CN111355721B - Access control method, device, equipment and system and storage medium - Google Patents
Access control method, device, equipment and system and storage medium Download PDFInfo
- Publication number
- CN111355721B CN111355721B CN202010115945.3A CN202010115945A CN111355721B CN 111355721 B CN111355721 B CN 111355721B CN 202010115945 A CN202010115945 A CN 202010115945A CN 111355721 B CN111355721 B CN 111355721B
- Authority
- CN
- China
- Prior art keywords
- access request
- determining
- current access
- security
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/52—Network services specially adapted for the location of the user terminal
Abstract
The application discloses an access control method, a system, an access control device and a computer readable storage medium, wherein the method comprises the following steps: after an access request is acquired, determining a network position for initiating the current access request; determining a corresponding security control strategy aiming at the current access request according to the network position; and controlling the current access request based on the security control policy, and determining whether to allow the current access request to be responded. As can be seen from the above, after the access request is obtained, the network location where the access request is initiated is determined, and then the security control policy corresponding to the network location is obtained, so that the corresponding operation is performed on the access request based on the security control policy, that is, the security control policy can be dynamically adjusted according to the network location where the current access request is initiated, so as to avoid an unnecessary control process, thereby reducing the complexity of the user in use, and effectively improving the use efficiency and experience of the user.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to an access control method, apparatus, device, and system, and a computer-readable storage medium.
Background
In a conventional access control system, a user must be authenticated by the access control system to access a service. Meanwhile, the use flow of the traditional access control system is usually fixed and static, and the traditional access control system requires that authentication is performed before access is performed. However, in an actual usage scenario, some access control procedures may be unnecessary, resulting in increased user usage complexity and decreased user usage efficiency.
Disclosure of Invention
The application aims to provide an access control method, an access control device, access control equipment and an access control system and a computer readable storage medium, so that the use complexity of a user is reduced, and the use efficiency and the experience of the user are effectively improved.
To achieve the above object, the present application provides an access control method, including:
after an access request is acquired, determining a network position for initiating the current access request;
determining a corresponding security control strategy aiming at the current access request according to the network position;
and controlling the current access request based on the security control policy, and determining whether to allow the current access request to be responded.
Optionally, after obtaining the access request, determining a network location where the current access request is initiated includes:
after an access request is acquired, determining a source address for initiating the current access request;
judging whether the source address is in the network segment address of the intranet or not;
if so, determining that the network position initiating the current access request is an intranet;
if not, determining that the network position initiating the current access request is an extranet.
Optionally, after obtaining the access request, determining a network location where the current access request is initiated includes:
after an access request is acquired, determining an access address corresponding to the current access request;
if the access address is an intranet access address, determining that the network position initiating the current access request is an intranet;
and if the access address is an external network access address, determining that the network position initiating the current access request is an external network.
Optionally, the determining, according to the network location, a corresponding security control policy for the current access request includes:
if the network position is an intranet, determining a target service system corresponding to the current access request, and acquiring the security level of the target service system;
if the security level is greater than a security threshold, determining a security control policy including identity authentication, authorization and encrypted transmission for the current access request;
determining a security control policy including encrypted transmissions for the current access request if the security level is less than the security threshold.
Optionally, the determining, according to the network location, a corresponding security control policy for the current access request includes:
and if the network position is an external network, determining a security control strategy comprising identity authentication, authorization and encrypted transmission aiming at the current access request.
Optionally, after determining the corresponding security control policy for the current access request according to the network location, the method further includes:
and acquiring configuration information aiming at admission control, and determining whether the security control strategy comprises the admission control according to the configuration information.
Optionally, the obtaining the configuration information for admission control includes:
acquiring configuration information aiming at admission control;
or, receiving the configuration information for admission control in real time through the input interface.
Optionally, the controlling the current access request based on the security control policy and determining whether to allow a response to the current access request include:
if the security control strategy comprises access control, acquiring the environment security condition corresponding to the terminal initiating the current access request;
determining whether to allow a response to the current access request based on the environmental security condition.
Optionally, the obtaining an environmental security status corresponding to the terminal initiating the current access request includes:
detecting whether the terminal initiating the current access request is provided with antivirus software or not;
the determining whether to allow a response to the current access request based on the environmental security condition includes:
and if the terminal initiating the current access request is provided with antivirus software, allowing the current access request to be responded.
To achieve the above object, the present application provides an access control apparatus including:
the position determining module is used for determining the network position for initiating the current access request after the access request is obtained;
the strategy determining module is used for determining a corresponding security control strategy aiming at the current access request according to the network position;
and the access control module is used for controlling the current access request based on the security control strategy and determining whether to allow the response to the current access request.
To achieve the above object, the present application provides an access control apparatus including:
a memory for storing a computer program;
a processor for implementing the steps of any of the previously disclosed access control methods when executing the computer program.
To achieve the above object, the present application provides an access control system including: an intranet system, an extranet system, a business system and access control equipment as disclosed in the foregoing;
the intranet system comprises a firewall, a switch and a user terminal, the extranet system comprises a user terminal and a firewall, and the service system comprises a key service system and a non-key service system.
To achieve the above object, the present application provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of any of the access control methods disclosed in the foregoing.
According to the above scheme, the access control method provided by the present application includes: after an access request is acquired, determining a network position for initiating the current access request; determining a corresponding security control strategy aiming at the current access request according to the network position; and controlling the current access request based on the security control policy, and determining whether to allow the current access request to be responded. As can be seen from the above, after the access request is obtained, the network location where the access request is initiated is determined, and then the security control policy corresponding to the network location is obtained, so that the corresponding operation is performed on the access request based on the security control policy, that is, the security control policy can be dynamically adjusted according to the network location where the current access request is initiated, so as to avoid an unnecessary control process, thereby reducing the complexity of the user in use, and effectively improving the use efficiency and experience of the user.
The application also discloses an access control device, equipment and a system and a computer readable storage medium, which can also realize the technical effects.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a system architecture diagram of an application of an access control method in a specific scenario disclosed in an embodiment of the present application;
fig. 2 is a flowchart of an access control method disclosed in an embodiment of the present application;
fig. 3 is a flowchart of another access control method disclosed in an embodiment of the present application;
fig. 4 is a block diagram of an access control apparatus disclosed in an embodiment of the present application;
fig. 5 is a block diagram of an access control device disclosed in an embodiment of the present application;
fig. 6 is a block diagram of another access control device disclosed in an embodiment of the present application;
fig. 7 is a schematic deployment diagram of an access control system disclosed in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the related art, the conventional access control system mainly comprises admission, authentication, authorization and encrypted transmission agent access, i.e. a user must be authenticated by the identity of the access control system to access the service system. Meanwhile, the use flow of the traditional access control system is usually fixed and static, and the traditional access control system requires that authentication is performed before access is performed. However, in an actual usage scenario, some access control procedures may be unnecessary, resulting in increased user usage complexity and decreased user usage efficiency.
Therefore, the embodiment of the application discloses an access control method, which reduces the use complexity of a user and effectively improves the use efficiency and experience of the user.
In order to facilitate understanding of the access control method provided in the present application, a system for use thereof will be described below. Referring to fig. 1, a system architecture diagram of an application of an access control method in a specific scenario provided in an embodiment of the present application is shown. As shown in fig. 1, includes a user terminal 10, an access control device 20, and a server 30. The user terminal 10 and the access control device 20, and the access control device 20 and the server 30 are connected by communication via a network 40. The user terminal 10, the access control device 20, and the server 30 may further include a processor, a memory, a communication interface, an input unit, a display, and a communication bus, and the processor, the memory, the communication interface, the input unit, and the display all complete communication with each other through the communication bus.
Specifically, the user terminal 10 is configured to send an access request to the access control device 20, which may specifically include but is not limited to a smart phone, a tablet computer, a notebook computer, a desktop computer, or the like, or an intelligent wearable device, or the like.
In this application, the access control device 20 is configured to obtain an access request initiated by the user terminal 10, determine a network location where the access request is initiated, and further determine a security control policy corresponding to the current network location, so as to control the current access request based on the security control policy and determine whether to allow a response to the current access request. If the response to the current access request is allowed, the current access request is forwarded to the server 30, so that the user can access the corresponding content in the server 30.
