CN111355741A - Network resource access control method, gateway, readable medium and electronic device - Google Patents


Info

Publication number
CN111355741A
Authority
CN (China)
Prior art keywords
network resource
target
data packet
resource set
user
Legal status
Granted
Application number
CN202010159076.4A
Other languages
Chinese (zh)
Other versions
CN111355741B (en)
Inventor
王栋栋
段熊春
Current Assignee
Douyin Vision Co Ltd
Beijing Volcano Engine Technology Co Ltd
Douyin Vision Beijing Co Ltd
Original Assignee
Beijing ByteDance Network Technology Co Ltd
Application filed by Beijing ByteDance Network Technology Co Ltd; priority to CN202010159076.4A; published as CN111355741A and granted as CN111355741B; legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
            • H04L63/101 Access control lists [ACL]
        • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
            • H04L63/0227 Filtering policies
                • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Abstract

The disclosure relates to a network resource access control method, a gateway, a readable medium and an electronic device. The method comprises the following steps: determining, according to an access control list rule, the set of network resources that the user identity information in a data packet sent by a user side is authorized to access, wherein the access control list rule comprises, for each item of user identity information, the correspondence between that user identity information and the set of network resources it is authorized to access; determining, from the destination information in the data packet, the target network resource that the user side requests to access; and forwarding the data packet to the target network resource when the target network resource belongs to that network resource set. In the technical scheme provided by the disclosure, the Access Control List (ACL) rule is set according to user identity information, which is a unique identifier of the user, for example a source IP address; when employees are added, network segments need not be divided again, so resource waste is avoided.

Description

Network resource access control method, gateway, readable medium and electronic device
Technical Field
The present disclosure relates to the field of network management technologies, and in particular, to a network resource access control method, a gateway, a readable medium, and an electronic device.
Background
Currently, enterprise intranet permissions are generally managed as follows: a source IP network segment is set for the office area in which the enterprise's employees are located, and an ACL (access control list) rule restricts access to specific destination IP addresses and destination TCP/UDP ports. When ACL rules are set using the office source IP network segment, for example 10.1.1.0/24 as the office segment, that segment can accommodate at most 254 employees (excluding the addresses 10.1.1.0 and 10.1.1.255), and if the number of employees grows, the network segment must be divided again, which wastes resources.
Disclosure of Invention
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
In a first aspect, the present disclosure provides a network resource access control method, including:
determining, according to an access control list rule, the set of network resources that the user identity information in a data packet sent by a user side is authorized to access, wherein the access control list rule comprises, for each item of user identity information, the correspondence between that user identity information and the set of network resources it is authorized to access;
determining, according to the destination information in the data packet, the target network resource that the user side requests to access; and
forwarding the data packet to the target network resource when the target network resource belongs to the network resource set.
In a second aspect, the present disclosure provides a gateway for network resource access control, the gateway comprising:
an access authority acquisition module for determining, according to an access control list rule, the set of network resources that the user identity information in a data packet sent by a user side is authorized to access, wherein the access control list rule comprises, for each item of user identity information, the correspondence between that user identity information and the set of network resources it is authorized to access;
a target network area acquisition module for determining, according to the destination information in the data packet, the target network resource that the user side requests to access; and
a judging module for forwarding the data packet to the target network resource when the target network resource belongs to the network resource set.
In a third aspect, the present disclosure provides a computer readable medium having a computer program stored thereon, wherein the program is adapted to, when executed by a processing device, perform the steps of the method of the first aspect.
In a fourth aspect, the present disclosure provides an electronic device comprising:
a storage device having a computer program stored thereon;
processing means for executing the computer program in the storage means to carry out the steps of the method of the first aspect.
Through this technical scheme, the ACL (access control list) rule is set according to user identity information that uniquely identifies the user, such as a source IP address; if the number of employees increases, the network segment does not need to be divided again, so resource waste is avoided.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numbers refer to the same or similar elements. It should be understood that the drawings are schematic and that elements and features are not necessarily drawn to scale. In the drawings:
Fig. 1 is a flowchart of a network resource access control method according to an embodiment of the present disclosure.
Fig. 2 is a schematic diagram of a network resource partitioning result according to an embodiment of the present disclosure.
Fig. 3 is a schematic diagram of the IP segments of fig. 2 and the BitMap value of each IP segment.
Fig. 4 is a schematic diagram of the port numbers of fig. 2 and the BitMap value of each port number.
Fig. 5 is a schematic diagram of the transport layer protocols of fig. 2 and the BitMap value of each transport layer protocol.
Fig. 6 is a block diagram illustrating a gateway in accordance with an embodiment of the present disclosure.
Fig. 7 is a block diagram illustrating an electronic device in accordance with an embodiment of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.
It should be understood that the various steps recited in the method embodiments of the present disclosure may be performed in a different order, and/or performed in parallel. Moreover, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.
The term "include" and variations thereof as used herein are open-ended, i.e., "including but not limited to". The term "based on" is "based, at least in part, on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments". Relevant definitions for other terms will be given in the following description.
It should be noted that the terms "first", "second", and the like in the present disclosure are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence relationship of the functions performed by the devices, modules or units.
It is noted that references to "a", "an", and "the" modifications in this disclosure are intended to be illustrative rather than limiting, and that those skilled in the art will recognize that "one or more" may be used unless the context clearly dictates otherwise.
The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
An embodiment of the present disclosure provides a network resource access control method, which may be applied to a gateway. Fig. 1 is a flowchart illustrating a network resource access control method according to an embodiment of the present disclosure. As shown in fig. 1, the method comprises the steps of:
Step S11: determining, according to the access control list rule, the set of network resources that the user identity information in the data packet sent by the user side is authorized to access.
The access control list rule comprises, for each item of user identity information, the correspondence between that user identity information and the set of network resources it is authorized to access. The user identity information may be a source IP address, in which case the correspondence between each item of user identity information and the set of network resources it is authorized to access is the correspondence between each source IP address and a network resource set. The network resource set that the user side is authorized to access is then determined from the source IP address in the data packet sent by the user side.
Step S12: determining, according to the destination information in the data packet, the target network resource that the user side requests to access.
Step S13: forwarding the data packet to the target network resource when the target network resource belongs to the network resource set.
In step S13, when the network resource set contains the target network resource, the target network resource belongs to the network resource set; that is, the target network resource that the data packet sent by the user side wants to access is within the user side's access rights, and the data packet is forwarded to the target network resource.
Through this technical scheme, the ACL (access control list) rule is set according to user identity information that uniquely identifies the user, such as a source IP address; if the number of employees increases, the network segment does not need to be divided again, so resource waste is avoided.
Optionally, the method further comprises establishing the access control list rule by:
calculating a BitMap value for each type of network resource with a BitMap algorithm according to the identification information of that type of network resource, and calculating the BitMap value of each network resource set from the BitMap values of the types of network resource it contains, wherein each network resource set comprises at least one type of network resource.
Network resources can be divided into several categories; for example, an intranet's resources can be divided into three categories: an office system, a research and development system and a financial system. The identification information of each type of network resource is unique; for example, each type of network resource may be numbered, and the number serves as its identification information. Calculating the BitMap value of each type of network resource with the BitMap algorithm according to its identification information means applying the BitMap algorithm to the number of each type of network resource to obtain its BitMap value. For example, if the office system, the research and development system and the financial system are numbered 1, 2 and 3 respectively, the BitMap algorithm yields BitMap values of 0010, 0100 and 1000 for them respectively. The BitMap value may be expressed in 8 bits, 16 bits, or the like, with 0 padding the missing part. For a network resource set, the BitMap value of the set is obtained by an OR operation over the BitMap values of the types of network resource included in the set.
Taking the identity information of each user as the primary key and the BitMap value of the network resource set that this user identity information is authorized to access as the value, a correspondence is established between each item of user identity information and the BitMap value of the network resource set it is authorized to access, and the correspondence is stored in a first hash table.
For example, when the network resource set that a given item of user identity information is authorized to access consists of the office system and the research and development system, the BitMap value of that set is the OR of the BitMap value of the office system and the BitMap value of the research and development system, that is, 0010 OR 0100, which is 0110; the user identity information is then used as the primary key and 0110 as the value, and the pair is stored in the first hash table.
By adopting the technical scheme, the BitMap algorithm can save storage space and accelerate query speed.
Optionally, the user identity information is an initial IP address of the user side, and the method further includes:
when the IP address associated with the user account of the user side is detected to differ from the initial IP address, replacing the initial IP address of the user side in the first hash table with the detected IP address.
When a user goes to an office area other than their own and the user side connects to that office area's WiFi, the IP address of the user side changes, and the user can be identified by the user account logged in on the user side. If the access control list rule were set purely by source IP address, then when the user side moves to another office and its source IP address changes, the set of network resources the user side can access would change, and effective network permission management through the access control list rule would no longer be possible. With this technical scheme, when the IP address associated with the user account of the user side is detected to differ from the initial IP address, the initial IP address of the user side in the first hash table is replaced with the detected IP address, so that when the user travels to another office the set of network resources the user can access, that is, the user's access rights, remains unchanged.
Optionally, the first hash table comprises a primary hash table and a secondary hash table, and replacing the initial IP address of the user side in the first hash table with the detected IP address comprises:
replacing the initial IP address of the user side in the secondary hash table with the detected IP address, so as to update the secondary hash table; and
after the update of the secondary hash table is complete, setting the secondary hash table as the primary hash table and setting the original primary hash table as the secondary hash table.
Determining, according to the access control list rule, the set of network resources that the user identity information in the data packet sent by the user side is authorized to access then comprises:
determining, according to the primary hash table, the set of network resources that the user identity information in the data packet sent by the user side is authorized to access.
With this technical scheme, a primary hash table and a secondary hash table are provided: the lookup operation (finding the network resource set the user identity information is authorized to access) is performed on the primary hash table, the update operation (updating the user identity information) is performed on the secondary hash table, and when the update is complete the primary and secondary hash tables are swapped. Lookups therefore proceed without locking, which removes the performance bottleneck.
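The primary/secondary swap described above, as an added example in Python (not the patent's code): lookups read the primary table without a lock, an update is written to the secondary, and the two references are swapped. Storing the account beside each IP so that a rebind can be checked against it, and the sample entries, are assumptions made for this example.

```python
import threading


class DoubleBufferedAclTable:
    """First hash table held as a primary (read) copy and a secondary (write) copy.

    Entries map source IP -> (account, BitMap of the permitted resource set).
    The account field is an assumption: the page only says the IP associated
    with a user account is detected, so the account is kept to verify a rebind.
    """

    def __init__(self, entries: dict):
        self._primary = dict(entries)
        self._secondary = dict(entries)
        self._write_lock = threading.Lock()  # serialises writers; readers never take it

    def lookup(self, src_ip: str):
        # Step S11 on the hot path: a single read of whichever table is primary now.
        return self._primary.get(src_ip)

    def rebind_ip(self, account: str, old_ip: str, new_ip: str) -> bool:
        """Replace a user's initial IP with the detected IP (the roaming case above)."""
        with self._write_lock:
            sec = self._secondary
            entry = sec.get(old_ip)
            if entry is None or entry[0] != account:
                return False  # old IP is not bound to this account: refuse the rebind
            if new_ip in sec and sec[new_ip][0] != account:
                return False  # new IP already belongs to another account: do not overwrite
            sec[new_ip] = sec.pop(old_ip)
            # Swap references: readers still on the old primary keep a consistent snapshot.
            self._primary = sec
            # The old primary lacks this update and may still be read, so it is not
            # mutated; a fresh copy of the new primary becomes the next secondary, which
            # keeps the two tables consistent for the next update.
            self._secondary = dict(sec)
            return True


if __name__ == "__main__":
    # Constructed sample: the BitMap values follow the page's 0110 / 1010 examples.
    table = DoubleBufferedAclTable({"10.1.1.5": ("alice", 0b0110)})
    table.rebind_ip("alice", "10.1.1.5", "10.2.2.9")
    print(table.lookup("10.1.1.5"), table.lookup("10.2.2.9"))
```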
Optionally, the network resource is divided according to attribute information of the network resource, where the attribute information includes at least one of an IP address field, a port number, and a transport layer protocol of the network resource.
Determining, according to the destination information in the data packet, the target network resource that the user side requests to access comprises:
determining the target attribute information corresponding to the destination information, and determining the target network resource from the target attribute information through the correspondence between the attribute information of network resources and network resource sets, wherein the destination information comprises at least one of the destination IP address, the destination port number and the transport layer protocol in the data packet.
For example, when network resources are divided by IP address segment, the IP address segment to which the destination IP address belongs can be determined from the destination IP address in the data packet, and the network resource to which that IP address segment belongs is the target network resource. When network resources are divided by two kinds of attribute information, for example by IP address segment and transport layer protocol, the IP address segment to which the destination IP address belongs is determined from the destination IP address in the data packet, then the network resource (set) to which that IP address segment belongs and the network resource (set) to which the transport layer protocol in the data packet belongs are ANDed, and the result is the target network resource. Similarly, when network resources are divided by destination IP address, destination port number and transport layer protocol, the IP address segment to which the destination IP address belongs is determined from the destination IP address in the data packet, then the network resource (set) to which that IP address segment belongs, the network resource (set) to which the destination port number in the data packet belongs and the network resource (set) to which the transport layer protocol in the data packet belongs are ANDed, and the result is the target network resource.
Optionally, the method further includes establishing a correspondence between the attribute information of the network resource and the network resource set by:
dividing the network resources into multiple types of network resource according to their attribute information, and numbering each type of network resource.
For example, the attribute information comprises the IP address segment, the port number and the transport layer protocol of a network resource. The network resources are divided by attribute information into three types, office system, research and development system and financial system, numbered 1, 2 and 3 respectively; the attribute information of each type of network resource is shown in fig. 2. Specifically, as shown in fig. 3, the IP address segment of the office system is 10.0.0.64-10.0.0.127, that of the research and development system is 10.0.0.16-10.0.0.127, and that of the financial system is 10.0.0.32-10.0.0.95. Intersecting the IP network segments of the office system, the research and development system and the financial system in fig. 3 yields the segments 10.0.0.16-10.0.0.32, 10.0.0.32-10.0.0.64, 10.0.0.64-10.0.0.95 and 10.0.0.95-10.0.0.127. Therefore, as shown in fig. 2, the IP network segment attribute information of the office system is 10.0.0.64-10.0.0.95 and 10.0.0.95-10.0.0.127; that of the research and development system is 10.0.0.16-10.0.0.32, 10.0.0.32-10.0.0.64, 10.0.0.64-10.0.0.95 and 10.0.0.95-10.0.0.127; and that of the financial system is 10.0.0.32-10.0.0.64 and 10.0.0.64-10.0.0.95.
calculating the BitMap value of each type of network resource with the BitMap algorithm according to its number, and calculating the BitMap value of each network resource set from the BitMap values of the types of network resource it contains, wherein each network resource set comprises at least one type of network resource.
For fig. 2, then, the BitMap values of the office system, the research and development system and the financial system, numbered 1, 2 and 3, are 0010, 0100 and 1000 respectively as calculated with the BitMap algorithm. The BitMap value may be expressed in 8 bits, 16 bits, or the like, with 0 padding the missing part. For a network resource set, the BitMap value of the set is obtained by an OR operation over the BitMap values of the types of network resource included in the set.
For each item of attribute information, a correspondence between that attribute information of the network resources and a network resource set is established by taking the attribute information as the primary key and the BitMap value of the network resource set corresponding to it as the value.
Based on the network resource division result of fig. 2, take for example the attribute information IP segment 10.0.0.95-10.0.0.127: the network resource set corresponding to the IP segment 10.0.0.95-10.0.0.127 is the set of the office system and the research and development system, whose BitMap value is the OR of the BitMap value of the office system and the BitMap value of the research and development system, that is, 0110. The BitMap value of the network resource set corresponding to the IP segment 10.0.0.95-10.0.0.127 is therefore 0110. The BitMap values of the network resource sets corresponding to the IP network segments 10.0.0.16-10.0.0.32, 10.0.0.32-10.0.0.64 and 10.0.0.64-10.0.0.95 are obtained in the same way, as shown in fig. 3. The result of fig. 3 may be stored in a second hash table whose primary key is the IP network segment and whose value is the BitMap value of the network resource set corresponding to that IP network segment.
Based on the network resource division result of fig. 2, take for example the attribute information port number 53: the network resource set corresponding to port number 53 is the set of the office system, the research and development system and the financial system, whose BitMap value is the OR of 0010, 0100 and 1000, that is, 1110. The BitMap value of the network resource set corresponding to port number 53 is therefore 1110. The BitMap values of the network resource sets corresponding to port numbers 0, 22, 80 and 443 are obtained in the same way, as shown in fig. 4, where port number 0 is a wildcard for ports 1-65535. The result of fig. 4 may be stored in a third hash table whose primary key is the port number and whose value is the BitMap value of the network resource set corresponding to that port number.
Based on the network resource partitioning result of fig. 2, take for example the attribute information transport layer protocol TCP, which can be represented by its RFC protocol number 6. The network resource set corresponding to transport layer protocol 6 is the set of the office system, the research and development system and the financial system, whose BitMap value is the OR of the BitMap values of the office system, the research and development system and the financial system, that is, 1110. The BitMap value of the network resource set corresponding to transport layer protocol 6 is therefore 1110. The BitMap value of the network resource set corresponding to transport layer protocol 0 is obtained in the same way, as shown in fig. 5, where transport layer protocol 0 is a wildcard for layer-4 protocol numbers 1-255. The result of fig. 5 may be stored in a fourth hash table whose primary key is the transport layer protocol and whose value is the BitMap value of the network resource set corresponding to that transport layer protocol.
By adopting the technical scheme, the BitMap algorithm can save storage space and accelerate query speed.
Optionally, the attribute information comprises the IP address segment, the port number and the transport layer protocol of the network resource, and the destination information comprises the destination IP address, the destination port number and the transport layer protocol in the data packet. Determining the target attribute information corresponding to the destination information, and determining the target network resource from the target attribute information through the correspondence between the attribute information of network resources and network resource sets, then comprises:
determining the corresponding destination IP address segment from the destination IP address in the data packet;
determining the BitMap value of the network resource set corresponding to the destination IP address segment from the correspondence between IP address segments of network resources and network resource sets;
determining the BitMap value of the network resource set corresponding to the destination port number in the data packet from the correspondence between port numbers of network resources and network resource sets;
determining the BitMap value of the network resource set corresponding to the transport layer protocol in the data packet from the correspondence between transport layer protocols of network resources and network resource sets; and
ANDing the BitMap value of the network resource set corresponding to the destination IP address segment, the BitMap value of the network resource set corresponding to the destination port number in the data packet and the BitMap value of the network resource set corresponding to the transport layer protocol in the data packet, to obtain the BitMap value of the target network resource.
For example, based on the network resource partitioning result of fig. 2, when a data packet accesses the web server (TCP port 22) at destination IP address 10.0.0.16: the destination IP address 10.0.0.16 in the data packet falls in the segment 10.0.0.16-10.0.0.32, whose BitMap value is 0100 according to the second hash table; the BitMap value of the network resource set corresponding to destination port number 22 in the data packet is 0110 according to the third hash table; and the BitMap value of the network resource set corresponding to transport layer protocol TCP (6) in the data packet is 1110 according to the fourth hash table. The BitMap value of the target network resource is then 0100 (the AND of 0100, 0110 and 1110). This BitMap value equals that of the research and development system, which agrees with fig. 2 and so indirectly confirms the correctness of the method.
Optionally, the forwarding the data packet to the target network resource when the target network resource belongs to the network resource set includes:
performing AND operation on the BitMap value of the target network resource and the BitMap value of the network resource set to obtain an operation result;
forwarding the data packet to the target network resource under the condition that the operation result is not 0;
The method further includes: if the operation result is 0, discarding the data packet.
For example, based on the network resource division result in fig. 2, consider a user side (for example, user side A in fig. 2) whose user identity information has access rights to the office system and the research and development system; the BitMap value of that network resource set is 0110. If a data packet sent by this user side accesses the web server (TCP port 22) whose destination IP address is 10.0.0.16, the target network resource is the research and development system, whose BitMap value is 0100. The AND operation on 0100 and 0110 yields 0100; since the result is not 0, the data packet is forwarded to the target network resource. In other words, the data packet is forwarded because the target network resource it accesses (the research and development system) belongs to the network resource set (the research and development system and the office system) to which the user has access rights.
For another example, based on the network resource division result in fig. 2, consider a user side (for example, user side B in fig. 2) whose user identity information has access rights to the office system and the financial system; the BitMap value of that network resource set is 1010 (the OR of the BitMap value 0010 of the office system and the BitMap value 1000 of the financial system). If a data packet sent by this user side accesses the web server (TCP port 22) whose destination IP address is 10.0.0.16, the target network resource is the research and development system, whose BitMap value is 0100. The AND operation on 0100 and 1010 yields 0000; since the result is 0, the data packet is discarded. In other words, the data packet is discarded because the target network resource it accesses (the research and development system) does not belong to the network resource set (the office system and the financial system) to which the user has access rights.
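The three attribute lookups and the final forwarding decision, as an added example in userland C that is not the patent's code: the hash tables are modelled as small constant arrays with linear scans, and the address ranges, ports, protocols and the two user entries are constructed to reproduce the values quoted above (fig. 2 itself is not on the page).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Resource types are numbered and each gets BitMap value 1 << number.
 * Office (0010), research and development (0100) and finance (1000) follow
 * the values quoted in the text; bit 0 is a constructed placeholder for the
 * fourth type implied by the 4-bit values (fig. 2 is not on the page). */
enum res_type { RES_PLACEHOLDER = 0, RES_OFFICE = 1, RES_RND = 2, RES_FINANCE = 3 };
#define BIT(n) ((uint8_t)(1u << (n)))
#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define LEN(arr) (sizeof(arr) / sizeof((arr)[0]))

/* "Second hash table": destination IP address field -> BitMap of the sets
 * whose resources live in that field (constructed ranges). */
struct ip_range_entry { uint32_t lo, hi; uint8_t sets; };
static const struct ip_range_entry ip_table[] = {
    { IPV4(10, 0, 0, 0),  IPV4(10, 0, 0, 15), BIT(RES_OFFICE)  },  /* 0010 */
    { IPV4(10, 0, 0, 16), IPV4(10, 0, 0, 32), BIT(RES_RND)     },  /* 0100 */
    { IPV4(10, 0, 0, 33), IPV4(10, 0, 0, 64), BIT(RES_FINANCE) },  /* 1000 */
};

/* "Third hash table": destination port -> BitMap of the sets exposing it. */
struct port_entry { uint16_t port; uint8_t sets; };
static const struct port_entry port_table[] = {
    { 22,  BIT(RES_OFFICE) | BIT(RES_RND)                    },  /* 0110 */
    { 443, BIT(RES_OFFICE) | BIT(RES_RND) | BIT(RES_FINANCE) },  /* 1110 */
};

/* "Fourth hash table": IP protocol number -> BitMap of the sets using it. */
struct proto_entry { uint8_t proto; uint8_t sets; };
static const struct proto_entry proto_table[] = {
    { 6,  BIT(RES_OFFICE) | BIT(RES_RND) | BIT(RES_FINANCE) },  /* TCP: 1110 */
    { 17, BIT(RES_OFFICE)                                   },  /* UDP: 0010 */
};

/* "First hash table": user identity (source IP) -> BitMap of the sets the
 * user may access.  Two constructed users matching user A (0110) and
 * user B (1010) from the text. */
struct acl_entry { uint32_t src_ip; uint8_t allowed; };
static const struct acl_entry acl_table[] = {
    { IPV4(192, 168, 1, 10), BIT(RES_OFFICE) | BIT(RES_RND)     },  /* A */
    { IPV4(192, 168, 1, 11), BIT(RES_OFFICE) | BIT(RES_FINANCE) },  /* B */
};

/* Every lookup returns 0 (no set) for an unknown key, so an unclassified
 * destination or an unknown user can never be forwarded. */
static uint8_t lookup_ip(uint32_t dst)
{
    for (size_t i = 0; i < LEN(ip_table); i++)
        if (dst >= ip_table[i].lo && dst <= ip_table[i].hi)
            return ip_table[i].sets;
    return 0;
}

static uint8_t lookup_port(uint16_t port)
{
    for (size_t i = 0; i < LEN(port_table); i++)
        if (port_table[i].port == port)
            return port_table[i].sets;
    return 0;
}

static uint8_t lookup_proto(uint8_t proto)
{
    for (size_t i = 0; i < LEN(proto_table); i++)
        if (proto_table[i].proto == proto)
            return proto_table[i].sets;
    return 0;
}

static uint8_t lookup_user(uint32_t src)
{
    for (size_t i = 0; i < LEN(acl_table); i++)
        if (acl_table[i].src_ip == src)
            return acl_table[i].allowed;
    return 0;
}

/* BitMap of the target network resource: the AND of the three
 * per-attribute lookups.  With a consistent partition exactly one bit
 * survives; 0 means the destination matches no classified resource. */
uint8_t target_resource_bitmap(uint32_t dst_ip, uint16_t dst_port, uint8_t proto)
{
    return lookup_ip(dst_ip) & lookup_port(dst_port) & lookup_proto(proto);
}

/* Forwarding decision: forward when (target AND allowed) != 0, else drop. */
bool acl_forward(uint32_t src_ip, uint32_t dst_ip, uint16_t dst_port, uint8_t proto)
{
    uint8_t target = target_resource_bitmap(dst_ip, dst_port, proto);
    return (target & lookup_user(src_ip)) != 0;
}
```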
Based on the inventive concept, the embodiment of the present disclosure further provides a gateway 10. As shown in fig. 6, the gateway 10 includes:
An access right acquiring module 11, configured to determine, according to an access control list rule, the network resource set to which the user identity information in a data packet sent by a user side has access rights, where the access control list rule includes a correspondence between each piece of user identity information and the network resource set to which that user identity information has access rights.
A target network area obtaining module 12, configured to determine, according to the destination information in the data packet, the target network resource that the user side requests to access.
A determining module 13, configured to forward the data packet to the target network resource when the target network resource belongs to the network resource set.
Through this technical solution, the access control list (ACL) rule is set according to user identity information that uniquely identifies the user, such as a source IP address, so that if the number of employees grows, the network segments do not need to be re-divided and resource waste is avoided.
Optionally, the access right obtaining module 11, the target network area obtaining module 12, and the determining module 13 run in the packet receiving process of the gateway 10, where the packet receiving process is based on the Linux kernel eXpress Data Path (XDP) technology and the extended Berkeley Packet Filter (eBPF) technology.
Through this technical solution, compared with traditional ACL tools (such as iptables and nftables), better performance and lower resource consumption can be achieved when the number of clients is large (for example, when an enterprise has on the order of ten thousand employees), and ACL management is carried out reasonably and efficiently.
Optionally, there are multiple gateways 10, the multiple gateways 10 run an etcd cluster, and the correspondence between each piece of user identity information and the network resource set to which that user identity information has access rights is stored in the etcd cluster. Each gateway 10 calls the watch method of etcd to monitor the correspondence; after the network resource set corresponding to a piece of user identity information changes, the change information is delivered to the plurality of gateways 10, and the gateways 10 synchronously update the network resource set corresponding to that user identity information according to the change information.
By this technical solution, when the gateway 10 is deployed as a cluster, the network resource set corresponding to a piece of user identity information is updated synchronously across the plurality of gateways 10 (the cluster of gateways 10) after it changes.
Optionally, the access control list rule is established by:
calculating a BitMap value of each type of network resource through a BitMap algorithm according to the identification information of each type of network resource, and calculating the BitMap values of the various network resource sets according to the BitMap values of each type of network resource, where each network resource set includes at least one type of network resource; and
taking the identity information of each user as the primary key and the BitMap value of the network resource set to which that user's identity information has access rights as the value, establishing the correspondence between each user's identity information and the BitMap value of the network resource set to which that identity information has access rights, and storing the correspondence in a first hash table.
By adopting the technical scheme, the BitMap algorithm can save storage space and accelerate query speed.
Optionally, the user identity information is an initial IP address of the user side, and the gateway 10 further includes:
an updating module, configured to replace the initial IP address of the user side in the first hash table with the detected IP address when it is detected that the IP address associated with the user account of the user side is different from the initial IP address.
When a user goes to an office area other than their own and the user side connects to the WiFi of that office area, the IP address of the user side changes, but the user can still be identified by the user account logged in on the user side. If the access control list rule were set simply by source IP address, then after the user side moves to another office and its source IP address changes, the set of network resources the user side can access would also change, and effective network authority management could not be performed through the access control list rule. With this technical solution, when the IP address associated with the user account of the user side is detected to differ from the initial IP address, the initial IP address of the user side in the first hash table is replaced with the detected IP address, so that the network resource set the user can access, that is, the user's access rights, remains unchanged when the user works from another office.
Optionally, the first hash table includes a primary hash table and a secondary hash table, and the update module is specifically configured to: replace the initial IP address of the user side in the secondary hash table with the detected IP address so as to update the secondary hash table; and, after the update of the secondary hash table is finished, set the secondary hash table as the primary hash table and the original primary hash table as the secondary hash table.
The access right obtaining module 11 is specifically configured to: determine, according to the primary hash table, the network resource set to which the user identity information in the data packet sent by the user side has access rights.
Through this technical solution, a primary hash table and a secondary hash table are provided; the lookup operation (of the network resource set to which the user identity information has access rights) is performed on the primary hash table, the update operation (of the user identity information) is performed on the secondary hash table, and when the update is complete the primary and secondary hash tables are swapped. Thus, lock-free operation is achieved and the performance bottleneck is removed.
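The primary/secondary table swap on an IP re-binding, as an added example in C that is not the patent's code: the flat-array table, the two constructed users and the copy-before-update step are assumptions, and the atomic pointer store stands in for whatever publication mechanism the gateway's eBPF maps actually use.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ACL_SLOTS 16

/* One row of the "first hash table": user identity (IP) -> BitMap of the
 * network resource sets the user may access.  A flat array stands in for
 * the hash table; the swap logic does not depend on the table layout. */
struct acl_row { bool used; uint32_t ip; uint8_t allowed; };
struct acl_table { struct acl_row rows[ACL_SLOTS]; };

static struct acl_table tables[2];
/* The packet path reads only through this pointer ("primary hash table"). */
static _Atomic(struct acl_table *) primary = &tables[0];
/* The updater writes only to this table ("secondary hash table"). */
static struct acl_table *secondary = &tables[1];

/* Populate the primary table with two constructed users (A: 0110, B: 1010). */
void acl_init(void)
{
    memset(tables, 0, sizeof(tables));
    tables[0].rows[0] = (struct acl_row){ true, 0xC0A8010Au, 0x6 };  /* 192.168.1.10 */
    tables[0].rows[1] = (struct acl_row){ true, 0xC0A8010Bu, 0xA };  /* 192.168.1.11 */
    atomic_store_explicit(&primary, &tables[0], memory_order_release);
    secondary = &tables[1];
}

/* Lookup used by the packet path: reads the primary table, never locks. */
uint8_t acl_lookup(uint32_t src_ip)
{
    const struct acl_table *t = atomic_load_explicit(&primary, memory_order_acquire);
    for (size_t i = 0; i < ACL_SLOTS; i++)
        if (t->rows[i].used && t->rows[i].ip == src_ip)
            return t->rows[i].allowed;
    return 0;  /* unknown user: no access */
}

/* Re-bind a user's row when the IP address associated with the account
 * changes.  The change is applied to the secondary table and published by
 * swapping the two roles.  Two details the patent text leaves implicit:
 * the secondary is first brought level with the primary so it carries no
 * stale rows, and a real deployment must wait until no reader still holds
 * the old primary (e.g. an RCU grace period) before writing into it again
 * on the next update. */
bool acl_rebind_ip(uint32_t old_ip, uint32_t new_ip)
{
    struct acl_table *cur = atomic_load_explicit(&primary, memory_order_acquire);
    struct acl_row *row = NULL;

    memcpy(secondary, cur, sizeof(*secondary));
    for (size_t i = 0; i < ACL_SLOTS; i++) {
        if (secondary->rows[i].used && secondary->rows[i].ip == old_ip) {
            row = &secondary->rows[i];
            break;
        }
    }
    if (row == NULL)
        return false;   /* unknown user: nothing to update, no swap */
    row->ip = new_ip;   /* the allowed BitMap is deliberately unchanged */

    /* Publish: one atomic pointer store.  In-flight lookups finish on the
     * old table; every lookup started afterwards sees the updated one. */
    atomic_store_explicit(&primary, secondary, memory_order_release);
    secondary = cur;
    return true;
}
```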
Optionally, the network resource is divided according to attribute information of the network resource, where the attribute information includes at least one of an IP address field, a port number, and a transport layer protocol of the network resource;
the target network area obtaining module 12 is specifically configured to: and judging target attribute information corresponding to the target information, and determining the target network resource according to the target attribute information through the corresponding relation between the attribute information of the network resource and the network resource set, wherein the target information comprises at least one of a target IP address, a target port number and a transport layer protocol in the data packet.
Optionally, the correspondence between the attribute information of the network resource and the network resource set is established as follows: dividing the network resources into multiple types of network resources according to the attribute information of the network resources, and numbering each type of network resource; calculating a BitMap value of each type of network resource through a BitMap algorithm according to the number of each type of network resource, and calculating the BitMap values of the various network resource sets according to the BitMap values of each type of network resource, where each network resource set includes at least one type of network resource; and, for each piece of attribute information, establishing the correspondence between that attribute information of the network resources and the network resource set by taking the attribute information as the primary key and the BitMap value of the network resource set corresponding to the attribute information as the value.
By adopting the technical scheme, the BitMap algorithm can save storage space and accelerate query speed.
Optionally, the attribute information includes an IP address field, a port number, and a transport layer protocol of the network resource, and the destination information includes a destination IP address, a destination port number, and a transport layer protocol in the data packet;
the target network area obtaining module 12 is specifically configured to: determine the corresponding target IP address field according to the destination IP address in the data packet; determine the BitMap value of the network resource set corresponding to the target IP address field according to the correspondence between the IP address field of the network resource and the network resource set; determine the BitMap value of the network resource set corresponding to the destination port number in the data packet according to the correspondence between the port number of the network resource and the network resource set; determine the BitMap value of the network resource set corresponding to the transport layer protocol in the data packet according to the correspondence between the transport layer protocol of the network resource and the network resource set; and perform an AND operation on the BitMap value of the network resource set corresponding to the target IP address field, the BitMap value of the network resource set corresponding to the destination port number in the data packet, and the BitMap value of the network resource set corresponding to the transport layer protocol in the data packet, to determine the BitMap value of the target network resource.
Optionally, the determining module 13 is specifically configured to: performing AND operation on the BitMap value of the target network resource and the BitMap value of the network resource set to obtain an operation result; forwarding the data packet to the target network resource under the condition that the operation result is not 0;
the gateway 10 further includes: a discarding module, configured to discard the data packet when the operation result is 0.
Based on the above inventive concept, the disclosed embodiments also provide a computer readable medium, on which a computer program is stored, which when executed by a processing apparatus, implements the steps of the above network resource access control method.
Referring now to FIG. 7, a block diagram of an electronic device 600 suitable for use in implementing embodiments of the present disclosure is shown. The electronic device may be applied to a gateway. The electronic device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 7, electronic device 600 may include a processing means (e.g., central processing unit, graphics processor, etc.) 601 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)602 or a program loaded from a storage means 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data necessary for the operation of the electronic apparatus 600 are also stored. The processing device 601, the ROM 602, and the RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
Generally, the following devices may be connected to the I/O interface 605: input devices 606 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; output devices 607 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 608 including, for example, tape, hard disk, etc.; and a communication device 609. The communication means 609 may allow the electronic device 600 to communicate with other devices wirelessly or by wire to exchange data. While fig. 7 illustrates an electronic device 600 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program carried on a non-transitory computer readable medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication means 609, or may be installed from the storage means 608, or may be installed from the ROM 602. The computer program, when executed by the processing device 601, performs the above-described functions defined in the methods of the embodiments of the present disclosure.
It should be noted that the computer readable medium in the present disclosure can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: determining a network resource set with access authority for user identity information in a data packet sent by a user side according to an access control list rule, wherein the access control list rule comprises a corresponding relation between each user identity information and the network resource set with the access authority for the user identity information; determining the target network resource which the user side requests to access according to the target information in the data packet; and forwarding the data packet to the target network resource under the condition that the target network resource belongs to the network resource set.
Computer program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including but not limited to an object oriented programming language such as Java, Smalltalk, C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present disclosure may be implemented by software or hardware. Wherein the name of a module in some cases does not constitute a limitation on the module itself.
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
According to one or more embodiments of the present disclosure, an example provides a network resource access control method, including determining, according to an access control list rule, a network resource set in which user identity information in a data packet sent by a user side has an access right, where the access control list rule includes a correspondence relationship between each user identity information and the network resource set in which the user identity information has the access right; determining the target network resource which the user side requests to access according to the target information in the data packet; and forwarding the data packet to the target network resource under the condition that the target network resource belongs to the network resource set.
Example two provides the method of example one, further comprising establishing the access control list rule by: calculating a BitMap value of each type of network resource through a BitMap algorithm according to the identification information of each type of network resource, and calculating the BitMap values of the various network resource sets according to the BitMap values of each type of network resource, where each network resource set includes at least one type of network resource; and taking the identity information of each user as the primary key and the BitMap value of the network resource set to which that user's identity information has access rights as the value, establishing the correspondence between each user's identity information and the BitMap value of the network resource set to which that identity information has access rights, and storing the correspondence in a first hash table.
According to one or more embodiments of the present disclosure, example three provides the method of example two, where the user identity information is an initial IP address of the user side, and the method further includes: and under the condition that the IP address associated with the user account of the user side is detected to be different from the initial IP address, replacing the initial IP address of the user side in the first hash table with the detected IP address.
In accordance with one or more embodiments of the present disclosure, example four provides the method of example three, the first hash table includes a primary hash table and a secondary hash table, and the replacing the initial IP address of the user terminal in the first hash table with the detected IP address includes: replacing the initial IP address of the user side in the secondary hash table with the detected IP address so as to update the secondary hash table; after the secondary hash table is updated, setting the secondary hash table as a primary hash table, and setting an original primary hash table as a secondary hash table;
the determining, according to the access control list rule, a network resource set for which user identity information in a data packet sent by a user side has an access right includes: and determining a network resource set with access authority for the user identity information in the data packet sent by the user side according to the main hash table.
Example five provides the method of examples one to four, the network resource is partitioned according to attribute information of the network resource, the attribute information includes at least one of an IP address field, a port number, and a transport layer protocol of the network resource; the determining the target network resource which the user terminal requests to access according to the destination information in the data packet includes: and judging target attribute information corresponding to the target information, and determining the target network resource according to the target attribute information through the corresponding relation between the attribute information of the network resource and the network resource set, wherein the target information comprises at least one of a target IP address, a target port number and a transport layer protocol in the data packet.
Example six provides the method of example five, further comprising, in accordance with one or more embodiments of the present disclosure: establishing the correspondence between the attribute information of the network resource and the network resource set in the following way: dividing the network resources into multiple types of network resources according to the attribute information of the network resources, and numbering each type of network resource; calculating a BitMap value of each type of network resource through a BitMap algorithm according to the number of each type of network resource, and calculating the BitMap values of the various network resource sets according to the BitMap values of each type of network resource, where each network resource set includes at least one type of network resource; and, for each piece of attribute information, establishing the correspondence between that attribute information of the network resources and the network resource set by taking the attribute information as the primary key and the BitMap value of the network resource set corresponding to the attribute information as the value.
In accordance with one or more embodiments of the present disclosure, example seven provides the method of example six, where the attribute information includes an IP address field, a port number, and a transport layer protocol of the network resource, and the destination information includes a destination IP address, a destination port number, and a transport layer protocol in the data packet; the judging of the target attribute information corresponding to the destination information and the determining of the target network resource according to the target attribute information through the correspondence between the attribute information of the network resource and the network resource set include: determining the corresponding target IP address field according to the destination IP address in the data packet; determining the BitMap value of the network resource set corresponding to the target IP address field according to the correspondence between the IP address field of the network resource and the network resource set; determining the BitMap value of the network resource set corresponding to the destination port number in the data packet according to the correspondence between the port number of the network resource and the network resource set; determining the BitMap value of the network resource set corresponding to the transport layer protocol in the data packet according to the correspondence between the transport layer protocol of the network resource and the network resource set; and performing an AND operation on the BitMap value of the network resource set corresponding to the target IP address field, the BitMap value of the network resource set corresponding to the destination port number in the data packet, and the BitMap value of the network resource set corresponding to the transport layer protocol in the data packet, to determine the BitMap value of the target network resource.
In accordance with one or more embodiments of the present disclosure, example eight provides the method of example seven, the forwarding the data packet to the target network resource if the target network resource belongs to the set of network resources, comprising: performing AND operation on the BitMap value of the target network resource and the BitMap value of the network resource set to obtain an operation result; forwarding the data packet to the target network resource under the condition that the operation result is not 0;
the method further comprises the following steps: and if the operation result is 0, discarding the data packet.
Example nine provides a gateway applied to network resource access control according to one or more embodiments of the present disclosure, the gateway including: the access authority acquisition module is used for determining a network resource set of which the user identity information in a data packet sent by a user side has access authority according to an access control list rule, wherein the access control list rule comprises a corresponding relation between each user identity information and the network resource set of which the user identity information has the access authority; the target network area acquisition module is used for determining the target network resource which the user side requests to access according to the target information in the data packet; and the judging module is used for forwarding the data packet to the target network resource under the condition that the target network resource belongs to the network resource set.
In accordance with one or more embodiments of the present disclosure, example ten provides the gateway of example nine, where the access right obtaining module, the target network area obtaining module, and the determining module run in the packet receiving process of the gateway, and the packet receiving process is based on the eXpress Data Path (XDP) technology of the Linux kernel and the extended Berkeley Packet Filter (eBPF) technology.
According to one or more embodiments of the present disclosure, an eleventh example provides the gateway of the ninth or tenth example, where there are multiple gateways, the multiple gateways run an etcd cluster, and the correspondence between each piece of user identity information and the network resource set to which that user identity information has access rights is stored in the etcd cluster; each gateway calls the watch method of etcd to monitor the correspondence, and after the network resource set corresponding to a piece of user identity information changes, the change information is delivered to the gateways; and the plurality of gateways synchronously update the network resource set corresponding to that user identity information according to the change information.
Example twelve provides a computer readable medium, on which a computer program is stored, which when executed by a processing device implements the steps of the method of any of examples one to eight, in accordance with one or more embodiments of the present disclosure.
Example thirteen provides an electronic device, according to one or more embodiments of the present disclosure, comprising: a storage device having a computer program stored thereon; processing means for executing the computer program in the storage means to carry out the steps of the method of any one of examples one to eight.
The foregoing description is merely of preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. Those skilled in the art will appreciate that the scope of the disclosure is not limited to the particular combinations of features described above, but also covers other technical solutions formed by any combination of those features or their equivalents without departing from the spirit of the disclosure, for example a technical solution formed by substituting the above features with features of similar function disclosed herein (but not limited to those).
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. Under certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims. With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.

Claims (13)

1. A method for controlling access to network resources, comprising:
determining, according to an access control list rule, the network resource set that the user identity information carried in a data packet sent by a user side is permitted to access, wherein the access control list rule comprises a correspondence between each piece of user identity information and the network resource set that the user identity information is permitted to access;
determining, according to the destination information in the data packet, the target network resource that the user side requests to access; and
forwarding the data packet to the target network resource if the target network resource belongs to the network resource set.
2. The method of claim 1, further comprising establishing the access control list rule by:
calculating a BitMap value for each class of network resource by a BitMap algorithm according to the identification information of that class, and calculating the BitMap values of the various network resource sets from the BitMap values of their member classes, wherein each network resource set comprises at least one class of network resource; and
taking each piece of user identity information as a primary key and the BitMap value of the network resource set that the user identity information is permitted to access as the value, establishing the correspondence between each piece of user identity information and the BitMap value of the network resource set it is permitted to access, and storing the correspondence in a first hash table.
3. The method of claim 2, wherein the user identity information is an initial IP address of the user side, and the method further comprises:
when the IP address associated with the user account of the user side is detected to differ from the initial IP address, replacing the initial IP address of the user side in the first hash table with the detected IP address.
4. The method of claim 3, wherein the first hash table comprises a primary hash table and a secondary hash table, and replacing the initial IP address of the user side in the first hash table with the detected IP address comprises:
replacing the initial IP address of the user side in the secondary hash table with the detected IP address, so as to update the secondary hash table; and
after the secondary hash table has been updated, setting the secondary hash table as the primary hash table and setting the original primary hash table as the secondary hash table;
and wherein determining, according to the access control list rule, the network resource set that the user identity information in the data packet sent by the user side is permitted to access comprises:
determining, according to the primary hash table, the network resource set that the user identity information in the data packet sent by the user side is permitted to access.
5. The method of any one of claims 1-4, wherein the network resources are divided according to attribute information of the network resources, the attribute information comprising at least one of an IP address range, a port number and a transport layer protocol of the network resource; and
determining, according to the destination information in the data packet, the target network resource that the user side requests to access comprises:
determining the target attribute information corresponding to the destination information, and determining the target network resource from the target attribute information through the correspondence between the attribute information of the network resources and the network resource sets, wherein the destination information comprises at least one of a destination IP address, a destination port number and a transport layer protocol in the data packet.
6. The method of claim 5, further comprising establishing the correspondence between the attribute information of the network resources and the network resource sets by:
dividing the network resources into a plurality of classes according to their attribute information, and numbering each class;
calculating a BitMap value for each class of network resource by a BitMap algorithm according to its number, and calculating the BitMap values of the various network resource sets from the BitMap values of their member classes, wherein each network resource set comprises at least one class of network resource; and
for each piece of attribute information, taking the attribute information as a primary key and the BitMap value of the network resource set corresponding to that attribute information as the value, establishing the correspondence between each piece of attribute information of the network resources and the network resource set.
7. The method of claim 6, wherein the attribute information comprises the IP address range, the port number and the transport layer protocol of the network resource, and the destination information comprises the destination IP address, the destination port number and the transport layer protocol in the data packet; and
determining the target attribute information corresponding to the destination information and determining the target network resource from the target attribute information through the correspondence between the attribute information of the network resources and the network resource sets comprises:
determining the corresponding target IP address range according to the destination IP address in the data packet;
determining the BitMap value of the network resource set corresponding to the target IP address range according to the correspondence between the IP address range of the network resources and the network resource set;
determining the BitMap value of the network resource set corresponding to the destination port number in the data packet according to the correspondence between the port number of the network resources and the network resource set;
determining the BitMap value of the network resource set corresponding to the transport layer protocol in the data packet according to the correspondence between the transport layer protocol of the network resources and the network resource set; and
calculating, from the BitMap value of the network resource set corresponding to the target IP address range, the BitMap value of the network resource set corresponding to the destination port number in the data packet and the BitMap value of the network resource set corresponding to the transport layer protocol in the data packet, the BitMap value of the target network resource.
8. The method of claim 7, wherein forwarding the data packet to the target network resource if the target network resource belongs to the network resource set comprises:
performing an AND operation on the BitMap value of the target network resource and the BitMap value of the network resource set to obtain an operation result; and
forwarding the data packet to the target network resource if the operation result is not 0;
and wherein the method further comprises: discarding the data packet if the operation result is 0.
9. A gateway for network resource access control, the gateway comprising:
an access authority acquisition module for determining, according to an access control list rule, the network resource set that the user identity information carried in a data packet sent by a user side is permitted to access, wherein the access control list rule comprises a correspondence between each piece of user identity information and the network resource set that the user identity information is permitted to access;
a target network area acquisition module for determining, according to the destination information in the data packet, the target network resource that the user side requests to access; and
a judging module for forwarding the data packet to the target network resource if the target network resource belongs to the network resource set.
10. The gateway of claim 9, wherein the access authority acquisition module, the target network area acquisition module and the judging module run in the packet receiving process of the gateway, and the packet receiving process is based on the eXpress Data Path (XDP) and extended Berkeley Packet Filter (eBPF) technologies of the Linux kernel.
11. The gateway of claim 9 or 10, wherein there are a plurality of gateways, the plurality of gateways run an etcd cluster, and the correspondence between each piece of user identity information and the network resource set it is permitted to access is stored in the etcd cluster;
the gateways call the etcd watch method to monitor the correspondence, and are notified of the change information after the network resource set corresponding to a piece of user identity information changes; and
the plurality of gateways synchronously update the network resource set corresponding to that user identity information according to the change information.
12. A computer-readable medium on which a computer program is stored, wherein the program, when executed by processing means, carries out the steps of the method of any one of claims 1 to 8.
13. An electronic device, comprising:
a storage device having a computer program stored thereon; and
processing means for executing the computer program in the storage device to carry out the steps of the method of any one of claims 1 to 8.
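The data-path check of claims 2 to 8, as an added worked example that is not part of the patent or of the applicant's code. It numbers the resource classes and gives each a one-bit BitMap value, takes the BitMap of a set as the OR of its members, ANDs the three per-attribute tables (IP address range, port number, transport layer protocol) to identify the target, ANDs the user's permitted-set BitMap with that, and forwards on a non-zero result. The resource classes, ACL entries and packets are constructed sample data. Two details the claims leave open are assumptions here: when several configured ranges contain the destination IP their BitMaps are ORed before the AND (rather than longest-prefix match), and the primary/secondary hash table is handled as copy, update, swap, resync.

```python
"""Bitmap ACL evaluation in the style of CN111355741 claims 2-8.

Added example with constructed data; not the patent's own code.
"""
import ipaddress
from typing import Dict, Iterable, Tuple

# Claim 6: resources divided into classes by (IP range, port, protocol) and numbered.
# Constructed sample classes; the index in this list is the class number.
RESOURCE_CLASSES = [
    ("web-prod",  "10.1.0.0/24",  443, "tcp"),   # class 0
    ("web-admin", "10.1.0.0/24", 8443, "tcp"),   # class 1
    ("db-prod",   "10.2.0.0/24", 5432, "tcp"),   # class 2
    ("dns",       "10.3.0.0/24",   53, "udp"),   # class 3
]


def class_bitmap(number: int) -> int:
    """Claims 2/6: the BitMap value of one class is a single bit at its number."""
    return 1 << number


def set_bitmap(numbers: Iterable[int]) -> int:
    """Claims 2/6: the BitMap value of a set is the OR of its member classes."""
    bits = 0
    for n in numbers:
        bits |= class_bitmap(n)
    return bits


AttrTables = Tuple[Dict[ipaddress.IPv4Network, int], Dict[int, int], Dict[str, int]]


def build_attribute_tables(classes=RESOURCE_CLASSES) -> AttrTables:
    """Claim 6: one table per attribute; attribute value -> BitMap of the set
    of all classes that carry that value."""
    by_net: Dict[ipaddress.IPv4Network, int] = {}
    by_port: Dict[int, int] = {}
    by_proto: Dict[str, int] = {}
    for number, (_name, net, port, proto) in enumerate(classes):
        bit = class_bitmap(number)
        key = ipaddress.ip_network(net)
        by_net[key] = by_net.get(key, 0) | bit
        by_port[port] = by_port.get(port, 0) | bit
        by_proto[proto] = by_proto.get(proto, 0) | bit
    return by_net, by_port, by_proto


def target_bitmap(tables: AttrTables, dst_ip: str, dst_port: int, proto: str) -> int:
    """Claim 7: look up the set BitMap for each destination attribute and AND them,
    so only classes matching all three attributes survive. Assumption: if several
    configured ranges contain dst_ip, their BitMaps are ORed before the AND."""
    by_net, by_port, by_proto = tables
    ip = ipaddress.ip_address(dst_ip)
    net_bits = 0
    for net, bits in by_net.items():
        if ip in net:
            net_bits |= bits
    return net_bits & by_port.get(dst_port, 0) & by_proto.get(proto, 0)


class AclTable:
    """Claims 2-4: the first hash table, user identity (source IP) -> permitted-set
    BitMap, kept as a primary/secondary pair so lookups never see a partial update."""

    def __init__(self, rules: Dict[str, Iterable[int]]):
        table = {src_ip: set_bitmap(numbers) for src_ip, numbers in rules.items()}
        self.primary = table
        self.secondary = dict(table)   # assumption: secondary starts as a full copy

    def lookup(self, src_ip: str) -> int:
        """Claim 4: the data path reads only the primary table."""
        return self.primary.get(src_ip, 0)

    def rebind_ip(self, old_ip: str, new_ip: str) -> None:
        """Claims 3-4: the account is now seen from new_ip. Rewrite the key in the
        secondary table, swap the roles, then resync the new secondary (assumption)."""
        if old_ip in self.secondary:
            self.secondary[new_ip] = self.secondary.pop(old_ip)
        self.primary, self.secondary = self.secondary, self.primary
        self.secondary = dict(self.primary)


def decide(acl: AclTable, tables: AttrTables, packet: Dict) -> str:
    """Claim 8: AND the user's permitted-set BitMap with the target BitMap;
    non-zero forwards, zero (including unknown user or unknown target) drops."""
    allowed = acl.lookup(packet["src"])
    target = target_bitmap(tables, packet["dst"], packet["dport"], packet["proto"])
    return "FORWARD" if allowed & target else "DROP"


if __name__ == "__main__":
    tables = build_attribute_tables()
    acl = AclTable({"192.0.2.10": {0, 1}, "192.0.2.20": {0, 3}})   # constructed ACL
    pkt = {"src": "192.0.2.20", "dst": "10.1.0.5", "dport": 8443, "proto": "tcp"}
    print(decide(acl, tables, pkt))   # DROP: web-admin is not in 192.0.2.20's set
```

Three points a deployer should keep in mind. The identity in claims 3 and 4 is the client's source IP, which is spoofable on the wire and shared behind NAT, so the gateway's decision is only as strong as whatever binds the account to that address upstream. A packet whose three attributes match no configured class yields a target BitMap of 0 and is dropped, which is the safe default but means every reachable resource must be enumerated. In an XDP program the dictionaries above become BPF maps (an LPM trie for the IP ranges, hash maps for port and protocol) and the BitMap is a fixed-width integer, so the number of resource classes is bounded by the word width unless the bitmap is split across several words; the Python ints here hide that limit.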

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010159076.4A CN111355741B (en) 2020-03-09 2020-03-09 Network resource access control method, gateway, readable medium and electronic device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010159076.4A CN111355741B (en) 2020-03-09 2020-03-09 Network resource access control method, gateway, readable medium and electronic device

Publications (2)

Publication Number Publication Date
CN111355741A (en) 2020-06-30
CN111355741B (en) 2022-05-17

Family

ID=71196051

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010159076.4A Active CN111355741B (en) 2020-03-09 2020-03-09 Network resource access control method, gateway, readable medium and electronic device

Country Status (1)

Country Link
CN (1) CN111355741B (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1953455A * 2006-11-15 2007-04-25 北京北大方正电子有限公司 A method, module and server to control access to network resource
US20100081417A1 * 2008-09-30 2010-04-01 Thomas William Hickie System and Method for Secure Management of Mobile User Access to Enterprise Network Resources
CN102843366A * 2012-08-13 2012-12-26 北京百度网讯科技有限公司 Network resource access permission control method and device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113347072A * 2021-06-23 2021-09-03 北京天融信网络安全技术有限公司 VPN resource access method, device, electronic equipment and medium
CN113347072B * 2021-06-23 2022-12-13 北京天融信网络安全技术有限公司 VPN resource access method, device, electronic equipment and medium
CN115396537A * 2022-10-31 2022-11-25 深圳万物安全科技有限公司 Internet of things access control method, device, equipment and medium
CN115396537B * 2022-10-31 2023-01-13 深圳万物安全科技有限公司 Internet of things access control method, device, equipment and medium

Also Published As

Publication number Publication date
CN111355741B (en) 2022-05-17

Similar Documents

Publication Publication Date Title
US11200081B2 (en) Systems and methods for tuning containers in a high availability environment
US10985981B2 (en) Multi-threaded server architecture supporting dynamic reconfiguration
US11089007B2 (en) Role-based resource access control
CN111581563A (en) Page response method and device, storage medium and electronic equipment
US9059973B2 (en) Securing sensitive information in a network cloud
CN111355741B (en) Network resource access control method, gateway, readable medium and electronic device
CN110753089A (en) Method, device, medium and electronic equipment for managing client
US20170264460A1 (en) On-premise and off-premise communication
US20200045101A1 (en) On-premises and off-premises communication
US11636104B2 (en) Analytics center having a natural language query (NLQ) interface
US11816119B2 (en) System and methods for querying and updating databases
US20210377718A1 (en) Pattern affinity for discovery
US10824432B2 (en) Systems and methods for providing multiple console sessions that enable line-by-line execution of scripts on a server application
US11514184B1 (en) Database query information protection using skeletons
CN113127550A (en) Information processing method, information processing device, electronic equipment and storage medium
US11743259B2 (en) Managing operator pattern service connections to an environment
US20230246916A1 (en) Service map conversion with preserved historical information
US11886394B2 (en) Composable query language gateway routing protocol
CN110633324B (en) Method, apparatus, electronic device and computer readable medium for synchronizing data
CN116243926A (en) Service processing method, device, medium and electronic equipment
CN116450725A (en) Method, apparatus, electronic device, and medium for performing database operations
CA3157578A1 (en) System and methods for querying and updating databases
CN113779315A (en) Information generation method and device, electronic equipment and computer readable medium
CN111209350A (en) System development method, device, terminal equipment and storage medium
CN117271586A (en) Data processing method, device, server and medium supporting configuration

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder
Patentee before: Tiktok vision (Beijing) Co.,Ltd.
Patentee after: Douyin Vision Co.,Ltd.
Address (unchanged): 100041 B-0035, 2 floor, 3 building, 30 Shixing street, Shijingshan District, Beijing.
CP01 Change in the name or title of a patent holder
Patentee before: BEIJING BYTEDANCE NETWORK TECHNOLOGY Co.,Ltd.
Patentee after: Tiktok vision (Beijing) Co.,Ltd.
Address (unchanged): 100041 B-0035, 2 floor, 3 building, 30 Shixing street, Shijingshan District, Beijing.
TR01 Transfer of patent right
Effective date of registration: 20230712
Patentee before: Douyin Vision Co.,Ltd., 100041 B-0035, 2 floor, 3 building, 30 Shixing street, Shijingshan District, Beijing.
Patentee after: Beijing volcano Engine Technology Co.,Ltd., 100190 1309, 13th floor, building 4, Zijin Digital Park, Haidian District, Beijing