CN113055446B - Method and device for protecting application flow in zero trust and computing equipment - Google Patents

Method and device for protecting application flow in zero trust and computing equipment

Info

Publication number: CN113055446B
Application number: CN202110206666.2A
Authority: CN (China)
Prior art keywords: traffic, application, virtual address, flow, zero
Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN113055446A (en)
Inventors: 范端胜, 刘可, 赵静谧
Current assignee: Shenzhen Zhuyun Technology Co ltd
Original assignee: Shenzhen Bamboocloud Technology Co ltd
Events: application filed by Shenzhen Bamboocloud Technology Co ltd; priority to CN202110206666.2A; publication of CN113055446A; application granted; publication of CN113055446B

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/50 Network services > H04L67/56 Provisioning of proxy services
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/14 Session management > H04L67/141 Setup of application sessions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
Abstract

Embodiments of the invention relate to the field of computer technology and disclose a method, an apparatus and a computing device for protecting application traffic in zero trust. The method comprises: when an agent on the terminal side receives application traffic data, obtaining the traffic host address; judging whether the traffic host address exists in a pre-stored protected-application virtual address table; and distinguishing and splitting the application traffic according to the result of that judgment. In this way the embodiments can correctly identify protected and unprotected application traffic and split it, and the algorithm is simple.

Description

Method and device for protecting application flow in zero trust and computing equipment
Technical Field
Embodiments of the invention relate to the field of computer technology, and in particular to a method and an apparatus for protecting application traffic in zero trust, and to a computing device.
Background
In a zero trust network, public applications and applications protected by zero trust are commonly used at the same time, for example the Baidu website and the user's own Office Automation (OA) system, possibly in the same browser or in different application software. How to distinguish the traffic and protect it therefore becomes a problem to be solved. Distinguishing traffic means separating protected application traffic from unprotected traffic, so that the protected application traffic enters the access gateway securely while public application traffic goes directly to the local egress; this is possible because their addresses or their domain names differ.
In the prior art, the hosts file can be modified, because when a device accesses the network it first looks up the IP corresponding to the named host in the hosts file. By redirecting there, the corresponding protected traffic can be directed to the host it needs to reach. This approach has many drawbacks and is not particularly suitable for zero trust networks. First, in a zero trust network, although protected traffic can be redirected in this way, the traffic cannot be encapsulated and encrypted and remains open to hijacking by an intermediary, so the approach cannot solve the man-in-the-middle attack problem. Second, much antivirus software prohibits software from changing the hosts file. There is also a major problem if the host connects to the network through a proxy, in which case this approach does not work at all. Therefore, this method cannot be used well in a zero trust environment.
In the prior art, the DNS can also be modified: the host's DNS is changed to a specific DNS server, which then performs host resolution for protected and unprotected traffic. This is substantially equivalent to the first method, but has the advantage over it that antivirus software does not intercept the DNS change.
Disclosure of Invention
In view of the foregoing, embodiments of the present invention provide a method, an apparatus and a computing device for protecting application traffic in zero trust that overcome, or at least partially solve, the above problems.
According to one aspect of the embodiments, a method for protecting application traffic in zero trust is provided, including: when an agent on the terminal side receives application traffic data, obtaining the traffic host address; judging whether the traffic host address exists in a pre-stored protected-application virtual address table; and distinguishing and splitting the application traffic according to the result of the judgment.
In an optional manner, before obtaining the traffic host address when application traffic data is received, the method includes: deploying an agent on the terminal side that supports the SOCKS5 and HTTP proxy protocols, and setting the agent's local address and port; and, when the agent starts, obtaining protected virtual address information from the zero trust gateway to form the protected-application virtual address table, and storing that table in memory.
In an optional manner, obtaining the traffic host address includes: obtaining the traffic host address from the proxy command according to the proxy protocol.
In an optional manner, distinguishing and splitting the application traffic according to the judgment result includes: if the traffic host address exists in the protected-application virtual address table, forwarding the protected application traffic to the zero trust gateway, which exchanges traffic with the application server; and if it does not exist in the table, letting the application traffic go through its original channel to exchange traffic.
In an optional manner, forwarding the protected application traffic to the zero trust gateway includes: establishing a traffic channel between the agent and the zero trust gateway; and using that traffic channel to forward the protected application traffic to the zero trust gateway.
According to another aspect of the embodiments, a method for protecting application traffic in zero trust is provided, including: the zero trust gateway receives the protected application traffic transmitted from the terminal side; determines whether the traffic host address of the application traffic is in a pre-stored protected-application virtual address table; if so, finds the real address of the application from the table; and establishes a traffic channel between the zero trust gateway and the application server according to the real address to exchange traffic.
According to another aspect of the embodiments, an apparatus for protecting application traffic in zero trust is provided, including: a first traffic receiving unit, configured to receive application traffic data through an agent on the terminal side and obtain the traffic host address; a first judging unit, configured to judge whether the traffic host address exists in a pre-stored protected-application virtual address table; and a traffic distinguishing unit, configured to forward the protected application traffic to the zero trust gateway, which exchanges traffic with the application server, if the traffic host address exists in the table, and to let the application traffic go through its original channel to exchange traffic if it does not.
According to another aspect of the embodiments, an apparatus for protecting application traffic in zero trust is provided, including: a second traffic receiving unit, configured to receive, at the zero trust gateway, the protected application traffic transmitted from the terminal side; a second judging unit, configured to determine whether the traffic host address of the application traffic is in a pre-stored protected-application virtual address table; an address obtaining unit, configured to find the real address of the application from the table if the traffic host address is in it; and a channel establishing unit, configured to establish a traffic channel between the zero trust gateway and the application server according to the real address to exchange traffic.
According to another aspect of the embodiments, a computing device is provided, including a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with one another through the communication bus; and the memory is configured to store at least one executable instruction that causes the processor to perform the steps of the method for protecting application traffic in zero trust described above.
According to another aspect of the embodiments, a computer storage medium is provided in which at least one executable instruction is stored, the executable instruction causing the processor to perform the steps of the method for protecting application traffic in zero trust described above.
When an agent on the terminal side receives application traffic data, the embodiments obtain the traffic host address, judge whether it exists in the pre-stored protected-application virtual address table, and distinguish and split the application traffic according to the result, so protected and unprotected application traffic can be correctly identified and split, and the algorithm is simple.
The foregoing is only an overview of the technical solutions of the embodiments. So that the technical means of the embodiments can be understood more clearly and implemented according to the content of this description, and so that the foregoing and other objects, features and advantages of the embodiments can be understood more clearly, the detailed description of the invention is given below.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
Fig. 1 is a flowchart of a method for protecting application traffic in zero trust according to an embodiment of the present invention;
Fig. 2 is a flowchart of a method for protecting application traffic in zero trust according to another embodiment of the present invention;
Fig. 3 is a schematic diagram of another method for protecting application traffic in zero trust according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an apparatus for protecting application traffic in zero trust according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an apparatus for protecting application traffic in zero trust according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a computing device provided by an embodiment of the invention;
Fig. 7 is a schematic structural diagram of another computing device provided by an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Fig. 1 is a flowchart of a method for protecting application traffic in zero trust according to an embodiment of the present invention. The method is performed by a terminal. As shown in fig. 1, the method includes:
Step S11: when the agent on the terminal side receives application traffic data, obtain the traffic host address.
In this embodiment, before step S11 an agent is deployed on the terminal side that supports the SOCKS5 and HTTP proxy protocols, and the agent's local address and port are set. The agent proxies the application's network access; its local address and port are configured as the application's proxy server.
When the agent starts, and after the zero trust gateway has confirmed that the terminal is trusted, the agent obtains the protected virtual address information from the zero trust gateway and stores it in memory. This protected-application virtual address table is shown in table 1 and contains virtual address information, real address information, the user, the application name, the protocol type and so on, where the real address information consists of an IP address and a port.
Table 1 Protected-application virtual address table
[Table 1 is reproduced only as an image in the original (figure GDA0003585001080000051); its columns are those listed above.]
In step S11, the traffic host address is obtained from the proxy command according to the proxy protocol. Specifically, when application traffic passes through the agent, the proxy protocol always places an access address in the target-address field of the proxy command (different proxy protocols use different formats, of course), and that access address is the traffic host address.
Step S12: judge whether the traffic host address exists in the pre-stored protected-application virtual address table.
The traffic host address is compared with the virtual addresses in the protected-application virtual address table to determine whether it exists in the pre-stored table.
Step S13: distinguish and split the application traffic according to the result of the judgment.
In this embodiment, if the traffic host address exists in the protected-application virtual address table, the protected application traffic is forwarded to the zero trust gateway, which exchanges traffic with the application server. Specifically, a traffic channel is established between the agent and the zero trust gateway, and the protected application traffic for that traffic host address is encapsulated and encrypted over the channel and forwarded to the zero trust gateway. If the traffic host address does not exist in the table, the application traffic is let through its original channel to exchange traffic. Traffic is thus distinguished and split automatically without changing the user's habits: protected application traffic is forwarded to the zero trust gateway and unprotected application traffic goes through the original channel, so the original traffic path remains usable while the protected traffic can be encapsulated and encrypted. The implementation is simple: the whole of the terminal's traffic does not need to be analysed, only the target address in the proxy protocol command has to be compared, so the algorithm is simple and the amount of computation is very small. The terminal-side implementation is also not constrained by the operating system and is less affected by antivirus software.
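Steps S11 to S13 amount to a small decision function in the agent: read the target address out of the proxy command, compare it with the virtual addresses held in memory, and route accordingly. The following is an added example written for this page, not code from the patent or its assignee. It assumes things the patent does not state: the proxy request arrives as the raw bytes of a SOCKS5 CONNECT request (RFC 1928 layout) or an HTTP proxy request in CONNECT or absolute-URI form, the in-memory table is modelled as a set of virtual host names, and every address in it is constructed for the example.

```python
"""Terminal-side traffic split (steps S11 to S13): added example, not the patent's code."""
import socket
import struct
from typing import FrozenSet, Tuple
from urllib.parse import urlsplit

SOCKS5_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Constructed stand-in for the virtual address information the agent fetches from
# the zero trust gateway at start-up; the terminal only needs the virtual addresses.
PROTECTED_VIRTUAL: FrozenSet[str] = frozenset({
    "oa.corp.example",    # the user's OA system, reached through the gateway
    "crm.corp.example",
    "10.200.0.7",         # a virtual address may also be a literal IP
})


def socks5_target(request: bytes) -> Tuple[str, int]:
    """Return (host, port) from a SOCKS5 request: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if len(request) < 5 or request[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    if request[1] != SOCKS5_CONNECT:
        raise ValueError("only CONNECT carries a destination to route on")
    atyp = request[3]
    if atyp == ATYP_IPV4:
        end = 8
    elif atyp == ATYP_DOMAIN:
        end = 5 + request[4]            # one length byte, then the name
    elif atyp == ATYP_IPV6:
        end = 20
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(request) < end + 2:          # DST.PORT is two bytes, network order
        raise ValueError("truncated SOCKS5 request")
    if atyp == ATYP_IPV4:
        host = socket.inet_ntop(socket.AF_INET, request[4:8])
    elif atyp == ATYP_DOMAIN:
        host = request[5:end].decode("ascii")
    else:
        host = socket.inet_ntop(socket.AF_INET6, request[4:20])
    (port,) = struct.unpack("!H", request[end:end + 2])
    return host.lower(), port


def http_target(request: bytes) -> Tuple[str, int]:
    """Return (host, port) from an HTTP proxy request line.

    CONNECT host:port HTTP/1.1            (tunnelled, e.g. HTTPS)
    GET http://host[:port]/path HTTP/1.1  (absolute-URI form, plain HTTP)
    """
    line = request.split(b"\r\n", 1)[0].decode("ascii")
    parts = line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    if method.upper() == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return host.strip("[]").lower(), int(port)
    url = urlsplit(target)
    if url.scheme not in ("http", "https") or not url.hostname:
        raise ValueError("proxy request must use an absolute URI")
    return url.hostname, url.port or (443 if url.scheme == "https" else 80)


def route(request: bytes, table: FrozenSet[str] = PROTECTED_VIRTUAL) -> Tuple[str, int, str]:
    """S11: extract the traffic host address; S12/S13: 'gateway' if it is a protected
    virtual address, otherwise 'direct' (the original channel)."""
    host, port = socks5_target(request) if request[:1] == b"\x05" else http_target(request)
    decision = "gateway" if host in table else "direct"
    return host, port, decision


if __name__ == "__main__":
    samples = [
        b"\x05\x01\x00\x03\x0foa.corp.example\x01\xbb",                 # SOCKS5, domain
        b"\x05\x01\x00\x01\x0a\xc8\x00\x07\x1f\x90",                    # SOCKS5, IPv4
        b"CONNECT crm.corp.example:443 HTTP/1.1\r\nHost: crm.corp.example:443\r\n\r\n",
        b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    ]
    for s in samples:
        print(route(s))
```

Only the proxy command's target field is parsed; the application payload behind it is never inspected, which is the low-cost property the text claims. Host names are normalised to lower case before the lookup so that the table comparison does not depend on how the browser spells the name.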
In summary, when an agent on the terminal side receives application traffic data, this embodiment obtains the traffic host address, judges whether it exists in the pre-stored protected-application virtual address table, and distinguishes and splits the application traffic according to the result, so protected and unprotected application traffic can be correctly identified and split, and the algorithm is simple.
Fig. 2 is a flowchart of a method for protecting application traffic in zero trust according to an embodiment of the present invention. The method is performed by a zero trust gateway. As shown in fig. 2, the method includes:
Step S21: the zero trust gateway receives the protected application traffic transmitted from the terminal side.
Before step S21, entries of virtual address information and real address information for each protected application are added to and stored in the protected-application virtual address table.
All application traffic is distinguished and split on the terminal side by the deployed agent; the protected application traffic is encapsulated and encrypted and forwarded to the zero trust gateway, which receives it.
Step S22: determine whether the traffic host address of the application traffic is in the pre-stored protected-application virtual address table.
After the protected application traffic reaches the zero trust gateway, the gateway confirms its security through packet analysis. Specifically, the traffic host address is obtained from the received protected application traffic and compared with the pre-stored protected-application virtual address table to determine whether it is in the table.
Step S23: if so, find the real address of the application from the protected-application virtual address table.
In this embodiment, if the traffic host address of the application traffic is in the pre-stored table, the real address of the application is found from the table: the real address information corresponding to the traffic host address is looked up in the table, giving the real address of the application. If the traffic host address is not in the pre-stored table, the application traffic is discarded and processing ends.
Step S24: establish a traffic channel between the zero trust gateway and the application server according to the real address, and exchange traffic.
A traffic channel between the zero trust gateway and the application server is established according to the real address of the application, and the protected application traffic docked at the gateway exchanges traffic with the application server over that channel.
In this embodiment, the zero trust gateway receives the protected application traffic transmitted from the terminal side, determines whether its traffic host address is in the pre-stored protected-application virtual address table, if so finds the real address of the application from the table, and establishes a traffic channel to the application server according to the real address to exchange traffic, so the traffic can be distinguished automatically, the algorithm is simple, and the amount of computation is very small.
The complete method for protecting application traffic in zero trust is shown in fig. 3 and includes:
Step S301: the agent on the terminal side judges whether the traffic host address is in the protected-application virtual address table. If not, step S302 is executed; otherwise, jump to step S304.
Before step S301, an agent is deployed on the terminal side. The agent proxies the application's network access, supports the SOCKS5 and HTTP proxy protocols, and its local address and port can be configured as the application's proxy server.
When application traffic passes through the agent, the proxy protocol always places an access address in the target-address field of the proxy command, and that access address is the traffic host address. The agent then judges whether the traffic host address is in the protected-application virtual address table.
Step S302: the application traffic goes directly through its original channel and exchanges traffic.
If the traffic host address is not in the protected-application virtual address table, the application traffic is unprotected application traffic; it goes directly through the original channel and exchanges traffic there.
Step S303: end the interaction.
The exchange of the unprotected application traffic is complete.
Step S304: establish a traffic channel with the zero trust gateway.
If the traffic host address is in the protected-application virtual address table, the application traffic is protected application traffic, and a traffic channel between the agent and the zero trust gateway is established.
Step S305: forward the protected application traffic to the zero trust gateway.
Using the traffic channel established in step S304, the agent forwards the protected application traffic to the zero trust gateway. In this process the protected application traffic must be encapsulated and encrypted.
Step S306: the zero trust gateway receives the protected application traffic.
Step S307: the zero trust gateway judges whether the traffic host address is in the protected-application virtual address table. If not, step S308 is executed; otherwise, jump to step S309.
Step S308: discard and end.
If the traffic host address is judged not to be in the protected-application virtual address table, the corresponding traffic packet is discarded directly and the process ends.
Step S309: find the corresponding real address and establish a traffic channel.
If the traffic host address is judged to be in the protected-application virtual address table, the corresponding real address information is looked up in the table by the traffic host address, giving the real address of the application. A traffic channel between the zero trust gateway and the application server is then established according to the real address.
Step S310: the application traffic docked at the zero trust gateway exchanges traffic with the server.
After the traffic channel of step S309 is established, the protected application traffic docked at the zero trust gateway exchanges traffic with the application server over that channel. In this process the protected application traffic also needs to be encapsulated and encrypted.
Step S311: complete the interaction.
The exchange of the protected application traffic is complete.
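The two halves of fig. 3 fit together as one exchange: the agent splits on its copy of the virtual addresses (S301 to S305), and the gateway independently re-checks the traffic host address against its own table, maps it to the real address, and drops anything it does not recognise (S306 to S311). The following is an added example written for this page, not code from the patent or its assignee. It assumes things the patent does not state: the frame carried over the agent-to-gateway traffic channel is a length-prefixed JSON header (traffic host address and port) followed by the payload, and the channel's encryption is stood in for by an HMAC tag so the gateway can reject frames altered in transit (a real deployment would use TLS or an equivalent tunnel). The table rows, key and addresses are constructed.

```python
"""End-to-end split and gateway-side mapping (steps S301 to S311): added example, not the patent's code."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

TUNNEL_KEY = b"constructed-demo-tunnel-key"   # stands in for the channel's session secret


@dataclass(frozen=True)
class ProtectedApp:
    """One row of table 1: virtual address, real address (IP + port), user, app name, protocol."""
    virtual_address: str
    real_ip: str
    real_port: int
    user: str
    app_name: str
    protocol: str


# Constructed table held by the zero trust gateway.
GATEWAY_TABLE: Dict[str, ProtectedApp] = {
    "oa.corp.example": ProtectedApp("oa.corp.example", "10.0.0.5", 8443, "alice", "OA", "https"),
    "crm.corp.example": ProtectedApp("crm.corp.example", "10.0.0.9", 80, "alice", "CRM", "http"),
}


def encapsulate(host: str, port: int, payload: bytes, key: bytes = TUNNEL_KEY) -> bytes:
    """S305: wrap protected traffic for the channel; the tag covers header and payload."""
    header = json.dumps({"host": host, "port": port}).encode()
    body = len(header).to_bytes(2, "big") + header + payload
    return hmac.new(key, body, hashlib.sha256).digest() + body


def decapsulate(frame: bytes, key: bytes = TUNNEL_KEY) -> Optional[Tuple[str, int, bytes]]:
    """Undo encapsulate(); None if the tag does not verify (frame altered or not from the agent)."""
    tag, body = frame[:32], frame[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    n = int.from_bytes(body[:2], "big")
    header = json.loads(body[2:2 + n])
    return header["host"], header["port"], body[2 + n:]


class Agent:
    """Terminal-side agent: holds only the virtual addresses fetched at start-up."""

    def __init__(self, virtual_addresses: Iterable[str]):
        self.virtual = frozenset(virtual_addresses)

    def handle(self, host: str, port: int, payload: bytes):
        """S301: split. Returns ('direct', host, port, payload) or ('gateway', frame)."""
        if host not in self.virtual:
            return ("direct", host, port, payload)            # S302/S303: original channel
        return ("gateway", encapsulate(host, port, payload))  # S304/S305: channel to gateway


class Gateway:
    """Zero trust gateway: verifies the frame, maps virtual to real, or drops."""

    def __init__(self, table: Dict[str, ProtectedApp]):
        self.table = table

    def handle(self, frame: bytes) -> Optional[Tuple[str, int, bytes]]:
        """S306 to S310: returns (real_ip, real_port, payload) or None when dropped."""
        opened = decapsulate(frame)
        if opened is None:
            return None                                        # altered frame: drop
        host, _port, payload = opened
        entry = self.table.get(host)                           # S307
        if entry is None:
            return None                                        # S308: discard and end
        return (entry.real_ip, entry.real_port, payload)       # S309/S310


def run_flow(host: str, port: int, payload: bytes, agent: Agent, gateway: Gateway):
    """Drive one request through both sides; returns where the payload ends up."""
    result = agent.handle(host, port, payload)
    if result[0] == "direct":
        return ("direct", result[1], result[2])
    forwarded = gateway.handle(result[1])
    if forwarded is None:
        return ("dropped", None, None)
    return ("gateway", forwarded[0], forwarded[1])


if __name__ == "__main__":
    agent = Agent(GATEWAY_TABLE)          # start-up: virtual addresses obtained from the gateway
    gateway = Gateway(GATEWAY_TABLE)
    for host, port in [("oa.corp.example", 443), ("www.example.com", 80)]:
        print(host, port, "->", run_flow(host, port, b"GET / HTTP/1.1\r\n", agent, gateway))
```

The gateway never trusts the agent's decision on its own: a frame whose host is absent from the gateway's table (for example from an agent holding a stale copy) is dropped exactly as S308 prescribes, and the real IP and port never leave the gateway, so the terminal only ever learns virtual addresses.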
Fig. 4 is a schematic structural diagram of an apparatus for protecting application traffic in zero trust according to an embodiment of the present invention. The apparatus is applied to the terminal. As shown in fig. 4, the apparatus includes: a first traffic receiving unit 401, a first judging unit 402, a traffic distinguishing unit 403 and a setting unit 404, where:
the first traffic receiving unit 401 is configured to receive application traffic data through an agent on the terminal side and obtain the traffic host address; the first judging unit 402 is configured to judge whether the traffic host address exists in the pre-stored protected-application virtual address table; and the traffic distinguishing unit 403 is configured to forward the protected application traffic to the zero trust gateway, which exchanges traffic with the application server, if the traffic host address exists in the table, and to let the application traffic go through its original channel to exchange traffic if it does not.
In an alternative manner, the setting unit 404 is configured to: deploy an agent on the terminal side that supports the SOCKS5 and HTTP proxy protocols, and set the agent's local address and port; and, when the agent starts, obtain protected virtual address information from the zero trust gateway to form the protected-application virtual address table and store it in memory.
In an optional manner, the first traffic receiving unit 401 is configured to: obtain the traffic host address from the proxy command according to the proxy protocol.
In an alternative manner, the traffic distinguishing unit 403 is configured to: if the traffic host address exists in the protected-application virtual address table, forward the protected application traffic to the zero trust gateway, which exchanges traffic with the application server; and if it does not exist in the table, let the application traffic go through its original channel to exchange traffic.
In an alternative manner, the traffic distinguishing unit 403 is configured to: establish a traffic channel between the agent and the zero trust gateway; and use that traffic channel to forward the protected application traffic to the zero trust gateway.
When an agent on the terminal side receives application traffic data, this embodiment obtains the traffic host address, judges whether it exists in the pre-stored protected-application virtual address table, and distinguishes and splits the application traffic according to the result, so protected and unprotected application traffic can be correctly identified and split, and the algorithm is simple.
Fig. 5 is a schematic structural diagram of an apparatus for protecting application traffic in zero trust according to an embodiment of the present invention. The apparatus is applied to the zero trust gateway. As shown in fig. 5, the apparatus includes: a second traffic receiving unit 501, a second judging unit 502, an address obtaining unit 503 and a channel establishing unit 504, where:
the second traffic receiving unit 501 is configured to receive, at the zero trust gateway, the protected application traffic transmitted from the terminal side; the second judging unit 502 is configured to determine whether the traffic host address of the application traffic is in the pre-stored protected-application virtual address table; the address obtaining unit 503 is configured to find the real address of the application from the protected-application virtual address table if the traffic host address is in that table; and the channel establishing unit 504 is configured to establish a traffic channel between the zero trust gateway and the application server according to the real address to exchange traffic.
In this embodiment, the zero trust gateway receives the protected application traffic transmitted from the terminal side, determines whether its traffic host address is in the pre-stored protected-application virtual address table, if so finds the real address of the application from the table, and establishes a traffic channel to the application server according to the real address to exchange traffic, so the traffic can be distinguished automatically, the algorithm is simple, and the amount of computation is very small.
The embodiment of the invention provides a nonvolatile computer storage medium, wherein at least one executable instruction is stored in the computer storage medium, and the computer executable instruction can execute the method for protecting the application flow in the zero trust in any method embodiment.
The executable instructions may be specifically configured to cause the processor to:
when an agent at a terminal side receives application flow data, acquiring a flow host address;
judging whether the traffic host address exists in a pre-stored protection application virtual address table or not;
and distinguishing and shunting the application flow according to the judgment result.
In an alternative, the executable instructions cause the processor to:
An agent is arranged on a terminal side, socks5 and an http agent protocol are supported, and a local address and a port of the agent are set;
and when the agent is started, acquiring protected virtual address information from the zero-trust gateway to form the protection application virtual address table and storing the protection application virtual address table in a memory.
In an alternative, the executable instructions cause the processor to:
acquire the traffic host address from the command of the proxy according to the proxy protocol.
In an alternative, the executable instructions cause the processor to:
if the traffic host address exists in the protection application virtual address table, put the protected application traffic into the zero trust gateway, and carry out traffic interaction with the application server through the zero trust gateway;
and if the traffic host address does not exist in the protection application virtual address table, let the application traffic go to the original channel for traffic interaction.
In an alternative, the executable instructions cause the processor to:
establish a traffic channel between the agent and the zero trust gateway;
and use that traffic channel to place the protected application traffic into the zero trust gateway.
In this embodiment of the invention, when the agent at the terminal side receives application traffic data, it acquires the traffic host address; judges whether the traffic host address exists in a pre-stored protection application virtual address table; and distinguishes and shunts the application traffic according to the judgment result, so that protected and unprotected application traffic can be correctly identified and shunted with a simple algorithm.
An embodiment of the invention also provides a non-volatile computer storage medium in which at least one executable instruction is stored; the computer-executable instruction can execute the method for protecting application traffic in zero trust of any of the method embodiments.
The executable instructions may be specifically configured to cause the processor to:
receive, at the zero trust gateway, the protected application traffic transmitted from the terminal side;
determine whether the traffic host address of the application traffic is in a pre-stored protection application virtual address table;
if so, find the real address of the application according to the protection application virtual address table;
and establish a traffic channel between the zero trust gateway and the application server according to the real address to carry out traffic interaction.
In this embodiment of the invention, the zero trust gateway receives the protected application traffic transmitted from the terminal side; determines whether the traffic host address of the application traffic is in a pre-stored protection application virtual address table; if so, finds the real address of the application according to the protection application virtual address table; and establishes a traffic channel between the zero trust gateway and the application server according to the real address to perform traffic interaction. The traffic is thus distinguished automatically, the algorithm is simple, and the amount of computation is very small.
An embodiment of the invention provides a device for protecting application traffic in zero trust, which is used to execute the method for protecting application traffic in zero trust.
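The terminal-side steps (acquire the traffic host address from the proxy command, look it up in the virtual address table fetched from the gateway at start-up, shunt protected traffic to the gateway and the rest to the original channel) and the gateway-side steps (check the table, map the virtual address to the real address) can be modelled in a few functions. The following is an added example written for this page, not code from the patent or its applicant; the hostnames, addresses and table contents are constructed sample values, and the parsers handle only the CONNECT command of each proxy protocol.

```python
"""Added example (not the patent's own code): the two decision points of
the method above. The terminal-side agent extracts the traffic host
address from a socks5 CONNECT request or an http CONNECT request, looks
it up in the protection application virtual address table fetched from
the zero trust gateway at start-up, and decides whether the connection is
placed into the gateway tunnel or left on the original channel. The
gateway side maps a virtual address to the real application address and
rejects anything not in the table. Hostnames, addresses and table
contents are constructed sample values."""
import socket
import struct
from dataclasses import dataclass

# Constructed sample of the table the agent receives from the gateway on
# start-up (virtual address -> real address and port). The agent only
# needs the keys; the gateway holds the full mapping.
VIRTUAL_ADDRESS_TABLE = {
    "crm.virtual.example": ("10.20.0.11", 8443),
    "10.99.0.5": ("10.20.0.12", 443),
}


@dataclass(frozen=True)
class Route:
    host: str
    port: int
    via_gateway: bool  # True: tunnel to the zero trust gateway; False: original channel


def _take(req: bytes, start: int, n: int) -> bytes:
    """Slice n bytes at start, rejecting truncated requests."""
    chunk = req[start:start + n]
    if len(chunk) != n:
        raise ValueError("truncated request")
    return chunk


def parse_socks5_connect(req: bytes) -> tuple[str, int]:
    """Destination host and port of a SOCKS5 CONNECT request (RFC 1928,
    section 4): VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if len(req) < 5 or req[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    if req[1] != 0x01:
        raise ValueError("only CONNECT is handled by this example")
    atyp = req[3]
    if atyp == 0x01:  # IPv4, 4 bytes
        host, end = socket.inet_ntop(socket.AF_INET, _take(req, 4, 4)), 8
    elif atyp == 0x03:  # domain name with a 1-byte length prefix
        n = req[4]
        host, end = _take(req, 5, n).decode("idna"), 5 + n
    elif atyp == 0x04:  # IPv6, 16 bytes
        host, end = socket.inet_ntop(socket.AF_INET6, _take(req, 4, 16)), 20
    else:
        raise ValueError("unknown ATYP")
    (port,) = struct.unpack("!H", _take(req, end, 2))
    return host, port


def parse_http_connect(req: bytes) -> tuple[str, int]:
    """Host and port from the request line of an HTTP CONNECT
    (RFC 7231, section 4.3.6): 'CONNECT host:port HTTP/1.1'."""
    line = req.split(b"\r\n", 1)[0].decode("ascii")
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        raise ValueError("not an HTTP CONNECT request")
    authority = parts[1]
    if authority.startswith("["):  # bracketed IPv6 literal
        host, _, rest = authority[1:].partition("]")
        port = rest.lstrip(":")
    else:
        host, _, port = authority.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError("authority must be host:port")
    return host, int(port)


def decide_route(host: str, port: int, table=VIRTUAL_ADDRESS_TABLE) -> Route:
    """Terminal-side shunt: an exact match on the traffic host address
    sends the connection to the gateway; anything else stays on the
    original channel. One dictionary lookup per connection."""
    key = host.rstrip(".").lower()
    return Route(key, port, via_gateway=key in table)


def gateway_resolve(host: str, table=VIRTUAL_ADDRESS_TABLE) -> tuple[str, int]:
    """Gateway side: only addresses present in the table are mapped to a
    real address; anything else is refused rather than forwarded, so the
    gateway does not become a relay to arbitrary internal hosts."""
    key = host.rstrip(".").lower()
    if key not in table:
        raise PermissionError(f"{host} is not a protected application")
    return table[key]


if __name__ == "__main__":
    # Constructed requests as they would arrive at the agent's local proxy port.
    for req, parser in [
        (b"\x05\x01\x00\x03\x13crm.virtual.example\x01\xbb", parse_socks5_connect),
        (b"CONNECT www.public.example:443 HTTP/1.1\r\n\r\n", parse_http_connect),
    ]:
        host, port = parser(req)
        route = decide_route(host, port)
        target = gateway_resolve(host) if route.via_gateway else "original channel"
        print(route, "->", target)
```

The split decision deliberately keys on the host named in the proxy command rather than on a resolved IP, which is what makes the table lookup cheap; the gateway repeats the lookup on its own copy of the table so that a client cannot tunnel to an address the table does not contain.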
Embodiments of the present invention provide a computer program that can be called by a processor to enable a base station device to execute the method for protecting application traffic in zero trust of any of the above method embodiments.
Embodiments of the present invention provide a computer program product comprising a computer program stored on a computer storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform a method for protecting application traffic in zero trust in any of the above-mentioned method embodiments.
The executable instructions may be specifically configured to cause the processor to perform the following operations:
when an agent at the terminal side receives application traffic data, acquire the traffic host address;
judge whether the traffic host address exists in a pre-stored protection application virtual address table;
and distinguish and shunt the application traffic according to the judgment result.
In an alternative, the executable instructions cause the processor to:
deploy an agent on the terminal side that supports the socks5 and http proxy protocols, and set the local address and port of the agent;
and, when the agent is started, acquire the protected virtual address information from the zero trust gateway to form the protection application virtual address table and store it in memory.
In an alternative, the executable instructions cause the processor to:
acquire the traffic host address from the command of the proxy according to the proxy protocol.
In an alternative, the executable instructions cause the processor to:
if the traffic host address exists in the protection application virtual address table, put the protected application traffic into the zero trust gateway, and carry out traffic interaction with the application server through the zero trust gateway;
and if the traffic host address does not exist in the protection application virtual address table, let the application traffic go to the original channel for traffic interaction.
In an alternative, the executable instructions cause the processor to:
establish a traffic channel between the agent and the zero trust gateway;
and use that traffic channel to place the protected application traffic into the zero trust gateway.
In this embodiment of the invention, when the agent at the terminal side receives application traffic data, it acquires the traffic host address; judges whether the traffic host address exists in a pre-stored protection application virtual address table; and distinguishes and shunts the application traffic according to the judgment result, so that protected and unprotected application traffic can be correctly identified and shunted with a simple algorithm.
Embodiments of the present invention provide a computer program product comprising a computer program stored on a computer storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform a method for protecting application traffic in zero trust in any of the above-mentioned method embodiments.
The executable instructions may be specifically configured to cause the processor to perform the following operations:
receive, at the zero trust gateway, the protected application traffic transmitted from the terminal side;
determine whether the traffic host address of the application traffic is in a pre-stored protection application virtual address table;
if so, find the real address of the application according to the protection application virtual address table;
and establish a traffic channel between the zero trust gateway and the application server according to the real address to carry out traffic interaction.
In this embodiment of the invention, the zero trust gateway receives the protected application traffic transmitted from the terminal side; determines whether the traffic host address of the application traffic is in a pre-stored protection application virtual address table; if so, finds the real address of the application according to the protection application virtual address table; and establishes a traffic channel between the zero trust gateway and the application server according to the real address to carry out traffic interaction. The traffic is thus distinguished automatically, the algorithm is simple, and the amount of computation is very small.
Fig. 6 shows a schematic structural diagram of a computing device according to an embodiment of the present invention; the specific embodiment does not limit the specific implementation of the device.
As shown in Fig. 6, the computing device may include a processor 602, a communication interface 604, a memory 606, and a communication bus 608.
The processor 602, communication interface 604, and memory 606 communicate with one another via the communication bus 608. The communication interface 604 is used for communicating with network elements of other devices, such as clients or other servers. The processor 602 is configured to execute the program 610, and may specifically perform the relevant steps in the above method embodiment for protecting application traffic in zero trust.
In particular, the program 610 may include program code comprising computer operating instructions.
The processor 602 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors included in the device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 606 stores the program 610. The memory 606 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 610 may specifically be configured to cause the processor 602 to perform the following operations:
when an agent at the terminal side receives application traffic data, acquire the traffic host address;
judge whether the traffic host address exists in a pre-stored protection application virtual address table;
and distinguish and shunt the application traffic according to the judgment result.
In an alternative, the program 610 causes the processor to:
deploy an agent on the terminal side that supports the socks5 and http proxy protocols, and set the local address and port of the agent;
and, when the agent is started, acquire the protected virtual address information from the zero trust gateway to form the protection application virtual address table and store it in memory.
In an alternative, the program 610 causes the processor to:
acquire the traffic host address from the command of the proxy according to the proxy protocol.
In an alternative, the program 610 causes the processor to:
if the traffic host address exists in the protection application virtual address table, put the protected application traffic into the zero trust gateway, and carry out traffic interaction with the application server through the zero trust gateway;
and if the traffic host address does not exist in the protection application virtual address table, let the application traffic go to the original channel for traffic interaction.
In an alternative, the program 610 causes the processor to:
establish a traffic channel between the agent and the zero trust gateway;
and use that traffic channel to place the protected application traffic into the zero trust gateway.
In this embodiment of the invention, when the agent at the terminal side receives application traffic data, it acquires the traffic host address; judges whether the traffic host address exists in a pre-stored protection application virtual address table; and distinguishes and shunts the application traffic according to the judgment result, so that protected and unprotected application traffic can be correctly identified and shunted with a simple algorithm.
Fig. 7 is a schematic structural diagram of another computing device provided in an embodiment of the present invention; the specific embodiment does not limit the specific implementation of the device.
As shown in Fig. 7, the computing device may include a processor 702, a communication interface 704, a memory 706, and a communication bus 708.
The processor 702, communication interface 704, and memory 706 communicate with each other via the communication bus 708. The communication interface 704 is used for communicating with network elements of other devices, such as clients or other servers. The processor 702 is configured to execute the program 710, and may specifically execute the relevant steps in the method embodiment for protecting application traffic in zero trust.
In particular, the program 710 may include program code comprising computer operating instructions.
The processor 702 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors included in the device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 706 stores the program 710. The memory 706 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 710 may specifically be used to cause the processor 702 to perform the following operations:
receive, at the zero trust gateway, the protected application traffic transmitted from the terminal side;
determine whether the traffic host address of the application traffic is in a pre-stored protection application virtual address table;
if so, find the real address of the application according to the protection application virtual address table;
and establish a traffic channel between the zero trust gateway and the application server according to the real address to carry out traffic interaction.
In this embodiment of the invention, the zero trust gateway receives the protected application traffic transmitted from the terminal side; determines whether the traffic host address of the application traffic is in a pre-stored protection application virtual address table; if so, finds the real address of the application according to the protection application virtual address table; and establishes a traffic channel between the zero trust gateway and the application server according to the real address to perform traffic interaction. The traffic is thus distinguished automatically, the algorithm is simple, and the amount of computation is very small.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etcetera does not indicate any ordering; these words may be interpreted as names. The steps in the above embodiments should not be construed as limited to the order of execution unless otherwise specified.

Claims (10)

1. A method for protecting application traffic in zero trust, the method comprising:
when receiving application traffic data, an agent on the terminal side acquires the traffic host address, wherein the agent supports the socks5 and http proxy protocols;
judging whether the traffic host address exists in pre-stored virtual address information, wherein the virtual address information is obtained from a zero trust gateway when the agent is started;
distinguishing and shunting the application traffic according to the judgment result;
wherein distinguishing and shunting the application traffic according to the judgment result comprises:
if the traffic host address exists in the virtual address information, putting the protected application traffic into the zero trust gateway and carrying out traffic interaction with an application server through the zero trust gateway, wherein the zero trust gateway stores the virtual address information and the real address information corresponding to the virtual address information;
the zero trust gateway being used for receiving the protected application traffic transmitted from the terminal side, determining whether the traffic host address of the application traffic is in the pre-stored virtual address information, if so finding the real address of the corresponding application according to the traffic host address, and establishing a traffic channel between the zero trust gateway and the application server according to the real address to perform traffic interaction.
2. The method according to claim 1, wherein, before acquiring the traffic host address when receiving the application traffic data, the method comprises:
deploying an agent on the terminal side that supports the socks5 and http proxy protocols, and setting the local address and port of the agent.
3. The method of claim 1, wherein obtaining the traffic host address comprises:
acquiring the traffic host address from the instruction of the proxy according to the proxy protocol.
4. The method according to claim 1, wherein the distinguishing and shunting the application traffic according to the determination result comprises:
if the traffic host address does not exist in the virtual address information, letting the application traffic go to the original channel for traffic interaction.
5. The method of claim 4, wherein placing protected application traffic into a zero trust gateway comprises:
establishing a traffic channel between the agent and the zero trust gateway;
and using that traffic channel to place the protected application traffic into the zero trust gateway.
6. A method for protecting application traffic in zero trust, the method comprising:
the zero trust gateway receives the protected application traffic transmitted from the terminal side;
determining whether the traffic host address of the application traffic is in the pre-stored virtual address information;
if so, finding the real address of the corresponding application according to the traffic host address, wherein the zero trust gateway stores the virtual address information and the real address information corresponding to the virtual address information;
establishing a traffic channel between the zero trust gateway and an application server according to the real address to carry out traffic interaction;
wherein the terminal side is used for acquiring the traffic host address when an agent of the terminal side receives application traffic data; judging whether the traffic host address exists in pre-stored virtual address information, the virtual address information being acquired from the zero trust gateway when the agent is started; and distinguishing and shunting the application traffic according to the judgment result; wherein distinguishing and shunting the application traffic according to the judgment result comprises: if the traffic host address exists in the virtual address information, putting the protected application traffic into the zero trust gateway and carrying out traffic interaction with the application server through the zero trust gateway; and wherein the agent at the terminal side supports the socks5 and http proxy protocols.
7. An apparatus for protecting application traffic in zero trust, the apparatus comprising:
a first traffic receiving unit, used for receiving application traffic data by an agent at the terminal side and acquiring the traffic host address, wherein the agent supports the socks5 and http proxy protocols;
a first judging unit, used for judging whether the traffic host address exists in pre-stored virtual address information, wherein the virtual address information is obtained from a zero trust gateway when the agent is started;
a traffic distinguishing unit, used for putting the protected application traffic into the zero trust gateway if the traffic host address exists in the virtual address information, and performing traffic interaction with an application server through the zero trust gateway, wherein the zero trust gateway stores the virtual address information and the real address information corresponding to the virtual address information; and, if the traffic host address does not exist in the virtual address information, letting the application traffic go through the original channel for traffic interaction;
the zero trust gateway being used for receiving the protected application traffic transmitted from the terminal side; determining whether the traffic host address of the application traffic is in the pre-stored virtual address information; if so, finding the real address of the corresponding application according to the traffic host address; and establishing a traffic channel between the zero trust gateway and the application server according to the real address to carry out traffic interaction.
8. An apparatus for protecting application traffic in zero trust, the apparatus comprising:
a second traffic receiving unit, configured to receive, at the zero trust gateway, the protected application traffic transmitted from the terminal side;
a second judging unit, configured to determine whether the traffic host address of the application traffic is in pre-stored virtual address information;
an address obtaining unit, configured to find the real address of the corresponding application according to the traffic host address if the traffic host address is in the virtual address information, wherein the zero trust gateway stores the virtual address information and the real address information corresponding to the virtual address information;
a channel establishing unit, used for establishing a traffic channel between the zero trust gateway and the application server according to the real address so as to carry out traffic interaction;
wherein the terminal side is used for acquiring the traffic host address when an agent of the terminal side receives application traffic data; judging whether the traffic host address exists in pre-stored virtual address information, the virtual address information being acquired from the zero trust gateway when the agent is started; and distinguishing and shunting the application traffic according to the judgment result; wherein distinguishing and shunting the application traffic according to the judgment result comprises: if the traffic host address exists in the virtual address information, putting the protected application traffic into the zero trust gateway and carrying out traffic interaction with the application server through the zero trust gateway; and wherein the agent at the terminal side supports the socks5 and http proxy protocols.
9. A computing device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform the steps of the method for protecting application traffic in zero trust according to any of claims 1-6.
10. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform the steps of the method for protecting application traffic in zero trust according to any one of claims 1 to 6.
CN202110206666.2A 2021-02-24 2021-02-24 Method and device for protecting application flow in zero trust and computing equipment Active CN113055446B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110206666.2A CN113055446B (en) 2021-02-24 2021-02-24 Method and device for protecting application flow in zero trust and computing equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110206666.2A CN113055446B (en) 2021-02-24 2021-02-24 Method and device for protecting application flow in zero trust and computing equipment

Publications (2)

Publication Number Publication Date
CN113055446A CN113055446A (en) 2021-06-29
CN113055446B true CN113055446B (en) 2022-06-14

Family

ID=76509032

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110206666.2A Active CN113055446B (en) 2021-02-24 2021-02-24 Method and device for protecting application flow in zero trust and computing equipment

Country Status (1)

Country Link
CN (1) CN113055446B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105704053A (en) * 2014-11-28 2016-06-22 中国电信股份有限公司 Application traffic protection method and system, and gateway
CN108111619A (en) * 2017-12-28 2018-06-01 西安抱朴通信科技有限公司 A kind of data distribution method and device, computer equipment, storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017223104A1 (en) * 2016-06-21 2017-12-28 Imperva, Inc. Infrastructure distributed denial of service protection
CN112272179B (en) * 2020-10-23 2022-02-22 新华三信息安全技术有限公司 Network security processing method, device, equipment and machine readable storage medium

Also Published As

Publication number Publication date
CN113055446A (en) 2021-06-29

Similar Documents

Publication Publication Date Title
US7073198B1 (en) Method and system for detecting a vulnerability in a network
EP3318042B1 (en) Security service for an unmanaged device
US20100100954A1 (en) Method and apparatus for reducing firewall rules
US20100107240A1 (en) Network location determination for direct access networks
WO2015078388A1 (en) Processing method and device for denial of service attacks
CN108259457B (en) WEB authentication method and device
CN105991640B (en) Handle the method and device of HTTP request
CN110557358A (en) Honeypot server communication method, SSLStrip man-in-the-middle attack perception method and related device
CN111182537A (en) Network access method, device and system for mobile application
CN107294910B (en) Login method and server
WO2017155789A1 (en) System and method for implementing virtual platform media access control (mac) address-based layer 3 network switching
CN107623693B (en) Domain name resolution protection method, device, system, computing equipment and storage medium
CN104811507A (en) IP address acquiring method and IP address acquiring device
CN112243013A (en) Method, system, server and storage medium for realizing cross-domain resource caching
CN113055446B (en) Method and device for protecting application flow in zero trust and computing equipment
CN108076500B (en) Method and device for managing local area network and computer readable storage medium
CN111225038B (en) Server access method and device
CN110049106B (en) Service request processing system and method
CN110943962B (en) Authentication method, network equipment, authentication server and forwarding equipment
WO2016000162A1 (en) Webpage pushing method, device and terminal
CN112688899A (en) In-cloud security threat detection method and device, computing equipment and storage medium
JP2015127843A (en) Communication control device, communication control method, and communication control program
US10623421B2 (en) Detecting IP address theft in data center networks
CN105991641A (en) Portal authentication method and portal authentication device
CN111885063B (en) Open source system access control method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 518000 4001, Block D, Building 1, Chuangzhi Yuncheng Lot 1, Liuxian Avenue, Xili Community, Xili Street, Nanshan District, Shenzhen, Guangdong

Patentee after: Shenzhen Zhuyun Technology Co.,Ltd.

Address before: 518000 East, 3rd floor, incubation building, China Academy of science and technology, 009 Gaoxin South 1st Road, Nanshan District, Shenzhen City, Guangdong Province

Patentee before: SHENZHEN BAMBOOCLOUD TECHNOLOGY CO.,LTD.
