CN115065564B - Access control method based on zero trust mechanism - Google Patents

Access control method based on zero trust mechanism

Info

Publication number
CN115065564B
Authority
CN
China
Prior art keywords
data
access
credibility
evaluation
network
Legal status
Active
Application number
CN202210989533.1A
Other languages
Chinese (zh)
Other versions
CN115065564A (en)
Inventor
罗思明
陈灼波
刘罕
袁靖周
王统林
邱伟洋
钟孟森
张浩浩
周孟磊
刘国鑫
张添中
刘震
王建松
Current Assignee
Navigation Mark Office Of Hong Kong Zhuhai Macao Bridge Nanhai Navigation Support Center Ministry Of Transport
Tianjin Tianyuanhai Technology Development Co ltd
Original Assignee
Navigation Mark Office Of Hong Kong Zhuhai Macao Bridge Nanhai Navigation Support Center Ministry Of Transport
Tianjin Tianyuanhai Technology Development Co ltd
Priority date
2022-08-18
Filing date
2022-08-18
Publication date
2022-11-01
2022-08-18: Application filed by Navigation Mark Office Of Hong Kong Zhuhai Macao Bridge Nanhai Navigation Support Center Ministry Of Transport and Tianjin Tianyuanhai Technology Development Co ltd; priority to CN202210989533.1A
2022-09-16: Publication of CN115065564A
2022-11-01: Application granted; publication of CN115065564B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0281 Proxies
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the field of network security and discloses an access control method based on a zero trust mechanism for exchanging data between an application server deployed in the cloud and an internal network. The method carries data transfer and control among the application server, a security evaluation server, a token generation server and a gateway on a zero trust mechanism. It improves the security of a cloud-hosted application server when it accesses intranet data, addresses the failure of traditional perimeter protection where the network boundary has become blurred, provides a stable, secure and reliable network environment for the application server to reach intranet data, and meets the network security needs of small and medium-sized enterprises.

Description

Access control method based on zero trust mechanism
Technical Field
The invention relates to the field of network security, in particular to an access control method based on a zero trust mechanism.
Background
A traditional network security architecture divides the network into an internal network and an external network and deploys protective devices such as firewalls and intrusion detection systems (IDS) at the boundary between them. As network applications have developed, this architecture has become increasingly unable to guarantee security, and it carries two major weaknesses. First, it assumes that the internal network is safe and lacks effective defences against attacks that originate inside the network, so the bastion is often breached from within. Second, the security of the internal network depends heavily on the boundary devices; once the boundary is breached, the intranet has no effective means of protection.
With the rapid growth of cloud computing, many enterprises have moved business to public cloud platforms, where cloud servers transmit data over the public internet. The servers are exposed on the internet and the risk of attack rises. The network boundary also becomes blurred: a cloud server has no clear physical boundary, so traditional network security devices cannot be placed between the intranet and the internet. The zero trust security concept emerged to address these problems. Current zero trust solutions, however, tend to require a large number of devices and a complex network architecture; they are aimed at data centres and big data platforms and do not suit the network security needs of small and medium-sized enterprises. How to provide secure and reliable access control for a cloud-hosted application server that needs intranet data has therefore become an urgent problem for the network security of many such enterprises.
Disclosure of Invention
The invention provides an access control method based on a zero trust mechanism that gives an application server deployed in the cloud a stable, secure and reliable network environment for accessing intranet data, and solves the problems described in the background.
The invention adopts the following technical scheme. An access control method based on a zero trust mechanism, used to exchange data between an application server deployed in the cloud and an internal network, comprises the following steps:
S1: a zero trust proxy is set on the application server;
S2: the zero trust proxy collects multi-source trust measurement index data and sends it to a security evaluation server; the index data comprises user identity data, account data, system log data, network log data, traffic data, application behaviour data and data access behaviour data; the index data is encrypted and encoded with a double SHA-256 algorithm, and the encoded result is packaged into a data packet for network transmission;
S3: the security evaluation server receives the index data sent by the application server together with the universally unique identifier (UUID), IP address and MAC address of the corresponding terminal device, applies a multi-source dynamic security evaluation strategy that evaluates user identity credibility, environment credibility, user behaviour credibility, software credibility and hardware credibility separately to obtain an evaluation score, and sends the score to a gateway;
S4: the gateway receives the evaluation score and establishes a state node for each application server; the state node stores the IP address, MAC address, user identity credibility, environment credibility, user behaviour credibility, software credibility, hardware credibility, evaluation score, evaluation time and effective duration; the gateway builds an IP table and stores it in the network control kernel; the IP table maps each IP address to its evaluation processing result, which is read-only mode, read-write mode or access-denied mode, so that the network control kernel can pass or intercept the application server's access requests;
S5: the application server uses a pre-installed certificate to communicate with a token generation server and with the security evaluation server;
S6: the application server obtains a token from the token generation server, places the signed token in the URL, and sends an access request carrying the token to the internal network through the gateway;
S7: on receiving the access request, the gateway looks up the IP table: if the evaluation processing result for the source IP address is read-only mode and the request carries a token, the application server is granted read-only access to the internal network; if the result is read-write mode and the request carries a token, read-write access is granted; if the result is access-denied mode, access to the internal network is refused.
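The gateway side of steps S4 to S7, written out as an added example (this is not code from the patent or its assignees): a state node per application server, the IP table the network control kernel consults, a token bound to the requesting server's IP address, and the decision that combines the two. Everything beyond what the steps state is an assumption: the token is an HMAC under a key shared through the common root of trust, standing in for the digital signature the description mentions; the token travels in a `token` query parameter of the URL; read-only mode lets through only GET and HEAD; and a server whose evaluation time plus effective duration has passed is treated as access-denied, which is the fail-closed reading of the state node's expiry fields. IP addresses, MAC addresses, scores and the key are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

READ_ONLY, READ_WRITE, DENY = "read-only", "read-write", "deny"
READ_METHODS = {"GET", "HEAD"}       # assumption: what read-only mode lets through


@dataclass
class StateNode:
    """One state node per application server, as the gateway keeps it in step S4."""
    ip: str
    mac: str
    identity: float
    environment: float
    behaviour: float
    software: float
    hardware: float
    score: float
    mode: str             # evaluation processing result: READ_ONLY, READ_WRITE or DENY
    evaluated_at: float   # evaluation time, epoch seconds
    valid_for: float      # effective duration, seconds


class TokenServer:
    """Issues tokens bound to the requesting server's IP address with an expiry.
    An HMAC under a key shared through the common root of trust stands in for the
    digital signature the patent mentions (hypothetical construction)."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def issue(self, client_ip: str, ttl: int, now: float) -> str:
        exp = int(now) + ttl
        sig = hmac.new(self.key, f"{client_ip}|{exp}".encode(), hashlib.sha256).hexdigest()
        return f"{client_ip}|{exp}|{sig}"


class Gateway:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.nodes: dict[str, StateNode] = {}
        self.ip_table: dict[str, str] = {}   # IP address -> mode, the network control kernel's view

    def receive_evaluation(self, node: StateNode) -> None:
        """Step S4: keep the state node and refresh the IP table entry."""
        self.nodes[node.ip] = node
        self.ip_table[node.ip] = node.mode

    def _token_valid(self, token: str, client_ip: str, now: float) -> bool:
        parts = token.split("|")
        if len(parts) != 3:
            return False
        ip, exp, sig = parts
        expected = hmac.new(self.key, f"{ip}|{exp}".encode(), hashlib.sha256).hexdigest()
        return (hmac.compare_digest(sig, expected) and ip == client_ip
                and exp.isdigit() and now < int(exp))

    def decide(self, client_ip: str, method: str, url: str, now: float) -> tuple[bool, str]:
        """Step S7: IP table first, then the token, then the mode's permissions."""
        node = self.nodes.get(client_ip)
        mode = self.ip_table.get(client_ip, DENY)
        if node is None or now > node.evaluated_at + node.valid_for:
            mode = DENY      # unknown server or expired evaluation fails closed (assumption)
        if mode == DENY:
            return False, "ip table: access denied"
        token = parse_qs(urlparse(url).query).get("token", [""])[0]   # token carried in the URL
        if not token or not self._token_valid(token, client_ip, now):
            return False, "missing or invalid token"
        if mode == READ_ONLY and method.upper() not in READ_METHODS:
            return False, "read-only mode: write refused"
        return True, f"allowed in {mode} mode"


def demo() -> list[tuple[bool, str]]:
    """Constructed scenario: three evaluated servers, one request each, plus a stale one."""
    key = b"key-derived-from-the-shared-root-certificate"   # constructed secret
    now = 1_700_000_000.0
    gw, ts = Gateway(key), TokenServer(key)
    creds = dict(identity=0.9, environment=0.8, behaviour=0.9, software=0.85, hardware=0.8)
    for ip, score, mode in (("10.0.0.5", 0.87, READ_WRITE), ("10.0.0.6", 0.62, READ_ONLY),
                            ("10.0.0.7", 0.21, DENY)):
        gw.receive_evaluation(StateNode(ip, "aa:bb:cc:00:00:0" + ip[-1], score=score, mode=mode,
                                        evaluated_at=now, valid_for=600, **creds))
    url = "https://intranet.example/api/records?token="
    return [
        gw.decide("10.0.0.5", "POST", url + ts.issue("10.0.0.5", 300, now), now),
        gw.decide("10.0.0.6", "GET", url + ts.issue("10.0.0.6", 300, now), now),
        gw.decide("10.0.0.6", "POST", url + ts.issue("10.0.0.6", 300, now), now),
        gw.decide("10.0.0.7", "GET", url + ts.issue("10.0.0.7", 300, now), now),
        gw.decide("10.0.0.5", "GET", url + ts.issue("10.0.0.5", 3600, now), now + 601),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two checks in `decide` go beyond the literal text of S7 and are worth keeping in any implementation: the token is tied to the IP address the IP table was keyed on, so a token obtained by one server cannot be replayed from another address, and the IP table entry is only honoured while the state node's effective duration has not run out, so a server that was evaluated once cannot keep its mode indefinitely without re-evaluation.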
Preferably, the user identity data comprises a digital certificate, a biometric, a username and a password.
Preferably, each evaluation element is given a corresponding weight in the evaluation score calculation, and the evaluation score is obtained by a normalized weighted average algorithm.
Preferably, the evaluation score is compared with a preset first threshold and a preset second threshold, the first threshold being smaller than the second, and the evaluation processing result is classed as read-only mode, read-write mode or access-denied mode accordingly.
Preferably, judging user behaviour credibility comprises drawing a behaviour baseline of normal access from traffic characteristics and context analysis, and judging whether the current user behaviour is credible against that baseline.
Compared with existing access control methods, the method has the following beneficial effects:
1. The access control method based on a zero trust mechanism carries data transfer and control among the application server, the security evaluation server, the token generation server and the gateway on a zero trust mechanism, and sets the access authority to one of three modes, read-only, read-write and access-denied, according to the zero trust evaluation result. This improves the security of a cloud-hosted application server when it accesses intranet data and solves the failure of traditional perimeter protection where the network boundary has become blurred.
2. The method adopts a multi-source dynamic security evaluation strategy: it collects user identity data, account data, system log data, network log data, traffic data, application behaviour data and data access behaviour data, evaluates user identity credibility, environment credibility, user behaviour credibility, software credibility and hardware credibility, and so reaches a multi-source trust judgment. Access is therefore controlled dynamically and user access remains secure in a constantly changing environment.
3. The collected multi-source trust measurement index data is encrypted and encoded with a double SHA-256 algorithm and the encoded result is packaged into a data packet for network transmission, which improves the transmission security of the index data.
Drawings
Fig. 1 is a block diagram of the zero trust network architecture of the invention;
Fig. 2 is a flowchart of the access control method based on a zero trust mechanism according to the invention.
Detailed Description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the invention.
Referring to Figs. 1 and 2, an access control method based on a zero trust mechanism, used to exchange data between an application server deployed in the cloud and an internal network, comprises the following steps:
S1: a zero trust proxy is set on the application server;
S2: the zero trust proxy collects multi-source trust measurement index data and sends it to a security evaluation server; the index data comprises user identity data, account data, system log data, network log data, traffic data, application behaviour data and data access behaviour data; the index data is encrypted and encoded with a double SHA-256 algorithm, and the encoded result is packaged into a data packet for network transmission;
S3: the security evaluation server receives the index data sent by the application server together with the universally unique identifier (UUID), IP address and MAC address of the corresponding terminal device, applies a multi-source dynamic security evaluation strategy that evaluates user identity credibility, environment credibility, user behaviour credibility, software credibility and hardware credibility separately to obtain an evaluation score, and sends the score to a gateway;
S4: the gateway receives the evaluation score and establishes a state node for each application server; the state node stores the IP address, MAC address, user identity credibility, environment credibility, user behaviour credibility, software credibility, hardware credibility, evaluation score, evaluation time and effective duration; the gateway builds an IP table and stores it in the network control kernel; the IP table maps each IP address to its evaluation processing result, which is read-only mode, read-write mode or access-denied mode, so that the network control kernel can pass or intercept the application server's access requests;
S5: the application server uses a pre-installed certificate to communicate with a token generation server and with the security evaluation server;
S6: the application server obtains a token from the token generation server, places the signed token in the URL, and sends an access request carrying the token to the internal network through the gateway;
S7: on receiving the access request, the gateway looks up the IP table: if the evaluation processing result for the source IP address is read-only mode and the request carries a token, the application server is granted read-only access to the internal network; if the result is read-write mode and the request carries a token, read-write access is granted; if the result is access-denied mode, access to the internal network is refused.
The application server is the actual business server on which the business application software runs; an initialization certificate, the zero trust client software and so on are installed on it. The security evaluation server evaluates the state of the application server and its terminal: it receives information from the application server, evaluates and scores it, and sends the score to the gateway. The token generation server is the token management server that generates token information for the application; it accepts the application server's SSL connection, generates a token for each token request and manages the tokens. The gateway sits between the application server and the internal network and decides whether the application server may access the internal network; it receives the security evaluation server's evaluation result for the application server.
The application server, the security evaluation server, the token generation server and the gateway all use the same root certificate, both for SSL communication and for the token digital signature.
The multi-source trust measurement index data comprises user identity data, account data, system log data, network log data, traffic data, application behaviour data and data access behaviour data. The collected data is encrypted and encoded with a double SHA-256 algorithm and the encoded result is packaged into a data packet for network transmission, which protects the data in transit.
The application server connects to the token generation server over SSL. The security evaluation server applies a multi-source dynamic security evaluation strategy that evaluates user identity credibility, environment credibility, user behaviour credibility, software credibility and hardware credibility separately. Through real-time collection and updating of multi-source data and dynamic trust evaluation, the strategy controls access dynamically and keeps user access secure in a constantly changing environment.
User identity credibility covers not only the login account but also the service resources to be accessed, the access ports to be opened and so on.
Environment credibility: virus, trojan and vulnerability detection is performed on the terminal environment to give a continuous evaluation of the network environment, and an unsafe connection is interrupted as soon as a threat is found.
User behaviour credibility: a baseline of normal access is drawn from the client's traffic characteristics and context analysis, and whether the current behaviour is credible is judged against that baseline.
Software credibility: the combination of the device's operating system version, application software version and so on forms the software information, and the software is judged credible or not by whether the current version has a publicly disclosed high-risk vulnerability.
Hardware credibility: terminal hardware information such as the device manufacturer is identified from the MAC address to assess whether the hardware is credible.
When the evaluation score is calculated, each evaluation element is given a corresponding weight and the score is obtained by a normalized weighted average algorithm. The score is compared with a preset first threshold and a preset second threshold, the first smaller than the second, and the evaluation processing result is classed as read-only mode, read-write mode or access-denied mode. The two thresholds may be fixed preset values or dynamic thresholds produced by an adaptive algorithm.
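The evaluation side of steps S2 and S3 together with the five credibility elements and the scoring just described, as an added example (not code from the patent or its assignees): the zero trust proxy packages the index data with a double SHA-256 digest, the security evaluation server checks the digest, scores each element, takes the normalized weighted average and maps the score to a mode with the two thresholds. Three points are assumptions rather than the patent's text: the digest is SHA-256 applied twice over a canonical JSON encoding of the payload; a score below the first threshold means access-denied, a score between the thresholds read-only, and a score at or above the second read-write; and the per-element rules, weights and threshold values are illustrative. Two caveats a practitioner should keep in mind: SHA-256 is a one-way hash, not a cipher, so the digest lets the receiver detect alteration but does not hide the index data, and confidentiality in transit has to come from the SSL channel the description mentions; and the manufacturer prefix of a MAC address is reported by the client and trivially forged, so hardware credibility derived from it is a weak signal and is given the lowest weight here. The vulnerable version set, trusted prefixes and index data are constructed.

```python
from __future__ import annotations

import hashlib
import json


# --- S2: the proxy packages the index data with a double SHA-256 digest ---

def double_sha256(data: bytes) -> str:
    """SHA-256 applied twice. A hash, not a cipher: the receiver can detect an
    altered payload, but the payload itself is not hidden."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def pack(index_data: dict) -> dict:
    """Canonical JSON so sender and receiver hash identical bytes (assumption)."""
    payload = json.dumps(index_data, sort_keys=True, separators=(",", ":")).encode()
    return {"payload": payload.hex(), "digest": double_sha256(payload)}


def digest_ok(packet: dict) -> bool:
    return double_sha256(bytes.fromhex(packet["payload"])) == packet["digest"]


def unpack(packet: dict) -> dict:
    if not digest_ok(packet):
        raise ValueError("digest mismatch: packet altered in transit")
    return json.loads(bytes.fromhex(packet["payload"]))


# --- S3: one credibility value in [0, 1] per element; the rules are illustrative ---

KNOWN_VULNERABLE = {("ubuntu", "18.04", "bizapp", "1.2.0")}   # constructed: versions with disclosed high-risk flaws
TRUSTED_OUIS = {"aa:bb:cc"}                                   # constructed: manufacturer prefixes accepted


def identity_credibility(d: dict) -> float:
    checks = [d["certificate_valid"], d["password_ok"], d["biometric_ok"], d["account_active"]]
    return sum(checks) / len(checks)


def environment_credibility(d: dict) -> float:
    if d["virus_found"] or d["trojan_found"]:
        return 0.0                       # threat found: the connection should be cut
    return 0.6 if d["unpatched_vulns"] else 1.0


def behaviour_credibility(d: dict) -> float:
    """Compare the current traffic with a baseline of normal access."""
    base, cur = d["baseline"], d["current"]
    score = 1.0
    if cur["req_per_min"] > 3 * base["req_per_min"]:
        score -= 0.5                     # request rate far above the baseline
    if not (base["hours"][0] <= cur["hour"] <= base["hours"][1]):
        score -= 0.3                     # outside the usual access hours
    return max(score, 0.0)


def software_credibility(d: dict) -> float:
    key = (d["os"], d["os_version"], d["app"], d["app_version"])
    return 0.2 if key in KNOWN_VULNERABLE else 1.0


def hardware_credibility(d: dict) -> float:
    # The OUI (first three octets) identifies the manufacturer, but it is client-reported
    # and trivially spoofable, so this element carries the lowest weight below.
    return 1.0 if d["mac"].lower()[:8] in TRUSTED_OUIS else 0.3


WEIGHTS = {"identity": 3, "environment": 2, "behaviour": 2, "software": 2, "hardware": 1}
FIRST_THRESHOLD, SECOND_THRESHOLD = 0.5, 0.8      # first < second, as the description requires


def evaluate(index_data: dict) -> tuple[float, dict]:
    elements = {
        "identity": identity_credibility(index_data["identity"]),
        "environment": environment_credibility(index_data["environment"]),
        "behaviour": behaviour_credibility(index_data["behaviour"]),
        "software": software_credibility(index_data["software"]),
        "hardware": hardware_credibility(index_data["hardware"]),
    }
    # normalized weighted average: dividing by the weight sum keeps the score in [0, 1]
    score = sum(WEIGHTS[k] * v for k, v in elements.items()) / sum(WEIGHTS.values())
    return round(score, 3), elements


def decide_mode(score: float) -> str:
    if score < FIRST_THRESHOLD:
        return "deny"
    if score < SECOND_THRESHOLD:
        return "read-only"
    return "read-write"


def assess(packet: dict) -> tuple[float, str]:
    """Server-side path: verify the digest, score the elements, map to a mode."""
    score, _ = evaluate(unpack(packet))
    return score, decide_mode(score)


# Constructed index data for a healthy and a degraded application server.
HEALTHY = {
    "identity": {"certificate_valid": True, "password_ok": True, "biometric_ok": True, "account_active": True},
    "environment": {"virus_found": False, "trojan_found": False, "unpatched_vulns": False},
    "behaviour": {"baseline": {"req_per_min": 20, "hours": [8, 18]}, "current": {"req_per_min": 22, "hour": 10}},
    "software": {"os": "ubuntu", "os_version": "22.04", "app": "bizapp", "app_version": "1.3.1"},
    "hardware": {"mac": "AA:BB:CC:01:02:03"},
}
DEGRADED = {
    "identity": {"certificate_valid": True, "password_ok": True, "biometric_ok": False, "account_active": True},
    "environment": {"virus_found": False, "trojan_found": False, "unpatched_vulns": True},
    "behaviour": {"baseline": {"req_per_min": 20, "hours": [8, 18]}, "current": {"req_per_min": 90, "hour": 10}},
    "software": {"os": "ubuntu", "os_version": "18.04", "app": "bizapp", "app_version": "1.2.0"},
    "hardware": {"mac": "de:ad:be:ef:00:01"},
}

if __name__ == "__main__":
    for name, data in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(name, assess(pack(data)))
```

With these weights the degraded server scores 0.515: one failed identity check, an unpatched environment, a request rate more than three times its baseline, a software version on the vulnerable list and an unknown manufacturer prefix together pull it below the second threshold but not below the first, so the gateway would install a read-only entry for it. Flipping `virus_found` on the same data drops the environment element to zero and the score to 0.395, which lands in access-denied.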
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (2)

1. An access control method based on a zero trust mechanism, used to exchange data between an application server deployed in the cloud and an internal network, characterized in that the method comprises the following steps:
S1: a zero trust proxy is set on the application server;
S2: the zero trust proxy collects multi-source trust measurement index data and sends it to a security evaluation server; the multi-source trust measurement index data comprises user identity data, account data, system log data, network log data, traffic data, application behaviour data and data access behaviour data; the multi-source trust measurement index data is encrypted and encoded with a double SHA-256 algorithm, and the encoded result is packaged into a data packet for network transmission;
S3: the security evaluation server receives the multi-source trust measurement index data sent by the application server together with the universally unique identifier, IP address and MAC address of the corresponding terminal device, applies a multi-source dynamic security evaluation strategy that evaluates user identity credibility, environment credibility, user behaviour credibility, software credibility and hardware credibility separately to obtain an evaluation score, and sends the evaluation score to a gateway;
S4: the gateway receives the evaluation score sent by the security evaluation server and establishes a state node for each application server, the state node storing the IP address, MAC address, user identity credibility, environment credibility, user behaviour credibility, software credibility, hardware credibility, evaluation score, evaluation time and effective duration; the gateway establishes an IP table and stores it in the network control kernel, the IP table comprising each IP address and its evaluation processing result, which is a read-only mode, a read-write mode or an access-denied mode, so that the network control kernel can pass or intercept the application server's access requests;
S5: the application server uses a pre-installed certificate to communicate with a token generation server and with the security evaluation server;
S6: the application server obtains a token from the token generation server, places the signed token in the URL (uniform resource locator), and sends an access request carrying the token to the internal network through the gateway;
S7: after receiving the access request of the application server, the gateway looks up the IP table; if the evaluation processing result for the IP address is the read-only mode and the request carries a token, the application server is granted read-only access to the internal network; if the result is the read-write mode and the request carries a token, read-write access is granted; if the result is the access-denied mode, access to the internal network is denied;
wherein the user identity data comprises a digital certificate, a biometric, a username and a password; each evaluation element is given a corresponding weight when the evaluation score is calculated, and the evaluation score is obtained by a normalized weighted average algorithm; and the evaluation score is compared with a preset first threshold and a preset second threshold, the first threshold being smaller than the second threshold, to divide the evaluation processing result into the read-only mode, the read-write mode or the access-denied mode.
2. The access control method based on a zero trust mechanism according to claim 1, characterized in that judging user behaviour credibility comprises drawing a behaviour baseline of normal access from traffic characteristics and context analysis, and judging whether the current user behaviour is credible against that baseline.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210989533.1A CN115065564B (en) 2022-08-18 2022-08-18 Access control method based on zero trust mechanism


Publications (2)

Publication Number Publication Date
CN115065564A CN115065564A (en) 2022-09-16
CN115065564B true CN115065564B (en) 2022-11-01

Family

ID=83208536


Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116170806B (en) * 2022-12-07 2024-05-24 南京南瑞信息通信科技有限公司 Smart power grid LWM2M protocol security access control method and system
CN117729057A (en) * 2024-02-18 2024-03-19 北京建恒信安科技有限公司 Method for accessing zero trust based on identity security

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111490993A (en) * 2020-04-13 2020-08-04 江苏易安联网络技术有限公司 Application access control security system and method
CN111917714A (en) * 2020-06-18 2020-11-10 云南电网有限责任公司信息中心 Zero trust architecture system and use method thereof
CN111935169A (en) * 2020-08-20 2020-11-13 腾讯科技(深圳)有限公司 Business data access method, device, equipment and storage medium
CN113901499A (en) * 2021-10-18 2022-01-07 北京八分量信息科技有限公司 Zero-trust access authority control system and method based on trusted computing
CN114070600A (en) * 2021-11-11 2022-02-18 上海电气集团数字科技有限公司 Industrial Internet field identity access control method based on zero trust model
CN114697230A (en) * 2022-03-18 2022-07-01 国网浙江省电力有限公司绍兴市上虞区供电公司 Energy station safety monitoring system and method based on zero trust

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11962584B2 (en) * 2020-07-27 2024-04-16 Twistlock, Ltd. Providing zero trust network security without modification of network infrastructure
JP2023550622A (en) * 2020-11-20 2023-12-04 華為技術有限公司 Method and related apparatus for determining trusted terminals
US20220210173A1 (en) * 2020-12-31 2022-06-30 Fortinet, Inc. Contextual zero trust network access (ztna) based on dynamic security posture insights
CN113051602B (en) * 2021-01-22 2022-11-22 东南大学 Database fine-grained access control method based on zero trust architecture
CN113949573B (en) * 2021-10-18 2024-01-23 天翼数字生活科技有限公司 Zero-trust service access control system and method




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant