CN111107106A - Authentication method, authentication system, firewall device and storage medium (Google Patents)

Info

Publication number: CN111107106A
Authority: CN (China)
Prior art keywords: authentication, user information, user, firewall, authentication server
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201911424084.0A
Other languages: Chinese (zh)
Inventor: 李超
Current assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Priority date / filing date / publication date: not listed on this page (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)

Events:
    • Application filed by Qianxin Technology Group Co Ltd, Secworld Information Technology Beijing Co Ltd
    • Priority to CN201911424084.0A
    • Publication of CN111107106A
    • Legal status: Pending (current)

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present disclosure provides an authentication method for a firewall, including: acquiring an authentication user information set in an authentication server, wherein the authentication user information set is a set of user information of users who finish authentication on the authentication server; receiving an access request of a first user to an external network; and determining, in response to the access request, whether to allow the first user to access an external network based on the set of authenticated user information. The present disclosure also provides an authentication system for a firewall, a firewall device, and a computer-readable storage medium.

Description

Authentication method, authentication system, firewall device and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and more particularly, to an authentication method for a firewall, an authentication system for a firewall, a firewall device, and a computer-readable storage medium.
Background
As enterprise business grows, more and more network devices are deployed inside enterprises. To protect the internal network, a firewall is usually placed between the intranet and the extranet, so that an intranet user who needs to reach the extranet must pass through the firewall, and the firewall decides whether that user is allowed to access the extranet.
In implementing the disclosed concept, the inventors found that there are at least the following problems in the related art:
if an intranet user wants to access the extranet, the user first has to be authenticated on the firewall, for example through user authentication software; only after that authentication succeeds is extranet access allowed, and otherwise it is refused. This authentication mode is inefficient and involves redundant operations.
Disclosure of Invention
In view of the above, the present disclosure provides an authentication method for a firewall, an authentication system for a firewall, a firewall device, and a computer-readable storage medium.
One aspect of the present disclosure provides an authentication method for a firewall, including: acquiring an authentication user information set in an authentication server, wherein the authentication user information set is a set of user information of users who finish authentication on the authentication server; receiving an access request of a first user to an external network; and determining, in response to the access request, whether to allow the first user to access an external network based on the set of authenticated user information.
According to an embodiment of the present disclosure, acquiring the set of authenticated user information in the authentication server includes acquiring the authenticated user information set from the authentication server at every predetermined time interval.
According to an embodiment of the present disclosure, the method further comprises obtaining authenticated user information from the authentication server.
According to an embodiment of the present disclosure, the method further comprises: sending authentication information to the authentication server so that the authentication server authenticates the firewall; and receiving authentication result information from the authentication server, wherein under the condition that the authentication result information represents that the authentication server successfully authenticates the firewall, an authentication user information set is obtained from the authentication server.
According to an embodiment of the present disclosure, the determining, in response to the access request, whether to allow the first user to access an external network based on the set of authenticated user information includes: acquiring user information of the first user from the access request; determining whether the user information of the first user matches the set of authenticated user information; determining whether to allow the first user to access an external network based on a matching result.
According to an embodiment of the present disclosure, determining whether to allow the first user to access the external network based on the matching result includes: allowing the first user to access the external network when the matching result indicates that the user information of the first user matches the authenticated user information set; and sending an authentication request to the first user when the matching result indicates that the user information of the first user does not match the authenticated user information set, so that the first user can authenticate on the authentication server based on the authentication request.
According to an embodiment of the present disclosure, the method further comprises: acquiring an updated authenticated user information set from the authentication server; and replacing the existing authentication user information set with the updated authentication user information set.
Another aspect of the present disclosure provides an authentication system for a firewall, comprising: the information acquisition module is used for acquiring an authentication user information set in an authentication server, wherein the authentication user information set is a set of user information of users who finish authentication on the authentication server; the request acquisition module is used for acquiring an access request of a first user to an external network; a determination module that determines, in response to the access request, whether to allow the first user to access an external network based on the set of authenticated user information.
According to an embodiment of the present disclosure, the system further comprises: the authentication module is used for sending authentication information to the authentication server so that the authentication server can authenticate the firewall; and the result processing module is used for receiving authentication result information from the authentication server and controlling the acquisition module to acquire an authentication user information set from the authentication server under the condition that the authentication result information represents that the authentication server successfully authenticates the firewall.
According to an embodiment of the present disclosure, the determining module includes: the user information submodule is used for acquiring the user information of the first user from the access request; a matching sub-module, configured to determine, in response to the access request, whether the user information of the first user matches the set of authenticated user information; a determination sub-module for determining whether to allow the first user to access an external network based on a matching result.
Another aspect of the present disclosure provides a firewall apparatus, including: one or more processors; memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program product comprising computer readable instructions, wherein the computer readable instructions, when executed, are for performing the method as described above.
According to the embodiments of the disclosure, the firewall synchronizes the authenticated user information list held on the authentication server and treats users already authenticated there as authentication-free users of the firewall. This at least partially solves the inefficiency of the prior-art authentication mode and, while maintaining security, improves the firewall's authentication-free handling, the efficiency of user authentication and the real-time synchronization of the firewall's authentication-free users, and reduces redundant operations.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates an exemplary system architecture to which an authentication method may be applied, according to an embodiment of the present disclosure;
fig. 2 schematically illustrates a flow chart of an authentication method for a firewall according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart for determining whether to allow the first user to access the external network based on the set of authenticated user information, according to an embodiment of the disclosure;
fig. 4 schematically illustrates a flow diagram of an authentication method for a firewall according to another embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow diagram of firewall interaction with a server, according to an embodiment of the disclosure;
fig. 6 schematically illustrates a block diagram of an authentication system 300 for a firewall, in accordance with an embodiment of the present disclosure; and
fig. 7 schematically illustrates a block diagram of a firewall device suitable for implementing an authentication method according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.). Where a convention analogous to "A, B or at least one of C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
An embodiment of the present disclosure provides an authentication method for a firewall, including: acquiring an authenticated user information set in the authentication server, wherein the authenticated user information set is a set of user information of users who have completed authentication on the authentication server. A request by a first user for access to an external network is received. In response to the access request, it is determined whether to allow the first user access to the external network based on the set of authenticated user information.
Fig. 1 schematically illustrates an exemplary system architecture 100 to which an authentication method may be applied, according to an embodiment of the disclosure. It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, the system architecture 100 of this embodiment may include a firewall 101, an AD (Active Directory) server 102 and internal network devices 103, all serving in the same internal network. The authentication server of this embodiment may be the AD server 102, which may be connected to multiple network devices 103 in the internal network and manage them. The firewall 101 is also connected to multiple network devices 103 in the internal network, so that a user can connect to the firewall 101 through those devices and access the external network through the firewall 101.
An AD server is a directory service for Windows Standard Server, Windows Enterprise Server and Windows Datacenter Server. A directory is a hierarchical structure that stores information about objects on a network; like a book's table of contents, it lets objects on the internal network be located quickly in a Windows system, including shared resources (such as servers, printers, network users and computer accounts), domains, applications, services and security policies.
The intranet user needs to authenticate on the AD server, the network can be accessed only after the authentication is passed, the AD server stores the user information set of the authenticated user, and the user information set can be stored in a list form. In the related art, many users have already been authenticated on the AD server, but still need to be authenticated again at the firewall, which causes problems of inefficiency and operation redundancy.
The authentication method of the embodiment of the disclosure can enable the firewall to acquire the authentication user information set from the AD server, and determine whether to allow the intranet user to access the external network according to the authentication user information set. Therefore, a user authenticated on the AD server can access the external network through the firewall without re-authentication at the firewall.
It should be noted that the authentication method provided by the embodiment of the present disclosure may be generally executed by the firewall 101. Accordingly, the authentication system provided by the embodiment of the present disclosure may be generally disposed in the firewall 101. The authentication method provided by the embodiment of the present disclosure may also be performed by another firewall in the intranet that is different from firewall 101 and capable of communicating with AD server 102. Accordingly, the authentication system provided in the embodiment of the present disclosure may be provided in another firewall in the intranet that is different from the firewall 101 and is capable of communicating with the AD server 102.
Fig. 2 schematically shows a flow chart of an authentication method for a firewall according to an embodiment of the present disclosure.
As shown in fig. 2, the method includes operations S210 to S230.
In operation S210, an authenticated user information set in the authentication server is obtained, where the authenticated user information set is a set of user information of users who have completed authentication on the authentication server.
For example, the authentication server may be an AD server in an internal network, and the set of authenticated user information may refer to a set of user information of authenticated users on the AD server.
In operation S220, an access request of a first user to an external network is received.
For example, a user may send a request to a firewall to access an external network through a network device such as a computer, a mobile phone, a server, etc., and accordingly, the firewall may receive a request from any intranet user to access an external network from these network devices. The first user may refer to any one of all intranet users.
In operation S230, it is determined whether to allow the first user to access the external network based on the authenticated user information set in response to the access request.
For example, if the user information of the first user is located in the set of authenticated user information, the first user may be allowed to access the external network without requiring the first user to re-authenticate at the firewall.
According to the embodiment of the disclosure, the firewall can synchronize the authentication user information list on the AD server, and the user authenticated on the AD server is used as the authentication-free user of the firewall, so that the security is ensured, meanwhile, the authentication-free performance of the firewall is improved, the efficiency of user authentication is improved, the synchronization real-time performance of the authentication-free user of the firewall is improved, and the redundancy of operation is reduced.
According to an embodiment of the present disclosure, obtaining the authenticated user information set in the authentication server may include: and acquiring the authentication user information set from the authentication server every preset time.
The predetermined time may be, for example, one minute or ten minutes. A timer may be set on the firewall; at every predetermined interval the timer starts a thread that uses a Windows management tool to obtain the authenticated user information set from the AD server, and the thread is released once the operation completes.
After receiving the authenticated user information set, the firewall may store the authenticated user information set locally, and may use the user in the authenticated user information set as an authentication-free user.
According to the embodiment of the disclosure, the firewall acquires the authenticated user information set from the AD server once every preset time, the newly acquired authenticated user information set can be used for replacing the existing authenticated user information set on the firewall, and the authenticated user information set on the firewall can be ensured to be updated once every preset time.
According to the embodiment of the disclosure, the firewall may further obtain the updated authenticated user information set from the authentication server, and replace the existing authenticated user information set with the updated authenticated user information set.
For example, the authentication server may run a monitoring thread; when it detects that its authenticated user information set has been updated, the authentication server may notify the firewall of the update, and after receiving that notification the firewall may request the updated authenticated user information set from the authentication server, which returns it to the firewall. Alternatively, after detecting that its authenticated user information set has changed, the authentication server may actively send the updated set to the firewall.
After receiving the updated authenticated user information set, the firewall can replace the existing authenticated user information set on the firewall with the updated authenticated user information set.
Based on the above manner, the firewall can timely acquire the updated authenticated user information set after the authenticated user information set on the authentication server changes, so that the real-time synchronization between the firewall and the authenticated user information set on the authentication server is realized.
According to an embodiment of the present disclosure, the authentication method for a firewall may further include: authenticated user information is obtained from an authentication server.
The firewall may obtain one or more authenticated user information from the server. For example, the firewall may obtain information of one or more authenticated users authenticated within a certain time period in the authentication server; alternatively, information of one or more authenticated users having a certain same characteristic in the authentication server may be acquired; or, when it is monitored that new authenticated user information is added to the authenticated user information set in the authentication server, information of one or more newly added authenticated users can be acquired from the authentication server.
In this way, the firewall can obtain not only the whole authenticated user information set in the authentication server but also one or more specific items of authenticated user information according to different requirements, and the firewall's authentication mode can be configured accordingly.
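The three acquisition patterns described above (a timer-driven full pull at every predetermined interval, a pushed update that replaces the existing set, and a selective fetch of users authenticated since a given time) are shown together in the following example. It is added here and is not code from the patent or its assignees: the AD server is a local stand-in object, the server's "monitoring thread" is modelled as a subscriber callback, the clock is injectable so the interval logic can be exercised without sleeping, and the staleness bound (refusing authentication-free access once the local copy is older than `max_age`) is this example's own design choice rather than something the patent specifies.

```python
"""Synchronizing the firewall's authenticated-user set with the server.

Added example, not the patent's code. AuthServerStub stands in for the AD
server; FakeClock replaces wall-clock time; max_age is an added safeguard.
"""
from typing import Callable, Dict, List, Optional


class FakeClock:
    """Injectable clock so interval and staleness checks are deterministic."""
    def __init__(self, t: float = 0.0) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, dt: float) -> None:
        self.t += dt


class AuthServerStub:
    """Stand-in for the AD server: user_id -> time of authentication, plus a
    'monitoring thread' modelled as subscriber callbacks fired on change."""
    def __init__(self) -> None:
        self._users: Dict[str, float] = {}
        self._listeners: List[Callable[[Dict[str, float]], None]] = []

    def subscribe(self, cb: Callable[[Dict[str, float]], None]) -> None:
        self._listeners.append(cb)

    def _notify(self) -> None:
        for cb in self._listeners:      # push the whole updated set
            cb(self.snapshot())

    def authenticate_user(self, user_id: str, at: float) -> None:
        self._users[user_id] = at
        self._notify()

    def revoke(self, user_id: str) -> None:
        if self._users.pop(user_id, None) is not None:
            self._notify()

    def snapshot(self) -> Dict[str, float]:
        return dict(self._users)

    def authenticated_since(self, since: float) -> Dict[str, float]:
        """Selective fetch: only users authenticated at or after `since`."""
        return {u: t for u, t in self._users.items() if t >= since}


class SyncedUserSet:
    """Firewall-side copy of the authenticated-user set."""
    def __init__(self, server: AuthServerStub, interval: float, max_age: float,
                 clock: Callable[[], float], subscribe: bool = True) -> None:
        self.server, self.interval, self.max_age, self.clock = server, interval, max_age, clock
        self._users: Dict[str, float] = {}
        self.last_sync: Optional[float] = None
        self.generation = 0
        if subscribe:
            server.subscribe(self.replace)   # pushed updates replace the set

    def replace(self, new_set: Dict[str, float]) -> None:
        """Swap in a complete set with one assignment: a concurrent decision
        sees either the old set or the new one, never a half-written mix."""
        self._users = dict(new_set)
        self.last_sync = self.clock()
        self.generation += 1

    def tick(self) -> bool:
        """Timer callback: pull a full set once the interval has elapsed."""
        now = self.clock()
        if self.last_sync is not None and now - self.last_sync < self.interval:
            return False
        self.replace(self.server.snapshot())
        return True

    def merge_new_since(self, since: float) -> Dict[str, float]:
        """Selective fetch of newly authenticated users; merged, not a full sync,
        so last_sync is deliberately left untouched."""
        delta = self.server.authenticated_since(since)
        self._users.update(delta)
        if delta:
            self.generation += 1
        return delta

    def is_stale(self) -> bool:
        return self.last_sync is None or self.clock() - self.last_sync > self.max_age

    def is_authenticated(self, user_id: str) -> bool:
        # Fail closed: a copy older than max_age no longer grants authentication-free access.
        return not self.is_stale() and user_id in self._users


def demo() -> Dict[str, bool]:
    """Constructed scenario: push, timer, revocation, then staleness."""
    clock = FakeClock(1000.0)
    synced = SyncedUserSet(AuthServerStub(), interval=60.0, max_age=600.0, clock=clock)
    server = synced.server
    out: Dict[str, bool] = {}
    server.authenticate_user("alice", clock())           # push -> generation 1
    out["push_alice"] = synced.is_authenticated("alice")  # True
    clock.advance(30); out["tick_30"] = synced.tick()     # False: interval not elapsed
    clock.advance(40); out["tick_70"] = synced.tick()     # True: full pull
    server.revoke("alice")                                # push removes alice
    out["after_revoke"] = synced.is_authenticated("alice")  # False
    clock.advance(700)                                    # nothing synced for > max_age
    out["stale"] = synced.is_stale()                      # True
    return out
```

The `replace` method keeps the whole set in one object so that a decision thread reading the set and the timer thread replacing it never observe a partially updated dictionary; the selective fetch updates in place because it only ever adds entries.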
According to the embodiment of the disclosure, the access request sent by the user may include user information of the user who initiated the request, and the user information may be, for example, an account number, a password, a user ID, and other information capable of characterizing the user identity.
Fig. 3 schematically shows a flowchart for determining whether to allow the first user to access the external network based on the set of authenticated user information according to an embodiment of the present disclosure.
As shown in fig. 3, operation S230 may include, according to an embodiment of the present disclosure, the steps of:
in operation S231, user information of the first user is acquired from the access request.
For example, information such as an account number, a password, a user ID, etc. of the first user may be acquired.
In operation S232, it is determined whether the user information of the first user matches the authenticated user information set.
For example, it may be determined whether the authenticated user information set includes user information of a first user, and if so, the user information of the first user is considered to be matched with the authenticated user information set, and if not, the user information of the first user is considered to be not matched with the authenticated user information set.
In operation S233, it is determined whether the first user is allowed to access the external network based on the matching result.
According to the embodiment of the disclosure, in the case that the user information of the first user is matched with the set of authenticated user information according to the matching result, the first user is allowed to access the external network.
And under the condition that the matching result represents that the user information of the first user does not match with the authentication user information set, sending an authentication request to the first user so that the first user can authenticate on the authentication server based on the authentication request.
For example, the firewall may send authentication request information to the network device, which presents an authentication window to the user; the user enters credentials in that window, and the network device sends the entered information to the AD server for authentication. After the AD server authenticates the user successfully, the firewall may retrieve the authenticated user information set from the AD server and update its existing authenticated user information, so that the newly authenticated user can access the external network. If the user chooses not to authenticate, the firewall may block the user from accessing the external network.
According to the embodiment of the disclosure, whether a user is allowed to access the external network is decided by checking whether the user information in the access request matches the authenticated user information set acquired by the firewall, so the firewall can authenticate and release the user quickly. When the matching fails, the user can be guided to authenticate on the authentication server, and the authentication information can be updated in time.
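The decision flow of fig. 2 (S210 to S230) and its refinement in fig. 3 (S231 to S233) can be written out as follows. This is an added example, not the patent's or the assignees' code. It assumes that the set obtained from the authentication server is a dict of user ID to attributes, that the access request carries the user ID the firewall has bound to the requesting session (the patent only says the request carries user information such as an account number or user ID, without saying how it is bound), that user IDs compare case-insensitively as AD account names do, and that the "authentication request" sent to an unmatched user is represented by a URL in the returned decision; the sample set and URL are constructed.

```python
"""Firewall-side decision against a synchronized authenticated-user set.

Added example, not the patent's code. The user set, the URL and the
binding of a request to a user ID are this example's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AccessRequest:
    user_id: str       # identity bound to the requesting intranet session
    destination: str   # external host the user wants to reach


@dataclass
class Decision:
    allow: bool
    reason: str
    auth_request: Optional[str] = None   # set when the user must authenticate first


class FirewallAuthenticator:
    def __init__(self, auth_server_url: str) -> None:
        self.auth_server_url = auth_server_url     # where unmatched users are sent
        self._authenticated: Dict[str, dict] = {}  # S210: local copy of the server's set
        self.generation = 0                        # bumped on every replacement

    def load_set(self, user_set: Dict[str, dict]) -> None:
        """Replace the local copy with a set received from the server."""
        self._authenticated = {uid.lower(): attrs for uid, attrs in user_set.items()}
        self.generation += 1

    @staticmethod
    def _extract_user(req: AccessRequest) -> Optional[str]:
        """S231: pull the user information out of the access request."""
        uid = (req.user_id or "").strip().lower()
        return uid or None

    def _matches(self, user_id: str) -> bool:
        """S232: membership test against the authenticated-user set."""
        return user_id in self._authenticated

    def decide(self, req: AccessRequest) -> Decision:
        """S230 / S233: allow, or answer with an authentication request."""
        uid = self._extract_user(req)
        if uid is None:
            return Decision(False, "request carries no user information", self.auth_server_url)
        if self._matches(uid):
            return Decision(True, f"{uid} is authenticated on the server (set generation {self.generation})")
        # Not an authentication-free user: steer the user to the authentication server.
        return Decision(False, f"{uid} is not in the authenticated set", self.auth_server_url)


# Constructed sample set, standing in for what the AD server would return.
SAMPLE_SET = {"Alice": {"dept": "eng"}, "bob": {"dept": "ops"}}


def demo() -> Dict[str, Decision]:
    fw = FirewallAuthenticator("https://auth.example.internal/login")  # placeholder URL
    fw.load_set(SAMPLE_SET)
    return {
        "alice": fw.decide(AccessRequest("alice", "www.example.com")),      # allowed
        "mallory": fw.decide(AccessRequest("mallory", "www.example.com")),  # challenged
        "anonymous": fw.decide(AccessRequest("", "www.example.com")),       # challenged
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

A request with no user information is treated the same as an unmatched one: the user is directed to the authentication server rather than being passed through, so an empty or missing identity never becomes a path to authentication-free access.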
Fig. 4 schematically shows a flow chart of an authentication method for a firewall according to another embodiment of the present disclosure.
As shown in fig. 4, the authentication method may further include S201 to S202 according to an embodiment of the present disclosure.
In operation S201, authentication information is transmitted to the authentication server to cause the authentication server to authenticate the firewall.
In operation S202, authentication result information is received from the authentication server.
According to the embodiment of the disclosure, when the authentication result information indicates that the authentication server has authenticated the firewall, the authenticated user information set is obtained from the authentication server.
Fig. 5 schematically shows a flow chart of firewall interaction with a server according to an embodiment of the present disclosure.
As shown in fig. 5, the firewall needs to authenticate to the AD server first, and the firewall has the right to acquire the authenticated user information set from the AD server after the AD server successfully authenticates. For example, the firewall may send authentication information such as an account number, a password, and configuration information to the AD server, and the AD server determines whether the firewall is authenticated based on the authentication information sent by the firewall, for example, if the authentication information sent by the firewall matches corresponding information pre-stored in the AD server, the firewall may be considered to be authenticated. The AD server may notify the firewall of the authentication result so that the firewall transmits a request to extract the authenticated user information set to the AD server, and the AD server transmits the authenticated user information set to the firewall based on the extraction request.
According to the embodiment of the disclosure, before the firewall and the authentication server perform transmission of the authentication user information, the firewall needs to perform authentication on the authentication server, and the authentication server enables the firewall to have permission to acquire the authentication user information from the authentication server under the condition that the authentication server passes the authentication of the firewall, so that the security of the authentication user information can be guaranteed.
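The fig. 5 exchange, in which the firewall must authenticate to the server before it is permitted to extract the authenticated user information set, is worked through in the following example with both sides in one process. It is an added example and not the patent's or the assignees' code: the "account number, password and configuration information" the text mentions are reduced to a firewall identifier plus a shared secret, messages are plain dicts, and the PBKDF2 storage of the secret, the constant-time comparison, the short-lived extraction token and its expiry are this example's own choices.

```python
"""Firewall authenticates to the server before the set is released
(operations S201 and S202 and the fig. 5 exchange).

Added example, not the patent's code. Message format, token scheme and
credential storage are this example's assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ROUNDS = 50_000


class AuthServer:
    """Stand-in for the AD server side of the exchange."""
    def __init__(self, clock: Callable[[], float], token_ttl: float = 300.0) -> None:
        self.clock = clock
        self.token_ttl = token_ttl
        self._firewalls: Dict[str, Tuple[bytes, bytes]] = {}  # fw_id -> (salt, derived key)
        self._tokens: Dict[str, Tuple[str, float]] = {}       # token -> (fw_id, expiry)
        self.authenticated_users: Dict[str, dict] = {}        # the set firewalls extract

    @staticmethod
    def _derive(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)

    def register_firewall(self, fw_id: str, secret: str) -> None:
        """Pre-store the firewall's credential (the 'corresponding information
        pre-stored in the AD server')."""
        salt = secrets.token_bytes(16)
        self._firewalls[fw_id] = (salt, self._derive(secret, salt))

    def handle_auth(self, msg: dict) -> dict:
        """Message 1 (authentication information) -> message 2 (result)."""
        record = self._firewalls.get(msg.get("firewall_id", ""))
        if record is None:
            return {"result": "denied"}
        salt, expected = record
        presented = self._derive(msg.get("secret", ""), salt)
        if not hmac.compare_digest(presented, expected):   # constant-time compare
            return {"result": "denied"}
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (msg["firewall_id"], self.clock() + self.token_ttl)
        return {"result": "ok", "token": token}

    def handle_fetch(self, msg: dict) -> dict:
        """Message 3 (extraction request) -> message 4 (the set), only while
        the token issued in message 2 is valid."""
        entry = self._tokens.get(msg.get("token", ""))
        if entry is None or entry[0] != msg.get("firewall_id") or entry[1] < self.clock():
            return {"result": "denied"}
        return {"result": "ok", "users": dict(self.authenticated_users)}


class FirewallClient:
    """Firewall side: S201 send authentication info, S202 receive result,
    then extract the set if permitted."""
    def __init__(self, fw_id: str, secret: str, server: AuthServer) -> None:
        self.fw_id, self._secret, self.server = fw_id, secret, server
        self.token: Optional[str] = None
        self.user_set: Dict[str, dict] = {}

    def authenticate(self) -> bool:
        reply = self.server.handle_auth({"firewall_id": self.fw_id, "secret": self._secret})
        self.token = reply.get("token")
        return reply["result"] == "ok"

    def fetch_user_set(self) -> bool:
        if self.token is None:            # never authenticated: no extraction attempt
            return False
        reply = self.server.handle_fetch({"firewall_id": self.fw_id, "token": self.token})
        if reply["result"] != "ok":
            return False
        self.user_set = reply["users"]
        return True


def demo() -> dict:
    """Constructed scenario: correct secret, wrong secret, expired token."""
    clock = [0.0]
    server = AuthServer(lambda: clock[0])
    server.register_firewall("fw-01", "constructed-shared-secret")
    server.authenticated_users = {"alice": {}, "bob": {}}      # constructed sample set
    good = FirewallClient("fw-01", "constructed-shared-secret", server)
    wrong = FirewallClient("fw-01", "not-the-secret", server)
    results = {
        "good_auth": good.authenticate(),      # True
        "good_fetch": good.fetch_user_set(),   # True
        "wrong_auth": wrong.authenticate(),    # False
        "wrong_fetch": wrong.fetch_user_set(), # False: no token was issued
    }
    clock[0] += 301.0                          # past token_ttl
    results["expired_fetch"] = good.fetch_user_set()   # False: must re-authenticate
    results["users"] = sorted(good.user_set)
    return results
```

The extraction token is bound to the firewall identifier and to a short lifetime, so the permission the server grants in message 2 cannot be reused indefinitely; a firewall whose token has expired simply repeats S201 and S202 before its next extraction.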
Another aspect of the disclosed embodiments provides an authentication system for a firewall.
Fig. 6 schematically illustrates a block diagram of an authentication system 300 for a firewall, in accordance with an embodiment of the disclosure.
As shown in fig. 6, the authentication system 300 may include an information acquisition module 310, a request acquisition module 320, and a determination module 330.
The information obtaining module 310 is configured to obtain an authenticated user information set in the authentication server, where the authenticated user information set is a set of user information of users who complete authentication on the authentication server.
The request obtaining module 320 is configured to obtain an access request of a first user to an external network.
The determining module 330 is configured to determine whether to allow the first user to access the external network based on the set of authenticated user information in response to the access request.
According to an embodiment of the present disclosure, the information obtaining module 310 is further configured to obtain the authenticated user information set from the authentication server at predetermined intervals.
According to an embodiment of the present disclosure, the information obtaining module 310 is further configured to obtain authenticated user information from an authentication server.
According to an embodiment of the present disclosure, the authentication system may further include an authentication module and a result processing module.
The authentication module is configured to send authentication information to the authentication server so that the authentication server can authenticate the firewall.
The result processing module is configured to receive the authentication result information from the authentication server and, when the authentication result information indicates that the authentication server has successfully authenticated the firewall, to instruct the information obtaining module 310 to acquire the authenticated user information set from the authentication server.
According to an embodiment of the present disclosure, the determination module may include a user information sub-module, a matching sub-module, and a determination sub-module.
The user information sub-module is configured to extract the user information of the first user from the access request.
The matching sub-module is configured to determine, in response to the access request, whether the user information of the first user matches the authenticated user information set.
The determination sub-module is configured to determine whether to allow the first user to access the external network based on the matching result.
According to an embodiment of the present disclosure, the determining sub-module may be further configured to allow the first user to access the external network when the matching result indicates that the user information of the first user matches the set of authenticated user information, and, when the matching result indicates that the user information of the first user does not match the set, to send an authentication request to the first user so that the first user can authenticate on the authentication server based on that request.
According to an embodiment of the present disclosure, the authentication system may further include an update module configured to obtain an updated authenticated user information set from the authentication server; and replacing the existing authenticated user information set with the updated authenticated user information set.
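The flow of fig. 5 and the module arrangement above, as a small runnable model added here for illustration; it is not code from the patent or its assignee. `AuthServer`, `Firewall`, the account `fw01`, the password and the user names are constructed placeholders, and the refresh interval is driven by an injectable clock so the periodic fetch can be exercised deterministically. The model also shows two behaviours the text implies but does not spell out: a firewall that fails its own authentication never receives the set (so it can only answer "authenticate first"), and each refresh replaces the local set wholesale rather than merging into it.

```python
"""Model of the firewall-side flow: authenticate to the authentication server,
pull the authenticated-user set at a fixed interval, and decide each access
request by matching the requester against that set.  Added example; all names,
credentials and users are constructed for illustration and not from the patent."""
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class AuthServer:
    """Stand-in for the AD / authentication server (constructed)."""
    firewall_credentials: Dict[str, str]            # account -> password pre-stored on the server
    authenticated_users: Set[str] = field(default_factory=set)
    _trusted_firewalls: Set[str] = field(default_factory=set)

    def authenticate_firewall(self, account: str, password: str) -> bool:
        """Compare what the firewall sent with the pre-stored record."""
        expected = self.firewall_credentials.get(account)
        ok = expected is not None and hmac.compare_digest(expected, password)
        if ok:
            self._trusted_firewalls.add(account)
        return ok

    def extract_authenticated_users(self, account: str) -> Optional[Set[str]]:
        """Hand out the set only to a firewall that already passed authentication."""
        if account not in self._trusted_firewalls:
            return None
        return set(self.authenticated_users)        # copy: the firewall gets a snapshot

    def user_login(self, user: str) -> None:
        """A user completing authentication on the server."""
        self.authenticated_users.add(user)


class Firewall:
    """Information acquisition, request acquisition and determination in one place."""

    def __init__(self, server: AuthServer, account: str, password: str,
                 refresh_interval: float, clock: Callable[[], float] = time.monotonic):
        self.server = server
        self.account = account
        self.password = password
        self.refresh_interval = refresh_interval
        self.clock = clock
        self._authenticated = False
        self._user_set: Set[str] = set()
        self._last_refresh: Optional[float] = None

    def authenticate(self) -> bool:
        """Authentication module: send account/password, record the server's verdict."""
        self._authenticated = self.server.authenticate_firewall(self.account, self.password)
        return self._authenticated

    def refresh_user_set(self) -> bool:
        """Update module: replace the local set wholesale with the server's current one."""
        if not self._authenticated:
            return False
        fresh = self.server.extract_authenticated_users(self.account)
        if fresh is None:
            return False
        self._user_set = fresh                      # replacement, not a merge: logged-out users drop out
        self._last_refresh = self.clock()
        return True

    def _refresh_if_due(self) -> None:
        now = self.clock()
        if self._last_refresh is None or now - self._last_refresh >= self.refresh_interval:
            self.refresh_user_set()

    def handle_access_request(self, request: Dict[str, str]) -> str:
        """Determination module: 'allow' or 'auth_required' for an external-network request."""
        self._refresh_if_due()
        user = request.get("user")                  # user information sub-module
        if user is not None and user in self._user_set:   # matching sub-module
            return "allow"
        return "auth_required"                      # caller then sends the user to authenticate


def run_scenario() -> Dict[str, str]:
    """Drive the flow with a fake clock so the refresh interval is deterministic."""
    t = [0.0]
    clock = lambda: t[0]
    server = AuthServer(firewall_credentials={"fw01": "constructed-secret"})
    fw = Firewall(server, "fw01", "constructed-secret", refresh_interval=30.0, clock=clock)
    results = {}
    results["refresh_before_auth"] = str(fw.refresh_user_set())       # "False": not yet trusted
    fw.authenticate()
    server.user_login("alice")
    results["alice_first"] = fw.handle_access_request({"user": "alice"})   # first request triggers a fetch
    server.user_login("bob")
    results["bob_stale"] = fw.handle_access_request({"user": "bob"})      # interval not elapsed, set is stale
    t[0] = 31.0
    results["bob_after_refresh"] = fw.handle_access_request({"user": "bob"})
    results["no_user_info"] = fw.handle_access_request({})
    rogue = Firewall(server, "fw01", "wrong-password", refresh_interval=30.0, clock=clock)
    rogue.authenticate()
    results["rogue_alice"] = rogue.handle_access_request({"user": "alice"})  # never obtains the set
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The `bob_stale` case is the practical cost of the periodic-fetch design in claim 2: a user who authenticated on the server after the last fetch is still sent back to authenticate until the next interval elapses, so the interval bounds both the staleness of revocations and the delay before a fresh login takes effect.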
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any plurality of the obtaining module 310, the request obtaining module 320 and the determining module 330, the authenticating module, the result processing module, the user information sub-module, the matching sub-module and the determining sub-module may be combined and implemented in one module/unit/sub-unit, or any one of the modules/units/sub-units may be split into a plurality of modules/units/sub-units. Alternatively, at least part of the functionality of one or more of these modules/units/sub-units may be combined with at least part of the functionality of other modules/units/sub-units and implemented in one module/unit/sub-unit. According to an embodiment of the present disclosure, at least one of the obtaining module 310, the request obtaining module 320 and the determining module 330, the authenticating module, the result processing module, the user information sub-module, the matching sub-module and the determining sub-module may be at least partially implemented as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementations of software, hardware and firmware, or by a suitable combination of any of them. Alternatively, at least one of the obtaining module 310, the request obtaining module 320 and the determining module 330, the authenticating module, the result processing module, the user information sub-module, the matching sub-module and the determining sub-module may be at least partially implemented as a computer program module which, when executed, may perform a corresponding function.
It should be noted that the authentication system described in this embodiment corresponds to the authentication method described above; for details of the authentication system, refer to the description of the authentication method, which is not repeated here.
Fig. 7 schematically illustrates a block diagram of a firewall device adapted to implement the above-described method according to an embodiment of the present disclosure. The firewall device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 7, the firewall device 500 according to the embodiment of the present disclosure includes a processor 501 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. The processor 501 may comprise, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 501 may also include onboard memory for caching purposes. Processor 501 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the disclosure.
In the RAM 503, various programs and data necessary for the operation of the system 500 are stored. The processor 501, the ROM 502, and the RAM 503 are connected to each other by a bus 504. The processor 501 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 502 and/or the RAM 503. Note that the programs may also be stored in one or more memories other than the ROM 502 and the RAM 503. The processor 501 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the device 500 may also include an input/output (I/O) interface 505, which is also connected to the bus 504. The device 500 may also include one or more of the following components connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse, and the like; an output portion 507 including a display such as a Cathode Ray Tube (CRT) or a Liquid Crystal Display (LCD), and a speaker; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the internet. A drive 510 is also connected to the I/O interface 505 as necessary. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory is mounted on the drive 510 as necessary, so that a computer program read from it can be installed into the storage section 508 as necessary.
Yet another aspect of the disclosed embodiments provides a computer program product comprising computer readable instructions, wherein the computer readable instructions, when executed, are configured to perform the authentication method for a firewall of the disclosed embodiments.
The method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511. The computer program, when executed by the processor 501, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to an embodiment of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to embodiments of the present disclosure, a computer-readable storage medium may include ROM 502 and/or RAM 503 and/or one or more memories other than ROM 502 and RAM 503 described above.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (11)

1. An authentication method for a firewall, comprising:
acquiring an authentication user information set in an authentication server, wherein the authentication user information set is a set of user information of users who finish authentication on the authentication server;
receiving an access request of a first user to an external network; and
in response to the access request, determining whether to allow the first user to access an external network based on the set of authenticated user information.
2. The method of claim 1, wherein the obtaining a set of authenticated user information in an authentication server comprises:
acquiring the authenticated user information set from the authentication server at predetermined intervals.
3. The method of claim 1, further comprising:
obtaining the authenticated user information from the authentication server.
4. The method of claim 1, further comprising:
sending authentication information to the authentication server so that the authentication server authenticates the firewall; and
receiving authentication result information from the authentication server, and
acquiring the authenticated user information set from the authentication server in the case that the authentication result information indicates that the authentication server has successfully authenticated the firewall.
5. The method of claim 1, wherein the determining, in response to the access request, whether to allow the first user access to an external network based on the set of authenticated user information comprises:
acquiring user information of the first user from the access request;
determining whether the user information of the first user matches the set of authenticated user information; and
determining whether to allow the first user to access an external network based on a matching result.
6. The method of claim 5, wherein the determining whether to allow the first user access to an external network based on the matching result comprises:
allowing the first user to access an external network in the case that the matching result indicates that the user information of the first user matches the authenticated user information set; and
sending an authentication request to the first user in the case that the matching result indicates that the user information of the first user does not match the authenticated user information set, so that the first user can authenticate on the authentication server based on the authentication request.
7. The method of any of claims 1 to 6, further comprising:
acquiring an updated authenticated user information set from the authentication server; and
replacing the existing authenticated user information set with the updated authenticated user information set.
8. An authentication system for a firewall, comprising:
an information acquisition module configured to acquire an authenticated user information set in an authentication server, wherein the authenticated user information set is a set of user information of users who have completed authentication on the authentication server;
a request acquisition module configured to acquire an access request of a first user to an external network; and
a determination module configured to determine, in response to the access request, whether to allow the first user to access an external network based on the set of authenticated user information.
9. A firewall device, comprising:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-7.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to carry out the method of any one of claims 1 to 7.
11. A computer program product comprising computer readable instructions, wherein the computer readable instructions, when executed, are for performing the method of any of claims 1 to 7.
CN201911424084.0A 2019-12-31 2019-12-31 Authentication method, authentication system, firewall device and storage medium Pending CN111107106A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911424084.0A CN111107106A (en) 2019-12-31 2019-12-31 Authentication method, authentication system, firewall device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911424084.0A CN111107106A (en) 2019-12-31 2019-12-31 Authentication method, authentication system, firewall device and storage medium

Publications (1)

Publication Number Publication Date
CN111107106A true CN111107106A (en) 2020-05-05

Family

ID=70427178

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911424084.0A Pending CN111107106A (en) 2019-12-31 2019-12-31 Authentication method, authentication system, firewall device and storage medium

Country Status (1)

Country Link
CN (1) CN111107106A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114244589A (en) * 2021-12-07 2022-03-25 国网福建省电力有限公司 Intelligent firewall and method based on AAA authentication and authorization information
CN117014222A (en) * 2023-09-01 2023-11-07 四川绍泰锦网络科技有限公司 Computer network information security event processing method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060149967A1 (en) * 2004-12-30 2006-07-06 Samsung Electronics Co., Ltd. User authentication method and system for a home network
CN105227455A (en) * 2015-10-08 2016-01-06 北京星网锐捷网络技术有限公司 A kind of method and system of batch user web authentication active-standby switch
CN105450616A (en) * 2014-09-23 2016-03-30 中国电信股份有限公司 Terminal authentication method, trusted determination gateway, authentication server and system
CN105933333A (en) * 2016-06-20 2016-09-07 锐捷网络股份有限公司 Authentication charging method and export gateway of enterprise network
CN107517189A (en) * 2016-06-17 2017-12-26 中兴通讯股份有限公司 Method, the equipment that a kind of WLAN user access authentication and configuration information issue

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060149967A1 (en) * 2004-12-30 2006-07-06 Samsung Electronics Co., Ltd. User authentication method and system for a home network
CN105450616A (en) * 2014-09-23 2016-03-30 中国电信股份有限公司 Terminal authentication method, trusted determination gateway, authentication server and system
CN105227455A (en) * 2015-10-08 2016-01-06 北京星网锐捷网络技术有限公司 A kind of method and system of batch user web authentication active-standby switch
CN107517189A (en) * 2016-06-17 2017-12-26 中兴通讯股份有限公司 Method, the equipment that a kind of WLAN user access authentication and configuration information issue
CN105933333A (en) * 2016-06-20 2016-09-07 锐捷网络股份有限公司 Authentication charging method and export gateway of enterprise network

Similar Documents

Publication Publication Date Title
US10484462B2 (en) Dynamic registration of an application with an enterprise system
US11469894B2 (en) Computing system and methods providing session access based upon authentication token with different authentication credentials
US9083690B2 (en) Communication session termination rankings and protocols
US10187386B2 (en) Native enrollment of mobile devices
US20130332727A1 (en) Access token event virtualization
US11544415B2 (en) Context-aware obfuscation and unobfuscation of sensitive content
CN111669351B (en) Authentication method, service server, client and computer readable storage medium
CN112491778A (en) Authentication method, device, system and medium
US11658907B2 (en) System and method for validating virtual session requests
US11803398B2 (en) Computing device and associated methods providing browser launching of virtual sessions in an application
CN111107106A (en) Authentication method, authentication system, firewall device and storage medium
CN113630253A (en) Login method, device, computer system and readable storage medium
US11669626B2 (en) Resource access with use of bloom filters
US11627123B2 (en) Techniques for simultaneously accessing multiple isolated systems while maintaining security boundaries
US11777742B2 (en) Network device authentication
US20230020656A1 (en) Computing session multi-factor authentication
US11474840B1 (en) Computing device and related methods providing virtual session launching from previously cached assets
US11503074B2 (en) Device enrollment in a management service
US20140282955A1 (en) Controlled Password Modification Method and Apparatus
US11797686B1 (en) Assessing risk from use of variants of credentials
US20220414240A1 (en) Contextual tab aware app protection
CN113132303A (en) Information processing method and device executed by firewall

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication Application publication date: 20200505