CN113890767B - Network access method, device, equipment and storage medium - Google Patents

Info

Publication number
CN113890767B
CN113890767B (application CN202111337144.2A)
Authority
CN
China
Prior art keywords
software defined
network
wide area
access
defined network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111337144.2A
Other languages
Chinese (zh)
Other versions
CN113890767A (en)
Inventor
王宏鼎
李长连
蔺旋
王娜
刘果
余思阳
曹京卫
杨飞
杨丽丽
李彤
戚大强
陈征
张彬
寇东梅
徐人勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
China Information Technology Designing and Consulting Institute Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
China Information Technology Designing and Consulting Institute Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd and China Information Technology Designing and Consulting Institute Co Ltd
Priority to CN202111337144.2A
Publication of CN113890767A
Application granted
Publication of CN113890767B
Legal status: Active

Classifications

    • H04L63/083: Network architectures or network communication protocols for network security, for authentication of entities using passwords (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication)
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L63/0876: Network architectures or network communication protocols for network security, for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04W12/08: Access security (H04W: Wireless communication networks; H04W12: Security arrangements; Authentication; Protecting privacy or anonymity)
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate (Y02D: Climate change mitigation technologies in information and communication technologies [ICT])

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Power Engineering
  • Data Exchanges In Wide-Area Networks

Abstract

The application provides a network access method, device, equipment and storage medium. The method receives an authentication result and user information sent by a wide area software defined network controller; establishes a public network encryption tunnel with the wide area software defined network client according to the authentication result and the user information, modifies the firewall, and establishes a connection with the wide area software defined network client over the public network encryption tunnel; determines the access control authority of the wide area software defined network client according to the firewall; and, if the access control authority of the wide area software defined network client is in-authority access, controls the wide area software defined network client to access the wide area software defined network through the public network encryption tunnel. In this way one-point access to the whole network is realized, devices such as gateways need not be deployed at each resource node, network access cost is reduced, no VPN private network needs to be built, access speed is improved, and security is also improved.

Description

Network access method, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a network access method, device, equipment, and storage medium.
Background
Wide area software defined network (SD-WAN) is a service that applies software defined network (Software Defined Network, SDN) technology to wide area network scenarios, connecting enterprise networks, data centers, Internet applications and cloud services over a wide geographic range. Application scenarios of SD-WAN in enterprise networking include headquarters-branch and headquarters-branch-hybrid cloud, among others; SD-WAN provides a flexible, convenient, safe and reliable enterprise wide area networking mode, but a client can only access the SD-WAN network from within the enterprise and cannot achieve mobile access from other locations.
At present, to realize remote mobile access to the enterprise network, an SD-WAN network is set up between the enterprise branches and headquarters, and a separate set of virtual private networks (Virtual Private Network, VPN) is set up for mobile office independently of the SD-WAN. The VPN is independent of the SD-WAN network, VPN services are deployed separately at the different resource nodes, and multiple VPN networks are built.
However, in the prior art, remote mobile access to the enterprise network through a VPN is slow, its security is low, and the cost of building multiple VPN networks is high.
Disclosure of Invention
The application provides a network access method, device, equipment and storage medium, which solve the technical problems in the prior art of low access speed and low security when an enterprise network is accessed remotely by mobile users through a VPN, and of the high cost of building multiple VPN networks.
In a first aspect, the present application provides a network access method, including:
receiving an authentication result and user information sent by a wide area software defined network controller;
establishing a public network encryption tunnel with a wide area software defined network client according to the authentication result and the user information, modifying a firewall, and establishing connection with the wide area software defined network client according to the public network encryption tunnel;
determining access control authority of the wide area software defined network client according to the firewall;
and if the access control authority of the wide area software defined network client is in-authority access, controlling the wide area software defined network client to access the wide area software defined network through the public network encryption tunnel.
Here, in the embodiment of the present application an SDP gateway is deployed in the SD-WAN network. The SDP gateway establishes a public network encryption tunnel with the client of a mobile access user according to the SDP controller's authentication result for the SDP client and the user information sent by the SDP client, modifies the firewall policy, establishes the connection, and determines the access control permission of the SDP client's user according to the firewall. The SDP mobile access mode thus provides strong authentication of the access user's identity and performs identity-based access control and least-privilege access, so that access behaviour of the SDP client within the user's permission range can reach the SD-WAN network through the public network encryption tunnel. Whole-network access is achieved without deploying devices such as gateways at each resource node, which reduces network access cost, avoids building a VPN private network, and improves access speed and security.
Optionally, the controlling the wide area software defined network client to access the wide area software defined network through the public network encrypted tunnel includes:
controlling the user flow of the wide area software defined network client to pass through the public network encryption tunnel, and dividing a virtual local area network and isolating data at a convergence gateway;
and the user traffic subjected to virtual local area network division and data isolation enters a wide area software defined network through an access router.
Here, in the embodiment of the present application, after passing through the SDP gateway the user traffic passes through the convergence gateway, where virtual local area network (Virtual Local Area Network, VLAN) division and data isolation are performed; the traffic then enters the SD-WAN network of the client to which it belongs through the access router, so that every node resource of the client's SD-WAN can be reached. Mobile access to the SD-WAN is thereby completed and one-point access to the whole network is realized.
Optionally, after the determining, according to the firewall, the access control authority of the wide area software defined network client, the method further includes:
and if the access control authority of the wide area software defined network client is not in-authority access, intercepting and alarming the wide area software defined network client.
Here, the application can intercept and raise an alarm for clients whose access is not within their authority, or for access behaviour such as unauthorized access and malicious operation, so that the security of the SD-WAN network is further ensured.
In a second aspect, an embodiment of the present application provides a network access method, including:
receiving an access request sent by a wide area software defined network client, wherein the access request carries user information;
performing identity authentication according to the user information;
sending the authentication result and the user information to a software defined border gateway corresponding to a user in a network service providing point, so that the software defined border gateway establishes a public network encryption tunnel with a wide area software defined network client according to the authentication result and the user information, modifies a firewall, and establishes connection with the wide area software defined network client according to the public network encryption tunnel; determining access control authority of the wide area software defined network client according to the firewall; and if the access control authority of the wide area software defined network client is in-authority access, controlling the wide area software defined network client to access the wide area software defined network through the public network encryption tunnel.
In this embodiment of the present application a mobile access POP node is newly added to the SD-WAN network, and an SDP gateway is deployed in the POP node. After the SDP controller performs identity authentication on the SDP client, the authentication result and user information are sent to the SDP gateway corresponding to the user in the mobile access POP node, so that mobile network access is performed through the SDP gateway. Combined with the SD-WAN, only a single access POP node needs to be deployed for the user's multi-branch resources to be reachable, which reduces the cost of network access and further improves the security and speed of network access.
In a third aspect, an embodiment of the present application provides a network access method, including:
sending an access request to a wide area software defined network controller, wherein the access request carries the user information, so that the wide area software defined network controller performs identity authentication according to the user information and transmits the authentication result and the user information to a software defined border gateway corresponding to the user in a network service providing point;
establishing a connection with the software defined border gateway over a public network encryption tunnel, wherein the public network encryption tunnel is established by the software defined border gateway according to the authentication result and the user information;
and accessing the wide area software defined network through the public network encryption tunnel under the control of the software defined border gateway.
When a user accesses the network in a mobile office scenario through the SDP client, network access is performed through the SDP gateway deployed inside the newly added mobile access POP node of the SD-WAN network. The user can use the client to reach all SD-WAN node resources within their authority by one-point access over the Internet, the availability and security of SD-WAN mobile access are ensured, and the cost of mobile access is reduced.
In a fourth aspect, embodiments of the present application provide a network access system, including a wide area software defined network client, a wide area software defined network controller, and a software defined border gateway;
the wide area software defined network client sends an access request to a wide area software defined network controller, wherein the access request carries user information;
the wide area software defined network controller receives an access request sent by a wide area software defined network client, wherein the access request carries user information;
the wide area software defined network controller performs identity authentication according to the user information;
the wide area software defined network controller sends the authentication result and the user information to a software defined border gateway corresponding to a user in a network service providing point;
the software defined border gateway receives an authentication result and user information sent by a wide area software defined network controller;
the software defined border gateway establishes a public network encryption tunnel with a wide area software defined network client according to the authentication result and the user information, modifies a firewall, and establishes connection with the wide area software defined network client according to the public network encryption tunnel;
the software defined border gateway determines the access control authority of the wide area software defined network client according to the firewall;
and if the access control authority of the wide area software defined network client is in-authority access, the software defined border gateway controls the wide area software defined network client to access the wide area software defined network through the public network encrypted tunnel.
In a fifth aspect, an embodiment of the present application provides a network access device, including:
the first receiving module is used for receiving the authentication result and the user information sent by the wide area software defined network controller;
the first establishing module is used for establishing a public network encryption tunnel with the wide area software defined network client according to the authentication result and the user information, modifying a firewall and establishing connection with the wide area software defined network client according to the public network encryption tunnel;
the determining module is used for determining the access control authority of the wide area software defined network client according to the firewall;
and the control module is used for controlling the wide area software defined network client to access the wide area software defined network through the public network encryption tunnel if the access control authority of the wide area software defined network client is access in authority.
Optionally, the control module is specifically configured to:
controlling the user flow of the wide area software defined network client to pass through the public network encryption tunnel, and dividing a virtual local area network and isolating data at a convergence gateway;
and the user traffic subjected to virtual local area network division and data isolation enters a wide area software defined network through an access router.
Optionally, after the determining module determines the access control authority of the wide area software defined network client according to the firewall, the apparatus further includes:
and the interception module is used for intercepting and alarming the wide area software defined network client if the access control authority of the wide area software defined network client is not access in the authority.
In a sixth aspect, an embodiment of the present application provides a network access device, including:
the second receiving module is used for receiving an access request sent by the wide area software defined network client, wherein the access request carries user information;
the authentication module is used for carrying out identity authentication according to the user information;
the first sending module is used for sending the authentication result and the user information to a software defined border gateway corresponding to a user in a network service providing point, so that the software defined border gateway establishes a public network encryption tunnel with a wide area software defined network client according to the authentication result and the user information, modifies a firewall, and establishes connection with the wide area software defined network client according to the public network encryption tunnel; determining access control authority of the wide area software defined network client according to the firewall; and if the access control authority of the wide area software defined network client is in-authority access, controlling the wide area software defined network client to access the wide area software defined network through the public network encryption tunnel.
In a seventh aspect, an embodiment of the present application provides a network access device, including:
the second sending module is used for sending an access request to the wide area software defined network controller so that the wide area software defined network controller can perform identity authentication according to the user information; transmitting the authentication result and the user information to a software defined border gateway corresponding to a user in a network service providing point, wherein the access request carries the user information;
the second establishing module is used for establishing connection with the software defined border gateway according to a public network encryption tunnel, wherein the public network encryption tunnel is established by the software defined border gateway according to an authentication result and the user information;
and the access module is used for accessing the wide area software defined network through the public network encryption tunnel according to the control of the software defined border gateway.
In an eighth aspect, the present application provides a network access device, including: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executes the computer-executable instructions stored by the memory, causing the at least one processor to perform the network access method as described above in the first aspect and the various possible designs of the first aspect.
In a ninth aspect, the present application provides a computer readable storage medium, in which computer executable instructions are stored, which when executed by a processor, implement the network access method according to the first aspect and the various possible designs of the first aspect.
In a tenth aspect, the present application provides a computer program product comprising a computer program which, when executed by a processor, implements the network access method according to the first aspect and the various possible designs of the first aspect.
In an eleventh aspect, the present application provides a network access device, including: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executes the computer-executable instructions stored by the memory, causing the at least one processor to perform the network access method as described above in the second aspect and the various possible designs of the second aspect.
In a twelfth aspect, the present application provides a computer-readable storage medium, where computer-executable instructions are stored, when executed by a processor, to implement the network access method according to the above second aspect and the various possible designs of the second aspect.
In a thirteenth aspect, the present application provides a computer program product comprising a computer program which, when executed by a processor, implements the network access method according to the above second aspect and the various possible designs of the second aspect.
In a fourteenth aspect, the present application provides a network access device, including: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executes the computer-executable instructions stored by the memory, causing the at least one processor to perform the network access method as described above in the third aspect and the various possible designs of the third aspect.
In a fifteenth aspect, the present application provides a computer readable storage medium having stored therein computer executable instructions which, when executed by a processor, implement the network access method according to the third aspect and the various possible designs of the third aspect.
In a sixteenth aspect, the present application provides a computer program product comprising a computer program which, when executed by a processor, implements the network access method according to the above third aspect and the various possible designs of the third aspect.
According to the network access method, device, server and storage medium of the application, an SDP gateway is deployed in the SD-WAN network. The SDP gateway can establish a public network encryption tunnel with the client of the mobile access user according to the SDP controller's authentication result for the SDP client and the user information sent by the SDP client, modify the firewall policy, establish the connection, and judge the access control authority of the SDP client's user according to the firewall. The SDP mobile access mode provides strong authentication of the access user's identity and performs identity-based access control and least-privilege access, so that access behaviour of the SDP client within the user's authority range can reach the SD-WAN network through the public network encryption tunnel. One-point access is thereby realized, devices such as gateways need not be deployed at each resource node, network access cost is reduced, no VPN private network needs to be built, access speed is improved, and security is also improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive faculty for a person skilled in the art.
Fig. 1 is a schematic diagram of a network access system architecture according to an embodiment of the present application;
fig. 2 is a flow chart of a network access method according to an embodiment of the present application;
fig. 3 is a flow chart of another network access method according to an embodiment of the present application;
fig. 4 is a flow chart of another network access method according to an embodiment of the present application;
Fig. 5 is a flow chart of another network access method according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a network access device according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a network access device according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of another network access device according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of another network access device according to an embodiment of the present application.
Specific embodiments of the present disclosure have been shown by way of the above drawings and will be described in more detail below. These drawings and the written description are not intended to limit the scope of the disclosed concepts in any way, but rather to illustrate the disclosed concepts to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present disclosure as detailed in the accompanying claims.
The terms "first," "second," "third," and "fourth" and the like in the description and in the claims of this application and in the above-described figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The SD-WAN applies the concept of software definition to the wide area network, realizes flexible service distribution and visualized operation and maintenance, and enables enterprises to build high-quality ad hoc networks over Internet links. Application scenarios of SD-WAN in enterprise networking include headquarters-branch and headquarters-branch-hybrid cloud, among others; SD-WAN provides a flexible, convenient, safe and reliable enterprise wide area networking mode, but clients can only access the SD-WAN network from within the enterprise and cannot achieve mobile access from other locations. The software defined perimeter (Software Defined Perimeter, SDP) is a new-generation network security model based on the zero trust concept; it uses an identity-based access control mechanism to hide core network assets and facilities from direct exposure to the Internet and from external security threats. Because the security of the network transmission line must be ensured in SD-WAN access and the mobile transformation of the access equipment is complex, the current general SD-WAN solution does not support mobile access. At present, the enterprise network access mode mainly consists of setting up an SD-WAN network between the branches and headquarters of an enterprise and setting up a separate set of VPNs for mobile office independently of the SD-WAN.
However, using a VPN for intranet access by mobile users brings a series of problems: slow access speed, unreliability, no control of access authority, no guarantee of the local user's security, and so on. The introduced VPN is independent of the SD-WAN network and only loosely coupled to it; VPN services must be deployed separately at the different resource nodes and multiple VPN networks built, so the cost is high and the network is complex.
In order to solve the technical problems, the embodiments of the present application provide a network access method, device, server and storage medium, which build an enterprise wide area network by means of SD-WAN, create or select POP points as mobile access gateways in the SD-WAN network, and deploy SDP gateway clusters in the POP points, so as to realize mobile access of the SD-WAN network of the client, and realize access of all network resources in user rights in one point.
Optionally, fig. 1 is a schematic diagram of a network access system architecture according to an embodiment of the present application. As shown in fig. 1, the above architecture includes a private line bearer network 100, a network service providing point 101, a network service providing point 102, a network service providing point 103, and a mobile access network service providing point 104.
The network service providing point 101, the network service providing point 102, the network service providing point 103, and the network service providing point 104 for mobile access are all disposed on the private bearer network 100.
The network service providing point 101, the network service providing point 102, and the network service providing point 103 are connected to the enterprise headquarters, the enterprise branches, and the data center through the customer premise equipment 105, the customer premise equipment 106, and the customer premise equipment 107, respectively.
Wherein the customer premise equipment (Customer Premise Equipment, CPE) is a wireless terminal access device that receives wireless network signals.
The network service providing point 104 includes a software defined border gateway 1041, a software defined border gateway 1042 and a software defined border gateway 1043; a network service providing point may include one or more software defined border gateways, and their number may be determined according to practical situations.
Also included in the network service providing point 104 are an aggregation gateway 1045 and an access router 1046.
The architecture of fig. 1 further includes a wide area software defined network client 108 and a wide area software defined network controller 109, wherein the wide area software defined network client 108 is connectable to the wide area software defined network controller 109, the wide area software defined network client 108 is connectable to any software defined border gateway, and the wide area software defined network client 108 is connectable to that software defined border gateway through a public network encrypted tunnel established by it.
It should be understood that the architecture illustrated in the embodiments of the present application does not constitute a specific limitation on the architecture of the network access system. In other possible embodiments of the present application, the architecture may include more or fewer components than those illustrated, or some components may be combined, some components may be separated, or different component arrangements may be specifically determined according to the actual application scenario, and the present application is not limited herein. The components shown in fig. 1 may be implemented in hardware, software, or a combination of software and hardware.
In addition, the network architecture and the service scenario described in the embodiments of the present application are for more clearly describing the technical solution of the embodiments of the present application, and do not constitute a limitation on the technical solution provided in the embodiments of the present application, and as a person of ordinary skill in the art can know, with evolution of the network architecture and appearance of a new service scenario, the technical solution provided in the embodiments of the present application is also applicable to similar technical problems.
The following description of the technical solutions of the present application will take several embodiments as examples, and the same or similar concepts or processes may not be described in detail in some embodiments.
Fig. 2 is a schematic flow chart of a network access method provided in the embodiment of the present application, where the execution body of the embodiment of the present application may be any software defined border gateway, or a server of a software defined border gateway, in the embodiment shown in fig. 1, and the specific execution body may be determined according to the actual application scenario. As shown in fig. 2, the method comprises the following steps:
s201: and receiving the authentication result and the user information sent by the wide area software defined network controller.
The authentication result and the user information are obtained after the SDP controller authenticates the user information by using the SDP client to firstly submit the user information and the access request to the SDP controller through the Internet.
S202: and establishing a public network encryption tunnel with the wide area software defined network client according to the authentication result and the user information, modifying the firewall, and establishing connection with the wide area software defined network client according to the public network encryption tunnel.
Optionally, the SDP gateway establishes a public network encryption tunnel with the client of the mobile access user according to the user network information, modifies a firewall policy and establishes connection; the SDP gateway performs access control on the mobile access user according to the access policy of the user, releases the access behavior in the authority range of the user, and intercepts and alarms unauthorized access and malicious operation.
S203: and determining the access control authority of the wide area software defined network client according to the firewall.
Optionally, after determining the access control authority of the wide area software defined network client according to the firewall, the method further includes: and if the access control authority of the wide area software defined network client is not access in the authority, intercepting and alarming the wide area software defined network client.
Here, the application can intercept and alarm for clients which are not access in the authority or access behaviors such as unauthorized access and malicious operation, so that the security of the SD-WAN network is further ensured.
S204: and if the access control authority of the wide area software defined network client is in-authority access, controlling the wide area software defined network client to access the wide area software defined network through the public network encrypted tunnel.
Optionally, controlling the wide area software defined network client to access the wide area software defined network through the public network encrypted tunnel includes: controlling the user flow of the wide area software defined network client to pass through a public network encryption tunnel, and dividing and isolating the virtual local area network at the convergence gateway; and the user traffic subjected to virtual local area network division and data isolation enters a wide area software defined network through an access router.
After the SDP gateway establishes a public network encryption tunnel with the client of a mobile access user according to the user network information, the mobile access user traffic passes through the SDP gateway and then through the aggregation gateway, where VLAN division and data isolation are performed; the traffic enters the SD-WAN network of the client it belongs to through the PE (access router) and can access the resources of each node of the client's SD-WAN. This completes mobile access to the SD-WAN, realizes whole-network access (enterprise headquarters, data centers) from a single access point, and does not require equipment such as gateways to be deployed at each resource node.
Here, after passing through the SDP gateway, the user traffic in the embodiment of the present application passes through the aggregation gateway, VLAN division and data isolation are performed at the aggregation gateway, and the traffic enters the SD-WAN network of the client through the access router, so that each node resource of the client's SD-WAN can be accessed; thus mobile access to the SD-WAN is completed and whole-network access from one point is realized. Through the SDP mobile access mode the access user obtains strong identity authentication, and identity-based access control and least-privilege access can be performed.
In some possible implementations, the embodiment of the present application further provides a network access method, where the execution body may be the wide area software defined network controller 109 in fig. 1, and correspondingly, fig. 3 is a schematic flow diagram of another network access method provided in the embodiment of the present application, as shown in fig. 3, and the method includes:
s301: and receiving an access request sent by the wide area software defined network client, wherein the access request carries user information.
S302: and carrying out identity authentication according to the user information.
S303: and sending the authentication result and the user information to a software defined border gateway corresponding to the user in the network service providing point.
The authentication result and the user information are sent to a software defined border gateway corresponding to a user in a network service providing point, so that the software defined border gateway establishes a public network encryption tunnel with a wide area software defined network client according to the authentication result and the user information, modifies a firewall, and establishes connection with the wide area software defined network client according to the public network encryption tunnel; determining access control authority of the wide area software defined network client according to the firewall; and if the access control authority of the wide area software defined network client is in-authority access, controlling the wide area software defined network client to access the wide area software defined network through the public network encrypted tunnel.
In this embodiment of the present application, a mobile access POP node is newly added in the SD-WAN network, after an SDP gateway is disposed in the POP node and an SDP controller performs identity authentication on an SDP client terminal, an authentication result and user information are sent to the SDP gateway corresponding to a user in the mobile access POP node, so that the mobile network is accessed through the SDP gateway, and by combining with the SD-WAN, only a single node of the access POP needs to be deployed, so that multi-branch resources of the user can be accessed, thereby reducing the cost of network access, and further improving the security of network access and the network access speed.
In some possible implementations, the embodiment of the present application further provides a network access method, where an execution body may be the wide area software defined network client 108 in fig. 1, and correspondingly, fig. 4 is a schematic flow chart of another network access method provided in the embodiment of the present application, as shown in fig. 4, and the method includes:
s401: an access request is sent to a wide area software defined network controller.
The network controller sends an access request to enable the wide area software defined network controller to perform identity authentication according to the user information; and sending the authentication result and the user information to a software defined border gateway corresponding to the user in the network service providing point.
Wherein, the access request carries user information.
Optionally, submitting the access request using single packet authentication (Single Packet Authorization, SPA) may transmit more messages and strengthen its security.
S402: and establishing connection with the software defined border gateway according to the public network encryption tunnel.
The public network encryption tunnel is established by the software defined border gateway according to the authentication result and the user information.
S403: and accessing the wide area software defined network through the public network encryption tunnel according to the control of the software defined border gateway.
The authentication result and the user information are sent to a software defined border gateway corresponding to a user in a network service providing point, so that the software defined border gateway establishes a public network encryption tunnel with a wide area software defined network client according to the authentication result and the user information, modifies a firewall, and establishes connection with the wide area software defined network client according to the public network encryption tunnel; determining access control authority of the wide area software defined network client according to the firewall; and if the access control authority of the wide area software defined network client is in-authority access, controlling the wide area software defined network client to access the wide area software defined network through the public network encrypted tunnel.
In this embodiment of the present application, a mobile access POP node is newly added in the SD-WAN network, after an SDP gateway is disposed in the POP node and an SDP controller performs identity authentication on an SDP client terminal, an authentication result and user information are sent to the SDP gateway corresponding to a user in the mobile access POP node, so that the mobile network is accessed through the SDP gateway, and by combining with the SD-WAN, only a single node of the access POP needs to be deployed, so that multi-branch resources of the user can be accessed, thereby reducing the cost of network access, and further improving the security of network access and the network access speed.
Optionally, fig. 5 is a flow chart of yet another network access method provided in an embodiment of the present application, where an execution body of the method is a network access system, and includes a wide area software defined network client, a wide area software defined network controller, and a software defined border gateway. As shown in fig. 5, the method includes:
s501: the wide area software defined network client sends an access request to the wide area software defined network controller.
Wherein, the access request carries user information.
S502: the wide area software defined network controller receives an access request sent by a wide area software defined network client.
Wherein, the access request carries user information.
S503: and the wide area software defined network controller performs identity authentication according to the user information.
S504: the wide area software defined network controller sends the authentication result and the user information to a software defined border gateway corresponding to the user in the network service providing point.
S505: the software defined border gateway receives the authentication result and the user information sent by the wide area software defined network controller.
S506: and the software defined border gateway establishes a public network encryption tunnel with the wide area software defined network client according to the authentication result and the user information, modifies the firewall and establishes connection with the wide area software defined network client according to the public network encryption tunnel.
S507: and the software defined border gateway determines the access control authority of the wide area software defined network client according to the firewall.
S508: if the access control authority of the wide area software defined network client is in-authority access, the software defined border gateway controls the wide area software defined network client to access the wide area software defined network through the public network encryption tunnel.
Here, the closer the network service providing point, i.e., the POP point, is to the user, the lower the line signal loss and the higher the bandwidth guarantee that can be provided to the connected user. According to the network access system, an enterprise wide area network is built by means of an SD-WAN, a POP point is newly built or selected on the SD-WAN to serve as the mobile access gateway, and an SDP gateway cluster is deployed at that POP point; this realizes SD-WAN mobile access for the client, lets a single access point reach all network resources within the user's permissions, solves the mobile access problem of the SD-WAN, guarantees the availability and security of user access, realizes permission control of user access, and further reduces the security risk of mobile access.
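The exchange in S501 to S508, together with the traffic path of S204 and the paragraph that follows it, as an added example that is not part of the patent: a Python simulation in which the controller authenticates the access request, the SDP gateway verifies the result, opens the tunnel and modifies its firewall, VLAN-tags in-authority traffic toward the access router, and intercepts and alarms on everything else. The constructed user records, the shared HMAC key with which the gateway checks that a result really came from the controller, and the dictionary representation of tunnels and firewall rules are assumptions of this example.

```python
"""Simulation of the SDP controller / SDP gateway exchange (S501-S508).
Constructed data; the shared key and record formats are assumptions."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field

# Constructed sample users: credential, the VLAN the aggregation gateway assigns
# them, and the enterprise resources inside their access policy.
USERS = {
    "alice": {"secret": "alice-pass", "vlan": 110, "allowed": ["10.10.0.0/16"]},  # HQ
    "bob": {"secret": "bob-pass", "vlan": 120, "allowed": ["10.20.5.0/24"]},  # branch
}
# Assumption: controller and gateway share a key, so the gateway can verify that
# an authentication result was issued by the controller and not altered.
CONTROLLER_KEY = b"constructed-shared-key"


@dataclass
class AuthResult:
    """Authentication result plus user information sent in S504 / received in S505."""
    user: str
    ok: bool
    vlan: int
    allowed: tuple
    tag: bytes  # HMAC binding user, result and policy together

    def message(self) -> bytes:
        return f"{self.user}|{int(self.ok)}|{self.vlan}|{','.join(self.allowed)}".encode()


def controller_authenticate(access_request: dict) -> AuthResult:
    """S502-S504: the controller authenticates the user information in the request."""
    user = str(access_request.get("user", ""))
    record = USERS.get(user)
    ok = record is not None and hmac.compare_digest(
        record["secret"].encode(), str(access_request.get("secret", "")).encode())
    vlan = record["vlan"] if ok else 0
    allowed = tuple(record["allowed"]) if ok else ()
    result = AuthResult(user, ok, vlan, allowed, b"")
    result.tag = hmac.new(CONTROLLER_KEY, result.message(), hashlib.sha256).digest()
    return result


@dataclass
class SdpGateway:
    """SDP gateway inside the mobile-access POP (S505-S508)."""
    tunnels: dict = field(default_factory=dict)    # user -> {"client_ip", "vlan"}
    firewall: list = field(default_factory=list)   # (client_ip, allowed network)
    alarms: list = field(default_factory=list)

    def on_auth_result(self, result: AuthResult, client_ip: str) -> bool:
        """S505-S506: verify the result, open the tunnel and modify the firewall."""
        expected = hmac.new(CONTROLLER_KEY, result.message(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, result.tag) or not result.ok:
            self.alarms.append(f"rejected auth result for {result.user!r}")
            return False
        self.tunnels[result.user] = {"client_ip": client_ip, "vlan": result.vlan}
        # The firewall is opened only toward resources inside the user's policy.
        for net in result.allowed:
            self.firewall.append((client_ip, ipaddress.ip_network(net)))
        return True

    def forward(self, user: str, dst_ip: str):
        """S507-S508: in-authority traffic is VLAN-tagged at the aggregation gateway
        and handed to the access router; anything else is intercepted and alarmed."""
        tunnel = self.tunnels.get(user)
        dst = ipaddress.ip_address(dst_ip)
        if tunnel and any(src == tunnel["client_ip"] and dst in net
                          for src, net in self.firewall):
            return {"vlan": tunnel["vlan"], "src": tunnel["client_ip"],
                    "dst": dst_ip, "next_hop": "access-router->SD-WAN"}
        self.alarms.append(f"intercepted {user!r} -> {dst_ip}")
        return None


def mobile_access(gateway: SdpGateway, user: str, secret: str, client_ip: str, dst_ip: str):
    """Whole flow S501-S508 for one request; returns the forwarded frame or None."""
    result = controller_authenticate({"user": user, "secret": secret})  # S501-S504
    if not gateway.on_auth_result(result, client_ip):                   # S505-S506
        return None
    return gateway.forward(user, dst_ip)                                 # S507-S508


if __name__ == "__main__":
    gw = SdpGateway()
    print(mobile_access(gw, "alice", "alice-pass", "203.0.113.10", "10.10.3.4"))
    print(mobile_access(gw, "alice", "alice-pass", "203.0.113.10", "10.20.5.1"))
    print(gw.alarms)
```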
Fig. 6 is a schematic structural diagram of a network access device provided in an embodiment of the present application, and as shown in fig. 6, the device in the embodiment of the present application includes: a first receiving module 601, a first establishing module 602, a determining module 603 and a control module 604. The network access device may be the above-described software defined border gateway or a server of the software defined border gateway, or a chip or an integrated circuit implementing the functions of that server. Here, the division into the first receiving module 601, the first establishing module 602, the determining module 603, and the control module 604 is only a division of logical functions; they may be physically integrated or independent.
The first receiving module is used for receiving the authentication result and the user information sent by the wide area software defined network controller;
the first establishing module is used for establishing a public network encryption tunnel with the wide area software defined network client according to the authentication result and the user information, modifying the firewall and establishing connection with the wide area software defined network client according to the public network encryption tunnel;
the determining module is used for determining the access control authority of the wide area software defined network client according to the firewall;
and the control module is used for controlling the wide area software defined network client to access the wide area software defined network through the public network encryption tunnel if the access control authority of the wide area software defined network client is in-authority access.
Optionally, the control module is specifically configured to:
controlling the user traffic of the wide area software defined network client to pass through the public network encryption tunnel, and performing virtual local area network division and data isolation at the aggregation gateway;
and the user traffic subjected to virtual local area network division and data isolation enters a wide area software defined network through an access router.
Optionally, after the determining module determines the access control authority of the wide area software defined network client according to the firewall, the apparatus further includes:
an interception module, used for intercepting and alarming on the wide area software defined network client if the access control authority of the wide area software defined network client is not in-authority access.
Fig. 7 is a schematic structural diagram of a network access device (which may be the software defined border gateway or the server of the software defined border gateway in fig. 1) according to an embodiment of the present application. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not limiting of the implementations of the application described and/or claimed herein.
As shown in fig. 7, the network access device includes: a processor 701 and a memory 702; the components are connected to each other using different buses, and may be mounted on a common motherboard or in other manners as appropriate. The processor 701 may process instructions executed within the terminal, including instructions stored in or on the memory for displaying graphical information on an external input/output device, such as a display device coupled to an interface. In other embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories. One processor 701 is illustrated in fig. 7.
The memory 702 is used as a non-transitory computer readable storage medium and is used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules (e.g., the first receiving module 601, the first establishing module 602, the determining module 603, and the control module 604 shown in fig. 6) corresponding to a method of a network access device in an embodiment of the present application. The processor 701 executes various functional applications and data processing of the network access device by running non-transitory software programs, instructions, and modules stored in the memory 702, i.e., implements the method of the network access device in the method embodiments described above.
The network access device may further include: an input device 703 and an output device 704. The processor 701, the memory 702, the input device 703 and the output device 704 may be connected by a bus or otherwise, in fig. 7 by way of example.
The input device 703 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the network access device, such as a touch screen, a keypad, a mouse, or a plurality of mouse buttons, a trackball, a joystick, or the like. The output device 704 may be an output device such as a display device of a network access device. The display device may include, but is not limited to, a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display, and a plasma display. In some implementations, the display device may be a touch screen.
The network access device of the embodiment of the present application may be used to execute the technical solutions in the embodiments of the methods of the present application, and its implementation principle and technical effects are similar, and are not repeated here.
The embodiment of the application also provides a computer readable storage medium, wherein computer executing instructions are stored in the computer readable storage medium, and the computer executing instructions are used for realizing any one of the network access methods when being executed by a processor.
The embodiment of the application also provides a computer program product, which comprises a computer program, and the computer program is used for realizing the network access method of any one of the above steps when being executed by a processor.
Fig. 8 is a schematic structural diagram of another network access device provided in an embodiment of the present application, and as shown in fig. 8, the device in the embodiment of the present application includes: a second receiving module 801, an authentication module 802 and a first transmitting module 803. The network access device may be the wide area software defined network controller 109 described above or a server of the wide area software defined network controller 109, or a chip or integrated circuit implementing the functions of the wide area software defined network controller 109. Here, the division into the second receiving module 801, the authentication module 802, and the first transmitting module 803 is merely a division of logical functions; they may be physically integrated or independent.
The second receiving module is used for receiving an access request sent by the wide area software defined network client, wherein the access request carries user information;
the authentication module is used for carrying out identity authentication according to the user information;
the first sending module is used for sending the authentication result and the user information to the software defined border gateway corresponding to the user in the network service providing point, so that the software defined border gateway establishes a public network encryption tunnel with the wide area software defined network client according to the authentication result and the user information, modifies the firewall and establishes connection with the wide area software defined network client according to the public network encryption tunnel; determining access control authority of the wide area software defined network client according to the firewall; and if the access control authority of the wide area software defined network client is in-authority access, controlling the wide area software defined network client to access the wide area software defined network through the public network encrypted tunnel.
The embodiment of the present application further provides a schematic structural diagram of a network access device (may be the wide area software defined network controller 109 in fig. 1 or a server of the wide area software defined network controller 109). The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not limiting of the implementations of the application described and/or claimed herein.
The network access device includes: a processor and a memory; the various components are interconnected using different buses, and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executing within the terminal, including instructions stored in or on the memory for displaying graphical information on an external input/output device, such as a display device coupled to the interface. In other embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories.
The memory is used as a non-transitory computer readable storage medium, and may be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules (e.g., the second receiving module 801, the authentication module 802, and the first transmitting module 803 shown in fig. 8) corresponding to a method of a network access device in an embodiment of the present application. The processor executes various functional applications and data processing of the network access device by running the non-transitory software programs, instructions, and modules stored in the memory, i.e., implements the method of the network access device in the method embodiments described above.
The network access device may further include: input means and output means. The processor, memory, input devices, and output devices may be connected by a bus or other means.
The input device may receive entered numeric or character information and generate key signal inputs related to user settings and function control of the network access device, such as a touch screen, a keypad, a mouse, or a plurality of mouse buttons, a trackball, a joystick, or the like. The output means may be an output device such as a display device of the network access device. The display device may include, but is not limited to, a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display, and a plasma display. In some implementations, the display device may be a touch screen.
The network access device of the embodiment of the present application may be used to execute the technical solutions in the embodiments of the methods of the present application, and its implementation principle and technical effects are similar, and are not repeated here.
The embodiment of the application also provides a computer readable storage medium, wherein computer executing instructions are stored in the computer readable storage medium, and the computer executing instructions are used for realizing any one of the network access methods when being executed by a processor.
The embodiment of the application also provides a computer program product, which comprises a computer program, and the computer program is used for realizing the network access method of any one of the above steps when being executed by a processor.
Fig. 9 is a schematic structural diagram of another network access device provided in an embodiment of the present application, and as shown in fig. 9, the device in the embodiment of the present application includes: a second sending module 901, a second establishing module 902 and an accessing module 903. The network access device may be the wide area software defined network client 108 described above or a server of the wide area software defined network client 108, or a chip or integrated circuit implementing the functions of the wide area software defined network client 108. Here, the division into the second sending module 901, the second establishing module 902, and the accessing module 903 is merely a division of logical functions; they may be physically integrated or independent.
The second sending module is used for sending an access request, which carries the user information, to the wide area software defined network controller, so that the wide area software defined network controller performs identity authentication according to the user information and sends the authentication result and the user information to the software defined border gateway corresponding to the user in the network service providing point;
The second establishing module is used for establishing connection with the software defined border gateway according to the public network encryption tunnel, wherein the public network encryption tunnel is established by the software defined border gateway according to the authentication result and the user information;
and the access module is used for accessing the wide area software defined network through the public network encryption tunnel according to the control of the software defined border gateway.
The embodiment of the present application further provides a schematic structural diagram of a network access device (may be the wide area software defined network client 108 or the server of the wide area software defined network client 108 in fig. 1). The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not limiting of the implementations of the application described and/or claimed herein.
The network access device includes: a processor and a memory; the various components are interconnected using different buses, and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executing within the terminal, including instructions stored in or on the memory for displaying graphical information on an external input/output device, such as a display device coupled to the interface. In other embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories.
The memory is used as a non-transitory computer readable storage medium, and may be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules (e.g., the second sending module 901, the second establishing module 902, and the accessing module 903 shown in fig. 9) corresponding to a method of a network access device in an embodiment of the present application. The processor executes various functional applications and data processing of the network access device by running the non-transitory software programs, instructions, and modules stored in the memory, i.e., implements the method of the network access device in the method embodiments described above.
The network access device may further include: input means and output means. The processor, memory, input devices, and output devices may be connected by a bus or other means.
The input device may receive entered numeric or character information and generate key signal inputs related to user settings and function control of the network access device, such as a touch screen, a keypad, a mouse, or a plurality of mouse buttons, a trackball, a joystick, or the like. The output means may be an output device such as a display device of the network access device. The display device may include, but is not limited to, a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display, and a plasma display. In some implementations, the display device may be a touch screen.
The network access device of the embodiment of the present application may be used to execute the technical solutions in the embodiments of the methods of the present application, and its implementation principle and technical effects are similar, and are not repeated here.
The embodiment of the application also provides a computer readable storage medium, wherein computer-executable instructions are stored in the computer readable storage medium, and the computer-executable instructions are used for implementing any one of the network access methods above when executed by a processor.
The embodiment of the application also provides a computer program product, which comprises a computer program, and the computer program is used for implementing any one of the network access methods above when executed by a processor.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division of elements is merely a logical functional division, and there may be other divisions in actual implementation, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling, direct coupling, or communication connection shown or discussed between components may be an indirect coupling or communication connection via some interfaces, devices, or units, which may be in electrical, mechanical, or other form.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (10)

1. A network access method applied to a software defined border gateway, comprising:
receiving an authentication result and user information sent by a wide area software defined network controller;
establishing a public network encryption tunnel with a wide area software defined network client according to the authentication result and the user information, modifying a firewall, and establishing connection with the wide area software defined network client according to the public network encryption tunnel;
determining access control authority of the wide area software defined network client according to the firewall;
if the access control authority of the wide area software defined network client is in-authority access, controlling the user traffic of the wide area software defined network client to pass through the public network encryption tunnel, and performing virtual local area network division and data isolation at a convergence gateway; and the user traffic subjected to virtual local area network division and data isolation enters a wide area software defined network through an access router.
2. The method of claim 1, further comprising, after said determining the access control authority of said wide area software defined network client according to said firewall:
if the access control authority of the wide area software defined network client is not in-authority access, intercepting the wide area software defined network client and raising an alarm.
3. A network access method applied to a wide area software defined network controller, comprising:
receiving an access request sent by a wide area software defined network client, wherein the access request carries user information;
performing identity authentication according to the user information;
sending the authentication result and the user information to a software defined border gateway corresponding to a user in a network service providing point, so that the software defined border gateway establishes a public network encryption tunnel with the wide area software defined network client according to the authentication result and the user information, modifies a firewall, and establishes connection with the wide area software defined network client according to the public network encryption tunnel; determines access control authority of the wide area software defined network client according to the firewall; and, if the access control authority of the wide area software defined network client is in-authority access, controls the user traffic of the wide area software defined network client to pass through the public network encryption tunnel, and performs virtual local area network division and data isolation at a convergence gateway; and the user traffic subjected to virtual local area network division and data isolation enters a wide area software defined network through an access router.
4. A network access method applied to a wide area software defined network client, comprising:
sending an access request to a wide area software defined network controller so that the wide area software defined network controller performs identity authentication according to user information and transmits the authentication result and the user information to a software defined border gateway corresponding to a user in a network service providing point, wherein the access request carries the user information;
establishing connection with the software defined border gateway according to a public network encryption tunnel, wherein the public network encryption tunnel is established by the software defined border gateway according to the authentication result and the user information;
according to the control of the software defined border gateway, accessing the wide area software defined network through a public network encryption tunnel;
the control of the software defined border gateway includes:
controlling the user traffic of the wide area software defined network client to pass through the public network encryption tunnel, and performing virtual local area network division and data isolation at a convergence gateway;
and the user traffic subjected to virtual local area network division and data isolation enters a wide area software defined network through an access router.
5. A network access system, comprising a wide area software defined network client, a wide area software defined network controller and a software defined border gateway;
the wide area software defined network client sends an access request to the wide area software defined network controller, wherein the access request carries user information;
the wide area software defined network controller receives an access request sent by a wide area software defined network client, wherein the access request carries user information;
the wide area software defined network controller performs identity authentication according to the user information;
the wide area software defined network controller sends the authentication result and the user information to a software defined border gateway corresponding to a user in a network service providing point;
the software defined border gateway receives an authentication result and user information sent by a wide area software defined network controller;
the software defined border gateway establishes a public network encryption tunnel with a wide area software defined network client according to the authentication result and the user information, modifies a firewall, and establishes connection with the wide area software defined network client according to the public network encryption tunnel;
the software defined border gateway determines the access control authority of the wide area software defined network client according to the firewall;
if the access control authority of the wide area software defined network client is in-authority access, the software defined border gateway controls the user traffic of the wide area software defined network client to pass through the public network encryption tunnel, and virtual local area network division and data isolation are performed at the convergence gateway; and the user traffic subjected to virtual local area network division and data isolation enters a wide area software defined network through an access router.
6. A network access device, comprising:
the first receiving module is used for receiving the authentication result and the user information sent by the wide area software defined network controller;
the first establishing module is used for establishing a public network encryption tunnel with the wide area software defined network client according to the authentication result and the user information, modifying a firewall and establishing connection with the wide area software defined network client according to the public network encryption tunnel;
the determining module is used for determining the access control authority of the wide area software defined network client according to the firewall;
the control module is used for controlling the user traffic of the wide area software defined network client to pass through the public network encryption tunnel and carrying out virtual local area network division and data isolation at the convergence gateway if the access control authority of the wide area software defined network client is in-authority access; and the user traffic subjected to virtual local area network division and data isolation enters a wide area software defined network through an access router.
7. A network access device, comprising:
the second receiving module is used for receiving an access request sent by the wide area software defined network client, wherein the access request carries user information;
the authentication module is used for carrying out identity authentication according to the user information;
the first sending module is used for sending the authentication result and the user information to a software defined border gateway corresponding to a user in a network service providing point, so that the software defined border gateway establishes a public network encryption tunnel with the wide area software defined network client according to the authentication result and the user information, modifies a firewall, and establishes connection with the wide area software defined network client according to the public network encryption tunnel; determines access control authority of the wide area software defined network client according to the firewall; and, if the access control authority of the wide area software defined network client is in-authority access, controls the user traffic of the wide area software defined network client to pass through the public network encryption tunnel, and performs virtual local area network division and data isolation at a convergence gateway; and the user traffic subjected to virtual local area network division and data isolation enters a wide area software defined network through an access router.
8. A network access device, comprising:
the second sending module is used for sending an access request to the wide area software defined network controller so that the wide area software defined network controller can perform identity authentication according to the user information and transmit the authentication result and the user information to a software defined border gateway corresponding to a user in a network service providing point, wherein the access request carries the user information;
the second establishing module is used for establishing connection with the software defined border gateway according to a public network encryption tunnel, wherein the public network encryption tunnel is established by the software defined border gateway according to the authentication result and the user information;
the access module is used for accessing the wide area software defined network through the public network encryption tunnel according to the control of the software defined border gateway;
the control of the software defined border gateway includes:
controlling the user traffic of the wide area software defined network client to pass through the public network encryption tunnel, and performing virtual local area network division and data isolation at a convergence gateway;
and the user traffic subjected to virtual local area network division and data isolation enters a wide area software defined network through an access router.
9. A network access device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1 or 2, claim 3 or claim 4.
10. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to implement the network access method of any one of claims 1 or 2, claim 3 or claim 4.
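The end-to-end exchange in claims 1 to 5 (controller authenticates the user and forwards the result, border gateway opens a tunnel, installs a firewall allow-list and decides authority, traffic is VLAN-tagged and isolated or intercepted with an alarm) can be followed in a small simulation. The code below is an added illustration, not code from the patent or from the applicants; the class names WanSdnController, SdBorderGateway and WanSdnClient, the user store, the VLAN numbers, the destination names and the password hashing scheme are all constructed assumptions, and the public-network encrypted tunnel is stood in for by a random tunnel identifier rather than a real key exchange.

```python
"""Constructed simulation of the access flow in claims 1-5 (not the patent's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # assumption: PBKDF2-SHA256 for the constructed user store


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_user_store() -> dict:
    """Constructed identity store: username -> salted hash, VLAN and allow-list."""
    store = {}
    for name, pw, vlan, allowed in (
        ("alice", "correct horse", 101, {"erp.corp", "mail.corp"}),
        ("bob", "battery staple", 102, {"mail.corp"}),
    ):
        salt = secrets.token_bytes(16)
        store[name] = {"salt": salt, "digest": _hash_password(pw, salt),
                       "vlan": vlan, "allowed": set(allowed)}
    return store


@dataclass
class SdBorderGateway:
    """Software-defined border gateway (claims 1-2): tunnel, firewall, authority check."""
    firewall: dict = field(default_factory=dict)  # username -> permitted destinations
    tunnels: dict = field(default_factory=dict)   # username -> tunnel identifier
    alarms: list = field(default_factory=list)

    def receive_auth_result(self, ok: bool, user_info: dict) -> dict:
        if not ok:
            return {"status": "denied"}  # no tunnel, no firewall change
        name = user_info["username"]
        # Encrypted tunnel modelled by a fresh random id (a real gateway negotiates keys here).
        self.tunnels[name] = secrets.token_hex(16)
        # "Modify the firewall": per-user allow-list, everything else denied.
        self.firewall[name] = set(user_info["allowed"])
        return {"status": "connected", "tunnel": self.tunnels[name], "vlan": user_info["vlan"]}

    def forward(self, name: str, vlan: int, dest: str, payload: bytes) -> tuple:
        """Determine access authority from the firewall and act on it."""
        if name not in self.tunnels:
            return ("no_tunnel", None)
        if dest in self.firewall.get(name, set()):
            # In-authority: ride the tunnel, VLAN-tag at the convergence gateway for
            # isolation, then enter the WAN through the access router.
            frame = {"tunnel": self.tunnels[name], "vlan": vlan, "dest": dest,
                     "payload": payload, "via": "access_router"}
            return ("forwarded", frame)
        # Out-of-authority: intercept and alarm.
        self.alarms.append(f"ALARM user={name} dest={dest} intercepted")
        return ("intercepted", None)


class WanSdnController:
    """WAN SDN controller (claim 3): authenticates, then notifies the gateway."""
    def __init__(self, users: dict, gateway: SdBorderGateway):
        self.users, self.gateway = users, gateway

    def handle_access_request(self, request: dict) -> dict:
        user = self.users.get(request["username"])
        ok = user is not None and hmac.compare_digest(
            _hash_password(request["password"], user["salt"]), user["digest"])
        user_info = {"username": request["username"],
                     "vlan": user["vlan"] if ok else None,
                     "allowed": user["allowed"] if ok else set()}
        return self.gateway.receive_auth_result(ok, user_info)


class WanSdnClient:
    """WAN SDN client (claim 4): requests access, then sends via the gateway."""
    def __init__(self, username, password, controller, gateway):
        self.username, self.password = username, password
        self.controller, self.gateway, self.session = controller, gateway, None

    def connect(self) -> dict:
        self.session = self.controller.handle_access_request(
            {"username": self.username, "password": self.password})
        return self.session

    def send(self, dest: str, payload: bytes) -> tuple:
        if not self.session or self.session["status"] != "connected":
            return ("not_connected", None)
        return self.gateway.forward(self.username, self.session["vlan"], dest, payload)


def run_demo() -> dict:
    """Three constructed clients: in-authority, out-of-authority, bad credentials."""
    gateway = SdBorderGateway()
    controller = WanSdnController(build_user_store(), gateway)
    alice = WanSdnClient("alice", "correct horse", controller, gateway)
    bob = WanSdnClient("bob", "battery staple", controller, gateway)
    mallory = WanSdnClient("alice", "wrong password", controller, gateway)
    alice.connect(); bob.connect()
    return {"alice_erp": alice.send("erp.corp", b"GET /"),
            "bob_erp": bob.send("erp.corp", b"GET /"),
            "mallory_session": mallory.connect(),
            "mallory_send": mallory.send("erp.corp", b"GET /"),
            "alarms": list(gateway.alarms)}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The point the simulation makes is the ordering the claims impose: the firewall entry exists only after a successful authentication result arrives from the controller, the authority decision is taken per destination against that entry, and a failed login leaves neither tunnel nor firewall state behind, so the later send attempt cannot reach the forwarding path at all.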
CN202111337144.2A 2021-11-12 2021-11-12 Network access method, device, equipment and storage medium Active CN113890767B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111337144.2A CN113890767B (en) 2021-11-12 2021-11-12 Network access method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113890767A (en) 2022-01-04
CN113890767B (en) 2023-07-11

Family

ID=79017393

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111337144.2A Active CN113890767B (en) 2021-11-12 2021-11-12 Network access method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113890767B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114389880A (en) * 2022-01-13 2022-04-22 中电福富信息科技有限公司 Cross-cloud-pool secure access method and system combined with zero trust thought
CN114448700B (en) * 2022-01-28 2024-06-14 杭州亿格云科技有限公司 Data access method, data access system, computer device, and storage medium
CN114679323B (en) * 2022-03-30 2023-11-24 中国联合网络通信集团有限公司 Network connection method, device, equipment and storage medium
CN115037573B (en) * 2022-05-25 2023-08-08 天翼云科技有限公司 Network interconnection method, device, equipment and storage medium
CN114900374B (en) * 2022-07-13 2022-10-14 深圳市乙辰科技股份有限公司 Intelligent remote network resource intercommunication deployment method, system and cloud platform

Citations (4)

Publication number Priority date Publication date Assignee Title
US9560015B1 (en) * 2016-04-12 2017-01-31 Cryptzone North America, Inc. Systems and methods for protecting network devices by a firewall
CN112911001A (en) * 2021-02-01 2021-06-04 紫光云技术有限公司 Cloud VPN and enterprise network automatic networking scheme
CN113141260A (en) * 2021-06-22 2021-07-20 深圳市光联世纪信息科技有限公司 Secure access method, system and equipment based on software-defined wide area network (SD-WAN)
CN113632437A (en) * 2019-03-29 2021-11-09 Abb瑞士股份有限公司 Secure remote connection in industrial internet of things

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
US8675601B2 (en) * 2010-05-17 2014-03-18 Cisco Technology, Inc. Guest access support for wired and wireless clients in distributed wireless controller system
US10785190B2 (en) * 2017-12-13 2020-09-22 Adaptiv Networks Inc. System, apparatus and method for providing a unified firewall manager
US10749876B2 (en) * 2018-08-09 2020-08-18 Cyberark Software Ltd. Adaptive and dynamic access control techniques for securely communicating devices

Non-Patent Citations (1)

Title
Trusted network access authentication method and its implementation on a VPN client; 刘小杰; 韦卫; Computer Engineering (Issue 09); full text *

Also Published As

Publication number Publication date
CN113890767A (en) 2022-01-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant