CN114884647A - Network access management method and related equipment - Google Patents
- Publication number: CN114884647A
- Application number: CN202110088394.0A
- Authority: CN (China)
- Prior art keywords: target, sent, transport layer, application program, server
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          - H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
            - H04L9/0877—Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          - H04L63/029—Firewall traversal, e.g. tunnelling or creating pinholes
        - H04L63/16—Implementing security features at a particular protocol layer
          - H04L63/166—Implementing security features at a particular protocol layer at the transport layer
        - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  - Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    - Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
      - Y02D30/00—Reducing energy consumption in communication networks
        - Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The disclosure provides a network access management method and related equipment. The method is applied to an untrusted client, and an authentication client application program is isolated and loaded in a target container providing a trusted operating environment. The method comprises the following steps: the authentication client application program sends application program data to be sent to the trusted operating environment, and the sending source address comprises an authentication client application program identifier; processing application program data to be sent in a trusted operating environment to generate a target transport layer security protocol data packet to be sent; and forwarding the target transport layer security protocol data packet to be sent to the server through the target transport layer security protocol tunnel, so that the server determines a firewall rule according to the authentication client application program identifier, and routes the target transport layer security protocol data packet to be sent to the target receiving equipment according to the firewall rule. By the method provided by the embodiment of the disclosure, the risk of being attacked can be effectively reduced.
Description
Technical Field
The present disclosure relates to the field of computer and communication technologies, and in particular, to a network access management method and apparatus, a computer-readable storage medium, and an electronic device.
Background
With the rapid development and wide application of information technology, the human society has entered a new internet era. On one hand, people enjoy the convenience brought by internet science and technology; on the other hand, the network space formed by the network and the information system also faces an increasingly severe security problem. Trust is the basis for secure interaction in the network space, but as software complexity and attack level increase, the security of mobile environments and cloud platforms puts more stringent demands on hardware and platform security mechanisms.
Network security management in enterprises faces a dilemma: on one hand, the network communication behavior of the host computer needs to be strictly controlled; on the other hand, to support a large number of new client applications, firewall policies typically have to be relaxed. However, loose firewall policies make it possible for unknown client applications to leak data.
Meanwhile, current firewall policies can only be configured by coarse-grained protocol or port number, that is, only at the granularity of an IP (Internet Protocol) address and port. Such rules are easily evaded and imitated by malicious applications (malicious programs for short); and because the IP port corresponding to a known application is treated as trusted by default, when that known application is compromised, the traffic of the compromised application cannot be identified.
Therefore, a new network access management method and apparatus, a computer-readable storage medium, and an electronic device are needed.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure.
Disclosure of Invention
The embodiment of the disclosure provides a network access management method and device, a computer-readable storage medium and electronic equipment, which can improve the security of network access at the granularity of individual application programs.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
The embodiment of the disclosure provides a network access management method applied to an untrusted client, wherein the untrusted client comprises an authentication client application program that is isolated and loaded in a target container providing a trusted operating environment. The method comprises the following steps:
- the authentication client application program sends application program data to be sent to the trusted operating environment, where the application program data to be sent adopts a target transport layer protocol and comprises a sending source address and a sending destination address, and the sending source address comprises an authentication client application program identifier;
- processing the application program data to be sent in the trusted operating environment to generate a target transport layer security protocol data packet to be sent;
- determining a target transport layer security protocol tunnel between the target container and a server located in a gateway; and
- forwarding the target transport layer security protocol data packet to be sent to the server through the target transport layer security protocol tunnel, so that the server determines a firewall rule associated with the authentication client application program according to the authentication client application program identifier in the sending source address, and routes the target transport layer security protocol data packet to be sent to the target receiving equipment corresponding to the sending destination address according to that firewall rule.
The embodiment of the disclosure provides a network access management method applied to a server side located in a gateway. The method comprises the following steps:
- receiving, through a target transport layer security protocol tunnel between the server and a target container, a target transport layer security protocol data packet to be sent by an untrusted client, wherein the untrusted client comprises an authentication client application program that is isolated and loaded in the target container providing a trusted operating environment, the target transport layer security protocol data packet to be sent comprises a sending source address and a sending destination address, and the sending source address comprises an authentication client application program identifier;
- determining a firewall rule associated with the authentication client application program according to the authentication client application program identifier in the sending source address; and
- routing the target transport layer security protocol data packet to be sent to the target receiving equipment corresponding to the sending destination address according to the firewall rule associated with the authentication client application program.
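The following is an added example, not code from the patent or its applicant, that models the two halves of the method just described together with the background point that IP/port rules alone cannot tell applications apart. The client half binds the application identifier into the source address; the gateway half looks the identifier up in a per-application rule table and either forwards or drops. The packet is assumed to have arrived through the authenticated transport layer security tunnel, so the identifier is taken as trustworthy; the tunnel itself, the TEE and the real network are not implemented. All identifiers, hosts, ports and rules are constructed for illustration.

```python
"""Added example: per-application gateway policy modelled in Python.
Not the patent's own code; all names and values are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, FrozenSet


@dataclass(frozen=True)
class SourceAddress:
    app_id: str     # authentication client application identifier (bound by the TEE)
    host: str       # source IP address of the client
    port: int       # source port


@dataclass(frozen=True)
class Packet:
    src: SourceAddress
    dst: Tuple[str, int]   # (destination host, destination port)
    payload: bytes


@dataclass(frozen=True)
class FirewallRule:
    allowed_dst_hosts: FrozenSet[str]   # "*" permits any host
    allowed_dst_ports: FrozenSet[int]


# Constructed policy table held by the gateway: application identifier -> rule.
POLICY: Dict[str, FirewallRule] = {
    "mail-client-v2": FirewallRule(frozenset({"mail.example.internal"}),
                                   frozenset({143, 25})),
    "ldap-agent": FirewallRule(frozenset({"dir.example.internal"}),
                               frozenset({389, 636})),
}


def build_packet(app_id: str, src_host: str, src_port: int,
                 dst_host: str, dst_port: int, payload: bytes) -> Packet:
    """Client side: the trusted environment binds the application identifier
    into the sending source address before the data enters the tunnel."""
    return Packet(SourceAddress(app_id, src_host, src_port), (dst_host, dst_port), payload)


def route(packet: Packet,
          policy: Dict[str, FirewallRule] = POLICY) -> Tuple[str, Optional[Tuple[str, int]]]:
    """Gateway side: select the firewall rule by application identifier,
    then decide whether the packet may be routed to its destination.
    Returns (decision, destination-or-None); unknown identifiers are dropped,
    which is what distinguishes this from a port-only rule."""
    rule = policy.get(packet.src.app_id)
    if rule is None:
        return ("drop:unknown-application", None)
    host, port = packet.dst
    if port not in rule.allowed_dst_ports:
        return ("drop:port-not-permitted", None)
    if "*" not in rule.allowed_dst_hosts and host not in rule.allowed_dst_hosts:
        return ("drop:host-not-permitted", None)
    return ("forward", packet.dst)


if __name__ == "__main__":
    # Constructed traffic: an authenticated mail client, an unknown program
    # using the same destination port, and a known program reaching outside its rule.
    samples = [
        build_packet("mail-client-v2", "10.0.0.5", 50000, "mail.example.internal", 143, b"a1 LOGIN"),
        build_packet("unknown-app", "10.0.0.5", 50001, "mail.example.internal", 143, b"a1 LOGIN"),
        build_packet("ldap-agent", "10.0.0.5", 50002, "mail.example.internal", 143, b""),
    ]
    for p in samples:
        print(p.src.app_id, p.dst, "->", route(p))
```

The second sample is the case the background section raises: with a port-only policy it is indistinguishable from the first, because both target port 143 from the same host; with the identifier-keyed lookup it is dropped as an unknown application.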
The embodiment of the disclosure provides a network access management device applied to an untrusted client, wherein the untrusted client comprises an authentication client application program that is isolated and loaded in a target container providing a trusted operating environment. The device comprises: a to-be-sent application program data sending unit, used by the authentication client application program to send the to-be-sent application program data to the trusted operating environment, wherein the to-be-sent application program data adopts a target transport layer protocol and comprises a sending source address and a sending destination address, and the sending source address comprises an authentication client application program identifier; a transport layer security protocol data packet generating unit, configured to process the application program data to be sent in the trusted operating environment and generate a target transport layer security protocol data packet to be sent; a transport layer security protocol tunnel determining unit, configured to determine a target transport layer security protocol tunnel between the target container and a server located in a gateway; and a security protocol data packet forwarding unit, used for forwarding the target transport layer security protocol data packet to be sent to the server through the target transport layer security protocol tunnel, so that the server determines a firewall rule associated with the authentication client application program according to the authentication client application program identifier in the sending source address, and routes the target transport layer security protocol data packet to be sent to the target receiving equipment corresponding to the sending destination address according to that firewall rule.
The embodiment of the disclosure provides a network access management device applied to a server side located in a gateway. The device comprises: a security protocol data packet receiving unit, configured to receive, through a target transport layer security protocol tunnel between the server and a target container, a target transport layer security protocol data packet to be sent by an untrusted client, where the untrusted client includes an authentication client application that is isolated and loaded in the target container providing a trusted operating environment, the target transport layer security protocol data packet to be sent includes a sending source address and a sending destination address, and the sending source address includes an authentication client application identifier; a firewall rule determining unit, configured to determine, according to the authentication client application identifier in the sending source address, a firewall rule associated with the authentication client application; and a transport layer security protocol data packet routing unit, used for routing the target transport layer security protocol data packet to be sent to the target receiving equipment corresponding to the sending destination address according to the firewall rule associated with the authentication client application.
The disclosed embodiments provide a computer-readable storage medium on which a computer program is stored, which when executed by a processor implements a network access management method as described in the above embodiments.
An embodiment of the present disclosure provides an electronic device, including: at least one processor; a storage device configured to store at least one program that, when executed by the at least one processor, causes the at least one processor to implement the network access management method as described in the above embodiments.
In the technical solutions provided by some embodiments of the present disclosure, an authentication client application in an untrusted client is deployed in a target container providing a trusted operating environment, so that the authentication client application runs in the trusted operating environment. An authentication-based target transport layer security protocol tunnel is established between the target container and a server located in a gateway, the to-be-sent application data sent by the authentication client application is transmitted through that tunnel, and the authentication client application identifier of the authentication client application is bound into the sending source address of the to-be-sent application data. On one hand, the server located in the gateway can therefore accurately and reliably associate network communication behaviour or network communication traffic with a specific authentication client application, a communication policy can be customized for each authentication client application, the server located in the gateway can manage network access on the basis of each authentication client application, and a security gateway solution with per-application granularity can be provided; on the other hand, the risk of the protected authentication client application traffic being attacked can be effectively reduced.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It should be apparent that the drawings in the following description are merely examples of the disclosure and that other drawings may be derived by those of ordinary skill in the art without inventive effort. In the drawings:
fig. 1 schematically shows a flow chart of a network access management method according to an embodiment of the present disclosure.
Fig. 2 schematically shows a block diagram of an untrusted client according to an embodiment of the present disclosure.
Fig. 3 schematically shows a block diagram of a server according to an embodiment of the present disclosure.
Fig. 4 schematically shows an architecture diagram of a network access management method according to an embodiment of the present disclosure.
Fig. 5 schematically illustrates an enterprise logical topology of a network access management method according to an embodiment of the present disclosure.
Fig. 6 schematically shows a traffic processing diagram of an application network access management method according to an embodiment of the present disclosure.
Fig. 7 schematically shows a flow chart of a network access management method according to an embodiment of the present disclosure.
Fig. 8 schematically shows a block diagram of a network access management device according to an embodiment of the present disclosure.
Fig. 9 schematically shows a block diagram of a network access management device according to an embodiment of the present disclosure.
FIG. 10 shows a schematic diagram of an electronic device suitable for use in implementing embodiments of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals denote the same or similar parts in the drawings, and thus, a repetitive description thereof will be omitted.
The described features, structures, or characteristics of the disclosure may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and the like. In other instances, well-known methods, devices, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the disclosure.
The drawings are merely schematic illustrations of the present disclosure, in which the same reference numerals denote the same or similar parts, and thus, a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in at least one hardware module or integrated circuit, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and steps, nor do they necessarily have to be performed in the order described. For example, some steps may be decomposed, and some steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
In this specification, the terms "a", "an", "the", "said" and "at least one" are used to indicate the presence of at least one element/component/etc.; the terms "comprising," "including," and "having" are intended to be inclusive and mean that there may be additional elements/components/etc. other than the listed elements/components/etc.; the terms "first," "second," and "third," etc. are used merely as labels, and are not limiting on the number of their objects.
Some terms mentioned in the embodiments of the present disclosure are first explained.
SGX (Software Guard Extensions): may be used to protect selected code and data from leakage and modification. Developers can place parts of an application into protected execution regions, called enclaves, that are enforced by the Central Processing Unit (CPU) in memory, so that security can be improved even on a compromised platform. With this application-layer trusted runtime environment, developers can enable identity and record privacy, secure browsing and Digital Rights Management (DRM), or any high-security application scenario that requires secure storage of secrets or protection of data. SGX aims to provide a user-space trusted running environment with hardware security as the mandatory guarantee, without depending on the security state of firmware and software; it realizes isolated execution among different programs through a set of new instruction set extensions and access control mechanisms, and guarantees that the confidentiality and integrity of the user's key code and data cannot be damaged by malicious software.
DTLS (Datagram Transport Layer Security): a communication protocol that provides transport-layer security for the UDP (User Datagram Protocol) protocol. It can provide security protection similar to TLS (Transport Layer Security). DTLS is commonly used for streaming media. Applications using UDP transport, which may include real-time video conferencing, internet telephony and online gaming, among others, are delay sensitive. Applications on TCP (Transmission Control Protocol) can be secured with TLS, but TLS cannot be used to secure data transmitted over UDP.
LwIP (Light Weight IP, lightweight Internet protocol): a small open-source TCP/IP protocol stack that can run with or without the support of an operating system. The emphasis of the LwIP implementation is on reducing Random Access Memory (RAM) usage while maintaining the main functions of the TCP protocol, which makes the LwIP protocol stack suitable for use in embedded systems with limited resources.
IMAP (Internet Message Access Protocol, formerly known as Interactive Mail Access Protocol): an application layer protocol for mail retrieval. Its main function is to let a mail client obtain mail information from a mail server by means of this protocol and download mail. The IMAP protocol runs on top of the TCP/IP protocol, using port 143.
SMTP (Simple Mail Transfer Protocol): a protocol that provides reliable and efficient e-mail transmission. SMTP is a mail service established on the FTP (File Transfer Protocol) file transfer service, and is mainly used for transferring mail information between systems and providing notification about incoming messages. SMTP is used to transmit mail between processing processes on the same network, and also to transmit mail between a given processing process and other networks through a relay or a gateway.
DNS (Domain Name System): a service of the internet. It acts as a distributed database that maps domain names and IP addresses to each other, enabling people to access the internet more conveniently. DNS uses TCP and UDP port 53.
LDAP (Lightweight Directory Access Protocol): is an open, neutral industry standard application protocol that provides access control and maintains directory information for distributed information via the IP protocol.
IDC (Internet Data Center): a service platform with complete facilities (including high-speed internet access bandwidth, a high-performance local area network, a safe and reliable machine room environment, and the like), professional management and comprehensive applications. On the basis of this platform, the IDC service provider offers internet basic platform services (server hosting, virtual hosts, mail caching, virtual mail and the like) and various value-added services (site renting services, domain name system services, load balancing systems, database systems, data backup services and the like) to the client.
DMZ (demilitarized zone, also called an isolation zone): a buffer zone set up between a non-secure system and a secure system, to solve the problem that users on the external network cannot access the internal network server (intranet server for short) once a firewall is installed. The buffer zone is a small network area located between the enterprise internal network and the external network. Server facilities that must be exposed, such as the enterprise Web servers and FTP servers, can be placed within this small network area. On the other hand, with such a DMZ zone the internal network is protected more effectively, because this deployment puts one more barrier in front of attackers from the external network compared with a general firewall scheme.
The following detailed description of exemplary embodiments of the disclosure refers to the accompanying drawings.
Based on the technical problems in the related art, an embodiment of the present disclosure provides a network access management method for at least partially solving the above problems. The method provided by each embodiment of the present disclosure may be executed by any electronic device, for example, a server or a server side located in a gateway, or a terminal installed with a client, or through interaction between a server and a terminal, which is not limited in the present disclosure.
The server and the server side mentioned in the embodiments of the present disclosure may be independent servers, may also be a server cluster or a distributed system formed by a plurality of servers, and may also be a cloud server that provides basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a network service, cloud communication, a middleware service, a domain name service, a security service, a CDN (Content Delivery Network), big data and an artificial intelligence platform.
In the embodiment of the present disclosure, the terminal may be a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, or the like, but is not limited thereto. The terminal and the server or the server side may be directly or indirectly connected through wired or wireless communication, and the disclosure is not limited herein.
Fig. 1 schematically shows a flow chart of a network access management method according to an embodiment of the present disclosure. The method provided by the embodiment of the present disclosure may be applied to an untrusted client that includes an authentication client application program, which is isolated and loaded in a target container that provides a trusted operating environment.
In the embodiment of the present disclosure, all clients may be defined as untrusted clients in a broad sense; a client that includes a malicious program and/or an unknown program may be referred to as an untrusted client, or a client infected with a virus, in a narrow sense. A malicious program generally refers to a program written with an attack intention, such as a virus or a trojan; its access to the external network is restricted, and the traffic corresponding to such a program is referred to as malicious traffic. An unknown program refers to an application program which has a networking requirement but has not been authenticated, and its corresponding traffic is called unknown traffic. The untrusted client may be any one of the untrusted clients.
In practical application, security protection of protected code can be realized by building a TEE (trusted execution environment) and isolating the protected code of a trusted application program in the TEE; the part of the trusted application program that is isolated and loaded in the trusted operating environment is called the authentication client application program, protected program, authenticated application or authenticated client application program, and the authentication client application program may be any one authentication client application program. For example, taking the building of a TEE with the SGX technology as an example, the CPU of the device is usually used as hardware support to create a program called an Enclave as the target container, and the code that needs to be protected is loaded in the Enclave program in an isolated manner to protect it from being attacked. In implementation, the software developer of the trusted application may develop a target container (e.g., an Enclave program in the SGX technology) as a TEE based on a specific TEE building technology (e.g., the SGX technology), and load the protected code of the trusted application in the target container in isolation.
In the embodiment of the present disclosure, a target container generally refers to an isolated secure operating environment that is built based on a specific TEE building technology and can provide security protection for protected codes in a trusted application. In practical applications, the target container may be a software environment that is supported by the processor as the underlying hardware and is only accessible by the processor. For example, taking building a TEE by using an SGX technology as an example, the target container may specifically be an Enclave program in the SGX technology, and usually, protected codes in a trusted application program are separately loaded into the Enclave program to perform security protection on the protected codes. Of course, in practical applications, it is not excluded that the target container may also be a physically isolated hardware environment. For example, the target container may be a physically isolated physical chip, and protected code in the trusted application may be isolated and loaded in the physical chip to perform security protection on the protected code. It should be emphasized that the TEE building technology adopted for building the TEE is not particularly limited in the embodiments of the present disclosure, and those skilled in the art can flexibly select the TEE based on actual development requirements. It will be appreciated that the particular configuration of the target container will also generally depend on the TEE build technique employed by those skilled in the art, i.e., whether the target container is ultimately an isolated software environment or an isolated hardware environment, depending on the TEE build technique employed. For example, if the SGX technology is used to build a TEE, the target container is an isolated software environment, namely an Enclave program, which is supported by a CPU as underlying hardware and can only be accessed by the CPU. 
In the following embodiments, the TEE is built based on the SGX technology, and it is obvious that in practical applications, it is also possible to build the TEE by using other TEE building technologies, for example, TrustZone technology, without any examples.
As shown in fig. 1, the method provided by the embodiment of the present disclosure may include the following steps.
In step S110, the authentication client application sends application data to be sent to the trusted operating environment, where the application data to be sent adopts a target transport layer protocol, the application data to be sent includes a sending source address and a sending destination address, and the sending source address includes an authentication client application identifier.
In the embodiment of the present disclosure, the target transport layer protocol may include a TCP protocol and/or a UDP protocol, but the present disclosure is not limited thereto.
In an exemplary embodiment, the trusted operating environment may include a network Socket processing module (Socket processing module), a client protocol stack, which may include a target internet protocol, and a client tunnel module (corresponding to tunnel module 1 below), which may employ a target transport layer security protocol. The server may include a server tunnel module (corresponding to tunnel module 2 hereinafter).
In the following description, the target internet protocol is LwIP, and the target transport layer security protocol is DTLS protocol, which are used as examples, but the disclosure is not limited thereto. When the target transport layer security protocol adopts a DTLS protocol, both the client tunnel module and the server tunnel module may be referred to as DTLS modules, and an authentication-based target transport layer security protocol tunnel may be established between the untrusted client and the server located in the gateway based on the DTLS protocol, which may also be referred to as a DTLS tunnel.
Before the authenticating client application sends the application data to be sent to the trusted operating environment, the method may further include: establishing the target transport layer security protocol tunnel between the target container and the server by using the client tunnel module and the server tunnel module; and when the untrusted client is started, receiving a server public key which is sent by the server and uniquely corresponds to the untrusted client.
For example, as shown in fig. 3, the server at the gateway may include a key management module configured to generate a separate server public key and server private key for each untrusted client, so that the server manages each untrusted client individually. When an untrusted client starts, it interacts with the key management module of the server, and the server transmits the server public key that corresponds to that untrusted client.
In step S120, in the trusted operating environment, the application data to be sent is processed, and a target transport layer security protocol data packet to be sent is generated.
In the trusted operating environment, processing the application data to be sent to generate a target transport layer security protocol data packet to be sent may include: performing network socket function redirection on the application data to be sent with the network socket processing module, so that the data is redirected to the target internet protocol application program interface function; packetizing the redirected application data with the target internet protocol to generate an internet protocol data packet to be sent; and encapsulating the internet protocol data packet to be sent with the target transport layer security protocol to generate the target transport layer security protocol data packet to be sent. Reference may be made in particular to the embodiment of fig. 6 below.
In an exemplary embodiment, in the trusted operating environment, processing the application data to be sent to generate a target transport layer security protocol data packet to be sent, which may further include: and encrypting the target transmission layer security protocol data packet to be sent by using the server public key to generate the encrypted target transmission layer security protocol data packet to be sent.
In step S130, a target transport layer security protocol tunnel between the target container and the server located in the gateway is determined.
In the embodiment of the present disclosure, each untrusted client may establish a one-to-one DTLS tunnel through its DTLS module 1 and the DTLS module 2 of the server, and after determining the target container of the untrusted client, a target DTLS tunnel may be determined.
In step S140, the target transport layer security protocol packet to be sent is forwarded to the server through the target transport layer security protocol tunnel, so that the server determines a firewall rule associated with the authentication client application according to the authentication client application identifier in the sending source address, and routes the target transport layer security protocol packet to be sent to a target receiving device corresponding to the sending destination address according to the firewall rule associated with the authentication client application.
The forwarding the target transport layer security protocol data packet to be sent to the server through the target transport layer security protocol tunnel may include: and forwarding the encrypted target transport layer security protocol data packet to be sent to the server through the target transport layer security protocol tunnel, so that the server receives the encrypted target transport layer security protocol data packet to be sent, and decrypts the encrypted target transport layer security protocol data packet to be sent by adopting a server private key corresponding to the server public key.
In an exemplary embodiment, the method may further include: and if the application program data to be sent does not adopt the target transport layer protocol, forwarding the application program data to be sent to the server side in a non-network socket mode. Reference may be made in particular to the embodiment of fig. 6 below.
In an exemplary embodiment, the target container may further include an operating system library, the target container may be located in a user space of the untrusted client, and the untrusted client may further include a kernel space. The forwarding the target transport layer security protocol data packet to be sent to the server through the target transport layer security protocol tunnel may include: sending the target transport layer security protocol data packet to be sent to the operating system library through the client tunnel module; and the operating system library converts the target transport layer security protocol data packet to be sent from the target internet protocol application program interface function into a target transport layer protocol sending function so as to forward the target transport layer security protocol data packet to be sent to the server through the target transport layer security protocol tunnel located in the kernel space. Reference may be made in particular to the embodiment of fig. 6 below.
In an exemplary embodiment, the method may further include: the untrusted client receives, through the target transport layer security protocol tunnel, a target transport layer security protocol data packet to be received that is sent by the server; the client tunnel module receives and decrypts it to obtain an internet protocol data packet to be received; the target internet protocol processes that packet to obtain application data to be received; and the application data to be received is delivered to the authentication client application.
In the network access management method provided by the disclosed embodiment, an authentication client application in an untrusted client is deployed in a target container that provides a trusted operating environment and runs there; an authentication-based target transport layer security protocol tunnel is established between the target container and a server located in a gateway; the application data sent by the authentication client application is transmitted through that tunnel; and the authentication client application identifier of the authentication client application is bound into the sending source address of that data. On the one hand, the server in the gateway can therefore accurately and reliably associate network communication behaviour or traffic with a specific authentication client application, customize a communication policy for each authentication client application, and manage network access on a per-application basis, which provides a security gateway solution with application-level granularity; on the other hand, the risk of the protected authentication client application's traffic being attacked is effectively reduced.
The embodiment of the disclosure provides a network access management system, which can comprise an untrusted client and a server. The following examples are given by way of SGX, LwIP and DTLS.
Fig. 2 schematically shows a block diagram of an untrusted client according to an embodiment of the present disclosure. As shown in fig. 2, the untrusted client may include an SGX module, a DTLS module 1, a protocol stack, and a security monitoring module.
The SGX module provides the authentication client application with an isolated trusted execution region, i.e. the trusted operating environment, based on SGX, so that steps S110 and S120 of the embodiment of fig. 1 can be executed: the authentication client application in the untrusted client sends application data to be sent into the trusted operating environment, where it is processed into a target transport layer security protocol data packet to be sent. Through the SGX Enclave, the SGX module builds a secure channel, such as a DTLS tunnel, to the server located in the gateway, and protects the authentication client application from attacks such as man-in-the-middle attacks and Advanced Persistent Threat (APT) attacks.
Man-in-the-Middle Attack (abbreviated as "MITM Attack") is an "indirect" intrusion Attack in which a computer under the control of an intruder is virtually placed between two communicating computers in a network connection by various techniques, known as a "Man-in-the-Middle". APT refers to the persistent and effective attack activity that an organization develops on a specific object, which is extremely hidden and targeted, and usually employs various means such as various infected mediums, supply chains and social engineering to implement advanced, persistent and effective threats and attacks.
The DTLS module 1 (tunnel module in fig. 6) is configured to build a secure channel, for example, a DTLS tunnel, between the authentication client application and the server located in the gateway through the DTLS protocol, so that step S130 in the embodiment of fig. 1 described above may be subsequently performed, that is, a target transport layer security protocol tunnel between the target container and the server located in the gateway may be determined. Then, step S140 in the embodiment of fig. 1 is executed again, and the authentication client application performs data transmission through the DTLS tunnel.
The protocol stack in fig. 2 may operate on the API (Application Programming Interface) provided by LwIP. LwIP is a lightweight stack intended for embedded systems and is simple.
The security monitoring module in fig. 2 is mainly used to monitor the security of the untrusted client itself, which may include integrity checks, detecting whether the untrusted client has been injected into or tampered with, checking processes, and detecting whether an address has been replaced.
Fig. 3 schematically shows a block diagram of a server according to an embodiment of the present disclosure.
As shown in fig. 3, the server may include a DTLS module 2, a rule management module, a key management module, and an update management module.
The DTLS module 2 is configured to establish a DTLS tunnel together with the DTLS module 1 in fig. 2. Although not shown in fig. 3, the server of fig. 3 also includes the same protocol stack as the untrusted client.
In the embodiment of the disclosure, each untrusted client shares a separate key pair with the server, that is, the server holds a separate server public key and server private key for each untrusted client. When an untrusted client starts, it obtains its own server public key by interacting with the key management module of the server; the untrusted client then encrypts data with that server public key and the server decrypts it with the matching server private key, which ties the identity of each untrusted client to the server and vice versa. Note that encryption under the server public key by itself only guarantees that the server is the reader; binding the key to a specific client rests on the key distribution at start-up and on the remote attestation described below.
The rule management module maintains an application list containing the applications allowed to communicate (e.g. an authentication application whose action is accept in table 1 below) and the applications that are blacklisted (e.g. an application whose action is reject in table 1 below); it may also manage the intranet sub-segments used in the application rules.
For example, each source zone, such as personal computers (PCs), the IDC/DMZ zone and the intranet servers, though the disclosure is not limited to these, may be assigned an intranet sub-segment, and a list is maintained of every source zone and its corresponding sub-segment, so that different communication policies or rules (for example, table 1 below) can be formulated for different source zones and the server can manage network access in a targeted, zone-by-zone and finer-grained way. Because these communication policies and rules are stored at the server, i.e. the communication rules for each particular authentication client application are defined and stored in the rule management module of the server, the gateway can perform further functions on that basis.
The update management module may comprise two parts: updates of the system's own components and vulnerability updates for listed applications.
Updates of the system's own components (keys, programs, dependency libraries, LibOS) are controlled by the server, which identifies the version number and initiates the update; the server also controls the update of the untrusted client: the untrusted client reports its state to the server, and when the server finds that the client's version needs updating, the client performs the update. After the untrusted client downloads the update, it verifies the hash value of the downloaded package to decide whether the package has been maliciously replaced, so that a tampered update is not installed. Vulnerability updates for listed applications mean that the server can actively disconnect an application that has a vulnerability and revoke its connections to the other intranet sub-segments.
Fig. 4 schematically shows an architecture diagram of a network access management method according to an embodiment of the present disclosure. The overall system architecture is as shown in fig. 4, and virus infected clients (as untrusted clients) located in an intranet sub-network segment corresponding to a source region of a personal terminal in an enterprise intranet are assumed to include malicious programs, unknown programs, and protected programs (as authenticated client application programs) in a running state. The other sub-network segments in the embodiment of fig. 4 refer to intranet sub-network segments corresponding to other source regions, for example, IDC/DMZ, intranet servers, and the like. The virus infected client comprises an SGX module to provide SGX Enclave, and the protected program is encapsulated in the SGX Enclave.
When the virus-infected client runs, the protected program (which can be pre-approved in the intranet and installed into SGX) is packaged together with an operating system library (the dynamic link libraries or other extension packages the protected program depends on), and the two are combined inside the SGX Enclave. The server is located at the gateway and cooperates with the firewall to protect the traffic of the protected program. The server verifies the identity of the protected program and securely forwards the traffic between the virus-infected client and the gateway while the client runs, so that the traffic of the protected program cannot be tampered with or intercepted.
A secure DTLS tunnel is established between the SGX Enclave and the server; the server monitors the traffic of the trusted protected program, which is carried through the DTLS tunnel. The malicious traffic of malicious programs and the unknown traffic of unknown programs are denied network access by default and are blocked by the server, i.e. they are not allowed to reach an external server connected through the internet.
In the embodiment of the present disclosure, the identity of the protected program may be checked using SGX remote attestation; during initialization the key management module of the server distributes the server public key and checks the integrity of the program's files, and so on. It can also be verified that the SGX module is running in a trusted operating environment, and the process list can be checked for decompilation or debugging tools; if any is found, the SGX module is forcibly stopped. On the untrusted client side, the security monitoring module transparently protects the protected program in real time against a local system-level attacker, so that even when the host of the virus-infected client has been compromised, the attacker is prevented from hooking the trusted protected program by advanced means such as process injection and from sending data through the DTLS tunnel that the trusted protected program uses for network access.
The detailed processing of the data and the policy by the rule management module of the server can refer to the embodiment of fig. 5.
Fig. 5 schematically illustrates an enterprise logical topology diagram of a network access management method according to an embodiment of the present disclosure.
As shown in FIG. 5, it is assumed that the intranet is divided into three source areas, namely a personal terminal, an intranet server and IDC/DMZ, and the three source areas are isolated from each other, and each source area is allocated with an intranet sub-network segment.
In fig. 5, four untrusted clients are taken as an example: one untrusted client uses the XX browser as its authentication client application, one uses an SQL client, one uses a mail client, and one uses an FTP client. This is by way of illustration only and is not a limitation. The packaged XX browser, SQL client, mail client and FTP client are installed on their respective untrusted clients; each exchanges keys with the server SDK (Software Development Kit) at the gateway (the trusted gateway), a corresponding DTLS tunnel is built for each, and each is thereby identified as a trusted authentication client application.
Assuming that the enterprise logic topology is as shown in fig. 5, the personal terminal is connected to the server of the trusted gateway through a corresponding switch, the intranet server is assumed to include a web server, an application server, and a database server, and is connected to the server through a corresponding switch, respectively, and the IDC/DMZ is assumed to include a web server, an FTP server, a DNS server, and a mail server, and is connected to the server through a corresponding switch, respectively. It is to be understood that fig. 5 is merely exemplary. Thus, a set of rules can be devised as shown in Table 1:
table 1 sample of rules
In table 1 above, rules 1 and 2 both concern authentication client applications in a corresponding untrusted client that are allowed to connect to external servers on the external network. Specifically, rule 1 allows the XX browser, as the authentication application on a PC whose source zone is PC_Client (the untrusted client is the PC), to connect through ports 80 and 443 to an external server whose destination zone is $External (i.e. a non-intranet IP). Rule 2 allows SQL_TLS, as the authentication application on a PC whose source zone is PC_Client, to connect through port 3306 to an external server whose destination zone is $External, where $PC_SQL_TLS indicates that the connection to the external server is permitted only through a TLS handshake, since otherwise the data would travel in clear text and could easily be intercepted.
The "NEW" state in table 1 means that a new connection may be established, and the "EST" state means that a connection has already been established and may continue. A wildcard in a field means that the field is not restricted.
Rule 3 allows any mail client ($Any_Mail) as the authentication application, without restricting its source zone, to connect through ports 143 and 993 to an internal server whose destination zone is $IMAP (corresponding to a mail server among the intranet servers, not shown in fig. 5), and to connect through ports 465 and 587 to an IDC/DMZ zone server whose destination zone is $SMTP (corresponding to the mail server in IDC/DMZ in fig. 5).
Rules 4 to 7 concern external clients and external servers on the external network that are allowed to connect to the respective servers in the IDC/DMZ zone. Specifically, rule 4 allows an external client or external server with source zone $External, as the authentication application, to connect through port 25 to the IDC/DMZ zone server whose destination zone is $SMTP (the mail server in IDC/DMZ in fig. 5). Rule 5 places no restriction on the source zone or the authentication application and allows connections through port 53 to the IDC/DMZ zone server whose destination zone is $DNS (the DNS server in IDC/DMZ in fig. 5). Rule 6 places no restriction on the source zone and allows the XX browser installed on a PC in the external network, as the authentication application, to connect through ports 21 and 20 to the IDC/DMZ zone server whose destination zone is $FTP (the FTP server in IDC/DMZ in fig. 5). Rule 7 places no restriction on the source zone or the authentication application and allows connections through ports 80 and 443 to the destination zone Webshop, the shopping service provided as an external web service.
Rules 8 to 10 allow authentication applications to connect to the intranet servers and the IDC/DMZ zone servers. Specifically, rule 8 allows the XX browser on a PC with source zone PC_Client, as the authentication application, to connect through ports 80 and 443 to the web server among the intranet servers whose destination zone is $Internet. Rule 9 allows the SQL client on a PC with source zone PC_Client, as the authentication application, to connect through port 3306 to the database server among the intranet servers whose destination zone is $DataBase. Rule 10 allows Enc (an LDAP authentication client, not shown in fig. 5) on a PC with source zone PC_Client, as the authentication application, to connect through ports 389 and 636 to the IDC/DMZ zone server whose destination zone is $LDAP.
In rule 11, $Server stands for the intranet servers and the IDC/DMZ zone servers, i.e. the intranet servers and the IDC/DMZ zone servers are allowed to connect to external servers.
Rule 12 allows all traffic of connections already established under rules 1 to 11, and rule 13 is the default policy that rejects all other traffic; this is equivalent to an iptables policy that rejects by default and passes only traffic matching rules 1 to 12.
The traffic handling procedure is illustrated in conjunction with fig. 6, and although only the untrusted client is shown in fig. 6, the execution procedure of the server corresponds to this.
Fig. 6 schematically shows a traffic processing diagram of an application network access management method according to an embodiment of the present disclosure.
As shown in fig. 6, the untrusted client replaces system calls such as UDP send/recv so that they are handled by the LwIP API inside SGX. The trusted operating environment contains a set of wrapper functions that intercept all network I/O (input/output) functions: every network socket function of the protected application (the authenticated client application in the figure) is redirected to the corresponding LwIP API function, and network I/O is invoked from user space inside the SGX Enclave. LwIP manages all requests and connections of the APP and uses tunnel module 1 to send and receive the associated IP packets. So that applications can run without manipulating hardware directly, a kernel sits between the applications and the hardware and abstracts the underlying hardware: the operating system and drivers run in kernel space, and applications (including the authenticated client application) run in user space.
The IP packets exchanged between the untrusted client and the server may or may not carry TCP/UDP. An IP packet carrying TCP/UDP is processed by tunnel module 1, LwIP and the Socket module into APP data and delivered to the authenticated client application; an IP packet that does not carry TCP/UDP, for example one belonging to a protocol such as IGMP (Internet Group Management Protocol) or SMP, is delivered to the authenticated client application by a non-Socket path.
The transmit path is as follows. The authenticated client application sends application data (APP data) to be sent to the Socket processing module in the trusted operating environment, which performs network socket function redirection so that the APP data is redirected to the LwIP API function (the target internet protocol application program interface function). LwIP packetizes the APP data into an IP data packet to be sent (the internet protocol data packet to be sent). Tunnel module 1 encapsulates the IP data packet with DTLS to produce the DTLS data packet to be sent (the target transport layer security protocol data packet to be sent) and forwards it to the server in the gateway through the authenticated DTLS tunnel. The server receives the DTLS data packet, decrypts it to recover the contained IP data packet, and passes the IP data packet to the gateway through a virtual network interface. The gateway then applies the APP-granularity firewall rules and routes the IP data packet to the target receiving device corresponding to the sending destination address, such as a target external server, a target intranet server, or a target isolation server (a designated server located in the IDC/DMZ zone).
The hierarchy-SGX shown in fig. 6 is a practical operating system library for running authenticated client applications on SGX. A fully functional operating system library allows unmodified applications to be deployed on SGX quickly. The disclosed embodiments provide a port of this library to SGX, together with improvements that make the security benefits of SGX more usable, such as integrity support for dynamically loaded libraries and secure multi-process support.
The receive path is as follows. The server receives the corresponding IP data packet to be received from the gateway through the virtual network interface, looks up the firewall rules by the receiving destination address, finds the DTLS tunnel corresponding to the protected authenticated client application, encapsulates the IP data packet with DTLS to produce the DTLS data packet to be received, and sends it to the untrusted client through that DTLS tunnel. Tunnel module 1 receives the DTLS data packet, decrypts it to recover the IP data packet to be received and places it in the LwIP receive queue; LwIP processes the IP data packet and delivers the contained application data to be received to the authenticated client application.
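The transmit and receive paths of fig. 6 and the rule lookup described for table 1 together make up the gateway's decision: the tunnel a frame arrives on fixes the authentication client application, the application identifier and destination in the packet select a rule, and the default rule rejects everything else. The following Python model is an added example and not code from the patent or from any product it describes. The sub-segment addresses, the tunnel table, the sample flows and the rule subset (rules 1, 5, 8, 9, 12 and 13, transcribed from the prose description of table 1) are all assumptions, and a keyed HMAC over each frame stands in for the DTLS record layer that the real system uses. It also adds one check the text implies but does not spell out: an application identifier in the source address that disagrees with the application bound to the tunnel is rejected.

```python
# Constructed example: addresses, tunnel table, rule subset and flows are assumptions.
import hashlib
import hmac
import ipaddress
import struct
from collections import namedtuple

# Zones and their intranet sub-segments (fig. 5); any other address is $External.
SUBNETS = {
    "PC_Client": ipaddress.ip_network("10.1.0.0/16"),
    "$Internet": ipaddress.ip_network("10.2.1.0/24"),  # intranet web servers
    "$DataBase": ipaddress.ip_network("10.2.2.0/24"),  # intranet database servers
    "$DNS": ipaddress.ip_network("10.3.2.0/24"),       # IDC/DMZ DNS servers
}

def zone_of(ip):
    return next((z for z, net in SUBNETS.items() if ip in net), "$External")

# A rule is (no, source zone, authentication app, destination zone, ports, state, action);
# "*" means unrestricted, an empty port set means any port, state is "NEW", "EST" or "*".
Rule = namedtuple("Rule", "no src_zone app dst_zone ports state action")

def rule_matches(r, src_zone, app, dst_zone, port, state):
    return (r.src_zone in ("*", src_zone) and r.app in ("*", app) and r.dst_zone in ("*", dst_zone)
            and (not r.ports or port in r.ports) and r.state in ("*", state))

# Subset of table 1 as described in the text; first match wins, rule 13 is the default reject.
RULES = [
    Rule(1, "PC_Client", "XX_Browser", "$External", frozenset({80, 443}), "NEW", "accept"),
    Rule(5, "*", "*", "$DNS", frozenset({53}), "NEW", "accept"),
    Rule(8, "PC_Client", "XX_Browser", "$Internet", frozenset({80, 443}), "NEW", "accept"),
    Rule(9, "PC_Client", "SQL_Client", "$DataBase", frozenset({3306}), "NEW", "accept"),
    Rule(12, "*", "*", "*", frozenset(), "EST", "accept"),
    Rule(13, "*", "*", "*", frozenset(), "*", "reject"),
]

# One DTLS tunnel per authentication client application (step S130): client zone, the
# identifier bound into the sending source address, and a per-tunnel key standing in for DTLS.
Tunnel = namedtuple("Tunnel", "client_zone app_id key")
TUNNELS = {
    1: Tunnel("PC_Client", b"XX_Browser", b"assumed-tunnel-1-key"),
    2: Tunnel("PC_Client", b"SQL_Client", b"assumed-tunnel-2-key"),
}

# Toy IP packet: app id (padded to 16 bytes) | src ip | src port | dst ip | dst port | payload
HDR = struct.Struct("!16s4sH4sH")
TAG_LEN = hashlib.sha256().digest_size

def build_ip_packet(app_id, src_ip, src_port, dst_ip, dst_port, payload=b""):
    return HDR.pack(app_id.ljust(16, b"\0"), ipaddress.ip_address(src_ip).packed, src_port,
                    ipaddress.ip_address(dst_ip).packed, dst_port) + payload

def parse_ip_packet(pkt):
    app, s, sp, d, dp = HDR.unpack_from(pkt)
    return app.rstrip(b"\0"), ipaddress.ip_address(s), sp, ipaddress.ip_address(d), dp, pkt[HDR.size:]

def tunnel_encapsulate(tunnel_id, key, ip_packet):
    """Client tunnel module: frame = tunnel id | IP packet | tag."""
    body = struct.pack("!H", tunnel_id) + ip_packet
    return body + hmac.new(key, body, hashlib.sha256).digest()

def tunnel_decapsulate(frame):
    """Server tunnel module: (tunnel_id, ip_packet), or None when the tag check fails."""
    if len(frame) < 2 + HDR.size + TAG_LEN:
        return None
    (tunnel_id,) = struct.unpack_from("!H", frame)
    tunnel = TUNNELS.get(tunnel_id)
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if tunnel is None or not hmac.compare_digest(hmac.new(tunnel.key, body, hashlib.sha256).digest(), tag):
        return None
    return tunnel_id, body[2:]

def decide_outbound(frame, conntrack):
    """Step S140 at the server: tunnel -> application -> rule -> route; conntrack maps flow -> tunnel."""
    decap = tunnel_decapsulate(frame)
    if decap is None:
        return "reject", "bad tunnel frame"
    tunnel_id, ip_packet = decap
    tunnel = TUNNELS[tunnel_id]
    app, src_ip, sp, dst_ip, dp, _ = parse_ip_packet(ip_packet)
    # Added check: the tunnel is the trusted source of the application identity, so an
    # identifier in the source address that disagrees with it is treated as spoofing.
    if app != tunnel.app_id:
        return "reject", "app identifier does not match tunnel"
    flow = (src_ip, sp, dst_ip, dp)
    state = "EST" if flow in conntrack else "NEW"
    dst_zone = zone_of(dst_ip)
    for rule in RULES:
        if rule_matches(rule, tunnel.client_zone, app.decode(), dst_zone, dp, state):
            if rule.action == "accept":
                conntrack[flow] = tunnel_id
                return "accept", dst_zone      # routed to the receiving device in this zone
            return "reject", f"rule {rule.no}"
    return "reject", "no rule"

def tunnel_for_inbound(ip_packet, conntrack):
    """Receive path of fig. 6: only a reply on an established flow maps back to a tunnel."""
    _, src_ip, sp, dst_ip, dp, _ = parse_ip_packet(ip_packet)
    return conntrack.get((dst_ip, dp, src_ip, sp))
```

Calling decide_outbound twice with the same frame shows the NEW/EST distinction: the first call matches rule 1 and records the flow, the second is carried by rule 12. A frame sent on the XX browser's tunnel but carrying the SQL client's identifier is rejected before any rule is consulted, and a frame whose tag does not verify under the tunnel key is dropped as a bad frame. tunnel_for_inbound maps a reply back to a tunnel only when the flow was established from inside, so an unsolicited packet addressed to a client port finds no tunnel.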
On one hand, the network access management method provided by the embodiments of the present disclosure can resist traffic attacks from the untrusted client against the SGX-protected application, for example reducing the risk of man-in-the-middle attacks and APT attacks, but it is not limited thereto: any application scenario that can associate traffic with an authentication client application (or with the process in which the authentication client application runs) and identify it may be applicable, such as egress traffic auditing and Access Control Lists (ACLs). When a host is compromised, the trusted authentication client application is not exploited and can still communicate over the network, so the untrusted client does not have to be disconnected outright. On the other hand, the server at the gateway is given the ability to manage network access at application granularity, and the firewall reliably associates network traffic with a particular authentication client application. The authentication client application runs in the trusted operating environment (SGX Enclave) provided by SGX, and an authentication-based DTLS tunnel is transparently established between the SGX Enclave and the gateway. Because each DTLS tunnel corresponds one-to-one to an authentication client application, identifying the DTLS tunnel identifies the authentication client application, so traffic can be accurately correlated to the authentication client application at its source, which enables refined communication policies customized for each authentication client application to be implemented on the firewall. Transparent means that no parsing or decryption is performed on the data being transmitted, whatever that data is.
Fig. 7 schematically shows a flow chart of a network access management method according to an embodiment of the present disclosure. The method provided by the embodiment of fig. 7 can be applied to a server located in a gateway. As shown in fig. 7, the method provided by the embodiment of the present disclosure may include the following steps.
In step S710, a target transport layer security protocol data packet to be sent by an untrusted client is received through a target transport layer security protocol tunnel between the server and a target container, where the untrusted client includes an authentication client application, the authentication client application is separately loaded in the target container providing a trusted operating environment, the target transport layer security protocol data packet to be sent includes a sending source address and a sending destination address, and the sending source address includes an authentication client application identifier.
In step S720, a firewall rule associated with the authentication client application is determined according to the authentication client application identifier in the sending source address.
In step S730, the target transport layer security protocol packet to be sent is routed to the target receiving device corresponding to the sending destination address according to the firewall rule associated with the authentication client application.
In an exemplary embodiment, the sending source address may further include a current source area (e.g., the personal terminal in fig. 5) to which the untrusted client belongs, the current source area corresponding to an intranet sub-segment, and the target receiving device may include a target external server (e.g., an external server located in the external network in fig. 5) belonging to an external network, the external network corresponding to a non-intranet sub-segment. The routing, according to the firewall rule associated with the authentication client application program, of the target transport layer security protocol packet to be sent to the target receiving device corresponding to the sending destination address may include: if the current source area and the authentication client application program identifier in the sending source address both match the source area and the authentication application in a firewall rule (e.g., rule 1 and rule 2 in table 1), determining whether the sending destination address matches the destination area in that firewall rule; if the sending destination address belongs to the destination area in the firewall rule, and the destination area includes the non-intranet sub-segment, newly establishing a connection between the gateway and the target external server, and routing the target transport layer security protocol packet to be sent to the target external server corresponding to the sending destination address through a first specified port in the firewall rule (e.g., ports 80 and 443 in rule 1, or port 3306 in rule 2).
In an exemplary embodiment, the target receiving device may include a target intranet server (e.g., any server among the intranet servers in fig. 5, such as one or more of a network server, an application server, a database server, and the like) belonging to an intranet area (e.g., the intranet servers in fig. 5), and the intranet area and the current source area to which the untrusted client belongs are divided into different intranet sub-segments and isolated from each other. The routing, according to the firewall rule associated with the authentication client application program, of the target transport layer security protocol packet to be sent to the target receiving device corresponding to the sending destination address may include: if the authentication client application identifier in the sending source address matches the authentication application in a firewall rule (e.g., rule 3 in table 1), determining whether the sending destination address matches the destination area in that firewall rule; if the sending destination address belongs to the destination area in the firewall rule and the destination area includes the target intranet server, establishing a connection between the gateway and the target intranet server, and routing the target transport layer security protocol data packet to be sent to the target intranet server corresponding to the sending destination address through a second specified port (for example, ports 143 and 993 in rule 3) in the firewall rule.
In an exemplary embodiment, the target receiving device may include a target isolation server (e.g., any server of the IDC/DMZ zone in fig. 5, such as any one or more of a web server, an FTP server, a DNS server, and a mail server in the IDC/DMZ zone), the target isolation server belongs to an isolation source zone (e.g., the IDC/DMZ zone in fig. 5), and the isolation source zone and the current source zone to which the untrusted client belongs belong to different intranet sub-segments and are isolated from each other. The routing, according to the firewall rule associated with the authentication client application program, of the target transport layer security protocol data packet to be sent to the target receiving device corresponding to the sending destination address may include: if the authentication client application identifier in the sending source address matches the authentication application in a firewall rule (e.g., rule 3 in table 1), determining whether the sending destination address matches the destination zone in that firewall rule; if the sending destination address belongs to the destination zone in the firewall rule and the destination zone includes the target isolation server, establishing a connection between the gateway and the target isolation server, and routing the target transport layer security protocol packet to be sent to the target isolation server corresponding to the sending destination address through a third specified port (e.g., ports 465 and 587 in rule 3) in the firewall rule.
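The server-side decision of steps S710 to S730 and the three routing embodiments above, together with the inbound tunnel lookup from the packet receiving process, can be modelled as a small rule engine. The following Python is an added example written for this page; it is not code from the patent or from any implementation it describes. The zone CIDRs, application identifiers and tunnel ids are constructed sample values, and the rule table is constructed to follow the port numbers the description gives for rules 1 to 3 of table 1 (80 and 443, 3306, 143 and 993, 465 and 587):

```python
"""Gateway-side, per-application firewall routing for DTLS-tunnelled traffic.

Added example, not code from the patent. Zone CIDRs, application identifiers
and tunnel ids are constructed sample values; the port numbers follow the
description's rules 1 to 3.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed intranet sub-segments for the zones the description names.
ZONES = {
    "personal_terminal": ip_network("10.10.0.0/16"),
    "intranet_server": ip_network("10.20.0.0/16"),
    "idc_dmz": ip_network("10.30.0.0/16"),
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the sub-segments is external."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


@dataclass(frozen=True)
class Rule:
    src_zone: str       # source area the untrusted client belongs to
    app_id: str         # authenticated client application identifier
    dst_zone: str       # destination area
    ports: frozenset    # specified ports in the rule


# Constructed rule table: rule 1 (80, 443) and rule 2 (3306) reach the external
# network; rule 3 reaches the intranet mail server on 143/993 and the IDC/DMZ
# mail server on 465/587.
RULES: List[Rule] = [
    Rule("personal_terminal", "browser", "external", frozenset({80, 443})),
    Rule("personal_terminal", "db_client", "external", frozenset({3306})),
    Rule("personal_terminal", "mail_client", "intranet_server", frozenset({143, 993})),
    Rule("personal_terminal", "mail_client", "idc_dmz", frozenset({465, 587})),
]

# One DTLS tunnel per authenticated application: tunnel id -> (client ip, app id).
TUNNELS: Dict[str, Tuple[str, str]] = {
    "dtls-1": ("10.10.1.5", "browser"),
    "dtls-2": ("10.10.1.5", "mail_client"),
}


@dataclass(frozen=True)
class IpPacket:
    src_ip: str
    dst_ip: str
    dst_port: int


def route_outbound(tunnel_id: str, pkt: IpPacket,
                   tunnels=TUNNELS, rules=RULES) -> Tuple[str, str]:
    """Steps S710-S730: decide where a decrypted IP packet from a tunnel goes.

    Returns ("forward", "<zone>:<ip>:<port>") or ("drop", reason).
    """
    # S710: the tunnel the packet arrived on identifies the application
    # one-to-one, so identity is bound to the traffic at its source.
    if tunnel_id not in tunnels:
        return ("drop", "unknown tunnel")
    client_ip, app_id = tunnels[tunnel_id]
    if pkt.src_ip != client_ip:
        return ("drop", "source address does not belong to this tunnel")
    src_zone, dst_zone = zone_of(pkt.src_ip), zone_of(pkt.dst_ip)
    # S720: only rules associated with this application are consulted.
    for rule in rules:
        if rule.app_id != app_id or rule.src_zone != src_zone:
            continue
        # S730: destination area and specified port must both match.
        if rule.dst_zone == dst_zone and pkt.dst_port in rule.ports:
            return ("forward", f"{dst_zone}:{pkt.dst_ip}:{pkt.dst_port}")
    return ("drop", "no firewall rule for this application")


def tunnel_for_inbound(peer_ip: str, peer_port: int, client_ip: str,
                       tunnels=TUNNELS, rules=RULES) -> Optional[str]:
    """Inbound path: find the DTLS tunnel of the application that a rule
    allows to talk to this peer, or None when no rule and tunnel fit."""
    peer_zone, client_zone = zone_of(peer_ip), zone_of(client_ip)
    for rule in rules:
        if rule.src_zone != client_zone or rule.dst_zone != peer_zone:
            continue
        if peer_port not in rule.ports:
            continue
        for tid, (tunnel_client, app_id) in tunnels.items():
            if tunnel_client == client_ip and app_id == rule.app_id:
                return tid
    return None


if __name__ == "__main__":
    print(route_outbound("dtls-1", IpPacket("10.10.1.5", "93.184.216.34", 443)))
    print(route_outbound("dtls-1", IpPacket("10.10.1.5", "10.20.0.9", 993)))
    print(tunnel_for_inbound("10.20.0.9", 993, "10.10.1.5"))
```

The model makes two points of the design explicit: the application identity comes from the tunnel the packet arrived on, not from anything parsed out of the payload, and a packet is only forwarded when source area, application identifier, destination area and port all match a rule. Everything else, including a packet whose source address does not belong to its tunnel, is dropped with a reason; a gateway built this way should log that reason, since a run of unknown-tunnel or source-mismatch drops is the signal that traffic is arriving outside the enclave-bound tunnels.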
The method provided by the embodiment of the present disclosure may specifically refer to the embodiments of fig. 1 to 6 described above.
The method provided by the embodiments of the disclosure may relate to cloud security within cloud technology. Currently, cloud computing environments require trusted computing support and are typically built on a traditional layered security model that protects privileged programs from attack by untrusted applications, but does not protect application data from being accessed and tampered with by privileged software. As a result, a user in the cloud environment can only passively trust the reliability of the cloud service provider's hardware and software, and cannot guarantee that an administrator will not steal the user's private data. In the embodiments of the disclosure, a secure isolated execution environment can be provided for an application program using SGX and DTLS technologies, so that user data is protected from access by privileged software and from hardware-based attacks (such as memory scanning), and the security of the cloud computing environment is protected.
Cloud technology is a hosting technology that unifies a series of resources such as hardware, software and networks in a wide area network or local area network to realize calculation, storage, processing and sharing of data.
Cloud technology is a general term for network technology, information technology, integration technology, management platform technology, application technology and the like applied on the basis of a cloud computing business model; it can form a resource pool that is used on demand and is flexible and convenient. Cloud computing technology will become an important support. Background services of technical network systems, such as video websites, picture websites and more web portals, require large amounts of computing and storage resources. With the rapid development and application of the internet industry, each item may have its own identification mark that needs to be transmitted to a background system for logic processing, data at different levels are processed separately, and all kinds of industrial data need strong system background support, which can only be realized through cloud computing.
Cloud security (Cloud Security) is a generic term for security software, hardware, users, organizations and secure cloud platforms for cloud-based business model applications. Cloud security integrates emerging technologies and concepts such as parallel processing, grid computing and judgment of unknown virus behavior; abnormal monitoring of software behavior in the network is achieved through a large number of meshed clients, the latest information on trojans and malicious programs in the internet is obtained and sent to the server for automatic analysis and processing, and the virus and trojan solution is then distributed to each client.
The main research directions of cloud security include: 1. cloud computing security, which mainly researches how to guarantee the security of the cloud and of the various applications on the cloud, including the security of the cloud computer system, the secure storage and isolation of user data, user access authentication, information transmission security, network attack protection, compliance auditing and the like; 2. cloud computing for security infrastructure, which mainly researches how to newly build and integrate security infrastructure resources using cloud computing and optimize security protection mechanisms, including using cloud computing technology to build a very large-scale security event and information acquisition and processing platform, achieving acquisition and correlation analysis of mass information and improving the handling control capability and risk control capability for security events across the whole network; 3. cloud security services, which mainly research various security services, such as anti-virus services, provided to users based on a cloud computing platform.
Fig. 8 schematically shows a block diagram of a network access management device according to an embodiment of the present disclosure. The network access management apparatus 800 provided in the embodiment of fig. 8 may be applied to an untrusted client, which may include an authentication client application program loaded in isolation in a target container providing a trusted operating environment.
As shown in fig. 8, the network access management apparatus 800 provided in this disclosure may include a to-be-sent application data sending unit 810, a transport layer security protocol packet generation unit 820, a transport layer security protocol tunnel determination unit 830, and a security protocol packet forwarding unit 840.
In this disclosure, the to-be-sent application data sending unit 810 may be configured to send, by the authentication client application, to-be-sent application data to the trusted operating environment, where the to-be-sent application data adopts a target transport layer protocol, the to-be-sent application data includes a sending source address and a sending destination address, and the sending source address includes an identification of the authentication client application. The transport layer security protocol data packet generating unit 820 may be configured to process the to-be-sent application program data in the trusted operating environment, and generate a to-be-sent target transport layer security protocol data packet. The transport layer security protocol tunnel determination unit 830 may be configured to determine a target transport layer security protocol tunnel between the target container and a server located at the gateway. The security protocol packet forwarding unit 840 may be configured to forward the target transport layer security protocol packet to be sent to the server through the target transport layer security protocol tunnel, so that the server determines a firewall rule associated with the authentication client application according to the authentication client application identifier in the sending source address, and routes the target transport layer security protocol packet to be sent to a target receiving device corresponding to the sending destination address according to the firewall rule associated with the authentication client application.
In an exemplary embodiment, the trusted operating environment may include a network socket processing module, a client protocol stack, which may include a target internet protocol, and a client tunneling module, which may employ a target transport layer security protocol; the transport layer security protocol data packet generating unit 820 may include: a redirection unit, configured to perform network socket function redirection processing on the to-be-sent application program data by using the network socket processing module, and redirect the to-be-sent application program data to a target internet protocol application program interface function; a packet processing unit, configured to perform packet processing on the to-be-sent application program data redirected to the target internet protocol application program interface function by using the target internet protocol, and generate a to-be-sent internet protocol data packet; and a to-be-sent target transport layer security protocol packet generating unit, configured to encapsulate the to-be-sent internet protocol packet by using the target transport layer security protocol, and generate the to-be-sent target transport layer security protocol packet.
In an exemplary embodiment, the server includes a server tunnel module. Before the authentication client application sends the application data to be sent to the trusted operating environment, the network access management apparatus 800 may further include: a target transport layer security protocol tunnel establishing unit, configured to establish the target transport layer security protocol tunnel between the target container and the server by using the client tunnel module and the server tunnel module; and a server public key receiving unit, configured to receive, when the untrusted client is started, a server public key sent by the server that uniquely corresponds to the untrusted client.
In an exemplary embodiment, the transport layer security protocol packet generating unit 820 may further include: the target transport layer security protocol data packet to be sent encryption unit may be configured to encrypt the target transport layer security protocol data packet to be sent by using the server public key, and generate an encrypted target transport layer security protocol data packet to be sent. The security protocol packet forwarding unit 840 may include: the encrypted target transport layer security protocol data packet to be sent forwarding unit may be configured to forward the encrypted target transport layer security protocol data packet to be sent to the server through the target transport layer security protocol tunnel, so that the server receives the encrypted target transport layer security protocol data packet to be sent, and decrypts the encrypted target transport layer security protocol data packet to be sent by using a server private key corresponding to the server public key.
In an exemplary embodiment, the network access management apparatus 800 may further include: the to-be-sent application program data forwarding unit in a non-network socket manner may be configured to forward the to-be-sent application program data to the server in a non-network socket manner if the to-be-sent application program data does not adopt the target transport layer protocol.
In an exemplary embodiment, the target container may further include an operating system library, the target container is located in a user space of the untrusted client, and the untrusted client may further include a kernel space. The security protocol packet forwarding unit 840 may include: the sending unit of the target transport layer security protocol data packet to be sent can be used for sending the target transport layer security protocol data packet to be sent to the operating system library through the client tunnel module; a system call function conversion unit, configured to convert, by the operating system library, the target transport layer security protocol packet to be sent from the target internet protocol application program interface function to a target transport layer protocol sending function, so as to forward the target transport layer security protocol packet to be sent to the server through the target transport layer security protocol tunnel located in the kernel space.
In an exemplary embodiment, the network access management apparatus 800 may further include: a to-be-received target transport layer security protocol data packet receiving unit, configured for the untrusted client to receive, through the target transport layer security protocol tunnel, the to-be-received target transport layer security protocol data packet sent by the server; a to-be-received internet protocol data packet obtaining unit, configured to receive and decrypt the to-be-received target transport layer security protocol data packet through the client tunnel module, and obtain the to-be-received internet protocol data packet; a to-be-received application data obtaining unit, configured to process the to-be-received internet protocol data packet through the target internet protocol to obtain to-be-received application data; and a to-be-received application data sending unit, configured to send the to-be-received application data to the authentication client application.
Other contents of the network access management device of the embodiment of the present disclosure may refer to the above-described embodiment.
Fig. 9 schematically shows a block diagram of a network access management device according to an embodiment of the present disclosure. The network access management apparatus 900 provided in the embodiment of fig. 9 may be applied to a server located in a gateway. As shown in fig. 9, the network access management apparatus 900 provided in the embodiment of the present disclosure may include a security protocol packet receiving unit 910, a firewall rule determining unit 920, and a transport layer security protocol packet routing unit 930. In this disclosure, the security protocol data packet receiving unit 910 may be configured to receive, through a target transport layer security protocol tunnel between the server and a target container, a target transport layer security protocol data packet to be sent by an untrusted client, where the untrusted client includes an authentication client application program, the authentication client application program is separately loaded in the target container providing a trusted operating environment, the target transport layer security protocol data packet to be sent includes a sending source address and a sending destination address, and the sending source address includes an authentication client application program identifier. The firewall rule determining unit 920 may be configured to determine a firewall rule associated with the authentication client application according to the authentication client application identifier in the sending source address. The transport layer security protocol packet routing unit 930 may be configured to route the target transport layer security protocol packet to be sent to the target receiving device corresponding to the sending destination address according to the firewall rule associated with the authentication client application.
In an exemplary embodiment, the sending source address may further include a current source area to which the untrusted client belongs, the current source area corresponding to an intranet sub-segment, and the target receiving device may include a target external server belonging to an external network, the external network corresponding to a non-intranet sub-segment. The transport layer security protocol packet routing unit 930 may include: a sending destination address matching determination unit, configured to determine whether the sending destination address matches a destination area in the firewall rule if the current source area and the authentication client application identifier in the sending source address both match the source area and the authentication application in the firewall rule; and a gateway-to-target-external-server connection establishing unit, configured to newly establish a connection between the gateway and the target external server if the sending destination address belongs to the destination area in the firewall rule and the destination area includes the non-intranet sub-segment, and to route the target transport layer security protocol data packet to be sent to the target external server corresponding to the sending destination address through a first specified port in the firewall rule.
In an exemplary embodiment, the target receiving device may include a target intranet server, the target intranet server belongs to an intranet source area, and the intranet source area and the current source area to which the untrusted client belongs belong to different intranet sub-segments and are isolated from each other. The transport layer security protocol packet routing unit 930 may include: a destination area matching determination unit, configured to determine whether the sending destination address matches a destination area in the firewall rule if the authentication client application identifier in the sending source address matches the authentication application in the firewall rule; and a gateway-to-target-intranet-server connection establishing unit, configured to establish a connection between the gateway and the target intranet server if the sending destination address belongs to the destination area in the firewall rule and the destination area includes the target intranet server, and to route the target transport layer security protocol data packet to be sent to the target intranet server corresponding to the sending destination address through a second specified port in the firewall rule.
In an exemplary embodiment, the target receiving device may include a target isolation server, the target isolation server belongs to an isolation source area, and the isolation source area and the current source area to which the untrusted client belongs belong to different intranet sub-segments and are isolated from each other. The transport layer security protocol packet routing unit 930 may include: a destination area matching determination unit, configured to determine whether the sending destination address matches a destination area in the firewall rule if the authentication client application identifier in the sending source address matches the authentication application in the firewall rule; and a gateway-to-target-isolation-server connection establishing unit, configured to establish a connection between the gateway and the target isolation server if the sending destination address belongs to the destination area in the firewall rule and the destination area includes the target isolation server, and to route the target transport layer security protocol data packet to be sent to the target isolation server corresponding to the sending destination address through a third specified port in the firewall rule.
Other contents of the network access management device of the embodiment of the present disclosure may refer to the above-described embodiment.
It should be noted that although several units of the device for action execution are mentioned in the above detailed description, this division is not mandatory. Indeed, according to embodiments of the present disclosure, the features and functions of two or more of the units described above may be embodied in one unit. Conversely, the features and functions of one unit described above may be further divided so as to be embodied by a plurality of units.
Referring now to FIG. 10, shown is a schematic diagram of an electronic device suitable for use in implementing embodiments of the present application. The electronic device shown in fig. 10 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
Referring to fig. 10, an electronic device provided by an embodiment of the present disclosure may include: a processor 1001, a communication interface 1002, a memory 1003, and a communication bus 1004. Wherein the processor 1001, the communication interface 1002 and the memory 1003 communicate with each other via a communication bus 1004.
Optionally, the communication interface 1002 may be an interface of a communication module, such as an interface of a GSM (Global System for Mobile communications) module. The processor 1001 is used to execute programs. The memory 1003 is used to store programs. A program may be a computer program comprising computer operating instructions. The program may include a game client program. The processor 1001 may be a central processing unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present disclosure. The memory 1003 may include a Random Access Memory (RAM), and may further include a non-volatile memory, such as at least one disk memory.
The program is specifically usable for an untrusted client, which may include an authentication client application loaded in isolation in a target container providing a trusted operating environment; in that case the program is specifically used for: the authentication client application program sends application program data to be sent to the trusted operating environment, the application program data to be sent adopts a target transport layer protocol, the application program data to be sent comprises a sending source address and a sending destination address, and the sending source address comprises an authentication client application program identifier; processing the application program data to be sent in the trusted operating environment to generate a target transport layer security protocol data packet to be sent; determining a target transport layer security protocol tunnel between the target container and a server located at a gateway; and forwarding the target transport layer security protocol data packet to be sent to the server through the target transport layer security protocol tunnel, so that the server determines a firewall rule associated with the authentication client application program according to the authentication client application program identifier in the sending source address, and routes the target transport layer security protocol data packet to be sent to target receiving equipment corresponding to the sending destination address according to the firewall rule associated with the authentication client application program. Alternatively, the program may be specifically for a server located at the gateway.
In that case, the program can be specifically used for: receiving a target transport layer security protocol data packet to be sent by an untrusted client through a target transport layer security protocol tunnel between the server and a target container, wherein the untrusted client comprises an authentication client application program, the authentication client application program is isolated and loaded in the target container providing a trusted operating environment, the target transport layer security protocol data packet to be sent comprises a sending source address and a sending destination address, and the sending source address comprises an authentication client application program identifier; determining a firewall rule associated with the authentication client application program according to the authentication client application program identifier in the sending source address; and routing the target transport layer security protocol data packet to be sent to the target receiving equipment corresponding to the sending destination address according to the firewall rule associated with the authentication client application program.
According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions, the computer instructions being stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the method provided in the various alternative implementations of the embodiments described above.
It is to be understood that any number of elements in the drawings of the present disclosure are by way of example and not by way of limitation, and any nomenclature is used for differentiation only and not by way of limitation. Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims. It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.
Claims (15)
1. A network access management method applied to an untrusted client, wherein the untrusted client comprises an authenticated client application program, and the authenticated client application program is isolated and loaded in a target container providing a trusted operating environment; wherein the method comprises the following steps:
the authentication client application program sends application program data to be sent to the trusted operating environment, the application program data to be sent adopts a target transport layer protocol, the application program data to be sent comprises a sending source address and a sending destination address, and the sending source address comprises an authentication client application program identifier;
processing the application program data to be sent in the trusted operating environment to generate a target transport layer security protocol data packet to be sent;
determining a target transport layer security protocol tunnel between the target container and a server located at a gateway;
and forwarding the target transport layer security protocol data packet to be sent to the server through the target transport layer security protocol tunnel, so that the server determines a firewall rule associated with the authentication client application program according to the authentication client application program identifier in the sending source address, and routes the target transport layer security protocol data packet to be sent to target receiving equipment corresponding to the sending destination address according to the firewall rule associated with the authentication client application program.
2. The method of claim 1, wherein the trusted operating environment comprises a network socket processing module, a client protocol stack comprising a target internet protocol, and a client tunnel module employing a target transport layer security protocol; wherein processing the application program data to be sent in the trusted operating environment to generate a target transport layer security protocol data packet to be sent comprises:
redirecting, by the network socket processing module, the network socket function calls made for the application program data to be sent to a target internet protocol application program interface function;
packetizing, using the target internet protocol, the application program data to be sent that has been redirected to the target internet protocol application program interface function, to generate an internet protocol data packet to be sent;
and encapsulating the internet protocol data packet to be sent using the target transport layer security protocol to generate the target transport layer security protocol data packet to be sent.
3. The method of claim 2, wherein the server comprises a server tunnel module; before the authentication client application program sends application program data to be sent to the trusted operating environment, the method further comprises:
establishing the target transport layer security protocol tunnel between the target container and the server by using the client tunnel module and the server tunnel module;
and when the untrusted client is started, receiving a server public key which is sent by the server and uniquely corresponds to the untrusted client.
4. The method of claim 3, wherein processing the application data to be sent in the trusted operating environment to generate a target transport layer security protocol data packet to be sent, further comprises:
encrypting the target transport layer security protocol data packet to be sent using the server public key to generate an encrypted target transport layer security protocol data packet to be sent;
wherein, forwarding the target transport layer security protocol data packet to be sent to the server through the target transport layer security protocol tunnel includes:
and forwarding the encrypted target transport layer security protocol data packet to be sent to the server through the target transport layer security protocol tunnel, so that the server receives the encrypted target transport layer security protocol data packet to be sent, and decrypts the encrypted target transport layer security protocol data packet to be sent by adopting a server private key corresponding to the server public key.
5. The method of claim 2, further comprising:
and if the application program data to be sent does not adopt the target transport layer protocol, forwarding the application program data to be sent to the server in a non-network-socket manner.
6. The method of claim 2, wherein the target container further comprises an operating system library, wherein the target container is located in a user space of the untrusted client, and wherein the untrusted client further comprises a kernel space; wherein, forwarding the target transport layer security protocol data packet to be sent to the server through the target transport layer security protocol tunnel includes:
sending the target transport layer security protocol data packet to be sent to the operating system library through the client tunnel module;
and the operating system library converts the target transport layer security protocol data packet to be sent from the target internet protocol application program interface function into a target transport layer protocol sending function so as to forward the target transport layer security protocol data packet to be sent to the server through the target transport layer security protocol tunnel located in the kernel space.
7. The method of claim 2, further comprising:
the untrusted client receives a target transport layer security protocol data packet to be received, which is sent by the server, through the target transport layer security protocol tunnel;
receiving and decrypting the target transport layer security protocol data packet to be received through the client tunnel module to obtain an internet protocol data packet to be received;
processing the internet protocol data packet to be received using the target internet protocol to obtain application program data to be received;
and sending the application program data to be received to the authentication client application program.
8. A network access management method, applied to a server located in a gateway; wherein the method comprises the following steps:
receiving a target transport layer security protocol data packet to be sent by an untrusted client through a target transport layer security protocol tunnel between the server and a target container, wherein the untrusted client comprises an authentication client application program, the authentication client application program is isolated and loaded in the target container providing a trusted operating environment, the target transport layer security protocol data packet to be sent comprises a sending source address and a sending destination address, and the sending source address comprises an authentication client application program identifier;
determining a firewall rule associated with the authentication client application program according to the authentication client application program identifier in the sending source address;
and routing the target transport layer security protocol data packet to be sent to the target receiving equipment corresponding to the sending destination address according to the firewall rule associated with the authentication client application program.
9. The method of claim 8, wherein the sending source address further comprises a current source area to which the untrusted client belongs, the current source area corresponding to an intranet sub-segment, and wherein the target receiving device comprises a target external server belonging to an external network, the external network corresponding to a non-intranet sub-segment; wherein routing the target transport layer security protocol packet to be sent to the target receiving device corresponding to the sending destination address according to the firewall rule associated with the authentication client application program comprises:
if the current source area and the authentication client application program identifier in the sending source address match the source area and the authentication application in the firewall rule, judging whether the sending destination address matches a destination area in the firewall rule;
if the sending destination address belongs to the destination area in the firewall rule and the destination area comprises the non-intranet sub-segment, establishing a connection between the gateway and the target external server, and routing the target transport layer security protocol data packet to be sent to the target external server corresponding to the sending destination address through a first specified port in the firewall rule.
10. The method according to claim 8, wherein the target receiving device comprises a target intranet server belonging to an intranet source area, and the intranet source area and a current source area to which the untrusted client belongs belong to different intranet sub-segments and are isolated from each other; wherein routing the target transport layer security protocol packet to be sent to the target receiving device corresponding to the sending destination address according to the firewall rule associated with the authentication client application program comprises:
if the authentication client application program identification in the sending source address is matched with the authentication application in the firewall rule, judging whether the sending destination address is matched with a destination area in the firewall rule;
if the sending destination address belongs to a destination area in the firewall rule and the destination area comprises the target intranet server, establishing connection between the gateway and the target intranet server, and routing the target transport layer security protocol data packet to be sent to the target intranet server corresponding to the sending destination address through a second specified port in the firewall rule.
11. The method of claim 8, wherein the target receiving device comprises a target isolation server, the target isolation server belongs to an isolation source area, and the isolation source area and a current source area to which the untrusted client belongs belong to different intranet sub-segments and are isolated from each other; wherein routing the target transport layer security protocol packet to be sent to the target receiving device corresponding to the sending destination address according to the firewall rule associated with the authentication client application program comprises:
if the authentication client application program identification in the sending source address is matched with the authentication application in the firewall rule, judging whether the sending destination address is matched with a destination area in the firewall rule;
if the sending destination address belongs to a destination area in the firewall rule and the destination area comprises the target isolation server, establishing a connection between the gateway and the target isolation server, and routing the target transport layer security protocol data packet to be sent to the target isolation server corresponding to the sending destination address through a third specified port in the firewall rule.
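The following is an added example, not code from the patent, modelling the flow of claims 1 to 2 (client side: application data is packetized into an internet protocol packet and wrapped in a tunnel frame that carries the authentication client application program identifier and current source area) together with the gateway-side decision of claims 8 to 11 (look up the firewall rule by application identifier, check the destination against the rule's area, and route through the rule's specified port, dropping everything else). The tunnel frame layout, the rule representation, the zone names and all addresses are assumptions made for this example; the TLS wrapping of the real tunnel is omitted and the frame is simply handed from the client function to the gateway function as bytes. It is deliberately stricter than claims 10 and 11 in that it matches the source area for every destination area type, not only for the external case of claim 9.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; 0 means a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet (no options), standing in for the client protocol
    stack of claim 2 that packetizes the redirected application data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_address(src).packed, ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4_dst(packet: bytes) -> str:
    """Destination address of an IPv4 packet; rejects truncated or corrupt headers."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if ipv4_checksum(packet[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return str(ip_address(packet[16:20]))


# Assumed tunnel frame layout (not specified by the patent): the application
# identifier and current source area travel ahead of the IP packet so the
# gateway can read the "sending source address" without inspecting the payload.
def frame(app_id: str, src_zone: str, ip_packet: bytes) -> bytes:
    a, z = app_id.encode(), src_zone.encode()
    return struct.pack("!BB", len(a), len(z)) + a + z + ip_packet


def unframe(data: bytes):
    la, lz = struct.unpack("!BB", data[:2])
    app_id = data[2:2 + la].decode()
    src_zone = data[2 + la:2 + la + lz].decode()
    return app_id, src_zone, data[2 + la + lz:]


@dataclass(frozen=True)
class FirewallRule:
    app_id: str          # the authentication application the rule is bound to
    src_zone: str        # source area (claim 9 matches this as well as app id)
    dst_zone: str        # "external", "intranet" or "isolation" (claims 9-11)
    dst_networks: tuple  # destination area, as CIDR strings (assumed form)
    specified_port: int  # the "specified port" the gateway connects through


@dataclass(frozen=True)
class RouteDecision:
    dst_zone: str
    target_ip: str
    target_port: int


def route(rules: Sequence[FirewallRule], tunnel_frame: bytes) -> Optional[RouteDecision]:
    """Gateway-side decision (claims 8-11): look up the rule by application
    identifier, then check the destination against the rule's area.
    Returns None, meaning drop, when nothing matches; there is no default route."""
    try:
        app_id, src_zone, ip_packet = unframe(tunnel_frame)
        dst = ip_address(parse_ipv4_dst(ip_packet))
    except (ValueError, struct.error, UnicodeDecodeError):
        return None
    for rule in rules:
        if rule.app_id != app_id or rule.src_zone != src_zone:
            continue
        if any(dst in ip_network(n) for n in rule.dst_networks):
            return RouteDecision(rule.dst_zone, str(dst), rule.specified_port)
    return None


# Constructed sample rule set: one rule per destination area type of claims 9-11.
RULES = (
    FirewallRule("mail-client", "zone-a", "external", ("203.0.113.0/24",), 443),
    FirewallRule("erp-client", "zone-a", "intranet", ("10.20.0.0/16",), 8443),
    FirewallRule("lab-tool", "zone-a", "isolation", ("10.99.0.0/24",), 9443),
)


def client_send(app_id: str, src_zone: str, src_ip: str, dst_ip: str, data: bytes) -> bytes:
    """What leaves the container in claims 1-2: application data -> IPv4 packet
    -> tunnel frame (the TLS wrapping of the real tunnel is omitted here)."""
    return frame(app_id, src_zone, build_ipv4(src_ip, dst_ip, 6, data))


if __name__ == "__main__":
    print(route(RULES, client_send("mail-client", "zone-a", "10.10.1.5", "203.0.113.10", b"EHLO")))
    print(route(RULES, client_send("erp-client", "zone-a", "10.10.1.5", "203.0.113.10", b"GET")))
```

The point worth noticing is that the gateway never consults the packet's own source IP address: the identity it enforces on is the application identifier and source area carried in the tunnel frame, which in the claimed design are bound to the trusted operating environment that produced the frame. A packet whose application identifier has no rule, whose destination falls outside the rule's area, or whose header fails validation is dropped rather than forwarded on a default path.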
12. A network access management device, applied to an untrusted client, the untrusted client comprising an authenticated client application, the authenticated client application being isolated and loaded in a target container providing a trusted operating environment; wherein the apparatus comprises:
the to-be-sent application program data sending unit is used for sending the to-be-sent application program data to the trusted operating environment by the authentication client application program, wherein the to-be-sent application program data adopts a target transport layer protocol, the to-be-sent application program data comprises a sending source address and a sending destination address, and the sending source address comprises an authentication client application program identifier;
a transmission layer security protocol data packet generating unit, configured to process, in the trusted operating environment, the application program data to be sent, and generate a target transmission layer security protocol data packet to be sent;
a transport layer security protocol tunnel determining unit, configured to determine a target transport layer security protocol tunnel between the target container and a server located in a gateway;
and the security protocol data packet forwarding unit is used for forwarding the target transport layer security protocol data packet to be sent to the server through the target transport layer security protocol tunnel, so that the server determines a firewall rule associated with the authentication client application program according to the authentication client application program identifier in the sending source address, and routes the target transport layer security protocol data packet to be sent to the target receiving equipment corresponding to the sending destination address according to the firewall rule associated with the authentication client application program.
13. A network access management device, applied to a server located in a gateway; wherein the apparatus comprises:
a security protocol data packet receiving unit, configured to receive, through a target transport layer security protocol tunnel between the server and a target container, a target transport layer security protocol data packet to be sent by an untrusted client, where the untrusted client includes an authentication client application, the authentication client application is isolated and loaded in the target container providing a trusted operating environment, the target transport layer security protocol data packet to be sent includes a sending source address and a sending destination address, and the sending source address includes an authentication client application identifier;
a firewall rule determining unit, configured to determine, according to the authentication client application identifier in the source address, a firewall rule associated with the authentication client application;
and the transmission layer security protocol data packet routing unit is used for routing the target transmission layer security protocol data packet to be sent to the target receiving equipment corresponding to the sending destination address according to the firewall rule associated with the authentication client application program.
14. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 7 or the method according to any one of claims 8 to 11.
15. An electronic device, comprising:
at least one processor;
a storage device configured to store at least one program that, when executed by the at least one processor, causes the at least one processor to implement the method of any one of claims 1 to 7 or the method of any one of claims 8 to 11.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110088394.0A CN114884647B (en) | 2021-01-22 | 2021-01-22 | Network access management method and related equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110088394.0A CN114884647B (en) | 2021-01-22 | 2021-01-22 | Network access management method and related equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114884647A true CN114884647A (en) | 2022-08-09 |
CN114884647B CN114884647B (en) | 2024-02-20 |
Family
ID=82666961
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110088394.0A Active CN114884647B (en) | 2021-01-22 | 2021-01-22 | Network access management method and related equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114884647B (en) |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020069278A1 (en) * | 2000-12-05 | 2002-06-06 | Forsloew Jan | Network-based mobile workgroup system |
CN110011801A (en) * | 2018-11-16 | 2019-07-12 | 阿里巴巴集团控股有限公司 | Remote certification method and device, the electronic equipment of trusted application |
CN110138799A (en) * | 2019-05-30 | 2019-08-16 | 东北大学 | A kind of secure cloud storage method based on SGX |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115396347A (en) * | 2022-08-15 | 2022-11-25 | 中国人民解放军国防科技大学 | Routing protocol fuzzy test method and system based on man-in-the-middle |
CN115396347B (en) * | 2022-08-15 | 2024-02-06 | 中国人民解放军国防科技大学 | Routing protocol fuzzy test method and system based on man-in-the-middle |
CN117201200A (en) * | 2023-11-07 | 2023-12-08 | 湖南密码工程研究中心有限公司 | Data safety transmission method based on protocol stack |
CN117201200B (en) * | 2023-11-07 | 2024-01-02 | 湖南密码工程研究中心有限公司 | Data safety transmission method based on protocol stack |
Also Published As
Publication number | Publication date |
---|---|
CN114884647B (en) | 2024-02-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Tabrizchi et al. | A survey on security challenges in cloud computing: issues, threats, and solutions | |
US10652210B2 (en) | System and method for redirected firewall discovery in a network environment | |
US11075955B2 (en) | Methods and systems for use in authorizing access to a networked resource | |
US11218446B2 (en) | Secure on-premise to cloud communication | |
US8800024B2 (en) | System and method for host-initiated firewall discovery in a network environment | |
US10158655B2 (en) | System and method for protecting service-level entities | |
JP5911893B2 (en) | Logic device, processing method and processing device | |
Cynthia et al. | Security protocols for IoT | |
US11552987B2 (en) | Systems and methods for command and control protection | |
US20180375644A1 (en) | Introducing middleboxes into secure communications between a client and a server | |
US9210128B2 (en) | Filtering of applications for access to an enterprise network | |
CN114884647B (en) | Network access management method and related equipment | |
Manaa | Data encryption scheme for large data scale in cloud computing | |
Vidhani et al. | Security Challenges in 5G Network: A technical features survey and analysis | |
Mangalampalli et al. | Cloud Environment Limitations and Challenges | |
Reece et al. | Defending Multi-Cloud Applications Against Man-in-the-Middle Attacks | |
Riaz et al. | Access control for fog/cloud enabled iots | |
Simpson et al. | Network Defense in an End-to-End Paradigm | |
Alakbarov | Security issues and solution mechanisms in cloud computing systems: a review | |
Diego et al. | CMXsafe: A Proxy Layer for Securing Internet-of-Things Communications | |
Wang et al. | Communication Boundary Stealth Technology of Power Internet of Things Terminal Network | |
Duan et al. | Architecture for Multilevel Secure System Design | |
Liguori et al. | Mitigating cyber-security risks using MILS | |
Ahmed et al. | Cloud Security and Pivoting Exploitations | |
Kurdziel et al. | Information security trades in tactical wireless networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||