CN114598540B - Access control system, method, device and storage medium - Google Patents


Info

Publication number
CN114598540B
Authority
CN (China)
Prior art keywords
access, access control, terminal, token, interface
Prior art date
Legal status
Active
Application number
CN202210272573.4A
Other languages
Chinese (zh)
Other versions
CN114598540A (en)
Inventor
商跃鹏
汪海
Current Assignee
BEIJING LEADSEC TECHNOLOGY CO LTD
Beijing Venustech Cybervision Co ltd
Original Assignee
BEIJING LEADSEC TECHNOLOGY CO LTD
Beijing Venustech Cybervision Co ltd
Priority date
Filing date
Publication date
Application filed by BEIJING LEADSEC TECHNOLOGY CO LTD, Beijing Venustech Cybervision Co ltd
Priority to CN202210272573.4A
Publication of CN114598540A
Application granted
Publication of CN114598540B
Active legal status
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration

Abstract

An access control system, method, apparatus and storage medium. The access control system comprises: a trust evaluation engine, used for periodically collecting the operation information and environment information of a terminal, evaluating the collected information according to a preset risk evaluation policy to obtain an evaluation result, and sending the evaluation result to a trusted access control engine when the evaluation result is abnormal; the trusted access control engine, used for receiving the abnormal evaluation result, generating an access control policy by combining it with a preset security access rule, and delivering the access control policy to a trusted identifier resolution access agent or a trusted identifier resolution application agent; and the agents, used for performing access control according to the received access control policy. Information about the access subject can thus be continuously collected and dynamically evaluated, so that an access subject that presents a risk can be controlled dynamically and in time.

Description

Access control system, method, device and storage medium
Technical Field
The present disclosure relates to security control technologies, and in particular, to an access control system, method, apparatus, and storage medium.
Background
With the gradual popularization of industrial Internet identifiers, identifier resolution opens a new era of autonomous machines and intelligent processes and brings great social and economic opportunities. However, this interconnection has unavoidable side effects: an identifier resolution system stores a large amount of sensitive data, and the access control security of the identifier resolution system is the problem that draws the most attention when an industrial Internet identifier resolution system is deployed.
In the prior art, an access control system usually verifies the identity information of the visitor only at the initial login stage, after which the visitor can access resources directly.
However, because such a system verifies the visitor's identity only at login and places no limit on the subsequent access process, it cannot dynamically control in time the access behaviour of an access subject that presents a risk.
Disclosure of Invention
The embodiment of the application provides an access control system, an access control method, an access control device and a storage medium, which can continuously collect and dynamically evaluate information about the access subject, so that an access subject that presents a risk can be controlled dynamically and in time.
The application provides an access control system comprising:
a trust evaluation engine, used for periodically collecting the operation information and environment information of a terminal, evaluating the collected operation information and environment information according to a preset risk evaluation policy to obtain an evaluation result, and sending the evaluation result to a trusted access control engine when the evaluation result is abnormal;
the trusted access control engine, used for receiving the abnormal evaluation result, generating an access control policy by combining it with a preset security access rule, and delivering the access control policy to a trusted identifier resolution access agent or a trusted identifier resolution application agent;
the trusted identifier resolution access agent, used for performing access control according to the received access control policy;
the trusted identifier resolution application agent, used for performing access control according to the received access control policy.
Compared with the related art, the access control system provided by the application periodically collects the operation information and environment information of the terminal, evaluates the collected data and derives an access control policy from the evaluation, so that information about the access subject is continuously collected and dynamically evaluated and an access subject that presents a risk can be controlled dynamically and in time.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the application. Other advantages of the present application may be realized and attained by the structure particularly pointed out in the written description and drawings.
Drawings
The accompanying drawings are included to provide an understanding of the technical aspects of the present application and are incorporated in and constitute a part of this specification; together with the examples they illustrate the technical aspects of the present application and do not constitute a limitation of them.
Fig. 1 is a schematic structural diagram of an access control system according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of an industrial Internet identifier resolution access control system according to an embodiment of the present application;
fig. 3 is a schematic flow chart of an access control method according to an embodiment of the present application;
fig. 4 is an interaction schematic diagram of an access control method provided in an embodiment of the present application.
Detailed Description
An access control system is provided, as shown in fig. 1, comprising:
a trust evaluation engine 11, configured to periodically collect operation information and environment information of the terminal, evaluate the collected operation information and environment information according to a preset risk evaluation policy to obtain an evaluation result, and send the evaluation result to the trusted access control engine 12 when the evaluation result is abnormal;
a trusted access control engine 12, configured to receive an abnormal evaluation result, generate an access control policy in combination with a preset security access rule, and send the access control policy to the trusted identifier resolution access agent 13 or the trusted identifier resolution application agent 14;
a trusted identifier resolution access agent 13, configured to perform access control according to the received access control policy; and
a trusted identifier resolution application agent 14, configured to perform access control according to the received access control policy.
In an exemplary embodiment, the environment information of the terminal may also be called security baseline status information; it describes whether the current running state of the terminal device is healthy, for example whether antivirus software is installed on the terminal device and whether any high-risk port is open.
In an exemplary embodiment, the evaluation result may be expressed as a percentage score. In that case the policy control engine may pre-configure a percentage scoring rule for the security baseline and, in combination with the preset security access rule, generate the access control policy as follows. If the user's security access rule is the stricter one, the thresholds may be set so that a score below 80 points means high-sensitivity applications cannot be accessed (the trusted access control engine issues a dynamic privilege-reduction policy so that the access terminal can no longer reach the corresponding high-sensitivity applications) and a score below 60 points forces the access terminal to disconnect. If the user's security access rule is the more lenient one, the corresponding thresholds may be set at 70 points (high-sensitivity applications cannot be accessed, with the same privilege-reduction policy) and 40 points (forced disconnection).
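The scoring rule and thresholds above, worked through as an added Python example (this is not code from the patent or from its assignee). The 80/60 and 70/40 point thresholds are the ones quoted in the description; the baseline checks and their weights, the interface-level rule tied to an open high-risk port, and the agent names are assumptions made for illustration.

```python
"""Trust evaluation and dynamic policy generation (illustrative example).

Assumptions: the four baseline checks and their weights, the interface-level
rule for an open high-risk port, and the agent names "access_agent" and
"application_agent". The point thresholds come from the description.
"""
from dataclasses import dataclass
from enum import Enum


class AccessRule(Enum):
    """Preset security access rule of the user: stricter or more lenient."""
    STRICT = "strict"
    LENIENT = "lenient"


# (deny high-sensitivity applications below X, force disconnect below Y)
THRESHOLDS = {AccessRule.STRICT: (80, 60), AccessRule.LENIENT: (70, 40)}

# Security-baseline checks reported by the terminal and the points each
# passing check contributes to the percentage score (assumed weights, sum 100).
BASELINE_WEIGHTS = {
    "antivirus_installed": 30,
    "no_high_risk_ports_open": 30,
    "os_patched": 20,
    "disk_encrypted": 20,
}


@dataclass(frozen=True)
class Policy:
    level: str    # "application" or "interface"
    target: str   # agent that enforces the policy
    action: str   # what the agent must do
    reason: str


def evaluate(env: dict) -> int:
    """Trust evaluation engine: score the environment info as a percentage."""
    return sum(w for check, w in BASELINE_WEIGHTS.items() if env.get(check, False))


def is_abnormal(score: int, rule: AccessRule) -> bool:
    """Only abnormal results are forwarded to the trusted access control engine."""
    deny_below, _ = THRESHOLDS[rule]
    return score < deny_below


def generate_policies(env: dict, rule: AccessRule) -> list[Policy]:
    """Trusted access control engine: abnormal result + access rule -> policies."""
    score = evaluate(env)
    if not is_abnormal(score, rule):
        return []
    deny_below, drop_below = THRESHOLDS[rule]
    policies = []
    if score < drop_below:
        # Application-level policy, enforced by the access agent.
        policies.append(Policy("application", "access_agent", "force_offline",
                               f"score {score} < {drop_below}"))
    else:
        # Dynamic privilege reduction: high-sensitivity applications are blocked.
        policies.append(Policy("application", "access_agent",
                               "deny_high_sensitivity_apps",
                               f"score {score} < {deny_below}"))
        # Assumed interface-level rule: a terminal with a high-risk port open
        # loses the bulk-export function, enforced by the application agent.
        if not env.get("no_high_risk_ports_open", False):
            policies.append(Policy("interface", "application_agent",
                                   "prohibit_function:bulk_export",
                                   "high-risk port open on terminal"))
    return policies


def dispatch(policies: list[Policy]) -> dict[str, list[str]]:
    """Group generated policies by the agent that must receive them."""
    out: dict[str, list[str]] = {}
    for p in policies:
        out.setdefault(p.target, []).append(p.action)
    return out


if __name__ == "__main__":
    # Constructed sample terminal: antivirus present, a high-risk port open,
    # unpatched OS, encrypted disk -> 50 points.
    sample = {"antivirus_installed": True, "no_high_risk_ports_open": False,
              "os_patched": False, "disk_encrypted": True}
    for rule in AccessRule:
        print(rule.value, evaluate(sample), dispatch(generate_policies(sample, rule)))
```

The same 50-point terminal is forced offline under the strict rule but only loses high-sensitivity applications (plus one function) under the lenient one, which is the point of tying thresholds to the user's security access rule rather than to the score alone.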
According to the access control system provided by the embodiment of the application, the running information and the environment information of the terminal can be periodically collected, and the access control strategy is further obtained for access control by evaluating according to the obtained data, so that the access subject information can be continuously collected and dynamically evaluated, and the access subject with risk can be dynamically controlled in time.
In one illustrative example, the trusted access control engine 12 is specifically configured to:
when the generated access control policy includes an application-level policy, issue the access control policy to the trusted identifier resolution access agent 13, where the application-level access control policy includes at least one of: forcing the user offline, and prohibiting access to the application;
when the generated access control policy includes an interface-level policy, issue the access control policy to the trusted identifier resolution application agent 14, where the interface-level access control policy includes: prohibiting a function of the accessed application.
In one illustrative example, the trusted access control engine 12 is further configured to:
acquire device authentication information sent by the terminal in a unidirectional message, and verify it;
when that verification passes, open the corresponding authentication port, acquire the user identity information and environment information of the terminal through the authentication port, and verify them;
when that verification passes, synchronize an access token and an interface token to the terminal;
receive a secure channel negotiation request from the terminal, the request carrying the terminal's access token; and
verify the access token, and establish a secure channel with the terminal when the verification passes.
In one illustrative example, the authentication port is a configurable default port, typically 443, carrying Transport Layer Security (TLS) or its predecessor Secure Sockets Layer (SSL); in practice every SSL version is deprecated and only TLS should be enabled on the port.
In an exemplary embodiment, the trusted identifier resolution access agent 13 is further configured to receive, through a pre-established secure channel, an application access request initiated by the terminal, the application access request carrying the terminal's access token (which represents application access authority);
send the access token to the trusted access control engine 12 for verification and, when the verification passes, display the function page of the application corresponding to the application access request to the terminal in response to the request;
receive an interface access request initiated by the terminal, the interface access request carrying the terminal's access token and the terminal's interface token (which represents function access authority); and
send the access token to the trusted access control engine 12 for verification and, when the verification passes, forward the interface access request to the trusted identifier resolution application agent 14.
In one illustrative example, the trusted identifier resolution application agent 14 is further configured to:
accept the interface access request from the trusted identifier resolution access agent 13, and send the access token and interface token it carries to the trusted access control engine 12, which verifies the interface token against the access token; and
when the verification passes, forward the interface access request to the intranet.
In one illustrative example, the trusted access control engine 12 is specifically configured to:
acquire the target terminal identity information corresponding to the access token in the interface access request, according to the pre-established correspondence between terminal identity information and access tokens;
acquire the target interface token corresponding to the target terminal identity information, according to the pre-established correspondence between terminal identity information and interface tokens, and check whether the target interface token is identical to the interface token in the interface access request; and
if the two interface tokens are identical, confirm that the interface token passes verification.
In an illustrative example, the trusted access control engine 12 is specifically configured to acquire device authentication information that the terminal sends over a unidirectional, connectionless (UDP) port in a fixed single packet authentication (SPA) format.
In one illustrative example, the trusted access control engine 12 responds only to unidirectional messages in the single packet authentication format; any other datagram is dropped without a reply.
In one illustrative example, the device authentication information includes at least one of: the version number of the authentication packet, the token, the seed, the password, and the count value.
In one illustrative example, the user identity information includes at least one of: identity authentication credentials, device fingerprint information.
The access control system provided by the embodiment of the application can solve the access control problem of industrial Internet identifier resolution. In the prior art, industrial Internet identifier resolution access control scenarios are common, and discretionary access control (DAC), mandatory access control (MAC), access control lists (ACL) and role-based access control (RBAC) are common access control technologies that have been applied successfully to industrial Internet identifier resolution. Access control is one of the important computer security protection technologies and has been widely applied from the early days of network security to the present. It is a means of granting or limiting access capability in a defined way, so as to effectively control access to important resources and to prevent intrusion by attackers as well as damage caused by careless operations of legitimate users.
An access control list is an access permission table built around the object (for example a file). Its main advantages are simple implementation and little impact on system performance; it is the access control scheme adopted by most current operating systems (Windows, Linux and so on) and is also frequently adopted in information security management systems. ACLs are intuitive and easy to understand, and all users holding rights to a specific resource can be listed easily, so authorization management can be implemented effectively. However, ACLs become enormous when the number of users and the amount of managed data are large, and when personnel or job functions change, maintaining the ACL becomes very difficult. In the RBAC model, rights are not assigned directly to users: rights are assigned to roles, and users are assigned to roles, thereby obtaining the rights of those roles. An RBAC system defines a number of roles, each of which fulfils a certain function; users are assigned to roles according to their functions and responsibilities, and once a user becomes a member of a role the user can perform that role's functions. In RBAC the role-to-right relationship may be predefined, and a user can be given predefined roles so that authorization is explicit and accountable, thereby enforcing a security policy. Assigning roles to users is much easier and more flexible than assigning rights to users, which simplifies system management.
Both ACL and RBAC are passive, subject-object based access control security models that protect resources from the system's perspective. In a passive security model authorization is static: the subject holds its rights before performing a task, and the model is a pure access control model that does not consider changes in operational context, security baseline or risk.
An industrial Internet identifier resolution system opens access interfaces to system administrators, system operators and registration/query personnel, and interconnects with the identifier resolution systems of other nodes. It stores a large amount of sensitive data, and a gap or vulnerability in access control at any link can cause serious security problems and even threaten national security. Current industrial Internet identifier resolution systems adopt traditional access control means, treat the intranet as trusted by default, are not effectively linked with the operator's identity, the terminal, the network environment and the security risk, and lack a coordinated, system-wide access control mechanism.
The access control system provided by the embodiment of the application is built on the zero trust concept. In 2010 John Kindervag, then a principal analyst at Forrester, first proposed the zero trust (zero trust network) approach to enterprise security. In the more than eleven years since, the zero trust security concept has been increasingly known, accepted and practised by the industry; with the successful completion of Google's BeyondCorp project, built on the zero trust idea, the zero trust protection concept spread rapidly and gained wider practice and application. NIST has published a zero trust architecture standard (SP 800-207) and Microsoft has proposed a zero trust maturity model. Zero trust has quickly been deployed in public security, telecommunications operators, communication departments and other organizations or industries, with very notable results. A design principle of zero trust is to draw on as many risk-acquisition sources as possible: in real projects a terminal environment sensing technology is often adopted, and components that can provide UEBA analysis results, such as network threat detection, situational awareness and security audit, can serve as data sources for trust evaluation, provided there is a unified interface and unified evaluation criteria.
In general, the zero trust architecture five major security assertions include:
1. networks are always considered hostile;
2. the threat of the outside and the inside of the network always exists;
3. network location is insufficient to determine trust in the network;
4. each device, user, and network flow is authenticated and authorized;
5. the policy must be dynamic and revised based on as many sources of data as possible.
In terms of systematic design, the access control system provided by the embodiment of the application covers the full access control life cycle: from the establishment of the identity library and the permission library, to the initiation of access, the access process, risk collection and evaluation, dynamic handling, and log-out. Traditional access control technology does not offer this.
The data plane of a zero trust system generally comprises one or more security proxy gateways with different access control granularities; for example, there may be only one network-level access control device, to which an access-level or application-level access control device may be added. The access control system provided by the embodiment of the application mainly adopts access-level and application-level access control devices. When a risk occurs, an identity can be prevented from accessing certain functional interfaces, certain applications, or the network, depending on the control granularity. Corresponding trusted access agents may be deployed for different scenarios and for the form in which the business system exists. The access control system provided by the embodiment of the application is designed and implemented on the basis of the Software Defined Perimeter (SDP) technical standard and separates the control plane from the data plane. By default the control plane provides the external knock and authentication services and exposes a single User Datagram Protocol (UDP) listening port. The industrial identifier system is reached through the zero trust proxy gateway of the data plane; by default the zero trust proxy gateway enables a default-drop policy and opens no port, so no unauthorized request can connect and the network or business system is hidden. A request that attempts to access the system first knocks on the zero trust controller with a single packet authentication (SPA) message; authentication follows a successful knock; after authentication passes, the zero trust controller issues a token to the zero trust gateway and synchronizes the policy to the terminal that initiated the access.
The terminal then accesses the business system through the zero trust proxy gateway. In this way no effective connection can be initiated without authentication, and the exposed surface of the network or business system is reduced.
The embodiment of the application also provides an industrial Internet identifier resolution access control system, as shown in fig. 2, which comprises: access subjects, access objects, trusted access agents, a trusted access control engine, a trust evaluation engine, an identity and permission infrastructure, and other security analysis platforms. The access subjects include people, devices, applications and branch networks. A security engine on the device side of the access subject is deployed as software and provides the access subject with personnel authentication, device authentication, a cryptographic engine, single packet authentication, terminal information collection and reporting, and similar functions.
The trust evaluation engine is the core component that provides continuous trust-level evaluation: it aggregates and analyses the terminal information reported by the end-side security engine together with information from other security analysis platforms, and is linked with the trusted access control engine to continuously supply the subject's trust evaluation as the basis for dynamic access control policy decisions. Strictly speaking, the more complete the collected risk information, the more accurate the trust evaluation.
The trusted access control engine continuously receives evaluation data from the trust evaluation engine, generates an access control policy based on the current trust level in combination with the identity and permission infrastructure, and sends the policy to the trusted access agent, which executes the corresponding security policy. The trusted access agent handles the data plane of the system: it is responsible for secure encapsulation, secure proxying and security inspection of access traffic, and is linked with the control plane to execute the dynamic access control policy. Secure encapsulation mainly uses virtual private network (VPN) technology for channel encryption. The secure proxy is built on Nginx and resembles the reverse proxy of SSL VPN technology, which establishes a remote secure access channel over Secure Sockets Layer (SSL)/TLS: the terminal sees only the proxy gateway and never the real service address. Security inspection mainly checks the token carried in an access request in cooperation with the control plane; the control plane judges the validity of the token and then instructs the trusted access agent to block or release the request.
Compared with a traditional access control system, the access control system provided by the embodiment of the application has the following characteristics:
1. Current access control systems lack the capability for multi-dimensional authentication of the subject, or adopt a username/password authentication mode with a weaker security level, which easily leads to impersonated access (or impersonated access after the password is brute-forced); in that case an impersonated access subject can legitimately access the industrial Internet identifier resolution system and obtain unauthorized data. To address the identity authentication of the interacting subject, the access control system provided by the embodiment of the application provides a multi-dimensional identity authentication mechanism that comprehensively covers the security attributes of users and devices and ensures that the access subject is a registered, approved device used by a trusted person and that the device meets the security baseline. The security risk of a lost or cracked authentication credential, of an unauthorized subject using a cracked credential, or of a non-compliant security baseline on the subject's device can thus be effectively mitigated.
2. Access control systems lack data confidentiality and integrity protection, so information is easily stolen or tampered with in transit. For secure transmission of information between identifier resolution systems, the access control system provided by the embodiment of the application adopts a Chinese national commercial cryptography (SM algorithm) engine to protect the confidentiality and integrity of the interaction information.
3. An access control system exposes the address of the identifier resolution system, which may lead to connection-based or load-based attacks that leave the system unable to provide service. To address address exposure, the access control system provided by the embodiment of the application introduces separation of the control plane from the data plane and an authenticate-before-connect design: it is hidden from the external network by default, only the control plane exposes a unidirectional listening port, and attacks that rely on first establishing a network connection can be effectively defended against.
4. Access control systems lack systematic consideration: they focus only on static, preset access control logic, lack systematic protection means, and cannot combine risk identification with dynamic response and handling. The access control system provided by the embodiment of the application adopts a trust evaluation module and a policy control module; the subject's trust level is evaluated in real time by collecting baseline monitoring and operation information of the subject, and once a risk is found the policy control module generates, issues and executes a dynamic control policy, achieving dynamic handling.
Also provided herein is an access control method, as shown in fig. 3, including:
step 201, periodically collecting operation information and environment information of the terminal, and evaluating the obtained operation information and environment information according to a preset risk evaluation strategy to obtain an evaluation result.
Step 202, when the evaluation result is abnormal, generating an access control policy by combining it with a preset user security access rule.
Step 203, performing access control according to the generated access control policy.
In one illustrative example, the access control policy includes an application-level access control policy and an interface-level access control policy.
The application-level access control policy includes at least one of: forcing the user offline, and prohibiting access to the application; the interface-level access control policy includes: prohibiting a function of the accessed application.
In an exemplary embodiment, before periodically collecting the operation information of the terminal, the method further includes:
firstly, acquiring device authentication information sent by the terminal in a unidirectional message, and verifying it;
secondly, when that verification passes, opening the corresponding authentication port, acquiring the user identity information and environment information of the terminal through the authentication port, and verifying them;
then, when that verification passes, synchronizing an access token and an interface token to the terminal;
next, receiving a secure channel negotiation request from the terminal, the request carrying the terminal's access token;
and finally, verifying the access token, and establishing a secure channel with the terminal when the verification passes.
In an exemplary embodiment, after establishing the secure channel with the terminal, the method further includes:
First, receiving an application access request initiated by the terminal through the established secure channel; the application access request carries the access token indicating whether the terminal has application access permission.
Second, verifying the access token, and when the verification passes, displaying the function page of the application corresponding to the application access request to the terminal in response to the application access request.
Then, receiving an interface access request initiated by the terminal; the interface access request carries the access token of the terminal and an interface token indicating that the terminal has function access permission.
Finally, verifying the access token and the interface token, and forwarding the application access request to the intranet when the verification passes.
In one illustrative example, verifying the interface token includes:
First, acquiring the target terminal identity information corresponding to the access token in the interface access request, according to a pre-established correspondence between terminal identity information and access tokens.
Second, acquiring the target interface token corresponding to the target terminal identity information, according to a pre-established correspondence between terminal identity information and interface tokens, and checking whether the target interface token is identical to the interface token carried in the interface access request.
Finally, if the two interface tokens are identical, determining that the interface token passes verification.
In an exemplary embodiment, acquiring device authentication information initiated by the terminal through a unidirectional message includes:
acquiring the device authentication information initiated by the terminal in a fixed single packet authorization (SPA) format through a unidirectional, connectionless port.
In one illustrative example, the device authentication information includes at least one of: the version number of the authentication packet, a token, a seed, a password, and a count value.
In one illustrative example, the user identity information includes at least one of: identity authentication credentials and device fingerprint information.
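The following added example (not code from the patent) models the trusted access control engine's side of the two checks described above: it accepts a fixed-format SPA packet carrying the version number, token, seed, password and count value, and it verifies an interface token through the two correspondences (access token to terminal identity, terminal identity to interface token). The packet layout, the use of HMAC-SHA256 over the other fields as the "password", the monotonically increasing count value as replay protection, and the in-memory token tables are constructed assumptions; the patent names the fields but does not fix their encoding.

```python
import hashlib
import hmac
import secrets
import struct

SPA_VERSION = 1
# Fixed packet layout (assumed): version(1) | token(16) | seed(16) | count(4) | password(32)
SPA_FMT = "!B16s16sI32s"
SPA_LEN = struct.calcsize(SPA_FMT)  # 69 bytes


def spa_password(secret: bytes, version: int, token: bytes, seed: bytes, count: int) -> bytes:
    """Password field (assumed): HMAC over every other field, keyed by the device's secret."""
    msg = struct.pack("!B16s16sI", version, token, seed, count)
    return hmac.new(secret, msg, hashlib.sha256).digest()


def build_spa_packet(secret: bytes, token: bytes, count: int) -> bytes:
    """The single packet a terminal security engine sends over the unidirectional UDP port."""
    seed = secrets.token_bytes(16)
    return struct.pack(SPA_FMT, SPA_VERSION, token, seed, count,
                       spa_password(secret, SPA_VERSION, token, seed, count))


class TrustedAccessControlEngine:
    def __init__(self, enrolled: dict):
        # enrolled: device SPA token -> (device secret, terminal identity); constructed table
        self.enrolled = enrolled
        self.last_count = {}             # device token -> highest count value accepted
        self.identity_by_access = {}     # access token -> terminal identity information
        self.interface_by_identity = {}  # terminal identity information -> interface token

    def check_spa(self, packet: bytes):
        """Accept only a well-formed SPA packet from an enrolled device with a fresh
        count value. Returns the terminal identity whose authentication port should be
        opened, or None, in which case the packet is silently dropped (no reply)."""
        if len(packet) != SPA_LEN:
            return None
        version, token, seed, count, password = struct.unpack(SPA_FMT, packet)
        if version != SPA_VERSION or token not in self.enrolled:
            return None
        secret, identity = self.enrolled[token]
        expected = spa_password(secret, version, token, seed, count)
        if not hmac.compare_digest(expected, password):
            return None
        if count <= self.last_count.get(token, -1):
            return None  # replayed or stale packet
        self.last_count[token] = count
        return identity

    def issue_tokens(self, identity: str) -> tuple:
        """After identity and environment verification: mint the access token and the
        interface token and record both correspondences used later for verification."""
        access = secrets.token_hex(16)
        interface = secrets.token_hex(16)
        self.identity_by_access[access] = identity
        self.interface_by_identity[identity] = interface
        return access, interface

    def verify_access_token(self, access: str) -> bool:
        return access in self.identity_by_access

    def verify_interface_token(self, access: str, interface: str) -> bool:
        """The two-step lookup: access token -> terminal identity -> target interface
        token, then a constant-time comparison with the token in the request."""
        identity = self.identity_by_access.get(access)
        if identity is None:
            return False
        target = self.interface_by_identity.get(identity)
        return target is not None and hmac.compare_digest(target, interface)
```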
According to the access control method, the operation information and environment information of the terminal are collected periodically, the collected data are evaluated to obtain an access control policy, and access control is performed according to that policy; in this way the information of the access subject is continuously collected and dynamically evaluated, and an access subject that carries a risk can be dynamically controlled in time.
An access control method is also provided herein, as shown in fig. 4, including:
A.1, the terminal security engine of the access subject (or the branch-side proxy gateway, if the access subject is a branch network) initiates single packet authorization (SPA) with the control plane, sending the SPA packet to the trusted access control engine through a unidirectional, connectionless port in a fixed SPA format.
A.2, the trusted access control engine responds only to unidirectional messages in the SPA format; it verifies the version number, token, seed, password, count value and other information of the authentication packet, and opens the corresponding authentication port after confirming that the information is correct.
A.3, the terminal security engine initiates an authentication request, submits identity authentication credentials (it is suggested that these include at least a national commercial cryptography digital certificate), and collects device fingerprint information and device security baseline state information (corresponding to the environment information in the embodiments) for the control plane.
A.4, after the multidimensional identity verification by the trusted access control engine passes, the terminal identity token and the permission list information are synchronized to the terminal security engine.
A.5, the terminal security engine carries the token to initiate negotiation of the security tunnel with the trusted identification resolution access agent, and a secure channel is established after negotiation.
A.6, the trusted identification resolution access agent extracts the token and coordinates with the trusted access control engine to verify the validity of the token.
A.7, if the token is valid, the trusted identification resolution access agent accepts the access request, and the terminal carries the token to initiate access to the trusted identification resolution application agent.
A.8, the trusted identification resolution application agent extracts the token and coordinates with the trusted access control engine to verify the validity of the token.
A.9, if the token is valid, the trusted identification resolution application agent accepts the interface access request.
The interaction information is forwarded to the intranet-side target (mostly servers or applications) after protocol stripping, filtering and other operations performed by the network security isolation device.
B.1, the terminal security engine periodically collects information such as the running state and security baseline of the terminal according to the policy configuration of the trust evaluation engine, and reports it to the trust evaluation engine.
B.2, the trust evaluation engine performs trust evaluation scoring on the reported information in real time; when an anomaly is found, it synchronizes the trust result to the trusted access control engine, which generates a dynamic access control policy by combining identity permissions and issues it to the trusted identification resolution access agent or the trusted identification resolution application agent.
B.3, the trusted identification resolution access agent receives the dynamic access control policy from the trusted access control engine and executes it, implementing application-level access control.
B.4, the trusted identification resolution application agent receives the dynamic access control policy from the trusted access control engine and executes it, implementing interface-level access control.
In one illustrative example, A.1 to A.9 form the one-time login access procedure, i.e., the procedure from login to the initiation of access; B.1 to B.4 form the real-time periodic dynamic access control flow, in which risk assessment and dynamic access control are carried out dynamically in real time.
In one illustrative example, only for terminals that have knocked through, i.e., legitimate terminals, does the zero trust control plane open the corresponding TLS authentication connection. This realizes "authenticate first, connect later": a terminal that has not been authenticated can never find the system entrance, or even the authentication entrance. Moreover, the unidirectional UDP zero trust control plane listens only to UDP SPA messages, so even a large-scale stress attack by an attacker would require hundreds of times or more the cost of a traditional Transmission Control Protocol (TCP) connection attack, which is generally considered not viable. Such an architecture can mitigate or eliminate stress-based, connection-based and aggressive behaviors.
The present application describes a number of embodiments, but the description is illustrative and not limiting and it will be apparent to those of ordinary skill in the art that many more embodiments and implementations are possible within the scope of the embodiments described herein. Although many possible combinations of features are shown in the drawings and discussed in the detailed description, many other combinations of the disclosed features are possible. Any feature or element of any embodiment may be used in combination with or in place of any other feature or element of any other embodiment unless specifically limited.
The present application includes and contemplates combinations of features and elements known to those of ordinary skill in the art. The embodiments, features and elements of the present disclosure may also be combined with any conventional features or elements to form a unique inventive arrangement as defined in the claims. Any feature or element of any embodiment may also be combined with features or elements from other inventive arrangements to form another unique inventive arrangement as defined in the claims. Thus, it should be understood that any of the features shown and/or discussed in this application may be implemented alone or in any suitable combination. Accordingly, the embodiments are not to be restricted except in light of the attached claims and their equivalents. Further, various modifications and changes may be made within the scope of the appended claims.
Furthermore, in describing representative embodiments, the specification may have presented the method and/or process as a particular sequence of steps. However, to the extent that the method or process does not rely on the particular order of steps set forth herein, the method or process should not be limited to the particular sequence of steps described. Other sequences of steps are possible as will be appreciated by those of ordinary skill in the art. Accordingly, the particular order of the steps set forth in the specification should not be construed as limitations on the claims. Furthermore, the claims directed to the method and/or process should not be limited to the performance of their steps in the order written, and one skilled in the art can readily appreciate that the sequences may be varied and still remain within the spirit and scope of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, functional modules/units in the apparatus, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.

Claims (14)

1. An access control system, comprising:
a trust evaluation engine, configured to periodically collect operation information and environment information of a terminal, evaluate the obtained operation information and environment information according to a preset risk evaluation policy to obtain an evaluation result, and send the evaluation result to a trusted access control engine when the evaluation result is abnormal;
the trusted access control engine, configured to receive the abnormal evaluation result, generate an access control policy by combining a preset security access rule, and issue the access control policy to a trusted identification resolution access agent or a trusted identification resolution application agent;
the trusted identification resolution access agent, configured to perform access control according to the obtained access control policy;
the trusted identification resolution application agent, configured to perform access control according to the obtained access control policy;
wherein the trusted access control engine is further configured to:
acquire device authentication information initiated by the terminal through a unidirectional message, and verify it;
when the verification passes, open a corresponding authentication port, acquire user identity information and environment information of the terminal through the authentication port, and verify them;
when the verification passes, synchronize an access token and an interface token to the terminal;
receive a secure channel negotiation request from the terminal, the secure channel negotiation request carrying the access token of the terminal;
verify the access token, and establish a secure channel with the terminal when the verification passes;
the trusted identification resolution access agent is further configured to: receive an application access request initiated by the terminal through the pre-established secure channel, the application access request carrying the access token of the terminal with application access permission;
send the access token to the trusted access control engine, which verifies the access token; and when the access token passes verification, display a function page of the application corresponding to the application access request to the terminal in response to the application access request;
receive an interface access request initiated by the terminal, the interface access request carrying the access token of the terminal and the interface token of the terminal with function access permission;
send the access token to the trusted access control engine to verify the access token, and forward the interface access request to the trusted identification resolution application agent when the access token passes verification;
the trusted identification resolution application agent is further configured to:
receive the interface access request from the trusted identification resolution access agent, and send the access token and the interface token therein to the trusted access control engine, which verifies the interface token according to the access token;
and when the verification passes, forward the application access request to an intranet.
2. The system of claim 1, wherein the trusted access control engine is specifically configured to:
when the generated access control policy comprises an application-level policy, issue the access control policy to the trusted identification resolution access agent; wherein the application-level access control policy includes at least one of: forcing the user offline and prohibiting access to the application;
when the generated access control policy comprises an interface-level policy, issue the access control policy to the trusted identification resolution application agent; wherein the interface-level access control policy includes: prohibiting access to a function of the application.
3. The system of claim 1, wherein the trusted access control engine is specifically configured to:
acquire target terminal identity information corresponding to the access token in the interface access request according to a pre-established correspondence between terminal identity information and access tokens;
acquire a target interface token corresponding to the target terminal identity information according to a pre-established correspondence between terminal identity information and interface tokens, and check whether the target interface token is identical to the interface token in the interface access request;
and if the interface tokens are identical, determine that the interface token passes verification.
4. The system of claim 1, wherein the trusted access control engine is configured to acquire the device authentication information initiated by the terminal through a unidirectional, connectionless port and in a fixed single packet authorization (SPA) format.
5. The system of claim 1 or 4, wherein the device authentication information comprises at least one of: the version number of the authentication packet, a token, a seed, a password, and a count value.
6. The system of claim 1, wherein the user identity information comprises at least one of: identity authentication credentials and device fingerprint information.
7. An access control method, the method comprising:
periodically collecting operation information and environment information of a terminal, and evaluating the collected operation information and environment information according to a preset risk evaluation policy to obtain an evaluation result;
when the evaluation result is abnormal, generating an access control policy by combining a preset user security access rule;
performing access control according to the generated access control policy;
wherein, before acquiring the operation information periodically collected by the terminal, the method further comprises:
acquiring device authentication information initiated by the terminal through a unidirectional message, and verifying it;
when the verification passes, opening a corresponding authentication port, acquiring user identity information and environment information of the terminal through the authentication port, and verifying them;
when the verification passes, synchronizing an access token and an interface token to the terminal;
receiving a secure channel negotiation request from the terminal, the secure channel negotiation request carrying the access token of the terminal;
verifying the access token, and establishing a secure channel with the terminal when the verification passes;
and after establishing the secure channel with the terminal, the method further comprises:
receiving an application access request initiated by the terminal through the established secure channel, the application access request carrying the access token indicating whether the terminal has application access permission;
verifying the access token, and when the verification passes, displaying a function page of the application corresponding to the application access request to the terminal in response to the application access request;
receiving an interface access request initiated by the terminal, the interface access request carrying the access token of the terminal and the interface token of the terminal with function access permission;
and verifying the access token and the interface token, and forwarding the application access request to an intranet when the verification passes.
8. The method of claim 7, wherein the access control policy comprises: an application-level access control policy and an interface-level access control policy;
wherein the application-level access control policy includes at least one of: forcing the user offline and prohibiting access to the application; and the interface-level access control policy includes: prohibiting access to a function of the application.
9. The method of claim 8, wherein verifying the interface token comprises:
acquiring target terminal identity information corresponding to the access token in the interface access request according to a pre-established correspondence between terminal identity information and access tokens;
acquiring a target interface token corresponding to the target terminal identity information according to a pre-established correspondence between terminal identity information and interface tokens, and checking whether the target interface token is identical to the interface token in the interface access request;
and if the interface tokens are identical, determining that the interface token passes verification.
10. The method of claim 7, wherein acquiring the device authentication information initiated by the terminal through a unidirectional message comprises:
acquiring the device authentication information initiated by the terminal in a fixed single packet authorization (SPA) format through a unidirectional, connectionless port.
11. The method of claim 7 or 10, wherein the device authentication information comprises at least one of: the version number of the authentication packet, a token, a seed, a password, and a count value.
12. The method of claim 7, wherein the user identity information comprises at least one of: identity authentication credentials and device fingerprint information.
13. An access control device comprising a memory and a processor, the memory having a computer program stored thereon which, when executed by the processor, performs the access control method according to any one of claims 7 to 12.
14. A storage medium having stored thereon computer executable instructions for performing the access control method according to any one of claims 7 to 12.
CN202210272573.4A 2022-03-18 2022-03-18 Access control system, method, device and storage medium Active CN114598540B (en)

Publications (2)

Publication Number Publication Date
CN114598540A CN114598540A (en) 2022-06-07
CN114598540B true CN114598540B (en) 2024-03-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant