CN111726366A - Device communication method, device, system, medium and electronic device - Google Patents
Publication number: CN111726366A (application CN202010616554.XA)
Authority: CN (China)
Prior art keywords: authentication, security, node, attribute information, sending node
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/205: Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (H04L63/00 > H04L63/20)
- H04L63/0281: Proxies (H04L63/00 > H04L63/02, separating internal from external traffic, e.g. firewalls)
- H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload (H04L63/00 > H04L63/04)
- H04L63/08: Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network (H04L63/00)
All four fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L63/00 (Network architectures or network communication protocols for network security).
Abstract
The embodiment of the disclosure discloses a zero-trust-based device communication method, apparatus, system, medium and electronic device. A sending node intercepts all network traffic data; when a network access request is detected in the network traffic data, it acquires attribute information related to the network access request and transmits the attribute information, after format conversion, to a gateway device. The gateway device uploads an authentication and authorization request carrying the attribute information to an authentication and authorization server; on receiving an authentication and authorization result fed back by the server, it issues to the sending node and the destination node a security policy comprising the IP address of the sending node, the IP address of the destination node, the port of the sending node, the port of the destination node and the transport layer protocol number. According to the security policy fed back by the gateway device, the sending node and the destination node can complete the establishment of a security tunnel in the zero-trust network environment, realizing interaction between node devices in that environment.
Description
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to a zero trust-based device communication method, apparatus, system, computer-readable storage medium, and electronic device.
Background
Internet Protocol Security (IPSec) is an open-standard framework in which a secure tunnel based on cryptographic techniques is established between two communicating parties to ensure secure communication over an Internet Protocol network. The Internet Key Exchange (IKE) protocol solves the problem of securely establishing or updating a shared key in an insecure network environment such as the Internet.
A Virtual Private Network (VPN) is a technology for establishing a private network on a public network; it extends a private network by encapsulating, encrypting and authenticating links across a shared or public network. A VPN employing the IPSec and IKE protocols is referred to as an IPSec VPN.
Zero Trust security (Zero Trust) is a network security architecture and security concept that performs identity-centric dynamic access control. Its central idea is that no user, device, application or traffic inside or outside the network should be trusted by default, and that the basis of trust for access control should be rebuilt through authentication and authorization of every network access behavior.
A traditional IPSec VPN device is generally an important component of a boundary (perimeter) security solution: it guarantees the confidentiality and integrity of the data transmission channel and has some capability to resist replay and traffic-analysis attacks. Both parties to communication protected by an IPSec tunnel are generally considered to be within a trusted internal network, and secure communication can be performed. In a zero-trust, identity-centric environment with dynamic access control, however, there is no clear boundary between the internal and external network and the trust relationship changes dynamically, so a security tunnel constructed by IPSec VPN devices can no longer be regarded as a trusted secure environment, and traditional IPSec VPN devices and their deployment and usage mode are no longer suitable for a zero-trust network environment.
It can be seen that how to realize interaction between IPSec VPN devices in a zero-trust network environment is a problem to be solved by those skilled in the art.
Disclosure of Invention
The embodiments of the disclosure aim to provide a zero-trust-based device communication method, apparatus, system, computer-readable storage medium and electronic device that can realize interaction between IPSec VPN devices in a zero-trust network environment.
In order to achieve the above object, the present disclosure provides a zero trust based device communication method, including:
intercepting all network traffic data;
when a network access request is detected to appear in the network traffic data, acquiring attribute information related to the network access request;
transmitting the attribute information, after format conversion, to a gateway device;
establishing a security tunnel with a destination node according to a security policy fed back by the gateway device; the security policy is set when the gateway device receives an authentication and authorization result fed back by an authentication and authorization server after the attribute information passes security authentication, and the security policy includes an IP address of the sending node, an IP address of the destination node, a port of the sending node, a port of the destination node, and a transport layer protocol number.
Optionally, transmitting the attribute information, after format conversion, to the gateway device includes:
formatting the attribute information into attribute value pairs according to a preset authentication protocol;
and transmitting the attribute value pairs to the gateway device through a virtual tunnel based on the Extensible Authentication Protocol.
Optionally, after the establishing a security tunnel with a destination node according to the security policy fed back by the gateway device, the method further includes:
and when the service time of the security policy reaches its lifetime, deleting the security policy and the corresponding security tunnel.
Optionally, after the establishing a security tunnel with a destination node according to the security policy fed back by the gateway device, the method further includes:
and when the service time of the security tunnel reaches a preset tunnel lifetime, refreshing the security parameters of the security tunnel.
Optionally, after the establishing a security tunnel with a destination node according to the security policy fed back by the gateway device, the method further includes:
setting a data transmission mode of the security tunnel according to a security level fed back by the gateway device, where different security levels correspond to data transmission modes of different security strengths;
and transmitting the data to be transmitted to the destination node through the security tunnel according to the data transmission mode.
The embodiment of the disclosure also provides a zero-trust-based device communication apparatus, which includes an interception unit, an acquisition unit, a sending unit and an establishment unit;
the interception unit is used for intercepting all network traffic data;
the acquisition unit is used for acquiring attribute information related to a network access request when the network access request is detected in the network traffic data;
the sending unit is used for sending the attribute information, after format conversion, to a gateway device;
the establishment unit is used for establishing a security tunnel with a destination node according to a security policy fed back by the gateway device; the security policy is set when the gateway device receives an authentication and authorization result fed back by an authentication and authorization server after the attribute information passes security authentication; the security policy includes an IP address of the sending node, an IP address of the destination node, a port of the sending node, a port of the destination node, and a transport layer protocol number.
Optionally, the sending unit includes a formatting subunit and a transmission subunit;
the formatting subunit is configured to format the attribute information into an attribute value pair according to a preset authentication protocol;
and the transmission subunit is configured to transmit the attribute value pair to the gateway device through a virtual tunnel based on an extensible authentication protocol.
Optionally, a deletion unit is further included;
the deletion unit is used for deleting the security policy and the corresponding security tunnel when the service time of the security policy reaches its lifetime.
Optionally, a refresh unit is further included;
the refresh unit is used for refreshing the security parameters of the security tunnel when the service time of the security tunnel reaches the preset tunnel lifetime.
Optionally, the apparatus further comprises a setting unit and a transmission unit;
the setting unit is used for setting the data transmission mode of the security tunnel according to the security level fed back by the gateway device, where different security levels correspond to data transmission modes of different security strengths;
and the transmission unit is used for transmitting the data to be transmitted to the destination node through the security tunnel according to the data transmission mode.
The embodiment of the present disclosure further provides a device communication method based on zero trust, including:
acquiring attribute information transmitted by a sending node;
uploading an authentication authorization request carrying the attribute information to an authentication authorization server;
when receiving an authentication and authorization result fed back by the authentication and authorization server after the attribute information passes security authentication, issuing a security policy to the sending node and to the destination node pointed to by the sending node's network access request; the security policy comprises an IP address of the sending node, an IP address of the destination node, a port of the sending node, a port of the destination node and a transport layer protocol number.
The embodiment of the disclosure also provides a zero-trust-based device communication apparatus, which includes an acquisition unit, an uploading unit and an issuing unit;
the acquisition unit is used for acquiring the attribute information transmitted by the sending node;
the uploading unit is used for uploading an authentication and authorization request carrying the attribute information to an authentication and authorization server;
the issuing unit is used for issuing a security policy to the sending node and to the destination node pointed to by the sending node's network access request when an authentication and authorization result, fed back by the authentication and authorization server after the attribute information passes security authentication, is received; the security policy comprises an IP address of the sending node, an IP address of the destination node, a port of the sending node, a port of the destination node and a transport layer protocol number.
The embodiment of the disclosure also provides a zero-trust-based device communication system, which comprises a sending node, a gateway device and an authentication and authorization server;
the sending node is used for intercepting all network traffic data; acquiring attribute information related to a network access request when the network access request is detected in the network traffic data; transmitting the attribute information, after format conversion, to the gateway device; and establishing a security tunnel with a destination node according to the security policy fed back by the gateway device;
the gateway device is used for acquiring the attribute information transmitted by the sending node; uploading an authentication and authorization request carrying the attribute information to the authentication and authorization server; and, when receiving an authentication and authorization result fed back by the authentication and authorization server after the attribute information passes security authentication, issuing a security policy to the sending node and to the destination node pointed to by the sending node's network access request; the security policy comprises an IP address of the sending node, an IP address of the destination node, a port of the sending node, a port of the destination node and a transport layer protocol number;
the authentication and authorization server is used for receiving the authentication and authorization request uploaded by the gateway device, performing security authentication on the attribute information carried in the request, and feeding back an authentication and authorization result to the gateway device when the attribute information passes the security authentication.
The disclosed embodiments also provide a computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements the steps of any of the above-described methods.
An embodiment of the present disclosure further provides an electronic device, including:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to implement the steps of any of the above methods.
By the above technical solution, the sending node intercepts all network traffic data and, when a network access request is detected in the network traffic data, obtains the attribute information related to that request. In a zero-trust network environment the original communication tunnel is not trusted, so the sending node cannot transmit data directly to the destination node; in this method and system the attribute information, after format conversion, is therefore transmitted to the gateway device. The gateway device uploads an authentication and authorization request carrying the attribute information to the authentication and authorization server and, on receiving the authentication and authorization result fed back after the attribute information passes security authentication, issues a security policy to the sending node and to the destination node pointed to by the sending node's network access request; the security policy includes the IP address of the sending node, the IP address of the destination node, the port of the sending node, the port of the destination node and the transport layer protocol number. According to the security policy fed back by the gateway device, the sending node and the destination node can complete the establishment of a security tunnel in the zero-trust network environment and exchange information through it. Because the sending node intercepts all network traffic data and uploads every outward network access request, through the gateway device, to the authentication and authorization server for security authentication, a zero-trust-based access control mechanism is realized, and efficient, automatic full-traffic encryption is achieved while reducing the intrusiveness to services and users.
The gateway device can interact with multiple node devices simultaneously, which greatly improves zero-trust deployment efficiency. Moreover, the negotiation between the sending node and the gateway device does not involve transmitting the actual data exchanged between the sending node and the destination node, which improves data security.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure without limiting the disclosure. In the drawings:
fig. 1 is a schematic view of a scenario of zero trust based device communication provided in an embodiment of the present disclosure;
fig. 2 is a signaling diagram of a zero trust-based device communication method according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of a zero trust-based device communication apparatus according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of another zero-trust-based device communication apparatus provided in the embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of a zero trust based device communication system according to an embodiment of the present disclosure;
fig. 6 is a block diagram of an electronic device provided in an embodiment of the present disclosure.
Detailed Description
The following detailed description of specific embodiments of the present disclosure is provided in connection with the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present disclosure, are given by way of illustration and explanation only, not limitation.
The present disclosure is described in further detail below with reference to the accompanying drawings and detailed description, in order to enable those skilled in the art to better understand the disclosure.
Data transmission between IPSec VPN devices is realized by establishing a security tunnel. In a zero-trust network environment there is no clear boundary between the internal and external network, the trust relationship changes dynamically, and a security tunnel constructed by an IPSec VPN device can no longer be regarded as a trusted secure environment. Traditional IPSec VPN devices and their deployment and usage mode are therefore no longer suitable for a zero-trust network environment.
In the embodiment of the disclosure, full-traffic encryption is considered one of the important means of implementing a zero-trust security mechanism: if full-traffic encryption of the communication between IPSec VPN devices can be realized and combined with the zero-trust security policy, trust evaluation, trust proxy and the authentication and authorization process, then interaction between IPSec VPN devices can be realized in a zero-trust network environment. The embodiment of the disclosure therefore provides a zero-trust-based device communication method, apparatus and system, a computer-readable storage medium and an electronic device.
Fig. 1 is a schematic view of a scenario of zero-trust-based device communication provided in an embodiment of the present disclosure. Each node device can complete security authentication at the authentication and authorization server through the gateway device, and thereby construct a security tunnel that meets the zero-trust requirement. A node device may be a user terminal or a service server, and the same node device may act as both a sending node and a destination node. For example, when node device A needs to transmit data to node device B, node device A is the sending node and node device B is the destination node; when node device B needs to transmit data to node device A, node device B is the sending node and node device A is the destination node.
In Fig. 1, each node device is provided with a VPN virtual device. The virtual network interface included in the VPN virtual device can be connected to the physical network interface of the node device, and all network traffic data of the node device is intercepted through the virtual network interface. When the VPN virtual device detects that the sending node needs to communicate with the destination node, it performs IKE negotiation with the gateway device, and the gateway device transmits the negotiated attribute information to the authentication and authorization server for security authentication. When the security authentication passes, the authentication and authorization server feeds back an authentication and authorization result to the gateway device; accordingly, the gateway device transmits a security policy to the sending node and the destination node according to that result, so that the two can establish a security tunnel according to the security policy. In the embodiment of the disclosure, the VPN virtual device intercepts all network traffic data and uploads any outward network access request, through the gateway device, to the authentication and authorization server for security authentication, thereby implementing a zero-trust-based access control mechanism.
Next, a zero trust based device communication method provided by the embodiments of the present disclosure is described in detail. Fig. 2 is a signaling diagram of a zero trust-based device communication method according to an embodiment of the present disclosure, where the method includes:
S201: the sending node intercepts all network traffic data.
A VPN virtual device is deployed on the sending node. The virtual network interface of the VPN virtual device is connected to the physical network interface, and all network traffic data flowing through the physical network interface is intercepted, so that the VPN virtual device becomes the only traffic access channel for every application on the device.
S202: when the sending node detects that a network access request occurs in the network traffic data, it acquires attribute information related to the network access request.
In order to realize direct interaction between the sending node and the gateway device, a default route and a default security policy are formed on the node device after the VPN virtual device is deployed on it. The default route directs all network communication paths to the virtual network interface. The default security policy associates all network traffic with the IPSec tunnel between the device and the gateway device, so that any outgoing network access request triggers IKE key negotiation from the device to the IPSec VPN gateway, and any incoming network traffic can only arrive through the IPSec tunnel between the device and the IPSec VPN gateway.
The VPN virtual device sends the attribute information to the gateway device to realize the IKE negotiation process with the gateway device. The attribute information may include device information, user information, traffic information, process/application information, and the like. In practical application, the VPN virtual device may collect device information, user information, traffic information, process/application information, and the like through the information collection plug-in.
The device information may include asset information, hardware information, system information, operation information, cryptographic module information, and the like. The user information may include a username, password, user credentials, user rating, etc. The traffic information may include quintuple information consisting of a source IP address, a destination IP address, a source port, a destination port, and a transport layer protocol number, as well as the number of connections, connection frequency, communication rate, and the like.
S203: the sending node transmits the attribute information, after format conversion, to the gateway device.
In practical application, the sending node can format the attribute information into attribute value pairs according to a preset authentication protocol and transmit the attribute value pairs to the gateway device through the virtual tunnel on the basis of the Extensible Authentication Protocol (EAP).
The preset authentication protocol may be the RADIUS or Diameter authentication protocol.
The IPSec tunnel between the sending node and the gateway device is a virtual tunnel through which no real traffic passes. The IKE negotiation from the sending node to the gateway device therefore does not produce a real session key or an encrypted tunnel; it only uses the Extensible Authentication Protocol within the IKE negotiation to request authentication, trust evaluation and authorization from the authentication and authorization server.
S204: the gateway device acquires the attribute information transmitted by the sending node.
The gateway device may extract the attribute information from the IKE protocol packet.
S205: the gateway device uploads an authentication and authorization request carrying the attribute information to the authentication and authorization server.
The gateway device can request, via the RADIUS or Diameter protocol, that the authentication and authorization server perform identity authentication on the sending node and the destination node that need to communicate over the network.
S206: when the gateway device receives the authentication and authorization result fed back by the authentication and authorization server after the attribute information passes security authentication, it issues the security policy to the sending node and to the destination node pointed to by the sending node's network access request.
The authentication authorization server can perform security authentication on the sending node according to the information recorded in the database. The information recorded in the database may include an asset list, user credibility, historical access records, and the like.
The security authentication of the sending node may include identity authentication, trust evaluation, and authorization. After the sending node passes the security authentication, the authentication and authorization server may feed back an authentication and authorization result to the gateway device.
The authentication authorization result can carry an identifier used for representing that the attribute information passes the security authentication.
When the gateway device receives the authentication and authorization result fed back by the authentication and authorization server, this indicates that the sending node has passed security authentication, and the gateway device may then issue a security policy to the two node devices at opposite ends of the communication.
In practical application, the gateway device may issue the security policy to the two communicating node devices through the IKE configuration mode (ModeConfig). The two node devices at opposite ends of the communication are the sending node and the destination node pointed to by the sending node's network access request.
The security policy may include an IP address of the sending node, an IP address of the destination node, a port of the sending node, a port of the destination node, and a transport layer protocol number.
S207: the sending node establishes a security tunnel with the destination node according to the security policy fed back by the gateway device.
According to the IP address of the sending node, the IP address of the destination node, the port of the sending node, the port of the destination node and the transport layer protocol number contained in the security policy, the sending node and the destination node can construct a security tunnel for transmitting the data stream.
Because the security policy fed back by the gateway device is generated only after security authentication has passed, the security tunnel that the sending node and the destination node establish on the basis of that policy meets the requirements of the zero-trust mechanism.
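The S201 to S207 exchange above, modelled end to end as an added example (not code from the patent): the sending node intercepts an outgoing request, formats the attribute information as RADIUS-style attribute value pairs, the gateway queries the authentication and authorization server, and only on a pass does the gateway issue the quintuple security policy to both peers. The vendor-specific AVP names, the asset list, the credibility threshold and the addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FiveTuple:
    # quintuple carried in the attribute information and in the issued security policy
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # transport layer protocol number, e.g. 6 = TCP, 17 = UDP

@dataclass(frozen=True)
class SecurityPolicy:
    flow: FiveTuple
    lifetime: int  # seconds; assumed value

@dataclass
class AccessRequest:
    # attribute information gathered by the VPN virtual device for one outgoing request
    flow: FiveTuple
    device_id: str  # device information (asset identifier)
    username: str   # user information
    process: str    # process/application information

def format_avps(req: AccessRequest) -> list:
    """S203: format attribute information into RADIUS-style attribute value pairs.
    User-Name and Framed-IP-Address are standard RADIUS attributes; the other names
    are assumed vendor-specific attributes used only for this illustration."""
    return [("User-Name", req.username), ("Framed-IP-Address", req.flow.src_ip),
            ("Device-Id", req.device_id), ("Calling-Process", req.process),
            ("Dest-IP-Address", req.flow.dst_ip), ("Src-Port", str(req.flow.src_port)),
            ("Dst-Port", str(req.flow.dst_port)), ("Protocol", str(req.flow.proto))]

class AuthServer:
    """Authentication and authorization server: identity authentication against the
    asset list, trust evaluation against user credibility, then authorization."""
    def __init__(self, assets, credibility, min_credibility=50):
        self.assets = set(assets)
        self.credibility = dict(credibility)
        self.min_credibility = min_credibility

    def authenticate(self, avps) -> Optional[dict]:
        a = dict(avps)
        if a.get("Device-Id") not in self.assets:
            return None  # identity authentication failed: unknown asset
        score = self.credibility.get(a.get("User-Name"), 0)
        if score < self.min_credibility:
            return None  # trust evaluation failed
        # result carries the pass identifier and a security level (thresholds assumed)
        return {"passed": True, "security_level": "high" if score >= 80 else "normal"}

class Node:
    def __init__(self, ip: str):
        self.ip = ip
        self.policies = {}    # FiveTuple -> SecurityPolicy issued by the gateway
        self.tunnels = set()  # flows for which a security tunnel has been built

    def install_policy(self, policy: SecurityPolicy):
        # policy received from the gateway (issued via IKE ModeConfig in the patent)
        self.policies[policy.flow] = policy

    def establish_tunnel(self, policy: SecurityPolicy):
        # S207: the tunnel covers exactly the quintuple named in the policy
        self.tunnels.add(policy.flow)

class Gateway:
    def __init__(self, aaa: AuthServer, nodes: dict, policy_lifetime=3600):
        self.aaa = aaa
        self.nodes = nodes  # ip -> Node reachable from this gateway
        self.policy_lifetime = policy_lifetime
        self.denied = []

    def negotiate(self, avps) -> Optional[SecurityPolicy]:
        """S204-S206: extract attributes, query the AAA server, and on success issue
        the quintuple policy to both the sending node and the destination node."""
        a = dict(avps)
        flow = FiveTuple(a["Framed-IP-Address"], a["Dest-IP-Address"],
                         int(a["Src-Port"]), int(a["Dst-Port"]), int(a["Protocol"]))
        if self.aaa.authenticate(avps) is None:
            self.denied.append(flow)
            return None  # no policy: the virtual tunnel stays empty, nothing is forwarded
        policy = SecurityPolicy(flow, self.policy_lifetime)
        for ip in (flow.src_ip, flow.dst_ip):
            if ip in self.nodes:
                self.nodes[ip].install_policy(policy)
        return policy

def send(node: Node, gw: Gateway, req: AccessRequest) -> bool:
    """S201-S203 and S207 from the sending node's side: every outgoing request is
    intercepted; without a matching policy it triggers negotiation with the gateway."""
    policy = node.policies.get(req.flow) or gw.negotiate(format_avps(req))
    if policy is None:
        return False  # denied: no tunnel is built and the data never leaves the node
    if req.flow not in node.tunnels:
        node.establish_tunnel(policy)
    return True
```

A request that fails identity authentication or trust evaluation produces no policy on either node, so the default security policy keeps that traffic bound to the empty virtual tunnel.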
The security policy takes effect once the sending node has established a security tunnel with the destination node according to the policy fed back by the gateway device.
The security policy has a lifetime. After establishing the security tunnel with the destination node, the node device may monitor the state of the policy and delete both the security policy and the corresponding security tunnel when the usage time of the policy reaches that lifetime.
The security tunnel also has a lifetime, shorter than that of the security policy, so the tunnel may reach its preset tunnel lifetime while the security policy is still valid. To keep the security tunnel available for the whole validity period of the security policy, the sending node may refresh the security parameters of the tunnel when the tunnel's usage time reaches the preset tunnel lifetime, thereby updating the tunnel; each refresh of the security parameters starts a new tunnel lifetime.
The security parameters may include a key and a security parameter index (SPI).
Refreshing the security parameters of the security tunnel keeps the tunnel usable throughout the validity period of the security policy.
In the embodiment of the present disclosure, the authentication and authorization result fed back to the gateway device by the authentication and authorization server may carry a security level resulting from the security evaluation the server performed on the sending node. The gateway device may then feed this security level back to the sending node, which sets the data transmission mode of the secure tunnel according to that level and transmits the data to be transmitted to the destination node through the secure tunnel in that mode.
Different security levels correspond to data transmission modes of different security strengths.
For example, the data transmission modes may include a plaintext mode, a ciphertext (encryption-only) mode, an integrity-check mode, and a ciphertext plus integrity-check mode.
Setting transmission modes of corresponding strength for different security levels makes data transmission between node devices better suited to practical requirements and meets the differing security needs of transmission between different node devices.
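The two lifetime rules above (policy lifetime versus the shorter tunnel lifetime, with a refresh of key and SPI at each tunnel expiry and deletion of policy and tunnel together at policy expiry) and the level-to-mode selection are easy to get subtly wrong, so here is an added worked model of them in Python. It is not code from the patent or from any product: the level numbers in MODE_FOR_LEVEL, the use of a random 32-bit SPI and 256-bit key to stand in for an IKE rekey, and the sample five-tuple are all assumptions. Two practitioner caveats are built in: an unknown security level refuses the tunnel instead of falling back to plaintext, and the comment on the "ciphertext" mode records that encryption-only ESP is not recommended by RFC 4303, so "ciphertext+integrity" should be the normal choice.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class FiveTuple:
    """Selector carried in the gateway-issued security policy (from the text)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # transport-layer protocol number, e.g. 6 = TCP, 17 = UDP


# Assumed mapping from the gateway's security level to a data transmission mode.
# The level numbers are an assumption; the four mode names come from the text.
# "ciphertext" alone (encryption without integrity) is not recommended for ESP
# (RFC 4303); prefer "ciphertext+integrity" wherever the level allows it.
MODE_FOR_LEVEL = {
    0: "plaintext",
    1: "integrity",
    2: "ciphertext",
    3: "ciphertext+integrity",
}


def mode_for_level(level):
    """Pick the transmission mode for a gateway-reported security level.

    Fails closed: an unknown level refuses the tunnel rather than silently
    falling back to the weakest mode.
    """
    try:
        return MODE_FOR_LEVEL[level]
    except KeyError:
        raise ValueError("unknown security level %r; refusing to set a mode" % (level,))


@dataclass
class SecurityPolicy:
    selector: FiveTuple
    installed_at: float
    lifetime: float          # seconds the policy stays valid
    tunnel_lifetime: float   # seconds before the tunnel's parameters are refreshed
    mode: str


@dataclass
class SecureTunnel:
    spi: int                 # security parameter index
    key: bytes
    established_at: float
    refresh_count: int = 0


class NodeTunnelManager:
    """Holds one issued policy and its tunnel on a node and enforces both lifetimes."""

    def __init__(self, policy, now):
        # The text requires the tunnel lifetime to be shorter than the policy
        # lifetime; otherwise the refresh rule could never fire before deletion.
        if policy.tunnel_lifetime >= policy.lifetime:
            raise ValueError("tunnel lifetime must be shorter than policy lifetime")
        self.policy = policy
        self.tunnel = self.fresh_tunnel(now, refresh_count=0)

    @staticmethod
    def fresh_tunnel(now, refresh_count):
        # Random 32-bit SPI and 256-bit key stand in for an IKE rekey (assumption).
        return SecureTunnel(spi=secrets.randbits(32), key=secrets.token_bytes(32),
                            established_at=now, refresh_count=refresh_count)

    def tick(self, now):
        """Apply the lifetime rules at time `now` and report what happened."""
        if self.policy is None:
            return "no-policy"
        if now - self.policy.installed_at >= self.policy.lifetime:
            # Policy lifetime reached: delete the policy and its tunnel together.
            self.policy = None
            self.tunnel = None
            return "deleted"
        if now - self.tunnel.established_at >= self.policy.tunnel_lifetime:
            # Tunnel lifetime reached while the policy is still valid: refresh the
            # security parameters (new key + SPI) and start a new tunnel lifetime.
            self.tunnel = self.fresh_tunnel(now, self.tunnel.refresh_count + 1)
            return "refreshed"
        return "ok"


def simulate(times, policy_lifetime=3600, tunnel_lifetime=600, level=3):
    """Run the lifetime rules at each time in `times`; returns the action per tick."""
    selector = FiveTuple("10.0.0.5", "10.0.1.20", 49152, 443, 6)  # constructed sample
    policy = SecurityPolicy(selector, times[0], policy_lifetime, tunnel_lifetime,
                            mode_for_level(level))
    manager = NodeTunnelManager(policy, times[0])
    return [manager.tick(t) for t in times[1:]]


if __name__ == "__main__":
    # Policy valid for an hour, tunnel refreshed every ten minutes.
    print(simulate(list(range(0, 4201, 600))))
```

With a one-hour policy and a ten-minute tunnel lifetime the model refreshes the key and SPI five times and then deletes policy and tunnel together at the policy's expiry; a further tick reports that no policy is installed, which is the point at which the node's default catch-all policy would again send the next request through the gateway.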
Fig. 3 is a schematic structural diagram of a zero trust-based device communication apparatus provided in an embodiment of the present disclosure, including an intercepting unit 31, an obtaining unit 32, a sending unit 33, and an establishing unit 34;
an intercepting unit 31, configured to intercept all network traffic data;
an obtaining unit 32, configured to obtain attribute information related to a network access request when it is detected that the network access request occurs in the network traffic data;
a sending unit 33, configured to send the attribute information after format conversion to the gateway device;
the establishing unit 34 is configured to establish a secure tunnel with the destination node according to the security policy fed back by the gateway device.
Optionally, the sending unit includes a formatting subunit and a transmitting subunit;
the formatting subunit is configured to format the attribute information into attribute-value pairs according to a preset authentication protocol;
the transmitting subunit is configured to transmit the attribute-value pairs to the gateway device through a virtual tunnel based on the Extensible Authentication Protocol.
Optionally, a deleting unit is further included;
the deleting unit is configured to delete the security policy and the corresponding security tunnel when the usage time of the security policy reaches its lifetime.
Optionally, a refreshing unit is further included;
the refreshing unit is configured to refresh the security parameters of the security tunnel when the usage time of the security tunnel reaches the preset tunnel lifetime.
Optionally, a setting unit and a transmission unit are further included;
the setting unit is configured to set the data transmission mode of the secure tunnel according to the security level fed back by the gateway device, different security levels corresponding to data transmission modes of different security strengths;
the transmission unit is configured to transmit the data to be transmitted to the destination node through the secure tunnel in that data transmission mode.
The description of the features in the embodiment corresponding to fig. 3 may refer to the related description of the embodiment corresponding to fig. 2, and is not repeated here.
With this technical solution, the intercepting unit of the sending node intercepts all network traffic data, and the obtaining unit obtains the attribute information related to a network access request when it detects such a request in the traffic. In a zero-trust network environment the original communication channel is not trusted, so the sending node cannot transmit data directly to the destination node; instead the sending unit transmits the format-converted attribute information to the gateway device, which uploads an authentication and authorization request carrying that attribute information to the authentication and authorization server. When the gateway device receives the authentication and authorization result that the server feeds back once the attribute information has passed security authentication, it issues a security policy to the sending node and to the destination node addressed by the sending node's network access request. The security policy includes the IP address of the sending node, the IP address of the destination node, the port of the sending node, the port of the destination node, and the transport-layer protocol number. From this policy the sending node and the destination node can establish a secure tunnel in the zero-trust environment and exchange information through it. Because the sending node intercepts all network traffic and submits every outgoing network access request, via the gateway device, to the authentication and authorization server for security authentication, the scheme realizes zero-trust access control and efficient, automatic encryption of all traffic with little intrusion into services and users.
Moreover, the negotiation between the sending node and the gateway device does not carry the actual data exchanged between the sending node and the destination node, which improves data security.
Fig. 4 is a schematic structural diagram of a zero trust-based device communication apparatus provided in an embodiment of the present disclosure, including an obtaining unit 41, an uploading unit 42, and an issuing unit 43;
an obtaining unit 41, configured to obtain attribute information transmitted by a sending node;
an uploading unit 42, configured to upload an authentication authorization request carrying the attribute information to an authentication authorization server;
the issuing unit 43 is configured to issue a security policy to the sending node and a destination node to which a network access request of the sending node is directed when receiving an authentication authorization result fed back by the authentication authorization server after the attribute information passes security authentication; the security policy includes an IP address of the sending node, an IP address of the destination node, a port of the sending node, a port of the destination node, and a transport layer protocol number.
The description of the features in the embodiment corresponding to fig. 4 can refer to the related description of the embodiment corresponding to fig. 2, and is not repeated here.
With this technical solution, the obtaining unit of the gateway device obtains the attribute information transmitted by the sending node, and the uploading unit uploads an authentication and authorization request carrying that attribute information to the authentication and authorization server. When the gateway device receives the authentication and authorization result that the server feeds back once the attribute information has passed security authentication, its issuing unit issues a security policy to the sending node and to the destination node addressed by the sending node's network access request. The security policy may include the IP address of the sending node, the IP address of the destination node, the port of the sending node, the port of the destination node, and the transport-layer protocol number, so that the sending node and the destination node can establish a secure tunnel in the zero-trust environment from the policy fed back by the gateway device and exchange information through it. Because the sending node intercepts all network traffic and submits every outgoing network access request, via the gateway device, to the authentication and authorization server for security authentication, the scheme realizes zero-trust access control and efficient, automatic encryption of all traffic with little intrusion into services and users. The gateway device can interact with many node devices at once, which greatly improves zero-trust deployment efficiency, and the negotiation between the sending node and the gateway device does not carry the actual data exchanged between the sending node and the destination node, which improves data security.
Fig. 5 is a schematic structural diagram of a zero trust-based device communication system provided in an embodiment of the present disclosure, including a sending node 51, a gateway device 52, and an authentication and authorization server 53;
a sending node 51, configured to intercept all network traffic data; when a network access request is detected to appear in the network flow data, acquiring attribute information related to the network access request; transmitting the attribute information after format conversion to the gateway device 52; and establishing a security tunnel with the destination node according to the security policy fed back by the gateway device 52.
In practical applications, each node device may act either as a sending node or as a destination node. A virtual VPN device may be installed on the node device.
Depending on the functions the node device must provide in the zero-trust network environment, the virtual VPN device may consist of a virtual network card, a policy enforcer, information collection plug-ins, an IKE client and an IKE server. When the node device acts as a sending node, its IKE client performs IKE negotiation with the gateway device and then negotiates with the destination node to establish the secure tunnel. When the node device acts as a destination node, it negotiates with the sending node through its IKE server to establish the secure tunnel.
The virtual network card creates a virtual network interface on the node device. In fig. 5 this virtual interface is bound to the physical network interface of the node device, and an IPsec tunnel between the two interfaces carries the data. Once the virtual network card is installed, a default route is created on the node device that directs all network communication to the virtual network interface, so any network traffic received from the physical network interface is redirected to the virtual network interface.
The policy enforcer starts with a default security policy that associates all network traffic with the IPsec tunnel between the node device and the gateway device, so that any outgoing network access request triggers an IKE key negotiation from the node device to the gateway device. After the key negotiation succeeds, the policy enforcer receives and loads the security policy issued by the gateway device, with a priority above that of the initial default security policy.
The node device may be equipped with collection plug-ins for the different kinds of information: a device-information plug-in, a user-information plug-in, a traffic-information plug-in, a process-information plug-in and so on. These plug-ins call interfaces provided by the device's operating system to read device information, user information, traffic information and application information.
The device information may include asset information, hardware information, system information, operating information, cryptographic module information and the like. The user information may include the username, password, user credentials, user rating and the like. The traffic information may include the five-tuple (source and destination IP, source and destination port, transport-layer protocol number), the number of connections, the connection frequency, the communication rate and the like. The application information may include process or application details such as program name, vendor information, signature information and application type.
The IKE client formats the collected device, user, traffic and application information, as attribute information, into attribute-value pairs of the RADIUS or Diameter authentication protocol, and transmits the attribute-value pairs to the gateway device through the extended (EAP-based) identity authentication of IKE.
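The attribute-value pair encoding described above is the part of this design that an attacker-controlled endpoint speaks to the gateway and, through it, to the AAA server, so the encoder and the parser both deserve care. The following is an added Python example, not code from the patent or from any RADIUS implementation, that packs the collected device, user, traffic and application information into RFC 2865 attributes (standard Type/Length/Value TLVs plus Vendor-Specific attributes in the recommended sub-TLV layout) and parses them back with strict length checks. The vendor enterprise number 32473 is the one RFC 5612 reserves for documentation, and the vendor sub-type numbers and the sample information are assumptions. A real deployment would also carry the EAP exchange in EAP-Message attributes and a Message-Authenticator, and would hide User-Password as RFC 2865 requires; neither is shown here.

```python
import struct
from ipaddress import IPv4Address

# RFC 2865 standard attribute types used here.
USER_NAME = 1
NAS_IP_ADDRESS = 4
VENDOR_SPECIFIC = 26
CALLING_STATION_ID = 31

VENDOR_ID = 32473  # enterprise number reserved for documentation (RFC 5612)

# Assumed vendor sub-types for the device, process and traffic information.
VSA_DEVICE_ID = 1
VSA_PROCESS_NAME = 2
VSA_FLOW_TUPLE = 3        # "src_ip,dst_ip,src_port,dst_port,proto" as text
VSA_SIGNATURE_STATE = 4   # 0x01 if the requesting binary is signed, else 0x00


def encode_attribute(attr_type, value):
    """One RFC 2865 TLV: Type (1 octet), Length (1 octet, covers the whole TLV), Value."""
    if not 0 <= attr_type <= 255:
        raise ValueError("attribute type out of range")
    if not 1 <= len(value) <= 253:  # Length is one octet and includes the 2-octet header
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_type, value):
    """Vendor-Specific (26): Vendor-Id (4 octets) then vendor type, vendor length, data."""
    if not 1 <= len(value) <= 247:  # 253 minus 4 (Vendor-Id) minus 2 (sub-header)
        raise ValueError("VSA value too long")
    inner = struct.pack("!IBB", VENDOR_ID, vendor_type, len(value) + 2) + value
    return encode_attribute(VENDOR_SPECIFIC, inner)


def encode_attributes(info):
    """Turn the node's collected information into a RADIUS attribute list (bytes)."""
    out = bytearray()
    out += encode_attribute(USER_NAME, info["username"].encode())
    out += encode_attribute(NAS_IP_ADDRESS, IPv4Address(info["node_ip"]).packed)
    out += encode_attribute(CALLING_STATION_ID, info["device_mac"].encode())
    out += encode_vsa(VSA_DEVICE_ID, info["device_id"].encode())
    out += encode_vsa(VSA_PROCESS_NAME, info["process"].encode())
    out += encode_vsa(VSA_FLOW_TUPLE, "{},{},{},{},{}".format(*info["flow"]).encode())
    out += encode_vsa(VSA_SIGNATURE_STATE, b"\x01" if info["signed"] else b"\x00")
    return bytes(out)


def decode_attributes(data):
    """Parse an attribute list into (type, vendor_type_or_None, value) tuples.

    Malformed lengths are rejected rather than skipped: an AAA proxy that
    tolerates bad TLVs invites parser-confusion between hops.
    """
    out = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short vendor-specific attribute")
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor_id != VENDOR_ID or vlen != len(value) - 4:
                raise ValueError("unexpected vendor or bad vendor length")
            out.append((VENDOR_SPECIFIC, vtype, value[6:]))
        else:
            out.append((attr_type, None, value))
        i += length
    return out


# Constructed sample of what the collection plug-ins might report (not real data).
SAMPLE_INFO = {
    "username": "alice",
    "node_ip": "10.0.0.5",
    "device_mac": "00-11-22-33-44-55",
    "device_id": "LAPTOP-7F3A",
    "process": "ssh.exe",
    "flow": ("10.0.0.5", "10.0.1.20", 49152, 22, 6),
    "signed": True,
}

if __name__ == "__main__":
    packed = encode_attributes(SAMPLE_INFO)
    for attr in decode_attributes(packed):
        print(attr)
```

The gateway relays these attributes to the authentication and authorization server unchanged, so the strictness of `decode_attributes` matters on both hops: the gateway should refuse a request whose TLVs do not parse cleanly instead of forwarding it.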
A gateway device 52, configured to obtain attribute information transmitted by the sending node 51; uploading an authentication and authorization request carrying attribute information to the authentication and authorization server 53; when receiving an authentication and authorization result fed back by the authentication and authorization server 53 after passing the security authentication on the attribute information, issuing a security policy to the sending node 51 and a destination node to which a network access request of the sending node 51 is directed; the security policy includes an IP address of the sending node 51, an IP address of the destination node, a port of the sending node 51, a port of the destination node, and a transport layer protocol number.
The IPsec VPN gateway is the only destination of all initial traffic and of the default route, and the only tunnel endpoint of the default security policy. Before normal communication can begin, the network access traffic of any device first triggers key negotiation with the VPN gateway, during which identity authentication and trust rating are performed through EAP (Extensible Authentication Protocol) extended authentication over IKE. From the results of identity authentication and trust rating, the IPsec VPN gateway forms a fine-grained security policy for the two communicating devices (a five-tuple of source and destination IP, source and destination port and protocol, or a URL-level rule) and issues it to both devices through the IKE configuration mode (ModConfig).
The authentication and authorization server 53 is configured to receive an authentication and authorization request uploaded by the gateway device 52, and perform security authentication on attribute information carried in the authentication and authorization request; when the attribute information passes the security authentication, the authentication authorization result is fed back to the gateway device 52.
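The policy-enforcer behaviour on the node (a default catch-all policy that sends everything to the gateway tunnel and triggers IKE, with gateway-issued five-tuple policies loaded above it) and the gateway's issuance of that five-tuple to both endpoints are the mechanism that makes the whole scheme fail closed, so here is an added Python model of them. It is not code from the patent or any IPsec stack: the priority numbers, the "trigger"/"tunnel" action names, the rule that the destination node installs the issued five-tuple mirrored so that its replies match as outbound traffic, and the sample addresses are all assumptions. Two checks a practitioner would want are included: a node rejects an issued policy that names neither of its own addresses, and the gateway only ever issues the exact five-tuple that was requested, never a wildcard.

```python
from dataclasses import dataclass
from typing import Union

ANY = "*"  # wildcard, used only by the node's default policy


@dataclass(frozen=True)
class Selector:
    src_ip: str
    dst_ip: str
    src_port: Union[int, str]
    dst_port: Union[int, str]
    proto: Union[int, str]   # transport-layer protocol number

    def matches(self, pkt):
        """pkt is an outbound (src_ip, dst_ip, src_port, dst_port, proto) tuple."""
        fields = (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)
        return all(want == ANY or want == have for want, have in zip(fields, pkt))


@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str    # "trigger": gateway tunnel, starts IKE; "tunnel": direct SA to peer
    peer: str      # tunnel endpoint address
    priority: int  # higher wins; issued policies sit above the default


class PolicyEnforcer:
    """Node-side enforcer: default catch-all policy plus issued five-tuple policies."""

    DEFAULT_PRIORITY = 0
    ISSUED_PRIORITY = 100

    def __init__(self, node_ip, gateway_ip):
        self.node_ip = node_ip
        self.gateway_ip = gateway_ip
        # Default policy from the text: all traffic goes to the IPsec tunnel with
        # the gateway, and any outgoing request hitting it triggers IKE.
        catch_all = Selector(ANY, ANY, ANY, ANY, ANY)
        self.policies = [Policy(catch_all, "trigger", gateway_ip, self.DEFAULT_PRIORITY)]

    def load_issued(self, five_tuple):
        """Install a gateway-issued policy above the default.

        The same five-tuple is issued to both endpoints; the destination node
        installs it mirrored so that its replies match as outbound traffic.
        A policy naming neither of this node's addresses is rejected.
        """
        src, dst, sport, dport, proto = five_tuple
        if self.node_ip == src:
            selector, peer = Selector(src, dst, sport, dport, proto), dst
        elif self.node_ip == dst:
            selector, peer = Selector(dst, src, dport, sport, proto), src
        else:
            raise ValueError("issued policy does not involve this node")
        self.policies.append(Policy(selector, "tunnel", peer, self.ISSUED_PRIORITY))

    def lookup(self, pkt):
        """Highest-priority policy matching an outbound packet (the default always matches)."""
        return max((p for p in self.policies if p.selector.matches(pkt)),
                   key=lambda p: p.priority)


def gateway_issue(auth_result, requested):
    """Gateway side: only a passed authentication yields a policy, and the policy is
    exactly the requested five-tuple, so a node cannot obtain a wider selector."""
    if auth_result != "pass":
        return None
    if ANY in requested:
        raise ValueError("issued policies must be fully specified")
    return tuple(requested)


def scenario():
    """Walk one request through both enforcers; returns the actions observed."""
    gateway = "10.0.0.1"
    sender = PolicyEnforcer("10.0.0.5", gateway)
    dest = PolicyEnforcer("10.0.1.20", gateway)
    pkt = ("10.0.0.5", "10.0.1.20", 49152, 443, 6)   # constructed sample flow

    before = sender.lookup(pkt).action               # no issued policy yet: "trigger"
    policy = gateway_issue("pass", pkt)              # server passed it: policy issued
    sender.load_issued(policy)
    dest.load_issued(policy)
    after = sender.lookup(pkt).action                # now "tunnel" straight to the peer
    reply = ("10.0.1.20", "10.0.0.5", 443, 49152, 6)
    reply_action = dest.lookup(reply).action         # mirrored policy matches: "tunnel"
    other = sender.lookup(("10.0.0.5", "10.0.1.21", 49153, 443, 6)).action  # "trigger"
    return before, after, reply_action, other


if __name__ == "__main__":
    print(scenario())
```

The last lookup in `scenario` is the property worth checking in any real enforcer: a flow to a host for which no policy has been issued, even one adjacent to an authorized destination, still falls through to the default policy and therefore back to the gateway for authentication.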
The description of the features in the embodiment corresponding to fig. 5 may refer to the related description of the embodiment corresponding to fig. 2, and is not repeated here.
With this technical solution, the sending node intercepts all network traffic data and, when it detects a network access request in that traffic, obtains the attribute information related to the request. In a zero-trust network environment the original communication channel is not trusted, so the sending node cannot transmit data directly to the destination node; instead it transmits the format-converted attribute information to the gateway device. The gateway device uploads an authentication and authorization request carrying the attribute information to the authentication and authorization server and, on receiving the authentication and authorization result that the server feeds back once the attribute information has passed security authentication, issues a security policy to the sending node and to the destination node addressed by the sending node's network access request. The security policy includes the IP address of the sending node, the IP address of the destination node, the port of the sending node, the port of the destination node, and the transport-layer protocol number. From this policy the sending node and the destination node can establish a secure tunnel in the zero-trust environment and exchange information through it. Because the sending node intercepts all network traffic and submits every outgoing network access request, via the gateway device, to the authentication and authorization server for security authentication, the scheme realizes zero-trust access control and efficient, automatic encryption of all traffic with little intrusion into services and users.
The gateway device can interact with many node devices at once, which greatly improves zero-trust deployment efficiency. Moreover, the negotiation between the sending node and the gateway device does not carry the actual data exchanged between the sending node and the destination node, which improves data security.
The embodiments of the present disclosure also provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the zero-trust-based device communication method described in any of the above embodiments.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
Fig. 6 is a block diagram illustrating an electronic device 600 according to an example embodiment. As shown in fig. 6, the electronic device 600 may include: a processor 601 and a memory 602. The electronic device 600 may also include one or more of a multimedia component 603, an input/output (I/O) interface 604, and a communications component 605.
The processor 601 is configured to control the overall operation of the electronic device 600 so as to complete all or part of the steps of the zero-trust-based device communication method. The memory 602 stores various types of data supporting operation of the electronic device 600, such as instructions for any application or method running on the electronic device 600 and application-related data such as contact data, transmitted and received messages, pictures, audio and video. The memory 602 may be implemented by any type of volatile or non-volatile memory device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disk. The multimedia component 603 may include a screen and an audio component, where the screen may be, for example, a touch screen and the audio component outputs and/or inputs audio signals; for example, the audio component may include a microphone for receiving external audio signals, which may be stored in the memory 602 or transmitted through the communication component 605, and at least one speaker for outputting audio signals. The I/O interface 604 provides an interface between the processor 601 and other interface modules such as a keyboard, a mouse or buttons, which may be virtual or physical. The communication component 605 provides wired or wireless communication between the electronic device 600 and other devices; the wireless communication may be, for example, Wi-Fi, Bluetooth, Near Field Communication (NFC), 2G, 3G or 4G, or a combination of them, so the corresponding communication component 605 may include a Wi-Fi module, a Bluetooth module and an NFC module.
In an exemplary embodiment, the electronic Device 600 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic components for performing the zero trust based Device communication methods described above.
In another exemplary embodiment, a computer readable storage medium comprising program instructions which, when executed by a processor, implement the steps of the zero trust based device communication method described above is also provided. For example, the computer readable storage medium may be the memory 602 described above including program instructions executable by the processor 601 of the electronic device 600 to perform the zero trust based device communication method described above.
The preferred embodiments of the present disclosure are described in detail with reference to the accompanying drawings, however, the present disclosure is not limited to the specific details of the above embodiments, and various simple modifications may be made to the technical solution of the present disclosure within the technical idea of the present disclosure, and these simple modifications all belong to the protection scope of the present disclosure. It should be noted that the various features described in the above embodiments may be combined in any suitable manner without departing from the scope of the invention. In order to avoid unnecessary repetition, various possible combinations will not be separately described in this disclosure.
In addition, any combination of various embodiments of the present disclosure may be made, and the same should be considered as the disclosure of the present disclosure, as long as it does not depart from the spirit of the present disclosure.
Claims (11)
1. A zero trust based device communication method, comprising:
intercepting all network traffic data;
when a network access request is detected to appear in the network traffic data, acquiring attribute information related to the network access request;
transmitting the attribute information after format conversion to gateway equipment;
establishing a security tunnel with a destination node according to the security policy fed back by the gateway equipment; the security policy is set when the gateway device receives an authentication authorization result fed back by an authentication authorization server after the attribute information passes security authentication; the security policy includes an IP address of the sending node, an IP address of the destination node, a port of the sending node, a port of the destination node, and a transport layer protocol number.
2. The method of claim 1, wherein transmitting the formatted attribute information to a gateway device comprises:
formatting the attribute information into attribute value pairs according to a preset authentication protocol;
and transmitting the attribute value pair to the gateway equipment through a virtual tunnel based on an extensible authentication protocol.
3. The method according to claim 1, further comprising, after the establishing a secure tunnel with a destination node according to the security policy fed back by the gateway device:
and when the service time of the security policy reaches the lifetime, deleting the security policy and the corresponding security tunnel.
4. The method according to claim 1, further comprising, after the establishing a secure tunnel with a destination node according to the security policy fed back by the gateway device:
and when the usage time of the security tunnel reaches a preset tunnel lifetime, refreshing the security parameters of the security tunnel.
5. The method according to claim 1, further comprising, after the establishing a secure tunnel with a destination node according to the security policy fed back by the gateway device:
setting a data transmission mode of the security tunnel according to the security level fed back by the gateway device; wherein different security levels correspond to data transmission modes with different security strengths;
and transmitting the data to be transmitted to the destination node through the secure tunnel according to the data transmission mode.
6. A zero trust-based equipment communication device is characterized by comprising an interception unit, an acquisition unit, a sending unit and an establishment unit;
the interception unit is used for intercepting all network flow data;
the acquiring unit is used for acquiring attribute information related to the network access request when the network access request is detected to appear in the network traffic data;
the sending unit is used for sending the attribute information after format conversion to the gateway equipment;
the establishing unit is used for establishing a security tunnel with a destination node according to the security policy fed back by the gateway equipment; the security policy is set when the gateway device receives an authentication authorization result fed back by an authentication authorization server after the attribute information passes security authentication; the security policy includes an IP address of the sending node, an IP address of the destination node, a port of the sending node, a port of the destination node, and a transport layer protocol number.
7. A zero trust based device communication method, comprising:
acquiring attribute information transmitted by a sending node;
uploading an authentication authorization request carrying the attribute information to an authentication authorization server;
when receiving an authentication and authorization result fed back by the authentication and authorization server after the attribute information passes the security authentication, issuing a security policy to the sending node and a destination node pointed by the network access request of the sending node; the security policy comprises an IP address of the sending node, an IP address of the destination node, a port of the sending node, a port of the destination node and a transport layer protocol number.
8. A zero trust-based device communication device, characterized by comprising an acquiring unit, an uploading unit and an issuing unit;
the acquiring unit is used for acquiring the attribute information transmitted by the sending node;
the uploading unit is used for uploading an authentication authorization request carrying the attribute information to an authentication authorization server;
the issuing unit is used for issuing a security policy to the sending node and a destination node pointed by a network access request of the sending node when receiving an authentication authorization result fed back by the authentication authorization server after the attribute information passes security authentication; the security policy comprises an IP address of the sending node, an IP address of the destination node, a port of the sending node, a port of the destination node and a transport layer protocol number.
9. A zero trust-based device communication system is characterized by comprising a sending node, a gateway device and an authentication and authorization server;
the sending node is used for intercepting all network flow data; when a network access request is detected to appear in the network traffic data, acquiring attribute information related to the network access request; transmitting the attribute information after format conversion to gateway equipment; establishing a security tunnel with a destination node according to the security policy fed back by the gateway equipment;
the gateway equipment is used for acquiring the attribute information transmitted by the sending node; uploading an authentication authorization request carrying the attribute information to an authentication authorization server; when receiving an authentication and authorization result fed back by the authentication and authorization server after the attribute information passes the security authentication, issuing a security policy to the sending node and a destination node pointed by the network access request of the sending node; the security policy comprises an IP address of a sending node, an IP address of a destination node, a port of the sending node, a port of the destination node and a transport layer protocol number;
the authentication and authorization server is used for receiving the authentication and authorization request uploaded by the gateway equipment and carrying out security authentication on the attribute information carried in the authentication and authorization request; and when the attribute information passes the security authentication, feeding back an authentication authorization result to the gateway equipment.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 5 and/or of claim 7.
11. An electronic device, comprising:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to implement the steps of the method of any of claims 1-5 and/or claim 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010616554.XA CN111726366A (en) | 2020-06-30 | 2020-06-30 | Device communication method, device, system, medium and electronic device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010616554.XA CN111726366A (en) | 2020-06-30 | 2020-06-30 | Device communication method, device, system, medium and electronic device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111726366A true CN111726366A (en) | 2020-09-29 |
Family
ID=72570629
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010616554.XA Pending CN111726366A (en) | 2020-06-30 | 2020-06-30 | Device communication method, device, system, medium and electronic device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111726366A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112367188A (en) * | 2020-10-16 | 2021-02-12 | 零氪科技(北京)有限公司 | Privatization safety system based on zero trust model and implementation method |
CN113311805A (en) * | 2021-05-21 | 2021-08-27 | 上海振华重工(集团)股份有限公司 | Zero trust network access control method for automatic port bridge crane operation system |
CN113422768A (en) * | 2021-06-21 | 2021-09-21 | 深圳竹云科技有限公司 | Application access method and device in zero trust and computing equipment |
CN113987560A (en) * | 2021-12-29 | 2022-01-28 | 北京交研智慧科技有限公司 | Zero trust authentication method and device for data and electronic equipment |
US20220046024A1 (en) * | 2019-01-18 | 2022-02-10 | Vmware, Inc. | TLS policy enforcement at a tunnel gateway |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101656645A (en) * | 2008-08-20 | 2010-02-24 | 华为技术有限公司 | Method, equipment and system for communication between external equipment and internal equipment of home network |
CN108494729A (en) * | 2018-02-07 | 2018-09-04 | 北京卓讯科信技术有限公司 | Zero trust model implementation system |
US20190109821A1 (en) * | 2017-10-06 | 2019-04-11 | Stealthpath, Inc. | Methods for Internet Communication Security |
CN110830507A (en) * | 2019-11-29 | 2020-02-21 | 北京天融信网络安全技术有限公司 | Resource access method, device, electronic equipment and system |
- 2020-06-30 CN CN202010616554.XA patent/CN111726366A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101656645A (en) * | 2008-08-20 | 2010-02-24 | 华为技术有限公司 | Method, equipment and system for communication between external equipment and internal equipment of home network |
US20190109821A1 (en) * | 2017-10-06 | 2019-04-11 | Stealthpath, Inc. | Methods for Internet Communication Security |
CN108494729A (en) * | 2018-02-07 | 2018-09-04 | 北京卓讯科信技术有限公司 | Zero trust model implementation system |
CN110830507A (en) * | 2019-11-29 | 2020-02-21 | 北京天融信网络安全技术有限公司 | Resource access method, device, electronic equipment and system |
Non-Patent Citations (3)
Title |
---|
Scott Rose et al.: "NIST.SP.800-207-draft2 Zero Trust Architecture", HTTPS://DOI.ORG/10.6028/NIST.SP.800-207-DRAFT2 * |
高国奇 et al.: "Secure implementation of VPN based on IPSec technology", 《中国金融电脑》 * |
魏小强: "Research and implementation of a zero-trust-based security model for remote office systems", 《信息安全研究》 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220046024A1 (en) * | 2019-01-18 | 2022-02-10 | Vmware, Inc. | TLS policy enforcement at a tunnel gateway |
CN112367188A (en) * | 2020-10-16 | 2021-02-12 | 零氪科技(北京)有限公司 | Privatization safety system based on zero trust model and implementation method |
CN113311805A (en) * | 2021-05-21 | 2021-08-27 | 上海振华重工(集团)股份有限公司 | Zero trust network access control method for automatic port bridge crane operation system |
CN113422768A (en) * | 2021-06-21 | 2021-09-21 | 深圳竹云科技有限公司 | Application access method and device in zero trust and computing equipment |
CN113422768B (en) * | 2021-06-21 | 2022-05-31 | 深圳竹云科技有限公司 | Application access method and device in zero trust and computing equipment |
CN113987560A (en) * | 2021-12-29 | 2022-01-28 | 北京交研智慧科技有限公司 | Zero trust authentication method and device for data and electronic equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9485228B2 (en) | Selectively performing man in the middle decryption | |
US9461975B2 (en) | Method and system for traffic engineering in secured networks | |
US10341300B2 (en) | System, method, apparatus and machine-readable media for enterprise wireless calling | |
Pereira et al. | An authentication and access control framework for CoAP-based Internet of Things | |
US20180270660A1 (en) | Method and system for peer-to-peer enforcement | |
US10069800B2 (en) | Scalable intermediate network device leveraging SSL session ticket extension | |
CN111726366A (en) | Device communication method, device, system, medium and electronic device | |
US9350708B2 (en) | System and method for providing secured access to services | |
US8595818B2 (en) | Systems and methods for decoy routing and covert channel bonding | |
CN108702371A (en) | System, apparatus and method for generating the addresses dynamic IP V6 for being used for safety verification | |
TW201624960A (en) | User-plane security for next generation cellular networks | |
US8104082B2 (en) | Virtual security interface | |
EP2909988B1 (en) | Unidirectional deep packet inspection | |
CN107005534A (en) | Secure connection is set up | |
EP3140955A1 (en) | Collaborative business communication information system | |
Kang et al. | ESSE: efficient secure session establishment for internet-integrated wireless sensor networks | |
Sanchez-Gomez et al. | Integrating LPWAN technologies in the 5G ecosystem: A survey on security challenges and solutions | |
US20080133915A1 (en) | Communication apparatus and communication method | |
US8015406B2 (en) | Method to create an OSI network layer 3 virtual private network (VPN) using an HTTP/S tunnel | |
Park et al. | Survey for secure IoT group communication | |
Biondi et al. | Vulnerability Assessment and Penetration Testing on IP camera | |
CN111556084B (en) | Communication method, device, system, medium and electronic equipment among VPN (virtual private network) devices | |
CN107547478B (en) | Message transmission method, device and system | |
Saedy et al. | Machine-to-machine communications and security solution in cellular systems | |
Tulimiero | An All-Round Secure IoT Network Architecture |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |