the policy ID corresponding to the user terminal according to the security risk level of the user terminal.
In this embodiment, different security risk levels of the user terminal correspond to different policy IDs (identification numbers); a policy ID identifies an admission policy and corresponds to it one to one. Specifically, the policy ID for the terminal is determined by querying the terminal's security risk level. The policy ID determined for the same terminal on different accesses is not fixed; it can change in real time according to the terminal's attribute information.
S240, determining the admission policy corresponding to the user terminal through the policy ID corresponding to the user terminal.
In this embodiment the policy ID and the admission policy of a user terminal are uniquely related, that is, one admission policy corresponds to one policy ID. Once the terminal's admission policy is determined, the firewall establishes the correspondence between the terminal's IP address and that policy, so that when the terminal later accesses a server holding controlled resources, the firewall can select the policy by identifying the terminal's IP address and thereby establish the connection between the terminal and the target server.
S250, controlling the connection of the user terminal to the target server according to the admission policy.
Optionally, before receiving the identity authentication request sent by the user terminal, the method further includes:
receiving an IP address allocation request sent by a user terminal;
and returning the IP address corresponding to the user terminal according to the IP address allocation request.
In this embodiment, a user terminal that accesses the security access server must first send an IP address allocation request through the security access client; specifically, the request may be initiated to the security access server through the client on the basis of the 802.1X protocol, and after the terminal's identity is verified, the security access server can authorise a DHCP (Dynamic Host Configuration Protocol) server to allocate the corresponding IP address to the user terminal. DHCP makes admission control easy to implement, at low cost and with good network compatibility; 802.1X is an access control and authentication protocol based on a client-server architecture that allows only EAPOL (Extensible Authentication Protocol over LAN) traffic from the user terminal to reach the security access server port.
Optionally, determining the policy ID corresponding to the user terminal according to the security risk level of the user terminal includes:
if the security risk level of the user terminal is within a preset risk level range, determining the policy ID corresponding to the user terminal according to the attribute information;
and if the security risk level of the user terminal is outside the preset risk level range, allocating the policy ID corresponding to the user terminal according to the security risk level of the user terminal.
In this embodiment, to determine different policy IDs for different security risk levels so that terminals of different risk levels receive different policy IDs, the security degree of the user terminal, that is, whether it is a risky terminal, must be determined from its security risk level.
Specifically, the security risk level found for the user terminal may be compared with a preset risk level range to determine whether it lies within that range, and thereby whether the terminal is a risky user. If the security risk level is within the preset range, the terminal is not a risky user, and the policy ID corresponding to the terminal is determined from its attribute information; for example, the policy ID may be determined from any one of the terminal identifier, the IP address, the login user and the configuration of the terminal, and the determined policy ID remains unchanged as long as the attribute information is unchanged. If the security risk level is outside the preset range, the terminal is a risky user, and the security access server allocates a corresponding policy ID according to the terminal's security risk level; the higher the security risk level, the lower the security of the terminal, and the fewer servers the admission policy of the allocated policy ID contains. Because the policy ID is allocated according to the security risk level, the allocation result for the same terminal may differ from one access to the next.
Optionally, after determining the admission policy corresponding to the user terminal through the policy ID corresponding to the user terminal, the method further includes:
monitoring the local running state of the user terminal in real time, and updating the security risk level of the user terminal according to the local running state;
and updating the policy ID corresponding to the user terminal according to the security risk level of the user terminal, and updating the admission policy corresponding to the user terminal through the policy ID corresponding to the user terminal.
In this embodiment, after the admission policy corresponding to the user terminal is determined, the local running state of the terminal may be monitored in real time so that its security risk level is updated when the running state changes; the security access server then determines the terminal's policy ID again, and the admission policy is determined again through that policy ID. The local running state of the terminal may be its local program activity and its network activity.
Specifically, a terminal that triggers a security risk is subjected to network admission control measures such as reminding, rights reduction or blocking, according to its security risk level. In this embodiment, if the security risk level of the terminal triggering the risk is low, a reminder is issued, for example a message is sent to the terminal indicating that the current account is abnormal or that a security risk exists for it; if the level is high, a rights reduction is applied, for example the number of accessible servers is reduced; and if the level is higher still, a blocking operation is applied, for example the terminal's right to access servers holding controlled resources is withdrawn.
After the admission policy corresponding to the user terminal has been determined through its policy ID, the embodiment of the invention can also monitor the local running state of the terminal in real time, update its security risk level according to that state, and so update the terminal's policy ID and re-determine its admission policy. By applying the corresponding network admission control measures according to the security risk levels of the different terminals that trigger security risks, the admission policy of a terminal can be effectively updated in real time according to its security risk level.
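The policy-ID rule of S230 (attribute-derived and stable inside the preset risk range, level-allocated with fewer servers outside it), the ID-to-policy lookup of S240, and the optional re-evaluation on a change of local running state with its remind / reduce / block measures can be put together in one Python sketch. This is an added example for this page, not the patent's or the applicant's code; the six-level scale with level 1 as highest risk, the preset range, the policy tables, the two running-state signals and the measure thresholds are all constructed assumptions.

```python
"""Added illustration of S230/S240 and the optional real-time re-evaluation
(not the patent's code). Levels run 1..6 with 1 the highest risk; the
preset range, the policy tables, the running-state signals and the
measure thresholds are all constructed assumptions."""
import hashlib

PRESET_RANGE = range(4, 7)  # assumed "preset risk level range": levels 4..6 are not risky
FULL_ACCESS = frozenset({"10.0.0.10", "10.0.0.20", "10.0.0.30"})

# Policy IDs allocated by risk level for risky terminals: higher risk -> fewer servers.
POLICIES = {
    "risk-L3": frozenset({"10.0.0.10", "10.0.0.20"}),
    "risk-L2": frozenset({"10.0.0.10"}),
    "risk-L1": frozenset(),
}
# Admission control measure applied when a terminal triggers a security risk.
MEASURES = {3: "remind", 2: "reduce", 1: "block"}


def attribute_policy_id(attrs: dict) -> str:
    """ID derived from attribute information: unchanged while the attributes are unchanged."""
    key = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return "attr-" + hashlib.sha256(key.encode()).hexdigest()[:12]


def policy_id_for(level: int, attrs: dict) -> str:
    """S230: inside the preset range the ID comes from attributes; outside it, from the level."""
    if level in PRESET_RANGE:
        pid = attribute_policy_id(attrs)
        POLICIES.setdefault(pid, FULL_ACCESS)  # register the attribute-derived policy once
        return pid
    pid = f"risk-L{level}"
    if pid not in POLICIES:
        raise ValueError(f"no policy allocated for risk level {level}")
    return pid


def risk_level_from_state(base_level: int, state: dict) -> int:
    """Update the level from constructed local running-state signals."""
    level = base_level
    if state.get("unknown_process"):  # suspicious local program activity
        level -= 1
    if state.get("scanning"):         # suspicious network activity
        level -= 2
    return max(level, 1)


class Session:
    """One admitted terminal: level, policy ID and policy, re-evaluated on state changes."""

    def __init__(self, terminal_ip: str, attrs: dict, base_level: int):
        self.terminal_ip = terminal_ip
        self.attrs = attrs
        self.base_level = base_level
        self.level = base_level
        self.policy_id = policy_id_for(base_level, attrs)
        self.policy = POLICIES[self.policy_id]  # S240: policy looked up by its ID

    def on_state_change(self, state: dict) -> str:
        """Re-run S230/S240 for the new running state and return the measure to apply."""
        self.level = risk_level_from_state(self.base_level, state)
        self.policy_id = policy_id_for(self.level, self.attrs)
        self.policy = POLICIES[self.policy_id]
        return MEASURES.get(self.level, "none")


def demo() -> dict:
    """Constructed walk-through; returns the observed IDs, policy sizes and measures."""
    attrs = {"terminal_id": "T-42", "os": "Windows 10", "login_user": "alice"}
    s = Session("192.168.1.9", attrs, base_level=4)
    out = {"initial_id": s.policy_id, "initial_servers": len(s.policy)}
    out["stable"] = policy_id_for(4, dict(attrs)) == s.policy_id   # same attributes, same ID
    out["remind"] = s.on_state_change({"unknown_process": True})    # level 3
    out["remind_id"], out["remind_servers"] = s.policy_id, len(s.policy)
    out["reduce"] = s.on_state_change({"scanning": True})           # level 2
    out["reduce_servers"] = len(s.policy)
    out["block"] = s.on_state_change({"unknown_process": True, "scanning": True})  # level 1
    out["block_servers"] = len(s.policy)
    out["recovered"] = s.on_state_change({})                        # back to level 4
    out["recovered_id"] = s.policy_id == out["initial_id"]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two properties of the text are visible in the run: a non-risky terminal keeps the same attribute-derived ID across re-evaluations as long as its attributes do not change, while a risky terminal's ID is allocated purely from its level, so the set of reachable servers shrinks monotonically as the level rises toward 1.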
Example three
Fig. 3 is a schematic structural diagram of an admission control apparatus of a secure access gateway according to a third embodiment of the present invention. The embodiment is applicable to the case of determining the admission policy according to the security risk level of the user terminal. The apparatus is configured in an electronic device and can implement the admission control method of the secure access gateway of any embodiment of this application. The apparatus specifically comprises the following modules:
the verification module 310 is configured to receive an identity authentication request sent by a user terminal, and verify an identity of a user according to identity verification information carried in the identity authentication request;
the query module 320 is configured to query the security risk level of the user terminal according to the attribute information carried in the identity authentication request if the identity of the user terminal passes the authentication;
a determining module 330, configured to determine an admission policy corresponding to the user terminal according to the security risk level of the user terminal;
a control module 340, configured to control the user terminal to connect to the target server according to the admission policy.
Optionally, on the basis of the above apparatus, the apparatus further includes:
an allocating module 350, configured to receive an IP address allocation request sent by the user terminal;
a returning module 360, configured to return the IP address corresponding to the user terminal according to the IP address allocation request.
Optionally, on the basis of the foregoing apparatus, the determining module 330 is specifically configured to:
determine the policy ID corresponding to the user terminal according to the security risk level of the user terminal;
and determine the admission policy corresponding to the user terminal according to the policy ID corresponding to the user terminal.
Optionally, on the basis of the foregoing apparatus, the determining module 330 is further specifically configured to:
if the security risk level of the user terminal is within a preset risk level range, determine the policy ID corresponding to the user terminal according to the attribute information;
and if the security risk level of the user terminal is outside the preset risk level range, allocate the policy ID corresponding to the user terminal according to the security risk level of the user terminal.
Optionally, on the basis of the above apparatus, the apparatus further includes:
an updating module 370, configured to monitor a local operating state of the user terminal in real time, and update a security risk level of the user terminal according to the local operating state;
the updating module 370 is further configured to update the policy ID corresponding to the user terminal according to the security risk level of the user terminal, and update the admission policy corresponding to the user terminal according to the policy ID corresponding to the user terminal.
With the admission control apparatus of the secure access gateway of the third embodiment, user terminals accessing the server can be classified by security risk level, a corresponding admission policy assigned, and security when connecting to the target server effectively ensured.
The admission control apparatus of the secure access gateway provided by the embodiment of the invention can execute the admission control method of the secure access gateway provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to that method.
Example four
Fig. 4 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention. As shown in Fig. 4, the electronic device includes a processor 410, a memory 420, an input device 430 and an output device 440. The electronic device may have one or more processors 410; Fig. 4 takes one processor 410 as an example. The processor 410, memory 420, input device 430 and output device 440 in the electronic device may be connected by a bus or by other means; Fig. 4 shows a bus connection.
The memory 420 is a computer-readable storage medium that can be used for storing software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the admission control method of the security access gateway in the embodiment of the present invention. The processor 410 executes the various functional applications and data processing of the electronic device by running the software programs, instructions and modules stored in the memory 420, that is, it implements the admission control method of the security access gateway described above.
The memory 420 may mainly include a program storage area and a data storage area; the program storage area may store an operating system and the application program required for at least one function, and the data storage area may store data created according to the use of the terminal, and the like. Further, the memory 420 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. In some examples, the memory 420 may further include memory located remotely from the processor 410 and connected to the electronic device over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks and combinations thereof.
The input device 430 may be used to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the electronic device, and may include a keyboard, a mouse and the like. The output device 440 may include a display device such as a display screen.
Example five
A fifth embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the admission control method of the security access gateway according to the first embodiment of the present invention. Of course, the computer-readable storage medium provided by the embodiment of the present invention can also perform the relevant operations of the admission control method of the security access gateway provided in any embodiment of the present invention.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software together with the necessary general-purpose hardware, and certainly can also be implemented by hardware alone, but the former is the better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which may be stored in a computer-readable storage medium such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH memory, a hard disk or an optical disk of a computer, and which includes several instructions for enabling a computer device (which may be a personal computer, a server or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the above apparatus embodiment, the included units and modules are divided merely according to functional logic and are not limited to the above division as long as the corresponding functions can be implemented; in addition, the specific names of the functional units are only for convenience of distinguishing them from each other and are not used to limit the protection scope of the present invention.
The foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions that will become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, it is not limited to them and may include other equivalent embodiments without departing from its spirit; the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. An admission control method for a security access gateway, the method comprising:
receiving an identity authentication request sent by a user terminal, and verifying the identity of the user according to the identity verification information carried in the identity authentication request;
if the identity of the user terminal passes the verification, querying the security risk level of the user terminal according to the attribute information carried in the identity authentication request;
determining an admission policy corresponding to the user terminal according to the security risk level of the user terminal;
and controlling the connection of the user terminal to a target server according to the admission policy.
2. The method according to claim 1, wherein before the receiving the identity authentication request sent by the user terminal, the method further comprises:
receiving an IP address allocation request sent by the user terminal;
and returning the IP address corresponding to the user terminal according to the IP address allocation request.
3. The method of claim 1, wherein the determining the admission policy corresponding to the user terminal according to the security risk level of the user terminal comprises:
determining a policy ID corresponding to the user terminal according to the security risk level of the user terminal;
and determining the admission policy corresponding to the user terminal according to the policy ID corresponding to the user terminal.
4. The method according to claim 3, wherein the determining the policy ID corresponding to the user terminal according to the security risk level of the user terminal comprises:
if the security risk level of the user terminal is within a preset risk level range, determining the policy ID corresponding to the user terminal according to the attribute information;
and if the security risk level of the user terminal is outside the preset risk level range, assigning the policy ID corresponding to the user terminal according to the security risk level of the user terminal.
5. The method according to claim 3, wherein after determining the admission policy corresponding to the user terminal by the policy ID corresponding to the user terminal, the method further comprises:
monitoring the local operating state of the user terminal in real time, and updating the security risk level of the user terminal according to the local operating state;
and updating the policy ID corresponding to the user terminal according to the security risk level of the user terminal, and updating the admission policy corresponding to the user terminal through the policy ID corresponding to the user terminal.
6. An admission control apparatus for a security access gateway, the apparatus comprising:
a verification module, configured to receive an identity authentication request sent by a user terminal and to verify the identity of the user according to the identity verification information carried in the identity authentication request;
a query module, configured to query the security risk level of the user terminal according to the attribute information carried in the identity authentication request if the identity verification of the user terminal passes;
a determining module, configured to determine an admission policy corresponding to the user terminal according to the security risk level of the user terminal;
and a control module, configured to control the connection of the user terminal to the target server according to the admission policy.
7. The apparatus of claim 6, wherein the determining module is specifically configured to:
determine a policy ID corresponding to the user terminal according to the security risk level of the user terminal;
and determine the admission policy corresponding to the user terminal according to the policy ID corresponding to the user terminal.
8. The apparatus of claim 7, wherein the determining module is further specifically configured to:
if the security risk level of the user terminal is within a preset risk level range, determine the policy ID corresponding to the user terminal according to the attribute information;
and if the security risk level of the user terminal is outside the preset risk level range, assign the policy ID corresponding to the user terminal according to the security risk level of the user terminal.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the admission control method for a security access gateway as claimed in any of claims 1 to 5.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements a method for admission control of a secure access gateway according to any of claims 1 to 5.
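The risk-tiered admission flow described in the third embodiment above and restated in claims 1, 3, 4 and 5, as an added worked example in Python; this is not code from the patent or its assignee. The credential store, the terminal inventory, the five-level risk scale, the preset range (levels 1 to 3), the "department" attribute, the posture checks and the policy tables are all constructed here for illustration, and the gateway is modelled as a function returning the set of target servers a terminal may connect to.

```python
"""Risk-tiered admission control for a security access gateway (added example).

Flow: authenticate the terminal, look up its security risk level from the
request attributes, map the level to a policy ID (attributes decide inside
the preset range, the level decides outside it), gate connections on the
resulting admission policy, and re-evaluate when the terminal's local
operating state changes. Every store and value below is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed scale: risk levels 1..5, lower is safer. Levels inside
# PRESET_RANGE are "normal" and the terminal's attributes pick the policy;
# levels outside it are decided by the level alone (claim 4).
PRESET_RANGE = range(1, 4)  # levels 1, 2, 3
POLICY_BY_ATTRIBUTE = {"finance": "P-FIN", "it": "P-IT"}  # constructed
POLICY_BY_LEVEL = {4: "P-RESTRICTED", 5: "P-QUARANTINE"}  # constructed
DEFAULT_POLICY_ID = "P-GUEST"
MAX_LEVEL = max(POLICY_BY_LEVEL)

# Admission policy: policy ID -> target servers the terminal may reach.
ADMISSION_POLICIES = {
    "P-FIN": frozenset({"core-banking", "intranet"}),
    "P-IT": frozenset({"intranet", "jumphost"}),
    "P-GUEST": frozenset({"intranet"}),
    "P-RESTRICTED": frozenset({"remediation"}),
    "P-QUARANTINE": frozenset(),
}


def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed credential store: username -> (salt, sha256(salt || password)).
_SALT = b"constructed-salt"
CREDENTIALS = {"alice": (_SALT, _digest(_SALT, "correct horse"))}
# Constructed asset inventory: terminal ID -> security risk level.
RISK_DB = {"T-1001": 2, "T-2002": 5}


@dataclass
class Session:
    terminal_id: str
    attributes: dict
    base_level: int        # inventory level at authentication time
    risk_level: int        # current level after posture updates
    policy_id: str
    allowed_servers: frozenset


def verify_identity(username: str, password: str) -> bool:
    """Claim 1, step 1: constant-time check of the verification information.
    Unknown users still pay for one hash so timing does not reveal them."""
    entry = CREDENTIALS.get(username)
    if entry is None:
        _digest(_SALT, password)
        return False
    salt, expected = entry
    return hmac.compare_digest(_digest(salt, password), expected)


def query_risk_level(attributes: dict) -> int:
    """Claim 1, step 2: level by attributes; unknown terminals fail closed."""
    return RISK_DB.get(attributes.get("terminal_id"), MAX_LEVEL)


def determine_policy_id(risk_level: int, attributes: dict) -> str:
    """Claim 4: attributes decide inside the preset range, level outside."""
    if risk_level in PRESET_RANGE:
        return POLICY_BY_ATTRIBUTE.get(attributes.get("department"), DEFAULT_POLICY_ID)
    return POLICY_BY_LEVEL.get(risk_level, "P-QUARANTINE")


def admit(request: dict) -> Optional[Session]:
    """Claims 1 and 3 end to end; None means authentication failed."""
    if not verify_identity(request["username"], request["password"]):
        return None
    attrs = request["attributes"]
    level = query_risk_level(attrs)
    pid = determine_policy_id(level, attrs)
    return Session(attrs["terminal_id"], attrs, level, level, pid, ADMISSION_POLICIES[pid])


def may_connect(session: Session, target_server: str) -> bool:
    """Claim 1, step 4: the gateway's decision for one connection attempt."""
    return target_server in session.allowed_servers


def risk_from_local_state(base_level: int, state: dict) -> int:
    """Claim 5: each failed posture check (missing counts as failed) raises
    the level by one, capped at MAX_LEVEL (constructed rule)."""
    failed = sum(1 for k in ("av_running", "patched") if not state.get(k))
    return min(base_level + failed, MAX_LEVEL)


def update_session(session: Session, state: dict) -> Session:
    """Claim 5: recompute level, policy ID and admission policy after a change
    in the monitored local operating state."""
    level = risk_from_local_state(session.base_level, state)
    pid = determine_policy_id(level, session.attributes)
    return Session(session.terminal_id, session.attributes, session.base_level,
                   level, pid, ADMISSION_POLICIES[pid])
```

Two properties of the flow are worth noticing in the code: a terminal whose level rises but stays inside the preset range keeps its attribute-based policy (level 2 to 3 is still P-FIN), while crossing the range boundary switches it to the level-based policy regardless of department; and a terminal missing from the inventory is treated as the highest level rather than as a normal one, so an unregistered endpoint lands in quarantine instead of on a default-allow path.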

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911175585.XA CN110855709A (en) 2019-11-26 2019-11-26 Access control method, device, equipment and medium for security access gateway

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911175585.XA CN110855709A (en) 2019-11-26 2019-11-26 Access control method, device, equipment and medium for security access gateway

Publications (1)

Publication Number Publication Date
CN110855709A true CN110855709A (en) 2020-02-28

Family

ID=69604827

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911175585.XA Pending CN110855709A (en) 2019-11-26 2019-11-26 Access control method, device, equipment and medium for security access gateway

Country Status (1)

Country Link
CN (1) CN110855709A (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105610962A (en) * 2016-01-15 2016-05-25 华洋通信科技股份有限公司 Anti-conflict mobile terminal IP address allocation relay equipment and method
CN108183924A (en) * 2018-03-01 2018-06-19 深圳市买买提信息科技有限公司 A kind of login validation method and terminal device
CN110278556A (en) * 2018-03-13 2019-09-24 中兴通讯股份有限公司 A kind of safety certification strategy determines method, equipment and computer readable storage medium
US20190325449A1 (en) * 2018-04-23 2019-10-24 Trans Union Llc Systems and methods for dynamic identity decisioning
CN109086582A (en) * 2018-06-15 2018-12-25 努比亚技术有限公司 A kind of fingerprint verification method, terminal and computer readable storage medium

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111510453A (en) * 2020-04-15 2020-08-07 深信服科技股份有限公司 Business system access method, device, system and medium
CN111510453B (en) * 2020-04-15 2023-02-03 深信服科技股份有限公司 Business system access method, device, system and medium
CN112202708A (en) * 2020-08-24 2021-01-08 国网山东省电力公司 Identity authentication method and device, electronic equipment and storage medium
CN112165536B (en) * 2020-09-11 2022-11-11 中国银联股份有限公司 Network terminal authentication method and device
CN112165536A (en) * 2020-09-11 2021-01-01 中国银联股份有限公司 Network terminal authentication method and device
CN112351005A (en) * 2020-10-23 2021-02-09 杭州安恒信息技术股份有限公司 Internet of things communication method and device, readable storage medium and computer equipment
CN112351005B (en) * 2020-10-23 2022-11-15 杭州安恒信息技术股份有限公司 Internet of things communication method and device, readable storage medium and computer equipment
CN112565257A (en) * 2020-12-03 2021-03-26 国网安徽省电力有限公司检修分公司 Security process management system based on power grid special and edge Internet of things agent
CN112613007A (en) * 2020-12-22 2021-04-06 北京八分量信息科技有限公司 Data access method and device based on credible authentication and related products
CN112613007B (en) * 2020-12-22 2024-02-09 北京八分量信息科技有限公司 Data admission method and device based on trusted authentication and related products
CN113612771A (en) * 2021-08-03 2021-11-05 烽火通信科技股份有限公司 Protection method and device based on Internet of things authentication
CN113691521A (en) * 2021-08-19 2021-11-23 北京鼎普科技股份有限公司 Method for network access based on terminal
CN113905362A (en) * 2021-09-24 2022-01-07 深圳市欧瑞博科技股份有限公司 Method and device for optimizing network access of Ble Mesh device, electronic device and storage medium

Similar Documents

Publication Publication Date Title
CN110855709A (en) Access control method, device, equipment and medium for security access gateway
US10652226B2 (en) Securing communication over a network using dynamically assigned proxy servers
US11245576B2 (en) Blockchain-based configuration profile provisioning system
US10110585B2 (en) Multi-party authentication in a zero-trust distributed system
US8407240B2 (en) Autonomic self-healing network
US9237021B2 (en) Certificate grant list at network device
EP2779574A1 (en) Attack detection and prevention using global device fingerprinting
CA2955066C (en) Method and system for providing a virtual asset perimeter
CN114553540B (en) Zero trust-based Internet of things system, data access method, device and medium
CN111898124B (en) Process access control method and device, storage medium and electronic equipment
CN113347072B (en) VPN resource access method, device, electronic equipment and medium
US20120005729A1 (en) System and method of network authorization by scoring
US20200052908A1 (en) Method and system for managing public-key client certificates
CN111737232A (en) Database management method, system, device, equipment and computer storage medium
CN115795493A (en) Access control policy deployment method, related device and access control system
CN114710302A (en) Internet access control method and control device thereof
US10412097B1 (en) Method and system for providing distributed authentication
CN111711612B (en) Communication control method, method and device for processing communication request
US20220311777A1 (en) Hardening remote administrator access
CN115834209A (en) Remote server based on VPN connection and login method thereof
CN115733674A (en) Security reinforcement method and device, electronic equipment and readable storage medium
CN117061140A (en) Penetration defense method and related device
CN118056380A (en) Limiting lateral traversal within a computer network
CN116684113A (en) Service processing method and related device based on SDP (software defined boundary)
CN115834182A (en) User identity authentication method and device, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20220915
Address after: 25 Financial Street, Xicheng District, Beijing 100033
Applicant after: CHINA CONSTRUCTION BANK Corp.
Address before: 25 Financial Street, Xicheng District, Beijing 100033
Applicant before: CHINA CONSTRUCTION BANK Corp.
Applicant before: Jianxin Financial Science and Technology Co.,Ltd.
RJ01 Rejection of invention patent application after publication
Application publication date: 20200228