It should be noted that the access control device 20 is a device capable of acquiring an access request and its originating network location, and providing a function of dynamically adjusting a corresponding security control policy, and the types of the access control device may include, but are not limited to, various types of servers, personal computers, handheld terminals, and the like.
It can be understood that the network 40 in the present application may be determined according to the network condition and the application requirement in the actual application process, and may be a wireless communication network, such as a mobile communication network or a WiFi network, or a wired communication network; either a wide area network or a local area network may be used as circumstances warrant.
Referring to fig. 2, an access control method disclosed in an embodiment of the present application includes:
s101: after acquiring the access request, determining the network position for initiating the current access request;
in the embodiment of the application, after the access request initiated by the user is obtained, the network position of the current access request can be determined. The access request may specifically be a request for accessing the service system, and in an implementation, an input interface may be provided to receive an access request initiated by a user. The Network location specifically includes an intranet and an extranet, where the intranet is a Local Area Network (LAN), and refers to a computer group formed by interconnecting multiple computers in a certain Area; the external Network is a Wide Area Network (WAN), also known as a public Network, which is a remote Network for connecting computers in local Area networks or metropolitan Area networks in different regions for communication. The local area network is a network in which several or dozens of computers are connected with each other for resource sharing, and the external network is communicated with the internet and can access all network resources on the internet.
In an embodiment, the process of determining the network location from which the current access request originates may specifically include: after an access request is acquired, determining a source address for initiating the current access request; judging whether the source address is in the network segment address of the intranet or not; if so, determining that the network position initiating the current access request is an intranet; if not, determining that the network position initiating the current access request is an extranet. For example, if the intranet segment address is 192.168.0.1-192.168.0.254, the source IP address initiating the access request may be obtained first, and when the source IP address is in the intranet segment, it is determined that the current user is a request initiated from the intranet; otherwise, the current user is determined to be a request initiated from the external network.
In another embodiment, the process of determining the network location initiating the current access request may specifically include: after an access request is acquired, determining an access address corresponding to the current access request; if the access address is an intranet access address, determining that the network position initiating the current access request is an intranet; and if the access address is the external network access address, determining that the network position initiating the current access request is the external network. In this embodiment, two or more IPs may be previously arranged on the network interface for receiving the access request, one or more of the IPs may be used as the external network access IP address, and the other IPs may be used as the internal network access IP address. When a user initiates an access request by accessing an IP address through an external network, determining that the current user is a request initiated from the external network; otherwise, the current user is determined to be a request initiated from the intranet.
S102: determining a corresponding security control strategy aiming at the current access request according to the network position;
in this step, a corresponding security control policy may be determined according to the determined network location initiating the access request, where the security control policy is used to implement security control on the current access request, and may include specific procedures such as authentication and encryption. For example, if the network location is an external network, the corresponding security control policy includes identity authentication, authorization, and encrypted transmission; if the network location is an intranet, the corresponding security control strategy comprises encryption transmission. The safety risk of the intranet is low in practical use, so that the use experience and the use efficiency are preferentially guaranteed; and the security risk of the external network is higher, the security is guaranteed preferentially, and the external network needs to be authenticated and accessed again.
Specifically, the embodiment of the present application may pre-establish and store a correspondence between the network location and the security control policy, and after determining the network location initiating the access request, search for the corresponding security control policy in the correspondence according to the current network location.
S103: and controlling the current access request based on the security control policy, and determining whether to allow the current access request to be responded.
It will be appreciated that after determining the security control policy, the current access request may be controlled based on the security policy and a determination may be made whether to allow a response to the current access request. The current access request may be authenticated or encrypted for transmission processing based on a security policy, for example.
As a feasible implementation manner, after determining the corresponding security control policy according to the network location, the embodiment of the present application may further obtain configuration information for admission control, and determine whether the security control policy includes admission control according to the configuration information. The admission control refers to the judgment and control of whether the wireless access network is allowed or not by the wireless access network according to the current load level of the network when the mobile phone and other terminals request to establish a wireless link to the wireless access network, the protection of the network boundary and the compliance check of the terminals accessed to the network.
The process of acquiring the configuration information for admission control may specifically be: acquiring configuration information aiming at admission control; or, receiving configuration information for admission control in real time through the input interface. That is, in a specific embodiment, the administrator may pre-configure whether to enable admission control, so that it may be determined whether the current security control policy includes admission control according to the configuration information; in another specific embodiment, an input interface may be provided to receive in real time configuration information whether admission control is enabled.
It should be noted that, if the security control policy includes admission control, when the current access request is controlled based on the security control policy, the environmental security status corresponding to the terminal that initiated the current access request may be obtained, and then it is determined whether to respond to the current access request according to the environmental security status. For example, if the terminal does not have antivirus software installed, the response to the current access request is prohibited; and if the terminal has the virus, forbidding to respond to the current access request.
According to the above scheme, the access control method provided by the present application includes: after an access request is acquired, determining a network position for initiating the current access request; determining a corresponding security control strategy aiming at the current access request according to the network position; and controlling the current access request based on the security control policy, and determining whether to allow the current access request to be responded. As can be seen from the above, after the access request is obtained, the network location where the access request is initiated is determined, and then the security control policy corresponding to the network location is obtained, so that the corresponding operation is performed on the access request based on the security control policy, that is, the security control policy can be dynamically adjusted according to the network location where the current access request is initiated, so as to avoid an unnecessary control process, thereby reducing the complexity of the user in use, and effectively improving the use efficiency and experience of the user.
The embodiment of the application discloses another access control method, and compared with the previous embodiment, the embodiment further describes and optimizes the technical scheme. Referring to fig. 3, specifically:
s201: after an access request is acquired, determining a network position for initiating the current access request;
s202: if the network position is an intranet, determining a target service system corresponding to the current access request, and acquiring the security level of the target service system;
s203: if the security level is greater than a security threshold, determining a security control policy including identity authentication, authorization and encrypted transmission for the current access request;
s204: if the security level is less than the security threshold, determining a security control policy including encrypted transmissions for the current access request;
as a preferred embodiment, after determining the network location initiating the current access request, if the network location is an intranet, the present application further determines a security control policy according to the security level of the target service system to be accessed. If the security level of the target service system is lower, the corresponding security control strategy does not include the identity authentication and authorization process, and only encryption transmission is carried out to ensure the use efficiency and experience as much as possible; if the security level of the target service system is higher, the corresponding security control strategy further comprises an identity authentication and authorization process besides encryption transmission, so that the security is guaranteed as much as possible. In addition, whether to perform admission control can also be determined according to the configuration of an administrator.
In the embodiment of the application, a security threshold value can be preset, and a corresponding security control strategy can be determined by judging the relationship between the security level of the target service system and the security threshold value. The safety threshold may be set in a specific implementation, and is not limited herein. The security level of the target business system can also be divided in advance by an administrator.
S205: if the network location is an external network, determining a security control strategy comprising identity authentication, authorization and encrypted transmission aiming at the current access request;
it can be understood that, if the network location initiating the current access request is an external network, the corresponding security control policy includes identity authentication, an authorization process and encryption transmission, so as to ensure the security as much as possible.
S206: and controlling the current access request based on the security control policy, and determining whether to allow the current access request to be responded.
In the following, an access control device provided by an embodiment of the present application is described, and an access control device described below and an access control method described above may be referred to each other.
Referring to fig. 4, an access control apparatus provided in an embodiment of the present application includes:
the location determining module 301 is configured to determine a network location where a current access request is initiated after the access request is acquired;
a policy determining module 302, configured to determine, according to the network location, a corresponding security control policy for the current access request;
an access control module 303, configured to control the current access request based on the security control policy, and determine whether to allow a response to the current access request.
For the specific implementation process of the modules 301 to 303, reference may be made to the corresponding content disclosed in the foregoing embodiments, and details are not repeated here.
The present application further provides an access control device, and as shown in fig. 5, an access control device provided in an embodiment of the present application includes:
a memory 100 for storing a computer program;
the processor 200, when executing the computer program, may implement the steps provided by the above embodiments.
Specifically, the memory 100 includes a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and computer-readable instructions, and the internal memory provides an environment for the operating system and the computer-readable instructions in the non-volatile storage medium to run. The processor 200 may be a Central Processing Unit (CPU), a controller, a microcontroller, a microprocessor or other data Processing chip in some embodiments, and provides computing and controlling capability for the access control device, and when executing the computer program stored in the memory 100, the steps of the access control method disclosed in any of the foregoing embodiments may be implemented.
On the basis of the above embodiment, as a preferred implementation, referring to fig. 6, the access control device further includes:
and an input interface 300 connected to the processor 200, for acquiring computer programs, parameters and instructions imported from the outside, and storing the computer programs, parameters and instructions into the memory 100 under the control of the processor 200. The input interface 300 may be connected to an input device for receiving parameters or instructions manually input by a user. The input device may be a touch layer covered on a display screen, or a button, a track ball or a touch pad arranged on a terminal shell, or a keyboard, a touch pad or a mouse, etc.
A display unit 400, connected to the processor 200, for displaying data processed by the processor 200 and for displaying a visualized user interface. The display unit 400 may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch panel, or the like.
The network port 500 is connected to the processor 200, and is configured to perform communication connection with external terminal devices. The communication technology adopted by the communication connection can be a wired communication technology or a wireless communication technology, such as a mobile high definition link (MHL) technology, a Universal Serial Bus (USB), a High Definition Multimedia Interface (HDMI), a wireless fidelity (WiFi), a bluetooth communication technology, a low power consumption bluetooth communication technology, an ieee802.11 s-based communication technology, and the like.
Fig. 6 shows only an access control device having the assembly 100 and 500, and those skilled in the art will appreciate that the structure shown in fig. 6 does not constitute a limitation of the access control device, and may include fewer or more components than those shown, or some components in combination, or a different arrangement of components.
Fig. 7 is a schematic deployment diagram of an access control system according to an embodiment of the present application. As shown in fig. 7, the access control system specifically includes an intranet system, an extranet system, a service system, and an access control device. The intranet system comprises a firewall, a switch and a user terminal, the extranet system comprises the user terminal and the firewall, the service system comprises a key service system and a non-key service system, and access control equipment is arranged among the extranet system, the intranet system and the service system to limit that a user can access the service system in an agent mode only through the dynamic access control equipment. Firstly, whether the network position where the user terminal initiates access is an internal network or an external network, namely the internet, can be identified. Identity authentication is required for an access request initiated from an external network, transmission is encrypted, and whether access control is performed or not can be determined according to dynamic configuration of an administrator; for an access request initiated from an intranet, a corresponding control strategy can be further determined according to a security requirement set by a target service system to be accessed, for a non-key service system with lower security requirement, identity authentication can be omitted, transmission is encrypted, and whether access control is performed or not is determined according to dynamic configuration of an administrator; for a key service system with higher safety requirement, identity authentication is required, transmission is encrypted, and whether admission control is performed is determined according to a strategy configured by an administrator.
The present application also provides a computer-readable storage medium, which may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk. The storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the access control method disclosed in any of the preceding embodiments.
After the access request is obtained, the network position initiating the access request is determined, and then the security control strategy corresponding to the network position is obtained, so that corresponding operation is executed on the access request based on the security control strategy.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, without departing from the principle of the present application, the present application can also make several improvements and modifications, and those improvements and modifications also fall into the protection scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Claims (11)
1. An access control method, comprising:
after acquiring the access request, determining the network position for initiating the current access request;
determining a corresponding security control strategy aiming at the current access request according to the network position;
controlling the current access request based on the security control policy, and determining whether to allow a response to the current access request;
wherein the determining a corresponding security control policy for the current access request according to the network location comprises:
if the network position is an intranet, determining a target service system corresponding to the current access request, and acquiring the security level of the target service system; if the security level is greater than a security threshold, determining a security control policy including identity authentication, authorization and encrypted transmission for the current access request;
if the security level is less than the security threshold, determining a security control policy including encrypted transmissions for the current access request;
and if the network position is an external network, determining a security control strategy comprising identity authentication, authorization and encrypted transmission aiming at the current access request.
2. The access control method according to claim 1, wherein determining the network location from which the current access request is initiated after the access request is obtained comprises:
after an access request is acquired, determining a source address for initiating the current access request;
judging whether the source address is in the network segment address of the intranet or not;
if so, determining that the network position initiating the current access request is an intranet;
if not, determining that the network position initiating the current access request is an extranet.
3. The access control method according to claim 1, wherein determining the network location from which the current access request is initiated after the access request is obtained comprises:
after an access request is acquired, determining an access address corresponding to the current access request;
if the access address is an intranet access address, determining that the network position initiating the current access request is an intranet;
and if the access address is an external network access address, determining that the network position initiating the current access request is an external network.
4. The access control method according to any one of claims 1 to 3, wherein after determining the corresponding security control policy for the current access request according to the network location, the method further comprises:
and acquiring configuration information aiming at admission control, and determining whether the security control strategy comprises the admission control according to the configuration information.
5. The access control method of claim 4, wherein the obtaining configuration information for admission control comprises:
acquiring configuration information aiming at admission control;
or, receiving configuration information for admission control in real time through the input interface.
6. The access control method of claim 4, wherein the controlling the current access request based on the security control policy, and the determining whether to allow a response to the current access request comprises:
if the security control strategy comprises access control, acquiring the environment security condition corresponding to the terminal initiating the current access request;
determining whether to allow a response to the current access request based on the environmental security condition.
7. The access control method according to claim 6, wherein the obtaining of the environmental security status corresponding to the terminal that initiated the current access request comprises:
detecting whether the terminal initiating the current access request is provided with antivirus software or not;
the determining whether to allow a response to the current access request based on the environmental security condition includes:
and if the terminal initiating the current access request is provided with antivirus software, allowing the current access request to be responded.
8. An access control apparatus, comprising:
the position determining module is used for determining the network position for initiating the current access request after the access request is obtained;
the strategy determining module is used for determining a corresponding security control strategy aiming at the current access request according to the network position;
the access control module is used for controlling the current access request based on the security control strategy and determining whether to allow the response to the current access request;
if the position determining module determines that the network position is an intranet, the policy determining module is configured to determine a target service system corresponding to the current access request and obtain a security level of the target service system; if the security level is greater than a security threshold value, determining a security control strategy comprising identity authentication, authorization and encrypted transmission aiming at the current access request; if the security level is less than the security threshold, determining a security control policy including encrypted transmissions for the current access request;
and if the position determining module determines that the network position is an extranet, the policy determining module is used for determining a security control policy comprising identity authentication, authorization and encrypted transmission aiming at the current access request.
9. An access control device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the access control method according to any one of claims 1 to 7 when executing the computer program.
10. An access control system, comprising: an intranet system, an extranet system, a business system, and the access control device of claim 9;
the intranet system comprises a firewall, a switch and a user terminal, the extranet system comprises a user terminal and a firewall, and the service system comprises a key service system and a non-key service system.
11. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the access control method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010115945.3A CN111355721B (en) | 2020-02-25 | 2020-02-25 | Access control method, device, equipment and system and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010115945.3A CN111355721B (en) | 2020-02-25 | 2020-02-25 | Access control method, device, equipment and system and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111355721A CN111355721A (en) | 2020-06-30 |
| CN111355721B true CN111355721B (en) | 2022-09-30 |
Family
ID=71197215
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010115945.3A Active CN111355721B (en) | 2020-02-25 | 2020-02-25 | Access control method, device, equipment and system and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111355721B (en) |
Families Citing this family (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112333145B (en) * | 2020-09-21 | 2023-07-28 | 南方电网海南数字电网研究院有限公司 | Power grid monitoring video integration and safety protection system and method |
| CN112422292B (en) * | 2020-11-19 | 2024-04-02 | 杭州世平信息科技有限公司 | Network security protection method, system, equipment and storage medium |
| CN112650732A (en) * | 2020-12-22 | 2021-04-13 | 平安普惠企业管理有限公司 | Service processing method, device, equipment and storage medium |
| CN113014427B (en) * | 2021-02-22 | 2023-11-07 | 深信服科技股份有限公司 | Network management method and device and storage medium |
| CN113162943B (en) * | 2021-04-28 | 2023-01-31 | 中国工商银行股份有限公司 | Method and system for dynamically managing firewall policy |
| CN114465767A (en) * | 2021-12-27 | 2022-05-10 | 天翼云科技有限公司 | Data scheduling method and equipment |
| CN114329602A (en) * | 2021-12-30 | 2022-04-12 | 奇安信科技集团股份有限公司 | Access control method, server, electronic device and storage medium |
| CN115001804B (en) * | 2022-05-30 | 2023-11-10 | 广东电网有限责任公司 | Bypass access control system, method and storage medium applied to field station |
| CN116132198B (en) * | 2023-04-07 | 2023-07-25 | 杭州海康威视数字技术股份有限公司 | Internet of things privacy behavior sensing method and device based on lightweight context semantics |
| CN117835248A (en) * | 2023-10-17 | 2024-04-05 | 湖北星纪魅族集团有限公司 | Security control method, terminal, and non-transitory computer-readable storage medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103404103A (en) * | 2011-01-28 | 2013-11-20 | F5网络公司 | System and method for combining an access control system with a traffic management system |
| CN110311929A (en) * | 2019-08-01 | 2019-10-08 | 江苏芯盛智能科技有限公司 | A kind of access control method, device and electronic equipment and storage medium |
| CN110535887A (en) * | 2019-09-30 | 2019-12-03 | 海南鼎立信科技有限责任公司 | Safety access control method, device, storage medium and electronic equipment based on Kafka |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9426182B1 (en) * | 2013-01-07 | 2016-08-23 | Workspot, Inc. | Context-based authentication of mobile devices |
| CN111262865B (en) * | 2016-09-23 | 2021-03-30 | 华为技术有限公司 | Method, device and system for making access control strategy |
| CN107426168A (en) * | 2017-05-23 | 2017-12-01 | 国网山东省电力公司电力科学研究院 | A kind of Secure Network Assecc processing method and processing device |
| CN110278556B (en) * | 2018-03-13 | 2021-11-12 | 中兴通讯股份有限公司 | Security authentication policy determination method, device and computer readable storage medium |
-
2020
- 2020-02-25 CN CN202010115945.3A patent/CN111355721B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103404103A (en) * | 2011-01-28 | 2013-11-20 | F5网络公司 | System and method for combining an access control system with a traffic management system |
| CN110311929A (en) * | 2019-08-01 | 2019-10-08 | 江苏芯盛智能科技有限公司 | A kind of access control method, device and electronic equipment and storage medium |
| CN110535887A (en) * | 2019-09-30 | 2019-12-03 | 海南鼎立信科技有限责任公司 | Safety access control method, device, storage medium and electronic equipment based on Kafka |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111355721A (en) | 2020-06-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111355721B (en) | Access control method, device, equipment and system and storage medium | |
| US11165593B2 (en) | System and method for wireless network management | |
| US10554655B2 (en) | Method and system for verifying an account operation | |
| US10869196B2 (en) | Internet access authentication method and client, and computer storage medium | |
| US20200296107A1 (en) | Centralized authentication for granting access to online services | |
| US9392067B2 (en) | Efficient automatic sharing of network access among devices | |
| CN111049946B (en) | Portal authentication method, portal authentication system, electronic equipment and storage medium | |
| US9083690B2 (en) | Communication session termination rankings and protocols | |
| US20050015592A1 (en) | System and method for application and user-based class of security | |
| CN111382421A (en) | Service access control method, system, electronic device and storage medium | |
| KR101620254B1 (en) | Method and apparatus for controlling access | |
| US11941631B2 (en) | Trust platform | |
| WO2011086787A1 (en) | Sensitive information leakage prevention system, sensitive information leakage prevention method and sensitive information leakage prevention program | |
| TW201906433A (en) | Wireless network type detection method, device and electronic device | |
| CN106714181B (en) | Method and device for connecting WiFi hotspot | |
| US20200380108A1 (en) | Systems and methods for proximity single sign-on | |
| US9143510B2 (en) | Secure identification of intranet network | |
| US10375141B2 (en) | Method for processing URL and associated server and non-transitory computer readable storage medium | |
| US10924505B2 (en) | Passcode based access-control with randomized limits | |
| CN113365272B (en) | Method and system for preventing network from being rubbed | |
| CN111294336B (en) | Login behavior detection method and device, computer equipment and storage medium | |
| KR20050009945A (en) | Method and system for managing virtual storage space using mobile storage | |
| CN113746909A (en) | Network connection method, device, electronic equipment and computer readable storage medium | |
| CN105791238A (en) | Method for preventing DHCP flooding attacks of wireless local area network | |
| CN106330818B (en) | Protection method and system for embedded page of client |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |