CN114726617B - Device authentication method, device, computer device, storage medium, and program product - Google Patents

Info

Publication number
CN114726617B
Authority
CN
China
Legal status
Active
Application number
CN202210361572.7A
Other languages
Chinese (zh)
Other versions
CN114726617A (en)
Inventor
邓建锋
赖宇阳
冯国聪
肖焯
吴昊
王依云
张丽娟
李慧娟
母天石
黄宝鑫
谭洪华
Current Assignee
Southern Power Grid Digital Grid Research Institute Co Ltd
Original Assignee
Southern Power Grid Digital Grid Research Institute Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The present application relates to a device authentication method, apparatus, computer device, storage medium, and program product. The server receives first identification information of each device sent by the client, generates a network access permission rule according to each first identification information, sends the network access permission rule to the switch, further receives second identification information of the device to be authenticated sent by the switch, authenticates the second identification information, and establishes communication connection with the device to be authenticated under the condition that the authentication passes. According to the method, the switch authenticates the equipment to be authenticated according to the network access permission rule, and sends the second identification information to the server under the condition that the authentication is passed, and the server further authenticates the equipment to be authenticated.

Description

Device authentication method, device, computer device, storage medium, and program product
Technical Field
The present application relates to the field of network security technologies, and in particular, to a device authentication method, apparatus, computer device, storage medium, and program product.
Background
Lightweight networked systems are widely used in industries such as power and new energy, but attack techniques and network security threats keep evolving: new attack technologies appear constantly, high-risk vulnerabilities are continuously exploited, and power enterprises face an increasingly severe network security situation. In a new-energy plant station or substation power monitoring system, the security state of the devices that access the system has a major influence on network security, so authenticating those access devices is a problem that urgently needs to be solved.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a device authentication method, apparatus, computer device, storage medium, and program product that can improve the level of network security.
In a first aspect, the present application provides a device authentication method, the method comprising:
Receiving first identification information of each device sent by a client;
generating a network access permission rule according to each piece of first identification information, and sending the network access permission rule to a switch;
Receiving second identification information of equipment to be authenticated, which is sent by a switch, wherein the second identification information is information which is sent to the server when the switch authenticates the equipment to be authenticated according to the network access permission rule;
And authenticating the second identification information, and establishing communication connection with the equipment to be authenticated under the condition that authentication is passed.
In one embodiment, the generating a rule for allowing network access according to each piece of the first identification information, and sending the rule for allowing network access to the switch, includes:
authenticating each piece of first identification information;
And if the authentication of each piece of first identification information is passed, generating the network access permission rule according to each piece of first identification information, and sending the network access permission rule to a switch.
In one embodiment, the method further comprises:
Acquiring detection information from a local database;
And generating a detection message according to the detection information, and sending the detection message to detection analysis equipment so that the detection analysis equipment can analyze and process the detection message to obtain an analysis result.
In one embodiment, the method further comprises:
Obtaining a target security policy, wherein the target security policy comprises an asset policy, a peripheral intervention policy, an access policy, a USB flash disk policy, a compliance baseline detection policy and an illegal external connection and cross-region interconnection detection policy;
and managing the safety of each device according to the target safety strategy.
In one embodiment, the method further comprises:
acquiring service identifiers of enabled port services of the equipment to be authenticated;
Acquiring service information of each port service;
and generating a port service information table according to the service identification of each port service and the service information of each port service.
In one embodiment, the generating a port service information table according to the service identifier of each port service and the service information of each port service includes:
determining the service type of each port service according to the service information of each port service;
And generating the port service information table according to the service identification and the service type of each port service.
In a second aspect, the present application also provides a device authentication apparatus, the apparatus comprising:
the first receiving module is used for receiving first identification information of each device sent by the client;
The first generation module is used for generating a network access permission rule according to each piece of first identification information and sending the network access permission rule to the switch;
The second receiving module is used for receiving second identification information of equipment to be authenticated, which is sent by the switch, wherein the second identification information is information which is sent to the server when the switch authenticates the equipment to be authenticated according to the network access permission rule;
and the authentication module is used for authenticating the second identification information and establishing communication connection with the equipment to be authenticated under the condition that the authentication passes.
In a third aspect, the present application also provides a computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program:
Receiving first identification information of each device sent by a client;
generating a network access permission rule according to each piece of first identification information, and sending the network access permission rule to a switch;
Receiving second identification information of equipment to be authenticated, which is sent by a switch, wherein the second identification information is information which is sent to the server when the switch authenticates the equipment to be authenticated according to the network access permission rule;
And authenticating the second identification information, and establishing communication connection with the equipment to be authenticated under the condition that authentication is passed.
In a fourth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of:
Receiving first identification information of each device sent by a client;
generating a network access permission rule according to each piece of first identification information, and sending the network access permission rule to a switch;
Receiving second identification information of equipment to be authenticated, which is sent by a switch, wherein the second identification information is information which is sent to the server when the switch authenticates the equipment to be authenticated according to the network access permission rule;
And authenticating the second identification information, and establishing communication connection with the equipment to be authenticated under the condition that authentication is passed.
In a fifth aspect, the present application also provides a computer program product comprising a computer program which when executed by a processor performs the steps of:
Receiving first identification information of each device sent by a client;
generating a network access permission rule according to each piece of first identification information, and sending the network access permission rule to a switch;
Receiving second identification information of equipment to be authenticated, which is sent by a switch, wherein the second identification information is information which is sent to the server when the switch authenticates the equipment to be authenticated according to the network access permission rule;
And authenticating the second identification information, and establishing communication connection with the equipment to be authenticated under the condition that authentication is passed.
In the device authentication method, apparatus, computer device, storage medium and program product above, the server receives first identification information of each device sent by the client, generates a network access permission rule according to each piece of first identification information, sends the rule to the switch, then receives second identification information of the device to be authenticated sent by the switch, authenticates the second identification information, and establishes a communication connection with the device to be authenticated if authentication passes. In this method, the network access permission rule is generated from the first identification information of each device and sent to the switch; the switch authenticates the device to be authenticated against that rule and, only if that authentication passes, sends the second identification information to the server, which then authenticates the device a second time.
Drawings
FIG. 1 is an application environment diagram of a device authentication method in one embodiment;
FIG. 2 is a flow diagram of a device authentication method in one embodiment;
FIG. 3 is a flow chart illustrating a method for generating a rule for allowing network access according to first identification information and sending the rule for allowing network access to a switch in one embodiment;
FIG. 4 is a flow chart illustrating analysis processing according to a probe message in one embodiment;
FIG. 5 is a flow diagram of managing security of devices in one embodiment;
FIG. 6 is a flow diagram of generating a port service information table in one embodiment;
FIG. 7 is a flow chart of generating a port service information table according to another embodiment;
FIG. 8 is a block diagram of the device authentication apparatus in one embodiment;
FIG. 9 is a block diagram showing the structure of a device authentication apparatus according to another embodiment;
FIG. 10 is an internal structural view of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The device authentication method provided by the embodiments of the application can be applied to the application environment shown in fig. 1. The environment comprises a device 1, a device 2 to be authenticated, a switch 3 and a server 4. The server 4 receives first identification information of the device 1, generates a network access permission rule according to it and sends the rule to the switch 3; the switch 3 authenticates the device 2 according to the rule and, if that authentication passes, sends second identification information of the device 2 to the server 4; the server 4 authenticates the second identification information and establishes a communication connection with the device 2 if this authentication also passes. The server 4 may be implemented as a stand-alone server or as a server cluster composed of a plurality of servers.
In one embodiment, as shown in fig. 2, a device authentication method is provided, and the method is applied to the server in fig. 1 for illustration, and includes the following steps:
S201, first identification information of each device sent by the client is received.
The first identification information may include an IP/MAC address, an ID, etc., and may be used to uniquely identify each device.
In this embodiment, the method is applied to a server, and the first identification information is taken as an IP/MAC address as an example, where the server receives the IP/MAC address of each device sent by the client.
S202, generating a network access permission rule according to each piece of first identification information, and sending the network access permission rule to the switch.
In this embodiment, taking the first identification information as an IP/MAC address as an example, the server authenticates each IP/MAC address sent by the client, obtains a list of legal IP/MAC addresses from those that pass, generates an allowed access rule from that list, and sends the allowed access rule to the switch.
Further, the validated IP/MAC address may also be stored in an IP/MAC address database.
S203, receiving second identification information of the equipment to be authenticated, which is sent by the switch, wherein the second identification information is information which is sent to the server when the equipment to be authenticated passes authentication according to the network access permission rule.
Wherein the second identification information includes a MAC address or the like.
In this embodiment, the switch has a MAC authentication function and can authenticate the address of a device to be authenticated directly: the switch is the subject of MAC address authentication, collects the MAC address of the device to be authenticated and generates a MAC address account. If the device passes authentication under the network access permission rule, the switch initiates authentication to the server using the MAC address of the device as both user name and password, and the server receives the MAC address of the device to be authenticated sent by the switch.
S204, authenticating the second identification information, and establishing communication connection with the equipment to be authenticated under the condition that authentication is passed.
In this embodiment, the server uses the second identification information of the device to be authenticated to query whether a device corresponding to the MAC address exists, whether it has expired, whether it may access the network, and so on. If a device corresponding to the MAC address is found, has not expired and may access the network, the device is authenticated successfully: the server sends the pass result to the switch, the switch opens the port to which the device is connected, thereby establishing the communication connection, and adds the device's MAC address to its own MAC address table as a static entry. If any of these conditions is not met, authentication fails: the switch refuses to establish a communication connection with the device, and the device is not allowed to authenticate again within a certain period.
In the device authentication method, the server receives the first identification information of each device sent by the client, generates the network access permission rule according to each first identification information, sends the network access permission rule to the switch, further receives the second identification information of the device to be authenticated sent by the switch, authenticates the second identification information, and establishes communication connection with the device to be authenticated under the condition that the authentication passes. According to the method, an allowed network access rule is generated according to the first identification information of each device, the allowed network access rule is sent to the switch, the switch authenticates the device to be authenticated according to the allowed network access rule, and under the condition that authentication is passed, the second identification information is sent to the server, and the server further authenticates the device to be authenticated.
Fig. 3 is a schematic flow chart of generating a rule for allowing network access according to each first identification information and sending the rule for allowing network access to the switch in one embodiment, and the embodiment of the present application relates to a possible implementation manner of generating the rule for allowing network access according to each first identification information and sending the rule for allowing network access to the switch, which includes the following steps:
S301, each piece of first identification information is authenticated.
In this embodiment, taking a MAC address as the first identification information: a MAC address is determined by the network card and has a fixed format, consisting in order of a manufacturer identification, a multicast flag bit, a manufacturer identification and a serial number, so that each device has exactly one, globally unique MAC address. Assume the MAC address of device A is a, that of device B is b, that of device C is c, that of device D is d and that of device E is e. The server compares the MAC addresses a, b, c, d and e with the known valid MAC addresses and authenticates each of them.
S302, if the authentication of each first identification information is passed, generating a rule for allowing network access according to each first identification information, and sending the rule for allowing network access to the switch.
In this embodiment, if the MAC addresses a, b, and c are the first identification information that passes the authentication, the server generates a rule for allowing access to the network according to the MAC addresses a, b, and c, and sends the rule for allowing access to the switch, so that the switch authenticates the device to be authenticated according to the rule for allowing access to the network.
Optionally, the server may generate a corresponding allowed access rule for each piece of identification information, or uniformly process all pieces of first identification information after passing the authentication, so as to obtain a total allowed access rule.
In this embodiment, each first identification information is authenticated, a rule for allowing access to the network is generated according to each first identification information after passing, and the rule for allowing access to the network is sent to the switch. In the method, each piece of first identification information is authenticated, the network access permission rule is generated according to all pieces of legal first identification information, and the access equipment is authenticated according to the network access permission rule, so that the safety of the access equipment is ensured.
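The two-stage flow of steps S201-S204 together with the per-address authentication of S301-S302, as an added example that is not part of the patent: the server validates the client-reported MAC addresses, turns the legal ones into the network access permission rule, and the switch checks a connecting device against that rule before presenting its MAC as user name and password to the server, which then applies the existence, expiry and access checks and the retry lockout. The registry, the lockout period, the port numbers and the MAC addresses are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Accept six hex octets separated consistently by ':' or '-'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str):
    """Return a canonical lower-case, colon-separated MAC, or None if malformed."""
    if not MAC_RE.match(mac):
        return None
    return mac.lower().replace("-", ":")


@dataclass
class DeviceRecord:
    mac: str
    expires_at: float      # epoch seconds after which the device counts as expired
    access_allowed: bool   # administrative flag: may this device access the network


class AuthServer:
    """Server role: first-stage validation, rule generation, second-stage authentication."""

    def __init__(self, registry, lockout_seconds=300):
        self.registry = {normalize_mac(r.mac): r for r in registry}
        self.lockout_seconds = lockout_seconds   # assumed "certain period" before retry
        self.locked_until = {}                   # mac -> time until which retries are refused

    def authenticate_first(self, macs):
        """S301: check each client-reported MAC; return (legal, rejected)."""
        legal, rejected = [], []
        for raw in macs:
            mac = normalize_mac(raw)
            if mac is None or mac not in self.registry:
                rejected.append(raw)
            else:
                legal.append(mac)
        return legal, rejected

    def build_access_rule(self, legal_macs):
        """S302: the network access permission rule is the set of legal MACs."""
        return frozenset(legal_macs)

    def authenticate_second(self, username, password, now):
        """S204: the switch presents the device MAC as both user name and password."""
        mac = normalize_mac(username)
        if mac is None or username != password:
            return False, "malformed credentials"
        if self.locked_until.get(mac, 0) > now:
            return False, "locked out"
        rec = self.registry.get(mac)
        if rec is None:
            reason = "unknown device"
        elif now > rec.expires_at:
            reason = "device expired"
        elif not rec.access_allowed:
            reason = "access not allowed"
        else:
            return True, "ok"
        self.locked_until[mac] = now + self.lockout_seconds   # refuse re-authentication for a while
        return False, reason


class Switch:
    """Switch role: MAC authentication against the rule, then deferral to the server."""

    def __init__(self, server):
        self.server = server
        self.rule = frozenset()
        self.open_ports = set()
        self.static_mac_table = {}   # mac -> switch port, added statically on success

    def install_rule(self, rule):
        self.rule = rule

    def authenticate_device(self, mac_raw, port, now):
        mac = normalize_mac(mac_raw)
        if mac is None or mac not in self.rule:
            return False, "rejected by switch rule"      # server is never contacted
        ok, reason = self.server.authenticate_second(mac, mac, now)
        if ok:
            self.open_ports.add(port)
            self.static_mac_table[mac] = port
        return ok, reason


def demo(now=1_000_000.0):
    """Constructed scenario: four MACs reported by the client, four connection attempts."""
    server = AuthServer([
        DeviceRecord("00:11:22:33:44:0a", now + 86400, True),   # valid
        DeviceRecord("00:11:22:33:44:0b", now - 1, True),       # registered but expired
        DeviceRecord("00:11:22:33:44:0c", now + 86400, False),  # registered, access disabled
    ])
    legal, rejected = server.authenticate_first(
        ["00:11:22:33:44:0A", "00-11-22-33-44-0b", "00:11:22:33:44:0c", "not-a-mac"])
    switch = Switch(server)
    switch.install_rule(server.build_access_rule(legal))
    results = {
        "a": switch.authenticate_device("00:11:22:33:44:0a", 1, now),
        "b": switch.authenticate_device("00:11:22:33:44:0b", 2, now),
        "b_retry": switch.authenticate_device("00:11:22:33:44:0b", 2, now + 10),
        "d": switch.authenticate_device("00:11:22:33:44:0d", 3, now),   # never reported
    }
    return legal, rejected, results, switch
```

Note that device d is stopped at the switch without a server round trip, while device b is stopped by the server's expiry check and then locked out on retry.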
Fig. 4 is a schematic flow chart of analysis processing according to a detection message in an embodiment, which relates to a possible implementation manner of how to generate a detection message according to detection information and send the detection message to a detection analysis device, so that the detection analysis device analyzes the detection message to obtain an analysis result, and includes the following steps:
S401, acquiring detection information from a local database.
In this embodiment, the server may obtain the probe information from the local database according to the electronic tag, or may obtain the probe information according to keyword screening.
S402, generating a detection message according to the detection information, and sending the detection message to the detection analysis equipment so that the detection analysis equipment can analyze and process the detection message to obtain an analysis result.
In this embodiment, the server generates a detection message according to the detection information and sends it to the detection analysis device, which filters the network tuples, analyzes and identifies the detection message (external connection or cross-zone interconnection), evaluates the risk of the violation according to the detection message, records an audit entry and manages alarms.
In the embodiment of the application, the detection information is acquired from the local database, a detection message is generated from it and sent to the detection analysis device, which analyzes and processes the message to obtain an analysis result, evaluates the violation risk, records an audit entry and manages alarms, thereby avoiding the situation where monitoring systems in different zones are interconnected and the dynamic stability of the system is affected.
FIG. 5 is a flow chart of managing security of each device in one embodiment, which relates to a possible implementation of managing security of each device according to a target security policy, including the following steps:
S501, acquiring a target security policy, wherein the target security policy comprises an asset policy, a peripheral intervention policy, a network access policy, a USB flash disk policy, a compliance baseline detection policy and an illegal external connection and cross-region interconnection detection policy.
In this embodiment, the server may obtain all the target security policies at the same time, or may obtain corresponding target security policies for different situations.
S502, managing the security of each device according to the target security policy.
In this embodiment, the server manages the security of each device according to the different target security policies. Taking the network access policy of step S501 as an example, the server automatically determines whether a device may access the network and disables network access for devices that do not meet the requirements; this mainly involves identifying the identity of the device, the security requirements the device must meet to access the network, and allowing access at the specified time.
In the embodiment of the application, the security of each device is managed according to the target security policy by acquiring the target security policy. According to the method, the omnibearing safety detection of the equipment is finished through different target safety strategies, and the safety connection of the equipment is ensured.
Fig. 6 is a flow chart of generating a port service information table in an embodiment, which relates to how to generate a possible implementation of the port service information table according to service identifiers of port services and service information of each port service, and includes the following steps:
S601, acquiring service identifiers of enabled port services of equipment to be authenticated.
The service identifier of a port service is the port used to distinguish services, such as a service port in the TCP/IP protocol suite; port numbers range from 0 to 65535, with, for example, port 80 used for web browsing services and port 21 used for FTP services.
In this embodiment, the server actively initiates an application connection request of a TCP/UDP service to the device to be authenticated, scans a port of the device to be authenticated (terminal), and determines whether a common port and a designated port are open according to a service response state of the device to be authenticated, so as to obtain service identifiers of enabled port services of the device to be authenticated.
S602, service information of each port service is acquired.
In this embodiment, it is assumed that the service identifier of each enabled port service acquired above is port 40, port 41, port 42, port 43, port 44, and port 45, and the server may acquire service information corresponding to each port service, where the service information of port 40 is a, the service information of port 41 is B, the service information of port 42 is C, the service information of port 43 is D, the service information of port 44 is E, and the service information of port 45 is F.
S603, generating a port service information table according to the service identification of each port service and the service information of each port service.
In the present embodiment, a port service information table regarding service identifiers and service information may be generated according to the correspondence between the service identifiers of the respective port services and the service information of the respective port services. The service type of each port service can be determined according to the service information of each port service, so as to generate a port service information table of service identification and service type.
Further, as shown in fig. 7, "generating a port service information table according to the service identification of each port service and the service information of each port service" may include the steps of:
S701, determining the service type of each port service according to the service information of each port service.
In this embodiment, the service type of each port service is determined according to its service information. Continuing the example above, it is assumed that port 41 is determined to be the graphics service according to service information B; port 42 the hostname service according to service information C; port 43 the whois service according to service information D; port 44 the MPM (message processing module) flags protocol according to service information E; and port 45 the message processing module service according to service information F.
S702, generating a port service information table according to the service identification and the service type of each port service.
In this embodiment, the server may generate the port service information table by matching service identifiers and service types one to one and classifying the service identifiers and service types of each device separately. Alternatively, the same service identifier and service type shared by different devices can be grouped together, generating a port service information table keyed by service identifier and service type.
Further, the port service information table can be stored in a database, so that the inquiry of the port information is facilitated.
In the embodiment of the application, the service type of each port service is further determined according to the service information of each port service by acquiring the service identification of each enabled port service and the service information of each port service of the equipment to be authenticated, so that a port service information table is generated according to the service identification and the service type of each port service. The port service information table in the method can intuitively embody the corresponding relation between the service identification and the service type, and is convenient for inquiring or acquiring the service information of the corresponding port.
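Steps S601-S603 and S701-S702 as an added example, not code from the patent: the server probes a device's ports, keeps the ones that respond (the service identifiers), records the banner as the service information, derives a service type from port and banner, and builds both the per-device table and the cross-device table keyed by service identifier and service type. The port-to-type lookup follows the page's own examples (ports 21, 80 and 41-45, with IANA names); the banner heuristics, the two terminals and their responses are constructed so the demo runs offline, and tcp_probe is only used when a real host is passed in.

```python
import socket
from dataclasses import dataclass

# Port -> service type. Ports 21/80 and 41-45 follow the page's examples (IANA names);
# anything else is classified from the banner it returns.
WELL_KNOWN = {
    21: "ftp", 80: "http", 41: "graphics", 42: "hostname",
    43: "whois", 44: "mpm-flags", 45: "mpm",
}


def tcp_probe(host, port, timeout=0.5):
    """Real connector: banner text if the port accepts the connection, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256).decode("latin-1", "replace").strip()
            except socket.timeout:
                return ""          # open but silent: still an enabled port service
    except OSError:
        return None                # closed, filtered or unreachable


def classify(port, info):
    """S701: derive the service type from the port number and the service information."""
    if port in WELL_KNOWN:
        return WELL_KNOWN[port]
    text = (info or "").upper()
    if text.startswith("SSH-"):
        return "ssh"
    if text.startswith("HTTP/") or "<HTML" in text:
        return "http"
    if text.startswith("220 ") and "FTP" in text:
        return "ftp"
    return "unknown"


@dataclass(frozen=True)
class PortServiceRow:
    device: str
    port: int            # service identifier
    info: str            # service information (banner)
    service_type: str


def scan_device(host, ports, probe=tcp_probe):
    """S601/S602: probe each port and collect service information for the enabled ones."""
    enabled = {}
    for port in ports:
        info = probe(host, port)
        if info is not None:
            enabled[port] = info
    return enabled


def build_table(device, enabled):
    """S603/S702: per-device rows of (service identifier, service information, service type)."""
    return [PortServiceRow(device, p, info, classify(p, info))
            for p, info in sorted(enabled.items())]


def group_by_service(rows):
    """Cross-device table: the same (port, type) pair mapped to every device exposing it."""
    grouped = {}
    for row in rows:
        grouped.setdefault((row.port, row.service_type), set()).add(row.device)
    return grouped


# Constructed responses standing in for two terminals (hypothetical addresses).
FAKE_HOSTS = {
    "10.0.0.11": {21: "220 (vsFTPd) ready", 43: "", 44: "", 2222: "SSH-2.0-OpenSSH_9.3"},
    "10.0.0.12": {80: "HTTP/1.1 200 OK", 43: "", 8443: ""},
}


def fake_probe(host, port):
    return FAKE_HOSTS.get(host, {}).get(port)


def demo():
    """Scan the common range 20-49 plus a few designated ports on both constructed terminals."""
    ports = list(range(20, 50)) + [80, 2222, 8443]
    rows = []
    for device, host in (("terminal-1", "10.0.0.11"), ("terminal-2", "10.0.0.12")):
        rows += build_table(device, scan_device(host, ports, probe=fake_probe))
    return rows, group_by_service(rows)
```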
It should be understood that, although the steps in the flowcharts of the above embodiments are shown in sequence as indicated by the arrows, these steps are not necessarily performed in the order indicated. Unless explicitly stated herein, the steps are not strictly limited to that order and may be executed in other orders. Moreover, at least some of the steps in those flowcharts may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the order of these sub-steps or stages is not necessarily sequential: they may be performed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides a device authentication device for realizing the device authentication method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation in the embodiment of one or more device authentication devices provided below may refer to the limitation of the device authentication method hereinabove, and will not be repeated herein.
In one embodiment, as shown in fig. 8, there is provided a device authentication apparatus including a first receiving module 11, a first generating module 12, a second receiving module 13 and an authentication module 14, wherein:
the first receiving module 11 is configured to receive first identification information of each device sent by a client;
the first generating module 12 is configured to generate a network access permission rule according to each piece of first identification information and send the network access permission rule to the switch;
the second receiving module 13 is configured to receive second identification information of the device to be authenticated sent by the switch, where the second identification information is the information the switch sends to the server when it authenticates the device to be authenticated according to the network access permission rule;
and the authentication module 14 is configured to authenticate the second identification information and establish a communication connection with the device to be authenticated when the authentication passes.
In one embodiment, the first generating module 12 includes:
an authentication unit, configured to authenticate each piece of first identification information;
and a first generating unit, configured to generate the network access permission rule according to each piece of first identification information and send it to the switch when the authentication of every piece of first identification information passes.
In one embodiment, there is provided a device authentication apparatus, the apparatus further comprising:
The first acquisition module is used for acquiring detection information from a local database;
And the sending module is used for generating a detection message according to the detection information and sending the detection message to the detection analysis equipment so that the detection analysis equipment can analyze and process the detection message to obtain an analysis result.
In one embodiment, there is provided a device authentication apparatus, the apparatus further comprising:
the second acquisition module is used for acquiring a target security policy, wherein the target security policy comprises an asset policy, a peripheral intervention policy, a network access policy, a USB flash disk policy, a compliance baseline detection policy and a violation external connection and cross-region interconnection detection policy;
and the management module is used for managing the safety of each device according to the target safety strategy.
In one embodiment, there is provided a device authentication apparatus, the apparatus further comprising:
A third acquisition module, configured to acquire service identifiers of enabled port services of a device to be authenticated;
a fourth acquisition module, configured to acquire service information of each port service;
and the second generation module is used for generating a port service information table according to the service identification of each port service and the service information of each port service.
In one embodiment, the second generation module includes:
the determining unit is used for determining the service type of each port service according to the service information of each port service;
And the second generating unit is used for generating a port service information table according to the service identification and the service type of each port service.
In one embodiment, the method is applied to a server which, as shown in fig. 9, may specifically include a management configuration module, a security policy module, an active detection module, a detection analysis module, a USB flash disk management module, an audit and violation alert module, an asset application statistics module, a terminal management and control module, a Radius authentication module, a network admission management module, an IP/MAC address acquisition module, a port scanning module and a database module, where the above modules are connected through a data bus.
It should be noted that, the terminal in fig. 9 may include each device and the device to be authenticated in the above embodiments.
The terminal management and control module is connected with a plurality of terminals and is used for configuration management, information acquisition and reporting, audit management and upgrade management of the client platform.
The terminal management and control module invokes the management configuration module and the security policy module to generate a terminal management and control policy and a baseline detection policy, issues them to the terminal as a JSON message over an encrypted protection channel, and executes the asset management and control policy and the baseline detection policy.
The terminal management and control module sends the list of registered USB flash disk information (PID/VID) to the terminal over a trusted channel, and the device management module (terminal side) performs the management and control of USB flash disks; terminal alarms and audit logs are analyzed, classified and stored in the operation log library and the alarm audit library by the audit and violation alarm module.
Optionally, in the above method steps, step S602 may also be implemented by this module.
The management configuration module cooperates with the terminal management and control module to register and manage assets and to configure and maintain the system operating parameters. Its main functions are basic parameter configuration, security parameter configuration, data monitoring, audit log management, visualization of asset information and synchronous acquisition of LDAP asset data.
Further, an authorized manager invokes the management configuration module to manage the operating parameters of each module in the platform. An administrator can configure and maintain the legal USB flash disk registration code (PID/VID) database, and configure and maintain the detection basic information database, which includes factory information (names, network exit addresses and the like), detection analysis service information (service network addresses and the like) and detection message attributes.
The Radius authentication module is connected with the switch and is used for authenticating devices that access the network. Its functions include MAC address authentication, account and password authentication, and the PAP and CHAP standard authentication mechanisms.
The network access management module mainly has the functions of configuration management of switch VLAN or ACL rules and audit information acquisition.
Optionally, in the above method steps, steps S202, S203, S204, S302 may also be implemented by using this module.
The IP/MAC address acquisition module is connected with the terminal, manages a legal IP/MAC address list of the terminal and manages a terminal address database. Optionally, in the above method steps, steps S201 and S301 may also be implemented by using the module.
The port scanning module is connected with the terminal and is responsible for collecting the terminal's application service ports. Its main function is to actively initiate connection requests to the terminal's TCP/UDP services and to obtain the list of enabled ports by judging the service response state.
Optionally, in the above method steps, step S601 may also be implemented by this module.
The security policy module is responsible for managing the security policy of the terminal. It mainly comprises asset policy, group policy and user-defined policy management, including the peripheral intervention policy, network access policy, USB flash disk policy, compliance baseline detection policy, and illegal external connection and cross-region interconnection detection policy; the related data configuration includes the detection analysis end service address, network ACL management and control, and factory basic information (IP). Optionally, in the above method steps, steps S501 and S502 may also be implemented by this module.
The active detection module is responsible for sending cross-region interconnection detection messages; it mainly sends a detection TCP message to the external network or to the cross-region detection analysis service module through a designated network card. Specifically, an active detection message (TCP-SYN) is constructed according to the detection basic information database and sent to the external network or the cross-region detection analysis end. The module may also maintain the system IP/MAC address list, the Radius service parameters (authentication account, authentication rules, authentication attributes) and the terminal NetACL rules.
Optionally, in the above method steps, steps S401 and S402 may also be implemented by using the module.
The detection analysis module is responsible for recognizing detection messages and raising alarms for rule violations. It is connected with the cross-region active detection module through the designated network card, and its main functions are to acquire the mirrored traffic of the designated network card, filter network tuples, parse and identify cross-region interconnection detection messages, evaluate violation risk according to the detection messages and the factory configuration information, record audits and manage alarms.
The USB flash disk management module is connected with the USB flash disk and is responsible for registering and deregistering working USB flash disks. Further, it can identify and maintain the USB flash disk attribute values PID/VID (that is, the USB flash disk registration codes). Registration of a legal USB flash disk is completed by matching its registration code and adding a record to the working USB flash disk information base; deregistration is completed by deleting that record.
And the audit and violation alarm module is responsible for managing audit logs and alarm information of the terminal. Further, the audit log is classified, processed and stored, and the illegal alarm information is handled and managed.
The asset application statistics module is responsible for collecting statistics on the terminal application services. Its main function is to query the information reported by terminals, classify and count the applications using the service type as the classification standard, and provide a visual statistical report.
Optionally, in the above method steps, steps S603, S701, S702 may also be implemented by using the module.
The database module is responsible for the database design, which comprises three parts: logical design, physical structure design and table design. It is mainly responsible for reading, writing and maintaining the background data layer database. Further, the database module controls concurrent reads and writes of data so as to provide reliable and efficient read-write assurance for the functional layer modules.
The client reports the terminal's IP/MAC address list (local and cached); after verification by the IP/MAC address acquisition module, the list is added to the system's legal IP/MAC address database. The administrator then uses the network admission management module to generate VLAN or ACL admission rules from the system's legal IP/MAC list, and issues the rules to the switch for execution through a trusted management channel (SNMP).
The respective modules in the above-described device authentication apparatus may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a terminal, and an internal structure diagram thereof may be as shown in fig. 10. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a device authentication method. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be keys, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structure shown in FIG. 10 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In one embodiment, a computer device is provided comprising a memory and a processor, the memory having stored therein a computer program, the processor when executing the computer program performing the steps of:
Receiving first identification information of each device sent by a client;
generating a network access permission rule according to each piece of first identification information, and sending the network access permission rule to the switch;
Receiving second identification information of the device to be authenticated sent by the switch, where the second identification information is the information the switch sends to the server when the device to be authenticated passes authentication according to the network access permission rule;
And authenticating the second identification information, and establishing communication connection with the equipment to be authenticated under the condition that the authentication is passed.
In one embodiment, the processor when executing the computer program further performs the steps of:
Authenticating each piece of first identification information;
and if the authentication of each first identification information is passed, generating a network access permission rule according to each first identification information, and sending the network access permission rule to the switch.
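As an added illustration that is not the patent's own code, the following Python models the server side of the method above: the client's first identification information is checked for uniqueness and well-formedness, an all-or-nothing rule set is generated for the switch, and the second identification information reported by the switch is then checked against the access time, expiry and accessibility conditions of claim 1. The record fields, the ACL-style rule text and the sample devices are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, time

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass
class DeviceRecord:
    """First identification information reported by the client for one device.
    The window, expiry and accessible fields are assumed attributes that realise
    the three checks of claim 1 (access time, not expired, accessible)."""
    mac: str
    ip: str
    access_start: time      # daily access window start
    access_end: time        # daily access window end (may be before start: wraps midnight)
    expires: datetime       # registration expiry
    accessible: bool = True # administratively enabled


def _in_window(t, start, end):
    """True when t lies in the daily window; windows may wrap past midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


class AdmissionServer:
    def __init__(self):
        self.registry = {}  # legal IP/MAC database: normalised MAC -> DeviceRecord

    @staticmethod
    def _check_first_identification(rec, seen):
        """Returns None when the record passes, else the reason it fails."""
        mac = rec.mac.lower()
        if not MAC_RE.match(mac):
            return "malformed MAC"
        try:
            ipaddress.ip_address(rec.ip)
        except ValueError:
            return "malformed IP"
        if mac in seen:
            return "duplicate MAC"   # first identification must be unique per device
        seen.add(mac)
        return None

    def admit_first_identification(self, records):
        """Authenticate every first identification; only when all pass are the
        records stored and the switch rules generated (all-or-nothing, as in
        the method).  Returns (rules, failures)."""
        seen, failures = set(), []
        for rec in records:
            problem = self._check_first_identification(rec, seen)
            if problem:
                failures.append((rec.mac, problem))
        if failures:
            return [], failures
        rules = []
        for rec in records:
            mac = rec.mac.lower()
            self.registry[mac] = rec
            # Constructed ACL-style rule text; real switch syntax is vendor specific.
            rules.append(f"permit mac {mac} ip {rec.ip}")
        rules.append("deny any")  # everything not explicitly permitted is denied
        return rules, []

    def authenticate_second_identification(self, mac, now):
        """Second identification arrives from the switch after its own MAC
        authentication; apply the server-side checks of claim 1."""
        rec = self.registry.get(mac.lower())
        if rec is None:
            return False, "unknown device"
        if now >= rec.expires:
            return False, "expired"
        if not rec.accessible:
            return False, "not accessible"
        if not _in_window(now.time(), rec.access_start, rec.access_end):
            return False, "outside access time"
        return True, "connection established"


# Constructed sample devices: one valid daytime device, one expired night-shift device.
SAMPLE_DEVICES = [
    DeviceRecord("AA:BB:CC:DD:EE:01", "10.0.0.11", time(8, 0), time(18, 0), datetime(2030, 1, 1)),
    DeviceRecord("aa:bb:cc:dd:ee:02", "10.0.0.12", time(22, 0), time(6, 0), datetime(2020, 1, 1)),
]

if __name__ == "__main__":
    srv = AdmissionServer()
    print(srv.admit_first_identification(SAMPLE_DEVICES))
    print(srv.authenticate_second_identification("aa:bb:cc:dd:ee:01", datetime(2024, 5, 3, 10, 0)))
```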
In one embodiment, the processor when executing the computer program further performs the steps of:
Acquiring detection information from a local database;
And generating a detection message according to the detection information, and sending the detection message to the detection analysis equipment so that the detection analysis equipment can analyze and process the detection message to obtain an analysis result.
In one embodiment, the processor when executing the computer program further performs the steps of:
obtaining a target security policy, wherein the target security policy comprises an asset policy, a peripheral intervention policy, an access policy, a USB flash disk policy, a compliance baseline detection policy and a violation external connection and cross-region interconnection detection policy;
and managing the security of each device according to the target security policy.
In one embodiment, the processor when executing the computer program further performs the steps of:
Acquiring service identifiers of enabled port services of equipment to be authenticated;
Acquiring service information of each port service;
And generating a port service information table according to the service identification of each port service and the service information of each port service.
In one embodiment, the processor when executing the computer program further performs the steps of:
Determining the service type of each port service according to the service information of each port service;
and generating a port service information table according to the service identification and the service type of each port service.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of:
Receiving first identification information of each device sent by a client;
generating a network access permission rule according to each piece of first identification information, and sending the network access permission rule to the switch;
Receiving second identification information of the device to be authenticated sent by the switch, where the second identification information is the information the switch sends to the server when the device to be authenticated passes authentication according to the network access permission rule;
And authenticating the second identification information, and establishing communication connection with the equipment to be authenticated under the condition that the authentication is passed.
In one embodiment, the computer program when executed by the processor further performs the steps of:
Authenticating each piece of first identification information;
and if the authentication of each first identification information is passed, generating a network access permission rule according to each first identification information, and sending the network access permission rule to the switch.
In one embodiment, the computer program when executed by the processor further performs the steps of:
Acquiring detection information from a local database;
And generating a detection message according to the detection information, and sending the detection message to the detection analysis equipment so that the detection analysis equipment can analyze and process the detection message to obtain an analysis result.
In one embodiment, the computer program when executed by the processor further performs the steps of:
obtaining a target security policy, wherein the target security policy comprises an asset policy, a peripheral intervention policy, an access policy, a USB flash disk policy, a compliance baseline detection policy and a violation external connection and cross-region interconnection detection policy;
and managing the security of each device according to the target security policy.
In one embodiment, the computer program when executed by the processor further performs the steps of:
Acquiring service identifiers of enabled port services of equipment to be authenticated;
Acquiring service information of each port service;
And generating a port service information table according to the service identification of each port service and the service information of each port service.
In one embodiment, the computer program when executed by the processor further performs the steps of:
Determining the service type of each port service according to the service information of each port service;
and generating a port service information table according to the service identification and the service type of each port service.
In one embodiment, a computer program product is provided comprising a computer program which, when executed by a processor, performs the steps of:
Receiving first identification information of each device sent by a client;
generating a network access permission rule according to each piece of first identification information, and sending the network access permission rule to the switch;
Receiving second identification information of the device to be authenticated sent by the switch, where the second identification information is the information the switch sends to the server when the device to be authenticated passes authentication according to the network access permission rule;
And authenticating the second identification information, and establishing communication connection with the equipment to be authenticated under the condition that the authentication is passed.
In one embodiment, the computer program when executed by the processor further performs the steps of:
Authenticating each piece of first identification information;
and if the authentication of each first identification information is passed, generating a network access permission rule according to each first identification information, and sending the network access permission rule to the switch.
In one embodiment, the computer program when executed by the processor further performs the steps of:
Acquiring detection information from a local database;
And generating a detection message according to the detection information, and sending the detection message to the detection analysis equipment so that the detection analysis equipment can analyze and process the detection message to obtain an analysis result.
In one embodiment, the computer program when executed by the processor further performs the steps of:
obtaining a target security policy, wherein the target security policy comprises an asset policy, a peripheral intervention policy, an access policy, a USB flash disk policy, a compliance baseline detection policy and a violation external connection and cross-region interconnection detection policy;
and managing the security of each device according to the target security policy.
In one embodiment, the computer program when executed by the processor further performs the steps of:
Acquiring service identifiers of enabled port services of equipment to be authenticated;
Acquiring service information of each port service;
And generating a port service information table according to the service identification of each port service and the service information of each port service.
In one embodiment, the computer program when executed by the processor further performs the steps of:
Determining the service type of each port service according to the service information of each port service;
and generating a port service information table according to the service identification and the service type of each port service.
The user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or sufficiently authorized by each party.
Those skilled in the art will appreciate that implementing all or part of the methods of the above embodiments may be accomplished by a computer program stored on a non-transitory computer readable storage medium, which when executed may comprise the steps of the method embodiments described above. Any reference to memory, database or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high density embedded non-volatile memory, Resistive Random Access Memory (ReRAM), Magnetoresistive Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory, and the like. Volatile memory can include Random Access Memory (RAM) or external cache memory, and the like. By way of illustration and not limitation, RAM can take various forms such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application, which are described in detail and are not to be construed as limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (7)

1. A device authentication method, applied to a server, the method comprising:
receiving first identification information of each device sent by a client; the first identification information is unique identification information of each device;
Authenticating each piece of first identification information; if the authentication of each piece of first identification information is passed, generating a network access permission rule according to each piece of first identification information, and sending the network access permission rule to a switch;
receiving second identification information of equipment to be authenticated, which is sent by a switch, wherein the second identification information is information which is sent to the server by the switch when the switch authenticates the MAC address of the equipment to be authenticated according to the network access permission rule and the authentication passes;
Determining the target device corresponding to the second identification information, and establishing a communication connection with the target device if the target device satisfies the access time, has not expired and is accessible;
The method further comprises the steps of:
Obtaining a target security policy, wherein the target security policy comprises an asset policy, a peripheral intervention policy, an access policy, a USB flash disk policy, a compliance baseline detection policy and an illegal external connection and cross-region interconnection detection policy;
and managing the safety of each device according to the target safety strategy.
2. The method according to claim 1, wherein the method further comprises:
Acquiring detection information from a local database;
And generating a detection message according to the detection information, and sending the detection message to detection analysis equipment so that the detection analysis equipment can analyze and process the detection message to obtain an analysis result.
3. The method according to claim 1, wherein the method further comprises:
acquiring service identifiers of enabled port services of the equipment to be authenticated;
Acquiring service information of each port service;
and generating a port service information table according to the service identification of each port service and the service information of each port service.
4. The method of claim 3, wherein generating the port service information table based on the service identification of each of the port services and the service information of each of the port services comprises:
determining the service type of each port service according to the service information of each port service;
And generating the port service information table according to the service identification and the service type of each port service.
5. A device authentication apparatus, the apparatus comprising:
The first receiving module is used for receiving first identification information of each device sent by the client; the first identification information is unique identification information of each device;
The first generation module is used for authenticating each piece of first identification information; if the authentication of each piece of first identification information is passed, generating a network access permission rule according to each piece of first identification information, and sending the network access permission rule to a switch;
The second receiving module is used for receiving second identification information of equipment to be authenticated, which is sent by the switch, wherein the second identification information is information which is sent to the server by the switch when the switch authenticates the MAC address of the equipment to be authenticated according to the network access permission rule;
The authentication module is used for determining the target device corresponding to the second identification information and establishing a communication connection with the target device if the target device satisfies the access time, has not expired and is accessible;
the second acquisition module is used for acquiring a target security policy, wherein the target security policy comprises an asset policy, a peripheral intervention policy, a network access policy, a U disk policy, a compliance baseline detection policy and a violation external connection and cross-region interconnection detection policy;
and the management module is used for managing the safety of each device according to the target safety strategy.
6. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any one of claims 1 to 4.
7. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 4.
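The server side of the flow in claim 5 (authenticate the client's first identification information, push an allow rule to the switch, then re-check the device the switch forwards against its access time, expiry and accessibility before connecting) and the port service table of claim 4 are modelled below in Python as an added example; it is not the patent's code. The device records, the daily access window, the decision strings, the sample MAC addresses and the port-number classification of service types are all assumptions made for illustration.

```python
"""Added model of the claimed MAC-based device authentication flow (not the patent's code)."""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, Iterable, Optional, Set

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise a MAC to lowercase colon form; None if it is not six hex octets.

    Rejecting malformed input up front means a rule lookup can never match by accident."""
    cleaned = raw.strip().lower().replace("-", ":").replace(".", "")
    if ":" not in cleaned and len(cleaned) == 12:          # Cisco-style aabb.ccdd.eeff
        cleaned = ":".join(cleaned[i:i + 2] for i in range(0, 12, 2))
    return cleaned if MAC_RE.match(cleaned) else None


@dataclass
class DeviceRecord:
    """What the server knows about a registered device (constructed sample schema)."""
    mac: str                  # first identification information (unique per device)
    window_start: time        # start of the permitted daily access window
    window_end: time          # end of the permitted daily access window
    expires_at: datetime      # registration expiry
    accessible: bool = True   # operator flag: device may currently be accessed


class AuthServer:
    def __init__(self, devices: Iterable[DeviceRecord]) -> None:
        self.registry: Dict[str, DeviceRecord] = {}
        for dev in devices:
            mac = normalize_mac(dev.mac)
            if mac is None:
                raise ValueError(f"bad MAC in registry: {dev.mac!r}")
            self.registry[mac] = dev
        # Network access permission rule pushed to the switch: the set of admitted MACs.
        self.allow_rule: Set[str] = set()

    def authenticate_first_ids(self, macs: Iterable[str]) -> Optional[Set[str]]:
        """First generation module: every identifier must pass before a rule is generated.
        One unknown or malformed identifier rejects the submission and leaves the rule as is."""
        accepted: Set[str] = set()
        for raw in macs:
            mac = normalize_mac(raw)
            if mac is None or mac not in self.registry:
                return None
            accepted.add(mac)
        self.allow_rule = accepted
        return set(accepted)

    def handle_second_id(self, mac: str, now: datetime) -> str:
        """Authentication module: the switch forwards the MAC it admitted under the rule;
        the server re-checks the rule (defence in depth) and the three claimed conditions."""
        norm = normalize_mac(mac)
        if norm is None:
            return "deny:malformed"
        if norm not in self.allow_rule:
            return "deny:not-in-rule"
        dev = self.registry.get(norm)
        if dev is None:
            return "deny:unknown-device"
        if not dev.window_start <= now.time() <= dev.window_end:
            return "deny:outside-access-time"
        if now >= dev.expires_at:
            return "deny:expired"
        if not dev.accessible:
            return "deny:not-accessible"
        return "connect"


def build_port_service_table(services: Dict[str, Dict[str, int]]) -> Dict[str, str]:
    """Claim 4: derive each port service's type from its service information and map
    service identification -> service type. Classification by port number is an assumption."""
    def service_type(info: Dict[str, int]) -> str:
        port = int(info["port"])
        if port in (22, 23, 3389):
            return "remote-admin"
        if port in (80, 443, 8080):
            return "web"
        if port in (139, 445):
            return "file-sharing"
        return "other"
    return {service_id: service_type(info) for service_id, info in services.items()}


# Constructed sample registry and timestamps used by run_demo().
SAMPLE_DEVICES = [
    DeviceRecord("AA:BB:CC:DD:EE:01", time(8, 0), time(18, 0), datetime(2030, 1, 1)),
    DeviceRecord("aa-bb-cc-dd-ee-02", time(8, 0), time(18, 0), datetime(2020, 1, 1)),
    DeviceRecord("aabb.ccdd.ee03", time(8, 0), time(18, 0), datetime(2030, 1, 1), accessible=False),
]
NOON = datetime(2025, 6, 1, 12, 0)
NIGHT = datetime(2025, 6, 1, 23, 0)


def run_demo() -> Dict[str, str]:
    """Walk the flow once and return the decision reached for each sample device."""
    server = AuthServer(SAMPLE_DEVICES)
    server.authenticate_first_ids(d.mac for d in SAMPLE_DEVICES)
    return {
        "registered, in window": server.handle_second_id("aa-bb-cc-dd-ee-01", NOON),
        "registered, at night": server.handle_second_id("aa:bb:cc:dd:ee:01", NIGHT),
        "expired": server.handle_second_id("aa:bb:cc:dd:ee:02", NOON),
        "marked not accessible": server.handle_second_id("aa:bb:cc:dd:ee:03", NOON),
        "never registered": server.handle_second_id("00:11:22:33:44:55", NOON),
    }


if __name__ == "__main__":
    for case, decision in run_demo().items():
        print(f"{case:24s} -> {decision}")
```

The rule is only regenerated when every submitted identifier is known, so a single unregistered MAC in a client batch cannot widen what the switch admits; the server also re-checks the rule itself rather than trusting that the switch applied it, and the three claimed conditions are evaluated in a fixed order so the logged reason is unambiguous.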
CN202210361572.7A 2022-04-07 2022-04-07 Device authentication method, device, computer device, storage medium, and program product Active CN114726617B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210361572.7A CN114726617B (en) 2022-04-07 2022-04-07 Device authentication method, device, computer device, storage medium, and program product

Publications (2)

Publication Number Publication Date
CN114726617A CN114726617A (en) 2022-07-08
CN114726617B true CN114726617B (en) 2024-05-03

Family

ID=82241453

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210361572.7A Active CN114726617B (en) 2022-04-07 2022-04-07 Device authentication method, device, computer device, storage medium, and program product

Country Status (1)

Country Link
CN (1) CN114726617B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101197785A (en) * 2008-01-04 2008-06-11 杭州华三通信技术有限公司 MAC authentication method and apparatus
CN102083171A (en) * 2010-02-08 2011-06-01 大唐移动通信设备有限公司 Network access method and equipment for machine type communication (MTC) equipment
CN102185840A (en) * 2011-04-22 2011-09-14 上海华为技术有限公司 Authentication method, authentication equipment and authentication system
CN103428211A (en) * 2013-08-07 2013-12-04 华南理工大学 Network authentication system on basis of switchboards and authentication method for network authentication system
CN106209750A (en) * 2015-05-08 2016-12-07 深圳市腾讯计算机系统有限公司 A kind of network allocation method, server, network access equipment and system
CN112800411A (en) * 2021-02-19 2021-05-14 浪潮云信息技术股份公司 Multi-protocol and multi-mode supporting safe and reliable identity authentication method and device
CN113891428A (en) * 2020-07-02 2022-01-04 华为技术有限公司 Network access method, equipment and system
CN114257406A (en) * 2021-11-17 2022-03-29 中国南方电网有限责任公司 Equipment communication method and device based on identification algorithm and computer equipment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9582308B2 (en) * 2014-03-31 2017-02-28 Nicira, Inc. Auto detecting legitimate IP addresses using spoofguard agents
US11729166B2 (en) * 2020-07-07 2023-08-15 Arista Networks, Inc. Authentication of passive devices

Also Published As

Publication number Publication date
CN114726617A (en) 2022-07-08

Similar Documents

Publication Publication Date Title
US9069954B2 (en) Security threat detection associated with security events and an actor category model
US10140453B1 (en) Vulnerability management using taxonomy-based normalization
US7870598B2 (en) Policy specification framework for insider intrusions
US9679125B2 (en) Characterizing user behavior via intelligent identity analytics
US9531755B2 (en) Field selection for pattern discovery
US9275348B2 (en) Identifying participants for collaboration in a threat exchange community
US20050091532A1 (en) Method and apparatus to detect unauthorized information disclosure via content anomaly detection
EP2723034A1 (en) System for Detection of Mobile Applications Network Behavior - Netwise
US20160164893A1 (en) Event management systems
CN107733863B (en) Log debugging method and device under distributed hadoop environment
US20110055923A1 (en) Hierarchical statistical model of internet reputation
US20130081065A1 (en) Dynamic Multidimensional Schemas for Event Monitoring
US20080016563A1 (en) Systems and methods for measuring cyber based risks in an enterprise organization
Miloslavskaya Security operations centers for information security incident management
WO2011149773A2 (en) Security threat detection associated with security events and an actor category model
US20130198168A1 (en) Data storage combining row-oriented and column-oriented tables
US11818160B2 (en) Predicting cyber risk for assets with limited scan information using machine learning
CN113614718A (en) Abnormal user session detector
US20230300153A1 (en) Data Surveillance In a Zero-Trust Network
Meijerink Anomaly-based detection of lateral movement in a microsoft windows environment
US20230396640A1 (en) Security event management system and associated method
US9143517B2 (en) Threat exchange information protection
CN114726617B (en) Device authentication method, device, computer device, storage medium, and program product
CN111859363B (en) Method and device for identifying unauthorized access of application and electronic equipment
US20240163668A1 (en) Apparatuses, computer-implemented methods, and computer program products for managing access of wireless nodes to a network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant