CN114640497A - Network security isolation system - Google Patents


Info

Publication number: CN114640497A
Application number: CN202210096314.0A
Authority: CN (China)
Prior art keywords: security, resource, access request, authentication, certificate
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN114640497B (en)
Inventors: 李鹏, 袁畅, 陈强, 孙杰
Current assignee: Shandong Zhongwang Yunan Intelligent Technology Co ltd
Original assignee: Shandong Zhongwang Yunan Intelligent Technology Co ltd
Application filed by Shandong Zhongwang Yunan Intelligent Technology Co ltd; priority to CN202210096314.0A; published as CN114640497A; application granted and published as CN114640497B.

Classifications

All classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/0236 Network security; separating internal from external traffic (e.g. firewalls); filtering policies; filtering by address, protocol, port number or service, e.g. IP address or URL
    • H04L63/0823 Network security; authentication of entities using certificates
    • H04L63/0876 Network security; authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network security; controlling access to devices or network resources
    • H04L63/20 Network security; managing network security; network security policies in general
    • H04L9/3239 Cryptographic mechanisms; message authentication using non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L9/3247 Cryptographic mechanisms; message authentication involving digital signatures
    • H04L9/3268 Cryptographic mechanisms; certificates (public key certificate [PKC] or attribute certificate [AC]) and PKI arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L9/3297 Cryptographic mechanisms; message authentication involving time stamps, e.g. generation of time stamps

Abstract

The invention provides a network security isolation system comprising at least one network device, one or more application servers, a processor and an identification machine. Based on an access request sent by the network device to access an application server resource of the application server, the identification machine obtains, in its identification response, the physical address of the access request and its authentication resource. An access request that carries an authentication certificate is handed to the processing module, which provides a security execution logic for the access request to obtain the application server resource. If the access request does not contain the authentication resource, the access request without the authentication resource is handed to the processing module, which provides a second security execution logic for the access request to obtain the application server resource; the second security execution logic has a set second security execution policy, and the second security execution policy has a permission library, a permission unit, a tracking unit, an isolation unit, a security writer, a security write interface and a clock unit.

Description

Network security isolation system
Technical Field
The invention relates to the technical field of network security, in particular to a network security isolation system.
Background
The access request of an ordinary client secures the API interface by means of an MD5 parameter signature. In general, every client holds a certificate (Token) for accessing the server; the basic principle is that after the user logs in with a password or passes authentication with a verification code, the server returns the Token to the client and stores the Token-UserId pair in a cache server as a key-value pair.
However, once the Token is hijacked, requests can be forged and parameters tampered with so as to gain the server's trust, which creates a potential security hazard for the server. For this reason, the existing technique secures the API interface with an MD5 parameter signature: since the MD5 parameter signature includes timestamp verification, the Token, the service parameters and the client signature, and these are verified in sequence, even after the Token is hijacked the application credential that passes access cannot be obtained.
In this mode, access verification is completed through a valid certificate, which is passive defense; unsafe access cannot be isolated, so the purpose of active defense is not achieved.
Disclosure of Invention
The present invention is directed to a network security isolation system to solve the above problems.
In order to achieve the purpose, the invention provides the following technical scheme:
a network security isolation system comprising:
at least one network device;
one or more application servers;
a processor having a processing module constituted by a plurality of processors or processing circuits;
an identification machine connected with the processor,
the identification machine being configured to obtain, in its identification response, the physical address of an access request and its authentication resource, based on the access request sent by the network device to access an application server resource of the application server; the authentication resource contains an authentication certificate; an access request carrying the authentication certificate is passed to the processing module, which provides a first security execution logic for the access request to obtain the application server resource; the first security execution logic has a set first security execution policy; the first security execution policy has a security level determination part and a first association control unit; the security level determination part determines the security level of the authentication resource according to the attributes of the authentication certificate, and, according to the determined security level, an authentication unit in the processor or processing circuit forms an associated certificate according to a set management mode; the authentication resource and the associated certificate are written into an attribute table through the first association control unit and then deployed in a first security management machine of the application server;
the identification machine being further configured so that, if the access request does not contain the authentication resource, the access request without the authentication resource is sent to the processing module, which provides a second security execution logic for accessing the application server resource; the second security execution logic has a set second security execution policy, and the second security execution policy has a permission library, a permission unit, a tracking unit, an isolation unit, a security writer, a security write interface and a clock unit;
the permission library holds a plurality of license certificates that are enabled on the basis of time;
the permission unit loads the permission library to match a license certificate to the access request without the authentication resource;
the association control unit deploys the license certificate in a second security management machine of a trap server, so that the access request without the authentication resource obtains, on the basis of the license certificate, a one-time response of a trap server resource from the trap server;
the tracking unit tracks the feedback result of the access request without the authentication resource in the response that accesses the trap server resource;
based on the feedback result, it is determined whether to execute the security writer to write a security certificate of limited access for the access request without the authentication resource;
or, based on the feedback result, it is determined whether to execute the isolation unit to mark the physical address of the access request without the authentication resource and isolate it into a blacklist;
or, a security certificate of limited access is written for the access request without the authentication resource by a manual-access security writing program through the security write interface;
and a security level is determined based on the security certificate, an associated certificate is formed from the determined security level by the authentication unit in the processor or processing circuit according to the set management mode, the authentication resource and the associated certificate are written into the attribute table through the association control unit, and they are deployed in the first security management machine of the application server.
Further, the processing module has a first sub-module and a second sub-module;
the first sub-module has a first drive unit;
the second sub-module has a second drive unit;
which of the first drive unit and the second drive unit is activated is determined by the identification result that the identification machine obtains, in its identification response, for the access request sent by the network device to access the application server resource.
Further, the application server is provided with a signature library formed from the clients; the signature library is transmitted to the identification machine at a set period, and the identification machine receives the signature library to update the verification library arranged in it.
Further, the identification machine is provided with an identification part, a verification library, a first output channel and a second output channel;
the identification part loads the verification library to verify the signature of the access request; if the signature is consistent with the signature in the verification library, the request is input to the first drive unit through the first output channel;
and if the signature is inconsistent with the signature in the verification library, the request is input to the second drive unit through the second output channel.
Further, the license certificate is verified by the uniqueness of its enabling timestamp and grants access permission within a set time.
Further, the trap server is provided with a monitor that monitors the access execution status, at the trap server, of the one-time access request carrying the license certificate, and the monitor is connected with the tracking unit.
Compared with the prior art, the invention has the following beneficial effects:
Through the identification machine, the application inputs an access request to the first drive unit through the first output channel according to whether an authentication certificate is loaded. When the access request carries the authentication certificate, the first drive unit drives the first sub-module, so that the access request with the authentication certificate is handed to the first sub-module, which provides a first security execution logic for the access request to acquire the application server resource of the application server. The first security execution logic has a set first security execution policy; the first security execution policy has a security level determination part and a first association control unit; the security level determination part determines the security level of the authentication resource according to the attributes of the authentication certificate: for example, the security levels of MD5 parameter signature, Token + timestamp verification + business parameters, Token + timestamp verification, and Token verification decrease in that order. When a client establishes an access request with the application server for the first time, the authentication unit in the processor or processing circuit forms an associated certificate according to the set management mode, and the authentication resource and the associated certificate are written into an attribute table and then deployed in the first security management machine of the application server through the first association control unit;
when the access request carries no authentication certificate, the access request without the authentication resource is handed to the processor, which provides a second security execution logic for the access request to acquire the application server resource of the application server. The second security execution logic has a set second security execution policy, and the second security execution policy has a permission library, a permission unit, a tracking unit, an isolation unit, a security writer, a security write interface and a clock unit; the permission library holds a plurality of license certificates enabled on the basis of time; the permission unit loads the permission library to match a license certificate to the access request without the authentication resource; the association control unit deploys the license certificate in the second security management machine of the trap server, so that the access request without the authentication resource obtains, on the basis of the license certificate, a one-time response of the trap server resource from the trap server; the tracking unit tracks the feedback result of the access request without the authentication resource in the response that accesses the trap server resource; and based on the feedback result it is determined whether to execute the security writer to write a security certificate of limited access for the access request without the authentication resource.
Drawings
FIG. 1 is a schematic diagram of the framework of the system of the present invention;
FIG. 2 is a detailed schematic diagram of the system of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to FIG. 1 and FIG. 2, the present application provides a network security isolation system comprising:
at least one network device;
one or more application servers;
a processor having a processing module constituted by a plurality of processors or processing circuits;
an identification machine connected with the processor,
the identification machine being configured to obtain, in its identification response, the physical address of an access request and its authentication resource, based on the access request sent by the network device to access an application server resource of the application server; the authentication resource contains an authentication certificate; an access request carrying the authentication certificate is passed to the processing module, which provides a first security execution logic for the access request to obtain the application server resource; the first security execution logic has a set first security execution policy; the first security execution policy has a security level determination part and a first association control unit; the security level determination part determines the security level of the authentication resource according to the attributes of the authentication certificate, and, according to the determined security level, an authentication unit in the processor or processing circuit forms an associated certificate according to a set management mode; the authentication resource and the associated certificate are written into an attribute table through the first association control unit and then deployed in a first security management machine of the application server;
the identification machine being further configured so that, if the access request does not contain the authentication resource, the access request without the authentication resource is sent to the processing module, which provides a second security execution logic for accessing the application server resource; the second security execution logic has a set second security execution policy, and the second security execution policy has a permission library, a permission unit, a tracking unit, an isolation unit, a security writer, a security write interface and a clock unit;
the permission library holds a plurality of license certificates that are enabled on the basis of time;
the permission unit loads the permission library and matches a license certificate to the access request without the authentication resource;
the association control unit deploys the license certificate in a second security management machine of the trap server, so that the access request without the authentication resource obtains, on the basis of the license certificate, a one-time response of the trap server resource from the trap server;
the tracking unit tracks the feedback result of the access request without the authentication resource in the response that accesses the trap server resource;
based on the feedback result, it is determined whether to execute the security writer to write a security certificate of limited access for the access request without the authentication resource;
or, based on the feedback result, it is determined whether to execute the isolation unit to mark the physical address of the access request without the authentication resource and isolate it into a blacklist;
or, a security certificate of limited access is written for the access request without the authentication resource by a manual-access security writing program through the security write interface;
and a security level is determined based on the security certificate, an associated certificate is formed from the determined security level by the authentication unit in the processor or processing circuit according to the set management mode, the authentication resource and the associated certificate are written into the attribute table through the association control unit, and they are deployed in the first security management machine of the application server.
Further, the processing module has a first sub-module and a second sub-module;
the first sub-module has a first drive unit;
the second sub-module has a second drive unit;
which of the first drive unit and the second drive unit is activated is determined by the identification result that the identification machine obtains, in its identification response, for the access request sent by the network device to access the application server resource.
Further, the application server is provided with a signature library formed from the clients; the signature library is transmitted to the identification machine at a set period, and the identification machine receives the signature library to update the verification library arranged in it.
Further, the identification machine is provided with an identification part, a verification library, a first output channel and a second output channel;
the identification part loads the verification library to verify the signature of the access request; if the signature is consistent with the signature in the verification library, the request is input to the first drive unit through the first output channel;
and if the signature is inconsistent with the signature in the verification library, the request is input to the second drive unit through the second output channel.
Further, the license certificate is verified by the uniqueness of its enabling timestamp and grants access permission within a set time.
Further, the trap server is provided with a monitor that monitors the access execution status, at the trap server, of the access request carrying the license certificate, and the monitor is connected with the tracking unit.
The application can input an access request to a first driving unit through a first output channel according to whether an authentication certificate is loaded or not through an identification machine, when the access request has the authentication certificate, the first driving unit drives a first submodule so that the access request with the authentication certificate is handed to the first submodule to provide a first security execution logic for the access request to acquire an application server resource of an application server, the first security execution logic has a set first security execution strategy, the first security execution strategy has a security level determining part and a first association control unit, the security level determining part determines the security level of the authentication resource according to the attribute of the authentication certificate, such as the security level based on MD5 parameter signature, Token + timestamp verification + business parameter, Token + timestamp verification and Token verification is sequentially reduced, when a client establishes an access request with an application server for the first time, an authentication unit in the processor or the processing circuit forms an associated certificate according to a set management mode, and an authentication resource and the associated certificate are written into an attribute table and then deployed in a first security management machine of the application server through a first associated control unit;
in the above, the setting management mode is performed as follows:
When the security level determination section determines from the attributes of the authentication certificate that the security level of the authentication resource is the first level, for example a parameter signature based on MD5, the following applies. A parameter signature based on MD5 consists of Token + timestamp verification + service parameters + a once-valid random string. In the MD5 parameter signature the random string must differ for every request and is bound to the timestamp verification, which is why the MD5 parameter signature is the authentication resource with the highest security level. When the security level determination section determines, from the attributes of the authentication certificate, that the authentication resource is an MD5-based parameter signature, the set management mode injects one further once-valid random string into the request and binds it to the timestamp verification, forming an authentication mode of authentication resource + associated certificate.
When the security level determining part determines from the attributes of the authentication certificate that the security level of the authentication resource is the second level, for example Token + timestamp verification + service parameters, the set management mode injects two different once-valid random strings into the access request and binds them to the timestamp verification. Other security levels follow the same principle. Therefore, when the client next establishes an access request to the application server, the previous access request has already been written into the associated certificate, so verification of the repeated request fails and the authentication certificate is shown as expired; the client must then initiate an authentication request again, and a new authentication, consisting of the authentication resource plus the associated certificate, is issued. In this way access requests of different security levels are unified into a new security authentication resource.
In the above, even if a low-level authentication resource is hijacked, it can only form valid access once within the set time; a replay attack or tampering attack cannot pass verification a second time, so replay and tampering attacks are effectively prevented and the security level of the system is enhanced.
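The verification side of the first-level scheme just described, as an added example that is not the patent's own code: an MD5 parameter signature over Token + timestamp + service parameters + once-valid random string, where a repeated nonce is rejected as a replay and any changed field is rejected as tampering. The concatenation order, the shared-secret lookup and the time window are assumptions, and MD5 is used only because the page specifies it; a keyed MAC such as HMAC-SHA256 would be the modern choice.

```python
import hashlib
import hmac

# Added example: server-side verifier for the MD5 parameter signature scheme.
# Field order, secret lookup and time window are assumptions, not from the patent.

class SignatureVerifier:
    def __init__(self, secrets, window_seconds=60):
        self.secrets = secrets      # token -> shared secret (constructed sample data)
        self.window = window_seconds
        self.used = {}              # (token, nonce) -> timestamp the nonce was bound to

    @staticmethod
    def sign(secret, token, ts, params, nonce):
        # Canonical parameter order so client and server hash the same string.
        canon = "&".join(f"{k}={params[k]}" for k in sorted(params))
        msg = f"{token}|{ts}|{canon}|{nonce}|{secret}"
        return hashlib.md5(msg.encode()).hexdigest()

    def verify(self, req, now):
        secret = self.secrets.get(req["token"])
        if secret is None:
            return "unknown-token"
        if abs(now - req["ts"]) > self.window:   # timestamp verification
            return "expired"
        if (req["token"], req["nonce"]) in self.used:
            return "replay"                      # nonce already bound to an earlier request
        expected = self.sign(secret, req["token"], req["ts"], req["params"], req["nonce"])
        if not hmac.compare_digest(expected, req["sig"]):
            return "tampered"                    # any changed field breaks the signature
        self.used[(req["token"], req["nonce"])] = req["ts"]
        return "ok"

def demo():
    # Constructed request: first use passes, the identical request is a replay,
    # and a request with altered service parameters but a fresh nonce is tampered.
    v = SignatureVerifier({"tok-1": "s3cret"})
    ts, params = 1_700_000_000, {"op": "read", "rid": "42"}
    sig = SignatureVerifier.sign("s3cret", "tok-1", ts, params, "n-abc")
    req = {"token": "tok-1", "ts": ts, "params": params, "nonce": "n-abc", "sig": sig}
    first = v.verify(req, now=ts + 5)
    replay = v.verify(req, now=ts + 10)
    tampered = dict(req, params={"op": "write", "rid": "42"}, nonce="n-xyz")
    return first, replay, v.verify(tampered, now=ts + 10)
```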
When the access request does not carry an authentication certificate, it is input into the second driving unit through the second output channel, and the second driving unit drives the second sub-module. The access request without the authentication resource is handed to the second sub-module, which provides a second security execution logic for the access request to acquire the application server resource of the application server. The second security execution logic has a set second security execution policy, and the second security execution policy has a permission library, a permission unit, a tracking unit, an isolation unit, a security write-in program, a security write-in interface and a clock unit. The permission library holds a plurality of license certificates that are enabled based on time; the permission unit loads the permission library to match a license certificate to the access request without the authentication resource; the association control unit deploys the license certificate in the second security manager of the trap server, so that the access request without the authentication resource obtains a one-time response of the trap server resource from the trap server based on the license certificate; the tracking unit tracks the feedback result of the access request without the authentication resource in the response to accessing the trap server resource; and based on the feedback result it is determined whether to execute the security write-in program to write a security certificate of limited access for the access request without the authentication resource;
or, based on the feedback result, it is determined whether the isolation unit marks the physical address of the access request without the authentication resource and isolates it in a blacklist;
or, a security certificate of limited access is written for the access request without the authentication resource by manually invoking the security write-in program through the security write-in interface;
and a security level is determined based on the security certificate, an associated certificate is formed from the determined security level by the authentication unit in the processor or processing circuit according to the set management mode, and the authentication resource and the associated certificate are written into the attribute table by the association control unit and then deployed in the first security manager of the application server.
In the above, if the access request established by the client is judged to be secure (the authentication request may be initiated by the client through manual confirmation), the above-mentioned license certificate may be converted into an authentication mode of uniform format and deployed in the first security manager of the application server.
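The handling of a request without an authentication resource described above, as an added example that is not the patent's own code: a time-enabled, one-time license certificate is matched to the request, the trap server answers it exactly once, and the tracked feedback either writes a security certificate of limited access or isolates the request's physical address in a blacklist. Class and method names, the license lifetime and the access quota are assumptions; the physical addresses are constructed sample values.

```python
# Added example: second security execution logic for unauthenticated requests.
# Names, license lifetime and access quota are assumptions, not from the patent.

class SecondSecurityPolicy:
    def __init__(self, license_ttl=30):
        self.license_ttl = license_ttl     # seconds a license stays enabled (clock unit)
        self.licenses = {}                 # license id -> record (the permission library)
        self.blacklist = set()             # isolated physical addresses (isolation unit)
        self.limited = {}                  # physical address -> remaining accesses
        self._counter = 0

    def match_license(self, phys_addr, now):
        # Permission unit: hand an enabled license to an unauthenticated request,
        # unless its physical address has already been isolated.
        if phys_addr in self.blacklist:
            return None
        self._counter += 1
        lic = f"lic-{self._counter}"
        self.licenses[lic] = {"addr": phys_addr, "enabled": now, "used": False}
        return lic

    def trap_response(self, lic, now):
        # Trap server: exactly one response per license, within its enabled window.
        rec = self.licenses.get(lic)
        if rec is None or rec["used"] or now - rec["enabled"] > self.license_ttl:
            return False
        rec["used"] = True
        return True

    def apply_feedback(self, lic, benign, max_accesses=3):
        # Tracking unit feedback: write a limited-access certificate or isolate the address.
        addr = self.licenses[lic]["addr"]
        if benign:
            self.limited[addr] = max_accesses       # security write-in program
            return "limited-credential"
        self.blacklist.add(addr)                     # isolation unit
        return "blacklisted"

    def consume_limited_access(self, phys_addr):
        # Each use of the limited certificate spends one access; exhausted or absent -> refused.
        left = self.limited.get(phys_addr, 0)
        if left <= 0:
            return False
        self.limited[phys_addr] = left - 1
        return True
```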
The parts not involved in the present invention are the same as or can be implemented by the prior art. Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (6)

1. A network security isolation system, comprising:
at least one network device;
one or more application servers;
a processor having a processing module constituted by a plurality of processors or processing circuits;
the recognition machine is connected with the processor,
the identification machine is configured to obtain a physical address and an authentication resource of an access request under an identification response of the identification machine based on the access request sent by the network equipment to access the application server resource of the application server, the authentication resource comprises an authentication certificate, the access request with the authentication certificate is made to pass through a processing module to provide a first security execution logic for accessing the application server resource of the application server, the security execution logic has a set first security execution policy, the first security execution policy has a security level determination part and a first association control unit, the security level determination part determines the security level of the authentication resource according to the attribute of the authentication certificate, forms an association certificate according to a set management mode through an authentication unit in a processor or a processing circuit according to the determined security level, writes the authentication resource and the association certificate into an attribute table through the first association control unit, and deploys the authentication resource and the association certificate in the first security manager of the application server after the association certificate is written into the attribute table;
if the access request does not contain the authentication resource, the access request without the authentication resource is sent to a processing module to provide a second security execution logic for the access request to acquire the application server resource of the application server, the second security execution logic has a set second security execution policy, and the second security execution policy has a permission library, a permission unit, a tracking unit, an isolation unit, a security write-in program, a security write-in interface and a clock unit;
the license base is provided with a plurality of license certificates which are enabled based on time;
the permission unit loads a permission library to match a permission certificate for the access request without the authentication resource;
the association control unit deploys the license in a second security management machine of the trap server so that an access request without the authentication resource forms a trap server resource one-time response to the trap server based on the license;
the tracking unit is used for tracking a feedback result of an access request without containing an authentication resource in a response for accessing the trap server resource;
determining whether to execute a secure writer to write a security certificate of limited access for an access request not containing the authenticated resource based on the feedback result;
or, based on the feedback result, determining whether the execution isolation unit marks and isolates the physical address of the access request without containing the authentication resource into a blacklist;
or, a security certificate of limited access is written for the access request without the authentication resource by the manual access security writing program through the security writing interface;
and determining a security level based on the security certificate, forming an associated certificate according to the determined security level through an authentication unit in the processor or the processing circuit according to a set management mode, writing the authentication resource and the associated certificate into an attribute table through an associated control unit, and deploying the authentication resource and the associated certificate in a first security management machine of the application server.
2. The network security isolation system of claim 1 wherein the processing module has a first sub-module and a second sub-module;
the first sub-module has a first drive unit;
the second sub-module has a second drive unit;
the activation of the first drive unit and the second drive unit is determined based on an identification result obtained by an access request for accessing an application server resource of the application server sent by the network device in an identification response of the identification machine.
3. The network security isolation system of claim 1, wherein the application server has a signature library formed with the client, the signature library is transmitted to the identification machine at a set period, and the identification machine receives the signature library to update the verification library provided in the identification machine.
4. The network security isolation system of claim 1, wherein the identification machine has an identification portion, a verification library, a first output channel, and a second output channel;
the identification part loads a verification library to verify the signature of the access request, and if the signature is consistent with the signature in the verification library, the signature is input to the first drive unit through the first output channel;
and if the signature is inconsistent with the signature in the verification library, inputting the signature to a second driving unit through a second output channel.
5. The network security isolation system of claim 1, wherein the license certificate is authenticated with its enablement timestamp as a unique identifier and has access permission for a set time.
6. The network security isolation system according to claim 1, wherein the trap server is provided with a monitor for monitoring an access execution status of the one-time access request with the license certificate at the trap server, and the monitor is connected to the tracking unit.
CN202210096314.0A 2022-01-26 2022-01-26 Network security isolation system Active CN114640497B (en)

Publications (2)

Publication Number Publication Date
CN114640497A true CN114640497A (en) 2022-06-17
CN114640497B CN114640497B (en) 2023-03-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant