CN114915427A - Access control method, device, equipment and storage medium - Google Patents

Access control method, device, equipment and storage medium

Info

Publication number: CN114915427A
Authority: CN (China)
Prior art keywords: sdp, access, client, sdp client, intranet
Legal status: Granted (Active)
Application number: CN202210628757.XA
Other languages: Chinese (zh)
Other versions: CN114915427B (en)
Inventors: 孔祥斌, 欧阳秀平, 刘剑亮, 张晓东, 杨春民, 苏爱国, 周映, 田晋, 曾楚轩, 宁相军, 王伟, 廖峰, 黄浩贤, 梁志文
Current assignee: China United Network Communications Group Co Ltd
Original assignee: China United Network Communications Group Co Ltd
Application filed by: China United Network Communications Group Co Ltd
Priority to: CN202210628757.XA

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L63/12 Applying verification of the received information
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides an access control method, an access control apparatus, access control equipment and a storage medium. The method comprises the following steps: receiving a first access request from an SDP client, wherein the access request is used for requesting access to intranet resources, and carrying out identity verification on the SDP client; if the identity verification of the SDP client passes, acquiring the historical access credibility of the SDP client, the historical access credibility representing the security of the SDP client when accessing the intranet resources; and performing intranet resource access control on the SDP client through an SDP gateway according to the historical access credibility of the SDP client. The method improves the security of remote access to intranet resources and improves network expansion capability.

Description

Access control method, device, equipment and storage medium
Technical Field
The present application relates to communications technologies, and in particular, to an access control method, apparatus, device, and storage medium.
Background
With the growth of remote work, users frequently need to use terminal devices to remotely access resources in the enterprise intranet, such as applications and data. In this scenario the traditional security boundary based on the intranet becomes blurred, and the enterprise's Information Technology (IT) architecture transitions from "bounded" to "unbounded". Currently, a terminal device usually uses Virtual Private Network (VPN) technology to remotely access intranet resources.
However, under the current remote access method, an attacker can illegally intrude into the intranet by scanning for the intranet's VPN gateway exposed on the public network and cracking a user account. Remote access to intranet resources using VPN technology therefore suffers from low security.
Disclosure of Invention
The application provides an access control method, device, equipment and storage medium, which are used for solving the problem of low security existing in remote access to an intranet.
In a first aspect, the present application provides an access control method, applied to an SDP controller, which includes:
receiving a first access request from an SDP client, wherein the access request is used for requesting access to intranet resources;
carrying out identity verification on the SDP client;
if the identity verification of the SDP client passes, acquiring the historical access credibility of the SDP client, the historical access credibility representing the security of the SDP client when accessing the intranet resources;
and performing intranet resource access control on the SDP client through an SDP gateway according to the historical access credibility of the SDP client.
Optionally, acquiring the historical access credibility of the SDP client includes:
if the SDP client has not accessed the intranet resources through an SDP gateway before, taking a preset access credibility as the historical access credibility of the SDP client;
if the SDP client has accessed the intranet resources at least once before, reading the recorded historical access credibility of the SDP client, wherein the historical access credibility is obtained from first log audit information reported by the SDP gateway the SDP client was connected to when it last accessed the intranet resources and second log audit information reported by the SDP client; the first log audit information and the second log audit information record the SDP client's last access to the intranet resources.
Optionally, performing intranet resource access control on the SDP client through an SDP gateway according to the historical access credibility of the SDP client includes:
determining the intranet resource access authority of the SDP client according to the historical access credibility of the SDP client;
and sending an access response to the SDP client, wherein the access response indicates the SDP gateway to which the SDP client is allowed to connect when accessing the intranet resources, and the intranet resource access authority of the SDP client.
Optionally, determining the intranet resource access authority of the SDP client according to the historical access credibility of the SDP client includes:
determining the credibility level of the SDP client according to the historical access credibility of the SDP client;
and determining the intranet resource access authority of the SDP client according to the credibility level of the SDP client and a mapping relation between credibility levels and intranet access authorities.
Optionally, after performing intranet resource access control on the SDP client through the SDP gateway, the method further includes:
receiving third log audit information from the SDP gateway currently connected to the SDP client and fourth log audit information from the SDP client; the third log audit information and the fourth log audit information record the SDP client's current access to intranet resources;
and updating the historical access credibility of the SDP client according to the third log audit information and the fourth log audit information.
Optionally, updating the historical access credibility of the SDP client according to the third log audit information and the fourth log audit information includes:
extracting the value of at least one historical access credibility vector of an access credibility function from the third log audit information and the fourth log audit information;
and updating the historical access credibility of the SDP client according to the access credibility function and the extracted value of the at least one historical access credibility vector.
Optionally, after updating the historical access credibility of the SDP client, the method further includes:
if it is determined from the updated historical access credibility of the SDP client that the intranet resource access authority of the SDP client changes, and the SDP client is currently accessing intranet resources, performing intranet resource access control on the SDP client through an SDP gateway according to the updated historical access credibility of the SDP client.
In a second aspect, the present application provides an access control apparatus, applied to an SDP controller, which includes:
a receiving module, configured to receive a first access request from an SDP client, wherein the access request is used for requesting access to intranet resources;
a verification module, configured to verify the identity of the SDP client;
an obtaining module, configured to obtain the historical access credibility of the SDP client if the identity verification of the SDP client passes, the historical access credibility representing the security of the SDP client when accessing the intranet resources;
and a control module, configured to perform intranet resource access control on the SDP client through an SDP gateway according to the historical access credibility of the SDP client.
In a third aspect, the present application provides an access control apparatus, applied to an SDP client, which includes:
a sending module, configured to send a first access request to the SDP controller, wherein the first access request is used for requesting access to intranet resources;
a receiving module, configured to receive control information sent by the SDP controller, wherein the control information is used for controlling the SDP client's access to intranet resources through an SDP gateway;
and an access module, configured to initiate a connection request to the SDP gateway and, after the connection succeeds, access the intranet resources through the connection established with the SDP gateway.
In a fourth aspect, the present application provides an access control apparatus, applied to an SDP gateway, which includes:
a receiving module, configured to receive indication information sent by an SDP controller, wherein the indication information indicates that the SDP gateway allows access by an SDP client;
and a connection module, configured to receive the connection request of the SDP client and establish a connection with the SDP client.
In a fifth aspect, the present application provides an SDP controller comprising: a processor, a communication interface, and a memory; the processor is respectively in communication connection with the communication interface and the memory;
the memory stores computer execution instructions;
the communication interface is in communication interaction with external equipment;
the processor executes computer-executable instructions stored by the memory to implement the method of any of the first aspects.
In a sixth aspect, the present application provides an SDP client, comprising: a processor, a communication interface, and a memory; the processor is respectively in communication connection with the communication interface and the memory;
the memory stores computer-executable instructions;
the communication interface is in communication interaction with external equipment;
the processor executes computer-executable instructions stored by the memory to implement the method of any of the first aspects.
In a seventh aspect, the present application provides an SDP gateway, including: a processor, a communication interface, and a memory; the processor is respectively in communication connection with the communication interface and the memory;
the memory stores computer-executable instructions;
the communication interface is in communication interaction with external equipment;
the processor executes computer-executable instructions stored by the memory to implement the method of any of the first aspects.
In an eighth aspect, the present application provides an access control system, the system comprising: an SDP controller as described in the fifth aspect, an SDP client as described in the sixth aspect, and an SDP gateway as described in the seventh aspect.
In a ninth aspect, the present application provides a computer-readable storage medium having stored thereon computer-executable instructions for implementing the access control method according to any one of the first aspect when executed by a processor.
In a tenth aspect, the present application provides a computer program product comprising a computer program that, when executed by a processor, performs the method according to any one of the first aspect.
According to the access control method, device, equipment and storage medium, the SDP client that sends an access request is subjected to two-layer authentication, identity authentication and historical access credibility authentication, which determines the SDP gateway corresponding to the intranet resources the SDP client may access and the SDP client's intranet resource access authority. The SDP client can therefore only access the intranet resources corresponding to its historical access credibility, which improves the security of intranet resources in a remote access scenario.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic diagram of an architecture for remotely accessing an intranet through a VPN technology according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a possible access control method according to an embodiment of the present disclosure;
fig. 3 is a schematic flowchart of an access control method according to an embodiment of the present application;
fig. 4 is a schematic flowchart of another access control method provided in an embodiment of the present application;
fig. 5 is a schematic structural diagram of an access control apparatus according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of another access control device provided in an embodiment of the present application;
fig. 7 is a schematic structural diagram of another access control device according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of an access control device according to an embodiment of the present application.
With the above figures, there are shown specific embodiments of the present application, which will be described in more detail below. These drawings and written description are not intended to limit the scope of the inventive concepts in any manner, but rather to illustrate the inventive concepts to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
Currently, the resources in the intranet may include, for example, data in a database, applications in the intranet, and other resources. The data in the database may include, for example, financial data, administrative data, and the like of an enterprise; the application may be, for example, a system or software mainly based on information technology for meeting various requirements of an enterprise, and may be used online through a Web page (Web) end, or through an application installed on a terminal device; the system may be, for example, an OA system, a process system, or the like of an enterprise. The user needs to access the resources in the intranet through the terminal device connected to the intranet, for example, the terminal device is deployed in a physical location of the enterprise and connected to the intranet of the enterprise in a wired or wireless manner.
However, with the rapid growth of remote work, users increasingly demand remote access to intranet resources from terminal devices. For example, when a user is at home or on a business trip, it is sometimes necessary to access intranet resources to complete work. It is therefore necessary to break the conventional enterprise IT architecture that takes the enterprise intranet as its boundary and make the transition from "bounded" to "unbounded".
In the remote access means in the prior art, a user connects a terminal device to a VPN deployed by an enterprise to which the user belongs, so that the terminal device is remotely connected to an intranet of a corresponding enterprise through the VPN, and the purpose of accessing resources in the intranet is achieved. Next, a scenario in which a resource in an intranet is remotely accessed by a VPN technology will be described.
Fig. 1 is a schematic diagram of an architecture for remotely accessing an intranet through a VPN technology according to an embodiment of the present disclosure. As shown in fig. 1, the architecture includes:
VPN client: software installed on the terminal device that implements the terminal device's remote access function using VPN technology. For example, when an enterprise user is not at the physical location of the intranet, the VPN client can be installed on the terminal device to remotely access intranet resources. The terminal device may be, for example, a computer or a smart phone.
VPN gateway: the gateway in the enterprise intranet to which the terminal device connects through VPN technology, so that an external terminal device can be remotely connected to the intranet.
Under this architecture, a user connects through the VPN client to the VPN gateway that the enterprise intranet exposes on the public network, so that the terminal device joins the enterprise intranet. After the connection is completed, the terminal device can access resources in the enterprise intranet as needed. The resources may be, for example, data in the intranet or applications in the intranet. Data in the intranet may be stored in a database, for example. Applications in the intranet may be, for example, applications providing various functions based on data resources, such as an application with staff management functions based on employee information in the database, or an application with financial analysis functions based on financial data in the database.
However, remote access to an intranet through VPN technology has the following problems:
Problem 1: it is easy to attack. Because the intranet's VPN gateway is directly exposed on the public network, any user on the public network can discover it, and an attacker can connect to the discovered gateway and thereby enter the enterprise intranet. Because connecting to the intranet through VPN technology grants broad access to its resources, this broad access exposes the intranet's resources to the attacker, who can then obtain them. VPN technology therefore has the problems of excessive trust and overly broad access, and because of these problems remote access to an intranet using VPN technology is easily invaded or attacked by an illegitimate user.
Problem 2: network expansion capability is poor. When an enterprise has multiple data centers on different networks, for example an intranet for a data center in Beijing and another for a data center in Shanghai, the enterprise must configure a VPN gateway firewall policy separately for the intranet of each data center. The firewall is a protective barrier on the VPN gateway that protects the security of intranet resources and discovers and handles security risks that may arise during network access in a timely manner; its policy can be set according to actual needs. In this scenario the enterprise therefore has to configure VPN gateway firewall policies many times, which makes network expansion cumbersome.
Problem 3: the data used to judge the trustworthiness of a VPN account is one-dimensional. At present the VPN gateway is exposed on the public network, and an attacker can discover it through port scanning. The trustworthiness of a VPN user is judged mainly by checking an authorized user account and password to decide whether the user is legitimate, and no judgment from other angles is made. If an attacker discovers the port through port scanning and cracks the account and password of a legitimate user, authorization is easily obtained and the enterprise's data resources can be illegally accessed or modified.
In summary, the method for remotely accessing the intranet through the VPN in the prior art has the problems of low security and poor network expansion capability, and cannot meet the security protection requirements of a remote office scene.
Software Defined Perimeter (SDP) is a security framework developed by the Cloud Security Alliance (CSA). SDP technology is based on the zero-trust network security concept: network access activity is continuously monitored through multiple trustworthiness judgments, the trust score of each terminal device using SDP services is continuously updated, and control policies and access permissions are dynamically adjusted to respond to network attacks, effectively protecting the enterprise's data resources. The zero-trust concept refers to a protection model that by default distrusts any person, device or system, never trusts, and continuously verifies every visitor.
In view of this, the present application provides an SDP-based access control method that controls the SDP client's access to the intranet through dual authentication of the SDP client's identity and its historical access credibility, improving the security of users' remote access to intranet resources. In addition, the method uses the SDP controller to control both the connection between the SDP client and the SDP gateway and the resource access authority the SDP client holds when accessing intranet resources. That is, an administrator only needs to configure or update the SDP controller to manage and control the security policies of all SDP gateways and SDP clients, instead of separately configuring VPN firewall policies for each geographic location and network as under the VPN architecture, so the method also improves network expansion capability.
Fig. 2 is a schematic structural diagram of a possible access control method according to an embodiment of the present disclosure. As shown in fig. 2, the architecture includes:
SDP controller: may be, for example, a server or a server cluster. It manages all SDP clients and SDP gateways and issues control information to them, for example determining which SDP clients may communicate with which SDP gateways and indicating the resource access authority of each SDP client, or relaying information obtained from SDP clients and SDP gateways to an external authentication service, such as 4A authentication, a geographic location server and/or an identity server, to authenticate the SDP clients.
SDP client: requests from the SDP controller the list of SDP gateways it may connect to and its intranet resource access authority, and then accesses the intranet resources behind the gateways it may connect to.
SDP gateway: may be a network device or host with a routing function, such as a router, a network switch or a host with routing enabled. It receives indications from the SDP controller, connects to the corresponding SDP client according to the indication, and provides the SDP client with intranet resources.
The technical solutions of the embodiments of the present application will be described in detail with reference to specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments.
Fig. 3 is a schematic flowchart of an access control method according to an embodiment of the present application. As shown in fig. 3, the method includes:
s301, the SDP client sends a first access request to the SDP controller.
Correspondingly, the SDP controller receives the first access request, and the first access request is used for requesting to access intranet resources.
By operating the SDP client, the user may initiate the first access request to the SDP controller to request access to the intranet resources that the SDP controller can access.
The SDP controller enables a network hiding function: its service port is closed by default, so other devices cannot connect to it or discover the service port by scanning. In this case the first access request may be sent to the SDP controller by means of Single Packet Authorization (SPA), for example. Using SPA, the SDP client can send the first access request to an SDP controller whose service port is closed by default: the request is sent as a specific authentication message that causes the SDP controller to open its service for the IP address of the SDP client.
By using the embodiment, the possibility that the SDP controller is attacked by an attacker through a port scanning method can be reduced, and the security of the access control method can be improved.
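The following is an added Python model of the SPA step just described, not code from the patent or its applicant: a client builds one authenticated packet and the controller, whose service port is otherwise closed, opens it for the sender's IP only if the packet verifies. The packet layout (JSON body plus HMAC-SHA256 tag), the per-client shared key, the source-IP binding and the 30-second freshness window are assumptions; the description only names SPA as the transport.

```python
"""Single Packet Authorization (SPA) for the first access request (added example).

The controller's service port stays closed; one authenticated packet opens it
for the sender's IP. Packet layout, keys and the freshness window are assumed.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Tuple

FRESHNESS_WINDOW = 30  # seconds a packet's timestamp may differ from controller time (assumed)


def build_spa_packet(key: bytes, client_id: str, src_ip: str, now: float,
                     nonce: bytes = None) -> bytes:
    """Client side: serialise the request deterministically and append its tag."""
    nonce = nonce if nonce is not None else os.urandom(16)
    body = {"client_id": client_id, "src_ip": src_ip, "ts": int(now), "nonce": nonce.hex()}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


class SPAVerifier:
    """Controller side. verify() is the only code that runs before the service
    port is open, so it must be cheap and must fail closed on every check."""

    def __init__(self, keys: Dict[str, bytes], clock=time.time):
        self.keys = keys                   # client_id -> shared key (constructed)
        self.clock = clock                 # injectable for deterministic tests
        self.seen: Dict[str, int] = {}     # nonce -> ts, for replay rejection
        self.open_for: set = set()         # source IPs the service port is opened for

    def verify(self, packet: bytes, observed_src_ip: str) -> Tuple[bool, str]:
        try:
            payload, tag = packet.rsplit(b".", 1)
            body = json.loads(payload)
            if not isinstance(body, dict):
                raise ValueError("body is not an object")
            client_id, ts, nonce = body["client_id"], int(body["ts"]), str(body["nonce"])
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        key = self.keys.get(client_id)
        if key is None:
            return False, "unknown client"
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):       # constant-time compare
            return False, "bad tag"
        now = int(self.clock())
        if abs(now - ts) > FRESHNESS_WINDOW:
            return False, "stale"
        if body.get("src_ip") != observed_src_ip:         # the tag binds the sender's IP
            return False, "source mismatch"
        # forget nonces that can no longer pass the freshness check, then test for replay
        self.seen = {n: t for n, t in self.seen.items() if now - t <= FRESHNESS_WINDOW}
        if nonce in self.seen:
            return False, "replay"
        self.seen[nonce] = ts
        self.open_for.add(observed_src_ip)
        return True, "service opened"
```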
S302, carrying out identity verification on the SDP client. If the verification is passed, which indicates that the identity information of the user logged in by the SDP client is legal, step S303 is executed to further determine the credibility of the SDP client. If the verification fails, the identity information of the user logged in by the SDP client is illegal, and the access request of the SDP client is directly rejected.
After receiving a first access request of an SDP client, an SDP controller first verifies the SDP client through user identity information included in a data packet where the first access request is located. The authentication of the user may be performed by obtaining the identity information of the user using the SDP client, for example, by using an account password, and/or facial recognition, and/or fingerprint recognition, and/or voice recognition, to determine whether the identity of the user is legal.
Optionally, the data packet of the first access request may further include hardware information, and verifying the SDP client may further include verifying the hardware information of the terminal device on which the SDP client runs, to check whether the terminal device is legitimate. The hardware information may include, for example, an identifier of the terminal device, its Media Access Control (MAC) address, and so on.
And S303, acquiring historical access credibility of the SDP client, wherein the historical access credibility is used for representing the safety of the SDP client when accessing the intranet resources.
The historical access reliability of the SDP client refers to the security of the SDP client when accessing the intranet resource, which is determined by the historical access times of the SDP client and the historical access behavior of the SDP controller.
Case 1: the SDP client has not accessed intranet resources through the SDP gateway before.
In a possible implementation manner, a preset access reliability is used as the historical access reliability of the SDP client, and the preset access reliability may be set according to actual needs, which is not limited in this application.
In another possible implementation manner, the SDP controller first performs a preliminary judgment on the access reliability of the SDP client, and the preliminary judgment result is used as the historical access reliability of the SDP client.
Case 2: if the SDP client accesses the intranet resources through the SDP gateway at least once before:
In one possible implementation, the recorded historical access credibility of the SDP client is read. That value was obtained from first log audit information reported by the SDP gateway to which the SDP client was connected the last time it accessed an intranet resource, and from second log audit information reported by the SDP client; both record that last access of the SDP client to the intranet resource.
In another possible implementation, the historical access credibility is obtained from several historical access credibility values, one for each previous access of the SDP client to intranet resources, each of them obtained from the first log audit information reported by the SDP gateway connected at that time and the second log audit information reported by the SDP client. For example, the average of the historical access credibility values of all previous accesses is taken as the historical access credibility for the current access. The average is only an example; how the several historical access credibility values are combined is not limited in this application.
S304, performing intranet resource access control on the SDP client through an SDP gateway according to the historical access credibility of the SDP client.
According to the historical access credibility of the SDP client, the SDP controller can control whether the SDP client may access the intranet at all, how it may access the intranet, and which intranet resources it may access.
The SDP controller issues to the SDP client, according to its historical access credibility, a list of the SDP gateways it may access, together with the intranet resource access authority granted to the SDP client at each of those SDP gateways. On receiving this information, the SDP client sends a network connection application to an SDP gateway in the list.
The SDP controller also indicates to the SDP gateway, according to the historical access credibility of the SDP client, which SDP client it is to accept a connection from and what intranet resource access authority that SDP client has. On receiving the network connection application from the SDP client, the SDP gateway accepts it and establishes the connection. Once the connection is established, the SDP gateway restricts the SDP client to the resources within the intranet resource access authority obtained from the SDP controller, so that the SDP client can only access resources within that authority and the security of the intranet resources is ensured.
According to the access control method provided by this embodiment, the SDP client that sends an access request undergoes two layers of verification, identity authentication and historical access credibility verification, on the basis of which the SDP gateways fronting the intranet resources it may access and its intranet resource access authority are determined. The SDP client can therefore only access the intranet resources corresponding to its historical access credibility, which improves the security of intranet resources in a remote access scenario.
In the following, a detailed description is given of how the historical access credibility of the SDP client is obtained when the SDP client has accessed intranet resources through an SDP gateway at least once before sending the access request.
The method comprises obtaining the historical access credibility vectors of the SDP client, obtaining a credibility value for each historical access credibility vector from the elements of that vector, and obtaining the historical access credibility of the SDP client from the credibility values of all its historical access credibility vectors and the corresponding weighting coefficients.
A historical access credibility vector of the SDP client is formed from log audit information historically reported by the SDP client and/or by an SDP gateway and/or by a third-party analysis system. The log audit information is divided into several audit information categories, each audit information category comprises several audit information items, and each audit information item is one element of a historical access credibility vector.
The log audit information includes at least one of the following audit information categories:
(1) User behavior analysis information. This category includes at least one of the audit information items high-frequency query, high-frequency download, multiple login attempts, multiple mail copying, and the like.
(2) Network behavior analysis information. This category includes at least one of the audit information items traffic anomaly, protocol exception, and the like.
(3) Comprehensive audit analysis information. This category includes at least one of the audit information items log association analysis, security system anomaly, and the like.
(4) System operating environment information. This category includes at least one of the audit information items antivirus software shut down, high-risk port open, system vulnerability outbreak, registry modification, and the like.
(5) Terminal operating environment information. This category includes at least one of the audit information items authorized person leaving the seat, multiple people watching, and the like.
(6) Newly added emergent security information. This category includes at least one of the audit information items sudden industry risk, emergency blocking protection, and the like.
By using these several audit information categories, the historical access credibility of the SDP client is calculated and judged comprehensively from the viewpoints of user behavior, network behavior, system operating environment, terminal operating environment, newly added emergent security information and comprehensive audit. This addresses the problem that the data on which the credibility of a VPN account is judged in the prior art is one-dimensional, and improves the security of the SDP client's access to intranet resources.
In the following, taking the audit information categories above as an example, how the historical access credibility of the SDP client is obtained is described in detail through several embodiments.
Embodiment 1: acquiring the historical access credibility of the SDP client through the first log audit information and the second log audit information.
S3031, acquiring first log audit information and second log audit information.
The first log audit information is reported by the SDP gateway to which the SDP client was connected the last time it accessed the intranet. The first log audit information may include, for example, user behavior analysis information, that is, the user behavior generated when the SDP client last accessed the intranet through that SDP gateway. Such behavior may be, for example, high-frequency querying of certain resources (for example, resources at or above a preset security level), high-frequency downloading of sensitive information, or repeated attempts to log in to a certain system or application in the intranet. The first log audit information may be, for example, as shown in Table 1 below:
TABLE 1 (rendered as an image in the original and not reproduced here; it lists the user behavior analysis information items. In the text below, the credibility values of the high-frequency query and high-frequency download items are denoted A1 and A2.)
The high-frequency query may be recorded, for example, as follows: the SDP gateway monitors at least one piece of preset sensitive information in the intranet it fronts, and if within a preset time the number of queries by the SDP client for any one piece of sensitive information, or for all the sensitive information together, exceeds a preset threshold, the query behavior of the SDP client is recorded. The recorded query behavior may include, for example, the identifier of the SDP client, the identifier of the sensitive information queried, and the number of queries. The content recorded may be adjusted according to actual requirements and is not limited in this application.
The high-frequency download may be, for example, downloading of the sensitive information; it is obtained in the same way as the high-frequency query and is not described again.
The multiple login attempts may be, for example, that the number of attempts by the SDP client to log in to a certain system or application in the intranet exceeds a preset login count threshold within a preset time. It may be configured that the SDP client is recorded whenever the threshold is exceeded, regardless of whether the login finally succeeds, or that it is recorded only if the login finally fails.
The multiple mail copying may be, for example, recording the number of copies of historical mail in the internal mail system or mail application when it exceeds a preset copy count threshold.
The second log audit information is reported by the SDP client itself the last time it accessed the intranet. The second log audit information may include, for example, network anomaly analysis information and system environment analysis information, as shown in Table 2 below:
TABLE 2
Audit information category               Audit information item          Variable symbol
Network anomaly analysis information     Traffic anomaly                 M1
Network anomaly analysis information     Protocol exception              M2
System environment analysis information  Antivirus software shut down    S1
System environment analysis information  High-risk port open             S2
System environment analysis information  System vulnerability outbreak   S3
System environment analysis information  Registry modification           S4
The network anomaly analysis information describes the network condition of the terminal device on which the SDP client runs. It may be produced by a network condition monitoring module integrated into the SDP client, or the SDP client may obtain it from the results of network monitoring software on the terminal device. A traffic anomaly may mean that the network traffic of the terminal device fluctuates sharply within a short time, which may cause congestion, packet loss, delay and the like. A protocol exception refers to an anomaly in the network protocol configuration of the terminal device.
The system environment analysis information describes the system security status of the terminal device on which the SDP client runs. It may be produced by a system security monitoring module integrated into the SDP client, or the SDP client may obtain it from the results of system security monitoring software on the terminal device, for example the results of the antivirus software. A high-risk port may be, for example, any of at least one network port designated according to actual demand. A system vulnerability outbreak may refer, for example, to whether the number of vulnerabilities present on the terminal device exceeds a preset number, and by how much. Registry modification refers to whether the registry of the terminal device has been modified; a modified registry is a sign that the terminal device may have been attacked and constitutes a potential security hazard.
S3032, after the first and second log audit information have been obtained, mapping the information corresponding to each audit information item to a credibility value.
For example, the information corresponding to each audit information item may be input into a trained machine learning model, such as a convolutional neural network, which analyses the input and outputs a score for each audit information item. That score is the credibility value to which the information of the audit information item is mapped.
S3033, obtaining a category credibility value for each audit information category.
The category credibility value of an audit information category is obtained from the credibility values of the audit information items under that category.
In one possible implementation, the arithmetic mean or a weighted mean of the credibility values of all audit information items under each audit information category is used as the category credibility value of that category. Taking the user behavior analysis information processed by the averaging method as an example, the formula may be:

$$A = \frac{1}{n}\sum_{i=1}^{n} A_i$$

where $A$ is the category credibility value of the user behavior analysis information, $n$ is the number of audit information items under the user behavior analysis information, and $A_i$ is the credibility value of the $i$-th audit information item; for example, $A_1$ is the credibility value of the high-frequency query and $A_2$ that of the high-frequency download.
In another possible implementation, the minimum of the credibility values of all audit information items under each audit information category is used as the category credibility value. The smaller the credibility value, the lower the credibility of the audit information item and the higher the risk of an attack from the terminal device; with this implementation each audit information category is judged by its highest-risk item, so that the risk of the intranet resources being attacked is controlled more strictly and the security of the method is further improved.
S3034, obtaining the historical access credibility of the SDP client from the category credibility value of each audit information category.
Here the historical access credibility ZTD of the SDP client takes a value in the interval [0,1].
In one possible implementation, the historical access credibility of the SDP client is obtained only from the category credibility values of the audit information categories in which a risk is present.
In this implementation, a weight value for each audit information category is obtained by correlation analysis and/or importance analysis between the audit information categories, and the historical access credibility of the SDP client is the weighted average of the category credibility values with those weights. The correlation analysis and/or importance analysis may use methods known in the prior art and is not described here.
The weight value of each audit information category may be preset and fixed, or may be adjusted for each newly obtained set of log audit information: for example, a different frequency or severity of risk behavior leads to different results of the correlation and/or importance analysis and hence to different weights.
In another possible implementation, the historical access credibility of the SDP client is obtained from the category credibility values of all the audit information categories.
In this implementation the historical access credibility is obtained in the same way as in the previous implementation, and the details are not repeated here.
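A worked example, added here and not part of the application's disclosure, of steps S3031 to S3034 in Python. It scores constructed first (gateway-reported) and second (client-reported) log audit information item by item, combines the items of each category by the mean or by the minimum, and takes the weighted average of the category values to obtain ZTD in [0,1], both over all categories and over the risky categories only. The per-item scoring rule, the count thresholds, the category weights and the audit values are assumptions standing in for the trained model and the correlation/importance analysis that the text leaves open.

```python
from statistics import fmean

# Added example of steps S3031-S3034; not the applicant's code.
# Count thresholds per audit information item: assumed values, not from the text.
COUNT_THRESHOLDS = {
    "high_frequency_query": 5, "high_frequency_download": 3,
    "multiple_login_attempts": 5, "multiple_mail_copying": 3,
    "vulnerability_outbreak": 3,
}

# Constructed log audit information for one previous access, keyed by audit information
# category. user_behavior stands for the first log audit information (reported by the
# SDP gateway); the other two stand for the second log audit information (reported by the
# SDP client). Boolean items mean "condition observed"; integer items are counts.
AUDIT = {
    "user_behavior": {"high_frequency_query": 3, "high_frequency_download": 0,
                      "multiple_login_attempts": 7, "multiple_mail_copying": 1},
    "network_anomaly": {"traffic_anomaly": False, "protocol_exception": False},
    "system_environment": {"antivirus_off": True, "high_risk_port_open": False,
                           "vulnerability_outbreak": 1, "registry_modified": False},
}
# Category weights such as the correlation/importance analysis would produce (assumed).
WEIGHTS = {"user_behavior": 0.4, "network_anomaly": 0.3, "system_environment": 0.3}


def item_credibility(item, observation):
    """S3032: map one audit information item to a credibility value in [0, 1].
    Stands in for the trained model in the text. Boolean items: observed -> 0.0,
    not observed -> 1.0. Count items: 1.0 below the threshold, then falling
    linearly to 0.0 at twice the threshold."""
    if isinstance(observation, bool):          # bool is checked before int on purpose
        return 0.0 if observation else 1.0
    t = COUNT_THRESHOLDS[item]
    if observation < t:
        return 1.0
    return max(0.0, 1.0 - (observation - t) / t)


def category_credibility(item_values, method="mean"):
    """S3033: category credibility value, either the mean of the item values or
    their minimum so that the riskiest item decides (the stricter variant)."""
    vals = list(item_values.values())
    return fmean(vals) if method == "mean" else min(vals)


def historical_access_credibility(category_values, weights, risky_only=False):
    """S3034: ZTD in [0, 1] as the weighted average of the category values.
    With risky_only=True, categories with value 1.0 (no risk observed) are left
    out and the weights are renormalised over the remaining categories."""
    pairs = [(c, v) for c, v in category_values.items() if not (risky_only and v >= 1.0)]
    if not pairs:
        return 1.0
    total = sum(weights[c] for c, _ in pairs)
    return sum(weights[c] * v for c, v in pairs) / total


def score(audit=AUDIT, weights=WEIGHTS, method="mean", risky_only=False):
    """Run the three steps on a set of log audit information; returns
    (category credibility values, ZTD)."""
    cats = {c: category_credibility({i: item_credibility(i, o) for i, o in items.items()}, method)
            for c, items in audit.items()}
    return cats, historical_access_credibility(cats, weights, risky_only)


if __name__ == "__main__":
    for method, risky_only in (("mean", False), ("min", False), ("mean", True)):
        cats, ztd = score(method=method, risky_only=risky_only)
        print(f"{method:>4} risky_only={risky_only!s:<5} categories={cats} ZTD={ztd:.4f}")
```

With the constructed input the seven failed logins and the disabled antivirus are the only observed risks; the mean variant yields a ZTD of 0.885, whereas the minimum variant, in which the disabled antivirus alone drags the system environment category to 0, yields 0.54. The choice between the two is the choice between tolerating and refusing a single bad indicator.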
Embodiment 2: acquiring the historical access credibility of the SDP client through fifth log audit information obtained from a third-party analysis system connected to the SDP controller.
The fifth log audit information is log audit information that can only be obtained through a third-party analysis system, and may include, for example, terminal operating environment analysis information, comprehensive audit analysis information, newly added emergent security risk information, and the like.
The terminal operating environment analysis information may include, for example, an authorized-person-left item and a multiple-people-watching item obtained by a video monitoring system that observes the camera view of the terminal device. For example, a third-party video monitoring system has a communication connection to the terminal device on which the SDP client runs and can observe the picture from the camera of the terminal device. While the user is connected to the intranet, if the camera picture shows that the authorized user has left the terminal device, there is considered to be a risk of resource leakage caused by the authorized person leaving the terminal device. If the camera picture shows several people watching around the authorized user, unauthorized users around the authorized user may be able to obtain intranet resources from the terminal device, for example by reading them off its display; this situation is considered to carry a risk of intranet resource leakage due to onlookers.
The terminal operating environment analysis information obtained by the video monitoring system may be sent to the SDP controller by the video monitoring system itself, or by the terminal device on which the video monitoring system is installed, so that the SDP controller can process it by the method above and calculate the historical access credibility of the SDP client.
The comprehensive audit analysis information may include a log association analysis item, a security system anomaly item and the like obtained by an audit analysis system. The audit analysis system is connected to the terminal device on which the SDP client runs, obtains the system logs of the terminal device, audits them for problems, and sends the audit result to the SDP controller for judging the credibility of the SDP client. For example, the log association analysis item may be an analysis of correlated anomalies across the system logs of several terminal devices, such as an illegitimate entry appearing in the system logs. The security system anomaly item refers to anomaly information about the security system of the SDP client, obtained from the security log of the SDP client.
The comprehensive audit analysis information obtained by the audit analysis system may be sent to the SDP controller by the audit analysis system itself, or by an SDP client connected to the audit analysis system, so that the SDP controller can process it by the method above and calculate the historical access credibility of the SDP client.
The newly added emergent security risk information may include a sudden industry risk item, an emergency blocking protection item and the like obtained by a threat intelligence system. Illustratively, the threat intelligence system obtains emergent risk information in the industry in real time and monitors whether the terminal device on which the SDP client runs exhibits features matching the emergent risk. Emergency blocking protection means, for example, that the enterprise has found a vulnerability that must be blocked urgently, and the threat intelligence system has observed that the terminal device on which the SDP client runs exhibits features matching that vulnerability.
The newly added emergent security risk information obtained by the threat intelligence system may be sent to the SDP controller by the threat intelligence system itself, or by an SDP gateway connected to the threat intelligence system, so that the SDP controller can process it by the method above and calculate the historical access credibility of the SDP client.
In embodiment 2, the subsequent steps for obtaining the historical access credibility of the SDP client from the fifth log audit information are the same as in embodiment 1 and are not repeated here.
The historical access credibility of the SDP client may be obtained from all three of the first, second and fifth log audit information, or from at least one of the three; this is not limited in this application.
According to this method of obtaining the historical access credibility of the SDP client, several kinds of risk information that may arise while a user remotely accesses the intranet are collected through several kinds of collection means, the risk information is quantified, the correlation and importance among the kinds of risk information are weighed, and the historical access credibility of the SDP client is obtained comprehensively, which improves the security of the access control method.
Next, step S304, performing intranet resource access control on the SDP client through the SDP gateway according to the historical access credibility of the SDP client, is described in detail.
Fig. 4 is a schematic flowchart of another access control method provided in an embodiment of the present application, and as shown in fig. 4, the method includes:
S401, determining the intranet resource access authority of the SDP client according to its historical access credibility.
The historical access credibility of the SDP client is the value obtained in step S303. The intranet access authority of the SDP client may specify, for example, through which SDP gateways the SDP client may access the intranet, which resources behind each of those SDP gateways it may access once connected through that gateway, and in what manner it may access them, such as viewing, modifying or deleting at different authority levels.
In one possible implementation, the trust level of the SDP client is determined from its historical access credibility, and the intranet access authority of the SDP client is then determined from its trust level and a mapping between trust levels and intranet access authorities.
Illustratively, the value range [0,1] of the historical access credibility ZTD of the SDP client may be divided into four trust levels, as shown in Table 3 below:
TABLE 3
Trust level name   Range of values of ZTD
Trust              [0.85, 1]
Midtrust           [0.7, 0.85]
Lowtrust           [0.6, 0.7]
Untrust            [0, 0.6]
(As printed, adjacent ranges share their boundary values. An implementation must assign each boundary value to exactly one level, for instance by treating the lower bound of each range as inclusive and the upper bound as exclusive.)
For these four trust levels:
When the trust level of the SDP client is Trust, the user may access, through the SDP client, every application in the intranet authorized to the user account.
When the trust level of the SDP client is Midtrust, the access authority of the SDP client is limited: for example, the user may access only the Web front end of an authorized application and not its database. This limitation is enforced by the SDP gateway on the basis of the access authority that the SDP controller sends to it. For an SDP client at the Trust level, the SDP gateway allows access to the applications within its access authority and to their databases; for an SDP client at the Midtrust level, the SDP gateway allows access only to the Web front end of those applications and refuses, for example, access to their databases. Thus, when a Midtrust SDP client sends an access request to an application database, the SDP gateway rejects the request; when it sends an access request to the Web front end of the application, the SDP gateway accepts the request and forwards the SDP client to that Web front end.
When the trust level of the SDP client is Lowtrust, the user account is locked and can no longer be used to access intranet resources; the user must apply for self-service unlocking or contact a network administrator to unlock the account. Alternatively, the SDP client is placed in a demilitarized zone (DMZ) of the server, where the user of the SDP client is guided through further zero-trust strong authentication; if the historical access credibility of the SDP client cannot be repaired, or the SDP client fails the authentication after repair, its access request is rejected.
When the trust level of the SDP client is Untrust, the SDP controller adds the user account and the SDP client to a blacklist, subsequent access requests based on single-packet authorization sent by that SDP client are not accepted by the SDP controller, and the user must contact a network administrator to be removed from the blacklist.
It should be understood that the four trust levels are only an example; in practice the division into trust levels may be adjusted according to actual requirements, which is not limited in this application.
In another possible implementation, the intranet access authority of the SDP client is determined directly from its historical access credibility, without an intermediate trust level.
In this implementation, the intranet access authority of the SDP client is obtained directly from the value of its historical access credibility. For example, after the SDP controller has obtained the value of the historical access credibility of the SDP client, it may determine the intranet access authority from a mapping between that value and intranet access authorities; alternatively, the value may be input into an access authority processing model, which computes the corresponding intranet access authority.
S402, sending an access response to the SDP client, the access response indicating the SDP gateway(s) to which the SDP client is to connect when it is allowed to access intranet resources, and the intranet resource access authority of the SDP client.
Correspondingly, the SDP client receives the access response sent by the SDP controller and determines from it the SDP gateway(s) to connect to for accessing intranet resources and its intranet resource access authority.
If step S401 determines that the SDP client has intranet access authority, a mutual Transport Layer Security (mTLS) connection is established between the SDP controller and the SDP client, and the SDP controller sends the access response to the SDP client over that connection.
The access response may include, for example, a list of the SDP gateways the SDP client is allowed to connect to when accessing intranet resources, and the range of access authority of the SDP client at each of those SDP gateways.
At the same time, the SDP controller sends indication information to each SDP gateway in the list, indicating that the SDP gateway is to allow the SDP client to connect and what intranet resource access authority the SDP client has. The connection between the SDP controller and the SDP gateway may be established in advance when the SDP architecture is deployed, or when it is maintained, for example when a new SDP gateway is added.
After the SDP controller has completed these operations, the SDP client sends a connection request to the SDP gateway, the SDP gateway responds to it, and a mutual TLS connection between the SDP client and the SDP gateway is established, over which the SDP client remotely accesses intranet resources.
According to the access control method provided by this embodiment, the historical access credibility of the SDP client yields a different access authority for each credibility level: the access request of an untrusted SDP client is rejected, and SDP clients of different credibility are granted different access authorities, which reduces the risk of the intranet being attacked.
Optionally, after the SDP client establishes a connection with the SDP gateway, the method may further include:
and S403, receiving third log audit information from an SDP gateway currently connected with the SDP client and fourth log audit information of the SDP client. And updating the historical access reliability of the SDP client according to the third log audit information and the fourth log audit information.
And the third log audit information and the fourth log audit information are used for recording the information of the current intranet access of the SDP client. The third log audit information is consistent with the category and the item included in the first log audit information, and the difference is only that the third log audit information is based on the current access behavior, and the log audit information is fed back by the SDP gateway currently connected to the SDP client. The fourth log audit information is consistent with the category and item included in the second log audit information, and the difference is that the fourth log audit information is based on the current access behavior, and the SDP client feeds back the log audit information.
According to a possible implementation manner, the value of at least one historical access credibility vector in the access credibility function is extracted according to the third log audit information and the fourth log audit information. And updating the historical access credibility of the SDP client according to the access credibility function and the value of the extracted at least one historical access credibility vector.
The historical access credibility vectors are as described in step S3031: each audit information category is one historical access credibility vector. The access credibility function is formed from multiple historical access credibility vectors and the weight value of each, and is used to calculate the access credibility of the SDP client.
The SDP controller updates the values of the historical access credibility vectors from the information in the third and/or fourth log audit information, evaluates the access credibility function with those values, and so obtains an access credibility based on the current access behaviour, which completes the update of the SDP client's historical access credibility. The calculation is the same as in step S303 and is not repeated here.
After the historical access reliability of the SDP client is updated according to the third log audit information and the fourth log audit information, the method further includes:
If, according to the updated historical access credibility of the SDP client, the intranet access authority of the SDP client has changed and the SDP client is currently accessing the intranet, the SDP client's intranet access through the SDP gateway is controlled according to the updated historical access credibility.
For example, if the credibility level corresponding to the SDP client's historical access credibility was Trust before the update and is middtrust after it, and the client's current intranet access has not ended, the SDP controller issues to the SDP gateway the new access policy corresponding to the client's updated level. The SDP gateway then changes its interaction with the SDP client according to that policy, for example by disconnecting the client from the application it is using, or by notifying the client that only a Web application is currently available.
In the access control method provided by the above embodiment, while the SDP client is accessing the intranet its historical access credibility is updated in real time from the client's state, its operating environment, its access behaviour towards the SDP gateway and similar evidence, and its access rights are changed in real time as that credibility changes. Even within a single intranet access, the client's behaviour through the SDP gateway is therefore controlled according to the change in its access credibility, which improves the timeliness of protection and reduces the risk that an attacker uses an already-authorized SDP client to attack intranet resources during the access.
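The following Python sketch, added here as an illustration and not taken from the patent, works through the mechanism of step S403 and the re-evaluation described above: audit categories as credibility vectors, a weighted access credibility function, a threshold mapping to credibility levels, a level-to-permission mapping, and the decision of which applications the gateway must cut off when a client is downgraded mid-session. The patent specifies none of the concrete categories, weights, thresholds or level names (its own example names only Trust and middtrust), so all of those, and the sample audit records, are assumptions.

```python
"""Access credibility function and mid-session re-evaluation.

Added example; not code from the patent.  The patent names no concrete audit
categories, weights, thresholds or level names, so everything below
(category names, WEIGHTS, LEVELS, PERMISSIONS, DEFAULT_SCORE and the sample
log records) is an assumption made for illustration.
"""

# Each audit-information category is one "historical access credibility
# vector"; its value is extracted from the gateway/client audit logs and
# normalised to [0.0, 1.0], higher meaning safer.
WEIGHTS = {
    "endpoint_posture":  0.30,  # client-reported: patch level, AV, disk encryption
    "auth_history":      0.20,  # gateway-reported: share of successful auths
    "traffic_behaviour": 0.30,  # gateway-reported: policy violations this session
    "session_hygiene":   0.20,  # client-reported: unexpected processes seen
}

# Thresholds, highest first, and the level -> intranet permission mapping.
LEVELS = [(0.80, "Trust"), (0.50, "MidTrust"), (0.00, "Untrust")]
PERMISSIONS = {
    "Trust":    {"web_app", "file_share", "ssh_bastion"},
    "MidTrust": {"web_app"},
    "Untrust":  set(),
}
DEFAULT_SCORE = 0.5  # preset credibility for a client with no access history


def extract_vectors(gateway_log: dict, client_log: dict) -> dict:
    """Pull one vector value per category out of the audit records."""
    g, c = gateway_log, client_log
    auth_total = g["auth_ok"] + g["auth_fail"]
    return {
        "endpoint_posture": sum(c["posture"].values()) / len(c["posture"]),
        "auth_history": g["auth_ok"] / auth_total if auth_total else 0.0,
        # five or more violations in one session zero this vector
        "traffic_behaviour": 1.0 - min(1.0, g["policy_violations"] / 5.0),
        "session_hygiene": 0.0 if c["unexpected_processes"] else 1.0,
    }


def credibility(vectors: dict) -> float:
    """The access credibility function: weighted sum of the vector values."""
    return round(sum(WEIGHTS[k] * vectors[k] for k in WEIGHTS), 4)


def trust_level(score: float) -> str:
    for threshold, name in LEVELS:
        if score >= threshold:
            return name
    return "Untrust"


def reevaluate(prev_score: float, gateway_log: dict, client_log: dict) -> dict:
    """Recompute the score from fresh (third/fourth) audit info and report
    whether the permission set changed; a new policy is pushed only on change."""
    new_score = credibility(extract_vectors(gateway_log, client_log))
    old_perms = PERMISSIONS[trust_level(prev_score)]
    new_level = trust_level(new_score)
    new_perms = PERMISSIONS[new_level]
    return {
        "score": new_score,
        "level": new_level,
        "changed": old_perms != new_perms,
        "revoke": sorted(old_perms - new_perms),  # apps the gateway must cut off
        "allowed": sorted(new_perms),
    }


# Constructed sample audit records for one client, reported mid-session:
# the gateway saw three policy violations and the client reports a process
# that is not on its baseline.
GATEWAY_LOG_NOW = {"auth_ok": 9, "auth_fail": 1, "policy_violations": 3}
CLIENT_LOG_NOW = {
    "posture": {"patched": 1.0, "av_running": 1.0, "disk_encrypted": 0.5},
    "unexpected_processes": True,
}

if __name__ == "__main__":
    # The client entered the session at 0.9 (Trust); the new evidence drops it.
    print(reevaluate(0.9, GATEWAY_LOG_NOW, CLIENT_LOG_NOW))
```

With the sample records the score falls from 0.9 to 0.55, the level drops from Trust to MidTrust, and the controller would instruct the gateway to disconnect file_share and ssh_bastion while leaving web_app open. The weights sum to 1.0 so the score stays in [0, 1]; a practitioner would tune them from real audit data rather than from guesswork, and would treat the `unexpected_processes` flag as a hard signal, since it zeroes a whole vector.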
Fig. 5 is a schematic structural diagram of an access control apparatus according to an embodiment of the present application. As shown in fig. 5, the access control apparatus applied to the SDP controller includes a receiving module 11, a verification module 12, an obtaining module 13 and a control module 14. In one possible embodiment, the apparatus further comprises an update module 15.
A receiving module 11, configured to receive a first access request from an SDP client, where the access request is used to request to access an intranet resource;
the verification module 12 is configured to perform identity verification on the SDP client;
an obtaining module 13, configured to obtain a historical access reliability of the SDP client if the identity verification of the SDP client passes; the historical access credibility is used for representing the safety of the SDP client when accessing the intranet resources;
and the control module 14 is configured to perform intranet resource access control on the SDP client through the SDP gateway according to the historical access reliability of the SDP client.
In a possible implementation manner, if the SDP client has not accessed the intranet resource through the SDP gateway before, the obtaining module 13 is specifically configured to use a preset access reliability as a historical access reliability of the SDP client. If the SDP client has accessed the intranet resource through an SDP gateway at least once before, the obtaining module 13 is specifically configured to read recorded historical access reliability of the SDP client, where the historical access reliability is obtained based on first log audit information reported by an SDP gateway connected to the SDP client when the SDP client has last accessed the intranet resource, and second log audit information reported by the SDP client. The first log audit information and the second log audit information are used for recording the information of the SDP client accessing the intranet resource last time.
In a possible embodiment, the control module 14 is specifically configured to determine the intranet resource access right of the SDP client according to its historical access reliability, and to send an access response to the SDP client, where the access response indicates the SDP gateway to which the SDP client connects when it is allowed to access the intranet resource, and the intranet resource access right of the SDP client.
In a possible implementation manner, the control module 14 is specifically configured to determine the trusted level of the SDP client according to the historical access reliability of the SDP client, and determine the intranet resource access right of the SDP client according to the trusted level of the SDP client and the mapping relationship between the trusted level and the intranet access right.
In a possible implementation manner, after the control module 14 performs intranet resource access control on the SDP client through the SDP gateway, the update module 15 is configured to receive third log audit information from the SDP gateway currently connected to the SDP client, and fourth log audit information of the SDP client, and update the historical access reliability of the SDP client according to the third log audit information and the fourth log audit information. The third log audit information and the fourth log audit information are used for recording the information that the SDP client currently accesses the intranet resources.
In a possible implementation manner, the updating module 15 is specifically configured to extract, according to the third log audit information and the fourth log audit information, a value of at least one historical access reliability vector in the access reliability function. And updating the historical access credibility of the SDP client according to the access credibility function and the value of the extracted at least one historical access credibility vector.
In a possible embodiment, after the update module 15 updates the historical access reliability of the SDP client, the control module 14 is further configured to, if it is determined that the access permission of the intranet resource of the SDP client changes and the SDP client currently accesses the intranet resource according to the updated historical access reliability of the SDP client, perform intranet resource access control on the SDP client through the SDP gateway according to the updated historical access reliability of the SDP client.
The access control device provided in the embodiment of the present application may execute the access control method in the foregoing method embodiment, and the implementation principle and the technical effect are similar, which are not described herein again.
Fig. 6 is a schematic structural diagram of an access control apparatus according to an embodiment of the present application. As shown in fig. 6, the access control device applied to the SDP client includes: a sending module 21, a receiving module 22 and an accessing module 23.
A sending module 21, configured to send a first access request to the SDP controller, where the access request is used to request to access an intranet resource.
And a receiving module 22, configured to receive control information sent by the SDP controller, where the control information is used to perform intranet resource access control on the SDP client through an SDP gateway.
And the access module 23 is configured to initiate a connection request to the SDP gateway, and after the connection is successful, access the intranet resource through the connection established with the SDP gateway.
In a possible implementation manner, when the SDP client accesses the intranet resource last time, the sending module 21 is further configured to report second log audit information to the SDP controller, where the second log audit information is used to record information that the SDP client accesses the intranet resource last time.
In a possible implementation manner, when the SDP client currently accesses the intranet resource, the sending module 21 is further configured to report fourth log audit information to the SDP controller, where the fourth log audit information is used to record information that the SDP client currently accesses the intranet resource.
The access control device provided in the embodiment of the present application may execute the access control method in the foregoing method embodiment, and the implementation principle and the technical effect are similar, which are not described herein again.
Fig. 7 is a schematic structural diagram of an access control apparatus according to an embodiment of the present application. As shown in fig. 7, the access control apparatus applied to an SDP gateway includes a receiving module 31 and a connection module 32. In one possible embodiment, the apparatus further comprises a sending module 33.
A receiving module 31, configured to receive indication information sent by the SDP controller, where the indication information is used to indicate that the SDP gateway allows the access of the SDP client.
A connection module 32, configured to accept the connection request of the SDP client, and establish a connection with the SDP client.
In a possible implementation manner, when the SDP client accesses the intranet resource last time, the sending module 33 is further configured to report first log audit information to the SDP controller, where the first log audit information is used to record information that the SDP client accesses the intranet resource last time.
In a possible implementation manner, when the SDP client currently accesses the intranet resource, the sending module 33 is further configured to report third log audit information to the SDP controller, where the third log audit information is used to record information that the SDP client currently accesses the intranet resource.
The access control device provided in the embodiment of the present application may execute the access control method in the foregoing method embodiment, and the implementation principle and the technical effect are similar, which are not described herein again.
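As an added example (not the patent's code), the exchange between the three apparatuses of figs. 5 to 7, in Python: the controller verifies the client, indicates the admitted client to the gateway and returns the access response; the gateway drops any connection it has not been told about, enforces the permission set per session, and applies a mid-session policy push by disconnecting revoked applications, recording each event as it would for its log audit information. The message fields, the per-session token, the shared-secret identity check and the level-to-permission table are assumptions; the patent does not fix any of them.

```python
"""Controller / gateway / client exchange with default-deny at the gateway.

Added example, not code from the patent.  The patent only says the controller
verifies the client, tells it which gateway to use and what it may access, and
tells the gateway which client to admit; message fields, per-session token,
shared-secret identity check and the level -> permission table are assumptions.
"""
import hmac
import secrets

PERMISSIONS = {"Trust": {"web_app", "file_share"}, "MidTrust": {"web_app"},
               "Untrust": set()}


class Gateway:
    def __init__(self, name):
        self.name = name
        self.admitted = {}   # client_id -> {"token": str, "perms": set}
        self.sessions = {}   # client_id -> apps currently open
        self.audit = []      # events that would become the gateway's audit log

    def indicate(self, client_id, token, perms):     # from the controller
        self.admitted[client_id] = {"token": token, "perms": set(perms)}

    def connect(self, client_id, token):             # from the client
        entry = self.admitted.get(client_id)
        if entry is None or not hmac.compare_digest(entry["token"], token):
            self.audit.append(("drop", client_id))   # no indication: silent drop
            return False
        self.sessions[client_id] = set()
        return True

    def open_app(self, client_id, app):
        if client_id not in self.sessions:
            return False
        if app not in self.admitted[client_id]["perms"]:
            self.audit.append(("policy_violation", client_id, app))
            return False
        self.sessions[client_id].add(app)
        return True

    def apply_policy(self, client_id, perms):
        """Mid-session policy push: disconnect apps that are no longer allowed."""
        perms = set(perms)
        cut = sorted(self.sessions.get(client_id, set()) - perms)
        for app in cut:
            self.sessions[client_id].discard(app)
            self.audit.append(("disconnect", client_id, app))
        if client_id in self.admitted:
            self.admitted[client_id]["perms"] = perms
        return cut


class Controller:
    def __init__(self, gateway):
        self.gateway = gateway
        self.secrets = {}    # client_id -> enrolment secret (assumed scheme)
        self.level = {}      # client_id -> current trust level

    def enrol(self, client_id, secret, level="MidTrust"):
        self.secrets[client_id] = secret
        self.level[client_id] = level

    def access_request(self, client_id, secret):
        """Identity check, then permission lookup; the gateway is told first."""
        known = self.secrets.get(client_id)
        if known is None or not hmac.compare_digest(known, secret):
            return None                              # identity check failed
        perms = PERMISSIONS[self.level[client_id]]
        if not perms:
            return None                              # untrusted client: rejected
        token = secrets.token_hex(16)
        self.gateway.indicate(client_id, token, perms)
        return {"gateway": self.gateway.name, "token": token, "perms": sorted(perms)}

    def update_level(self, client_id, new_level):
        """After re-scoring: push a new policy only if the permissions changed."""
        old_perms = PERMISSIONS[self.level[client_id]]
        self.level[client_id] = new_level
        new_perms = PERMISSIONS[new_level]
        if new_perms == old_perms:
            return []
        return self.gateway.apply_policy(client_id, new_perms)


def scenario():
    """Constructed walk-through: one admitted client, one downgrade, one stranger."""
    gw = Gateway("gw-1")
    ctl = Controller(gw)
    ctl.enrol("laptop-42", "enrolment-secret", level="Trust")
    resp = ctl.access_request("laptop-42", "enrolment-secret")
    gw.connect("laptop-42", resp["token"])
    gw.open_app("laptop-42", "web_app")
    gw.open_app("laptop-42", "file_share")
    cut = ctl.update_level("laptop-42", "MidTrust")   # re-scoring downgraded it
    after = gw.open_app("laptop-42", "file_share")    # now refused and logged
    stranger = gw.connect("rogue", "anything")        # never indicated: dropped
    bad_secret = ctl.access_request("laptop-42", "wrong")
    return {"response": resp, "cut": cut, "after": after, "stranger": stranger,
            "bad_secret": bad_secret, "sessions": sorted(gw.sessions["laptop-42"]),
            "audit": gw.audit}


if __name__ == "__main__":
    print(scenario())
```

Two design points carry over to a real deployment: the gateway is told about the client before the client receives its response, so a client can never race the controller's indication, and the gateway answers an unindicated connection with silence rather than an error, which is what keeps the intranet invisible to scanners.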
Fig. 8 is a schematic structural diagram of an access control device according to an embodiment of the present application. Wherein the access control device is configured to execute the aforementioned access control method. The access control device may be, for example, the SDP controller mentioned above, or an SDP client, or an SDP gateway. As shown in fig. 8, the access control apparatus 800 may include: at least one processor 801, a memory 802, and a communication interface 803.
The memory 802 stores programs. In particular, the program may include program code including computer operating instructions.
Memory 802 may comprise high-speed RAM memory and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The processor 801 is configured to execute computer-executable instructions stored in the memory 802 to implement the methods described in the foregoing method embodiments. The processor 801 may be a CPU, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits configured to implement the embodiments of the present Application.
The processor 801 may communicate with external devices via the communication interface 803. When the access control device is an SDP controller, the external device may be, for example, an SDP client or an SDP gateway. When the access control device is an SDP client, the external device may be, for example, an SDP controller or an SDP gateway. When the access control device is an SDP gateway, the external device may be, for example, an SDP client, an SDP controller, or a device hosting an intranet resource.
In a specific implementation, if the communication interface 803, the memory 802 and the processor 801 are implemented independently, the communication interface 803, the memory 802 and the processor 801 may be connected to each other through a bus and perform communication with each other. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended ISA (EISA) bus, or the like. Buses may be classified as address buses, data buses, control buses, etc., but do not represent only one bus or type of bus.
Alternatively, in a specific implementation, if the communication interface 803, the memory 802 and the processor 801 are integrated into a chip, the communication interface 803, the memory 802 and the processor 801 may complete communication through an internal interface.
The present application also provides an access control system as in fig. 2, the system comprising: SDP client, SDP controller, SDP gateway. The SDP client is configured to execute the actions of the SDP client described in the foregoing method embodiment, the SDP controller is configured to execute the actions of the SDP controller described in the foregoing method embodiment, and the SDP gateway is configured to execute the actions of the SDP gateway described in the foregoing method embodiment, so that a user can implement a function of remotely accessing an intranet through a terminal device.
The present application also provides a computer-readable storage medium, which may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and in particular, the computer-readable storage medium stores program instructions, and the program instructions are used in the method in the foregoing embodiments.
The present application also provides a program product comprising execution instructions stored in a readable storage medium. The at least one processor of the access control device may read the execution instructions from the readable storage medium, and the execution of the execution instructions by the at least one processor causes the access control device to implement the access control method provided by the various embodiments described above.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (10)

1. An access control method applied to an SDP controller, the method comprising:
receiving a first access request of an SDP client, wherein the access request is used for requesting to access intranet resources;
carrying out identity verification on the SDP client;
if the identity verification of the SDP client passes, acquiring the historical access reliability of the SDP client; the historical access credibility is used for representing the safety of the SDP client when accessing the intranet resources;
and according to the historical access credibility of the SDP client, performing intranet resource access control on the SDP client through an SDP gateway.
2. The method of claim 1, wherein obtaining historical access confidence for the SDP client comprises:
if the SDP client side has not accessed the intranet resources through an SDP gateway before, taking preset access reliability as historical access reliability of the SDP client side;
if the SDP client has accessed the intranet resources through an SDP gateway at least once before, reading the recorded historical access reliability of the SDP client, wherein the historical access reliability is obtained based on first log audit information reported by the SDP gateway connected when the SDP client last accessed the intranet resources and second log audit information reported by the SDP client; the first log audit information and the second log audit information are used for recording the information of the SDP client's last access to the intranet resources.
3. The method according to claim 1 or 2, wherein the performing intranet resource access control on the SDP client through an SDP gateway according to the historical access reliability of the SDP client comprises:
determining the intranet resource access authority of the SDP client according to the historical access credibility of the SDP client;
and sending an access response to the SDP client, wherein the access response is used for indicating an SDP gateway connected when the SDP client is allowed to access the intranet resources, and the intranet resource access authority of the SDP client.
4. The method of claim 3, wherein the determining the intranet resource access rights of the SDP client according to the historical access reliability of the SDP client comprises:
determining the credibility level of the SDP client according to the historical access credibility of the SDP client;
and determining the intranet resource access authority of the SDP client according to the credibility level of the SDP client and the mapping relation between the credibility level and the intranet access authority.
5. The method of claim 3, wherein after the performing intranet resource access control on the SDP client through an SDP gateway, the method further comprises:
receiving third log audit information from an SDP gateway currently connected with the SDP client and fourth log audit information of the SDP client; the third log audit information and the fourth log audit information are used for recording the information that the SDP client currently accesses intranet resources;
and updating the historical access reliability of the SDP client according to the third log audit information and the fourth log audit information.
6. The method of claim 5, wherein said updating a historical access trust of the SDP client based on the third log audit information and the fourth log audit information comprises:
extracting a value of at least one historical access credibility vector in an access credibility function according to the third log audit information and the fourth log audit information;
and updating the historical access credibility of the SDP client according to the access credibility function and the extracted value of the at least one historical access credibility vector.
7. The method of claim 5, wherein after updating the historical access trustworthiness of the SDP client, the method further comprises:
and if the change of the intranet resource access authority of the SDP client is determined according to the updated historical access reliability of the SDP client and the SDP client currently accesses the intranet resource, performing intranet resource access control on the SDP client through an SDP gateway according to the updated historical access reliability of the SDP client.
8. An access control apparatus, applied to an SDP controller, comprising:
a receiving module, configured to receive a first access request from an SDP client, wherein the access request is used for requesting access to intranet resources;
the verification module is used for verifying the identity of the SDP client;
the obtaining module is used for obtaining the historical access credibility of the SDP client if the identity verification of the SDP client passes; the historical access credibility is used for representing the safety of the SDP client when accessing the intranet resources;
and the control module is used for carrying out intranet resource access control on the SDP client through an SDP gateway according to the historical access credibility of the SDP client.
9. An SDP controller, comprising: a processor, a communication interface, and a memory; the processor is respectively in communication connection with the communication interface and the memory;
the memory stores computer-executable instructions;
the communication interface is in communication interaction with external equipment;
the processor executes computer-executable instructions stored by the memory to implement the method of any of claims 1 to 7.
10. A computer-readable storage medium having computer-executable instructions stored therein, which when executed by a processor, are configured to implement the access control method of any one of claims 1 to 7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210628757.XA CN114915427B (en) 2022-06-06 2022-06-06 Access control method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114915427A (en) 2022-08-16
CN114915427B (en) 2023-10-13

Family

ID=82770860

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210628757.XA Active CN114915427B (en) 2022-06-06 2022-06-06 Access control method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114915427B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116318912A (en) * 2023-03-01 2023-06-23 华能信息技术有限公司 Dynamic network interface hiding method

Patent Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102668501A (en) * 2009-10-15 2012-09-12 交互数字专利控股公司 Registration and credential roll-out for accessing a subscription-based service
CN105306480A (en) * 2009-10-15 2016-02-03 交互数字专利控股公司 Method and device in system including the device
US8812482B1 (en) * 2009-10-16 2014-08-19 Vikas Kapoor Apparatuses, methods and systems for a data translator
CN107005442A (en) * 2014-10-31 2017-08-01 华为技术有限公司 Method and apparatus for remotely accessing
US10681010B2 (en) * 2014-10-31 2020-06-09 Huawei Technologies Co., Ltd. Establishing a connection between a user device and an access zone
CN104640114A (en) * 2015-01-04 2015-05-20 中国联合网络通信集团有限公司 Verification method and device of access request
CN104640114B (en) * 2015-01-04 2018-09-11 中国联合网络通信集团有限公司 A kind of verification method and device of access request
CN104615765A (en) * 2015-02-13 2015-05-13 中国联合网络通信集团有限公司 Data processing method and data processing device for browsing internet records of mobile subscribers
CN106850509A (en) * 2015-12-07 2017-06-13 中国电信股份有限公司 Method for network access control and device
US20180191700A1 (en) * 2016-12-30 2018-07-05 Google Inc. Two-token based authenticated session management
US20190132326A1 (en) * 2017-10-27 2019-05-02 Cleverdome, Inc. Software Defined Network for Creating a Trusted Network System
US20190342103A1 (en) * 2018-05-02 2019-11-07 AZ Board of Regents on Behalf of AZ State Univ Method and Apparatus for Verification of Social Media Information
CN110213215A (en) * 2018-08-07 2019-09-06 腾讯科技(深圳)有限公司 A kind of resource access method, device, terminal and storage medium
US10860115B1 (en) * 2019-09-19 2020-12-08 Bao Tran Air transportation systems and methods

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
LARRY NACE ECT.: "Securing Trajectory based Operations Through a Zero Trust Framework in the NAS", 《2020 INTEGRATED COMMUNICATIONS NAVIGATION AND SURVEILLANCE CONFERENCE (ICNS)》 *
王刚;张英涛;杨正权;: "基于零信任打造封闭访问空间", 信息安全与通信保密, no. 08 *

Also Published As

Publication number Publication date
CN114915427B (en) 2023-10-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant