CN114968390A - Zero trust network system and processing method - Google Patents

Zero trust network system and processing method

Publication number: CN114968390A
Application number: CN202110214654.4A
Authority: CN (China)
Legal status: Pending
Prior art keywords: plug, zero, trust, zero trust, module
Other languages: Chinese (zh)
Inventor: 吴岳廷
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd

Classifications

    • G06F9/44526 Plug-ins; Add-ons (G06F9/445 Program loading or initiating; G06F9/44521 Dynamic linking or loading; Link editing at or after load time)
    • G06F8/61 Installation (G06F8/60 Software deployment)
    • G06F8/65 Updates (G06F8/60 Software deployment)
    • G06F8/71 Version control; Configuration management (G06F8/70 Software maintenance or management)
    • G06F9/44594 Unloading (G06F9/445 Program loading or initiating)

Abstract

The application provides a zero trust network system and a processing method, relating to the technical field of cloud security. The system comprises a plug-in management module for managing at least one zero trust plug-in, where the at least one zero trust plug-in is independently arranged; the plug-in management module is arranged in a main service module of the system; the at least one zero trust plug-in and the main service module are independently arranged; and the main service module is used for policy scheduling and module scheduling. In other words, the zero trust service modules are transformed into plug-ins and the zero trust network system is provided with a plug-in management module to manage them, so that each zero trust plug-in can be flexibly scheduled through the plug-in management module.

Description

Zero trust network system and processing method
Technical Field
The embodiment of the application relates to the technical field of cloud security, in particular to a zero trust network system and a processing method.
Background
The concept of zero trust arose from the de-perimeterization of networks. Under the earlier approach to network construction, the network was divided into an internal network and an external network; it was common industry knowledge that network attacks come from outside the enterprise, so perimeter protection was assumed to be sufficient for security. The enterprise security department identifies and intercepts malicious or unauthorized access through technical means and products such as firewalls and Virtual Private Networks (VPNs), and ensures the normal access and legitimate operation of users.
The zero trust network system is not limited to trust evaluation and dynamic access control; it is also applied in the Business-to-Business (B2B) model, for example: enterprise A may provide targeted zero trust services to enterprise B through a zero trust network system.
The zero trust service modules in current zero trust network systems are highly coupled, which makes it hard for enterprises or users to flexibly schedule the zero trust service modules.
Disclosure of Invention
The application provides a zero trust network system and a processing method, so as to improve the flexibility with which each zero trust plug-in can be scheduled.
In a first aspect, a zero trust network system is provided, which includes a plug-in management module for managing at least one zero trust plug-in, where a zero trust plug-in is a plug-in that implements a zero trust service and the at least one zero trust plug-in is independently arranged. The plug-in management module is arranged in a main service module of the system. The at least one zero trust plug-in is provided independently of the main service module. The main service module is used for policy scheduling and module scheduling.
Optionally, the plug-in management module is specifically configured to manage at least one of the following:
Installation of at least one zero trust plug-in.
Uninstallation of at least one zero trust plug-in.
Hot update of at least one zero trust plug-in.
Opening of at least one zero trust plug-in.
Stopping of at least one zero trust plug-in.
Policy dispatch to at least one zero trust plug-in.
Parameter adjustment of at least one zero trust plug-in.
Data reading from at least one zero trust plug-in.
Optionally, the system further comprises a UI module and an agent module, and the at least one zero trust plug-in includes an agent management plug-in, an access control plug-in and a ticket service plug-in. The UI module is specifically used to acquire the user's login information so as to trigger the access control plug-in to acquire, from the server corresponding to the system, the zero trust access control policy corresponding to that login information. The agent management plug-in is used, when triggered by the zero trust access control policy, to authenticate the interface between the agent module and the agent management plug-in, and to enable the functions of the agent module once that authentication succeeds. The agent module is used to obtain an access request for the target business system and to send an authentication request to the access control plug-in according to the access request. The access control plug-in is used to determine, according to the authentication request, whether network access is to be performed through the agent module; if so, it triggers the ticket service plug-in to apply to the server corresponding to the system for a ticket for the access request, and the ticket is sent to the agent module. The agent module is further used to access the target business system according to the ticket.
Optionally, the at least one zero trust plug-in further includes an asynchronous check plug-in, which is used to acquire the characteristic information of the process of the application that initiated the access request and send it to the server corresponding to the system, so that the server can detect whether that process is a trusted process; to receive the response message sent by the server; and, if the response message indicates that the process is a trusted process, to send an indication message to the ticket service plug-in indicating that the process is trusted. The ticket service plug-in is specifically configured to send the ticket to the agent module after receiving the indication message.
Optionally, the asynchronous check plug-in is specifically configured to send the characteristic information to the server corresponding to the system asynchronously while the ticket service plug-in applies to that server for the ticket.
In a second aspect, a processing method for a zero trust network system is provided, including: managing, by a plug-in management module, at least one zero trust plug-in, where a zero trust plug-in is a plug-in that implements a zero trust service and the at least one zero trust plug-in is independently arranged. The plug-in management module is arranged in a main service module of the system. The at least one zero trust plug-in is provided independently of the main service module. The main service module is used for policy scheduling and module scheduling.
In a third aspect, a terminal device is provided, which includes: a processor and a memory, the memory for storing a computer program, the processor for invoking and executing the computer program stored in the memory to perform the method of the first aspect.
In a fourth aspect, there is provided a computer readable storage medium for storing a computer program for causing a computer to perform the method of the first aspect.
In summary, in the present application the zero trust service modules are transformed into plug-ins, and the zero trust network system is provided with a plug-in management module to manage them.
Furthermore, the plug-in management module can reside in the main service module while the at least one zero trust plug-in and the main service module are arranged independently, which decouples the zero trust plug-ins from the main service module so that each zero trust plug-in can be flexibly scheduled.
Furthermore, because the zero trust service modules have been transformed into plug-ins, any zero trust plug-in can be hot-updated on its own, without a hot update of the whole system version, which improves the efficiency of system upgrades.
In addition, the zero trust network system provided by the embodiment of the application can realize the zero trust network access function. It should be understood that the zero trust network access function may not be controlled by the UI module, i.e., the zero trust network system provided by the present application may support silent access.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings required to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the description below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic diagram of a zero trust access process;
FIG. 2 is a schematic diagram of a zero trust service provided by the present application;
FIG. 3A is a schematic view of an interface provided by the present application;
FIG. 3B is a schematic view of another interface provided by the present application;
FIG. 3C is a schematic view of yet another interface provided by the present application;
FIG. 3D is a schematic view of yet another interface provided by the present application;
FIG. 3E is a schematic view of an interface provided by the present application;
FIG. 3F is a schematic view of another interface provided by the present application;
FIG. 3G is a schematic view of yet another interface provided by the present application;
FIG. 4 is a schematic diagram of a zero trust network system according to an embodiment of the present application;
FIG. 5 is a schematic diagram of another zero trust network system according to an embodiment of the present application;
FIG. 6 is a schematic diagram of another zero trust network system according to an embodiment of the present application;
FIG. 7 is a flowchart of a method for installing a zero trust plug-in according to an embodiment of the present application;
FIG. 8 is a flowchart of a method for uninstalling a zero trust plug-in according to an embodiment of the present application;
FIG. 9 is a flowchart of a method for hot-updating a zero trust plug-in according to an embodiment of the present application;
FIG. 10 is a flowchart of a method for opening a zero trust plug-in according to an embodiment of the present application;
FIG. 11 is a flowchart of a method for stopping a zero trust plug-in according to an embodiment of the present application;
FIG. 12 is a flowchart of a method for policy dispatch to a zero trust plug-in according to an embodiment of the present application;
FIG. 13 is a flowchart of a method for adjusting the parameters of a zero trust plug-in according to an embodiment of the present application;
FIG. 14 is a flowchart of a processing method of a zero trust network system according to an embodiment of the present application;
FIG. 15 is a schematic block diagram of a terminal device 1500 according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Before the technical solution of the application is described, the technical terms it relies on are explained as follows:
Trusted application: an application carrier, trusted by the management side, through which the terminal device may access the target business system; the application carrier is identified by its process name, signature information, version, process MD5, SHA256 and the like.
Trusted process: a process that the terminal device is permitted to use.
Reachable area: the list of enterprise-provisioned internal sites, also referred to as business systems, that a user may access through the zero trust network system.
Login credentials: after the user successfully logs in to the zero trust network system, the server of the system assigns the user an encrypted string representing the user's login authorization information, including the user information and the authorization validity period; the login credentials may be stored in encrypted form on the user's terminal device.
Network request voucher, or ticket: authorization information issued by the server corresponding to the zero trust system for a single network request, used to identify the authorization state of that network request.
Zero trust access control policy: consists of the trusted applications available to a user and the business sites the user may access; once the permission is opened, the user may use any of the available processes to reach any of the accessible business sites. The granularity of the zero trust access control policy is the login user, and different zero trust policies may be defined for different login users.
Zero trust gateway: deployed between the application server and the zero trust network system, responsible for verifying and forwarding each access request.
Access agent, or agent module: deployed in the zero trust network system and mainly responsible for initiating the request to verify the trusted identity of the access subject; once the user's identity has been verified as trusted, an encrypted access connection can be established with the zero trust gateway. The zero trust gateway is also a policy enforcement point for access control.
Service module: a collection of multiple files that performs some specific function.
Plug-in: represents a service execution module or service module, and mainly exists in the form of a Dynamic Link Library (DLL).
Scheduling center process: responsible for scheduling and managing the related modules in the zero trust network system, and provides the policy management center services, including policy pull and update, caching, validity period management, and keeping the heartbeat with the server corresponding to the zero trust network system.
Service center process: provides the service center services, including loading and executing service modules, subscribing to and distributing service module policies, managing the life cycle of service modules, and the like.
It should be understood that the server related to the present application may be an independent physical server, may also be a server cluster or a distributed system formed by a plurality of physical servers, and may also be a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a network service, cloud communication, a middleware service, a domain name service, a security service, a CDN, and a big data and artificial intelligence platform. The terminal may be, but is not limited to, a smart phone, a tablet computer, a laptop computer, a desktop computer, a smart speaker, a smart watch, and the like. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the application is not limited herein.
As described above, the zero trust service modules in current zero trust network systems are highly coupled. The following describes this high coupling between zero trust service modules in an existing zero trust network system, taking an application access process as an example:
FIG. 1 is a schematic diagram of a zero trust access process; as shown in FIG. 1, it comprises the following steps:
S1: The user initiates an access request for the target business system through the browser application.
S2: The proxy module (proxy) obtains the access request and initiates an authentication request to the client of the zero trust access system, that is, it applies to the client for a ticket for the current network request.
The proxy module may obtain the access request through the TUN/TAP virtual network card.
The authentication request includes: the source Internet Protocol (IP) address or domain name, the source port, the destination IP address or domain name, the destination port, and the Process Identity (PID) of the browser application.
S3: The client obtains the characteristic information of the corresponding process through the PID sent by the agent module.
The characteristic information includes: the MD5 of the process, the process path, the last modification time of the process, copyright information, signature information, and so on.
S4: The client sends the characteristic information of the process to the server so that the server can detect whether the process is a trusted process.
The server may periodically submit the process to the threat intelligence cloud check service, or to TAV, to detect the credibility of the process, that is, whether the process is safe, including for example at least one of: whether the process has a vulnerability, whether the process carries a virus or Trojan, and so on. If the server detects that the process is not a trusted process, that is, that it is a malicious process, the client is notified to perform an asynchronous blocking operation.
S5: The client sends the source IP address or domain name, the source port, the destination IP address or domain name and the destination port to the server and applies to the server corresponding to the zero trust access system for a ticket, that is, the ticket exchange is performed.
S6: If the client successfully applies for the ticket and the process is a trusted process, the client sends the ticket, the maximum number of uses of the ticket and the validity time of the ticket to the agent module as the response.
S7: The agent module initiates a Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) request to the intelligent gateway.
The ticket is carried in the Authorization header field of the HTTPS request.
S8: After receiving the HTTPS request, the intelligent gateway parses the ticket from the header field and sends the ticket to the server so that the server can verify it.
S9: If the server verifies the ticket successfully, the connection between the intelligent gateway and the agent module is established successfully. If the server fails to verify the ticket, establishing the connection between the intelligent gateway and the proxy module has failed.
S10: After the connection between the intelligent gateway and the agent module has been established, the agent module sends the access request to the intelligent gateway.
S11: The intelligent gateway verifies the access request and, if the verification succeeds, forwards the access request to the corresponding business server.
S12: The business server sends an access response to the intelligent gateway.
S13: The intelligent gateway sends the access response to the agent module.
S14: The proxy module sends the access response to the browser application.
As can be seen from the above example, the zero trust access process involves zero trust services including access control, ticket service and so on. These two modules are coupled together at the client, so whichever zero trust service module is to be scheduled or hot-updated, the user has to update the whole zero trust network system.
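The ticketed access flow of steps S2 to S9, as an added worked example in Python (not the patent's code; the patent describes no implementation): the client issues a ticket only for a process the server reports as trusted, the gateway extracts the ticket from the Authorization header and verifies it with the server, and the server enforces the ticket's validity time, maximum number of uses and binding to the source/destination tuple of the original request. The class names, the `ZTTicket` header scheme, the in-memory trusted-MD5 table standing in for the cloud check and the sample values are this example's own assumptions.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Ticket:
    """Single-request authorization ('bill' in the text) bound to the 4-tuple sent in S2."""
    token: str
    src: tuple          # (source IP or domain, source port)
    dst: tuple          # (destination IP or domain, destination port)
    max_uses: int
    valid_until: float
    uses: int = 0

class TicketServer:
    """Server side: trusted-process check (S4) and ticket issue/verify (S5, S8)."""
    def __init__(self, trusted_md5s, ttl_seconds=60, max_uses=1, clock=time.time):
        self.trusted_md5s = set(trusted_md5s)   # constructed stand-in for the cloud check service
        self.ttl_seconds, self.max_uses = ttl_seconds, max_uses
        self.clock = clock                      # injectable so expiry can be tested offline
        self._tickets = {}

    def is_trusted_process(self, features):
        return features.get("md5") in self.trusted_md5s

    def issue_ticket(self, src, dst):
        ticket = Ticket(secrets.token_urlsafe(24), src, dst,
                        self.max_uses, self.clock() + self.ttl_seconds)
        self._tickets[ticket.token] = ticket
        return ticket

    def verify_ticket(self, token, src, dst):
        """The checks behind S8/S9; returns (ok, reason)."""
        ticket = self._tickets.get(token)
        if ticket is None:
            return False, "unknown ticket"
        if self.clock() > ticket.valid_until:
            return False, "ticket expired"
        if ticket.uses >= ticket.max_uses:
            return False, "ticket use count exhausted"
        if (ticket.src, ticket.dst) != (src, dst):
            return False, "ticket bound to a different request"
        ticket.uses += 1
        return True, "ok"

class Client:
    """Client of the zero trust system: S3 to S6."""
    def __init__(self, server, process_table):
        self.server = server
        self.process_table = process_table      # pid -> features; stands in for the S3 lookup

    def handle_auth_request(self, req):
        features = self.process_table.get(req["pid"])
        if features is None or not self.server.is_trusted_process(features):
            return None                         # S6: an untrusted process gets no ticket
        ticket = self.server.issue_ticket((req["src"], req["sport"]), (req["dst"], req["dport"]))
        return {"ticket": ticket.token, "max_uses": ticket.max_uses, "valid_until": ticket.valid_until}

class Gateway:
    """Intelligent gateway, S8/S9: parse the Authorization header, verify with the server."""
    SCHEME = "ZTTicket"                         # constructed scheme name, not from the patent
    def __init__(self, server):
        self.server = server

    def handle(self, headers, src, dst):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != self.SCHEME or not token:
            return 401, "no ticket in Authorization header"
        ok, reason = self.server.verify_ticket(token, src, dst)
        return (200, "forwarded to business server") if ok else (403, reason)

def proxy_request(client, gateway, req):
    """Agent module: S2 (authentication request) then S7 (HTTPS request carrying the ticket)."""
    auth = client.handle_auth_request(req)
    if auth is None:
        return 403, "blocked by client: untrusted process"
    headers = {"Authorization": f"{Gateway.SCHEME} {auth['ticket']}"}
    return gateway.handle(headers, (req["src"], req["sport"]), (req["dst"], req["dport"]))

def run_demo():
    """Happy path plus the failure modes S4 to S9 must catch, on constructed data."""
    clock = {"now": 1000.0}
    server = TicketServer({"11" * 16}, ttl_seconds=30, max_uses=1, clock=lambda: clock["now"])
    client = Client(server, {4242: {"md5": "11" * 16}, 4343: {"md5": "ff" * 16}})  # constructed PIDs
    gateway = Gateway(server)
    req = {"src": "10.0.0.5", "sport": 51000, "dst": "wiki.corp.example", "dport": 443, "pid": 4242}
    src, dst = (req["src"], req["sport"]), (req["dst"], req["dport"])
    hdr = lambda auth: {"Authorization": f"{Gateway.SCHEME} {auth['ticket']}"}
    out = {"trusted": proxy_request(client, gateway, req)[0],
           "untrusted": proxy_request(client, gateway, {**req, "pid": 4343})[0]}
    auth = client.handle_auth_request(req)      # replay: one ticket, two HTTPS requests
    gateway.handle(hdr(auth), src, dst)
    out["replay"] = gateway.handle(hdr(auth), src, dst)[1]
    auth = client.handle_auth_request(req)      # expiry: presented after valid_until
    clock["now"] += 31
    out["expired"] = gateway.handle(hdr(auth), src, dst)[1]
    auth = client.handle_auth_request(req)      # mismatch: ticket reused for another port
    out["mismatch"] = gateway.handle(hdr(auth), src, (req["dst"], 8443))[1]
    return out
```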
Besides the zero trust services involved in the zero trust access process, other service execution processes may involve an account authentication service, a device evaluation service, a security management and control service and so on, and these service modules are likewise highly coupled.
It should be understood that the current zero trust services are mainly distributed across a User Interface (UI) module and a main service module. For example, FIG. 2 is a schematic diagram of a zero trust service provided in the present application; as shown in FIG. 2, the UI module includes an account authentication unit, a heartbeat detection unit, a proxy unit, other UI components and so on. The proxy unit interacts with the proxy module, specifically with the business process in the proxy module. The heartbeat detection unit maintains the heartbeat with the server and periodically sends log information about the device state and zero trust network access. The account authentication unit handles the user's account login and authentication operations, obtains the login ticket from the server and stores it locally in encrypted form. The main service module includes a policy scheduling unit, a module scheduling unit, a zero trust ticket service unit, an access control policy unit and so on. The zero trust ticket service unit communicates with the proxy unit through local inter-process communication on the one hand, and interacts with the server on the other hand to obtain tickets by reporting characteristic data. The access control policy unit mainly receives the control policy issued by the server, parses and filters the requests sent by the agent module, and controls the client's blocking of abnormal processes. In addition, the zero trust services also involve device evaluation, security management and control, and so on.
It should be understood that device evaluation and security management and control need to be performed periodically, mainly to detect the availability of a device, including for example virus removal, vulnerability patching, compliance detection, security hardening, real-time protection, data protection and so on. After the zero trust network system is installed on the terminal device and the device passes the periodic device evaluation and security management and control checks, the terminal device is considered trusted; otherwise it is considered an untrusted device and is prohibited from using the zero trust functions, for example the zero trust access function.
In summary, the zero trust service modules in current zero trust network systems are highly coupled, which makes it hard for enterprises or users to flexibly schedule the zero trust service modules.
To solve this technical problem, each zero trust service module is transformed into a plug-in, that is, each zero trust service module is treated as a plug-in, and a plug-in management module is arranged in the zero trust network system to manage the plug-ins.
By way of example, the zero trust network system provided by the present application may be applied to the following scenarios, but is not limited thereto: remote cooperative office scenario, B2B scenario. The remote collaborative office scenario is, for example: the employees of enterprise a need to remotely access the intranet of enterprise a through the zero trust network system. The B2B scenario is, for example: enterprise a may provide targeted zero trust services to enterprise B through a zero trust network system.
It is worth mentioning that an administrator can configure the trusted applications and the accessible business systems for a user. As shown in FIG. 3A, the trusted application configured by the administrator for the user lem is any application, and the configured accessible business systems are the business systems corresponding to all URLs. The administrator may also configure the accessible business systems manually: as shown in FIG. 3B, the administrator may configure the class (for example, IP class), IP, port and so on of a business system, and as shown in FIG. 3C, the administrator may configure the class (for example, domain name class), domain name, port and so on of a business system. The administrator may also configure the trusted applications manually: as shown in FIG. 3D, the administrator may configure the application name, process name, operating system, signature, version, MD5, SHA256 and so on of a trusted application.
In a remote collaborative office scenario, when the zero trust network system, that is, the client of the system, is installed on the user's terminal device and the user opens the client, an interface such as that shown in FIG. 3E is displayed on the terminal device, and the user can log in to the system by scanning a QR code or with an account login. After the user logs in successfully, the terminal device may display information such as the real-time prevention and control policy shown in FIG. 3F, and may further display the trusted software shown in FIG. 3G, that is, the configuration of the trusted applications; the user may then access, through the trusted applications, the business systems that the administrator has configured for the user according to the user-level policy issued by the administrator.
The technical scheme of the application is explained in detail as follows:
example 1
FIG. 4 is a schematic diagram of a zero trust network system according to an embodiment of the present application. The system may be applied to a terminal device, which may be a mobile phone, a Personal Computer (PC), a desktop computer and the like. As shown in FIG. 4, the system includes a plug-in management module 410 for managing at least one zero trust plug-in 420, where a zero trust plug-in is a plug-in that implements a zero trust service. In FIG. 4, a dashed box represents a zero trust plug-in to be installed, that is, one not yet installed in the zero trust network system, and the solid boxes represent installed zero trust plug-ins.
Optionally, the server corresponding to a third-party application may start or stop a designated zero trust plug-in through the plug-in management module 410.
For example, the zero trust services include the access control, ticket service and the like involved in the zero trust access process, or, in other service execution processes, an account authentication service, a device evaluation service, a security management and control service and the like.
Optionally, the plug-in management module 410 is specifically configured to manage at least one of the following, without being limited to them: installation of at least one zero trust plug-in; uninstallation of at least one zero trust plug-in; hot update of at least one zero trust plug-in; opening of at least one zero trust plug-in; stopping of at least one zero trust plug-in; policy dispatch to at least one zero trust plug-in; parameter adjustment of at least one zero trust plug-in; data reading from at least one zero trust plug-in.
Optionally, the zero trust network system further provides the following eight interfaces: plug-in initialization, plug-in start, plug-in clean, plug-in stop, plug-in read operation, plug-in set operation, plug-in upgrade, and plug-in uninstall/install.
By calling the plug-in initialization and plug-in start interfaces, the zero trust network system can make the corresponding zero trust plug-in start running. By calling the plug-in clean and plug-in stop interfaces, it can make the corresponding zero trust plug-in stop running. By calling the plug-in set operation interface (for example, a SetProperty interface), it can complete policy distribution, parameter adjustment, configuration update and the like for the corresponding zero trust plug-in. By calling the plug-in read operation interface (for example, a GetProperty interface), it can report service data, report policy state data, operate third-party applications and the like. Upgrading a zero trust plug-in is achieved by calling the plug-in upgrade interface, and the corresponding zero trust plug-in is uninstalled or installed by calling the plug-in uninstall/install interface.
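An added Python model (not the patent's code) of the plug-in management module and the eight plug-in interfaces described above: install, uninstall, open, stop, policy dispatch and parameter adjustment through the set operation, data reading through the read operation, and a hot update that swaps one plug-in's version while the host keeps running and the dispatched policy survives. The class names, the `props` dictionary used as the plug-in's state, the access-control decision rule and the sample policy values are this example's own constructions.

```python
class ZeroTrustPlugin:
    """Base class exposing the eight plug-in interfaces named in the description."""
    name, version = "base", "0.0"
    def __init__(self):
        self.running, self.props = False, {}    # props: policy, parameters, reported data
    def initialize(self, props):                # plug-in initialization
        self.props = dict(props)
    def start(self):                            # plug-in start
        self.running = True
    def stop(self):                             # plug-in stop
        self.running = False
    def clean(self):                            # plug-in clean: release the plug-in's state
        self.props = {}
    def set_property(self, key, value):         # SetProperty: policy dispatch, parameter adjustment
        self.props[key] = value
    def get_property(self, key):                # GetProperty: read service or policy state data
        return self.props.get(key)
    def upgrade_from(self, old):                # plug-in upgrade: take over the old version's state
        self.props = dict(old.props)
    def handle(self, request):                  # the zero trust service the plug-in implements
        raise NotImplementedError

class AccessControlPluginV1(ZeroTrustPlugin):
    """Allow iff the process is trusted and the site is reachable (the policy terms of the text)."""
    name, version = "access_control", "1.0"
    def handle(self, request):
        policy = self.props.get("policy") or {"trusted_md5": set(), "sites": set()}
        allowed = request["md5"] in policy["trusted_md5"] and request["dst"] in policy["sites"]
        self.props["decisions"] = self.props.get("decisions", 0) + 1   # readable via GetProperty
        return allowed

class AccessControlPluginV2(AccessControlPluginV1):   # hot-update target: adds an audit trail
    version = "2.0"
    def handle(self, request):
        allowed = super().handle(request)
        self.props.setdefault("audit", []).append((request["dst"], allowed))
        return allowed

class PluginManager:
    """Plug-in management module residing in the main service module."""
    def __init__(self):
        self.plugins = {}                       # name -> installed plug-in

    def install(self, plugin, props=None):
        plugin.initialize(props or {})
        self.plugins[plugin.name] = plugin

    def uninstall(self, name):
        plugin = self.plugins.pop(name)         # KeyError if not installed
        plugin.stop()
        plugin.clean()

    # Opening, stopping, policy dispatch, parameter adjustment and data reading map onto the interfaces.
    def open(self, name): self.plugins[name].start()
    def stop(self, name): self.plugins[name].stop()
    def dispatch_policy(self, name, policy): self.plugins[name].set_property("policy", policy)
    def adjust_parameter(self, name, key, value): self.plugins[name].set_property(key, value)
    def read_data(self, name, key): return self.plugins[name].get_property(key)

    def hot_update(self, new_plugin):
        """Swap one plug-in for a new version while the host and other plug-ins keep running."""
        old = self.plugins[new_plugin.name]
        was_running = old.running
        old.stop()
        new_plugin.upgrade_from(old)            # policy and counters survive the swap
        old.clean()
        self.plugins[new_plugin.name] = new_plugin
        if was_running:
            new_plugin.start()
        return old.version, new_plugin.version

    def handle(self, name, request):
        plugin = self.plugins[name]
        if not plugin.running:
            raise RuntimeError(f"{name} is stopped")   # a stopped plug-in must not decide
        return plugin.handle(request)

def demo():
    """Constructed walk-through: install, dispatch policy, open, decide, hot update, stop, uninstall."""
    mgr = PluginManager()
    mgr.install(AccessControlPluginV1())
    mgr.dispatch_policy("access_control", {"trusted_md5": {"11" * 16}, "sites": {"wiki.corp.example"}})
    mgr.open("access_control")
    good = {"md5": "11" * 16, "dst": "wiki.corp.example"}          # constructed request
    out = {"allowed": mgr.handle("access_control", good),
           "denied": mgr.handle("access_control", {**good, "md5": "ff" * 16})}
    out["versions"] = mgr.hot_update(AccessControlPluginV2())
    out["still_allowed"] = mgr.handle("access_control", good)    # policy survived the update
    out["decisions"] = mgr.read_data("access_control", "decisions")
    out["audit"] = mgr.read_data("access_control", "audit")
    mgr.stop("access_control")
    try:
        mgr.handle("access_control", good)
        out["stopped_blocks"] = False
    except RuntimeError:
        out["stopped_blocks"] = True
    mgr.uninstall("access_control")
    out["installed"] = sorted(mgr.plugins)
    return out
```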
Optionally, the plug-in management module 410 may reside in the main service module, where the main service module is used for policy scheduling, module scheduling, basic functions and the like.
It should be understood that the module scheduling performed by the main service module includes the scheduling of the zero trust plug-ins and the scheduling of modules related to other, non-zero-trust services; this is not limited in the present application.
Optionally, when the user needs to control the starting or stopping of a zero-trust plug-in, a start message or a stop message may be sent to the plug-in management module 410, so that the plug-in management module 410 controls the starting or stopping of the zero-trust plug-in.
Optionally, the at least one zero trust plug-in is provided independently of the main service module. For example, the at least one zero trust plug-in may be loaded by a separate host EXE. The common components of the host EXE include, but are not limited to, a worker thread pool, a communication connection pool, a data collector, cache management, a plug-in daemon, and scheduling management.
Optionally, the worker threads in the worker thread pool may process the authentication requests, ticket applications and data collection of the agent module in parallel. The communication thread pool establishes long connections for the authentication requests and responses exchanged with the agent module, and supports both a single long connection and multiple long connections, that is, multiple agent modules may have channels to the client of the zero trust network system at the same time. The data collector collects information about the terminal device on which the system runs, information about the process initiating network access, user information and the like, and automatically reports the collected data to the server.
Optionally, the zero trust host EXE maintains a set of caches, including a ticket cache, a submission cache, a process cache and the like, which are used to improve processing speed and reduce the number of data collection operations.
To sum up, in the present application the zero trust service modules are restructured as plug-ins, and a plug-in management module is provided in the zero trust network system to manage these plug-ins, so that each zero trust plug-in can be scheduled flexibly, for example: install/uninstall zero trust plug-in A, start zero trust plug-in B, hot update zero trust plug-in C, and so on. In the B2B scenario, this makes precise control of the corresponding zero trust plug-ins possible for different commercial licenses.
It should be understood that introducing the plug-in management module converges the interaction surface. For example, in the prior art the zero trust service module and the main service module are coupled together, so if a certain zero trust service module needs to be updated, the whole system has to be hot updated; with the technical solution of the present application, the hot update of the corresponding zero trust plug-in is controlled only by the plug-in management module and does not involve hot updating other modules such as the main service module.
Furthermore, the plug-in management module can reside in the main service module while the at least one zero trust plug-in is provided independently of the main service module, which decouples the zero trust plug-ins from the main service module and allows each zero trust plug-in to be scheduled flexibly on that basis.
Furthermore, in the zero trust network system provided by the present application, because the zero trust service modules are transformed into plug-ins, any zero trust plug-in can be hot updated without hot updating the system version, which improves the efficiency of system upgrades.
Example 2
Fig. 5 is a schematic diagram of another zero trust network system provided in an embodiment of the present application, and as shown in fig. 5, on the basis of embodiment 1, the zero trust network system further includes: the UI module 430 is configured to obtain a control command to trigger the plug-in management module 410 to manage at least one zero trust plug-in, where the at least one zero trust plug-in is independently configured.
The management of at least one zero trust plugin by plugin management module 410 is exemplified below:
In example 1, the UI module 430 is specifically configured to obtain a first control command, where the first control command is used to control the plug-in management module to install a first zero trust plug-in; the plug-in management module 410 is specifically configured to obtain the configuration file of the first zero trust plug-in, call the plug-in installation interface, and execute the configuration file of the first zero trust plug-in through the plug-in installation interface to install the first zero trust plug-in.
Optionally, the plug-in management module 410 may also control the UI module 430 to display the installation progress, such as displaying "60% installed currently", or displaying the result of "plug-in installation completed".
Illustratively, taking the installation of the asset management plug-in as an example, the UI module 430 obtains a first control command, where the first control command is used for controlling the plug-in management module to install the asset management plug-in; the plug-in management module 410 is specifically configured to obtain a configuration file of the asset management plug-in, call a plug-in installation interface, and execute the configuration file of the asset management plug-in through the plug-in installation interface to install the asset management plug-in. The plug-in management module 410 may also control the UI module 430 to display the installation progress, such as displaying the result of "plug-in installation is completed".
Example 2, the zero trust network system further comprises a second zero trust plug-in, which is a zero trust plug-in to be uninstalled from the system. The UI module 430 is specifically configured to obtain a second control command, where the second control command is used to control the plug-in management module 410 to uninstall the second zero trust plug-in; the plug-in management module 410 is specifically configured to call the plug-in stop interface according to the second control command to stop the running second zero trust plug-in, call the plug-in clean interface to clean the configuration file of the second zero trust plug-in, and call the plug-in uninstall interface to uninstall the second zero trust plug-in.
Optionally, the plug-in management module 410 may also control the UI module 430 to display the uninstall progress, such as displaying "60% uninstalled currently", or displaying the result "plug-in uninstall completed".
For example, taking an uninstall asset management plug-in as an example, the UI module 430 is specifically configured to obtain a second control command, where the second control command is used to control the plug-in management module 410 to uninstall the asset management plug-in; the plug-in management module 410 is specifically configured to call a plug-in stop interface according to the second control command to stop the running asset management plug-in, call a plug-in cleaning interface to clean the configuration file of the asset management plug-in, and call a plug-in uninstall interface to uninstall the asset management plug-in. The plug-in management module 410 may also control the UI module 430 to display the uninstall progress, such as displaying the result of "the plug-in uninstall is completed".
Example 3, the zero trust network system further comprises a third zero trust plug-in, which is a zero trust plug-in to be updated in the system; the plug-in management module 410 is specifically configured to: obtain a plug-in update instruction sent by the server corresponding to the system, call the plug-in stop interface according to the plug-in update instruction to stop the running third zero trust plug-in, call the plug-in clean interface to clean the configuration file of the third zero trust plug-in, call the plug-in uninstall interface to uninstall the third zero trust plug-in, obtain the updated configuration file of the third zero trust plug-in, call the plug-in installation interface, and execute the updated configuration file through the plug-in installation interface.
The pre-run detects, through a preset interface and protocol, whether the running state of the new version of the component is normal; the plug-in management module triggers the formal running of the plug-in only after verifying that the hot-updated zero trust plug-in has been completely updated. First, the plug-in management module 410 calls the plug-in initialization interface and the plug-in start interface to start the updated third zero trust plug-in, then sends the result to the main service module, reports the operation data to the server, and controls the UI module 430 to display the hot update result.
If the update fails, retries are initiated according to a set rule; once the number of retries reaches the upper limit, the zero trust network system automatically reverts to the configuration file of the third zero trust plug-in from before the update and reports the operation data to the server.
In terms of execution, the server first issues an upgrade instruction. The scheduling center process receives the upgrade instruction through a heartbeat, pulls the latest plug-in information list from the server, compares it with the encrypted configuration file install.dat that records the information of all installed plug-ins, and automatically generates an upgrade file update.dat from the differences. The upgrade file may include details such as the name, version number, executable file name, installation destination relative path, md5, sub-plug-in version numbers and signature information of the basic plug-in to be upgraded.
An example of update.dat follows in the original as an image, which is not reproduced here.
When the system has successfully obtained the upgrade file, it next starts the upgrade tool UpdateTool, which pulls the executable compressed package of each plug-in to be updated according to the upgrade file; that is, the client corresponding to the system initiates a file download request to the server indicated by the 'download' node. After the download completes, the integrity of the compressed file is checked against the md5 recorded in the upgrade file; once the check passes, the compressed file is automatically decompressed to the designated directory and the service center process is notified to perform the plug-in change operation. After receiving the request, the service center process performs the clean, stop and uninstall operations for the old version of the plug-in through the corresponding interfaces. After the old version has been uninstalled, the plug-in manager renames the current version files, puts the new version files in place, and then calls the interfaces to load and pre-run the plug-in. The pre-run detects, through a preset interface and protocol, whether the running state of the new version of the component is normal, and the plug-in manager triggers the formal running of the plug-in once the new component has been verified. The plug-in is started by calling its initialization interface and running interface, the files of the old plug-in are deleted, and the installed plug-in information is then updated in install.dat. At the same time the result is sent to the main service module, the operation data is reported to the server corresponding to the zero trust network system, the UI module is controlled to display the update result, and the dynamic hot update process of the plug-in is complete.
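The comparison of the latest plug-in list with install.dat, the md5 integrity check on the downloaded package, the pre-run and the retry-with-rollback rule are shown together in the following added example, which is not the patent's or Tencent's code. install.dat and update.dat are modelled as dictionaries, the packages and download URLs are constructed, and the pre_run callback, the max_retries limit and all names are assumptions.

```python
import hashlib

# Constructed install.dat contents: plug-ins currently installed on this client.
INSTALL_DAT = {
    "access_control": {"version": "1.0.0", "md5": hashlib.md5(b"ac-1.0.0").hexdigest()},
    "ticket_service": {"version": "2.1.0", "md5": hashlib.md5(b"ts-2.1.0").hexdigest()},
}

# Constructed "latest plug-in information list" as pulled from the server.
LATEST_LIST = {
    "access_control": {"version": "1.1.0", "md5": hashlib.md5(b"ac-1.1.0").hexdigest(),
                       "download": "https://update.example.invalid/ac-1.1.0.zip"},
    "ticket_service": {"version": "2.1.0", "md5": hashlib.md5(b"ts-2.1.0").hexdigest(),
                       "download": "https://update.example.invalid/ts-2.1.0.zip"},
}

# Constructed "executable compressed packages", keyed by their download node.
PACKAGES = {"https://update.example.invalid/ac-1.1.0.zip": b"ac-1.1.0"}


def build_update_dat(install_dat, latest):
    """Diff the server's latest list against install.dat. A plug-in that is
    missing locally or differs in version or md5 becomes an update.dat entry."""
    update = []
    for name, info in latest.items():
        local = install_dat.get(name)
        if local is None or (local["version"], local["md5"]) != (info["version"], info["md5"]):
            update.append({"name": name, **info})
    return update


def package_is_intact(data, expected_md5):
    """The integrity check described on the page: md5 of the downloaded package.
    A signature check over the signature field would be the stronger gate."""
    return hashlib.md5(data).hexdigest() == expected_md5


def hot_update(install_dat, entry, download, pre_run, max_retries=3):
    """Apply one update.dat entry: download, verify, swap in, pre-run.
    Returns (succeeded, attempts). When retries are exhausted the plug-in's
    previous install.dat record is restored, which is the rollback the page
    describes; install_dat is updated in place."""
    name = entry["name"]
    previous = install_dat.get(name)
    for attempt in range(1, max_retries + 1):
        data = download(entry["download"])
        if data is None or not package_is_intact(data, entry["md5"]):
            continue  # missing or corrupt package: retry per the set rule
        # here the old version has been stopped, cleaned and uninstalled and the
        # new files unpacked; pre_run checks the new component's running state
        candidate = {"version": entry["version"], "md5": entry["md5"]}
        if pre_run(name, candidate):
            install_dat[name] = candidate  # installed info written back to install.dat
            return True, attempt
    if previous is not None:
        install_dat[name] = previous  # revert to the pre-update configuration
    return False, max_retries
```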
Example 4, the zero trust network system further comprises a fourth zero trust plug-in, which is a zero trust plug-in to be started in the system; the UI module 430 is specifically configured to obtain a third control command, where the third control command is used to control the plug-in management module 410 to start the fourth zero trust plug-in; the plug-in management module 410 is specifically configured to call the plug-in initialization interface according to the third control command to initialize the fourth zero trust plug-in, and call the plug-in start interface to start the fourth zero trust plug-in.
Optionally, after the fourth zero trust plug-in is started, the plug-in management module 410 may also control the UI module 430 to display the start result, such as displaying the result "plug-in started".
Example 5, the zero trust network system further comprises a fifth zero trust plug-in, which is a zero trust plug-in to be stopped in the system; the UI module 430 is specifically configured to obtain a fourth control command, where the fourth control command is used to control the plug-in management module 410 to stop the fifth zero trust plug-in; the plug-in management module 410 is specifically configured to call the plug-in stop interface according to the fourth control command to stop the running fifth zero trust plug-in, and call the plug-in clean interface to clean the configuration file of the fifth zero trust plug-in.
Optionally, after the fifth zero trust plug-in is stopped, the plug-in management module 410 may further control the UI module 430 to display the stop result, such as displaying the result "plug-in stopped".
Example 6, the zero trust network system further comprises a sixth zero trust plug-in, which is a zero trust plug-in in the system that has subscribed to the target policy; the plug-in management module 410 is specifically configured to obtain a policy dispatching instruction sent by the server corresponding to the system, where the policy dispatching instruction includes a target policy, and to search for the sixth zero trust plug-in according to the policy dispatching instruction and send the target policy to the sixth zero trust plug-in.
Optionally, after obtaining the target policy, the plug-in management module 410 searches for a zero trust plug-in subscribed to the target policy, which includes a sixth zero trust plug-in, and sends the target policy to the zero trust plug-in subscribed to the target policy.
Optionally, the sixth zero trust plug-in is configured to read the target policy and check its integrity, or check whether the process corresponding to the target policy is a trusted process, or check both. If the target policy is complete, or the corresponding process is a trusted process, or both, the sixth zero trust plug-in processes the target policy; if the target policy is incomplete, or the corresponding process is an untrusted process, or both, it sends an unsubscribe instruction to the plug-in management module 410. The plug-in management module 410 is specifically configured to remove the sixth zero trust plug-in from the zero trust plug-ins subscribed to the target policy according to the unsubscribe instruction.
Optionally, after the sixth zero trust plug-in completes the parsing and execution of the target policy, the result is reported to the server corresponding to the system.
Optionally, the zero trust network system further includes a seventh zero trust plug-in, which is a zero trust plug-in in the system that requires parameter adjustment; the plug-in management module 410 is specifically configured to obtain a parameter adjustment instruction sent by the server corresponding to the system, where the parameter adjustment instruction includes a target parameter, and to search for the seventh zero trust plug-in according to the parameter adjustment instruction and send the target parameter to the seventh zero trust plug-in.
Optionally, after obtaining the target parameter, the plug-in management module 410 searches for a zero trust plug-in subscribed to the target parameter, where the zero trust plug-in includes a seventh zero trust plug-in, and sends the target parameter to the zero trust plug-in subscribed to the target parameter.
Optionally, the seventh zero trust plug-in is configured to read the target parameter and check its integrity, or check whether the process corresponding to the target parameter is a trusted process, or check both. If the target parameter is complete, or the corresponding process is a trusted process, or both, the seventh zero trust plug-in adjusts the corresponding parameter to the target parameter; if the target parameter is incomplete, or the corresponding process is an untrusted process, or both, it sends an unsubscribe instruction to the plug-in management module 410. The plug-in management module 410 is specifically configured to remove the seventh zero trust plug-in from the zero trust plug-ins subscribed to the target parameter according to the unsubscribe instruction.
Optionally, after the seventh zero trust plug-in completes the adjustment to the target parameter, the result is reported to the server corresponding to the system.
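The policy subscription of Example 6 and the parameter adjustment just described share one mechanism: the manager pushes the instruction to the subscribed plug-ins, each plug-in checks the integrity of the payload and whether the originating process is trusted, and a plug-in whose checks fail unsubscribes itself. The following added example, not code from the patent, implements that for a 'policy' topic and a 'parameter' topic; the SHA-256 digest used as the integrity value, the allowlist used as the trusted-process check, and all names are assumptions.

```python
import hashlib
import json

# Constructed allowlist of processes allowed to originate policy/parameter instructions.
TRUSTED_PROCESSES = {"zt_policy_service.exe"}


def digest(body):
    """Integrity value carried with the policy or parameter (assumption: SHA-256
    over canonical JSON; the page only states that integrity is checked)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_message(body, process):
    """What the server-issued dispatch instruction carries in this model."""
    return {"body": body, "digest": digest(body), "process": process}


class SubscriberPlugin:
    """A zero trust plug-in subscribed to one or more topics ('policy', 'parameter')."""

    def __init__(self, name):
        self.name = name
        self.applied = []  # (topic, body) pairs the plug-in accepted

    def handle(self, topic, msg, manager):
        complete = digest(msg["body"]) == msg["digest"]
        trusted = msg["process"] in TRUSTED_PROCESSES
        if complete and trusted:
            self.applied.append((topic, msg["body"]))  # process policy / adjust parameter
            return True
        manager.unsubscribe(topic, self)  # unsubscribe instruction back to the manager
        return False


class PluginManager:
    """Plug-in management module: keeps the subscriptions and pushes instructions."""

    def __init__(self):
        self.subscriptions = {}  # topic -> list of SubscriberPlugin

    def subscribe(self, topic, plugin):
        self.subscriptions.setdefault(topic, []).append(plugin)

    def unsubscribe(self, topic, plugin):
        subs = self.subscriptions.get(topic, [])
        if plugin in subs:
            subs.remove(plugin)

    def subscribers(self, topic):
        return [p.name for p in self.subscriptions.get(topic, [])]

    def dispatch(self, topic, msg):
        """Push the instruction to every plug-in subscribed to the topic.
        Returns how many plug-ins accepted it; iterate over a copy because a
        failing plug-in removes itself from the list while we walk it."""
        accepted = 0
        for plugin in list(self.subscriptions.get(topic, [])):
            if plugin.handle(topic, msg, self):
                accepted += 1
        return accepted
```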
In summary, in the present application the plug-in management module is specifically used for managing at least one of the following, without being limited thereto: installation of at least one zero trust plug-in; uninstallation of at least one zero trust plug-in; hot update of at least one zero trust plug-in; starting of at least one zero trust plug-in; stopping of at least one zero trust plug-in; policy dispatching to at least one zero trust plug-in; parameter adjustment of at least one zero trust plug-in; data reading from at least one zero trust plug-in. That is, each zero trust plug-in can be scheduled flexibly, and introducing the plug-in management module converges the interaction surface.
Furthermore, the plug-in management module can reside in the main service module while the at least one zero trust plug-in is provided independently of the main service module, which decouples the zero trust plug-ins from the main service module and allows each zero trust plug-in to be scheduled flexibly on that basis.
Furthermore, in the zero trust network system provided by the present application, because the zero trust service modules are transformed into plug-ins, any zero trust plug-in can be hot updated without hot updating the system version, which improves the efficiency of system upgrades.
Furthermore, in the present application, the publish-subscribe of policies is combined with push, rather than periodically obtaining policies from the server.
Example 3
As mentioned above, the zero trust access process is an important function implemented by the zero trust network system, and the zero trust network system is described below with respect to zero trust access. Fig. 6 is a schematic diagram of another zero trust network system provided in an embodiment of the present application. As shown in fig. 6, the system includes a plug-in management module 610, an agent module 620 and a UI module 630, where the plug-in management module 610 is configured to manage at least one zero trust plug-in, and the at least one zero trust plug-in may include an agent management plug-in 640, an access control plug-in 650 and a ticket service plug-in 660. The UI module 630 is specifically configured to obtain user login information, so as to trigger the access control plug-in 650 to obtain the zero trust access control policy corresponding to the user login information from the server corresponding to the system. The agent management plug-in 640 is configured to authenticate the interface between the agent module 620 and the agent management plug-in 640 when triggered by the zero trust access control policy, and to enable the function of the agent module 620 after the interface is successfully authenticated. The agent module 620 is configured to obtain an access request for a target service system and send an authentication request to the access control plug-in 650 according to the access request; the access control plug-in 650 is configured to determine, according to the authentication request, whether network access is to be performed through the agent module 620 and, if so, to trigger the ticket service plug-in 660 to apply to the server corresponding to the system for a ticket for the access request and send the ticket to the agent module 620; the agent module 620 is further configured to access the target service system according to the ticket.
Optionally, the at least one zero trust plug-in further includes an asynchronous submission plug-in 670, which is configured to collect feature information of the process corresponding to the application that initiated the access request and send it to the server corresponding to the system, so that the server detects whether that process is a trusted process; the asynchronous submission plug-in 670 receives the response message sent by the server and, if it determines from the response message that the process is a trusted process, sends an indication message to the ticket service plug-in 660 indicating that the process corresponding to the application initiating the access request is trusted; the ticket service plug-in 660 is specifically configured to send the ticket to the agent module 620 after receiving the indication message.
Optionally, asynchronous submission plug-in 670 is specifically configured to: and when the ticket service plug-in 660 applies for the ticket from the server corresponding to the system, the characteristic information is asynchronously sent to the server corresponding to the system.
Optionally, the agent module 620 obtains the access request through the TUN/TAP virtual network card.
Optionally, the authentication request includes: the source IP or the domain name, the source port, the destination IP or the domain name, the destination port, and the PID corresponding to the application for obtaining the access request.
It should be understood that the present application is not limited as to how to determine whether to access the network via the proxy module 620.
Optionally, the asynchronous submission plug-in 670 collects the feature information of the process corresponding to the PID through the PID sent by the agent module 620.
Optionally, the feature information includes: MD5 of the process, process path, process last modified time, copyright information, signature information, etc.
Optionally, asynchronous submission plug-in 670 sends feature information of the process to the server to enable the server to detect whether the process is a trusted process.
The server may periodically submit the process to the threat intelligence cloud inspection service, or to tav, to detect the trustworthiness of the process, that is, whether the process is secure, for example including at least one of the following: whether the process has a vulnerability, whether the process carries a virus or Trojan, and the like. If the server detects that the process is not a trusted process, that is, it is a malicious process, the client is notified to perform an asynchronous blocking operation.
Optionally, the ticket service plug-in 660 sends the source IP address or domain name, source port, destination IP or domain name and destination port to the server corresponding to the system to apply for the ticket corresponding to the access request.
Optionally, if the ticket service plug-in 660 successfully applies for the ticket and the process is a trusted process, the client sends the ticket, the maximum number of uses of the ticket and the validity time of the ticket to the agent module 620 as the response.
Optionally, the agent module 620 initiates an HTTPS request to the intelligent gateway, in which the above ticket is carried in the Authorization header field.
Optionally, after receiving the HTTPS request, the intelligent gateway parses the ticket out of the header field and sends it to the server, so that the server verifies the ticket.
Optionally, if the server verifies the ticket successfully, the connection between the intelligent gateway and the agent module 620 is successfully established; if the server fails to verify the ticket, establishing the connection has failed. After the connection between the intelligent gateway and the agent module 620 is established, the agent module 620 sends the access request to the intelligent gateway. The intelligent gateway verifies the access request and, if the verification succeeds, forwards it to the corresponding service server.
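The exchange above, from the agent module's authentication request through ticket issuance to the intelligent gateway's verification with the server, as an added example that is not code from the patent. The server's policy table, the MD5 allowlist standing in for the trusted-process check, the 'Ticket' scheme in the Authorization header, the ticket's use counter and expiry handling, and all names are assumptions; the process and its MD5 are constructed.

```python
import hashlib
import secrets
import time

# Constructed: MD5 of the (imaginary) browser binary that initiates the access request.
BROWSER_MD5 = hashlib.md5(b"constructed browser binary").hexdigest()


class Server:
    """The server corresponding to the system: holds the access control policy,
    checks process trust and issues/verifies tickets."""

    def __init__(self, policy, trusted_md5, ticket_ttl=60, max_uses=3):
        self.policy = policy            # {(dst, dport)} to be reached through the agent
        self.trusted_md5 = trusted_md5  # assumed trust check: allowlisted process MD5s
        self.ticket_ttl = ticket_ttl    # validity time sent back with the ticket
        self.max_uses = max_uses        # maximum number of uses sent back with the ticket
        self.tickets = {}

    def process_is_trusted(self, features):
        return features["md5"] in self.trusted_md5

    def issue_ticket(self, dst, now=None):
        now = now if now is not None else time.time()
        ticket = secrets.token_hex(16)
        self.tickets[ticket] = {"dst": dst, "uses": 0, "expires": now + self.ticket_ttl}
        return ticket, self.max_uses, self.ticket_ttl

    def verify_ticket(self, ticket, dst, now=None):
        """Gateway-side check relayed to the server: ticket must exist, match the
        destination it was issued for, be unexpired and have uses left."""
        now = now if now is not None else time.time()
        rec = self.tickets.get(ticket)
        if rec is None or rec["dst"] != dst or now > rec["expires"] or rec["uses"] >= self.max_uses:
            return False
        rec["uses"] += 1
        return True


class ClientPlugins:
    """Access control, asynchronous submission and ticket service plug-ins folded
    into one class for brevity."""

    def __init__(self, server):
        self.server = server

    def authenticate(self, auth_request, process_features):
        dst = (auth_request["dst"], auth_request["dport"])
        if dst not in self.server.policy:
            return None  # access control: this request is not to go through the agent
        if not self.server.process_is_trusted(process_features):
            return None  # asynchronous submission result: untrusted process, block
        return self.server.issue_ticket(dst)  # ticket service: (ticket, max uses, validity)


class IntelligentGateway:
    def __init__(self, server):
        self.server = server

    def handle(self, headers, dst):
        """Parse the ticket out of the Authorization header and verify it with the server."""
        scheme, _, ticket = headers.get("Authorization", "").partition(" ")
        if scheme != "Ticket" or not ticket:
            return 401
        return 200 if self.server.verify_ticket(ticket, dst) else 403


def agent_access(plugins, gateway, auth_request, process_features):
    """Agent module: authentication request -> ticket -> HTTPS request to the gateway.
    Returns the HTTP status the agent sees; 403 when no ticket is issued."""
    issued = plugins.authenticate(auth_request, process_features)
    if issued is None:
        return 403
    ticket, _max_uses, _ttl = issued
    headers = {"Authorization": f"Ticket {ticket}"}
    return gateway.handle(headers, (auth_request["dst"], auth_request["dport"]))
```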
It should be understood that the administrator turns on the zero trust network access function at the management end and configures the zero trust network access control policy for all users there. After a user installs the client corresponding to the zero trust network access system, the zero trust network access function starts automatically once the user logs in to the client. The function terminates automatically if the user actively logs out of the client, if the user's login exceeds the configured validity period (for example, with a login validity period of 12 hours the account is logged out automatically 12 hours after login), or if the server corresponding to the system determines that the user's terminal device does not pass the compliance check, that is, the terminal device is untrusted; in that case the server corresponding to the system issues a forced logout instruction, the client logs out automatically and forcibly, and the zero trust network access function ends.
In summary, the zero trust network system provided by the embodiment of the application can realize the zero trust network access function. It should be understood that the zero trust network access function may not be controlled by the UI module, i.e., the zero trust network system provided by the present application may support silent access.
Example 4
The present application further provides a processing method for the zero trust network system, which may be executed by the plug-in management module in the zero trust network system, by a terminal device on which the zero trust network system is loaded, or the like; this is not limited in the present application. The method comprises the following step: managing at least one zero trust plug-in, where a zero trust plug-in is a plug-in for realizing a zero trust service. The at least one zero trust plug-in is provided independently. The plug-in management module is arranged in the main service module of the system, and the at least one zero trust plug-in is provided independently of the main service module. The main service module is used for policy scheduling and module scheduling.
Optionally, managing the at least one zero trust plug-in includes at least one of the following:
Installing at least one zero trust plug-in.
Uninstalling at least one zero trust plug-in.
Hot updating at least one zero trust plug-in.
Starting at least one zero trust plug-in.
Stopping at least one zero trust plug-in.
Dispatching a policy to at least one zero trust plug-in.
Adjusting the parameters of at least one zero trust plug-in.
Reading the data of at least one zero trust plug-in.
Fig. 7 is a flowchart of a method for installing a zero trust plug-in according to an embodiment of the present application, and as shown in fig. 7, the method includes:
S710: acquiring a first control command and the configuration file of the first zero trust plug-in.
S720: calling the plug-in installation interface.
S730: executing the configuration file of the first zero trust plug-in through the plug-in installation interface to install the first zero trust plug-in.
Fig. 8 is a flowchart of a method for uninstalling a zero trust plug-in according to an embodiment of the present application, and as shown in fig. 8, the method includes:
S810: acquiring a second control command.
S820: calling the plug-in stop interface according to the second control command to stop the running second zero trust plug-in.
S830: calling the plug-in clean interface to clean the configuration file of the second zero trust plug-in.
S840: calling the plug-in uninstall interface to uninstall the second zero trust plug-in.
Fig. 9 is a flowchart of a method for hot updating a zero trust plug-in according to an embodiment of the present application, and as shown in fig. 9, the method includes:
S910: acquiring a plug-in update instruction sent by the server corresponding to the system.
S920: calling the plug-in stop interface according to the plug-in update instruction to stop the running third zero trust plug-in.
S930: calling the plug-in clean interface to clean the configuration file of the third zero trust plug-in.
S940: calling the plug-in uninstall interface to uninstall the third zero trust plug-in.
S950: acquiring the updated configuration file of the third zero trust plug-in.
S960: calling the plug-in installation interface, and executing the updated configuration file through the plug-in installation interface.
Fig. 10 is a flowchart of a method for starting a zero trust plug-in according to an embodiment of the present application, and as shown in fig. 10, the method includes:
S1010: acquiring a third control command.
S1020: calling the plug-in initialization interface according to the third control command to initialize the fourth zero trust plug-in.
S1030: calling the plug-in start interface to start the fourth zero trust plug-in.
Fig. 11 is a flowchart of a method for stopping a zero trust plug-in according to an embodiment of the present application, and as shown in fig. 11, the method includes:
S1110: acquiring a fourth control command.
S1120: calling the plug-in stop interface according to the fourth control command to stop the running fifth zero trust plug-in.
S1130: calling the plug-in clean interface to clean the configuration file of the fifth zero trust plug-in.
Fig. 12 is a flowchart of a method for policy dispatching to a zero trust plug-in according to an embodiment of the present application, and as shown in fig. 12, the method includes:
S1210: acquiring a policy dispatching instruction sent by the server corresponding to the system, where the policy dispatching instruction includes a target policy.
S1220: searching for the sixth zero trust plug-in according to the policy dispatching instruction, and sending the target policy to the sixth zero trust plug-in.
Optionally, when the sixth zero trust plug-in determines that it needs to unsubscribe from the target policy, the method further includes: acquiring the unsubscribe instruction sent by the sixth zero trust plug-in, and removing the sixth zero trust plug-in from the zero trust plug-ins subscribed to the target policy according to the unsubscribe instruction.
Fig. 13 is a flowchart of a method for adjusting parameters of a zero trust plugin according to an embodiment of the present application, and as shown in fig. 13, the method includes:
s1310: acquiring a parameter adjusting instruction sent by a server corresponding to the system, wherein the parameter adjusting instruction comprises: a target parameter.
S1320: and searching a seventh zero trust plug-in according to the parameter adjusting instruction, and sending the target parameter to the seventh zero trust plug-in.
Optionally, when the seventh zeroth trust plugin determines that target parameters need to be unsubscribed, the method further includes: and acquiring an unsubscribe instruction sent by the seventh zeroth trust plug-in. And deleting the seventh zero trust plug-in from the zero trust plug-ins subscribed to the target parameters according to the unsubscribe instruction.
It should be noted that the method may be executed by a part management module in the zero trust network system, or a terminal device loaded by the zero trust network system, and the like, and therefore, the explanation of the method may refer to an embodiment corresponding to the zero trust network system, and is not described herein again.
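The dispatch paths of Figs. 12 and 13 together with the subscriber-side checks of claims 10 and 12, as one added illustration (not the application's code): the management module looks up the plug-ins subscribed to the target policy or parameter, each plug-in verifies the item's integrity and whether the process it applies to is trusted, and a plug-in that rejects the item is dropped from the subscriber set. The HMAC over canonical JSON, the `process` field and the allow-list of trusted processes are assumptions about details the application leaves open.

```python
"""Policy and parameter dispatch with the subscriber's integrity and
trusted-process checks (added illustration of Figs. 12 and 13, not the
application's code).  Assumptions: the server authenticates each dispatched
item with an HMAC over its canonical JSON, the item's "process" field names
the process it applies to, and process trust is an allow-list.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Set

SERVER_KEY = b"constructed-shared-key"   # constructed; shared by server and plug-ins


def canonical(item: dict) -> bytes:
    return json.dumps(item, sort_keys=True, separators=(",", ":")).encode()


def make_instruction(item: dict, key: bytes = SERVER_KEY) -> dict:
    """Server side: a dispatch instruction carrying the target item and its MAC."""
    mac = hmac.new(key, canonical(item), hashlib.sha256).hexdigest()
    return {"item": item, "mac": mac}


class SubscriberPlugin:
    """A zero trust plug-in subscribed to one or more target policies/parameters."""

    def __init__(self, name: str, trusted_processes: Set[str], key: bytes = SERVER_KEY):
        self.name, self.trusted, self.key = name, trusted_processes, key
        self.applied: List[dict] = []     # policies processed / parameters adjusted

    def receive(self, instruction: dict) -> bool:
        """True when the item was applied; False stands for the unsubscribe instruction."""
        item = instruction["item"]
        expected = hmac.new(self.key, canonical(item), hashlib.sha256).hexdigest()
        complete = hmac.compare_digest(expected, str(instruction.get("mac", "")))
        trusted = item.get("process") in self.trusted
        if complete and trusted:
            self.applied.append(item)
            return True
        return False          # incomplete item or untrusted process: unsubscribe


class DispatchManager:
    """Plug-in management module: finds subscribers and delivers the target item."""

    def __init__(self) -> None:
        self.plugins: Dict[str, SubscriberPlugin] = {}
        self.subscribers: Dict[str, Set[str]] = {}   # target name -> subscribed plug-ins

    def subscribe(self, plugin: SubscriberPlugin, target: str) -> None:
        self.plugins[plugin.name] = plugin
        self.subscribers.setdefault(target, set()).add(plugin.name)

    def dispatch(self, instruction: dict) -> List[str]:
        """Deliver to every subscriber of the item's target and return those that
        applied it; a subscriber answering with unsubscribe is removed from the set."""
        target = instruction["item"]["target"]
        delivered: List[str] = []
        for name in sorted(self.subscribers.get(target, set())):
            if self.plugins[name].receive(instruction):
                delivered.append(name)
            else:
                self.subscribers[target].discard(name)
        return delivered
```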
Example 5
Fig. 14 is a flowchart of a processing method of a zero trust network system according to an embodiment of the present application, where a network element involved in the method includes: the system comprises a UI module, an agent management plug-in, an access control plug-in, a ticket service plug-in and a server. As shown in fig. 14, the method includes the steps of:
s1401: the UI module acquires user login information.
S1402: and the access control plug-in acquires a zero-trust access control strategy corresponding to the user login information from a server corresponding to the system.
S1403: the agent management plug-in authenticates the interface between the agent module and the agent management plug-in, and starts the function of the agent module after the authentication of the interface is successful.
S1404: the agent module acquires an access request aiming at the target service system.
S1405: and the agent module sends an authentication request to the access control plug-in according to the access request.
S1406: and the access control plug-in determines whether to carry out network access through the proxy module according to the authentication request.
S1407: and if the access control plug-in determines that the network access is carried out through the proxy module, sending a trigger message to the ticket service plug-in.
S1408: and the ticket service plug-in applies for the ticket of the access request to a server corresponding to the system according to the trigger message.
S1409: the ticketing services plug-in sends the ticket to the agent module.
S1410: and the agent module accesses the target business system according to the bill.
Optionally, the at least one zero trust plug-in further includes an asynchronous submission plug-in, and the method then further includes: the asynchronous submission plug-in collects feature information of the process corresponding to the application that initiated the access request and sends the feature information to the server corresponding to the system, so that the server can detect whether that process is a trusted process; the asynchronous submission plug-in receives the response message sent by the server, and if the response message shows that the process corresponding to the application that initiated the access request is a trusted process, it sends an indication message to the ticket service plug-in identifying that process. The ticket service plug-in sends the ticket to the agent module after receiving the indication message.
Optionally, the asynchronous submission plug-in asynchronously sends the feature information to the server corresponding to the system while the ticket service plug-in applies for the ticket from the server corresponding to the system.
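The exchange of Fig. 14 with the asynchronous submission plug-in, as an added illustration that is not code from the application: the server hands out the user's access control policy, the agent's interface to agent management is authenticated before the agent function is enabled, access control decides per policy, and the ticket service releases the ticket only once the server has reported the requesting process as trusted. Tickets as HMAC-authenticated strings checked by the target service system, policies as sets of permitted targets, and trust as an allow-list of image hashes are assumptions.

```python
"""Access flow of Fig. 14 with the asynchronous submission plug-in (added
illustration, not the application's code).  Assumptions: the server issues
tickets as HMAC-authenticated strings that the target service system can
verify with a shared key, a user's zero trust access control policy is a set
of permitted target systems, and process trust is an allow-list of image hashes.
"""
import hashlib
import hmac
from typing import Dict, Optional, Set

TICKET_KEY = b"constructed-ticket-key"                 # constructed; server and target system
AGENT_INTERFACE_SECRET = b"constructed-agent-secret"   # constructed; S1403 interface auth


def agent_proof(secret: bytes) -> bytes:
    """What the agent module presents on its interface to the agent management plug-in."""
    return hmac.new(secret, b"agent-interface", hashlib.sha256).digest()


class Server:
    """Server corresponding to the system: policy source, ticket issuer, process checker."""

    def __init__(self, policies: Dict[str, Set[str]], trusted_hashes: Set[str]) -> None:
        self.policies, self.trusted_hashes = policies, trusted_hashes

    def get_policy(self, user: str) -> Set[str]:                  # S1402
        return set(self.policies.get(user, set()))

    def apply_ticket(self, user: str, target: str) -> str:        # S1408
        body = f"{user}|{target}"
        return body + "|" + hmac.new(TICKET_KEY, body.encode(), hashlib.sha256).hexdigest()

    def check_process(self, features: dict) -> bool:              # asynchronous submission
        return features.get("image_sha256") in self.trusted_hashes


class ZeroTrustClient:
    """UI module, agent management, access control, ticket service and
    asynchronous submission plug-ins collapsed into one object for brevity."""

    def __init__(self, server: Server) -> None:
        self.server = server
        self.user: Optional[str] = None
        self.policy: Set[str] = set()
        self.agent_enabled = False

    def login(self, user: str) -> None:                            # S1401, S1402
        self.user = user
        self.policy = self.server.get_policy(user)

    def authenticate_agent(self, proof: bytes) -> bool:            # S1403
        expected = agent_proof(AGENT_INTERFACE_SECRET)
        self.agent_enabled = hmac.compare_digest(expected, proof)
        return self.agent_enabled

    def request_access(self, target: str, process_features: dict) -> Optional[str]:
        """Agent module's access request, S1404 to S1409.  Returns the ticket the
        ticket service releases, or None when access control or the process check refuses."""
        if not self.agent_enabled or self.user is None:           # agent function not started
            return None
        if target not in self.policy:                              # S1406: access control decision
            return None
        # In the application the ticket application and the feature submission run
        # concurrently; here they run in sequence, and the ticket is released only
        # after the server's response marks the process as trusted (indication message).
        ticket = self.server.apply_ticket(self.user, target)       # S1407, S1408
        trusted = self.server.check_process(process_features)      # async submission
        return ticket if trusted else None                          # S1409


def target_system_verify(ticket: str, target: str) -> Optional[str]:
    """Target service system (S1410): accept the ticket only if its MAC and target match."""
    try:
        user, tgt, mac = ticket.split("|")
    except ValueError:
        return None
    expected = hmac.new(TICKET_KEY, f"{user}|{tgt}".encode(), hashlib.sha256).hexdigest()
    if tgt == target and hmac.compare_digest(expected, mac):
        return user
    return None
```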
It should be noted that the method may be executed by a UI module, an agent management plugin, an access control plugin, a ticket service plugin, a server, and the like, and therefore, the explanation of the method may refer to an embodiment corresponding to the zero trust network system, and details of the method are not repeated herein.
Example 6
Fig. 15 is a schematic block diagram of a terminal device 1500 provided in an embodiment of the present application.
As shown in fig. 15, the terminal apparatus 1500 may include:
a memory 1510 and a processor 1520, the memory 1510 being configured to store a computer program and to transmit the program code to the processor 1520. In other words, the processor 1520 may invoke and run a computer program from the memory 1510 to implement the functionality of the zero trust network system described above.
For example, the processor 1520 may be configured to perform the functions of the zero trust network system described above according to instructions in the computer program.
In some embodiments of the present application, the processor 1520 may include, but is not limited to:
general purpose processors, digital signal processors (DSPs), application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like.
In some embodiments of the present application, the memory 1510 includes, but is not limited to:
volatile memory and/or non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be a random access memory (RAM), which serves as an external cache. By way of example, but not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), and direct Rambus RAM (DR RAM).
In some embodiments of the present application, the computer program may be partitioned into one or more modules stored in the memory 1510 and executed by the processor 1520 to implement the functionality of a zero trust network system. The one or more modules may be a series of computer program instruction segments capable of performing certain functions, the instruction segments being used to describe the execution of the computer program in the terminal device.
As shown in fig. 15, the terminal device may further include:
a transceiver 1530, the transceiver 1530 being connectable to the processor 1520 or the memory 1510.
The processor 1520 may control the transceiver 1530 to communicate with other devices, and in particular, may transmit information or data to other devices or receive information or data transmitted by other devices. The transceiver 1530 may include a transmitter and a receiver. The transceiver 1530 may further include one or more antennas.
It should be understood that the various components in the terminal device are connected by a bus system, wherein the bus system includes a power bus, a control bus and a status signal bus in addition to a data bus.
The present application also provides a computer storage medium having a computer program stored thereon, which when executed by a computer, implements the functionality of a zero trust network system. Alternatively, embodiments of the present application also provide a computer program product containing instructions, which when executed by a computer, cause the computer to implement the functions of the zero-trust network system.
When implemented in software, the embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The procedures or functions described in accordance with the embodiments of the application are all or partially generated when the computer program instructions are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center over a wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, radio, microwave) connection. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that includes one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a digital video disc (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)), among others.
Those of ordinary skill in the art will appreciate that the various illustrative modules and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the module is merely a logical division, and other divisions may be realized in practice, for example, a plurality of modules or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be in an electrical, mechanical or other form.
Modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. For example, functional modules in the embodiments of the present application may be integrated into one processing module, or each of the modules may exist alone physically, or two or more modules are integrated into one module.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and all the changes or substitutions should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (15)

1. A zero trust network system, comprising:
the zero trust plug-in management module is used for managing at least one zero trust plug-in, and the zero trust plug-in is used for realizing zero trust service;
wherein the at least one zero trust plugin is independently set; the plug-in management module is arranged in a main service module of the system; the at least one zero trust plug-in is arranged independently from the main service module; the main service module is used for strategy scheduling and module scheduling.
2. The system of claim 1, wherein the plug-in management module is specifically configured to manage at least one of:
installation of at least one said zero trust plugin;
uninstalling at least one of the zero trust plug-ins;
a hot update of at least one of the zero trust plugins;
the opening of at least one zero trust plug-in;
a stoppage of at least one of said zero trust plugins;
policy dispatch of at least one of the zero trust plugins;
parameter adjustment of at least one of the zero trust plugins;
data reading of at least one of the zero trust plug-ins.
3. The system of claim 1 or 2, further comprising:
a user interface (UI) module, configured to acquire a control command so as to trigger the plug-in management module to manage the at least one zero trust plug-in.
4. The system of claim 3,
the UI module is specifically used for acquiring a first control command, and the first control command is used for controlling the plug-in management module to install a first zero-trust plug-in;
the plug-in management module is specifically configured to obtain a configuration file of the first zero-trust plug-in, call a plug-in installation interface, and execute the configuration file of the first zero-trust plug-in through the plug-in installation interface to install the first zero-trust plug-in.
5. The system of claim 3, further comprising:
a second zero trust plugin, which is a zero trust plugin to be uninstalled in the system;
the UI module is specifically configured to acquire a second control command, where the second control command is used to control the plug-in management module to uninstall the second zero-trust plug-in;
the plug-in management module is specifically configured to call a plug-in stop interface according to the second control command to stop the running second zero-trust plug-in, call a plug-in cleaning interface to clean the configuration file of the second zero-trust plug-in, and call a plug-in unloading interface to unload the second zero-trust plug-in.
6. The system of claim 1 or 2, further comprising:
a third zero trust plug-in, which is a zero trust plug-in to be hot-updated in the system;
the plug-in management module is specifically configured to: acquire a plug-in update instruction sent by a server corresponding to the system, call a plug-in stop interface according to the plug-in update instruction to stop the running third zero trust plug-in, call a plug-in cleaning interface to clean the configuration file of the third zero trust plug-in, call a plug-in unloading interface to unload the third zero trust plug-in, acquire the updated configuration file of the third zero trust plug-in, call a plug-in installation interface, and execute the updated configuration file through the plug-in installation interface.
7. The system of claim 3, further comprising:
a fourth zero trust plugin, which is a zero trust plugin to be started in the system;
the UI module is specifically configured to obtain a third control command, where the third control command is used to control the plug-in management module to start the fourth zero-trust plug-in;
the plug-in management module is specifically configured to call a plug-in initialization interface according to the third control command to initialize the fourth zero trust plug-in, and call a plug-in start interface to start the fourth zero trust plug-in.
8. The system of claim 3, further comprising:
a fifth zero trust plugin, which is a zero trust plugin to be stopped in the system;
the UI module is specifically configured to acquire a fourth control command, where the fourth control command is used to control the plug-in management module to stop the fifth zero-trust plug-in;
the plug-in management module is specifically configured to call a plug-in stop interface according to the fourth control command to stop the running fifth zero trust plug-in, and call a plug-in cleaning interface to clean the configuration file of the fifth zero trust plug-in.
9. The system of claim 1 or 2, further comprising:
a sixth zero trust plugin, which is a zero trust plugin in the system that subscribes to a target policy;
the plug-in management module is specifically configured to: obtaining a policy dispatching instruction sent by a server corresponding to the system, wherein the policy dispatching instruction comprises the following steps: the target policy;
the plug-in management module is specifically configured to: and searching the sixth zero trust plug-in according to the strategy dispatching instruction, and sending the target strategy to the sixth zero trust plug-in.
10. The system of claim 9, wherein the sixth zero trust plugin is to:
reading the target strategy and checking the integrity of the target strategy, or checking whether a process corresponding to the target strategy is a trusted process, or checking the integrity of the target strategy and whether the process corresponding to the target strategy is the trusted process;
if the target strategy is complete, or the process corresponding to the target strategy is a trusted process, or the target strategy is complete and the process corresponding to the target strategy is a trusted process, processing the target strategy;
if the target strategy is incomplete, or the process corresponding to the target strategy is an untrusted process, sending an unsubscribe instruction to the plug-in management module;
the plug-in management module is specifically configured to delete the sixth zero trust plug-in from the zero trust plug-ins subscribed to the target policy according to the unsubscribe instruction.
11. The system of claim 1 or 2, further comprising:
a seventh zero trust plugin, which is a zero trust plugin needing parameter adjustment in the system;
the plug-in management module is specifically configured to: acquiring a parameter adjusting instruction sent by a server corresponding to the system, wherein the parameter adjusting instruction comprises: a target parameter;
the plug-in management module is specifically configured to: and searching the seventh zero trust plug-in according to the parameter adjusting instruction, and sending the target parameter to the seventh zero trust plug-in.
12. The system of claim 11, wherein the seventh zero trust plug-in is configured to:
reading the target parameter and checking the integrity of the target parameter, or checking whether the process corresponding to the target parameter is a trusted process, or checking the integrity of the target parameter and whether the process corresponding to the target parameter is a trusted process;
if the target parameter is complete, or the process corresponding to the target parameter is a trusted process, or the target parameter is complete and the process corresponding to the target parameter is a trusted process, adjusting the corresponding parameter to the target parameter;
if the target parameter is incomplete, or the process corresponding to the target parameter is an untrusted process, or the target parameter is incomplete and the process corresponding to the target parameter is an untrusted process, sending an unsubscribe instruction to the plug-in management module;
the plug-in management module is specifically configured to delete the seventh zero trust plug-in from the zero trust plug-ins subscribed to the target parameter according to the unsubscribe instruction.
13. The system of claim 3, further comprising: an agent module; the at least one zero trust plug-in comprises: an agent management plug-in, an access control plug-in and a ticket service plug-in;
the UI module is specifically configured to acquire user login information so as to trigger the access control plug-in to acquire a zero trust access control policy corresponding to the user login information from a server corresponding to the system;
the agent management plug-in is configured to authenticate the interface between the agent module and the agent management plug-in when triggered by the zero trust access control policy, and to start the function of the agent module after the interface is successfully authenticated;
the agent module is configured to acquire an access request for a target service system and send an authentication request to the access control plug-in according to the access request;
the access control plug-in is configured to determine, according to the authentication request, whether network access is to be carried out through the agent module, and if so, to trigger the ticket service plug-in to apply for a ticket for the access request from the server corresponding to the system and send the ticket to the agent module;
the agent module is further configured to access the target service system according to the ticket.
14. The system of claim 13, wherein the at least one zero trust plugin further comprises:
an asynchronous submission plug-in, configured to collect feature information of the process corresponding to the application that initiated the access request and send the feature information to the server corresponding to the system, so that the server can detect whether that process is a trusted process, and to receive the response message sent by the server; if the process corresponding to the application that initiated the access request is determined to be a trusted process according to the response message, the asynchronous submission plug-in sends an indication message to the ticket service plug-in identifying that process;
the ticket service plug-in is specifically configured to send the ticket to the agent module after receiving the indication message.
15. A processing method of a zero trust network system, comprising:
managing at least one zero trust plug-in, wherein the zero trust plug-in is a plug-in for realizing zero trust service;
wherein the at least one zero trust plugin is independently set; the plug-in management module is arranged in a main service module of the system; the at least one zero trust plug-in is arranged independently from the main service module; the main service module is used for strategy scheduling and module scheduling.
CN202110214654.4A 2021-02-25 2021-02-25 Zero trust network system and processing method Pending CN114968390A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110214654.4A CN114968390A (en) 2021-02-25 2021-02-25 Zero trust network system and processing method

Publications (1)

Publication Number Publication Date
CN114968390A true CN114968390A (en) 2022-08-30

Family

ID=82974194


Country Status (1)

Country Link
CN (1) CN114968390A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (ref country code: HK; ref legal event code: DE; ref document number: 40074457)