CN115065541A - SSL VPN proxy resource access authority control method - Google Patents


Info

Publication number: CN115065541A
Authority: CN (China)
Prior art keywords: user, white list, vpn, role, resource
Legal status: Pending
Application number: CN202210704792.5A
Other languages: Chinese (zh)
Inventors: 方技, 刘磊
Current assignee: Zhongan Yunke Technology Development Shandong Co ltd
Original assignee: Zhongan Yunke Technology Development Shandong Co ltd

Classifications

All entries fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
            • H04L63/0272 Virtual private networks
            • H04L63/0227 Filtering policies
                • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
            • H04L63/0281 Proxies
        • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
            • H04L63/101 Access control lists [ACL]
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
        • H04L67/01 Protocols
            • H04L67/10 Protocols in which an application is distributed across nodes in the network
                • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Abstract

The invention relates to the technical field of information security and discloses a method for controlling access authority to SSL VPN proxy resources, comprising the following steps: step one, establishing a user login account and setting its access authority; step two, dynamically updating the white list information; step three, automatically synchronizing the white list information. By establishing user login accounts and setting their access authority, the method controls each user's resource access authority and publishes proxy resources selectively to designated users, improving the safety and confidentiality of the resources. By dynamically updating the white list, only the IP addresses of users currently accessing resources appear in the white list, so the VPN server needs to maintain only that subset of users; this reduces the load on the VPN server, speeds up its operation and improves the user experience.

Description

SSL VPN proxy resource access authority control method
Technical Field
The invention relates to the technical field of information security, in particular to a method for controlling SSL VPN proxy resource access authority.
Background
An SSL VPN gives users a way to securely access back-end application resources through a proxy. If the proxy resources are published indiscriminately to all users, so that every user can reach the back-end application resources through the proxy without any access control, the safety and confidentiality of the resources cannot be fully guaranteed.
The traditional method of manually adding users to a white list requires a dedicated person to maintain the white list, cannot maintain it in real time according to users' needs, and degrades the user experience.
Disclosure of Invention
To address the defects of the prior art, the invention provides a method for controlling access authority to SSL VPN proxy resources. It controls each user's resource access authority, ensuring the safety and confidentiality of the resources; it dynamically updates the white list so that only users currently accessing resources are maintained, and it does not allow one user account to be logged in on several computers at the same time, which reduces the load on the VPN host service; and it keeps the white list consistent across the VPN host servers in the same group, ensuring the integrity of the user information. These measures solve the problems described in the background art.
The invention provides the following technical scheme. A method for controlling access authority to SSL VPN proxy resources comprises the following steps:
Step one: establish a user login account and set its access authority.
Create user role information, including role names, role descriptions and the resources associated with each role, through the user role management function of the VPN management system.
Through the user management function of the VPN management system, create independent login account information for each user, including the login account name, account password and timeout duration, and select the role of the user account.
Step two: dynamically update the white list information.
When a user accesses a back-end resource and the VPN server finds the client's original IP address in the white list, the user accesses the resource normally.
If the VPN server does not find the client's original IP address in the white list, it prompts the client to log in to the resource management system first. When the user logs in to the resource management system, the VPN server first parses the user's HTTP request to obtain the client's original IP address, adds that IP address to the white list, and then reports a successful login to the user. After logging in, the user accesses the resources normally. When the user logs out or the login times out, the VPN server automatically deletes the IP address of the current login device from the white list; the IP address can be used normally again after logging in to the account once more.
Step three: automatically synchronize the white list information.
After white list information has been added successfully, the VPN server currently providing service organizes the white list information into a message and promptly informs the other VPN servers in the same group; on receiving the synchronization message, each informed VPN server promptly updates its local white list, so that the white list information of all VPN servers in the same group stays consistent.
Preferably, each proxy resource has a unique resource ID; once a resource ID is assigned to a user role, that role has access authority for the resource, and different roles are distinguished by their role names.
Preferably, when the login account name is set in step one, the VPN management system automatically checks whether the login account name is unique and, if it is not, forces the login account name to be changed. When the login account information is set, clicking "associated role" displays the role names created in step one, and the role owned by the user is designated by selecting a role name.
Preferably, when the dual-host hot-standby function is configured through the VPN management system, the VPN server records information about the active host and the standby host, such as IP address and service port, and white list information is synchronized automatically between the active and standby hosts.
Preferably, no user account may be logged in on several computers at the same time, and only the current login device has access to the resources.
Preferably, when a user needs to access a resource, the user must first log in to the resource management system, and only then can see the resource links that the user is allowed to access.
Compared with the prior art, the invention has the following beneficial effects:
1. By establishing user login accounts and setting their access authority, the method controls each user's resource access authority and publishes proxy resources selectively to designated users, improving the safety and confidentiality of the resources. By dynamically updating the white list, only the IP addresses of users currently accessing resources appear in the white list, so the VPN server needs to maintain only that subset of users; this reduces the load on the VPN server, speeds up its operation and improves the user experience.
2. Through the automatic synchronization of white list information, the white lists of the VPN servers in the same group are kept consistent, the integrity of the white list information is guaranteed, and the VPN servers can maintain the white list conveniently.
Drawings
Fig. 1 is a schematic diagram of the working principle of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to Fig. 1, a method for controlling access authority to SSL VPN proxy resources comprises the following steps:
Step one: create a user login account and set its access authority. The purpose of this step is to create a login account for each user and, at the same time, to control the account's resource access authority by assigning roles to accounts, so that user accounts with different roles can access different resources; this effectively guarantees the safety and confidentiality of the resources.
This step is implemented as follows. User role information, including role names, role descriptions and the resources associated with each role, is created through the user role management function of the VPN management system. Each proxy resource has a unique resource ID; after a resource ID is assigned to a user role, that role has access authority for the resource, and different roles are distinguished by their role names.
Through the user management function of the VPN management system, independent login account information, including the login account name, account password, timeout duration and associated roles, is created for each user. When the login account name is set, the VPN management system automatically checks whether it is unique and, if it is not, forces it to be changed. When the login account information is set, clicking "associated role" displays the role names created in step one, and the roles owned by the user are designated by selecting role names.
Step two: dynamically update the white list information. The purpose of this step is to ensure that only the current login device is authorized to access the resources and that no user account is logged in on several computers at the same time, which effectively reduces the amount of data the VPN server must process, improves its efficiency and improves the user experience.
This step is implemented as follows. When a user accesses a back-end resource and the VPN server finds the client's original IP address in the white list, the user accesses the resource normally. If the VPN server does not find the client's original IP address in the white list, it prompts the client to log in to the resource management system first. When the user logs in to the resource management system, the VPN server first parses the user's HTTP request to obtain the client's original IP address, adds that IP address to the white list and then returns a successful login, after which the user accesses the resources normally. When the user's login time expires, the VPN server automatically deletes the IP address of the current login device from the white list, and the user can use the device normally again after logging in to the account once more.
Step three: automatically synchronize the white list information. The purpose of this step is to keep the white list information of the VPN servers in the same group consistent, to ensure the integrity of the white list information and to let the VPN servers maintain users in real time.
This step is implemented as follows. After white list information has been added successfully, the VPN server currently providing service organizes the white list information into a message and promptly informs the other VPN servers in the same group; on receiving the synchronization message, each informed VPN server promptly updates its local white list, so that the white list information of all VPN servers in the same group stays consistent.
When the dual-host hot-standby function is configured through the VPN management system, the VPN server records information about the active host and the standby host, such as IP address and service port, and white list information is synchronized automatically between the active and standby hosts.
Example: a user login account and its access authority are created through the VPN management system; the user logs in to the resource management system with the created login account; the VPN server first parses the user's HTTP request, obtains the client's original IP address, adds that IP address to the white list and then returns a successful login, after which the user accesses the resources normally. If the user exceeds the set time length, the VPN server deletes the user's IP address from the white list and the login becomes invalid; the user can access the resources normally only after logging in again. While the user accesses resources, the white list information of the VPN servers in the same group is consistent.
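The three steps described above, modelled as an added example that is not the patentee's code: a role and account model, a per-login client-IP white list with single-device enforcement and timeout, and a JSON synchronization message between the servers of one group. Class and field names are invented, `clock` is an injected time source, and the client IP passed to `login` is assumed to be the transport-layer peer address.

```python
# Toy model of the patent's three steps (constructed illustration; names invented).
from dataclasses import dataclass
import json

@dataclass
class Role:
    name: str
    resource_ids: frozenset   # proxy resource IDs published to this role

@dataclass
class Account:
    username: str
    password: str             # demo only; a real system stores a password hash
    timeout_s: int            # the account's "timeout duration"
    role: Role

class VpnServer:
    def __init__(self, clock):
        self.clock = clock          # time source, injected so tests can advance it
        self.accounts = {}
        self.whitelist = {}         # client IP -> (username, expiry time)
        self.peers = []             # other VPN servers of the same group

    def add_account(self, acct):
        if acct.username in self.accounts:   # step one: unique login account names
            raise ValueError("login account name must be unique")
        self.accounts[acct.username] = acct

    def login(self, username, password, client_ip):
        """Step two: a successful login puts the client's source IP on the white list.
        client_ip must be the transport-layer peer address, not a client-set header."""
        acct = self.accounts.get(username)
        if acct is None or acct.password != password:
            return False
        # One device per account: an earlier IP logged in as this user is dropped.
        for ip, (user, _) in list(self.whitelist.items()):
            if user == username:
                self.remove_ip(ip)
        expiry = self.clock() + acct.timeout_s
        self.whitelist[client_ip] = (username, expiry)
        self._notify({"op": "add", "ip": client_ip, "user": username, "expiry": expiry})
        return True

    def remove_ip(self, client_ip):
        if self.whitelist.pop(client_ip, None) is not None:   # logout or timeout
            self._notify({"op": "remove", "ip": client_ip})

    def can_access(self, client_ip, resource_id):
        """Proxy check: IP white-listed, login not timed out, role owns the ID."""
        entry = self.whitelist.get(client_ip)
        if entry is None:
            return False            # the server would prompt for login instead
        user, expiry = entry
        if self.clock() > expiry:
            self.remove_ip(client_ip)
            return False
        acct = self.accounts.get(user)
        return acct is not None and resource_id in acct.role.resource_ids

    # Step three: the serving server packs each change into a message for its group.
    def _notify(self, msg):
        for peer in self.peers:
            peer.apply_sync(json.dumps(msg))

    def apply_sync(self, payload):
        msg = json.loads(payload)
        if msg["op"] == "add":
            self.whitelist[msg["ip"]] = (msg["user"], msg["expiry"])
        else:
            self.whitelist.pop(msg["ip"], None)
```

Because the white list is keyed by source IP, clients behind a shared NAT address inherit each other's entry; the role check on the account is what still separates their authority.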
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (6)

1. A method for controlling access authority to SSL VPN proxy resources, characterized in that the method comprises the following steps:
Step one: establish a user login account and set its access authority.
Create user role information, including role names, role descriptions and the resources associated with each role, through the user role management function of the VPN management system.
Through the user management function of the VPN management system, create independent login account information for each user, including the login account name, account password and timeout duration, and select the role of the user account.
Step two: dynamically update the white list information.
When a user accesses a back-end resource and the VPN server finds the client's original IP address in the white list, the user accesses the resource normally.
If the VPN server does not find the client's original IP address in the white list, it prompts the client to log in to the resource management system first. When the user logs in to the resource management system, the VPN server first parses the user's HTTP request to obtain the client's original IP address, adds that IP address to the white list, and then reports a successful login to the user. After logging in, the user accesses the resources normally. When the user logs out or the login times out, the VPN server automatically deletes the IP address of the current login device from the white list; the IP address can be used normally again after logging in to the account once more.
Step three: automatically synchronize the white list information.
After white list information has been added successfully, the VPN server currently providing service organizes the white list information into a message and promptly informs the other VPN servers in the same group; on receiving the synchronization message, each informed VPN server promptly updates its local white list, so that the white list information of all VPN servers in the same group stays consistent.
2. The method of claim 1, characterized in that each proxy resource has a unique resource ID; once a resource ID is assigned to a user role, that role has access authority for the resource, and different roles are distinguished by their role names.
3. The method of claim 1, characterized in that, when the login account name is set in step one, the VPN management system automatically checks whether the login account name is unique and, if it is not, forces the account name to be changed; when the login account information is set, clicking "associated role" displays the role names created in step one, and the role owned by the user is designated by selecting a role name.
4. The method of claim 1, characterized in that, when the dual-host hot-standby function is configured through the VPN management system, the VPN server records information about the active host and the standby host, such as IP address and service port, and white list information is synchronized automatically between the active and standby hosts.
5. The method of claim 1, characterized in that no user account may be logged in on several computers at the same time, and only the current login device has access to the resources.
6. The method of claim 1, characterized in that, when a user needs to access resources, the user must first log in to the resource management system and, after logging in, can see the resource links that the user is allowed to access.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210704792.5A CN115065541A (en) 2022-06-21 2022-06-21 SSL VPN proxy resource access authority control method


Publications (1)

Publication Number Publication Date
CN115065541A true CN115065541A (en) 2022-09-16

Family

ID=83203215


Country Status (1)

Country Link
CN (1) CN115065541A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination