CN113301028A - Gateway protection method and data labeling method - Google Patents

Info

Publication number
CN113301028A
Authority
CN
China
Prior art keywords
access request
domain name
data packet
request data
server
Prior art date
Legal status
Granted
Application number
CN202110521326.9A
Other languages
Chinese (zh)
Other versions
CN113301028B (en)
Inventor
黄士超
钟国新
吴梓宏
梁兆楷
温诗华
王辉鹏
Current Assignee
Guangzhou Power Supply Bureau of Guangdong Power Grid Co Ltd
Original Assignee
Guangzhou Power Supply Bureau of Guangdong Power Grid Co Ltd
Priority date
Filing date
Publication date
Application filed by Guangzhou Power Supply Bureau of Guangdong Power Grid Co Ltd
Priority to CN202110521326.9A
Publication of CN113301028A
Application granted
Publication of CN113301028B
Legal status: Active (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L12/4645 Details on frame tagging
    • H04L12/4666 Operational details on the addition or the stripping of a tag in a frame, e.g. at a provider edge node
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Abstract

The application relates to a gateway protection method and a data labeling method. In the gateway protection method, a legitimate user passes the login verification of an authentication server; the authentication server then marks a specific tag on the access request data packet sent by the user terminal and forwards the tagged packet to a security gateway server. A domain name resolution server resolves the domain name in the access request data packet and sends the resulting domain name information to the security gateway server, or sends an interception notification to the security gateway server if resolution fails. In operation, the security gateway server verifies every access request data packet it receives from any user terminal and intercepts access that lacks the specific tag or whose user domain name is illegal. Through this double authentication of domain name and identity tag, only an access request data packet that both carries the specific tag and has a legal domain name can pass through the gateway, which improves the reliability of gateway protection.

Description

Gateway protection method and data labeling method
Technical Field
The present application relates to the technical field of network security protection, and in particular, to a gateway protection method and a data tagging method.
Background
The popularization of mobile applications meets the need to access internal systems during remote office work and field operations, and brings great convenience to enterprise staff. However, as the number of users grows, the security of the mobile terminal becomes critical, and the introduction of a Virtual Private Network (VPN) provides a solution for secure access to enterprise resources. Among the key technologies applied in a VPN, network data packet interception is the most important: by filtering and intercepting data packets, application access is protected by encryption and users can be assured of safe access to the enterprise's internal system.
The existing data packet interception method intercepts on the basis of the domain name: it judges whether an access is valid from the domain name address stored in a Domain Name Server (DNS). When a user makes an access, the security gateway compares the accessed domain name and thereby intercepts illegal or invalid domain names.
However, in the course of implementation the inventor found that once an attacker acquires a correct domain name, the attacker can bypass the user authentication step and illegally access the enterprise's internal system, threatening data security.
Disclosure of Invention
In view of the foregoing technical problems, it is desirable to provide a gateway protection method and a data tagging method capable of improving the reliability with which illegal access is intercepted.
An aspect of the embodiments of the present application provides a gateway protection method, where the method includes:
the user terminal sends an access request data packet;
the authentication server marks a specific tag on an access request data packet sent by the user terminal and sends the tagged access request data packet to the security gateway server;
the domain name resolution server carries out domain name resolution on the access request data packet;
when the domain name resolution server successfully resolves the domain name, sending domain name information to a security gateway server;
when the domain name resolution server fails in resolution, an interception notification is sent to a security gateway server;
the security gateway server receives an access request data packet sent by any user terminal and verifies whether the access request data packet has a specific tag or not;
the security gateway server intercepts the data when it verifies that the access request data packet has no specific tag, when the access request data packet is verified to have the specific tag but the domain name of the user is verified to be illegal according to the domain name information, or when the interception notification is received.
In one embodiment, the specific tag is a tag that includes business information.
In one embodiment, the step of "the authentication server specifically tags the access request packet sent by the user terminal" includes:
the authentication server adds a specific tag to the request header of the access request packet.
In one embodiment, the gateway protection method further includes:
the authentication server periodically updates the contents of the specific tag.
In one embodiment, the gateway protection method further includes:
when the security gateway server verifies that the access request data packet has the specific tag and verifies that the domain name of the user is legal according to the domain name information, the security gateway server allows the user terminal that sent the access request data packet to access.
On the other hand, the embodiment of the present application further provides a gateway protection method, which is applied to a system composed of a VPN and a security gateway server, and the method includes:
the authentication server marks a specific tag on an access request data packet sent by the user terminal and sends the tagged access request data packet to the security gateway server;
the security gateway server receives an access request data packet sent by any user terminal and verifies whether the access request data packet has a specific tag or not;
the security gateway server intercepts the data when it verifies that the access request data packet has no specific tag, when the access request data packet is verified to have the specific tag but the domain name of the user is verified to be illegal according to the domain name information, or when the interception notification is received;
the domain name information is information fed back after the domain name resolution server performs domain name resolution on the access request data packet, and the interception notification is information sent by the domain name resolution server when the resolution fails.
In addition, an embodiment of the present application further provides a gateway protection method, which is applied to a security gateway server, and the gateway protection method includes:
receiving an access request data packet sent by any user terminal, and verifying whether the access request data packet carries a specific tag; the specific tag is marked by the authentication server on the access request data packet sent by the user terminal after the user has successfully logged in to the authentication server at the user terminal;
if the specific tag is absent from the access request data packet, intercepting the data; or, alternatively,
if the access request data packet is verified to carry the specific tag but the domain name of the user is verified to be illegal according to the domain name information, intercepting the data, the domain name information being the information fed back after the domain name resolution server performs domain name resolution on the access request data packet; or, alternatively,
if an interception notification is received, intercepting the data, the interception notification being the information sent by the domain name resolution server when resolution fails.
In one embodiment, the gateway protection method further includes the steps of:
if the specific tag exists in the access request data packet and the domain name of the user is verified to be legal according to the domain name information, allowing the user terminal that sent the access request data packet to access.
On the other hand, the embodiment of the application also provides a data tagging method, which is applied to an authentication server and comprises the following steps:
marking a specific tag on an access request data packet sent by a user terminal, and sending the access request data packet marked with the specific tag to a security gateway server, so that the security gateway server intercepts the data when it verifies that an access request data packet does not have the specific tag, when the access request data packet is verified to have the specific tag but the domain name of the user is verified to be illegal according to the domain name information, or when an interception notification is received.
In one embodiment, the data tagging method further comprises the steps of:
the contents of a particular tag are updated periodically.
One or more embodiments of the present application have at least the following beneficial effects. With the gateway protection method, a user logs in to the authentication server; after login succeeds, the authentication server marks a specific tag on the access request data packet sent by the user terminal and sends the tagged packet to the security gateway server. Meanwhile, the domain name resolution server performs domain name resolution on the access request data packet, sends domain name information to the security gateway server when resolution succeeds, and sends an interception notification to the security gateway server if resolution fails. The security gateway server receives the access request data packet sent by any user terminal and verifies whether it carries the specific tag; it intercepts the data when the packet is verified to have no specific tag, when the packet has the specific tag but the user domain name is verified to be illegal according to the domain name information, or when an interception notification is received. Through the double authentication of domain name and identity tag, the internal systems of enterprises and similar organizations are protected from illegal access: only an access request data packet that carries the specific tag and has a legal domain name can pass through the gateway to reach the system, such as the enterprise's internal system, so the reliability of gateway protection is improved and data security is ensured.
Drawings
FIG. 1 is a diagram of an application environment of a gateway protection method in one embodiment;
FIG. 2 is a timing diagram of a gateway protection method applied to a system architecture consisting of a user terminal, an authentication server, a security gateway server, a domain name resolution server and a system server in one embodiment;
FIG. 3 is a schematic flowchart of a gateway protection method applied to a system architecture composed of a user terminal, an authentication server, a security gateway server, a domain name resolution server and a system server in one embodiment;
FIG. 4 is a flowchart illustrating a gateway protection method in one embodiment;
FIG. 5 is a schematic flowchart of a gateway protection method applied to a system architecture composed of a user terminal, an authentication server, a security gateway server, a domain name resolution server and a system server in one embodiment;
FIG. 6 is a flowchart illustrating a gateway protection method applied to a security gateway server according to an embodiment;
FIG. 7 is a flowchart illustrating a data tagging method applied to an authentication server in one embodiment;
FIG. 8 is a diagram of the internal structure of a security gateway server in one embodiment;
FIG. 9 is a diagram of the internal structure of an authentication server in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The gateway protection method and the data tagging method provided by the application can be applied to the application environment shown in FIG. 1. A user logs in to and is authenticated by the authentication server 103 from the user terminal 102. The domain name resolution server 106 performs domain name resolution for the user's access request. The security gateway server 104 communicates with the user terminal 102 through the VPN 103 and verifies the legality of the domain name in an access request initiated by the user at the user terminal 102, so as to ensure the data security of the accessed system; when the verification succeeds, the security gateway server 104 allows the data sent by the user terminal 102 to pass through and enter the system server 105. The user terminal 102 may be, but is not limited to, a personal computer, notebook computer, smart phone, tablet computer or portable wearable device, and the DNS server 106 and the security gateway server 104 may be implemented as independent servers or as a server cluster composed of a plurality of servers. The user terminal 102 can communicate with each server through an API gateway, which makes the services transparent to the caller, reduces the coupling between the user terminal 102 and the back-end servers, aggregates background services, saves traffic and improves performance, and provides API management functions such as improved user experience, security, flow control, filtering, caching, charging and monitoring.
The authentication server 103 may be a VPN or a server running SDP (Software Defined Perimeter) software. A VPN is a virtual private network that communicates in encrypted form by establishing a private network over a public network. Here the VPN may be implemented on a server, on dedicated hardware or as virtual software.
In view of the above technical problems, an aspect of the present application provides a gateway protection method applied to a system architecture composed of the user terminal 102, the authentication server 103, the domain name resolution server 106, the security gateway server 104 and the system server 105 of FIG. 1. As shown in FIG. 2 and FIG. 3, the method includes:
S100: the user terminal sends an access request data packet;
S120: the authentication server marks a specific tag on the access request data packet sent by the user terminal and sends the tagged access request data packet to the security gateway server.
The specific tag is a tag with an identifying function agreed with the system to be accessed, such as a tag that includes enterprise information.
S130: the domain name resolution server performs domain name resolution on the access request data packet.
A domain name is the name of a computer or group of computers on the Internet and identifies the electronic location (sometimes also called the geographic location) of the computer during data transmission. A Domain Name Server (DNS) converts between a domain name and the IP address corresponding to it, that is, it converts the domain name into an IP address that a computer can recognize.
S140: when the domain name resolution server successfully resolves the domain name, it sends domain name information to the security gateway server.
The domain name information is information related to the domain name, and may include, for example, a domain name certificate, administrative right and legal record information.
S150: when the domain name resolution server fails to resolve the domain name, it sends an interception notification to the security gateway server.
If the domain name cannot be resolved by the domain name resolution server, the domain name access is judged invalid, the access request data packet is marked as an illegal data packet, and the security gateway server is notified to intercept it.
S160: the security gateway server receives an access request data packet sent by any user terminal and verifies whether a specific label exists in the access request data packet.
After acquiring the domain name of a system to be accessed, any user can make an access request from different terminals such as a mobile terminal or a computer terminal. The request data packets are received at the security gateway server, which performs legitimacy verification and intercepts illegal access.
S170: the security gateway server intercepts the data when it verifies that the access request data packet has no specific tag, when the access request data packet is verified to have the specific tag but the domain name of the user is verified to be illegal according to the domain name information, or when the interception notification is received.
For a user access that has not been verified by the authentication server, the access request data packet has not been marked with the specific tag by the authentication server, so the security gateway server can intercept it by verifying whether the access request data packet carries the specific tag; if not, the access is illegal. For a user access that has passed the login verification of the authentication server, the authentication server marks the specific tag on the access request data and sends it to the security gateway server; to improve protection reliability, the security gateway server then further verifies whether the domain name is legal before deciding whether the tagged packet is allowed through the gateway to the accessed system. If the domain name is determined to be illegal according to the domain name information, for example because it has no certificate or no administrative right, the security gateway server must also intercept the packet. Only an access request data packet that both carries the specific tag and has a legal domain name is allowed by the security gateway server to enter the system server through the gateway and access data. Of course, when DNS resolution fails, the domain name is invalid; the domain name resolution server then marks the access request data packet as an illegal packet and must notify the security gateway server to intercept it.
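The decision logic of S160 to S180 as an added example in Python (not code from the patent), run over constructed requests and constructed DNS feedback. The header name `X-VPN-Tag`, the three fields of the domain name information and the fail-closed treatment of a domain the DNS server has not yet reported on are assumptions; the patent only says the tag sits in the request header and that the domain name information may include a certificate, administrative right and record information.

```python
"""Security gateway side of the tag + domain double verification (added example)."""
from dataclasses import dataclass
from enum import Enum
import hmac

# Assumed header name; the patent only says the tag is placed in the request header.
TAG_HEADER = "X-VPN-Tag"


class Decision(Enum):
    ALLOW = "allow"                                                        # S180
    INTERCEPT_NO_TAG = "intercept: no specific tag"                        # S170, first branch
    INTERCEPT_ILLEGAL_DOMAIN = "intercept: illegal domain"                 # S170, second branch
    INTERCEPT_RESOLUTION_FAILED = "intercept: interception notification"   # S170, third branch


@dataclass(frozen=True)
class DomainInfo:
    """Domain name information fed back by the DNS server (S140).

    The patent lists a certificate, administrative right and record information
    as examples; requiring all three for a legal domain is an assumption.
    """
    has_certificate: bool
    has_admin_right: bool
    on_record: bool

    def is_legal(self) -> bool:
        return self.has_certificate and self.has_admin_right and self.on_record


@dataclass(frozen=True)
class AccessRequest:
    domain: str      # domain name the user terminal is trying to reach
    headers: dict    # request header fields, possibly carrying the tag


class SecurityGateway:
    def __init__(self, specific_tag: str):
        self._tag = specific_tag
        self._domain_info = {}          # domain -> DomainInfo from the DNS server
        self._intercept_notices = set() # domains the DNS server failed to resolve

    def update_tag(self, new_tag: str) -> None:
        """S110: the authentication server pushes an updated tag to the gateway."""
        self._tag = new_tag

    def receive_domain_info(self, domain: str, info: DomainInfo) -> None:
        """S140: resolution succeeded, the DNS server sends domain name information."""
        self._domain_info[domain] = info
        self._intercept_notices.discard(domain)

    def receive_interception_notification(self, domain: str) -> None:
        """S150: resolution failed, the DNS server asks the gateway to intercept."""
        self._intercept_notices.add(domain)
        self._domain_info.pop(domain, None)

    def _has_specific_tag(self, request: AccessRequest) -> bool:
        presented = request.headers.get(TAG_HEADER, "")
        # Constant-time comparison: the tag is a shared secret between the
        # authentication server and the gateway, so do not leak it via timing.
        return hmac.compare_digest(presented.encode(), self._tag.encode())

    def verify(self, request: AccessRequest) -> Decision:
        """S160/S170/S180: decide whether a packet may pass to the system server."""
        if not self._has_specific_tag(request):
            return Decision.INTERCEPT_NO_TAG
        if request.domain in self._intercept_notices:
            return Decision.INTERCEPT_RESOLUTION_FAILED
        info = self._domain_info.get(request.domain)
        # Assumption: a domain the DNS server has not reported on is treated as
        # illegal (fail closed) rather than waiting for a resolution result.
        if info is None or not info.is_legal():
            return Decision.INTERCEPT_ILLEGAL_DOMAIN
        return Decision.ALLOW


def demo() -> dict:
    """Constructed scenario covering the four outcomes."""
    gw = SecurityGateway("vpn_gz2020")   # tag value taken from the patent's example
    gw.receive_domain_info("erp.example.internal", DomainInfo(True, True, True))
    gw.receive_domain_info("shadow.example.internal", DomainInfo(False, False, True))
    gw.receive_interception_notification("typo.exmaple.internal")

    good = {TAG_HEADER: "vpn_gz2020"}
    return {
        "legit": gw.verify(AccessRequest("erp.example.internal", good)),
        "bypassed_login": gw.verify(AccessRequest("erp.example.internal", {})),
        "bad_domain": gw.verify(AccessRequest("shadow.example.internal", good)),
        "unresolved": gw.verify(AccessRequest("typo.exmaple.internal", good)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:15s} -> {decision.value}")
```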
According to the gateway protection method provided by this embodiment, a user logs in with a user name and password, and the authentication server verifies them. Once they are verified, that is, after login succeeds, the authentication server marks a specific tag on the access request data packet sent by the user terminal and sends the tagged access request data packet to the security gateway server. Meanwhile, the domain name resolution server (DNS server) performs domain name resolution on the access request data packet, sends domain name information to the security gateway server when resolution succeeds, and sends an interception notification to the security gateway server if resolution fails. The security gateway server receives the access request data packet sent by any user terminal and verifies whether it carries the specific tag; it intercepts the data when the packet is verified to have no specific tag, when the packet has the specific tag but the user domain name is verified to be illegal according to the domain name information, or when an interception notification is received. Through the double authentication of domain name and identity tag, the internal systems of enterprises and similar organizations are protected from illegal access: only an access request data packet that carries the specific tag and has a legal domain name can pass through the gateway, that is, be forwarded by the security gateway server to the system server, so the system is accessed successfully, the reliability of gateway protection is improved and data security is ensured. The system server may be an enterprise's internal system server.
In one embodiment of the gateway protection method, the authentication server is a VPN, and the user must perform VPN login authentication at the user terminal with one or more of an account number, a password, a mobile token and device information. Raising the difficulty of VPN login authentication prevents outsiders from logging in to the VPN, so that only enterprise insiders can log in successfully, which improves data security.
In one embodiment, to ensure the security of data access, the user terminal may communicate with the authentication server through a WAF (Web Application Firewall). The WAF inspects and verifies the content of the requests sent by the user terminal to ensure that they are secure and valid, and blocks illegal requests in real time, thereby effectively protecting the websites behind it.
In one embodiment, the specific tag is a tag that includes enterprise information. In an enterprise application scenario, a leak of sensitive data such as important research results or financial records causes irreparable loss to the enterprise, so the security of enterprise data access is particularly critical. A tag related to the enterprise information is configured, for example the specific tag 'vpn_gz2020', which includes the enterprise abbreviation gz. After a user successfully logs in to the VPN, the VPN adds the specific tag to the received access request data packet and forwards the tagged packet to the security gateway server, so that the enterprise's security gateway server allows the packet through to the system server only when it verifies that the packet includes the configured specific tag and that the domain name is legal.
In one embodiment, the step of "the authentication server specifically tags the access request packet sent by the user terminal" includes:
the authentication server adds a specific tag to the request header of the access request packet. The packet is tagged by placing the specific tag, e.g. "vpn_gz2020", in its request header. As a result, an attempt to access the enterprise's internal system that does not go through login at the authentication server produces an access request data packet that carries no specific tag, and the security gateway server intercepts it when the tag verification fails; an access request data packet with an illegal domain name is of course also intercepted. This ensures that even if an attacker obtains the correct domain name, the attacker cannot pass the security gateway server on the legitimacy of the domain name alone, which improves the reliability of the gateway protection.
In one embodiment, the gateway protection method further includes:
S110: the authentication server periodically updates the contents of the specific tag. To further improve the reliability of gateway protection, the content of the specific tag is changed regularly and is not disclosed externally, so that an attacker cannot imitate a legal access request data packet. The authentication server sends each updated specific tag to the security gateway server synchronously, so that the security gateway server verifies the validity of access request data packets against the latest tag content. For example, after the VPN modifies the specific tag, it may send a packet carrying the new tag to the security gateway server.
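Tagging at the authentication server (S120) together with the periodic tag update of S110, as an added example in Python rather than the patent's code. The header name `X-VPN-Tag`, the stand-in login check, the tag format and the short grace period during which the gateway still accepts the previous tag (so packets tagged just before a rotation are not dropped) are assumptions beyond the text.

```python
"""Authentication server: tag requests after login and rotate the tag (added example)."""
import secrets
from collections import deque
from typing import Optional

# Assumed header name; the patent only says the tag is placed in the request header.
TAG_HEADER = "X-VPN-Tag"


class GatewayTagPolicy:
    """The security gateway's view of the specific tag, kept in sync by the auth server.

    Assumption beyond the patent: the previous tag stays valid for a short grace
    period after a rotation so packets tagged just before the change are not dropped.
    """

    def __init__(self, grace_seconds: float = 30.0):
        self._tags = deque(maxlen=2)      # newest first: (tag, installed_at)
        self._grace = grace_seconds

    def install(self, tag: str, now: float) -> None:
        self._tags.appendleft((tag, now))

    def accepts(self, presented: str, now: float) -> bool:
        for idx, (tag, _installed_at) in enumerate(self._tags):
            newest_installed_at = self._tags[0][1]
            if idx > 0 and now - newest_installed_at > self._grace:
                break                     # the previous tag has expired
            if secrets.compare_digest(presented.encode(), tag.encode()):
                return True
        return False


class AuthServer:
    def __init__(self, gateway: GatewayTagPolicy, rotate_every: float = 3600.0):
        self._gateway = gateway
        self._rotate_every = rotate_every
        self._sessions = {}               # session id -> user name
        self._tag = ""
        self._last_rotation = float("-inf")

    def rotate_tag(self, now: float) -> str:
        """S110: generate a fresh, undisclosed tag and push it to the gateway."""
        # Prefix modelled on the patent's 'vpn_gz2020' example; the random part is ours.
        self._tag = "vpn_gz_" + secrets.token_urlsafe(16)
        self._last_rotation = now
        self._gateway.install(self._tag, now)
        return self._tag

    def login(self, user: str, password_ok: bool, token_ok: bool) -> Optional[str]:
        """Stand-in for VPN login; the real account, password, mobile token and
        device checks are outside this example."""
        if not (password_ok and token_ok):
            return None
        session = secrets.token_urlsafe(12)
        self._sessions[session] = user
        return session

    def tag_request(self, session: Optional[str], headers: dict, now: float) -> dict:
        """S120: only a logged-in session gets the specific tag in its header."""
        if now - self._last_rotation >= self._rotate_every:
            self.rotate_tag(now)          # scheduled periodic update
        headers = dict(headers)
        headers.pop(TAG_HEADER, None)     # never forward a caller-supplied tag
        if session in self._sessions:
            headers[TAG_HEADER] = self._tag
        return headers


def demo() -> dict:
    """Constructed scenario: one login, one unauthenticated request, one rotation."""
    gateway = GatewayTagPolicy(grace_seconds=30)
    auth = AuthServer(gateway, rotate_every=3600)
    t0 = 1_700_000_000.0
    session = auth.login("alice", password_ok=True, token_ok=True)
    tagged = auth.tag_request(session, {"Host": "erp.example.internal"}, t0)
    untagged = auth.tag_request(None, {TAG_HEADER: "vpn_gz2020"}, t0)
    old_tag = tagged[TAG_HEADER]
    auth.rotate_tag(t0 + 3600)
    later = t0 + 3600 + 60
    new_tag = auth.tag_request(session, {}, later)[TAG_HEADER]
    return {
        "tag_accepted_before_rotation": gateway.accepts(old_tag, t0 + 1),
        "unauthenticated_gets_tag": TAG_HEADER in untagged,
        "old_tag_within_grace": gateway.accepts(old_tag, t0 + 3600 + 10),
        "old_tag_after_grace": gateway.accepts(old_tag, later),
        "new_tag_accepted": gateway.accepts(new_tag, later),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:30s} {value}")
```

Because the tag is a shared secret carried in every request header, it should travel only inside the encrypted VPN tunnel, and the rotation bounds how long any one tag value remains valid.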
In one embodiment, as shown in fig. 2 and fig. 3, the gateway protection method further includes:
s180: and when the security gateway server verifies that the access request data packet has the specific label and verifies that the domain name of the user is legal according to the domain name information, the security gateway server allows the user terminal sending the access request data packet to access.
The security gateway server receives access request data packets sent by users of different terminals such as a mobile terminal and a computer terminal, and obtains domain name information from the domain name resolution server. Among the users, a legal user initiates an access request through the authentication server, after the user successfully logs in (after the user passes the login verification of the authentication server), the authentication server marks a specific label on an access request data packet received by the user, namely, the data packet sent to the security gateway server by the authentication server is the labeled access request data packet, and an illegal user bypasses the login of the authentication server, so the access request data packet sent by the illegal user is an illegal untagged data packet. In the access process, the domain name resolution server resolves the domain name accessed by the user, returns the domain name information to the security gateway server, and meanwhile, an access request data packet passes through the security gateway server. And the security gateway server is responsible for intercepting the illegal access request according to the double verification result of the validity of the specific label and the domain name in the access request data packet.
Specifically, the security gateway server determines whether the specific tag (for example, a tag specific to the enterprise being accessed) exists in the access request data packet and marks any packet without the specific tag as an illegal packet, which it intercepts. If the request header of the data packet is verified to contain the specific tag (for example, an enterprise tag such as "vpn_gz2020"), the domain name resolution server performs domain name resolution; if the domain name cannot be resolved, the domain name access is determined to be invalid, and the domain name resolution server marks the packet as illegal and notifies the security gateway server to intercept it. Only an access request data packet that contains the specific tag and carries a legal domain name can pass through the security gateway server and reach the internal system of the enterprise. This double verification improves the reliability of gateway protection.
To better explain the implementation of the gateway protection method provided by the present application, the VPN 103 is now taken as an example of the authentication server, as shown in fig. 4; the example does not limit the actual protection scope of the present application. A legal user performs login authentication with the VPN 103 at the user terminal 102, specifically communicating with the VPN 103 through the WAF 110. After the VPN 103 verifies the user, it allocates an IP to the user, and the user terminal 102 initiates an access using that IP. The VPN 103 marks the access request data packet with the specific tag and sends it to the security gateway server 104; a firewall 120 is arranged between the security gateway server 104 and the VPN 103 to prevent malicious intrusion and the propagation of malicious code. The security gateway server 104 receives access from any terminal in the area, which may include access by unauthorized users, for example an unauthorized user who controls a server in the same area and attempts to reach the system server 105 (e.g., an intra-enterprise system) through the gateway server. To avoid the information security problems caused by such illegal access, the security gateway server 104 performs the double verification of the specific tag and the domain name (the domain name is verified according to the domain name information fed back by the domain name resolution server 106). Only if the access request data packet includes the specific tag marked by the VPN 103 and the domain name accessed by the user is legal (for example, the domain name is on record and the user has the corresponding authority) is the access allowed to pass through the gateway to the system server 105 for internal data access.
Accesses by illegal users are intercepted by the verification of the specific tag, since their access request data packets were not tagged by the VPN 103. Accesses whose domain name cannot be resolved or is illegal are intercepted by the security gateway server 104 for data security. With this gateway protection method, even an illegal user who obtains the correct domain name cannot pass through the security gateway server 104, so the reliability of gateway protection is greatly improved.
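The double verification described above, together with the periodic tag update of s110, as an added example (not code from the patent): a small model in which the authentication server tags packets and rotates the tag, the domain name resolution server returns domain name information or an interception notification, and the security gateway applies both checks. The header name X-Enterprise-Tag, the class names, the user and the domains are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TAG_HEADER = "X-Enterprise-Tag"  # assumed header name; the text only says "request header"


@dataclass
class AccessRequest:
    domain: str
    headers: Dict[str, str] = field(default_factory=dict)


class DomainNameResolver:
    """Stand-in for the domain name resolution server.
    Constructed table: domain -> legal flag; unknown domains fail to resolve."""

    def __init__(self, table: Dict[str, bool]):
        self.table = table

    def resolve(self, domain: str) -> Tuple[str, Optional[dict]]:
        # "ok" carries the domain name information fed back to the gateway;
        # "fail" stands for the interception notification sent on failure.
        if domain not in self.table:
            return "fail", None
        return "ok", {"domain": domain, "legal": self.table[domain]}


class SecurityGateway:
    def __init__(self, resolver: DomainNameResolver):
        self.resolver = resolver
        self.current_tag: Optional[str] = None  # synced from the authentication server

    def sync_tag(self, tag: str) -> None:
        self.current_tag = tag

    def handle(self, req: AccessRequest) -> str:
        """Return "ALLOW" or "INTERCEPT:<reason>" for one access request packet."""
        tag = req.headers.get(TAG_HEADER)
        # First verification: the specific tag must be present and match the latest content.
        if tag is None or self.current_tag is None or not hmac.compare_digest(tag, self.current_tag):
            return "INTERCEPT:no-specific-tag"
        # Second verification: the domain must resolve and be legal.
        status, info = self.resolver.resolve(req.domain)
        if status == "fail":
            return "INTERCEPT:interception-notification"
        if not info["legal"]:
            return "INTERCEPT:illegal-domain"
        return "ALLOW"


class AuthenticationServer:
    """Stand-in for the VPN: verifies logins, tags packets, rotates the tag."""

    def __init__(self, gateway: SecurityGateway, users: Dict[str, str]):
        self.gateway = gateway
        self.users = users  # constructed: username -> password
        self.tag = "vpn_gz2020"  # the example tag quoted in the text
        self.gateway.sync_tag(self.tag)

    def login(self, user: str, password: str) -> bool:
        return hmac.compare_digest(self.users.get(user, ""), password)

    def forward(self, req: AccessRequest) -> str:
        # Called only for a logged-in user: add the tag, send the packet to the gateway.
        req.headers[TAG_HEADER] = self.tag
        return self.gateway.handle(req)

    def update_tag(self) -> str:
        # s110 / s420: new undisclosed tag content, synced to the gateway.
        self.tag = "vpn_" + secrets.token_hex(8)
        self.gateway.sync_tag(self.tag)
        return self.tag


def run_scenario() -> Dict[str, str]:
    """Constructed scenario covering each branch of the gateway decision."""
    resolver = DomainNameResolver({"erp.corp.example": True, "old.corp.example": False})
    gateway = SecurityGateway(resolver)
    vpn = AuthenticationServer(gateway, {"alice": "correct horse"})
    results: Dict[str, str] = {}

    # Legal user: logs in at the VPN, tagged packet to a legal domain.
    assert vpn.login("alice", "correct horse")
    results["legal_user"] = vpn.forward(AccessRequest("erp.corp.example"))
    # Illegal user bypasses the VPN but knows the correct domain: no tag.
    results["bypass_vpn"] = gateway.handle(AccessRequest("erp.corp.example"))
    # Tagged packet to a domain the resolver reports as illegal.
    results["illegal_domain"] = vpn.forward(AccessRequest("old.corp.example"))
    # Tagged packet to a domain that cannot be resolved: interception notification.
    results["unresolved"] = vpn.forward(AccessRequest("nope.corp.example"))
    # A tag leaked before a periodic update no longer passes after the update.
    stale = vpn.tag
    vpn.update_tag()
    results["stale_tag"] = gateway.handle(AccessRequest("erp.corp.example", {TAG_HEADER: stale}))
    results["after_update"] = vpn.forward(AccessRequest("erp.corp.example"))
    return results
```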
On the other hand, an embodiment of the present application further provides a gateway protection method, which is applied to a system formed by an authentication server and a security gateway server, and as shown in fig. 5, the method includes:
s220: the authentication server marks a specific tag on an access request data packet sent by the user terminal and sends the tagged access request data packet to the security gateway server;
s230: the security gateway server receives an access request data packet sent by any user terminal and verifies whether the access request data packet has a specific tag or not;
s240: the security gateway server intercepts data when verifying that the access request data packet has no specific tag; when the access request data packet is verified to have a specific label and the domain name of the user is verified to be illegal according to the domain name information, intercepting data; when receiving the interception notification, carrying out data interception;
the domain name information is information fed back after the domain name resolution server performs domain name resolution on the access request data packet, and the interception notification is information sent by the domain name resolution server when the resolution fails.
The definitions of the terms such as specific labels are the same as those in the above embodiments, and are not described herein. The gateway protection method improves programs of an authentication server and a security gateway server, and the authentication server marks specific labels on access request data packets sent by a user terminal so as to distinguish the access request data packets from request data packets sent by illegal access users, thereby providing important data basis for the security gateway server to carry out validity verification. The security gateway server only allows the access request data packet which comprises a specific label and is legal in domain name verification to access the internal system through the gateway. The security gateway server intercepts all the request data packets which fail to resolve the domain name, have no specific label and have the specific label but illegal domain name. The gateway protection method can intercept illegal access of an attacker under the condition of acquiring the correct domain name, and improves protection reliability and data security.
It should be noted that, when the gateway protection method is applied to a system formed by an authentication server and a security gateway server, the authentication server can also perform other steps in the above-described gateway protection method embodiment, and achieve corresponding beneficial effects, which are not described herein again.
In addition, an embodiment of the present application further provides a gateway protection method, as shown in fig. 6, which is applied to a security gateway server, and the gateway protection method includes:
s310: receiving an access request data packet sent by any user terminal, and verifying whether the access request data packet has the specific tag; the specific tag is marked by the authentication server on the access request data packet sent by the user terminal after the user terminal successfully passes the login verification of the authentication server;
s320: if the specific label does not exist in the access request data packet, intercepting the data; or if the specific label exists in the access request data packet, but the domain name of the user is verified to be illegal according to the domain name information, data interception is carried out; the domain name information is information fed back after the domain name resolution server performs domain name resolution on the access request data packet; or if the interception notification is received, performing data interception, wherein the interception notification is information sent by the domain name resolution server when the resolution fails.
In one embodiment, the gateway protection method further includes the steps of:
s330: and if the specific label exists in the access request data packet and the domain name of the user is verified to be legal according to the domain name information, allowing the user terminal sending the access request data packet to access.
The explanations of the specific tag and the like are the same as in the above embodiments and are not repeated here. Specifically, when executed, the program stored in the security gateway server performs validity verification on the access request data packet received from any user terminal. The verification is a double verification of the specific tag and of the domain name, and only a request data packet that includes the specific tag and has a legal domain name is allowed to pass through the gateway and access the internal system. Packets in which the specific tag does not exist are intercepted. When the access request data packet is verified to have the specific tag, the validity of the domain name is further verified; if the domain name is verified to be illegal, the data packet is also intercepted, which protects the internal system from external attack and data leakage. In addition, for an access whose domain name the domain name resolution server fails to resolve, the security gateway server intercepts the access request data packet after receiving the interception notification fed back by the domain name resolution server. The gateway protection method can therefore greatly improve the reliability of gateway protection.
On the other hand, an embodiment of the present application further provides a data tagging method, as shown in fig. 7, which is applied to an authentication server, and the method includes:
s410: marking a specific tag on an access request data packet sent by a user terminal, and sending the tagged access request data packet to a security gateway server, so that the security gateway server intercepts data when it verifies that the access request data packet does not have the specific tag; or when it verifies that the access request data packet has the specific tag but the domain name of the user is illegal according to the domain name information; or when it receives the interception notification. The user terminal here refers to a user terminal that has successfully passed the login verification of the authentication server.
In the data tagging method provided by this embodiment, the steps executed by the authentication server are improved by adding a loading mechanism for the specific tag: the specific tag is marked on the access request data packet sent by a user terminal that has successfully passed the login verification of the authentication server. This gives the data security verification of the security gateway server one more dimension of verification basis, since the validity of the data access request can be judged by checking whether the data packet includes the specific tag in addition to verifying the domain name, which improves the reliability of the gateway's security protection.
In one embodiment, the data tagging method further comprises the steps of:
s420: the contents of a particular tag are updated periodically. By updating the content of a particular tag periodically, data security risks due to leakage of the tag content can be further avoided. After a particular tag is periodically updated, a data packet including the contents of the particular tag may be sent to the security gateway server. The authentication server executing the data tagging method may also execute other steps in the gateway protection method, and achieve corresponding beneficial effects, which are not described herein again.
It should be understood that although the various steps in the flow charts of fig. 2-7 are shown in the order indicated by the arrows, the steps are not necessarily performed in that order. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and may be performed in other orders. Moreover, at least some of the steps in fig. 2-7 may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed in sequence but may be performed in turn or alternately with other steps or with at least some of the sub-steps of other steps.
In one embodiment, the present application further provides a gateway defense system, including:
the user terminal is used for sending an access request data packet;
the authentication server is used for marking a specific label on the access request data packet sent by the user terminal and sending the labeled access request data packet to the security gateway server;
the domain name resolution server is used for performing domain name resolution on the access request data packet and sending domain name information to the security gateway server when the resolution succeeds; and for sending an interception notification to the security gateway server when the resolution fails;
the security gateway server is used for receiving an access request data packet sent by any user terminal and verifying whether the access request data packet has the specific label or not; and is used for intercepting data when verifying that the access request data packet does not have the specific label; or when the access request data packet is verified to have the specific label and the domain name of the user is verified to be illegal according to the domain name information, intercepting data; or when the interception notification is received, carrying out data interception.
The process of implementing gateway protection by the gateway protection system is described in the above embodiment of the gateway protection method, and is not described herein again.
In one embodiment, the security gateway server is further configured to allow the user terminal that sent the access request packet to access when the specific tag is verified to exist in the access request packet and the domain name of the user is verified to be legal according to the domain name information. The security gateway server may further perform other method steps in the above-described gateway protection method embodiment, which are not described herein again.
In one embodiment, the present application further provides a gateway defense system, including:
the authentication server is used for marking a specific label on the access request data packet sent by the user terminal and sending the labeled access request data packet to the security gateway server;
the security gateway server is used for receiving the access request data packet sent by any user terminal and verifying whether the access request data packet has the specific tag; and for intercepting data when verifying that the access request data packet does not have the specific tag; or when the access request data packet is verified to have the specific tag and the domain name of the user is verified to be illegal according to the domain name information; or when the interception notification is received;
the domain name information is information fed back after the domain name resolution server performs domain name resolution on the access request data packet, and the interception notification is information sent by the domain name resolution server when the resolution fails.
In one embodiment, there is provided a gateway protection apparatus applied to a security gateway server, the apparatus including:
the data packet receiving module is used for receiving an access request data packet sent by any user terminal and verifying whether the access request data packet has the specific tag; the specific tag is marked by the authentication server on the access request data packet sent by the user terminal after the user terminal successfully passes the login verification of the authentication server;
the illegal access interception execution module is used for intercepting data when the specific label does not exist in the access request data packet; or when the specific label exists in the access request data packet and the domain name of the user is verified to be illegal according to the domain name information, intercepting the data; the domain name information is information fed back after the domain name resolution server performs domain name resolution on the access request data packet; or when receiving the interception notification, performing data interception, wherein the interception notification is information sent by the domain name resolution server when the resolution fails.
For the specific definition of the gateway protection device, reference may be made to the definition of the gateway protection method above, which is not repeated here. The modules in the gateway protection device can be implemented in whole or in part by software, hardware, or a combination of the two. The modules can be embedded in hardware form in, or be independent of, a processor in the computer device, or can be stored in software form in a memory of the computer device, so that the processor can call and execute the operations corresponding to the modules.
In one embodiment, there is provided a data tagging apparatus applied to an authentication server, the apparatus including:
the system comprises a tagging execution module, a security gateway server and a data processing module, wherein the tagging execution module is used for tagging a specific tag to an access request data packet sent by a user terminal, and sending the tagged access request data packet to the security gateway server so that the security gateway server performs data interception when verifying that the specific tag does not exist in the access request data packet; or when the access request data packet is verified to have the specific label and the domain name of the user is verified to be illegal according to the domain name information, intercepting data; or when the interception notification is received, carrying out data interception.
For specific limitations of the data labeling device, reference may be made to the above limitations of the data labeling method, which is not described herein again. The modules in the data labeling device can be wholly or partially realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a security gateway server is provided, the internal structure of which may be as shown in fig. 7. The security gateway server includes a processor, a memory, and a network interface connected by a system bus. The processor of the security gateway server is configured to provide computing and control capabilities. The memory of the security gateway server comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The database of the security gateway server is used to store the specific tag data. The network interface of the security gateway server is used for communicating with an external terminal through a network connection. The computer program is executed by the processor to implement a gateway protection method.
Those skilled in the art will appreciate that the configuration shown in fig. 8 is a block diagram of only a portion of the configuration associated with the present application and does not constitute a limitation on the security gateway server to which the present application is applied, and that a particular security gateway server may include more or fewer components than shown, or combine certain components, or have a different arrangement of components.
In one embodiment, there is provided a security gateway server comprising a memory and a processor, the memory having a computer program stored therein, the processor when executing the computer program implementing the steps of:
receiving an access request data packet sent by any user terminal, and verifying whether the access request data packet has the specific tag; the specific tag is marked by the authentication server on the access request data packet sent by the user terminal after the user terminal successfully passes the login verification of the authentication server;
if the specific tag does not exist in the access request data packet, intercepting data; or
if the access request data packet is verified to have the specific tag, and the domain name of the user is verified to be illegal according to the domain name information, intercepting data; the domain name information is information fed back after the domain name resolution server performs domain name resolution on the access request data packet; or
if the interception notification is received, intercepting data, wherein the interception notification is information sent by the domain name resolution server when the resolution fails.
In one embodiment, the processor, when executing the computer program, may further perform the steps of:
if the specific tag exists in the access request data packet and the domain name of the user is verified to be legal according to the domain name information, allowing the user terminal that sent the access request data packet to access.
In one embodiment, an authentication server is provided, and the internal structure of the authentication server may be as shown in fig. 8. The authentication server includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the authentication server is configured to provide computing and control capabilities. The memory of the authentication server includes a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the authentication server is used to store specific tag data. The network interface of the authentication server is used for communicating with an external terminal through network connection. The computer program is executed by a processor to implement a data tagging method.
It will be appreciated by those skilled in the art that the configuration shown in fig. 9 is a block diagram of only a portion of the configuration associated with the present application and does not constitute a limitation on the authentication server to which the present application is applied, and a particular security gateway server may include more or fewer components than shown, or combine certain components, or have a different arrangement of components.
In one embodiment, the processor, when executing the computer program, performs the steps of:
marking a specific label on an access request data packet sent by a user terminal, and sending the access request data packet subjected to labeling to a security gateway server, so that the security gateway server performs data interception when verifying that the access request data packet does not have the specific label; or when the access request data packet is verified to have the specific label and the domain name of the user is verified to be illegal according to the domain name information, intercepting data; or when the interception notification is received, carrying out data interception.
In one embodiment, the processor, when executing the computer program, further performs other method steps performed by the authentication server in the above-described gateway defense method and data tagging method.
In one embodiment, a computer-readable storage medium is provided, having stored thereon a computer program that, when executed by a processor, performs the steps of the gateway protection method and/or the steps of the data tagging method performed by any of the above-described subjects, and achieves the corresponding beneficial effects.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, a database or another medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical storage, or the like. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A method for gateway protection, the method comprising:
the user terminal sends an access request data packet;
the authentication server marks a specific label on the access request data packet sent by the user terminal and sends the labeled access request data packet to the security gateway server;
the domain name resolution server carries out domain name resolution on the access request data packet;
when the domain name resolution server successfully resolves the domain name, sending domain name information to a security gateway server;
when the domain name resolution server fails in resolution, an interception notification is sent to the security gateway server;
the security gateway server receives an access request data packet sent by any user terminal and verifies whether the access request data packet has the specific tag or not;
the security gateway server intercepts data when verifying that the access request data packet does not have the specific tag; or when the access request data packet is verified to have the specific label and the domain name of the user is verified to be illegal according to the domain name information, intercepting data; or when the interception notification is received, carrying out data interception.
2. The method of claim 1, wherein the specific tag is a tag that includes business information.
3. The method of claim 2, wherein the step of "the authentication server specifically tags the access request packet sent by the user terminal" comprises:
the authentication server adds the specific tag to the request header of the access request data packet.
4. The method of claim 1, further comprising:
the authentication server updates the content of the specific tag periodically.
5. The method according to any one of claims 1-4, further comprising:
when the security gateway server verifies that the access request data packet has the specific tag and verifies that the domain name of the user is legal according to the domain name information, the security gateway server allows the user terminal that sent the access request data packet to access.
6. A method for gateway protection, the method comprising:
the authentication server marks a specific tag on an access request data packet sent by the user terminal and sends the tagged access request data packet to the security gateway server;
the security gateway server receives an access request data packet sent by any user terminal and verifies whether the access request data packet has the specific tag or not;
the security gateway server intercepts data when verifying that the access request data packet does not have the specific tag; or when the access request data packet is verified to have the specific label and the domain name of the user is verified to be illegal according to the domain name information, intercepting data; or when the interception notification is received, carrying out data interception;
the domain name information is information fed back after the domain name resolution server performs domain name resolution on the access request data packet, and the interception notification is information sent by the domain name resolution server when the resolution fails.
7. A gateway protection method is applied to a security gateway server, and comprises the following steps:
receiving an access request data packet sent by any user terminal, and verifying whether the access request data packet has a specific tag; the specific tag is marked by the authentication server on the access request data packet sent by the user terminal after the user successfully logs in to the authentication server at the user terminal;
if the specific tag does not exist in the access request data packet, intercepting data; or
if the access request data packet is verified to have the specific tag, and the domain name of the user is verified to be illegal according to the domain name information, intercepting data; the domain name information is information fed back after the domain name resolution server performs domain name resolution on the access request data packet; or
if the interception notification is received, intercepting data, wherein the interception notification is information sent by the domain name resolution server when the resolution fails.
8. The method of claim 7, further comprising the step of:
if the specific tag exists in the access request data packet and the domain name of the user is verified to be legal according to the domain name information, allowing the user terminal that sent the access request data packet to access.
9. A data tagging method is applied to an authentication server, and the method comprises the following steps:
marking a specific label on an access request data packet sent by a user terminal, and sending the access request data packet subjected to labeling to a security gateway server, so that the security gateway server performs data interception when verifying that the access request data packet does not have the specific label; or when the access request data packet is verified to have the specific label and the domain name of the user is verified to be illegal according to the domain name information, intercepting data; or when the interception notification is received, carrying out data interception.
10. The method of claim 9, further comprising the step of:
the content of the particular tag is updated periodically.
CN202110521326.9A 2021-05-13 2021-05-13 Gateway protection method and data labeling method Active CN113301028B (en)
Publications (2)

Publication Number Publication Date
CN113301028A true CN113301028A (en) 2021-08-24
CN113301028B CN113301028B (en) 2023-04-14

Family

ID=77321919

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110521326.9A Active CN113301028B (en) 2021-05-13 2021-05-13 Gateway protection method and data labeling method

Country Status (1)

Country Link
CN (1) CN113301028B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101741817A (en) * 2008-11-21 2010-06-16 中国移动通信集团安徽有限公司 System, device and method for multi-network integration
CN107277025A (en) * 2017-06-28 2017-10-20 维沃移动通信有限公司 A kind of Secure Network Assecc method, mobile terminal and computer-readable recording medium
US20180103008A1 (en) * 2016-10-11 2018-04-12 Canadian Internet Registration Authority Registry domain name management
WO2019157333A1 (en) * 2018-02-08 2019-08-15 Nussbaum Jared Peeirs:passive evaluation of endpoint identity and risk as a surrogate authentication factor
CN112039909A (en) * 2020-09-03 2020-12-04 平安科技(深圳)有限公司 Authentication method, device, equipment and storage medium based on unified gateway

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114157503A (en) * 2021-12-08 2022-03-08 北京天融信网络安全技术有限公司 Access request authentication method and device, API gateway equipment and storage medium
CN117411733A (en) * 2023-12-15 2024-01-16 北京从云科技有限公司 Intranet access protection system based on user identity
CN117411733B (en) * 2023-12-15 2024-03-01 北京从云科技有限公司 Intranet access protection system based on user identity

Also Published As

Publication number Publication date
CN113301028B (en) 2023-04-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant