CN113206852A - Safety protection method, device, equipment and storage medium - Google Patents


Info

Publication number: CN113206852A
Authority: CN (China)
Prior art keywords: trusted, target flow, firewall, information, security
Legal status: Granted
Application number: CN202110491417.2A
Other languages: Chinese (zh)
Other versions: CN113206852B (en)
Inventors: 赵宇成, 陆明友, 秦臻
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd

Classifications

    • H04L63/101: Access control lists [ACL] (under H04L63/10, network architectures or protocols for network security for controlling access to devices or network resources)
    • H04L63/02: Network architectures or protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0876: Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint


Abstract

The application discloses a security protection method applied to a firewall, comprising the following steps: obtaining target traffic to be detected; if the access identifier of the target traffic is in a trusted mapping relationship obtained in advance from a trusted identity authentication platform, performing security detection on the target traffic with an identity-based security control policy to obtain a first detection result; and determining, according to the first detection result, whether to allow the target traffic through. By applying the technical scheme provided by the application, combining the trusted mapping relationship with the identity-based security control policy improves the accuracy of security detection of the target traffic, so that the service system and the whole network are effectively protected and security is improved. The application also discloses a security protection method, device, equipment and storage medium applied to the trusted identity authentication platform, which achieve corresponding technical effects.

Description

Safety protection method, device, equipment and storage medium
Technical Field
The present application relates to the field of security technologies, and in particular, to a security protection method, apparatus, device, and storage medium.
Background
With the rapid development of computer technology and network technology, networks bring much convenience to the life and work of people, and the application range of the networks is wider and wider. But at the same time, malicious visitors also pose many security risks to the network. In enterprises and public institutions, a firewall is deployed to deal with network threats, and security protection is performed on a business system and an entire network.
Therefore, how to perform effective security protection is a technical problem that needs to be solved urgently by those skilled in the art.
Disclosure of Invention
The present application aims to provide a security protection method, device, equipment and storage medium, so as to effectively perform security protection on a service system and an entire network and improve security.
To solve this technical problem, the application provides the following technical scheme:
A security protection method applied to a firewall comprises the following steps:
obtaining target traffic to be detected;
if the access identifier of the target traffic is in a trusted mapping relationship obtained in advance from a trusted identity authentication platform, determining the user identifier corresponding to the access identifier from the trusted mapping relationship, and performing security detection on the target traffic with an identity-based security control policy to obtain a first detection result;
and determining, according to the first detection result, whether to allow the target traffic through.
In one embodiment of the present application, the method further includes:
if the access identifier of the target traffic is not in the trusted mapping relationship, performing security detection on the target traffic with a five-tuple-based security control policy to obtain a second detection result;
correspondingly, determining whether to allow the target traffic through according to the first detection result includes:
determining whether to allow the target traffic through according to the first detection result or the second detection result.
In a specific embodiment of the present application, the trusted mapping relationship is obtained by:
receiving, from the trusted identity authentication platform, a trusted mapping relationship established from the user identifier and the access identifier of the user.
In one embodiment of the present application, the method further includes:
when suspicious traffic is detected, sending notification information including an access identifier to the trusted identity authentication platform, the notification information instructing the trusted identity authentication platform to push information to be confirmed to the initiator of the suspicious traffic;
and determining whether to allow the suspicious traffic through according to the information fed back by the trusted identity authentication platform based on the initiator's confirmation result for the information to be confirmed.
A security protection method applied to a trusted identity authentication platform comprises the following steps:
receiving a trusted authentication request sent by a user;
and if the trusted authentication request passes authentication, sending a trusted mapping relationship established from the user identifier and the access identifier to a firewall, so that the firewall performs security detection on target traffic to be detected based on the trusted mapping relationship.
In one embodiment of the present application, the method further includes:
if notification information including an access identifier is received from the firewall, pushing information to be confirmed to the initiator of the suspicious traffic according to the user identifier corresponding to that access identifier, where the notification information is the information the firewall sends when it detects suspicious traffic to instruct the trusted identity authentication platform to push the information to be confirmed to the initiator of the suspicious traffic;
and feeding information back to the firewall according to the initiator's confirmation result for the information to be confirmed.
In a specific embodiment of the present application, pushing the information to be confirmed to the initiator of the suspicious traffic includes:
encapsulating the information to be confirmed in a secure link and pushing it to the initiator of the suspicious traffic.
In one embodiment of the present application, the information to be confirmed is valid only once.
A security protection device applied to a firewall comprises:
a target traffic obtaining module, configured to obtain target traffic to be detected;
a security detection module, configured to determine, when the access identifier of the target traffic is in a trusted mapping relationship obtained in advance from a trusted identity authentication platform, the user identifier corresponding to the access identifier from the trusted mapping relationship, and to perform security detection on the target traffic with an identity-based security control policy to obtain a first detection result;
and a target traffic processing module, configured to determine whether to allow the target traffic through according to the first detection result.
A security protection device applied to a trusted identity authentication platform comprises:
a trusted authentication request receiving module, configured to receive a trusted authentication request sent by a user;
and a trusted mapping relationship sending module, configured to send, if the trusted authentication request passes authentication, a trusted mapping relationship established from the user identifier and the access identifier to a firewall, so that the firewall performs security detection on target traffic to be detected based on the trusted mapping relationship.
Security protection equipment comprises:
a memory for storing a computer program;
and a processor that, when executing the computer program, implements the steps of any of the security protection methods above.
A computer-readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of any of the security protection methods above.
By applying the technical scheme provided by the embodiments of the application, after target traffic to be detected is obtained, it is determined whether the access identifier of the target traffic is in the trusted mapping relationship obtained in advance from the trusted identity authentication platform. If it is, the user identifier corresponding to the access identifier is determined from the trusted mapping relationship, and security detection is performed on the target traffic with an identity-based security control policy to obtain a first detection result. Based on the first detection result, it can be determined whether to allow the target traffic through. Combining the trusted mapping relationship with the identity-based security control policy improves the accuracy of security detection of the target traffic, so that the service system and the whole network are effectively protected and security is improved.
In addition, after receiving a trusted authentication request sent by a user, the trusted identity authentication platform authenticates the request and, if authentication passes, sends the mapping relationship established from the user identifier and the access identifier to the firewall, so that the firewall performs security detection on target traffic to be detected based on the trusted mapping relationship. The trusted mapping relationship established by the trusted identity authentication platform provides an important basis for the firewall's security detection of the target traffic, improves the accuracy of that detection, effectively protects the service system and the whole network, and improves security.
Drawings
To illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of an embodiment of a security protection method of the present application;
FIG. 2 is a schematic diagram of a specific security protection process in an embodiment of the present application;
FIG. 3 is a schematic diagram of another specific security protection process in an embodiment of the present application;
FIG. 4 is a flowchart of another embodiment of a security protection method of the present application;
FIG. 5 is a schematic structural diagram of a security protection device corresponding to FIG. 1 in an embodiment of the present application;
FIG. 6 is a schematic structural diagram of a security protection device corresponding to FIG. 4 in an embodiment of the present application;
FIG. 7 is a schematic structural diagram of security protection equipment in an embodiment of the present application.
Detailed Description
The core of the application is to provide a security protection method that can be applied to a firewall in a security protection system.
The security protection system may include firewalls deployed at multiple locations. For example, a firewall deployed at the network gateway can perform security detection on traffic generated by outbound connection behaviour, suspicious address access and the like, and a firewall deployed in front of a specific system, such as core assets and systems, can perform security detection on traffic generated by code uploads, database operations and the like. The technical scheme provided by the embodiments of the application can be applied to any such firewall.
An identity-based security control policy may be deployed in the firewall. After the firewall obtains target traffic to be detected, it determines whether the access identifier of the target traffic is in the trusted mapping relationship obtained in advance from the trusted identity authentication platform. If it is, the user identifier corresponding to the access identifier can be determined from the trusted mapping relationship, and security detection is then performed on the target traffic with the identity-based security control policy to obtain a first detection result. Based on the first detection result, it can be determined whether to allow the target traffic through. Combining the trusted mapping relationship with the identity-based security control policy improves the accuracy of security detection of the target traffic, so that the service system and the whole network are effectively protected and security is improved.
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to FIG. 1, a flowchart of an implementation of a security protection method in an embodiment of the present application is shown. The method may include the following steps:
S110: obtaining target traffic to be detected.
The firewall can perform security detection on the traffic passing through it to determine whether to allow that traffic through.
The target traffic to be detected can be any traffic passing through the firewall. Alternatively, if a blacklist and whitelist are deployed in the firewall, the target traffic to be detected may be any traffic that passes through the firewall and matches neither list.
After the target traffic to be detected is obtained, the subsequent steps can be executed.
S120: and if the access identifier of the target flow is in a credible mapping relation obtained in advance through a credible identity authentication platform, determining a user identifier corresponding to the access identifier based on the credible mapping relation, and performing security detection on the target flow through a security control strategy configured based on the identity to obtain a first detection result.
The trusted mapping relation obtaining process comprises the following steps: and receiving a trusted mapping relation which is sent by the trusted identity authentication platform and is established based on the user identification and the access identification of the user.
In the embodiment of the application, when a user has an access requirement, the user can be authenticated trustfully through a trustful identity authentication platform (IDTrust). When receiving a trusted authentication request of a user, the trusted identity authentication platform can perform trusted authentication on the user according to a set rule, and if the authentication is passed, a trusted mapping relation can be established based on a user identifier and an access identifier of the user. The user ID may uniquely identify a user, such as a user ID, and the access ID may be IP (Internet Protocol ), etc.
In one embodiment of the present application, the trusted authentication request may be issued by the user to the trusted identity authentication platform when the user is about to perform a privileged operation.
The trusted identity authentication platform can act as a portal server that authenticates all traffic passing through the Layer 3 switch; it can also take over authentication for a Virtual Private Network (VPN) or a desktop cloud; or the user can be required to actively visit the address of the trusted identity authentication platform to authenticate when a privileged operation is needed.
A privileged operation may be a system management or change operation, for example an operation over a protocol such as RDP (Remote Desktop Protocol) or SSH (Secure Shell Protocol), or an operation such as uploading code or operating a database.
After the user is authenticated, the trusted identity authentication platform can send the trusted mapping relationship to each firewall. Specifically, the trusted mapping relationship relevant to a firewall can be notified to it through the authentication forwarding interface, so that the firewall obtains the trusted mapping relationship between the user identifier and the access identifier of every user authenticated by the platform. The authentication forwarding interface may use an authentication forwarding protocol, that is, an interface protocol for synchronizing the association between network addresses and user identities.
After the firewall obtains the target traffic to be detected, it looks up the access identifier of the target traffic in the trusted mapping relationship obtained in advance. If the access identifier is found, it is in the trusted mapping relationship; if it is not found, it is not.
If the access identifier of the target traffic is in the trusted mapping relationship, the user identifier corresponding to the access identifier is determined from the trusted mapping relationship, and security detection is performed on the target traffic with the identity-based security control policy to obtain a first detection result.
The identity-based security control policy may be configured by user identifier, role, department and so on. It may include an identity-based ACL (Access Control List) policy, a security policy that allows privileged operations, and the like. An identity-based security control policy is easier to manage: a temporarily opened policy can be associated with a user identity, so it can be withdrawn in a targeted manner, which reduces management effort compared with a policy that cannot be associated with a user identity.
The user identifier corresponding to the access identifier of the target traffic, that is, the user identifier it is mapped to, is obtained from the trusted mapping relationship through the access identifier, so that the user identifier can be matched against the identity-based security control policy, security detection is performed on the target traffic, and a first detection result is obtained.
S130: and determining whether to open the target flow according to the first detection result.
And under the condition that the access identifier of the target flow is in the trusted mapping relation, performing security detection on the target flow through a security control strategy configured based on the identity to obtain a first detection result, and further determining whether to release the target flow according to the first detection result.
If yes, executing corresponding release operation, otherwise, intercepting the target flow, or reporting the related information of the target flow to a safety processing platform for judgment by technical personnel so as to reduce the harm to a service system or the whole network.
By applying the method provided by the embodiment of the application, after the target flow to be detected is obtained, whether the access identifier of the target flow is in the trusted mapping relation obtained in advance through the trusted identity authentication platform is determined. And if the access identifier of the target flow is in the trusted mapping relation, determining a user identifier corresponding to the access identifier based on the trusted mapping relation, and performing security detection on the target flow through a security control strategy based on identity configuration to obtain a first detection result. Based on the first detection result, it can be determined whether to let through the target traffic. By combining the credible mapping relation and the security control strategy based on identity configuration, the accuracy of target flow security detection can be improved, the security protection is effectively carried out on a service system and the whole network, and the security is improved.
In addition, the security control strategy configured based on the identity is used for carrying out security detection on the target flow, and the target flow can correspond to the identity of the user, so that the risk of IP spoofing can be reduced, and the security is further improved.
In one embodiment of the present application, the method may further comprise the following steps:
if the access identifier of the target traffic is not in the trusted mapping relationship, performing security detection on the target traffic with a five-tuple-based security control policy to obtain a second detection result;
correspondingly, determining whether to allow the target traffic through according to the first detection result includes:
determining whether to allow the target traffic through according to the first detection result or the second detection result.
In practice, when the trusted identity authentication platform fails to authenticate the user, no corresponding trusted mapping relationship is sent to the firewall, so the access identifier of the target traffic sent by that user, as obtained by the firewall, is not in the trusted mapping relationship. In addition, depending on the actual configuration, a user may need access without being required to authenticate through the trusted identity authentication platform; the firewall then obtains no trusted mapping relationship for that user from the platform, and the access identifier of that user's target traffic is likewise not in the trusted mapping relationship.
If the access identifier of the target traffic is not in the trusted mapping relationship, security detection is performed on the target traffic with a five-tuple-based security control policy to obtain a second detection result.
The five-tuple may specifically include the source IP, source port, destination IP, destination port and protocol number.
The five-tuple-based security control policy may include a five-tuple-based ACL policy, a security policy that does not allow privileged operations, and the like.
The source IP, source port, destination IP, destination port, protocol number and so on of the target traffic are matched against the five-tuple-based security control policy, and security detection is performed on the target traffic to obtain a second detection result.
That is, when the access identifier of the target traffic is in the trusted mapping relationship, security detection is performed on the target traffic with the identity-based security control policy to obtain a first detection result, and whether to allow the target traffic through is determined according to the first detection result.
When the access identifier of the target traffic is not in the trusted mapping relationship, security detection is performed on the target traffic with the five-tuple-based security control policy to obtain a second detection result, and whether to allow the target traffic through is determined according to the second detection result.
Whether to allow the target traffic through is thus determined according to the first detection result or the second detection result. If the target traffic is to be allowed through, the allow operation is executed; if not, the target traffic is intercepted, or its related information is reported to a security processing platform for judgment by technical personnel, so as to reduce harm to the service system or the whole network.
In the embodiments of the application, each firewall is provided with both an identity-based security control policy and a five-tuple-based security control policy. For target traffic to be detected, which type of policy is used for security detection is determined by whether the access identifier of the target traffic is in the trusted mapping relationship. This gives the firewall better flexibility: security control policies configured on different features can each perform effective security detection on the target traffic, which improves network security.
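The decision path just described (look up the access identifier in the trusted mapping, then apply either the identity-based or the five-tuple-based policy, and allow, intercept or report) as an added, self-contained Python model; this is illustrative code written for this page, not Sangfor's implementation, and the addresses, user names, rule tables and the `receive_trusted_mapping` helper are constructed assumptions. Note that the mapping binds a user to an IP, so the identity branch is only as trustworthy as that binding; the page's own remark is that it reduces, not eliminates, the IP-spoofing risk.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

ANY = "*"  # wildcard field in a five-tuple rule


class Verdict(Enum):
    ALLOW = "allow"    # execute the allow (release) operation
    BLOCK = "block"    # intercept the traffic
    REPORT = "report"  # hand the traffic's details to the security processing platform


@dataclass(frozen=True)
class Flow:
    """Target traffic to be detected, reduced to its five-tuple."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int  # IANA protocol number: 6 = TCP, 17 = UDP


# An identity rule keys on the user identifier resolved through the trusted mapping;
# a five-tuple rule keys on packet header fields only (ANY = wildcard).
IdentityRule = Tuple[str, str, int, int, Verdict]        # user, dst_ip, dst_port, proto, verdict
FiveTupleRule = Tuple[str, str, str, str, str, Verdict]  # src_ip, src_port, dst_ip, dst_port, proto, verdict

# Constructed sample policy. Core asset 10.0.9.10 accepts privileged protocols
# (SSH 22, RDP 3389) only from users named in the identity-based policy.
IDENTITY_ACL: List[IdentityRule] = [
    ("alice", "10.0.9.10", 22, 6, Verdict.ALLOW),     # alice may SSH to the core asset
    ("alice", "10.0.9.10", 3389, 6, Verdict.REPORT),  # RDP from alice is unusual: analyst decides
]
FIVE_TUPLE_ACL: List[FiveTupleRule] = [
    (ANY, ANY, "10.0.9.20", "443", "6", Verdict.ALLOW),  # public web front end is open to anyone
    (ANY, ANY, "10.0.9.10", "22", "6", Verdict.BLOCK),   # privileged operation without identity: never
    (ANY, ANY, "10.0.9.10", "3389", "6", Verdict.BLOCK),
]


def receive_trusted_mapping(mapping: Dict[str, str], user_id: str, access_id: str) -> None:
    """Authentication-forwarding step (assumed helper): the platform tells the
    firewall that access_id (here a source IP) currently belongs to user_id."""
    mapping[access_id] = user_id


def match_identity_policy(user_id: str, flow: Flow, acl: List[IdentityRule]) -> Verdict:
    """Identity-based ACL: first matching rule for this user wins, default deny."""
    for rule_user, dst_ip, dst_port, proto, verdict in acl:
        if (rule_user, dst_ip, dst_port, proto) == (user_id, flow.dst_ip, flow.dst_port, flow.proto):
            return verdict
    return Verdict.BLOCK


def match_five_tuple_policy(flow: Flow, acl: List[FiveTupleRule]) -> Verdict:
    """Five-tuple ACL with wildcards: first matching rule wins, default deny."""
    fields = (flow.src_ip, str(flow.src_port), flow.dst_ip, str(flow.dst_port), str(flow.proto))
    for rule in acl:
        pattern, verdict = rule[:5], rule[5]
        if all(p == ANY or p == f for p, f in zip(pattern, fields)):
            return verdict
    return Verdict.BLOCK


def inspect(flow: Flow, mapping: Dict[str, str]) -> Tuple[Verdict, str, Optional[str]]:
    """S120/S130 plus the five-tuple branch: returns (verdict, policy used, user)."""
    user_id = mapping.get(flow.src_ip)  # is the access identifier in the trusted mapping?
    if user_id is not None:
        return match_identity_policy(user_id, flow, IDENTITY_ACL), "identity", user_id
    return match_five_tuple_policy(flow, FIVE_TUPLE_ACL), "five-tuple", None


if __name__ == "__main__":
    trusted: Dict[str, str] = {}
    receive_trusted_mapping(trusted, "alice", "10.0.1.25")  # alice authenticated from 10.0.1.25
    samples = [
        Flow("10.0.1.25", 51000, "10.0.9.10", 22, 6),    # alice -> SSH to core asset: allow
        Flow("10.0.1.77", 51001, "10.0.9.10", 22, 6),    # unauthenticated host -> SSH: block
        Flow("10.0.1.77", 51002, "10.0.9.20", 443, 6),   # unauthenticated host -> web: allow
        Flow("10.0.1.25", 51003, "10.0.9.10", 3389, 6),  # alice -> RDP: report to analysts
    ]
    for f in samples:
        verdict, policy, user = inspect(f, trusted)
        print(f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port}  {policy:10s} {user or '-':6s} {verdict.value}")
```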
For ease of understanding, the specific security protection process shown in FIG. 2 is taken as an example to describe the technical solution provided by the embodiments of the present application.
The specific security protection process mainly comprises three steps:
1) Identity authentication. When a privileged user needs to perform a privileged operation, such as accessing core assets and systems, a trusted authentication request is sent to the trusted identity authentication platform for identity authentication.
2) Sending the trusted mapping relationship. The trusted identity authentication platform receives the trusted authentication request, establishes a trusted mapping relationship from the user identifier and the access identifier once the user passes authentication, and sends it to the firewalls. Here the firewalls are Firewall 1 and Firewall 2: Firewall 1 is deployed at the network ingress/egress and can detect outbound connection behaviour, suspicious address access and the like; Firewall 2 is deployed in front of the core assets and systems, for example a WAF (Web Application Firewall), and can detect RDP- and SSH-based operations, code uploads, database operations and the like.
3) Allowing the access through. The firewall determines that the access identifier of the traffic to be detected is in the trusted mapping relationship, performs security detection on that traffic with the identity-based security control policy and, if the detection result says the traffic may pass, executes the allow operation, for example allowing the privileged user's access to the core assets and systems.
In this specific security protection process, each firewall is provided with an identity-based security control policy; the trusted identity authentication platform can perform unified trusted authentication at any point in the user's access behaviour; the trusted mapping relationship between the access identifier and the user identifier of an authenticated user is notified to the firewall through the authentication forwarding interface; and the firewall can automatically match traffic carrying that access identifier against the security control policy associated with the corresponding user identifier for security detection.
If the trusted identity authentication platform fails to authenticate the user, no trusted mapping relationship is established and the firewall obtains none; the corresponding traffic is then subjected to security detection based on the five-tuple-based security control policy, and whether to allow it through is determined by the detection result. If an external attacker's access traffic passes through the firewall, the firewall performs security detection on it with the five-tuple-based security control policy and can intercept it, or report it to the security processing platform, when a threat is found. If the external attacker's access traffic is not identified as a threat and the attacker takes control of a compromised host (a "zombie" machine), the attacker must still go through that host to reach the core assets and systems for a privileged operation; but when the compromised host accesses the core assets and systems it must be authenticated by the trusted identity authentication platform, and if it is not, the firewall cannot obtain a corresponding trusted mapping relationship, the privileged operation is intercepted, and the external attacker's threat is blocked.
In one embodiment of the present application, the method may further comprise the following steps:
step one: under the condition that suspicious traffic is detected, sending notification information including an access identifier to the trusted identity authentication platform, wherein the notification information is used for instructing the trusted identity authentication platform to push information to be confirmed to the initiator of the suspicious traffic;
step two: determining whether to release the suspicious traffic according to the information received from the trusted identity authentication platform, which the platform feeds back according to the initiator's confirmation result for the information to be confirmed.
For convenience of description, the above two steps are described together.
In the embodiment of the application, the firewall performs security detection on the traffic passing through it; when the preset security control policy cannot determine whether to release the traffic, the traffic can be determined to be suspicious traffic. When suspicious traffic is detected, the access identifier of the suspicious traffic, such as its source IP, may be obtained, together with other relevant information such as the protocol and target system information. The notification information including the access identifier, and optionally the other related information of the suspicious traffic, is then sent to the trusted identity authentication platform. Specifically, the trusted identity authentication platform may be notified via a risk and threat forwarding protocol. The notification information instructs the trusted identity authentication platform to push the information to be confirmed to the initiator of the suspicious traffic.
On receiving the notification information, the trusted identity authentication platform obtains the access identifier of the suspicious traffic and the other related information (source IP, protocol, target system and the like) and can generate the information to be confirmed, for example a question asking whether the user intended to access the target system. The platform then pushes the information to be confirmed to the initiator of the suspicious traffic in a set pushing mode, according to the user identifier corresponding to the access identifier.
Specifically, the trusted identity authentication platform can encapsulate the information to be confirmed in a secure link and push that link to the initiator of the suspicious traffic, so that the security of the information to be confirmed is ensured.
The pushing mode can comprise at least one of pushing to a mobile phone number, pushing to a mailbox and pushing to a chat account. The mobile phone number, mailbox, chat account and so on may be specified in advance by the user, who may also specify other platforms able to receive the information.
After obtaining the information to be confirmed, the initiator confirms it: a positive result is given if the suspicious traffic was actually sent by the user, and a negative result if it was not.
Specifically, the confirmation result may be the selection made by the initiator on the information to be confirmed in a confirmation page, where the information to be confirmed is valid once. That is, the initiator clicks the secure link to reach the confirmation page and makes a positive or negative selection there. Because the information to be confirmed is valid only once, when the same secure link is clicked again and the confirmation page is reached, the information to be confirmed is no longer displayed, or no corresponding selection button is provided, so that illegitimate users are prevented from making use of it.
The trusted identity authentication platform feeds information back to the firewall according to the initiator's confirmation result for the information to be confirmed, and the firewall determines, based on the information fed back, whether to release the suspicious traffic. If so, the release operation is executed; otherwise, the suspicious traffic can be intercepted or reported to the security processing platform.
The embodiment of the application performs secondary confirmation on gray-area risk events, which effectively avoids normal service traffic being affected by misjudgment and balances security with stability.
For ease of understanding, the specific security protection process shown in fig. 3 is taken as an example to describe the technical solution provided by the embodiment of the present application.
The specific security protection process mainly comprises four steps:
1) Suspicious traffic notification. When the firewall detects suspicious traffic, it informs the trusted identity authentication platform. Firewall 1 is a firewall deployed at the network entrance and exit, and can classify traffic such as suspected illegal external connections and accesses to suspicious addresses as suspicious traffic; firewall 2 is a firewall deployed in front of the core assets and systems, such as a WAF, and can classify traffic such as suspected injection behavior, suspected malicious code and suspected brute-force attempts as suspicious traffic.
2) Pushing the information to be confirmed. The trusted identity authentication platform pushes the information to be confirmed to the initiator of the suspicious traffic, such as a privileged user, in the set pushing mode.
3) Result feedback. After receiving the initiator's confirmation result for the information to be confirmed, the trusted identity authentication platform forwards it to the firewall as result feedback.
4) Determining whether to release. The firewall determines whether to release the suspicious traffic according to the initiator's confirmation result.
In this process, the firewall identifies suspicious traffic through its risk event receiving interface in combination with the trusted mapping relation between access identifier and user identifier that the trusted identity authentication platform notified through the authentication forwarding interface. It notifies the platform of the gray-area risk event and requires the user corresponding to the source address of the suspicious traffic to perform secondary confirmation; after completing the secondary confirmation, the platform returns the result to the firewall, and the firewall determines whether to release the suspicious traffic according to that result.
Compared with the approaches in the related art of handling a gray-area risk event directly or reporting it to operation and maintenance personnel, this secondary confirmation approach reduces the false alarm rate, reduces the workload of operation and maintenance personnel, improves the handling efficiency of gray-area risk events, and balances security with service stability.
Referring to fig. 4, a flowchart of another security protection method provided in this embodiment is shown. The method may be applied to a trusted identity authentication platform and may include the following steps:
S410: receiving a trusted authentication request sent by a user;
S420: if the trusted authentication request passes authentication, sending a trusted mapping relation established based on the user identifier and the access identifier to the firewall, so that the firewall performs security detection on the target traffic to be detected based on the trusted mapping relation.
For convenience of description, the above two steps are described together.
In the embodiment of the application, when a user has an access requirement, the user can be authenticated by the trusted identity authentication platform. On receiving the user's trusted authentication request, the platform performs trusted authentication according to a set rule; if authentication passes, a trusted mapping relation is established based on the user's user identifier and access identifier and sent to the firewall. Specifically, the firewall is notified of the corresponding trusted mapping relation through the authentication forwarding interface. The firewall thereby obtains the trusted mapping relation between the user identifier and the access identifier of each user that has passed authentication at the trusted identity authentication platform. The authentication forwarding interface may apply an authentication forwarding protocol, that is, an interface protocol for synchronizing the association between network addresses and user identities.
After the firewall obtains the target traffic to be detected, it can perform security detection on the target traffic based on the trusted mapping relation. Specifically, the firewall looks up the access identifier of the target traffic in the trusted mapping relation obtained in advance: if the access identifier is found, it is in the trusted mapping relation; if it is not found, it is not. If the access identifier is in the trusted mapping relation, the corresponding user identifier is determined from the mapping and the target traffic is subjected to security detection through the security control policy configured based on identity. If the access identifier is not in the trusted mapping relation, security detection is performed on the target traffic through the security control policy configured based on the quintuple. Whether to release the target traffic is then determined based on the detection result.
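The lookup just described, together with the same decision logic in the earlier process description (identity-configured policy when the access identifier is in the trusted mapping relation, quintuple-configured policy otherwise, and the compromised-host case where an unmapped source attempts a privileged operation), as an added Python example that is not code from the patent or from Sangfor; the addresses, rule contents, `Flow` fields and method names are constructed for illustration.

```python
"""Firewall-side security detection driven by a trusted mapping relation.

Added example, not code from the patent or from Sangfor: it models the
firewall described above, which receives (access identifier -> user
identifier) mappings from the trusted identity authentication platform and
applies an identity-configured policy when the source address is mapped,
falling back to a quintuple-configured policy otherwise. All addresses,
rule contents and interface names are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Verdict(Enum):
    RELEASE = "release"        # let the traffic through
    INTERCEPT = "intercept"    # block the traffic
    SUSPICIOUS = "suspicious"  # policy cannot decide; hand to secondary confirmation


@dataclass(frozen=True)
class Flow:
    """A unit of target traffic as seen by the firewall."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    action: str = "read"   # application-level operation, e.g. "read" or "privileged"


@dataclass(frozen=True)
class QuintupleRule:
    """Five-tuple rule; a None field matches any value. First matching rule wins."""
    verdict: Verdict
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return all(
            want is None or want == got
            for want, got in (
                (self.src_ip, f.src_ip), (self.dst_ip, f.dst_ip),
                (self.src_port, f.src_port), (self.dst_port, f.dst_port),
                (self.protocol, f.protocol),
            )
        )


@dataclass
class Firewall:
    # trusted mapping relation: access identifier (source IP) -> user identifier
    trusted_mapping: Dict[str, str] = field(default_factory=dict)
    # identity-configured policy: user identifier -> allowed (dst_ip, action) pairs
    identity_policy: Dict[str, set] = field(default_factory=dict)
    # quintuple-configured policy, used for traffic with no trusted mapping
    quintuple_policy: List[QuintupleRule] = field(default_factory=list)

    def on_authentication_forward(self, access_id: str, user_id: str) -> None:
        """Authentication forwarding interface: the platform pushes a mapping
        after the user passes trusted authentication."""
        self.trusted_mapping[access_id] = user_id

    def detect(self, flow: Flow) -> Tuple[Verdict, str]:
        """Return the detection result and which policy produced it."""
        user_id = self.trusted_mapping.get(flow.src_ip)
        if user_id is not None:
            # First detection result: the flow is attributed to an authenticated
            # user, so the identity-configured policy decides.
            allowed = self.identity_policy.get(user_id, set())
            if (flow.dst_ip, flow.action) in allowed:
                return Verdict.RELEASE, f"identity:{user_id}"
            return Verdict.INTERCEPT, f"identity:{user_id}"
        # Second detection result: no trusted mapping (unauthenticated source,
        # e.g. an attacker or a compromised host), so the quintuple policy decides.
        for rule in self.quintuple_policy:
            if rule.matches(flow):
                return rule.verdict, "quintuple"
        # Neither policy can decide: mark suspicious for secondary confirmation.
        return Verdict.SUSPICIOUS, "quintuple"


def build_demo_firewall() -> Firewall:
    """Constructed deployment: core asset 10.10.0.5, privileged user alice."""
    fw = Firewall()
    fw.identity_policy["alice"] = {("10.10.0.5", "read"), ("10.10.0.5", "privileged")}
    fw.identity_policy["bob"] = {("10.10.0.5", "read")}
    fw.quintuple_policy = [
        # Unauthenticated sources may never reach the core asset's admin port.
        QuintupleRule(Verdict.INTERCEPT, dst_ip="10.10.0.5", dst_port=22, protocol="tcp"),
        # The public web front end is open to anyone.
        QuintupleRule(Verdict.RELEASE, dst_ip="10.10.0.9", dst_port=443, protocol="tcp"),
    ]
    return fw
```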
By applying the method provided by the embodiment of the application, the trusted identity authentication platform authenticates the trusted authentication request after receiving it from the user and, if authentication passes, sends the mapping relation established based on the user identifier and the access identifier to the firewall, so that the firewall performs security detection on the target traffic to be detected based on the trusted mapping relation. The trusted mapping relation established by the trusted identity authentication platform provides an important basis for the firewall's security detection of the target traffic to be detected, can improve the accuracy of that detection, effectively protects the service system and the whole network, and improves security.
In one embodiment of the present application, the method may further comprise the following steps:
step one: if notification information including an access identifier sent by the firewall is received, pushing the information to be confirmed to the initiator of the suspicious traffic according to the user identifier corresponding to the access identifier, wherein the notification information is sent by the firewall when it detects the suspicious traffic and instructs the trusted identity authentication platform to push the information to be confirmed to the initiator of the suspicious traffic;
step two: feeding information back to the firewall according to the initiator's confirmation result for the information to be confirmed.
For convenience of description, the above two steps are described together.
In the embodiment of the application, the firewall performs security detection on the traffic passing through it; when the preset security control policy cannot determine whether to release the traffic, the traffic can be determined to be suspicious traffic. When suspicious traffic is detected, the access identifier of the suspicious traffic, such as its source IP, may be obtained, together with other relevant information such as the protocol and target system information. The notification information including the access identifier, and optionally the other related information of the suspicious traffic, is then sent to the trusted identity authentication platform. Specifically, the trusted identity authentication platform may be notified via a risk and threat forwarding protocol. The notification information instructs the trusted identity authentication platform to push the information to be confirmed to the initiator of the suspicious traffic.
On receiving the notification information sent by the firewall, the trusted identity authentication platform obtains the access identifier of the suspicious traffic and the other related information (source IP, protocol, target system information and the like) and can generate the information to be confirmed, for example a question asking whether the user intended to access the target system. The platform then pushes the information to be confirmed to the initiator of the suspicious traffic in a set pushing mode, according to the user identifier corresponding to the access identifier. Specifically, the information to be confirmed is encapsulated in a secure link and pushed to the initiator of the suspicious traffic, so as to ensure the security of the information to be confirmed.
After obtaining the information to be confirmed, the initiator confirms it: a positive result is given if the suspicious traffic was actually sent by the user, and a negative result if it was not. According to the initiator's confirmation result, information is fed back to the firewall so that the firewall can determine whether to release the suspicious traffic. If so, the release operation is executed; otherwise, the suspicious traffic can be intercepted or reported to the security processing platform.
The information to be confirmed is valid once, so that it cannot be reused by illegitimate users.
The embodiment of the application performs secondary confirmation on gray-area risk events, which effectively avoids normal service traffic being affected by misjudgment and balances security with stability.
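The secondary confirmation exchange described in this embodiment and in the firewall-side embodiment above (notification with the access identifier, one-time-valid information to be confirmed wrapped in a secure link, feedback, release or interception), as an added Python example that is not code from the patent or from Sangfor; the message fields, the link format, the contact channels and the handling of an unmapped source are assumptions.

```python
"""Secondary confirmation of a gray-area risk event.

Added example, not code from the patent or from Sangfor: the firewall holds
suspicious traffic and notifies the trusted identity authentication platform,
the platform wraps one-time-valid information to be confirmed in a secure
link pushed to the initiator, and the initiator's answer is fed back to the
firewall. Message shapes, link format and contact channels are assumptions.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RiskNotification:
    """Risk and threat forwarding message, firewall -> platform (assumed shape)."""
    event_id: str
    access_id: str      # source IP of the suspicious traffic
    protocol: str
    target_system: str


@dataclass
class PendingConfirmation:
    user_id: str
    notification: RiskNotification
    consumed: bool = False   # the information to be confirmed is valid once


@dataclass
class TrustedIdentityPlatform:
    trusted_mapping: Dict[str, str]        # access identifier -> user identifier
    contacts: Dict[str, Tuple[str, str]]   # user identifier -> (channel, address)
    base_url: str = "https://idp.example.invalid/confirm"   # constructed
    pending: Dict[str, PendingConfirmation] = field(default_factory=dict)
    outbox: List[Tuple[str, str, str]] = field(default_factory=list)  # (channel, address, link)

    def handle_notification(self, n: RiskNotification) -> Optional[str]:
        """Generate the information to be confirmed and push its secure link.
        Returns None when the access identifier maps to no authenticated user."""
        user_id = self.trusted_mapping.get(n.access_id)
        if user_id is None or user_id not in self.contacts:
            return None
        token = secrets.token_urlsafe(24)   # unguessable single-use handle
        self.pending[token] = PendingConfirmation(user_id, n)
        link = f"{self.base_url}?token={token}"
        channel, address = self.contacts[user_id]
        self.outbox.append((channel, address, link))   # stands in for the real push
        return link

    def confirmation_page(self, token: str) -> Optional[dict]:
        """Page reached through the link. After the single use, nothing is shown."""
        p = self.pending.get(token)
        if p is None or p.consumed:
            return None
        n = p.notification
        return {"user": p.user_id,
                "question": f"Did you access {n.target_system} over {n.protocol} from {n.access_id}?"}

    def submit_confirmation(self, token: str, confirmed: bool) -> Optional[dict]:
        """Consume the token and build the feedback sent to the firewall."""
        p = self.pending.get(token)
        if p is None or p.consumed:
            return None
        p.consumed = True
        return {"event_id": p.notification.event_id,
                "access_id": p.notification.access_id,
                "release": confirmed}


@dataclass
class FirewallSuspiciousHandler:
    platform: TrustedIdentityPlatform
    quarantined: Dict[str, RiskNotification] = field(default_factory=dict)
    decisions: Dict[str, str] = field(default_factory=dict)   # event_id -> outcome

    def on_suspicious(self, n: RiskNotification) -> str:
        """Hold the traffic and ask the platform for secondary confirmation."""
        self.quarantined[n.event_id] = n
        if self.platform.handle_notification(n) is None:
            # Assumption: with no authenticated initiator to ask, the traffic is
            # reported to the security processing platform rather than released.
            return self._finish(n.event_id, "reported")
        return "awaiting_confirmation"

    def on_feedback(self, feedback: dict) -> str:
        """Release or intercept according to the platform's feedback."""
        n = self.quarantined.get(feedback["event_id"])
        if n is None or n.access_id != feedback["access_id"]:
            return "ignored"   # stale, duplicate or mismatched feedback
        return self._finish(n.event_id, "released" if feedback["release"] else "intercepted")

    def _finish(self, event_id: str, outcome: str) -> str:
        self.quarantined.pop(event_id, None)
        self.decisions[event_id] = outcome
        return outcome
```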
Corresponding to the method embodiment shown in fig. 1, the embodiment of the present application further provides a security protection apparatus applied to a firewall; the security protection apparatus described below and the security protection method described above may be referred to in correspondence.
Referring to fig. 5, the security protection apparatus 500 may include the following modules:
a target traffic obtaining module 510, configured to obtain target traffic to be detected;
a security detection module 520, configured to, when the access identifier of the target traffic is in a trusted mapping relation obtained in advance through the trusted identity authentication platform, determine, based on the trusted mapping relation, the user identifier corresponding to the access identifier, and perform security detection on the target traffic through a security control policy configured based on identity, to obtain a first detection result;
and a target traffic processing module 530, configured to determine whether to release the target traffic according to the first detection result.
By applying the apparatus provided by the embodiment of the application, after the target traffic to be detected is obtained, it is determined whether the access identifier of the target traffic is in the trusted mapping relation obtained in advance through the trusted identity authentication platform. If it is, the user identifier corresponding to the access identifier is determined based on the trusted mapping relation, and security detection is performed on the target traffic through the security control policy configured based on identity to obtain a first detection result. Based on the first detection result, it can be determined whether to release the target traffic. By combining the trusted mapping relation with the identity-configured security control policy, the accuracy of security detection of the target traffic can be improved, the service system and the whole network are effectively protected, and security is improved.
In a specific embodiment of the present application, the security detection module 520 is further configured to:
under the condition that the access identifier of the target traffic is not in the trusted mapping relation, perform security detection on the target traffic through a security control policy configured based on the quintuple to obtain a second detection result;
and the target traffic processing module 530 is configured to determine whether to release the target traffic according to the first detection result or the second detection result.
In a specific embodiment of the present application, the apparatus further includes a trusted mapping relation obtaining module, configured to:
receive the trusted mapping relation, established based on the user identifier and the access identifier of the user, sent by the trusted identity authentication platform.
In a specific embodiment of the present application, the apparatus further includes a suspicious traffic processing module, configured to:
under the condition that suspicious traffic is detected, send notification information including an access identifier to the trusted identity authentication platform, wherein the notification information is used for instructing the trusted identity authentication platform to push information to be confirmed to the initiator of the suspicious traffic;
and determine whether to release the suspicious traffic according to the information received from the trusted identity authentication platform, which the platform feeds back according to the initiator's confirmation result for the information to be confirmed.
Corresponding to the method embodiment shown in fig. 4, the embodiment of the present application further provides a security protection apparatus applied to a trusted identity authentication platform; the security protection apparatus described below and the security protection method described above may be referred to in correspondence.
Referring to fig. 6, the security protection apparatus 600 may include the following modules:
a trusted authentication request receiving module 610, configured to receive a trusted authentication request sent by a user;
and a trusted mapping relation sending module 620, configured to send, if the trusted authentication request passes authentication, a trusted mapping relation established based on the user identifier and the access identifier to the firewall, so that the firewall performs security detection on the target traffic to be detected based on the trusted mapping relation.
By applying the apparatus provided by the embodiment of the application, the trusted identity authentication platform authenticates the trusted authentication request after receiving it from the user and, if authentication passes, sends the mapping relation established based on the user identifier and the access identifier to the firewall, so that the firewall performs security detection on the target traffic to be detected based on the trusted mapping relation. The trusted mapping relation established by the trusted identity authentication platform provides an important basis for the firewall's security detection of the target traffic to be detected, can improve the accuracy of that detection, effectively protects the service system and the whole network, and improves security.
In a specific embodiment of the present application, the apparatus further includes a suspicious traffic information confirmation module, configured to:
if notification information including an access identifier sent by the firewall is received, push the information to be confirmed to the initiator of the suspicious traffic according to the user identifier corresponding to the access identifier, wherein the notification information is sent by the firewall when it detects the suspicious traffic and instructs the trusted identity authentication platform to push the information to be confirmed to the initiator of the suspicious traffic;
and feed information back to the firewall according to the initiator's confirmation result for the information to be confirmed.
In a specific embodiment of the present application, the suspicious traffic information confirmation module is configured to:
encapsulate the information to be confirmed in a secure link and push it to the initiator of the suspicious traffic.
The suspicious traffic information confirmation module further ensures that the information to be confirmed is valid once.
Corresponding to the above method embodiments, an embodiment of the present application further provides a security protection device, including:
a memory for storing a computer program;
and a processor for implementing the steps of the security protection method when executing the computer program.
Fig. 7 is a schematic view of the composition of a security protection device. The security protection device may include: a processor 10, a memory 11, a communication interface 12 and a communication bus 13. The processor 10, the memory 11 and the communication interface 12 all communicate with each other through the communication bus 13.
In the embodiment of the present application, the processor 10 may be a Central Processing Unit (CPU), an application-specific integrated circuit, a digital signal processor, a field-programmable gate array or other programmable logic device, etc.
The processor 10 may call a program stored in the memory 11; in particular, the processor 10 may perform the operations in the embodiments of the security protection method.
The memory 11 is used for storing one or more programs. A program may include program code, and the program code includes computer operation instructions. In this embodiment, the memory 11 stores at least a program for implementing the following functions:
obtaining target traffic to be detected;
if the access identifier of the target traffic is in a trusted mapping relation obtained in advance through a trusted identity authentication platform, determining the user identifier corresponding to the access identifier based on the trusted mapping relation, and performing security detection on the target traffic through a security control policy configured based on identity to obtain a first detection result;
determining whether to release the target traffic according to the first detection result;
and/or,
receiving a trusted authentication request sent by a user;
and if the trusted authentication request passes authentication, sending a trusted mapping relation established based on the user identifier and the access identifier to the firewall, so that the firewall performs security detection on the target traffic to be detected based on the trusted mapping relation.
In a possible implementation, the memory 11 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, application programs required by at least one function (such as a traffic monitoring function or an information interaction function), and the like; the data storage area can store data created during use, such as traffic monitoring data and policy matching data.
Further, the memory 11 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device or other non-volatile solid-state storage device.
The communication interface 12 may be an interface of a communication module for connecting with other devices or systems.
Of course, it should be noted that the configuration shown in fig. 7 does not limit the security protection device of the embodiments of the present application; in practice, the security protection device may include more or fewer components than those shown in fig. 7, or a different combination of components.
Corresponding to the above method embodiments, this application embodiment further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the above safety protection method.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The principle and the implementation of the present application are explained in the present application by using specific examples, and the above description of the embodiments is only used to help understanding the technical solution and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.

Claims (12)

1. A safety protection method is applied to a firewall, and comprises the following steps:
obtaining target flow to be detected;
if the access identifier of the target flow is in a credible mapping relation obtained in advance through a credible identity authentication platform, determining a user identifier corresponding to the access identifier based on the credible mapping relation, and performing security detection on the target flow through a security control strategy based on identity configuration to obtain a first detection result;
and determining whether to open the target flow according to the first detection result.
2. The method of safeguarding according to claim 1, further comprising:
if the access identifier of the target flow is not in the trusted mapping relation, performing security detection on the target flow through a security control strategy configured based on a quintuple to obtain a second detection result;
correspondingly, the determining whether to let the target flow through according to the first detection result includes:
and determining whether to open the target flow according to the first detection result or the second detection result.
3. The security protection method according to claim 1, wherein the trusted mapping relationship is obtained by:
and receiving a trusted mapping relation which is sent by the trusted identity authentication platform and is established based on the user identification and the access identification of the user.
4. A method of safeguarding according to any of claims 1 to 3, further comprising:
under the condition that suspicious traffic is detected, sending notification information including an access identifier to the trusted identity authentication platform, wherein the notification information is used for indicating the trusted identity authentication platform to push information to be confirmed to an initiator of the suspicious traffic;
and determining whether to release the suspicious flow according to the received information fed back by the trusted identity authentication platform according to the confirmation result of the initiator on the information to be confirmed.
5. A security protection method is applied to a trusted identity authentication platform, and comprises the following steps:
receiving a trusted authentication request sent by a user;
and if the trusted authentication request passes the authentication, sending a trusted mapping relation established based on the user identifier and the access identifier to a firewall so that the firewall performs security detection on the target flow to be detected based on the trusted mapping relation.
6. The method of safeguarding according to claim 5, further comprising:
if notification information including an access identifier sent by the firewall is received, pushing information to be confirmed to an initiator of suspicious traffic according to a user identifier corresponding to the access identifier, wherein the notification information is information which indicates the trusted identity authentication platform to push the information to be confirmed to the initiator of the suspicious traffic when the firewall detects the suspicious traffic;
and feeding back information to the firewall according to the confirmation result of the initiator on the information to be confirmed.
7. The security protection method according to claim 6, wherein the pushing the information to be confirmed to the initiator of the suspicious traffic includes:
and encapsulating the information to be confirmed in a safety link and pushing the information to the initiator of the suspicious traffic.
8. A method of safeguarding according to any of claims 5 to 7, characterized in that the information to be confirmed is valid once.
9. A security protection device applied to a firewall, comprising:
a target flow obtaining module for obtaining target flow to be detected;
a security detection module for, when the access identifier of the target flow is present in a trusted mapping relation obtained in advance from a trusted identity authentication platform, determining the user identifier corresponding to the access identifier from the trusted mapping relation and performing security detection on the target flow according to an identity-based security control policy to obtain a first detection result;
and a target flow processing module for determining, according to the first detection result, whether to release the target flow.
10. A security protection device applied to a trusted identity authentication platform, comprising:
a trusted authentication request receiving module for receiving a trusted authentication request sent by a user;
and a trusted mapping relation sending module for, if the trusted authentication request passes authentication, sending a trusted mapping relation established from the user identifier and the access identifier to a firewall, so that the firewall performs security detection on the target flow to be detected based on the trusted mapping relation.
11. Security protection equipment, comprising:
a memory for storing a computer program;
and a processor for implementing the steps of the security protection method of any one of claims 1 to 8 when executing the computer program.
12. A computer-readable storage medium storing a computer program which, when executed by a processor, carries out the steps of the security protection method according to any one of claims 1 to 8.
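The exchange described in claims 5 to 10, as an added example (Python, not the patent's or Sangfor's code). It assumes the access identifier is a source IP address, the user identifier a username, the identity-based security control policy a per-user allow-list of destination services, and the one-time information to be confirmed a random token with a short TTL; the credentials, policy and addresses are constructed sample data, and all class and function names are the example's own.

```python
# Added example, not the patent's code. Assumptions of this example: access
# identifier = source IP, user identifier = username, identity-based policy =
# per-user service allow-list, information to be confirmed = one-time token with TTL.
import secrets
import time
from dataclasses import dataclass

# Constructed sample data for the example, not from the patent.
CREDENTIALS = {"alice": "correct horse", "bob": "battery staple"}
POLICY = {"alice": {"erp", "mail"}, "bob": {"mail"}}  # user -> permitted services


@dataclass
class Flow:
    src_ip: str               # the access identifier the firewall sees on the wire
    dst_service: str          # what the identity-based policy is keyed on
    suspicious: bool = False  # set by the firewall's own detectors (out of scope)


class Firewall:
    def __init__(self, policy):
        self.policy = policy
        self.trusted_map = {}  # access identifier -> user identifier (claim 9)
        self.platform = None   # wired up by TrustedIdentityPlatform
        self.held = {}         # access identifier -> flows parked pending confirmation
        self.decisions = []    # (flow, verdict) once the user's answer comes back

    def inspect(self, flow):
        user = self.trusted_map.get(flow.src_ip)
        if user is None:
            return "drop"  # no trusted identity behind this address: default deny
        if flow.dst_service not in self.policy.get(user, set()):
            return "drop"  # the identity policy forbids this destination
        if flow.suspicious:
            # Only the access identifier is sent; the platform resolves the user (claim 6).
            self.platform.notify_suspicious(flow.src_ip)
            self.held.setdefault(flow.src_ip, []).append(flow)
            return "hold"
        return "allow"

    def feedback(self, access_id, approved):
        verdict = "allow" if approved else "drop"
        for flow in self.held.pop(access_id, []):
            self.decisions.append((flow, verdict))
        if not approved:
            self.trusted_map.pop(access_id, None)  # user disowned it: revoke trust


class TrustedIdentityPlatform:
    def __init__(self, firewall, credentials, ttl_seconds=60):
        self.firewall = firewall
        firewall.platform = self
        self.credentials = credentials
        self.ttl = ttl_seconds
        self.pending = {}  # token -> {"access_id", "expires", "used"}
        self.outbox = []   # (user, token); stands in for the secure-link push (claim 7)

    def authenticate(self, user, password, access_id):
        # Stand-in for real credential checking; on success push the mapping (claim 5).
        if not secrets.compare_digest(self.credentials.get(user, ""), password):
            return False
        self.firewall.trusted_map[access_id] = user
        return True

    def notify_suspicious(self, access_id):
        user = self.firewall.trusted_map.get(access_id)
        if user is None:
            return None
        token = secrets.token_urlsafe(16)
        self.pending[token] = {"access_id": access_id, "used": False,
                               "expires": time.monotonic() + self.ttl}
        self.outbox.append((user, token))
        return token

    def confirm(self, token, approved):
        rec = self.pending.get(token)
        if rec is None or rec["used"] or time.monotonic() > rec["expires"]:
            return False  # unknown, replayed or expired: ignored
        rec["used"] = True  # single use, as claim 8 requires
        self.firewall.feedback(rec["access_id"], approved)
        return True


def run_scenario():
    """Walks the protocol once and returns the observable results."""
    fw = Firewall(POLICY)
    idp = TrustedIdentityPlatform(fw, CREDENTIALS)
    out = {}
    out["unauth"] = fw.inspect(Flow("10.0.0.9", "erp"))  # no mapping yet
    out["bad_login"] = idp.authenticate("bob", "wrong", "10.0.0.6")
    out["login"] = idp.authenticate("alice", "correct horse", "10.0.0.5")
    out["normal"] = fw.inspect(Flow("10.0.0.5", "erp"))
    out["forbidden"] = fw.inspect(Flow("10.0.0.5", "db"))
    out["held"] = fw.inspect(Flow("10.0.0.5", "erp", suspicious=True))
    user, token = idp.outbox[-1]
    out["pushed_to"] = user
    out["confirm"] = idp.confirm(token, approved=True)
    out["replay"] = idp.confirm(token, approved=True)  # second use is refused
    out["released"] = fw.decisions[-1][1]
    fw.inspect(Flow("10.0.0.5", "mail", suspicious=True))
    idp.confirm(idp.outbox[-1][1], approved=False)  # user denies the activity
    out["after_denial"] = fw.inspect(Flow("10.0.0.5", "erp"))  # trust revoked
    return out
```

The firewall never learns the user's password and the platform never sees the traffic; only the access identifier crosses the boundary in the suspicious-traffic notification, and a replayed or expired token is refused before any feedback reaches the firewall. Revoking the mapping when the user denies the activity is a design choice of this example, not something the claims specify.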
CN202110491417.2A 2021-05-06 2021-05-06 Safety protection method, device, equipment and storage medium Active CN113206852B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110491417.2A CN113206852B (en) 2021-05-06 2021-05-06 Safety protection method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110491417.2A CN113206852B (en) 2021-05-06 2021-05-06 Safety protection method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113206852A true CN113206852A (en) 2021-08-03
CN113206852B CN113206852B (en) 2023-03-24

Family

ID=77030121

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110491417.2A Active CN113206852B (en) 2021-05-06 2021-05-06 Safety protection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113206852B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113660177A (en) * 2021-09-23 2021-11-16 深信服科技股份有限公司 Flow control method, device and system and readable storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102752266A (en) * 2011-04-20 2012-10-24 中国移动通信集团公司 Access control method and equipment thereof
CN105959298A (en) * 2016-06-24 2016-09-21 乐视控股(北京)有限公司 Data transmission method and data transmission device
CN110311929A (en) * 2019-08-01 2019-10-08 江苏芯盛智能科技有限公司 A kind of access control method, device and electronic equipment and storage medium
CN110971569A (en) * 2018-09-29 2020-04-07 北京奇虎科技有限公司 Network access authority management method and device and computing equipment
CN111385244A (en) * 2018-12-27 2020-07-07 中国移动通信集团四川有限公司 Abnormal flow identification method, device, equipment, system and medium
CN111510453A (en) * 2020-04-15 2020-08-07 深信服科技股份有限公司 Business system access method, device, system and medium

Also Published As

Publication number Publication date
CN113206852B (en) 2023-03-24

Similar Documents

Publication Publication Date Title
US10264104B2 (en) Systems and methods for malicious code detection accuracy assurance
Ghafir et al. Botdet: A system for real time botnet command and control traffic detection
US6775657B1 (en) Multilayered intrusion detection system and method
US7197563B2 (en) Systems and methods for distributed network protection
US7089303B2 (en) Systems and methods for distributed network protection
US9009828B1 (en) System and method for identification and blocking of unwanted network traffic
US20020023227A1 (en) Systems and methods for distributed network protection
US11888882B2 (en) Network traffic correlation engine
CN103746956A (en) Virtual honeypot
US20210352104A1 (en) Detecting malicious activity in a cluster
US20210409446A1 (en) Leveraging network security scanning to obtain enhanced information regarding an attack chain involving a decoy file
CN106209907B (en) Method and device for detecting malicious attack
CN113206852B (en) Safety protection method, device, equipment and storage medium
CN113660222A (en) Situation awareness defense method and system based on mandatory access control
CN113411296B (en) Situation awareness virtual link defense method, device and system
CN113328976B (en) Security threat event identification method, device and equipment
Choi IoT (Internet of Things) based Solution Trend Identification and Analysis Research
Hostiadi et al. Improving Automatic Response Model System for Intrusion Detection System
Kaskar et al. A system for detection of distributed denial of service (DDoS) attacks using KDD cup data set
Holik Protecting IoT Devices with Software-Defined Networks
JP2022038148A (en) Distribution processing apparatus, distribution processing program, and distribution processing method
CN115499198A (en) Honeypot management method, honeypot management device, honeypot defense system and storage medium
JP2020149553A (en) Computer program, event abnormality detection method, and computer
CN117424711A (en) Network security management method, device, computer equipment and storage medium
CN117955690A (en) Honey court defense method, system, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant