CN114374543A - Network security protection method, system, device, security switch and storage medium - Google Patents
- Publication number: CN114374543A (application CN202111566810.XA)
- Authority: CN (China)
- Prior art keywords: access terminal, security, security policy, management platform, identity
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0876: network security, authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/10: network security, controlling access to devices or network resources
- H04L63/1441: network security, countermeasures against malicious traffic
Abstract
The application relates to a network security protection method, system, device, security switch and storage medium. The method comprises the following steps: when terminal access is monitored, a first identity identifier of the access terminal is obtained from a management platform device according to the MAC address of the access terminal and used for identity authentication of the access terminal; under the condition that the access terminal is successfully authenticated, a security policy request carrying the IP address and the first identity identifier of the access terminal is sent to the management platform device, so that when the management platform device determines, according to the first identity identifier, that a security policy issued for the access terminal exists, it replaces a preset placeholder in the security policy with the IP address to obtain a target security policy and issues the target security policy to the security switch accessed by the access terminal; and the security switch executes the target security policy after receiving it. The application realizes unified formulation of security policies and improves the efficiency and effect of security protection.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a network security protection method, system, apparatus, security switch, and storage medium, which can be applied to network security access control in the field of network security.
Background
Point-to-point information exchange and communication between the internal and external networks are indispensable business requirements in an enterprise network. Existing enterprise network security work has a variety of protection requirements, and these requirements must be realized through security policies.
However, an enterprise's security policies are at present mostly on paper or scattered across different network security devices. Paper policies and scattered policies cannot provide protection in practice, and when a security threat or attack occurs there is no unified point of control through which policies can be formulated and executed uniformly and quickly, so the efficiency and effect of security emergency response are poor.
It is therefore crucial for enterprise networks to have a method and technology that formulates security policies uniformly and puts them into effect quickly.
Disclosure of Invention
In order to solve the technical problems or at least partially solve the technical problems, the present application provides a network security protection method, system, apparatus, security switch, and storage medium.
According to a first aspect of the present application, there is provided a network security protection method applied to a security switch, including:
when the terminal access is monitored, acquiring the MAC address of the access terminal;
acquiring a first identity identifier of the access terminal from management platform equipment according to the MAC address of the access terminal for identity authentication of the access terminal;
sending a security policy request to the management platform device under the condition that the access terminal is successfully authenticated, wherein the security policy request carries an IP address of the access terminal and the first identity identifier, so that when the management platform device determines that a security policy issued for the access terminal exists according to the first identity identifier, the management platform device replaces a preset placeholder in the security policy with the IP address to obtain a target security policy, and sends the target security policy to a security switch accessed by the access terminal;
after receiving the target security policy, executing the target security policy.
According to a second aspect of the present application, there is provided a network security protection system, including a management platform device, at least one security switch, and at least one access terminal; wherein,
the security switch is used for acquiring a MAC address of an access terminal when access of the terminal is detected, acquiring a first identity identifier of the access terminal from the management platform device according to the MAC address of the access terminal for identity authentication of the access terminal, sending a security policy request to the management platform device under the condition that the authentication of the access terminal is successful, wherein the security policy request carries the IP address of the access terminal and the first identity identifier, and executing a target security policy after receiving the target security policy sent by the management platform device;
the management platform device is configured to, after receiving the security policy request sent by the security switch, determine whether a security policy issued for the access terminal exists according to the first identity identifier carried in the security policy request, and when it is determined that the security policy issued for the access terminal exists, replace a placeholder preset in the security policy with the IP address to obtain the target security policy, and issue the target security policy to the security switch to which the access terminal accesses.
According to a third aspect of the present application, there is provided a network security protection device, comprising:
an acquisition module, configured to acquire the MAC address of the access terminal when it is monitored that a terminal has accessed;
the processing module is used for acquiring a first identity identifier of the access terminal from management platform equipment according to the MAC address of the access terminal and carrying out identity authentication on the access terminal;
a sending module, configured to send a security policy request to the management platform device when the access terminal is successfully authenticated, where the security policy request carries an IP address of the access terminal and the first identity identifier, so that when the management platform device determines that a security policy issued for the access terminal exists according to the first identity identifier, the management platform device replaces a placeholder preset in the security policy with the IP address to obtain a target security policy, and issues the target security policy to a security switch to which the access terminal accesses;
and the protection module is used for executing the target security policy after receiving the target security policy.
According to a fourth aspect of the present application, there is provided a security switch comprising a memory and a processor, the processor being configured to execute a computer program stored in the memory, wherein the computer program, when executed by the processor, implements the network security protection method of the first aspect.
According to a fifth aspect of the present application, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the network security protection method of the first aspect.
According to a sixth aspect of the present application, there is provided a computer program product, which, when run on a computer, causes the computer to execute the network security protection method of the first aspect.
Compared with the prior art, the technical scheme provided by the embodiment of the application has the following advantages:
when terminal access is monitored, the security switch acquires the MAC address of the access terminal, acquires a first identity identifier of the access terminal from a management platform device according to that MAC address for identity authentication of the access terminal, and, under the condition that the access terminal is successfully authenticated, sends a security policy request carrying the IP address and the first identity identifier of the access terminal to the management platform device, so that when the management platform device determines, according to the first identity identifier, that a security policy issued for the access terminal exists, it replaces a preset placeholder in the security policy with the IP address to obtain a target security policy and issues the target security policy to the security switch accessed by the access terminal, and the security switch executes the target security policy after receiving it.
By adopting this technical scheme, the management platform device formulates security policies uniformly; after the access terminal is successfully authenticated, the security switch sends the IP address and first identity identifier of the authenticated terminal to the management platform device, which formulates the security policy for that access terminal and issues it to the security switch for execution. Security policies are thus formulated uniformly and executed quickly by the security switch, so that they take effect, the efficiency and effect of security protection are remarkably improved, and the problems in the prior art that security policies cannot be formulated uniformly and are difficult to put into effect efficiently against security threats and attacks are solved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below; those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a schematic network topology diagram of a network security protection system for implementing the network security protection method according to the embodiment of the present application;
fig. 2 is a schematic flowchart of a network security protection method according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a network security protection system according to an embodiment of the present application;
fig. 4 is a schematic diagram illustrating an interaction process of a network security protection system according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a network security protection device according to an embodiment of the present application.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.
It should be understood that the various steps recited in the method embodiments of the present disclosure may be performed in a different order, and/or performed in parallel. Moreover, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.
The term "include" and variations thereof as used herein are open-ended, i.e., "including but not limited to". The term "based on" is "based, at least in part, on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments". Relevant definitions for other terms will be given in the following description. It should be noted that the terms "first", "second", and the like in the present disclosure are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence relationship of the functions performed by the devices, modules or units.
It is noted that references to "a", "an" and "the" in this disclosure are intended to be illustrative rather than limiting; those skilled in the art will recognize that "one or more" is meant unless the context clearly dictates otherwise.
To address the problem that the security policies of existing enterprise networks lack a unified point of control for uniform and rapid formulation and execution, which results in poor efficiency and effect of security emergency response, the application provides a network security protection method: a security switch acquires the MAC address of an access terminal when it monitors that a terminal has accessed, acquires a first identity identifier of the access terminal from a management platform device according to that MAC address for identity authentication of the access terminal, and, under the condition that the access terminal is successfully authenticated, sends a security policy request carrying the IP address and the first identity identifier of the access terminal to the management platform device, so that when the management platform device determines, according to the first identity identifier, that a security policy issued for the access terminal exists, it replaces the preset placeholder in the security policy with the IP address to obtain a target security policy and issues the target security policy to the security switch accessed by the access terminal, and the security switch executes the target security policy after receiving it.
By adopting this technical scheme, the management platform device formulates security policies uniformly; after the access terminal is successfully authenticated, the security switch sends the IP address and first identity identifier of the authenticated terminal to the management platform device, which formulates the security policy for that access terminal and issues it to the security switch for execution. Security policies are thus formulated uniformly and executed quickly by the security switch, so that they take effect, the efficiency and effect of security protection are remarkably improved, and the problems in the prior art that security policies cannot be formulated uniformly and are difficult to put into effect efficiently against security threats and attacks are solved.
Fig. 1 is a schematic diagram of a network topology of a network security protection system for implementing a network security protection method according to an embodiment of the present application, and as shown in fig. 1, the network security protection system includes a management platform device, a security switch (a switch with an embedded security function), and a terminal, where the management platform device is installed with management platform software, the management platform device issues a security policy to the security switch that succeeds in authentication, and the terminal is installed with authentication client software, and the security switch implements the security function and implements execution of the security policy by executing the network security protection method provided in the embodiment of the present application.
In the network topology shown in fig. 1, a security switch must first register and authenticate with the management platform software. Only a security switch that has passed registration authentication can interact with the management platform software to obtain the identity information of a terminal, complete authentication and admission of that terminal, receive the security policy issued by the management platform device for the authenticated terminal, and execute it. A security switch that has not registered successfully is an illegal, non-compliant switch: it cannot interact with the management platform software to obtain the identity information of an access terminal for terminal authentication, so terminals behind it cannot access the network, and it cannot obtain security policies from the management platform device. In this way the security switches authenticate to the management platform and unified, complete control of the network boundary is achieved. All terminals access the network through security switches, and the full set of security switches forms the enterprise's complete and unified network boundary for terminal access. A security switch authenticates and admits accessed terminals, opening network access only for terminals that pass authentication and keeping it closed otherwise, which ensures that only legal, compliant terminals can authenticate successfully and access the network for communication.
The security switch which is successfully authenticated sends the IP address and the identity of the access terminal which is successfully authenticated to the management platform device, the management platform device formulates the security policy corresponding to the access terminal and sends the security policy to the security switch which is accessed by the access terminal for execution, so that the unified formulation of the security policy is realized, the security policy can be quickly executed by the security switch, the effect of the security policy is exerted, and the efficiency and the effect of security protection can be obviously improved.
Fig. 2 is a schematic flowchart of a network security protection method according to an embodiment of the present application. The method may be executed by a network security protection device according to an embodiment of the present application, which may be implemented in software and/or hardware and may be integrated in the security switch shown in fig. 1. As shown in fig. 2, the network security protection method may include the following steps:
101, when terminal access is monitored, acquiring the MAC address of the access terminal.
In the embodiment of the application, the security switch may monitor each of its ports, and when it detects that a network cable has been inserted into a port, it determines that a terminal has accessed and then obtains the MAC (Media Access Control) address of the access terminal.
102, acquiring a first identity identifier of the access terminal from the management platform device according to the MAC address of the access terminal, for identity authentication of the access terminal.
In this embodiment of the application, after the security switch acquires the MAC address of the access terminal, it may acquire the first identity identifier of the access terminal from the management platform device according to that MAC address, and then use the first identity identifier to authenticate the identity of the access terminal.
The management platform device stores a mapping relationship between MAC addresses of different terminals and corresponding first identity identifiers, each pair of MAC address and first identity identifier in the mapping relationship may be stored when the terminal registers on management platform software in the management platform device, the first identity identifier is generated by an access terminal, and the access terminal may determine the corresponding first identity identifier according to its own MAC address, for example, using its own MAC address as its own first identity identifier.
In an optional implementation manner, the security switch sends the acquired MAC address of the access terminal to the management platform device; after receiving it, the management platform device queries its stored mapping between the MAC addresses of different terminals and the corresponding first identity identifiers, and returns the query result to the security switch. If the management platform device finds the first identity identifier corresponding to the MAC address in the mapping, it returns a query result carrying that identifier; otherwise it returns a query result indicating query failure. The security switch receives the query result: if the first identity identifier of the access terminal is obtained from it, the identifier is used to authenticate the terminal, and if the result indicates query failure, the access terminal is determined to be an illegal terminal.
In an optional implementation manner, after the security switch acquires the first identity identifier of the access terminal from the management platform device, it may encrypt a preset message according to that identifier, generate a ciphertext and send it to the access terminal; the access terminal decrypts the received ciphertext and sends the decryption result back to the security switch, which determines from the decryption result whether the access terminal is successfully authenticated. If the decrypted information sent back by the access terminal is consistent with the preset message, the access terminal is determined to be successfully authenticated.
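The admission flow of steps 101 and 102 (MAC lookup on the management platform, then the challenge-response on the preset message), written out as an added example that is not the patent's own code. The identity mapping, the registered-switch set, the preset message, the per-challenge nonce and the HMAC-based stand-in cipher are all assumptions, since the patent fixes none of them.

```python
import hashlib
import hmac
import os

# Constructed sample data: the management platform's MAC -> first identity mapping,
# populated when each terminal registered. As the page allows, a terminal may simply
# use its own MAC as its first identity identifier.
PLATFORM_IDENTITY_MAP = {
    "00:11:22:33:44:55": "00:11:22:33:44:55",   # registered, identity = MAC
    "66:77:88:99:aa:bb": "term-0002",            # registered, opaque identity
}

# Security switches that completed registration authentication with the platform
# (assumption: keyed on the switch's second identity identifier).
REGISTERED_SWITCHES = {"switch-01"}

# The preset message the switch encrypts for the challenge (constructed value).
PRESET_MESSAGE = b"SWITCH-AUTH-CHALLENGE"


def platform_query_identity(switch_id: str, mac: str) -> dict:
    """Management platform side: answer a switch's MAC -> first identity query.

    Returns {"ok": True, "identity": ...} or {"ok": False, ...} (query failure).
    An unregistered switch is refused outright, as the page requires."""
    if switch_id not in REGISTERED_SWITCHES:
        return {"ok": False, "reason": "switch not registered"}
    identity = PLATFORM_IDENTITY_MAP.get(mac.lower())
    if identity is None:
        return {"ok": False, "reason": "no identity for MAC"}
    return {"ok": True, "identity": identity}


def _keystream_xor(identity: str, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption; the patent does not name one): an HMAC-SHA256
    keystream in counter mode, keyed from the first identity, XORed over data.
    Encrypting and decrypting are the same operation."""
    key = hashlib.sha256(identity.encode()).digest()
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def switch_make_challenge(identity: str):
    """Security switch: encrypt the preset message under the looked-up identity.
    A fresh nonce per challenge (assumption) makes every ciphertext distinct."""
    nonce = os.urandom(16)
    return nonce, _keystream_xor(identity, nonce, PRESET_MESSAGE)


def terminal_answer_challenge(own_identity: str, nonce: bytes, ciphertext: bytes) -> bytes:
    """Access terminal (authentication client): decrypt with its own identity."""
    return _keystream_xor(own_identity, nonce, ciphertext)


def switch_admit_terminal(switch_id: str, mac: str, terminal_identity: str) -> str:
    """Run the admission flow end to end and return the switch's decision."""
    result = platform_query_identity(switch_id, mac)
    if not result["ok"]:
        return "illegal terminal"          # query failed: never registered
    nonce, ct = switch_make_challenge(result["identity"])
    reply = terminal_answer_challenge(terminal_identity, nonce, ct)
    if hmac.compare_digest(reply, PRESET_MESSAGE):
        return "authenticated"             # decryption matches the preset message
    return "authentication failed"
```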
103, sending a security policy request to the management platform device under the condition that the access terminal is successfully authenticated, where the security policy request carries the IP address of the access terminal and the first identity identifier, so that when the management platform device determines that a security policy issued for the access terminal exists according to the first identity identifier, the management platform device replaces a preset placeholder in the security policy with the IP address to obtain a target security policy, and sends the target security policy to a security switch to which the access terminal accesses.
The management platform device may formulate a security policy in the form of an Access Control List (ACL) to implement effective Access Control. The content of the security policy can be formulated according to the actual access control requirement, and the content contained in the security policy is not limited by the application.
In an optional embodiment, the security policy may include a placeholder, a preset source port number, a preset destination IP address, a preset destination port number, a preset transport layer protocol, and a preset action. In this embodiment, in the security policy formulated by the management platform device, the source IP address field in the ACL five-tuple information is not filled with data, but is occupied by one placeholder. And presetting corresponding data according to actual access control requirements for the data of other fields in the ACL five-tuple information. The preset action may be, for example, a denial or an allowance, and may be specifically set according to an actual access control requirement.
In the embodiment of the application, after determining that the access terminal is successfully authenticated, the security switch may allocate an IP address to the access terminal, and send a security policy request carrying the IP address and the first identity identifier of the successfully authenticated access terminal to the management platform device. After receiving a security policy request sent by a security switch, a management platform device firstly judges whether a security policy issued for a corresponding access terminal exists according to a first identity carried in the security policy request, and when determining that the security policy issued for the access terminal exists, replaces a preset placeholder in the security policy with an IP address carried in the security policy request to generate a target security policy, and then sends the generated target security policy to the security switch accessed by the access terminal.
For example, assume that terminals A, B, C, D, E and F are registered on the management platform device, and that the management platform device has established security policies for terminals A, E and F. If the security policy request received by the management platform device carries the first identity identifier of terminal E, the management platform device determines that a security policy for terminal E exists, replaces the placeholder in that policy with the IP address carried in the request, generates the target security policy for terminal E, and sends it to the security switch to which terminal E is connected.
In the embodiment of the application, the management platform device formulates the security policy for the access terminal in advance, holds the source IP address field of the security policy with the preset placeholder, and generates the target security policy by replacing the placeholder with the IP address once the terminal is authenticated, thereby realizing uniform formulation of the security policy.
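Step 103 on both sides, as an added example that is not the patent's own code: the platform keeps ACL five-tuple templates whose source IP field is a placeholder, fills it for the requesting terminal, and the switch then evaluates flows against the target policy. The placeholder token, the A/E/F policy contents, the identity names, the "permit" default for unmatched flows and the pre-substitution IP validation are assumptions; the situation mirrors the A to F example above.

```python
import ipaddress
from dataclasses import dataclass, replace

SRC_IP_PLACEHOLDER = "{SRC_IP}"   # constructed placeholder token; the patent fixes none


@dataclass(frozen=True)
class AclRule:
    """One ACL five-tuple entry plus action, i.e. one line of a security policy."""
    src_ip: str          # held by SRC_IP_PLACEHOLDER until the terminal's IP is known
    src_port: str        # "any" or a port number
    dst_ip: str          # address or CIDR
    dst_port: str        # "any" or a port number
    protocol: str        # transport layer protocol, "tcp" or "udp"
    action: str          # "deny" or "permit"


# Constructed sample: terminals A..F are registered, policies exist only for A, E, F,
# keyed by first identity identifier, as in the page's own example.
POLICIES_BY_IDENTITY = {
    "term-A": [AclRule(SRC_IP_PLACEHOLDER, "any", "10.0.5.10", "22", "tcp", "deny")],
    "term-E": [
        AclRule(SRC_IP_PLACEHOLDER, "any", "10.0.5.10", "443", "tcp", "permit"),
        AclRule(SRC_IP_PLACEHOLDER, "any", "10.0.0.0/8", "any", "tcp", "deny"),
    ],
    "term-F": [AclRule(SRC_IP_PLACEHOLDER, "any", "0.0.0.0/0", "any", "udp", "deny")],
}


def platform_handle_policy_request(identity: str, ip: str):
    """Management platform: answer a switch's security policy request.

    Returns the target policy (placeholder replaced by the terminal's IP), or None
    when no policy was issued for that terminal. The IP is parsed before
    substitution so only a well-formed address can ever enter a rule."""
    template = POLICIES_BY_IDENTITY.get(identity)
    if template is None:
        return None
    src = str(ipaddress.ip_address(ip))   # raises ValueError on a malformed IP
    return [replace(rule, src_ip=src) if rule.src_ip == SRC_IP_PLACEHOLDER else rule
            for rule in template]


def _port_match(field: str, value: str) -> bool:
    return field == "any" or field == value


def _ip_match(field: str, value: str) -> bool:
    return ipaddress.ip_address(value) in ipaddress.ip_network(field, strict=False)


def switch_evaluate(target_policy, flow: dict) -> str:
    """Security switch: first-match evaluation of the target policy over a flow.

    A policy still carrying the placeholder is refused rather than executed.
    Flows matching no rule are permitted here (assumption: default action)."""
    for rule in target_policy:
        if rule.src_ip == SRC_IP_PLACEHOLDER:
            raise ValueError("unfilled placeholder: policy must not be executed")
        if (rule.protocol == flow["proto"]
                and _ip_match(rule.src_ip, flow["src_ip"])
                and _port_match(rule.src_port, flow["src_port"])
                and _ip_match(rule.dst_ip, flow["dst_ip"])
                and _port_match(rule.dst_port, flow["dst_port"])):
            return rule.action
    return "permit"
```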
104, after receiving the target security policy, executing the target security policy.
In the embodiment of the application, after receiving the target security policy sent by the management platform device, the security switch can execute the target security policy to control the flow of the access terminal according to the target security policy, so that the security policy is quickly executed to effectively resist threats and attacks.
In the network security protection method of this embodiment, the security switch acquires the MAC address of the access terminal when it monitors that a terminal has accessed, acquires the first identity identifier of the access terminal from the management platform device according to that MAC address for authenticating the identity of the access terminal, and, under the condition that the access terminal is successfully authenticated, sends a security policy request carrying the IP address and the first identity identifier of the access terminal to the management platform device, so that when the management platform device determines, according to the first identity identifier, that a security policy issued for the access terminal exists, it replaces the preset placeholder in the security policy with the IP address to obtain the target security policy and issues the target security policy to the security switch accessed by the access terminal, and the security switch executes the target security policy after receiving it. By adopting this technical scheme, the management platform device formulates security policies uniformly; after the access terminal is successfully authenticated, the security switch sends the IP address and first identity identifier of the authenticated terminal to the management platform device, which formulates the security policy for that access terminal and issues it to the security switch for execution. Security policies are thus formulated uniformly and executed quickly by the security switch, so that they take effect and the efficiency and effect of security protection are remarkably improved.
In the embodiment of the application, the security switch registers with and is authenticated by the management platform device; only a security switch that passes authentication can interact with the management platform device. The authenticated security switches form a unified and complete network boundary for the terminal access network, and all access terminals enter the network through a security switch, which ensures network security. Therefore, in an optional implementation manner of the present application, before the security switch acquires the first identity identifier of the access terminal from the management platform device according to the MAC address of the access terminal, the method may further include:
acquiring a second identity identifier of the security switch and a third identity identifier of the management platform device;
encrypting the second identity identifier by using the third identity identifier to generate a first ciphertext;
sending the first ciphertext to the management platform device for identity authentication, so that the management platform device decrypts the second identity identifier from the first ciphertext by using a first private key, determines that the security switch is successfully authenticated when it finds the second identity identifier in its local identity database, and establishes a TCP connection with the security switch; the first private key is generated from the third identity identifier by identity public key (IPK) technology;
and determining that the TCP connection has been successfully established.
The third identity identifier uniquely identifies the management platform device; it is generated from the MAC address of the management platform device and imported into the management platform software installed on that device. The second identity identifier uniquely identifies the security switch; it is generated from the MAC address of the security switch, may be stored in the local storage space of the security switch, and is imported into the management platform software, which stores it in the local identity database of the management platform device.
In an optional implementation manner, the product serial number of the management platform device may be used as the third identity, and the product serial number of the security switch may be used as the second identity.
In an alternative embodiment, the third identity identifier may be determined from a unique physical feature of the management platform device, namely its MAC address, and the second identity identifier from the MAC address of the security switch. For example, the MAC address of the management platform device may be used directly as the third identity identifier, and the MAC address of the security switch as the second identity identifier.
In the embodiment of the application, the management platform device can send its third identity identifier to the security switch through the management platform software; the security switch receives the third identity identifier and reads its own second identity identifier from its local storage space.
After acquiring the third and second identity identifiers, the security switch uses the third identity identifier as a public key, encrypts the second identity identifier with it to generate a first ciphertext, and sends the first ciphertext to the management platform device, which authenticates the security switch according to the first ciphertext.
Specifically, when the management platform device authenticates the security switch according to the first ciphertext, it decrypts the first ciphertext with the first private key to recover the second identity identifier. The first private key is generated in advance by the management platform device: after determining the third identity identifier, the management platform device computes the first private key from the third identity identifier and the IPK matrix using identity public key (IPK) technology. After decrypting the second identity identifier, the management platform device queries its local identity database to determine whether the second identity identifier exists there. If it does, the security switch corresponding to that second identity identifier is considered registered on the management platform device, the authentication of the security switch is determined to be successful, and a TCP (Transmission Control Protocol) connection is established between the management platform device and the authenticated security switch. If the decrypted second identity identifier is not found in the local identity database, the security switch fails authentication and no TCP connection is established.
Further, once the TCP connection between the security switch and the management platform device is successfully established, the security switch can determine that its own authentication succeeded; otherwise, authentication failed. An authenticated security switch can interact with the management platform device, for example to acquire the first identity identifier of an access terminal or the target security policy issued by the management platform device.
In the embodiment of the application, the security switch registers with and is authenticated by the management platform device, and the authenticated security switches construct a unified and complete network boundary for the terminal access network of the enterprise network.
As described above, when the security switch authenticates an access terminal, it may encrypt a preset message by using the first identity identifier of the access terminal and authenticate the access terminal according to the result of decrypting the resulting ciphertext at the access terminal. Therefore, in an optional implementation manner of the present application, authentication client software is installed on the access terminal, and acquiring, from the management platform device according to the MAC address of the access terminal, the first identity identifier used to authenticate the access terminal includes:
sending an information request to the management platform device, wherein the information request includes the MAC address of the access terminal;
receiving response information returned by the management platform device based on the information request, wherein the response information includes the first identity identifier of the access terminal that the management platform device looked up according to the MAC address of the access terminal;
encrypting a preset message by using the first identity identifier to generate a second ciphertext;
sending the second ciphertext to the authentication client software, so that the authentication client software decrypts the second ciphertext with a second private key to obtain decryption information and returns the decryption information to the security switch; the second private key is generated from the first identity identifier by identity public key (IPK) technology;
and determining that the access terminal is successfully authenticated when the decryption information is determined to be consistent with the preset message.
In this embodiment of the application, after acquiring the MAC address of the access terminal, the security switch may send an information request containing that MAC address to the management platform device. On receiving the information request, the management platform device looks up, according to the MAC address carried in the request, the first identity identifier corresponding to the access terminal and sends response information containing that first identity identifier to the security switch. The management platform device stores a mapping between the MAC addresses of the various terminals and their first identity identifiers; this mapping may be established and stored when each terminal registers on the management platform device.
The security switch then receives the response information returned by the management platform device, extracts the first identity identifier of the access terminal from it, uses the first identity identifier as a public key to encrypt a preset message, and generates a second ciphertext; the preset message can be any preset random number. The security switch then sends the second ciphertext to the authentication client software of the access terminal, which decrypts the second ciphertext with a second private key to obtain decryption information and returns the decryption information to the security switch.
The second private key is generated by the access terminal. After generating its first identity identifier, the access terminal computes the second private key from the first identity identifier and the IPK matrix using identity public key (IPK) technology, so that the second private key is bound to the first identity identifier. The generated second private key is stored in the authentication client software of the access terminal.
Finally, after the security switch receives the decryption information returned by the access terminal, it compares the decryption information with the preset message, and when the two are consistent it determines that the access terminal is successfully authenticated.
The security switch uses the first identity identifier of the access terminal as a public key to encrypt the preset message into the second ciphertext, and the access terminal decrypts the second ciphertext with the second private key. Because the second private key is bound to the first identity identifier through IPK technology, only the access terminal holding the second private key can decrypt the second ciphertext correctly, and identity authentication is completed using the decryption information it returns.
Further, after the security switch determines that the access terminal is successfully authenticated, the security switch opens a network path for the successfully authenticated access terminal, so that the successfully authenticated access terminal can perform network communication.
In the embodiment of the application, all access terminals must enter the network through a security switch, and only access terminals that the security switch has successfully authenticated are allowed to communicate on the network: legitimate terminals are admitted and illegitimate terminals are refused. Unauthorized terminal access is thereby prevented and network security is maintained.
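The two challenge-response exchanges described above (the security switch registering with the management platform device, and the security switch authenticating an access terminal) share one mechanism: a party's public key is computable from its identity identifier alone, while the matching private key comes from the IPK matrix. The Python below is an added example, not code from the patent, and it does not implement the actual IPK algorithm: the identity-to-key mapping is modelled with a toy combined-public-key construction on secp256k1 (an 8x4 matrix, the identity hashed to one row per column, the selected entries summed), encryption is an ECIES-style construction without a ciphertext integrity tag, and the key generation center, the class and method names, and the sample identities and MAC addresses are all assumptions. What it shows faithfully is the flow: the switch encrypts its second identity identifier under the platform's third identity identifier and the platform checks the decrypted value against its identity database; the switch looks up a terminal's first identity identifier by MAC, encrypts a fresh random preset message under it, and accepts the terminal only if the returned decryption matches.

```python
import hashlib, hmac, secrets
from typing import Dict, List, Optional, Set, Tuple

# secp256k1 in affine coordinates (None = point at infinity); any prime-order curve would do.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798, 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]
ROWS, COLS = 8, 4  # toy matrix size (assumption); real IPK matrices are far larger

def ec_add(a: Point, b: Point) -> Point:
    if a is None or b is None:
        return a if b is None else b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k: int, pt: Point) -> Point:
    r: Point = None
    while k:  # double-and-add
        if k & 1:
            r = ec_add(r, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return r

def matrix_rows(identity: str) -> List[int]:
    # Hash the identity into one row index per column: this is the identity-to-key mapping.
    h = hashlib.sha256(identity.encode()).digest()
    return [h[j] % ROWS for j in range(COLS)]

def derive_public_key(pub_matrix: List[List[Point]], identity: str) -> Point:
    # Anyone holding the public matrix obtains a party's public key from its identity alone.
    pk: Point = None
    for j, r in enumerate(matrix_rows(identity)):
        pk = ec_add(pk, pub_matrix[r][j])
    return pk

class KeyGenerationCenter:
    """Holds the private matrix; the only party that can derive private keys (assumed role)."""
    def __init__(self) -> None:
        self._priv = [[secrets.randbelow(N - 1) + 1 for _ in range(COLS)] for _ in range(ROWS)]
        self.pub = [[ec_mul(s, G) for s in row] for row in self._priv]
    def private_key(self, identity: str) -> int:
        return sum(self._priv[r][j] for j, r in enumerate(matrix_rows(identity))) % N

def encrypt(pk: Point, msg: bytes) -> Tuple[Point, bytes]:
    # ECIES-style: ephemeral r, keystream = SHA-256(x of r*pk); msg <= 32 bytes; no integrity tag.
    r = secrets.randbelow(N - 1) + 1
    ks = hashlib.sha256(ec_mul(r, pk)[0].to_bytes(32, "big")).digest()
    return ec_mul(r, G), bytes(m ^ k for m, k in zip(msg, ks))

def decrypt(sk: int, ct: Tuple[Point, bytes]) -> bytes:
    ephemeral, body = ct
    ks = hashlib.sha256(ec_mul(sk, ephemeral)[0].to_bytes(32, "big")).digest()
    return bytes(c ^ k for c, k in zip(body, ks))

class ManagementPlatform:
    def __init__(self, kgc: KeyGenerationCenter, identity: str) -> None:
        self.identity = identity                   # third identity identifier
        self._sk = kgc.private_key(identity)       # first private key
        self.switch_db: Set[bytes] = set()         # local identity database of registered switches
        self.mac_to_identity: Dict[str, str] = {}  # terminal MAC -> first identity identifier
    def authenticate_switch(self, first_ciphertext: Tuple[Point, bytes]) -> bool:
        return decrypt(self._sk, first_ciphertext) in self.switch_db  # True: "TCP connection established"

class AccessTerminal:  # the authentication client software holds the second private key
    def __init__(self, kgc: KeyGenerationCenter, identity: str) -> None:
        self.identity, self._sk = identity, kgc.private_key(identity)
    def decrypt_challenge(self, ct: Tuple[Point, bytes]) -> bytes:
        return decrypt(self._sk, ct)

class SecuritySwitch:
    def __init__(self, pub_matrix: List[List[Point]], identity: str) -> None:
        self.pub, self.identity = pub_matrix, identity  # second identity identifier
    def register(self, platform: ManagementPlatform) -> bool:
        pk = derive_public_key(self.pub, platform.identity)  # third identity used as the public key
        return platform.authenticate_switch(encrypt(pk, self.identity.encode()))
    def authenticate_terminal(self, platform: ManagementPlatform, mac: str, terminal: AccessTerminal) -> bool:
        first_identity = platform.mac_to_identity.get(mac)  # information request / response
        if first_identity is None:
            return False  # MAC never registered on the platform
        nonce = secrets.token_bytes(16)  # the "preset message": fresh random per attempt (design choice)
        reply = terminal.decrypt_challenge(encrypt(derive_public_key(self.pub, first_identity), nonce))
        return hmac.compare_digest(reply, nonce)

def demo() -> Tuple[bool, bool, bool, bool]:
    kgc = KeyGenerationCenter()
    platform = ManagementPlatform(kgc, "MGMT-00:11:22:33:44:55")  # constructed identities
    switch = SecuritySwitch(kgc.pub, "SW-66:77:88:99:aa:bb")
    platform.switch_db.add(switch.identity.encode())
    terminal = AccessTerminal(kgc, "TERM-aa:bb:cc:dd:ee:01")
    platform.mac_to_identity["aa:bb:cc:dd:ee:01"] = terminal.identity
    rogue = AccessTerminal(kgc, "TERM-rogue")  # knows the MAC but lacks the key bound to that identity
    return (switch.register(platform), SecuritySwitch(kgc.pub, "SW-unknown").register(platform),
            switch.authenticate_terminal(platform, "aa:bb:cc:dd:ee:01", terminal),
            switch.authenticate_terminal(platform, "aa:bb:cc:dd:ee:01", rogue))
```

Two details are deliberate: the preset message is a fresh random nonce per attempt (the patent allows any preset random number; per-attempt freshness is the example's choice), so a captured reply cannot be replayed later, and the comparison uses `hmac.compare_digest`. The rogue terminal in `demo()` presents the legitimate MAC and therefore receives the same kind of challenge, but without the private key bound to that first identity identifier its decryption is random and authentication fails; likewise a switch whose second identity identifier is absent from the database is refused even though it encrypts correctly.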
Corresponding to the method embodiment, the embodiment of the application also provides a network security protection system.
Fig. 3 is a schematic structural diagram of a network security protection system according to an embodiment of the present application, and as shown in fig. 3, the network security protection system 30 includes: management platform device 301, at least one security switch 302, and at least one access terminal 303. It should be noted that, the network security protection system provided in the embodiment of the present application includes at least one security switch, each security switch may access at least one access terminal, and fig. 3 illustrates the present application by taking only one security switch and one access terminal as an example, and should not be taken as a limitation to the present application.
The security switch 302 is configured to: when it detects that a terminal has accessed, acquire the MAC address of the access terminal 303; acquire, from the management platform device 301 and according to that MAC address, a first identity identifier of the access terminal 303 used to authenticate the access terminal; when the access terminal 303 is successfully authenticated, send a security policy request carrying the IP address and the first identity identifier of the access terminal 303 to the management platform device 301; and, after receiving a target security policy sent by the management platform device 301, execute the target security policy;
the management platform device 301 is configured to, after receiving the security policy request sent by the security switch 302, determine whether a security policy issued for the access terminal 303 exists according to the first identity identifier carried in the security policy request, and when determining that the security policy issued for the access terminal 303 exists, replace a placeholder preset in the security policy with the IP address to obtain the target security policy, and issue the target security policy to the security switch accessed by the access terminal 303.
In an optional implementation, the management platform device 301 is further configured to formulate the security policy in the form of an access control list, where the security policy includes the placeholder, the preset source port number, the preset destination IP address, the preset destination port number, the preset transport layer protocol, and the preset action.
In an optional implementation manner of the present application, the security switch 302 is further configured to obtain a second identity of the security switch and a third identity of the management platform device 301, encrypt the second identity by using the third identity, generate a first ciphertext, and send the first ciphertext to the management platform device 301 for identity authentication;
the management platform device 301 is further configured to send its third identity identifier to the security switch 302, receive the first ciphertext sent by the security switch 302, decrypt the second identity identifier from the first ciphertext by using the first private key, determine that the security switch 302 is successfully authenticated when it finds the second identity identifier in the local identity database, and establish a TCP connection with the security switch 302; the first private key is generated from the third identity identifier by identity public key (IPK) technology.
In an optional embodiment, the access terminal 303 has authentication client software installed therein;
the management platform device 301 is further configured to receive an information request which is sent by the security switch 302 and carries the MAC address of the access terminal 303, query the first identity identifier of the access terminal 303 according to the MAC address of the access terminal, and return response information carrying the first identity identifier to the security switch 302;
the security switch 302 is further configured to receive the response information returned by the management platform device 301 after sending the information request to the management platform device 301, encrypt a preset packet by using the first identity identifier, generate a second ciphertext, and send the second ciphertext to the authentication client software;
the authentication client software is configured to decrypt the second ciphertext with a second private key to obtain decryption information and return the decryption information to the security switch 302; the second private key is generated from the first identity identifier by identity public key (IPK) technology;
the security switch 302 is further configured to determine that the access terminal 303 is successfully authenticated when it determines that the decryption information is consistent with the preset message.
Further, in an optional embodiment of the present application, the security switch 302 is further configured to open a network path when it determines that the access terminal 303 is successfully authenticated, so that the access terminal 303 performs network communication through the network path opened by the security switch 302.
In an optional implementation manner, the security switch 302 is further configured to generate the second identity identifier according to the MAC address of the security switch 302, store the second identity identifier, and import it into the management platform device 301;
the access terminal 303 is further configured to generate the first identity identifier according to the MAC address of the access terminal 303, generate the second private key from the first identity identifier by identity public key (IPK) technology, import the second private key into the authentication client software, and import the MAC address and the first identity identifier of the access terminal 303 into the management platform device 301;
the management platform device 301 is further configured to generate the third identity identifier according to the MAC address of the management platform device 301, generate the first private key from the third identity identifier by identity public key (IPK) technology, store the third identity identifier and the first private key, store the second identity identifier in the local identity database, and store the mapping between the MAC address of the access terminal 303 and the first identity identifier.
In an optional implementation manner, the management platform device 301 may further include a display screen. The management platform device 301 is further configured to monitor the successfully authenticated security switches through the Simple Network Management Protocol (SNMP) and to display the terminal access information of those security switches on the display screen.
In this embodiment, the management platform device 301 centrally monitors, through SNMP, the operating condition of each security switch that has successfully registered and authenticated, including its CPU, memory and port usage, and monitors in real time the number of access terminals on each port of the security switch, the time at which each terminal accessed, the time at which it was successfully authenticated, how long it has been connected, and the time at which it went offline, displaying this information on the display screen. The terminal access condition of the unified network boundary constructed by the security switches can thus be grasped in real time, achieving visual monitoring and protection of the unified network boundary; when a security problem occurs, the monitoring records of the management platform device allow the access terminal involved to be traced and located promptly and the root cause of the problem to be found.
Fig. 4 is a schematic view of an interaction process of the network security protection system according to an embodiment of the present application. As shown in fig. 4, both the security switch and the terminal need to register on the management platform device, and the management platform device also has the function of formulating and issuing security policies. The process by which the security switch, the management platform device and the terminal interact to implement the network security protection method provided by the application is as follows. The security switch first performs identity authentication with the management platform device; after the authentication succeeds, a TCP connection is established between the management platform device and the security switch. When a terminal accesses the security switch, the authenticated security switch queries the management platform device for the first identity identifier of the access terminal, the management platform device returns the first identity identifier to the security switch, and the security switch authenticates the access terminal based on the first identity identifier; the security switch opens network access after the access terminal is successfully authenticated and refuses to open network access when the access terminal fails authentication. For the authentication processes of the security switch and the access terminal, reference may be made to the foregoing embodiments, which are not repeated here.
As shown in fig. 4, after the access terminal is successfully authenticated, the security switch reports terminal information to the management platform device; the terminal information may include the IP address and the first identity identifier of the access terminal. When the management platform device finds that a security policy for the access terminal exists, it replaces the placeholder in the security policy with the IP address and issues the resulting security policy to the security switch, which executes it. The scheme of the application establishes a unified and complete network boundary, prevents unauthorized terminal access, and has the management platform device formulate security policies and issue them to the security switches for execution. Security policies are thus formulated uniformly and executed quickly by the security switches, so that each policy takes effect and the efficiency and effect of security protection are significantly improved.
The network security protection system provided by the embodiment of the application can execute any network security protection method provided by the embodiment of the application, and has the corresponding functional modules and beneficial effects of the execution method. Reference may be made to the description of any method embodiment of the present application for a matter not explicitly described in the system embodiments of the present application.
Corresponding to the method embodiment, the embodiment of the application also provides a network security protection device.
Fig. 5 is a schematic structural diagram of a network security protection apparatus according to an embodiment of the present application, where the apparatus is applied to a security switch, and as shown in fig. 5, the network security protection apparatus 50 may include: an acquisition module 510, a processing module 520, a sending module 530, and a guard module 540.
The acquiring module 510 is configured to acquire an MAC address of an access terminal when it is monitored that a terminal is accessed;
a processing module 520, configured to obtain, according to the MAC address of the access terminal, a first identity identifier of the access terminal from a management platform device for performing identity authentication on the access terminal;
a sending module 530, configured to send a security policy request to the management platform device when the access terminal is successfully authenticated, where the security policy request carries an IP address of the access terminal and the first identity identifier, so that when the management platform device determines that a security policy issued for the access terminal exists according to the first identity identifier, the management platform device replaces a placeholder preset in the security policy with the IP address to obtain a target security policy, and issues the target security policy to a security switch to which the access terminal accesses;
the protection module 540 is configured to execute the target security policy after receiving the target security policy.
Optionally, the security policy includes the placeholder, a preset source port number, a preset destination IP address, a preset destination port number, a preset transport layer protocol, and a preset action.
Optionally, the network security protection apparatus 50 further comprises:
an identity acquisition module, configured to acquire a second identity identifier of the security switch and a third identity identifier of the management platform device;
an encryption module, configured to encrypt the second identity identifier by using the third identity identifier to generate a first ciphertext;
a ciphertext sending module, configured to send the first ciphertext to the management platform device for identity authentication, so that the management platform device decrypts the second identity identifier from the first ciphertext by using a first private key, determines that the security switch is successfully authenticated when it finds the second identity identifier in its local identity database, and establishes a TCP connection with the security switch; the first private key is generated from the third identity identifier by identity public key (IPK) technology;
and a determining module, configured to determine that the TCP connection has been successfully established.
Optionally, authentication client software is installed on the access terminal, and the processing module 520 is further configured to:
send an information request to the management platform device, wherein the information request includes the MAC address of the access terminal;
receive response information returned by the management platform device based on the information request, wherein the response information includes the first identity identifier of the access terminal that the management platform device looked up according to the MAC address of the access terminal;
encrypt a preset message by using the first identity identifier to generate a second ciphertext;
send the second ciphertext to the authentication client software, so that the authentication client software decrypts the second ciphertext with a second private key to obtain decryption information and returns the decryption information to the security switch; the second private key is generated from the first identity identifier by identity public key (IPK) technology;
and determine that the access terminal is successfully authenticated when the decryption information is determined to be consistent with the preset message.
Optionally, the network security protection apparatus 50 further comprises:
an opening module, configured to open a network path so that the access terminal can perform network communication.
The network security protection device provided by the embodiment of the application can execute any network security protection method provided by the embodiment of the application, and has the corresponding functional modules and beneficial effects of the execution method. Reference may be made to the description of any method embodiment of the present application for details not explicitly described in the apparatus embodiments of the present application.
It should be noted that although several modules or units of the apparatus for action execution are mentioned in the above detailed description, this division is not mandatory. Indeed, according to embodiments of the application, the features and functions of two or more modules or units described above may be embodied in one module or unit; conversely, the features and functions of one module or unit described above may be further divided and embodied by a plurality of modules or units.
In an exemplary embodiment of the present application, a security switch is also provided, including a memory storing a computer program and a processor for executing the computer program, where the computer program, when executed by the processor, implements the steps of the network security protection method according to the above embodiments.
In an exemplary embodiment of the present application, a computer-readable storage medium is further provided, on which a computer program is stored, which when executed by a processor implements the steps of the network security protection method described in the above embodiments.
It should be noted that the computer readable storage medium shown in the present application can be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the above. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory, a read-only memory, an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable storage medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, radio frequency, etc., or any suitable combination of the foregoing.
In an exemplary embodiment of the present application, a computer program product is also provided, which, when run on a computer, causes the computer to execute the steps of the network security protection method described in the above embodiments.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is merely exemplary of the present application and is presented to enable those skilled in the art to understand and practice the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A network security protection method, applied to a security switch, comprising the following steps:
when terminal access is monitored, acquiring the MAC address of the access terminal;
acquiring a first identity identifier of the access terminal from a management platform device according to the MAC address of the access terminal, for identity authentication of the access terminal;
in the case that the access terminal is successfully authenticated, sending a security policy request to the management platform device, wherein the security policy request carries an IP address of the access terminal and the first identity identifier, so that when the management platform device determines according to the first identity identifier that a security policy issued for the access terminal exists, the management platform device replaces a preset placeholder in the security policy with the IP address to obtain a target security policy and issues the target security policy to the security switch to which the access terminal is connected;
after receiving the target security policy, executing the target security policy.
2. The method of claim 1, wherein the security policy comprises the placeholder, a preset source port number, a preset destination IP address, a preset destination port number, a preset transport layer protocol, and a preset action.
3. The method of claim 1, further comprising, before acquiring the first identity identifier of the access terminal from the management platform device:
acquiring a second identity identifier of the security switch and a third identity identifier of the management platform device;
encrypting the second identity identifier using the third identity identifier to generate a first ciphertext;
sending the first ciphertext to the management platform device for identity authentication, so that the management platform device decrypts the second identity identifier from the first ciphertext using a first private key, determines that the security switch is successfully authenticated when it finds that the second identity identifier exists in a local identity database of the management platform device, and establishes a TCP connection with the security switch, wherein the first private key is generated according to the third identity identifier by identity-based public key cryptography;
determining that the TCP connection has been successfully established.
4. The method of any one of claims 1 to 3, wherein authentication client software is installed in the access terminal, and acquiring the first identity identifier of the access terminal from the management platform device according to the MAC address of the access terminal for identity authentication of the access terminal comprises:
sending an information request to the management platform device, wherein the information request comprises the MAC address of the access terminal;
receiving response information returned by the management platform device on the basis of the information request, wherein the response information comprises the first identity identifier of the access terminal that the management platform device looked up according to the MAC address of the access terminal;
encrypting a preset message using the first identity identifier to generate a second ciphertext;
sending the second ciphertext to the authentication client software, so that the authentication client software decrypts the second ciphertext using a second private key to obtain decryption information and returns the decryption information to the security switch, wherein the second private key is generated according to the first identity identifier by identity-based public key cryptography;
in the case that the decryption information is determined to be consistent with the preset message, determining that the access terminal is successfully authenticated.
5. The method of claim 4, further comprising, after determining that the access terminal is successfully authenticated:
opening a network path so that the access terminal can carry out network communication.
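The authentication steps of claims 3 to 5, run end to end as an added example (illustrative code written for this page, not an implementation from the patent or its applicant). The identity-based public key cryptography the claims rely on is stood in for by a deliberately simple ElGamal-style construction: a key generation centre (KGC) publishes one parameter, the public key of any identity string is derived from that parameter and the string alone, and the KGC issues the matching private key. The KGC, its parameters, the identity strings, the MAC table and the port names are all constructed for the example, and the construction reproduces the structure of identity-based encryption but not the security of a standardised scheme, as its docstring says. Where claim 4 speaks of a preset message, the example encrypts a fresh random challenge per attempt, so that a captured response cannot be reused.

```python
"""Claims 3-5 as a runnable exchange: switch -> platform, then switch -> terminal.
TOY identity-based encryption: a KGC holds master secret s and publishes Y = G^s mod P.
Anyone derives pk_ID = Y^H(ID) mod P from the identity string; only the KGC can
issue d_ID = s*H(ID) mod (P-1).  Encryption is hashed ElGamal.  This has the shape
of IBC (identity string = public key, no certificates) but NOT its security: one
d_ID reveals s.  Real deployments use a standardised scheme such as SM9."""
import hashlib
import secrets

P = 2**127 - 1   # Mersenne prime M127, a toy modulus
G = 3

def h_id(identity: str) -> int:
    """Hash an identity string to an exponent in [1, P-2]."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 1

def _kdf(shared: int, n: int) -> bytes:
    """Expand the ElGamal shared value into n keystream bytes."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(shared.to_bytes(16, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def ibe_encrypt(Y: int, identity: str, msg: bytes):
    """Encrypt to an identity using only the public parameter Y and the identity string."""
    pk = pow(Y, h_id(identity), P)
    r = secrets.randbelow(P - 2) + 1
    c1 = pow(G, r, P)
    return c1, bytes(m ^ k for m, k in zip(msg, _kdf(pow(pk, r, P), len(msg))))

def ibe_decrypt(d_id: int, ct) -> bytes:
    c1, c2 = ct
    return bytes(c ^ k for c, k in zip(c2, _kdf(pow(c1, d_id, P), len(c2))))

class KGC:
    def __init__(self, master_secret: int):
        self.s = master_secret
        self.Y = pow(G, self.s, P)                    # public parameter
    def private_key(self, identity: str) -> int:      # issued out of band to each party
        return (self.s * h_id(identity)) % (P - 1)

class ManagementPlatform:
    """Holds the 'first private key' (claim 3) and the MAC -> identity table (claim 4)."""
    def __init__(self, kgc, identity, switch_db, mac_db):
        self.identity = identity                      # "third identity identifier"
        self.d = kgc.private_key(identity)
        self.switch_db = set(switch_db)               # local identity database
        self.mac_db = {m.lower(): i for m, i in mac_db.items()}
    def authenticate_switch(self, first_ciphertext) -> bool:
        second_id = ibe_decrypt(self.d, first_ciphertext).decode("utf-8", "replace")
        return second_id in self.switch_db            # True -> accept the TCP connection
    def lookup_identity(self, mac: str):
        return self.mac_db.get(mac.lower())           # "first identity identifier" or None

class AuthClient:
    """Authentication client software on the terminal; holds the 'second private key'."""
    def __init__(self, kgc, identity):
        self.d = kgc.private_key(identity)
    def respond(self, second_ciphertext) -> bytes:    # returns the "decryption information"
        return ibe_decrypt(self.d, second_ciphertext)

class SecuritySwitch:
    def __init__(self, identity, Y):
        self.identity, self.Y = identity, Y           # "second identity identifier"
        self.open_ports = set()
    def connect_platform(self, platform) -> bool:
        """Claim 3: first ciphertext = own identity encrypted to the platform identity."""
        ct = ibe_encrypt(self.Y, platform.identity, self.identity.encode())
        return platform.authenticate_switch(ct)
    def authenticate_terminal(self, platform, mac, client, port) -> bool:
        """Claim 4, with a fresh random challenge in place of a fixed preset message."""
        first_id = platform.lookup_identity(mac)
        if first_id is None:
            return False
        challenge = secrets.token_bytes(16)
        reply = client.respond(ibe_encrypt(self.Y, first_id, challenge))
        ok = secrets.compare_digest(reply, challenge)
        if ok:
            self.open_ports.add(port)                 # claim 5: open the network path
        return ok

def demo() -> dict:
    kgc = KGC(master_secret=0x5EED)                   # fixed toy master secret, constructed
    platform = ManagementPlatform(kgc, "mgmt-platform-01", {"sec-switch-07"},
                                  {"AA:BB:CC:DD:EE:01": "terminal-42"})
    switch, rogue = SecuritySwitch("sec-switch-07", kgc.Y), SecuritySwitch("sec-switch-99", kgc.Y)
    client, impostor = AuthClient(kgc, "terminal-42"), AuthClient(kgc, "terminal-13")
    return {
        "switch_ok": switch.connect_platform(platform),
        "rogue_switch_ok": rogue.connect_platform(platform),        # decrypts, but not in DB
        "terminal_ok": switch.authenticate_terminal(platform, "aa:bb:cc:dd:ee:01", client, "Gi1/0/5"),
        "impostor_ok": switch.authenticate_terminal(platform, "aa:bb:cc:dd:ee:01", impostor, "Gi1/0/6"),
        "unknown_mac_ok": switch.authenticate_terminal(platform, "00:11:22:33:44:55", client, "Gi1/0/7"),
        "open_ports": sorted(switch.open_ports),
    }
```

Calling `demo()` exercises all three outcomes the claims distinguish: a registered switch and a registered terminal succeed, a switch whose identity is absent from the platform's database is rejected even though the platform can decrypt its ciphertext, and a terminal holding a private key for a different identity (or a MAC the platform does not know) never gets its port opened.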
6. A network security protection system, comprising a management platform device, at least one security switch and at least one access terminal, wherein:
the security switch is configured to acquire the MAC address of an access terminal when terminal access is detected, acquire a first identity identifier of the access terminal from the management platform device according to the MAC address of the access terminal for identity authentication of the access terminal, send a security policy request to the management platform device in the case that the access terminal is successfully authenticated, wherein the security policy request carries the IP address of the access terminal and the first identity identifier, and execute a target security policy after receiving the target security policy issued by the management platform device;
the management platform device is configured to, after receiving the security policy request sent by the security switch, determine according to the first identity identifier carried in the security policy request whether a security policy issued for the access terminal exists, and, when it is determined that such a security policy exists, replace a placeholder preset in the security policy with the IP address to obtain the target security policy and issue the target security policy to the security switch to which the access terminal is connected.
7. The system of claim 6, wherein the management platform device is further configured to:
formulate the security policy in the form of an access control list, wherein the security policy comprises the placeholder, a preset source port number, a preset destination IP address, a preset destination port number, a preset transport layer protocol and a preset action.
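Placeholder substitution on the management platform and access-control-list execution on the switch, from claims 1, 2, 6 and 7, as an added example (written for this page, not code from the patent or its applicant). The ACE record, the placeholder token `${TERMINAL_IP}`, the sample template issued for the identity `terminal-42` and the packet tuples are assumptions for the example; the claims fix only the field list (placeholder, source port, destination IP address, destination port, transport protocol, action), and placing the placeholder in the source-address field follows from claim 1, where it is replaced with the terminal's IP address. The platform parses the address before substituting it, so that a request carrying a non-address string can never be spliced into a rule; the switch applies the instantiated list first-match with an implicit deny.

```python
"""Claims 1, 2, 6, 7: placeholder substitution (platform side) and ACL
enforcement (switch side).  Representation and sample data are constructed."""
import ipaddress
from dataclasses import dataclass, replace as dc_replace
from typing import Optional

PLACEHOLDER = "${TERMINAL_IP}"          # occupies the source-address field of a template

@dataclass(frozen=True)
class ACE:
    src: str        # PLACEHOLDER in a template, "<ip>/32" in a target policy
    src_port: str   # "any" or a port number as text
    dst: str        # CIDR
    dst_port: str
    proto: str      # "tcp", "udp" or "any"
    action: str     # "permit" or "deny"

# Constructed: the security policy the platform has issued for one identity (claim 7).
ISSUED_POLICIES = {
    "terminal-42": [
        ACE(PLACEHOLDER, "any", "10.10.0.20/32", "443", "tcp", "permit"),
        ACE(PLACEHOLDER, "any", "10.10.0.53/32", "53", "udp", "permit"),
        ACE(PLACEHOLDER, "any", "0.0.0.0/0", "any", "any", "deny"),
    ],
}

def instantiate_policy(first_id: str, terminal_ip: str) -> Optional[list]:
    """Platform side: returns the target policy, or None if no policy was issued."""
    template = ISSUED_POLICIES.get(first_id)
    if template is None:
        return None
    # Parse before substituting: the IP arrives in a request message, and anything
    # that is not an address must never reach the switch's rule engine (ValueError).
    host = ipaddress.ip_address(terminal_ip)
    return [dc_replace(ace, src=ace.src.replace(PLACEHOLDER, f"{host}/32")) for ace in template]

def _port_ok(rule: str, value: int) -> bool:
    return rule == "any" or int(rule) == value

def matches(ace: ACE, pkt: dict) -> bool:
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(ace.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(ace.dst)
            and ace.proto in ("any", pkt["proto"])
            and _port_ok(ace.src_port, pkt["sport"])
            and _port_ok(ace.dst_port, pkt["dport"]))

def apply_policy(policy: list, pkt: dict) -> str:
    """Switch side: first matching entry wins; unmatched traffic is dropped."""
    for ace in policy:
        if matches(ace, pkt):
            return ace.action
    return "deny"

def demo() -> dict:
    policy = instantiate_policy("terminal-42", "192.168.5.17")
    def pkt(src, dst, proto, sport, dport):
        return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}
    return {
        "src_field": policy[0].src,
        "https_to_app": apply_policy(policy, pkt("192.168.5.17", "10.10.0.20", "tcp", 51000, 443)),
        "ssh_to_app": apply_policy(policy, pkt("192.168.5.17", "10.10.0.20", "tcp", 51001, 22)),
        "dns": apply_policy(policy, pkt("192.168.5.17", "10.10.0.53", "udp", 40000, 53)),
        "other_host": apply_policy(policy, pkt("192.168.5.18", "10.10.0.20", "tcp", 51002, 443)),
        "no_policy": instantiate_policy("terminal-99", "192.168.5.20"),
    }
```

`demo()` shows the template with `${TERMINAL_IP}` becoming a host rule for 192.168.5.17, HTTPS and DNS from that host permitted, SSH from it caught by the explicit deny, and traffic from a neighbouring address matching nothing and falling to the implicit deny; an identity with no issued policy yields None, and a malformed address raises before any rule is built. The example assumes the switch already knows which IP address belongs to the authenticated port and MAC; the claims do not say how the switch learns it.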
8. A network security protection device, comprising:
an acquisition module, configured to acquire the MAC address of an access terminal when terminal access is monitored;
a processing module, configured to acquire a first identity identifier of the access terminal from a management platform device according to the MAC address of the access terminal and to carry out identity authentication of the access terminal;
a sending module, configured to send a security policy request to the management platform device when the access terminal is successfully authenticated, wherein the security policy request carries an IP address of the access terminal and the first identity identifier, so that when the management platform device determines according to the first identity identifier that a security policy issued for the access terminal exists, the management platform device replaces a placeholder preset in the security policy with the IP address to obtain a target security policy and issues the target security policy to the security switch to which the access terminal is connected;
a protection module, configured to execute the target security policy after receiving the target security policy.
9. A security switch, comprising a processor configured to execute a computer program stored in a memory, wherein the computer program, when executed by the processor, implements the steps of the network security protection method according to any one of claims 1 to 5.
10. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the network security protection method according to any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111566810.XA CN114374543B (en) | 2021-12-20 | 2021-12-20 | Network security protection method, system, device, security switch and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111566810.XA CN114374543B (en) | 2021-12-20 | 2021-12-20 | Network security protection method, system, device, security switch and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114374543A (en) | 2022-04-19 |
CN114374543B CN114374543B (en) | 2023-10-13 |
Family
ID=81139852
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111566810.XA Active CN114374543B (en) | 2021-12-20 | 2021-12-20 | Network security protection method, system, device, security switch and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114374543B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105049446A (en) * | 2015-08-20 | 2015-11-11 | 中国联合网络通信集团有限公司 | Method and system for filtering URL (Uniform Resource Locator) |
CN106470206A (en) * | 2015-08-14 | 2017-03-01 | 纬创资通股份有限公司 | Abnormity prediction method and system suitable for heterogeneous network architecture |
CN108418806A (en) * | 2018-02-05 | 2018-08-17 | 新华三信息安全技术有限公司 | A kind of processing method and processing device of message |
CN110311929A (en) * | 2019-08-01 | 2019-10-08 | 江苏芯盛智能科技有限公司 | A kind of access control method, device and electronic equipment and storage medium |
CN111654464A (en) * | 2015-12-31 | 2020-09-11 | 华为技术有限公司 | Access control method, authentication device and system |
CN112615829A (en) * | 2020-12-08 | 2021-04-06 | 北京北信源软件股份有限公司 | Terminal access authentication method and system |
CN113315754A (en) * | 2021-04-25 | 2021-08-27 | 中国民生银行股份有限公司 | Intelligent linkage method, device, equipment and medium for firewall of container visit |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114938295A (en) * | 2022-05-10 | 2022-08-23 | 北京北信源软件股份有限公司 | Active safety network and construction method |
CN114938295B (en) * | 2022-05-10 | 2024-04-23 | 北京北信源软件股份有限公司 | Active safety network and construction method |
WO2024109129A1 (en) * | 2022-11-23 | 2024-05-30 | 海信视像科技股份有限公司 | Electronic device and data processing method |
Also Published As
Publication number | Publication date |
---|---|
CN114374543B (en) | 2023-10-13 |
Similar Documents
Publication | Title |
---|---|
US11483143B2 (en) | Enhanced monitoring and protection of enterprise data |
CN108370381B (en) | System and method for detecting advanced attackers using client-side honey marks |
CN106034104B (en) | Verification method, device and system for network application access |
EP3090520B1 (en) | System and method for securing machine-to-machine communications |
US12101416B2 (en) | Accessing hosts in a computer network |
US10735195B2 (en) | Host-storage authentication |
US11652637B2 (en) | Enforcing a segmentation policy using cryptographic proof of identity |
US10764263B2 (en) | Authentication of users in a computer network |
CN101488950A (en) | Symmetric key distribution framework for the internet |
CN114374543B (en) | Network security protection method, system, device, security switch and storage medium |
CN110225017B (en) | Identity authentication method, equipment and storage medium based on alliance block chain |
KR20190048587A (en) | METHOD FOR SECURITING REMOTELY INTERNET OF THINGS(IoT) AND APPARATUS USING THE SAME |
US11784993B2 (en) | Cross site request forgery (CSRF) protection for web browsers |
EP3328025A1 (en) | Accessing hosts in a hybrid computer network |
Domenech et al. | An authentication and authorization infrastructure for the web of things |
CN114374508B (en) | Network security protection method, system, device, security switch and storage medium |
CN103139201A (en) | Network strategy acquiring method and data center switchboard |
EP3580885B1 (en) | Private key updating |
Batista et al. | Using externals IdPs on OpenStack: A security analysis of OpenID connect, Facebook connect, and OpenStack authentication |
KR20060101800A (en) | Communication service system and method for managing security of a service server and communication equipment |
CN113225298A (en) | Message verification method and device |
CN117061140A (en) | Penetration defense method and related device |
CN118432914A (en) | Data interaction method, device, equipment and storage medium based on identity authentication |
CN116015961A (en) | Control processing method, security CPE, system and medium of down-hanging terminal equipment |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |
TR01 | Transfer of patent right | Effective date of registration: 20240104. Address after: Room 303-1, No. 4, Lane 1369, Lianhang Road, Minhang District, Shanghai, 201100. Patentee after: SHANGHAI VRV INFORMATION TECHNOLOGY CO.,LTD. Address before: Room 1602, block C, Zhongguancun Science and technology development building, 34 Zhongguancun South Street, Haidian District, Beijing 100081. Patentee before: BEIJING VRV SOFTWARE Corp.,Ltd. |