CN115189897A - Access processing method and device for zero trust network, electronic equipment and storage medium - Google Patents


Info

Publication number
CN115189897A
Authority
CN
China
Prior art keywords
trust network
access
zero trust
service site
application program
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110310333.4A
Other languages
Chinese (zh)
Inventor
吴岳廷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/90 Details of database functions independent of the retrieved data types
    • G06F 16/95 Retrieval from the web
    • G06F 16/957 Browsing optimisation, e.g. caching or content distillation

Abstract

The application provides a zero trust network access processing method, a device, electronic equipment and a computer readable storage medium, relating to the security field of cloud technology. The method comprises the following steps: receiving an access request sent by an application program; acquiring, from the access request, the address of the service site to be accessed by the application program; based on the identifier of the application program and the address of the service site, querying an access control policy of the zero trust network to obtain the access mode in which the application program accesses the service site; establishing a communication connection between the application program and the service site based on the access mode and the zero trust network; and sending the access request to the service site through the communication connection, and sending the service site's response to the access request to the application program through the communication connection. By the method and device, a flexible, stable and efficient access mode can be provided for the application program through the zero trust network.

Description

Access processing method and device for zero trust network, electronic equipment and storage medium
Technical Field
The present application relates to the field of internet technologies, and in particular, to a method and an apparatus for processing access to a zero trust network, an electronic device, and a computer-readable storage medium.
Background
The zero trust network establishes security access control between an access subject (i.e. the user area) and an access object (i.e. the enterprise data area), constructing a protection system whose logical boundary is 'identity': only trusted subjects (e.g. legitimate devices and legitimate users) may access the object (e.g. application systems, data, service interfaces and the like), which improves the network's ability to perceive security risk.
However, in the zero trust network access architecture provided by the related art, every trusted application must reach any site in the reachable area by way of proxy access, and this single, uniform access manner cannot adapt to the complex network environment in which the application program is located.
Disclosure of Invention
The embodiment of the application provides a zero trust network access processing method and device, electronic equipment and a computer readable storage medium, which can provide a flexible access mode for an application program through a zero trust network.
The technical scheme of the embodiment of the application is realized as follows:
the embodiment of the application provides an access processing method of a zero trust network, which comprises the following steps:
receiving an access request sent by an application program;
acquiring the address of a service site which needs to be accessed by the application program from the access request;
based on the identification of the application program and the address of the service site, inquiring an access control strategy of a zero trust network to obtain an access mode of the application program for accessing the service site;
establishing a communication connection between the application program and the service site based on the access mode and the zero trust network;
and sending the access request to the service site through the communication connection, and sending an access request response of the service site to the application program through the communication connection.
In the above solution, when receiving an access request sent by an application program, the method further includes acquiring the domain name of the service site as follows: matching the IP address corresponding to the access request against a virtual IP configuration list included in the access control policy; when the IP address exists in the virtual IP configuration list, querying a mapping list between virtual IP addresses and domain names with the IP address to obtain the domain name of the service site; and when the IP address does not exist in the virtual IP configuration list, querying the system's native mapping list between IP addresses and domain names with the IP address to obtain the domain name of the service site.
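The following is an added example, not code from the patent: a Python model of the two lookups above (virtual IP configuration list, then the system's native IP-to-domain mapping) followed by the policy query keyed by application identifier and site address that yields the access mode. The policy schema, the sample entries, the shell-style wildcard and CIDR matching of site rules, and the choice to return "deny" when no rule matches are assumptions of this example; the patent text specifies only the two lookups and the two access modes (proxy and direct).

```python
"""Domain name resolution and access control policy query of the claimed method.

Added example, not the patent's code. Assumed: the policy schema below, the
sample entries, wildcard/CIDR site patterns, and "deny" when no rule matches.
"""
from __future__ import annotations

import ipaddress
from fnmatch import fnmatch

# Constructed access control policy, as the zero trust network client would sync
# it to the zero trust network proxy end.
POLICY = {
    # Virtual IP configuration list: addresses the proxy end's custom DNS logic
    # hands to applications in place of the real site address.
    "virtual_ip_list": {"198.18.0.10", "198.18.0.11"},
    # Mapping list between virtual IP address and domain name.
    "vip_to_domain": {"198.18.0.10": "wiki.corp.example", "198.18.0.11": "git.corp.example"},
    # Ordered rules, first match wins. app_id and site accept shell-style wildcards;
    # a site written as a CIDR block is matched against the raw IP, not the domain.
    "rules": [
        {"app_id": "meeting.exe", "site": "*.corp.example",   "mode": "proxy"},
        {"app_id": "*",           "site": "cdn.corp.example", "mode": "direct"},
        {"app_id": "*",           "site": "10.0.0.0/8",       "mode": "proxy"},
    ],
}

# Constructed stand-in for the system's native IP -> domain mapping (resolver cache).
SYSTEM_IP_TO_DOMAIN = {"203.0.113.7": "cdn.corp.example"}


def resolve_site_domain(ip: str, policy: dict, system_map: dict) -> str | None:
    """Virtual IP list first, then the system's native mapping; None if neither knows the IP."""
    if ip in policy["virtual_ip_list"]:
        return policy["vip_to_domain"].get(ip)
    return system_map.get(ip)


def _site_matches(pattern: str, domain: str | None, ip: str) -> bool:
    try:
        network = ipaddress.ip_network(pattern, strict=False)
    except ValueError:                      # not a CIDR block: treat as a domain pattern
        return domain is not None and fnmatch(domain, pattern)
    return ipaddress.ip_address(ip) in network


def lookup_access_mode(app_id: str, ip: str, policy: dict = POLICY,
                       system_map: dict = SYSTEM_IP_TO_DOMAIN) -> str:
    """Return 'proxy', 'direct', or 'deny' (assumed default) for (application, site)."""
    domain = resolve_site_domain(ip, policy, system_map)
    for rule in policy["rules"]:
        if fnmatch(app_id, rule["app_id"]) and _site_matches(rule["site"], domain, ip):
            return rule["mode"]
    return "deny"


if __name__ == "__main__":
    for app, ip in (("meeting.exe", "198.18.0.10"), ("browser.exe", "198.18.0.10"),
                    ("browser.exe", "203.0.113.7"), ("browser.exe", "10.20.30.40")):
        print(app, ip, resolve_site_domain(ip, POLICY, SYSTEM_IP_TO_DOMAIN), lookup_access_mode(app, ip))
```

The order of the two lookups matters: a virtual IP is synthesised by the proxy end and is meaningless to the operating system's resolver, so it must be mapped through the policy's own table before the native mapping is consulted.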
In the foregoing solution, when the access mode is proxy access, establishing the communication connection between the application program and the service site based on the access mode and the zero trust network includes: obtaining the credential of the access request; forwarding the credential to the zero trust network server through the zero trust network gateway so that the zero trust network server verifies the credential and obtains a verification result; when the verification result indicates that the credential was verified successfully, sending the credential and the access request to the service site through the zero trust network gateway, so as to establish a communication connection between the application program and the service site that is proxied through the zero trust network gateway; and when the verification result indicates that verification of the credential failed, forwarding the access request to the service site through the zero trust network gateway so as to establish a directly connected communication connection between the application program and the service site.
In the above solution, receiving the access request sent by the application program includes: hijacking the access request sent by the application program through a virtual network card operated by the zero trust network proxy end. Obtaining the credential of the access request includes: extracting the request parameters of the access request through the zero trust network client, sending a credential request to the zero trust network server based on the request parameters, and receiving the credential returned by the zero trust network server.
In the foregoing solution, the request parameters include the address and port of the application program, the address and port of the service site, and the identifier of the application program. Sending a credential request to the zero trust network server based on the request parameters and receiving the credential returned by the zero trust network server includes: sending the request parameters to the zero trust network client through the zero trust network proxy end, so that the zero trust network client acquires the feature information of the application based on the identifier of the application program in the request parameters; and sending a credential request to the zero trust network server through the zero trust network client, the credential request carrying the address and port of the application program, the address and port of the service site and the feature information, so that the zero trust network server performs authentication and returns the credential to the zero trust network client when authentication passes.
In the foregoing solution, when the access mode is direct access, establishing the communication connection between the application program and the service site based on the access mode and the zero trust network includes: obtaining the credential of the access request through the zero trust network client, and forwarding the credential to the zero trust network server through the zero trust network gateway so that the zero trust network server verifies the credential and obtains a verification result; and when the verification result indicates that the credential was verified successfully, forwarding the credential and the access request to the service site through the zero trust network gateway so as to establish a directly connected communication connection between the application program and the service site.
An embodiment of the present application provides an access processing apparatus for a zero trust network, including:
the receiving module is used for receiving an access request sent by an application program;
the acquisition module is used for acquiring the address of the service site to be accessed by the application program from the access request;
the query module is used for querying an access control policy of the zero trust network based on the identifier of the application program and the address of the service site to obtain the access mode in which the application program accesses the service site;
the establishing module is used for establishing communication connection between the application program and the service site based on the access mode and the zero trust network;
and the sending module is used for sending the access request to the service site through the communication connection and sending an access request response of the service site to the application program through the communication connection.
An embodiment of the present application provides an electronic device, including:
a memory for storing executable instructions;
and the processor is used for realizing the access processing method of the zero trust network provided by the embodiment of the application when the executable instructions stored in the memory are executed.
The embodiment of the present application provides a computer-readable storage medium, which stores executable instructions for causing a processor to implement the access processing method for the zero trust network provided in the embodiment of the present application when the processor executes the executable instructions.
The embodiment of the application has the following beneficial effects:
the access control policy of the zero trust network is queried with the identifier of the application program and the address of the service site to obtain the access mode in which the application program accesses the service site, so that flexible and varied access modes can be provided according to the application program and the service site, the complexity of the network environment in which the application program and the service site are located is accommodated, and the stability and efficiency of accessing the service site through the zero trust network are ensured.
Drawings
Fig. 1 is a schematic architecture diagram of an access processing system 100 of a zero trust network provided in an embodiment of the present application;
fig. 2 is a schematic structural diagram of a terminal device 400 provided in an embodiment of the present application;
fig. 3A is a schematic flowchart of an access processing method of a zero trust network according to an embodiment of the present application;
fig. 3B is a schematic flowchart of an access processing method of a zero trust network according to an embodiment of the present application;
fig. 4 is a schematic flowchart of an access processing method of a zero trust network according to an embodiment of the present application;
fig. 5 is a schematic flowchart of an access processing method of a zero trust network according to an embodiment of the present application;
fig. 6 is a schematic view of a scenario in which an administrator configures an access control policy for a zero trust network according to an embodiment of the present application;
fig. 7A is a schematic view of a scenario in which an administrator configures an access control policy for a zero trust network according to an embodiment of the present application;
fig. 7B is a schematic view of a scenario in which an administrator configures an access control policy for a zero trust network according to an embodiment of the present application;
fig. 8 is a schematic view of a scenario in which an administrator configures an access control policy for a zero trust network according to an embodiment of the present application;
fig. 9 is a schematic configuration diagram of a trusted application provided in an embodiment of the present application;
fig. 10 is a schematic view of a scenario that an accessing user accesses a zero trust network client according to an embodiment of the present application;
fig. 11A is a schematic view of a scenario in which an accessing user queries an access control policy according to an embodiment of the present application;
fig. 11B is a schematic view of a scenario that an accessing user queries an access control policy according to an embodiment of the present application;
FIG. 12 is a schematic diagram illustrating an access process of a zero trust network provided in an embodiment of the present application;
fig. 13 is a schematic architecture diagram of an access processing system of a zero trust network provided in an embodiment of the present application;
fig. 14 is a flowchart illustrating a process of executing a custom DNS logic for a domain name carried by a network access request according to an embodiment of the present application;
fig. 15 is a schematic flowchart illustrating a process of executing a custom DNS logic for a domain name carried by a network access request according to an embodiment of the present application;
fig. 16 is a schematic diagram illustrating a principle that configuration information synchronization between an IOA client and a zero-trust network proxy is implemented in a manner of combining configuration-aware change pushing and configuration pull response according to an embodiment of the present application.
Detailed Description
In order to make the objectives, technical solutions and advantages of the present application clearer, the present application will be described in further detail with reference to the attached drawings, the described embodiments should not be considered as limiting the present application, and all other embodiments obtained by a person of ordinary skill in the art without creative efforts shall fall within the protection scope of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and may be combined with each other without conflict.
In the following description, references to the terms "first", "second", and the like are only used for distinguishing similar objects and do not denote a particular order or importance, but rather the terms "first", "second", and the like may be used interchangeably with the order of priority or the order in which they are expressed, where permissible, to enable embodiments of the present application described herein to be practiced otherwise than as specifically illustrated and described herein.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the application.
Before further detailed description of the embodiments of the present application, terms and expressions referred to in the embodiments of the present application will be described, and the terms and expressions referred to in the embodiments of the present application will be used for the following explanation.
1) Zero trust network: a communication architecture used between the access subject and the access object which, on the basis of identity authentication, provides secure business access, continuous trust evaluation and dynamic access control.
2) Access subject: in the zero trust network, the party initiating the access, which may be, for example, a person, a device, or an application accessing intranet service resources.
3) Access object: in the zero trust network, the party being accessed, which may be, for example, an intranet service resource, data, a development or test environment, an operations and maintenance environment, and the like.
4) Direct access: in the zero trust network architecture, when an application initiates a network access request to a target site and the zero trust network proxy end (e.g. a full traffic proxy) hijacks the request, the proxy end itself initiates the network access request to the target site, i.e. a directly connected access, and the full traffic proxy returns the target site's network response to the application. This access mode is called direct access.
5) Proxy access: in the zero trust network architecture, an application initiates a network access request to a target site; after the full traffic proxy hijacks the request, it forwards the request to a zero trust network gateway (e.g. an intelligent gateway), which accesses the target site on the application's behalf; the intelligent gateway then returns the target site's network response to the full traffic proxy, which forwards it to the application. This access mode is called proxy access.
6) Zero trust network proxy end: the terminal agent deployed on the controlled terminal that initiates secure access. It is responsible for initiating the trusted identity authentication request for the access subject, can establish an encrypted access connection once the identity is authenticated as trusted, and is also the policy enforcement point of access control. For example, the zero trust network proxy end may be a full traffic proxy that implements full traffic hijacking based on a TUN/TAP virtual network card.
7) Zero trust network gateway: deployed at the entrance to the enterprise's application programs and data resources, it is responsible for verifying and forwarding each session request that accesses enterprise resources.
8) Trusted application: an application carrier that the management end has authorized the terminal to use for accessing the internal service system, identified by the application name, the MD5 value of the application, signature information and the like.
9) Reachable area: the list of enterprise internal sites that an end user may access through the zero trust network.
In the zero trust network access architecture provided by the related art, an administrator is generally supported in issuing only a single type of access control policy (that is, a full-proxy policy type, under which any trusted application must access any site in the reachable area by way of proxy access); the administrator may adjust settings only within that single policy type, and switching between different policy types is not allowed. That is, the related art offers poor flexibility in the access methods provided by the zero trust network.
In view of this, embodiments of the present application provide an access processing method and apparatus for a zero trust network, an electronic device, and a computer-readable storage medium, which can improve flexibility of zero trust network access. An exemplary application of the electronic device provided in the embodiments of the present application is described below, and the electronic device provided in the embodiments of the present application may be implemented as various types of user terminals such as a notebook computer, a tablet computer, a desktop computer, a set-top box, a mobile device (for example, a mobile phone, a portable music player, a personal digital assistant, a dedicated messaging device, and a portable game device), and may also be implemented as a server. Next, an exemplary application when the electronic device is implemented as a terminal device will be explained.
Referring to fig. 1, fig. 1 is a schematic structural diagram of an access processing system 100 of a zero trust network provided in an embodiment of the present application, as shown in fig. 1, a terminal device 400 is a terminal device associated with a user, and an application 401, a zero trust network proxy 402, and a zero trust network client 403 run on the terminal device 400, where the application 401 may be various types of applications, such as a video playing application, an online conference application, a live broadcast application, a news application, an instant messaging application, and the like. It should be noted that the application 401 refers to an application which is trusted by the zero trust network server 200 to access an internal service system (e.g., the service server 500).
The zero trust network proxy 402 is configured to hijack access requests sent by the application 401, and stores the access control policy that the zero trust network client 403 acquires from the zero trust network server 200. When the zero trust network proxy 402 hijacks an access request sent by the application 401, it acquires from the access request the address of the service site (for example, the service server 500) that the application 401 needs to access, and queries the access control policy of the zero trust network based on the identifier of the application 401 and the address of the service server 500 (for example, its Internet Protocol (IP) address) to obtain the access mode in which the application 401 accesses the service server 500. The zero trust network proxy 402 then establishes a communication connection between the application 401 and the service server 500 based on the obtained access mode and the zero trust network (comprising the zero trust network proxy, the zero trust network gateway and the zero trust network server), sends the hijacked access request to the service server 500 through that connection, and sends the access request response returned by the service server 500 to the application 401 through the same connection. A detailed description follows.
For example, when the access mode is direct access, the zero trust network proxy 402 forwards the hijacked access request sent by the application 401 to the service server 500 so as to establish a directly connected communication connection between the application 401 and the service server 500, returns through that direct connection the access request response that the service server 500 sends for the application 401, and invokes the human-computer interaction interface of the application 401 to present it.
It should be noted that, for direct access, there is actually only one communication connection, directly connecting the application 401 and the service server 500, and no relay through the zero trust network gateway 300 is needed.
For example, when the access mode is proxy access, after hijacking an access request sent by the application 401, the zero trust network proxy 402 first sends an authentication request to the zero trust network client 403 (that is, the zero trust network proxy 402 applies to the zero trust network client 403 for a credential for the access request). After receiving the authentication request, the zero trust network client 403 applies to the zero trust network server 200 for a credential and sends the credential returned by the zero trust network server 200 to the zero trust network proxy 402. After receiving the credential, the zero trust network proxy 402 sends it to the zero trust network gateway 300, which sends it to the zero trust network server 200 for verification. When the zero trust network server 200 verifies the credential sent by the zero trust network gateway 300 successfully, the zero trust network gateway 300 establishes a communication connection with the zero trust network proxy 402; the zero trust network proxy 402 then forwards the hijacked access request to the zero trust network gateway 300, and the zero trust network gateway 300 forwards it to the service server 500. When the zero trust network server 200 fails to verify the credential, the zero trust network proxy 402 disconnects from the zero trust network gateway 300 and forwards the access request sent by the application 401 directly to the service server 500.
It should be noted that, for proxy access, there are actually two communication connections, one between the application 401 and the zero trust network gateway 300 and one between the zero trust network gateway 300 and the service server 500, relayed by the zero trust network gateway 300. That is, when the application 401 sends an access request to the service server 500, the address of the application 401 is replaced by the address of the zero trust network gateway 300, and when the access request response returned from the service server 500 is received, the address of the zero trust network gateway 300 is replaced by the address of the application 401 before the response is sent to the application 401.
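The flow set out in the claims for proxy and direct access and in the description of Fig. 1 above (credential application by the proxy 402 through the client 403, verification by the server 200 at the gateway 300's request, gateway relay with address replacement, and the fallback to a direct connection when verification fails) is modelled below as an added example in Python; it is not the patent's code. The credential format (an HMAC over the request parameters plus an expiry, bound to the target site), the shared key, the trusted application table keyed by application name and MD5 value, the in-process stand-ins for the five roles and the sample request are all assumptions. The fail-open fallback is implemented exactly as the text describes; the `fail_open` switch that turns it into a denial is an added option for deployments that prefer to fail closed, not something the patent specifies.

```python
"""In-process model of the credential flow behind proxy and direct access.

Added example, not the patent's code. Roles follow Fig. 1: application 401,
zero trust network proxy 402, zero trust network client 403, gateway 300,
zero trust network server 200, service server 500. Method calls stand in for
network I/O. Credential format, key, trusted-app table and sample data are assumed.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import time


class ZeroTrustServer:                              # role 200
    def __init__(self, key: bytes, trusted_apps: dict, ttl: int = 60):
        self.key = key                              # assumed: known only to the server
        self.trusted_apps = trusted_apps            # app name -> expected MD5 of its binary
        self.ttl = ttl

    def issue_credential(self, params: dict) -> str | None:
        """Authenticate the subject from its feature information (name + MD5)."""
        feat = params["feature_info"]
        if self.trusted_apps.get(feat["name"]) != feat["md5"]:
            return None                             # not a trusted application
        body = {k: params[k] for k in ("app_addr", "app_port", "site_addr", "site_port")}
        body["exp"] = int(time.time()) + self.ttl
        raw = json.dumps(body, sort_keys=True).encode()
        return raw.hex() + "." + hmac.new(self.key, raw, hashlib.sha256).hexdigest()

    def verify_credential(self, cred: str, site_addr: str, site_port: int) -> bool:
        """Check the MAC, the expiry, and that the credential is bound to the site being reached."""
        try:
            raw_hex, mac = cred.split(".", 1)
            raw = bytes.fromhex(raw_hex)
        except ValueError:
            return False
        if not hmac.compare_digest(mac, hmac.new(self.key, raw, hashlib.sha256).hexdigest()):
            return False
        body = json.loads(raw)
        return body["exp"] >= time.time() and (body["site_addr"], body["site_port"]) == (site_addr, site_port)


class ZeroTrustClient:                              # role 403
    def __init__(self, server: ZeroTrustServer, app_binaries: dict):
        self.server = server
        self.app_binaries = app_binaries            # app id -> (name, executable bytes); constructed

    def request_credential(self, params: dict) -> str | None:
        """Turn the application identifier into feature information, then ask the server."""
        name, blob = self.app_binaries[params["app_id"]]
        feature = {"name": name, "md5": hashlib.md5(blob).hexdigest()}
        return self.server.issue_credential({**params, "feature_info": feature})


class ServiceSite:                                  # role 500
    def __init__(self, addr: str, port: int):
        self.addr, self.port = addr, port

    def handle(self, request: dict) -> dict:
        return {"status": 200, "path": request["path"], "seen_src": request["src"]}


class Gateway:                                      # role 300
    def __init__(self, addr: str, server: ZeroTrustServer):
        self.addr, self.server = addr, server

    def relay(self, cred: str, request: dict, site: ServiceSite) -> dict | None:
        """Proxy access: have the server verify, then relay with address replacement."""
        if not self.server.verify_credential(cred, site.addr, site.port):
            return None
        resp = site.handle({**request, "src": self.addr})   # app address -> gateway address
        return {**resp, "dst": request["src"]}               # and back again on the response


class ZeroTrustProxy:                               # role 402
    def __init__(self, client: ZeroTrustClient, gateway: Gateway, fail_open: bool = True):
        self.client, self.gateway = client, gateway
        # The text falls back to a direct connection when verification fails (fail-open).
        # fail_open=False is an assumed option that denies the request instead.
        self.fail_open = fail_open

    def handle(self, request: dict, site: ServiceSite, mode: str) -> tuple:
        if mode == "direct":
            return "direct", site.handle(request)
        params = {"app_id": request["app_id"], "app_addr": request["src"],
                  "app_port": request["sport"], "site_addr": site.addr, "site_port": site.port}
        cred = self.client.request_credential(params)
        resp = self.gateway.relay(cred, request, site) if cred else None
        if resp is not None:
            return "proxy", resp
        if self.fail_open:
            return "direct-fallback", site.handle(request)
        return "denied", None


def build_demo(fail_open: bool = True) -> tuple[ZeroTrustProxy, ServiceSite]:
    """Constructed topology: one trusted app and one whose binary no longer matches its MD5."""
    good = b"meeting-app-build-1"
    server = ZeroTrustServer(b"example-key", {"meeting.exe": hashlib.md5(good).hexdigest()})
    client = ZeroTrustClient(server, {"app-401": ("meeting.exe", good),
                                      "app-rogue": ("meeting.exe", b"meeting-app-patched")})
    return ZeroTrustProxy(client, Gateway("10.0.0.1", server), fail_open), ServiceSite("10.0.0.5", 443)


def demo_request(app_id: str) -> dict:
    return {"app_id": app_id, "src": "192.168.1.20", "sport": 51000, "path": "/api/rooms"}


if __name__ == "__main__":
    proxy, site = build_demo()
    for app, mode in (("app-401", "proxy"), ("app-401", "direct"), ("app-rogue", "proxy")):
        print(app, mode, "->", proxy.handle(demo_request(app), site, mode))
```

In proxy mode the service site only ever sees the gateway's address, which is the address replacement the description attributes to the gateway 300; in direct mode, and in the fallback taken when the credential is refused, it sees the application's own address. A practitioner evaluating this design should notice that the fallback means a terminal whose application fails authentication still reaches the site, only without the gateway in the path.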
In some embodiments, the zero-trust network server 200 and the service server 500 may be independent physical servers, may also be a server cluster or a distributed system formed by a plurality of physical servers, and may also be cloud servers providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, and big data and artificial intelligence platforms. The terminal device 400 may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, and the like. The terminal device 400 may be directly or indirectly connected to the zero trust network server 200, the zero trust network gateway 300, and the service server 500 through wired or wireless communication, which is not limited in this embodiment of the application.
The structure of the terminal device 400 in fig. 1 is explained below. Referring to fig. 2, fig. 2 is a schematic structural diagram of a terminal device 400 provided in an embodiment of the present application, where the terminal device 400 shown in fig. 2 includes: at least one processor 410, memory 450, at least one network interface 420, and a user interface 430. The various components in the terminal device 400 are coupled together by a bus system 440. It is understood that the bus system 440 is used to enable communications among the components. The bus system 440 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as bus system 440 in fig. 2.
The Processor 410 may be an integrated circuit chip having Signal processing capabilities, such as a general purpose Processor, a Digital Signal Processor (DSP), or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like, wherein the general purpose Processor may be a microprocessor or any conventional Processor, or the like.
The user interface 430 includes one or more output devices 431, including one or more speakers and/or one or more visual displays, that enable the presentation of media content. The user interface 430 also includes one or more input devices 432, including user interface components to facilitate user input, such as a keyboard, mouse, microphone, touch screen display screen, camera, other input buttons and controls.
The memory 450 may be removable, non-removable, or a combination thereof. Exemplary hardware devices include solid state memory, hard disk drives, optical disk drives, and the like. Memory 450 optionally includes one or more storage devices physically located remote from processor 410.
The memory 450 includes both volatile memory and nonvolatile memory, and can include both volatile and nonvolatile memory. The nonvolatile Memory may be a Read Only Memory (ROM), and the volatile Memory may be a Random Access Memory (RAM). The memory 450 described in embodiments herein is intended to comprise any suitable type of memory.
In some embodiments, memory 450 is capable of storing data, examples of which include programs, modules, and data structures, or a subset or superset thereof, to support various operations, as exemplified below.
An operating system 451, including system programs for handling various basic system services and performing hardware-related tasks, such as a framework layer, a core library layer, a driver layer, etc., for implementing various basic services and handling hardware-based tasks;
a network communication module 452 for communicating with other computing devices via one or more (wired or wireless) network interfaces 420, exemplary network interfaces 420 including Bluetooth, Wireless Fidelity (Wi-Fi), Universal Serial Bus (USB), and the like;
a presentation module 453 for enabling presentation of information (e.g., user interfaces for operating peripherals and displaying content and information) via one or more output devices 431 (e.g., display screens, speakers, etc.) associated with user interface 430;
an input processing module 454 for detecting one or more user inputs or interactions from one of the one or more input devices 432 and translating the detected inputs or interactions.
In some embodiments, the apparatus provided in this embodiment may be implemented in software, and fig. 2 illustrates the zero trust network access processing apparatus 455 stored in the memory 450, which may be software in the form of programs and plug-ins, and includes the following software modules: a receiving module 4551, an obtaining module 4552, a query module 4553, an establishing module 4554, a sending module 4555, a matching module 4556, a determining module 4557, a pushing module 4558 and a constructing module 4559. These modules are logical, and may therefore be combined arbitrarily or further divided according to the functions implemented.
For example, each step of the corresponding terminal device, the zero trust network server, and the zero trust network gateway described below in the embodiment of the present application may be implemented as an individual module, and may be correspondingly deployed in the terminal device, the zero trust network server, and the zero trust network gateway in a manner of hardware, software, or a combination of the two, so as to enable the terminal device, the zero trust network server, and the zero trust network gateway to cooperate to implement the access processing method of the zero trust network provided in the embodiment of the present application.
Of course, the terminal device, the zero trust network server and the zero trust network gateway may all implement all modules in the apparatus shown in fig. 2, and each electronic device has a capability of implementing any one role among the terminal device, the zero trust network server and the zero trust network gateway, so that the roles may be flexibly switched according to actual needs, for example, the zero trust network server may be switched to the role of the zero trust network gateway when necessary, so that the proportions of the electronic devices of different roles may be flexibly adjusted according to actual service requirements.
For example, in the case of the terminal device shown in fig. 2, although all the modules of the above-described access processing apparatus 455 are shown at once, this does not exclude an implementation in which the access processing apparatus 455 deployed in the terminal device includes only the receiving module 4551, the obtaining module 4552, the query module 4553, the establishing module 4554, and the sending module 4555. The functions of the respective modules are described below.
In other embodiments, the apparatus provided in this embodiment of the present application may be implemented in hardware; for example, the apparatus provided in this embodiment of the present application may be a processor in the form of a hardware decoding processor, which is programmed to execute the access processing method of the zero trust network provided in this embodiment of the present application. For example, the processor in the form of the hardware decoding processor may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field Programmable Gate Arrays (FPGAs), or other electronic components.
As described above, the access processing apparatus 455 of the zero trust network provided in this embodiment of the present application may be deployed in the terminal device, the zero trust network server, and the zero trust network gateway, so that the access processing method of the zero trust network is cooperatively implemented by the terminal device, the zero trust network server, and the zero trust network gateway.
Referring to fig. 3A, fig. 3A is a flowchart illustrating an access processing method of a zero trust network according to an embodiment of the present application, where the steps illustrated in fig. 3A may be executed by a terminal device running a zero trust network proxy and a zero trust network client. As shown in fig. 3A, in step S101, an access request sent by an application is received; in step S102, an address of a service site that the application needs to access is obtained from the access request; in step S103, based on the identifier of the application program and the address of the service site, an access control policy of the zero trust network is queried to obtain an access mode in which the application program accesses the service site; in step S104, establishing a communication connection between the application program and the service site based on the access mode and the zero trust network; in step S105, an access request is sent to the service site through the communication connection, and an access request response of the service site is sent to the application program through the communication connection. Therefore, flexible and various access modes can be provided according to the application program and the service site, the characteristic that the network environment where the application program and the service site are located is complicated is adapted, and the stability and the efficiency of accessing the service site through the zero-trust network are ensured.
The access processing method of the zero trust network provided by the embodiment of the present application is specifically described below from the perspective of interaction between the terminal device (running with the application program, the zero trust network proxy end and the zero trust network client), the zero trust network gateway, and the zero trust network server.
Referring to fig. 3B, fig. 3B is a schematic flowchart of an access processing method of a zero trust network provided in an embodiment of the present application, and as shown in fig. 3B, an application program, a zero trust network proxy end, and a zero trust network client end run on a terminal device, which will be specifically described with reference to the steps shown in fig. 3B.
In step S201, the zero-trust network proxy hijacks the access request sent by the application.
In some embodiments, the access user may perform a triggering operation (for example, a contact operation such as a click and a long press, or a non-contact operation such as a voice and a gesture) on the application running on the terminal device, so that the application sends a corresponding access request, and then, the zero-trust network proxy (for example, the full-traffic proxy) hijacks the access request sent by the application through the virtual network card.
For example, taking an application as a retrieval-type application (e.g., a browser), when a browser running on a terminal device receives a click operation triggered by an access user, a corresponding access request is generated, for example, the access request may be generated after the access user inputs a domain name of a certain service site in a search bar of the browser, and then, the full-traffic proxy may hijack the access request sent by the browser based on the TUN/TAP virtual network card.
In other embodiments, the application may initiate the access request as follows: first, the binding relationship between the service site to be accessed and a network address stored in the domain name cache is queried, and then an access request for the service site is generated based on the queried network address.
However, when the domain name cache of the application does not store a binding relationship between the service site and a network address, the access processing method of the zero trust network provided by the embodiment of the present application may further perform the following processing: the zero trust network proxy listens on the domain name resolution port (for example, port 53) to hijack the domain name resolution request sent by the application, extracts the domain name of the service site from the domain name resolution request, and queries the access control policy based on the extracted domain name to obtain the IP address allocated for the domain name (for example, when the access control policy is a full proxy type policy, a corresponding virtual IP address is allocated for the domain name through custom Domain Name System (DNS) logic in the zero trust network proxy, and a mapping list between the domain name and the virtual IP address is created; when the access control policy is a full direct connection type policy, the domain name is resolved through the system DNS on the internet to obtain the system-native IP address corresponding to the domain name, and a mapping list between the domain name and the system-native IP address is created); then the obtained IP address is sent to the application through the zero trust network proxy, so that the application generates the access request based on the IP address.
For example, taking an application that needs to access a service site with the domain name "km.oa.com" as an example, the zero trust network proxy listens on port 53 to hijack the domain name resolution request sent by the application, and extracts the domain name of the service site, that is, "km.oa.com", from the domain name resolution request; then the access control policy is queried based on the domain name, and when the domain name "km.oa.com" exists in the virtual IP configuration list, that is, when the domain name "km.oa.com" needs to be accessed by proxy access, a corresponding virtual IP address, for example "192.168.202.1", is allocated for the domain name "km.oa.com" through the custom DNS logic in the zero trust network proxy, and this virtual IP address is returned to the application, so that the application generates an access request for the domain name "km.oa.com" based on this virtual IP address.
In step S202, the zero trust network proxy acquires the address of the service site that the application needs to access from the access request.
In some embodiments, the address of the service site may comprise a domain name address, such as "www.aaa.com", or an IP address, such as "10.28.0.12". For an access request in IP address form there is no domain name resolution process, so the access request can be hijacked directly by the virtual network card. For an access request in domain name form, because DNS resolution of an enterprise intranet domain name may fail on the public network (i.e., the corresponding IP address cannot be resolved) or DNS resolution may be subject to domain name pollution, the application may be unable to initiate the subsequent network access request (i.e., when the application initiates an access request for a service site in domain name form, the access can only proceed after DNS has resolved a correct IP address).
In view of the above technical problems, the access processing method for a zero trust network provided in the embodiments of the present application may obtain the domain name of the service site as follows: the IP address corresponding to the access request is matched against the virtual IP configuration list in the access control policy; when the IP address exists in the virtual IP configuration list, the mapping list between virtual IP addresses and domain names is queried based on the IP address to obtain the domain name of the service site; and when the IP address does not exist in the virtual IP configuration list, the mapping list between system-native IP addresses and domain names is queried based on the IP address to obtain the domain name of the service site. In this way, the problem that the application cannot initiate subsequent requests because DNS resolution of some enterprise intranet domain names fails on the public network, or because domain name pollution occurs during DNS resolution, can be solved.
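As an added illustration (not code from the patent), the following Python sketch models the proxy-side logic of steps S201 and S202 above: an intercepted domain name resolution request is answered with a virtual IP for domains in the virtual IP configuration list, or with the system-native IP otherwise, and the two mapping lists are later used to recover the service-site domain from the destination IP of a hijacked access request. The domain list, the 192.168.202.0/24 pool and the static table standing in for the system DNS are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Constructed virtual IP configuration list and pool (assumptions, not from the patent).
VIRTUAL_IP_DOMAINS: Set[str] = {"km.oa.com", "wiki.oa.com"}
VIRTUAL_IP_POOL = ipaddress.ip_network("192.168.202.0/24")

# Constructed stand-in for the system DNS so the example runs offline;
# a real proxy would call socket.gethostbyname() or an upstream resolver here.
_CONSTRUCTED_SYSTEM_DNS = {"www.aaa.com": "10.28.0.12"}


def constructed_system_dns(domain: str) -> str:
    try:
        return _CONSTRUCTED_SYSTEM_DNS[domain]
    except KeyError:
        raise LookupError(f"system DNS could not resolve {domain}") from None


@dataclass
class DomainMapper:
    """Proxy-side mapping lists: domain <-> virtual IP for proxied sites and
    domain <-> system-native IP for sites that are reached directly."""
    virtual_domains: Set[str]
    pool: ipaddress.IPv4Network
    resolver: Callable[[str], str] = constructed_system_dns
    virtual_map: Dict[str, str] = field(default_factory=dict)  # virtual IP -> domain
    native_map: Dict[str, str] = field(default_factory=dict)   # native IP -> domain
    _next_host: int = 1

    def _allocate_virtual_ip(self, domain: str) -> str:
        # Reuse an existing allocation so the application keeps seeing one address.
        for ip, known in self.virtual_map.items():
            if known == domain:
                return ip
        host = self.pool.network_address + self._next_host
        if host not in self.pool or host == self.pool.broadcast_address:
            raise RuntimeError("virtual IP pool exhausted")
        self._next_host += 1
        self.virtual_map[str(host)] = domain
        return str(host)

    def handle_dns_request(self, domain: str) -> str:
        """Answer a domain name resolution request intercepted on port 53."""
        domain = domain.lower().rstrip(".")
        if domain in self.virtual_domains:
            return self._allocate_virtual_ip(domain)   # full proxy path: custom DNS logic
        ip = self.resolver(domain)                     # full direct path: system DNS
        self.native_map[ip] = domain
        return ip

    def is_virtual(self, ip: str) -> bool:
        """Match the destination IP of an access request against the virtual IP configuration."""
        return ipaddress.ip_address(ip) in self.pool

    def domain_for(self, ip: str) -> Optional[str]:
        """Recover the service-site domain from the destination IP of a hijacked request."""
        if self.is_virtual(ip):
            return self.virtual_map.get(ip)
        return self.native_map.get(ip)


if __name__ == "__main__":
    mapper = DomainMapper(VIRTUAL_IP_DOMAINS, VIRTUAL_IP_POOL)
    vip = mapper.handle_dns_request("km.oa.com")
    print(vip, "->", mapper.domain_for(vip))     # 192.168.202.1 -> km.oa.com
    nip = mapper.handle_dns_request("www.aaa.com")
    print(nip, "->", mapper.domain_for(nip))     # 10.28.0.12 -> www.aaa.com
```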
In step S203, the zero trust network proxy queries the access control policy of the zero trust network based on the identifier of the application and the address of the service site, so as to obtain an access mode of the application accessing the service site.
In some embodiments, when the access control policy is a full proxy type policy, the zero trust network proxy may obtain the access mode in which the application accesses the service site as follows: the application is matched against each of a plurality of trusted application configuration nodes in the full proxy type policy, and the address of the service site is matched against each of a plurality of reachable area configuration nodes in the full proxy type policy; a trusted application configuration node comprises a plurality of characteristic fields of an application allowed to access (such as the application's name, process name, serial number, signature information, etc.), and a reachable area configuration node comprises a plurality of characteristic fields of a service site allowed to be accessed (such as the name of the module in which the reachable area is located, the name of the reachable area, etc.); when a trusted application configuration node matching the application exists and a reachable area configuration node matching the address of the service site exists, the access mode is determined to be proxy access; and when no trusted application configuration node matching the application exists or no reachable area configuration node matching the address of the service site exists, the access mode is determined to be direct access.
In other embodiments, when the access control policy is a full direct connection type policy, the zero trust network proxy may obtain the access mode in which the application accesses the service site as follows: the application is matched against each of a plurality of trusted application configuration nodes in the full direct connection type policy, and the address of the service site is matched against each of a plurality of reachable area configuration nodes in the full direct connection type policy; when a trusted application configuration node matching the application exists and a reachable area configuration node matching the address of the service site exists, the access mode is determined to be direct access; and when no trusted application configuration node matching the application exists or no reachable area configuration node matching the address of the service site exists, the access mode is determined to be proxy access.
For example, taking the access control policy stored in the zero trust network proxy to be a full direct connection type policy, after acquiring the identifier of an application (for example, application A) and the address of the service site (for example, service site B) that application A needs to access, the zero trust network proxy matches application A against the plurality of trusted application configuration nodes in the full direct connection type policy, and matches the address of service site B against the plurality of reachable area configuration nodes in the full direct connection type policy; when application A exists in a trusted application configuration node and service site B exists in a reachable area configuration node, the access mode in which application A accesses service site B is determined to be direct access; and when application A does not exist in any trusted application configuration node or service site B does not exist in any reachable area configuration node, the access mode in which application A accesses service site B is determined to be proxy access.
In other embodiments, when the access control policy includes a direct connection configuration list, the zero trust network proxy may further obtain an access mode of the application program to access the service site by: matching the address of the service site with a direct connection configuration list; and when the address of the service site exists in the direct connection configuration list, determining that the access mode of the application program for accessing the service site is direct connection access.
For example, taking a service site as a service site a as an example, addresses (including IP addresses and domain name addresses) of a plurality of service sites are stored in a direct connection configuration list, and when the address of the service site a hits the direct connection configuration list, that is, when the address of the service site a exists in the direct connection configuration list, it is determined that an access mode in which an application accesses the service site a is direct connection access.
In some embodiments, when the access control policy includes a virtual IP configuration list, the zero trust network proxy may further obtain an access mode of the application program to access the service site by: matching the address of the service site with a virtual IP configuration list; and when the address of the service site exists in the virtual IP configuration list, determining that the access mode of the application program for accessing the service site is proxy access.
For example, taking a service site as a service site B, the addresses (for example, virtual IP addresses) of multiple service sites are stored in the virtual IP configuration list, and when the address of the service site B hits the virtual IP configuration list, that is, when the address of the service site B exists in the virtual IP configuration list, the access mode in which the application program accesses the service site B is determined to be proxy access.
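An added example (not the patent's code) that evaluates the access mode from the policy elements described in step S203: trusted application configuration nodes, reachable area configuration nodes, the direct connection configuration list and the virtual IP configuration list, under both the full proxy and the full direct connection policy types. The field names of the nodes, the precedence of the two explicit lists over node matching, and the sample policy are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set

FULL_PROXY = "full_proxy"      # full proxy type policy
FULL_DIRECT = "full_direct"    # full direct connection type policy
PROXY_ACCESS, DIRECT_ACCESS = "proxy", "direct"


@dataclass(frozen=True)
class AppInfo:
    """Identity of the requesting application (field set is an assumption)."""
    name: str
    process_name: str
    signer: str


@dataclass(frozen=True)
class TrustedAppNode:
    """Trusted application configuration node; a None field matches anything."""
    name: Optional[str] = None
    process_name: Optional[str] = None
    signer: Optional[str] = None

    def matches(self, app: AppInfo) -> bool:
        pairs = ((self.name, app.name),
                 (self.process_name, app.process_name),
                 (self.signer, app.signer))
        return all(want is None or want == got for want, got in pairs)


@dataclass(frozen=True)
class ReachableAreaNode:
    """Reachable area configuration node: module name, area name and the
    domains or CIDR ranges belonging to the area (assumed representation)."""
    module: str
    area: str
    domains: FrozenSet[str] = frozenset()
    networks: FrozenSet[str] = frozenset()

    def matches(self, address: str) -> bool:
        if address in self.domains:
            return True
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            return False                   # a domain name not listed in this area
        return any(ip in ipaddress.ip_network(net) for net in self.networks)


@dataclass
class AccessControlPolicy:
    policy_type: str
    trusted_apps: List[TrustedAppNode]
    reachable_areas: List[ReachableAreaNode]
    direct_list: Set[str] = field(default_factory=set)      # direct connection configuration list
    virtual_ip_list: Set[str] = field(default_factory=set)  # virtual IP configuration list


def decide_access_mode(policy: AccessControlPolicy, app: AppInfo, site: str) -> str:
    """Return PROXY_ACCESS or DIRECT_ACCESS for app -> site under the policy."""
    # The explicit lists are consulted first (this precedence is an assumption).
    if site in policy.direct_list:
        return DIRECT_ACCESS
    if site in policy.virtual_ip_list:
        return PROXY_ACCESS
    app_trusted = any(node.matches(app) for node in policy.trusted_apps)
    site_reachable = any(node.matches(site) for node in policy.reachable_areas)
    both = app_trusted and site_reachable
    if policy.policy_type == FULL_PROXY:
        return PROXY_ACCESS if both else DIRECT_ACCESS
    if policy.policy_type == FULL_DIRECT:
        return DIRECT_ACCESS if both else PROXY_ACCESS
    raise ValueError(f"unknown policy type {policy.policy_type!r}")


# Constructed sample policy elements and applications (assumptions, not from the patent).
SAMPLE_AREAS = [ReachableAreaNode("oa", "intranet",
                                  frozenset({"km.oa.com"}), frozenset({"10.28.0.0/16"}))]
SAMPLE_TRUSTED = [TrustedAppNode(process_name="browser.exe", signer="Example Corp")]
APP_A = AppInfo("Browser", "browser.exe", "Example Corp")
APP_C = AppInfo("Unknown", "tool.exe", "nobody")

if __name__ == "__main__":
    policy = AccessControlPolicy(FULL_DIRECT, SAMPLE_TRUSTED, SAMPLE_AREAS)
    print(decide_access_mode(policy, APP_A, "km.oa.com"))   # direct
    print(decide_access_mode(policy, APP_C, "km.oa.com"))   # proxy
```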
In other embodiments, after determining the access mode, the zero trust network proxy side may establish a communication connection between the application program and the service site based on the access mode and the zero trust network; and sending an access request to the service site over the communication connection and sending an access request response for the service site to the application over the communication connection.
It should be noted that, for the direct access, the source address/port of the access request is not modified (i.e. always points to the application program), so that the direct communication connection between the application program and the service site can be established through the three-way handshake protocol; for proxy access, a credential and an access request (at this time, a source address/port is a source address/port of the zero trust network gateway) need to be sent to the service site through the zero trust network gateway, that is, a communication connection is established between the zero trust network gateway itself and the service site, and a communication connection is also needed to be established between the zero trust network gateway and the application program, so that the zero trust network gateway can forward data between the zero trust network gateway and the service site.
The two access modes are explained in detail below.
In some embodiments, when the access mode is determined to be direct access in step S203, steps S204 to S206 will be performed subsequently.
In step S204, the zero-trust network proxy sends the hijacked access request to the service server.
In some embodiments, when the zero trust network proxy queries the access control policy of the zero trust network based on the identifier of the application and the address of the service site, and obtains that the access mode of the application accessing the service site is direct access, the hijacked access request can be directly forwarded to the corresponding service server.
For example, taking an application a accessing a service site B with an IP address of "192.168.202.1" as an example, when the zero-trust network proxy queries an access control policy of the zero-trust network (for example, compares the IP address of the service site B with a direct connection configuration list) based on the identifier of the application a and the IP address of the service site B, and obtains that an access mode of the application a accessing the service site B is direct access, the access request sent by the application a is directly forwarded to a service server with an IP address of "192.168.202.1" through a physical network card.
In step S205, the service server returns an access request response to the zero-trust network proxy.
In some embodiments, when the service server receives the access request forwarded by the zero trust network proxy, the service server responds and returns the response result to the zero trust network proxy, for example, when the access request sent by the application is a retrieval request, the service server may return the retrieval result to the zero trust network proxy.
In step S206, the zero trust network proxy sends the access request response returned by the service server to the application program.
In some embodiments, after receiving the access request response returned by the service server, the zero-trust network proxy sends the received access request response to the application program, so that the application program outputs the access request response to the human-computer interaction interface.
In other embodiments, when the access mode is determined to be proxy access in step S203, steps S204 to S206 are replaced by steps S207 to S2017, i.e., steps S207 to S2017 are performed subsequently.
In step S207, the zero trust network proxy sends an authentication request to the zero trust network client.
In some embodiments, when the zero trust network proxy queries the access control policy of the zero trust network based on the identifier of the application and the address of the service site, and obtains that the access mode of the application accessing the service site is proxy access, an authentication request is first sent to the zero trust network client (i.e., a credential corresponding to the access request is applied to the zero trust network client).
In step S208, the zero trust network client applies for the credential for the access request to the zero trust network server.
In some embodiments, after receiving the authentication request sent by the zero trust network proxy, the zero trust network client extracts the request parameters carried in the authentication request, where the request parameters may include the address and port of the application, the address and port of the service site, the identifier of the application (e.g., the Process Identifier (PID) corresponding to the application), etc.; then the zero trust network client may obtain characteristic information of the application (e.g., the process MD5 value corresponding to the application, the process path, the process's latest modification time, copyright information, signature information, etc.) based on the identifier of the application carried in the request parameters, and then the zero trust network client sends a credential request (i.e., applies for a ticket) to the zero trust network server, where the credential request carries the address and port of the application, the address and port of the service site, and the characteristic information of the application.
In step S209, the zero trust network server returns a credential to the zero trust network client.
In some embodiments, after receiving a credential request sent by the zero trust network client, the zero trust network server performs authentication processing on the credential request, generates a credential corresponding to an access request sent by an application program after the authentication is passed, and returns the credential, the maximum use times of the credential, and the effective use time of the credential to the zero trust network client as a response.
In step S2010, the zero trust network client sends the credential returned by the zero trust network server to the zero trust network proxy.
In some embodiments, after receiving the credential, the maximum number of times of use of the credential, and the valid use time of the credential returned by the zero trust network server, the zero trust network client sends the credential, the maximum number of times of use of the credential, and the valid use time of the credential to the zero trust network proxy as a response to the authentication request.
In step S2011, the zero trust network proxy sends the credential to the zero trust network gateway.
In some embodiments, after receiving the credential sent by the zero trust network client, the zero trust network proxy sends the credential to the zero trust network gateway, and the zero trust network gateway forwards the credential to the zero trust network server, so that the zero trust network server checks the credential.
In step S2012, the zero trust network gateway sends the credential to the zero trust network server for verification.
In some embodiments, after receiving the credential sent by the zero trust network gateway, the zero trust network server verifies the credential, for example, compares the credential sent by the zero trust network gateway with a credential stored in the zero trust network server (i.e., the credential generated in step S209), and when the two are consistent, determines that the verification is passed, and returns a verification result representing that the verification is passed to the zero trust network gateway; and when the two are not consistent, determining that the verification fails, and returning a verification result representing the verification failure to the zero-trust network gateway.
It should be noted that, when the zero trust network gateway receives a verification result indicating that the verification fails, which is returned by the zero trust network server, the communication connection with the zero trust network proxy end is disconnected, so that the zero trust network proxy end directly forwards the access request to the corresponding service server through the physical network card.
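An added example, not from the patent, of the credential lifecycle in steps S208 to S2013: the server authenticates the credential request and returns a credential with its maximum use times and effective use time, and later verifies the credential the gateway presents against its stored copy, with the gateway disconnecting on failure so the proxy falls back to direct forwarding. The random token format, the allow-list of application fingerprints standing in for the authentication step, and binding the credential to one service site endpoint are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]   # (address, port)


@dataclass
class CredentialRecord:
    app_endpoint: Endpoint
    site_endpoint: Endpoint
    app_fingerprint: str      # characteristic info of the application (assumed form)
    issued_at: float
    valid_seconds: int        # effective use time of the credential
    max_uses: int             # maximum use times of the credential
    uses: int = 0


class ZeroTrustServer:
    """Issues credentials to the zero trust network client (step S209) and
    verifies credentials forwarded by the gateway (step S2012)."""

    def __init__(self, trusted_fingerprints: Set[str],
                 valid_seconds: int = 300, max_uses: int = 5):
        self.trusted_fingerprints = trusted_fingerprints
        self.valid_seconds = valid_seconds
        self.max_uses = max_uses
        self._credentials: Dict[str, CredentialRecord] = {}

    def issue_credential(self, app_endpoint: Endpoint, site_endpoint: Endpoint,
                         app_fingerprint: str, now: float) -> Optional[Tuple[str, int, int]]:
        """Authenticate the request; on success return (credential, max uses, valid seconds)."""
        # Authentication here is an allow-list check on the application's characteristic
        # information; the patent does not fix the exact rule (assumption).
        if app_fingerprint not in self.trusted_fingerprints:
            return None
        credential = secrets.token_urlsafe(32)   # unguessable, single-purpose ticket
        self._credentials[credential] = CredentialRecord(
            app_endpoint, site_endpoint, app_fingerprint, now,
            self.valid_seconds, self.max_uses)
        return credential, self.max_uses, self.valid_seconds

    def verify_credential(self, credential: str, site_endpoint: Endpoint, now: float) -> bool:
        """Compare a credential sent by the gateway with the stored one and enforce its limits."""
        record = self._credentials.get(credential)
        if record is None:
            return False
        expired = now - record.issued_at > record.valid_seconds
        exhausted = record.uses >= record.max_uses
        if expired or exhausted:
            del self._credentials[credential]     # stale entries are dropped
            return False
        if record.site_endpoint != site_endpoint:
            return False                          # bound to one service site (assumption)
        record.uses += 1
        return True


def gateway_decision(server: ZeroTrustServer, credential: str,
                     site_endpoint: Endpoint, now: float) -> str:
    """Gateway side of steps S2011 to S2013: forward the access request on a passed
    verification, otherwise disconnect so the proxy falls back to direct forwarding."""
    return "forward" if server.verify_credential(credential, site_endpoint, now) else "disconnect"


if __name__ == "__main__":
    server = ZeroTrustServer({"fp-app-a"}, valid_seconds=60, max_uses=2)
    site = ("10.28.0.12", 443)                                  # constructed service site
    cred, uses, valid = server.issue_credential(("10.0.0.5", 51000), site, "fp-app-a", 1000.0)
    print(uses, valid, gateway_decision(server, cred, site, 1010.0))   # 2 60 forward
```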
In step S2013, the zero trust network proxy sends the hijacked access request to the zero trust network gateway.
In some embodiments, when the zero trust network server passes the verification of the credential sent by the zero trust network gateway, the zero trust network proxy forwards the access request sent by the hijacked application program to the zero trust network gateway, so that the zero trust network gateway accesses the target service site.
In step S2014, the zero trust network gateway forwards the access request to the service server.
In some embodiments, after receiving an access request sent by a zero trust network proxy, a zero trust network gateway forwards the access request to a corresponding service server according to a destination IP address or a domain name (i.e., an IP address or a domain name corresponding to the service server) carried by the access request.
In step S2015, the service server sends an access request response to the zero trust network gateway.
In some embodiments, after receiving the access request forwarded by the zero trust network gateway, the service server responds to the access request and returns an access request response to the zero trust network gateway. For example, when the access request sent by the application is a retrieval request, the service server may return the retrieval result to the zero-trust network gateway.
In step S2016, the zero trust network gateway sends the access request response to the zero trust network proxy.
In some embodiments, after receiving an access request response returned by the service server, the zero trust network gateway returns the access request response to the zero trust network proxy running on the terminal device. For example, the zero trust network gateway may return the search result returned by the service server to the zero trust network proxy end operated by the terminal device associated with the visiting user.
In step S2017, the zero trust network proxy sends an access request response to the application.
In some embodiments, after receiving an access request response returned by the service server forwarded by the zero trust network gateway, the zero trust network proxy sends the received access request response to the application program, so that the application program outputs the access request response to the human-computer interaction interface.
The following describes an update process of configuration information (including an access control policy, a connection address of a zero trust network server, connection configuration information of a zero trust network gateway, and the like) stored in the zero trust network proxy.
In some embodiments, the updated configuration information (for example, an administrator adds a reachable area configuration node or modifies a connection address configuration of the zero trust network gateway, for example, modifies a connection protocol, a connection address, a connection port, or the like) may be sent to the zero trust network proxy in an active push manner by the zero trust network server.
For example, referring to fig. 4, fig. 4 is a schematic flowchart of an access processing method of a zero trust network according to an embodiment of the present application, and will be described with reference to steps S301 to S303 shown in fig. 4.
In step S301, a trigger is set in the zero trust network server.
In some embodiments, a trigger may be set in the zero trust network server, where the trigger condition of the trigger may be to trigger the zero trust network server to automatically push updated configuration information to the zero trust network client when any one of the access control policy, the connection address of the zero trust network server, and the connection configuration information of the zero trust network gateway is updated.
In step S302, when the configuration information is updated, the zero trust network server is triggered to push the updated configuration information to the zero trust network client.
In some embodiments, when the trigger detects that the configuration information stored in the zero trust network server is updated, for example, when the administrator modifies the access control policy, the zero trust network server is automatically triggered to push the modified access control policy to the zero trust network client.
In step S303, the zero trust network client sends the updated configuration information to the zero trust network proxy.
In some embodiments, after receiving the updated configuration information pushed by the zero trust network server, the zero trust network client pushes the received updated configuration information to the zero trust network proxy, so that the zero trust network proxy sets the received updated configuration information.
In other embodiments, the zero trust network client may further receive a response result returned by the zero trust network proxy and perform the following operations: constructing a push state cache based on the response result of the zero trust network proxy; the response result is generated after the zero trust network proxy has set the updated configuration information; the push state cache takes the form of key-value pairs, where each key-value pair uses the hash value corresponding to the updated configuration information as the key and the push timestamp and push state corresponding to the updated configuration information as the value; and the push state comprises at least one of: unknown state, to-be-pushed state, push success, and push failure.
For example, taking the updated configuration information as configuration information A, after receiving configuration information A pushed by the zero trust network client, the zero trust network proxy sets configuration information A and returns a response result (for example, setting succeeded) to the zero trust network client. After receiving the response result returned by the zero trust network proxy, the zero trust network client performs a hash operation on configuration information A to obtain the hash value corresponding to configuration information A, and creates a cache item corresponding to configuration information A with that hash value as the key and the push timestamp and push state corresponding to configuration information A as the value, the push state being push success.
In other embodiments, for configuration information corresponding to a specific timestamp and a specific hash value, the zero trust network client may further perform the following processing: when the zero trust network proxy has successfully received and set the configuration information, the push state cache is queried based on the specific hash value; when a cache record corresponding to the specific hash value exists in the push state cache, the push state corresponding to the specific hash value is updated (for example, from push failure to push success); when no cache record corresponding to the specific hash value exists in the push state cache, the number of cache items in the push state cache is determined; and when the number of cache items is larger than the number threshold, a preset number of cache items is deleted according to the push timestamps, and a cache item corresponding to the specific hash value and the specific timestamp is created in the push state cache after the deletion.
In other embodiments, the updated configuration information may be synchronized to the zero trust network proxy side by actively pulling the zero trust network client side.
For example, with continuing reference to fig. 4, fig. 4 is a schematic flowchart of an access processing method of a zero trust network provided in an embodiment of the present application, and will be described with reference to step S304 to step S307 shown in fig. 4.
In step S304, a timer is set in the zero trust network client.
In some embodiments, a timer may be set in the zero trust network client to cause the zero trust network client to periodically (e.g., every 10 minutes) send a configuration information acquisition request to the zero trust network server.
In step S305, the zero trust network client periodically sends a configuration information obtaining request to the zero trust network server based on the timer.
In some embodiments, the zero trust network client initiates a configuration information acquisition request to the zero trust network server each time the timer fires. For example, when the period set by the timer is 5 minutes, the zero trust network client initiates a configuration information acquisition request to the zero trust network server every 5 minutes.
In step S306, the zero trust network server sends the updated configuration information to the zero trust network client.
In some embodiments, when the zero trust network server receives a configuration information acquisition request sent by the zero trust network client, it checks whether the configuration information has been updated; when the configuration information has not been updated, it ignores the configuration information acquisition request sent by the zero trust network client, and when the configuration information has been updated, it sends the updated configuration information to the zero trust network client.
In step S307, the zero trust network client sends the updated configuration information to the zero trust network proxy.
In some embodiments, after receiving the updated configuration information returned by the zero trust network server, the zero trust network client generates a hash value from the acquired updated configuration information and compares it with the hash value, recorded in memory, of the configuration information that was last pushed. When the two differ, it pushes the acquired updated configuration information to the zero trust network proxy; when the two are the same, it queries the push state of the configuration information pushed last time, and when that push state is push failed, or no corresponding record is found, it pushes the acquired updated configuration information to the zero trust network proxy.
It should be noted that the scheme in which the zero trust network server actively pushes and the scheme in which the zero trust network client actively pulls, shown in fig. 4, may be executed at the same time: for example, a trigger may be set in the zero trust network server and a timer may be set in the zero trust network client simultaneously. Of course, the scheme in which the zero trust network client actively pulls may also be executed only when the zero trust network server fails to actively push the updated configuration information.
In other embodiments, although combining the scheme of active pushing by the zero trust network server with the scheme of active pulling by the zero trust network client improves the efficiency of configuration information synchronization, it still cannot guarantee that the updated configuration information reaches the zero trust network proxy one hundred percent of the time. To deal with push failures and further improve the success rate of configuration information synchronization, the access processing method of the zero trust network provided by the embodiment of the application additionally uses a scheme in which the zero trust network proxy itself pulls the configuration as a fallback.
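The push state cache and the hash comparison of step S307 described above, as an added example that is not the patent's own code; the threshold values, the `FakeProxy` stand-in for the proxy's push interface and the SHA-256 hash choice are assumptions.

```python
import hashlib
import json
import time
from enum import Enum
from typing import Dict, Optional, Tuple


class PushState(Enum):
    UNKNOWN = "unknown"
    TO_BE_PUSHED = "to_be_pushed"
    SUCCESS = "push_success"
    FAILURE = "push_failure"


def config_hash(config: dict) -> str:
    """Hash of the configuration; canonical JSON so key order cannot change it."""
    raw = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


class PushStateCache:
    """Key: configuration hash. Value: (push timestamp, push state)."""

    def __init__(self, max_items: int = 100, evict_count: int = 20):
        self.max_items = max_items        # number threshold (assumed value)
        self.evict_count = evict_count    # preset number to delete (assumed value)
        self.items: Dict[str, Tuple[float, PushState]] = {}

    def record(self, h: str, ts: float, state: PushState) -> None:
        if h in self.items:
            # A record for this hash exists: only its push state is updated.
            old_ts, _ = self.items[h]
            self.items[h] = (old_ts, state)
            return
        if len(self.items) > self.max_items:
            # Over the threshold: drop the oldest entries by push timestamp first.
            oldest_first = sorted(self.items, key=lambda k: self.items[k][0])
            for k in oldest_first[: self.evict_count]:
                del self.items[k]
        self.items[h] = (ts, state)

    def state_of(self, h: str) -> Optional[PushState]:
        entry = self.items.get(h)
        return entry[1] if entry else None


class FakeProxy:
    """Constructed stand-in for the proxy's push interface (not the real one);
    fails the first `fail_first` set calls to simulate push failures."""

    def __init__(self, fail_first: int = 0):
        self.fail_first = fail_first
        self.applied = []

    def set_config(self, config: dict) -> bool:
        if self.fail_first > 0:
            self.fail_first -= 1
            return False
        self.applied.append(config)
        return True


class ZeroTrustClient:
    def __init__(self, proxy):
        self.proxy = proxy
        self.cache = PushStateCache()
        self.last_pushed_hash: Optional[str] = None

    def should_push(self, h: str) -> bool:
        """Step S307: push when the hash differs from the last pushed one; when it
        is the same, push again only if the last push failed or has no record."""
        if h != self.last_pushed_hash:
            return True
        state = self.cache.state_of(h)
        return state is None or state == PushState.FAILURE

    def on_updated_config(self, config: dict, now: Optional[float] = None) -> bool:
        """Returns True when a push to the proxy was attempted."""
        now = time.time() if now is None else now
        h = config_hash(config)
        if not self.should_push(h):
            return False
        self.last_pushed_hash = h
        ok = self.proxy.set_config(config)       # response result from the proxy
        self.cache.record(h, now, PushState.SUCCESS if ok else PushState.FAILURE)
        return True
```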
For example, referring to fig. 5, fig. 5 is a schematic flowchart of an access processing method of a zero trust network provided in an embodiment of the present application, and will be described with reference to steps shown in fig. 5.
In step S401, the zero trust network proxy sends a configuration information obtaining request to the zero trust network client periodically at a first frequency.
In some embodiments, when the zero trust network proxy has not yet acquired the updated configuration information, it may periodically send a configuration information acquisition request to the zero trust network client at a first frequency (i.e., a high frequency, for example every 5 minutes) to request the updated configuration information.
In step S402, the zero trust network client sends a configuration information obtaining request to the zero trust network server.
In some embodiments, after receiving a configuration information acquisition request sent by the zero trust network proxy, the zero trust network client forwards the request to the zero trust network server.
In step S403, the zero trust network server sends the updated configuration information to the zero trust network client.
In some embodiments, when the zero trust network server receives a configuration information acquisition request forwarded by the zero trust network client, it checks whether the configuration information stored in the zero trust network server has been updated; when it has not been updated, it ignores the configuration information acquisition request sent by the zero trust network client, and when it has been updated, it sends the updated configuration information to the zero trust network client.
In step S404, the zero trust network client sends the updated configuration information to the zero trust network proxy.
In some embodiments, after the zero trust network client receives the updated configuration information returned by the zero trust network server, the received updated configuration information is pushed to the zero trust network proxy.
It should be noted that the zero trust network client must pass the authentication of the push interface of the zero trust network proxy before it can successfully call that push interface to push the updated configuration information to the zero trust network proxy.
In step S405, the zero trust network proxy continues to periodically send a configuration information obtaining request to the zero trust network client at a second frequency, so as to request to obtain the configuration information after being updated again.
In some embodiments, once the zero trust network proxy has successfully received and applied the updated configuration information pushed by the zero trust network client, and since the configuration information is unlikely to be updated again immediately after an update, the zero trust network proxy may continue to send configuration information acquisition requests to the zero trust network client periodically at the second frequency (i.e., a low frequency, for example once every 30 minutes) to request any further updated configuration information. This avoids the problems of the related art, namely untimely configuration pulling (when a low frequency is set) and excessive resource consumption (when a high frequency is set).
The access processing method for the zero trust network provided by the embodiment of the application solves the problem of network access interruption or jitter caused by switching between the all-direct connection policy type and the all-proxy policy type, and also mitigates the slow take-effect on the terminal after the management side adjusts the access control policy. In the zero trust network access architecture, the network access operations of the end user are controlled by the access control policy. The access processing method of the zero trust network provided by the embodiment of the application supports flexible switching by an administrator between the all-direct connection policy type and the all-proxy policy type, and realizes real-time synchronization of network access configuration information between the zero trust network proxy and the zero trust network client through a scheme based on configuration changes, timestamps and configuration hash values. Compared with the related art, which relies only on periodic pulling of configuration information, the access processing method of the zero trust network provided by the embodiment of the application improves the efficiency of configuration information synchronization, shortens the response time of the terminal and improves the stability of network access.
Next, an exemplary application of the embodiment of the present application in a practical application scenario will be described.
In the zero trust network architecture provided by the related art, generally only a single access control policy type (i.e., the full-proxy type policy) can be issued by the administrator, who can only make adjustments within that one policy type and cannot switch between different access control policy types. In the related art, the zero trust network proxy usually only periodically pulls configuration information from the zero trust network client (e.g., an Intelligent Office Automation (IOA) client); when the IOA client receives a configuration pull request, it obtains the latest access control policy and the network-related configuration information and sends a configuration response to the zero trust network proxy. That is, when the access control policy configured by the administrator or the network-related configuration information changes, the IOA client can synchronize the latest configuration information to the zero trust network proxy only after the zero trust network proxy sends it a configuration pull request. During this period, network access is prone to jitter, resulting in frequent access failures; the terminal responds slowly to configuration changes and network access is unstable.
In view of this, the embodiment of the present application provides an access processing method for a zero trust network that supports an administrator issuing either an all-direct connection type policy or an all-proxy type policy and allows the administrator to switch flexibly between the two policy types. This provides greater configuration flexibility, solves the DNS resolution error or DNS failure that occurs when a domain-name type site is switched between the two policy types, and solves the network access jitter caused by switching between proxy access and direct connection access. When the access control policy or the network-related configuration information changes, the IOA client achieves fast synchronization of network access configuration information between the zero trust network proxy and the zero trust network client by combining active pushing at a trigger point with periodic pulling. Compared with the scheme of the related art that only periodically pulls configuration information, the access processing method of the zero trust network provided by the embodiment of the application improves the synchronization efficiency of configuration information while shortening the terminal's response time to configuration changes and improving the stability of network access.
The access processing method of the zero trust network provided by the embodiment of the application can be applied to online office scenarios, ensures an efficient and stable remote collaborative office experience, and promotes the adoption of zero trust technology in the digital industry.
The access processing method of the zero trust network provided in the embodiment of the present application is specifically described below.
For example, referring to fig. 6, fig. 6 is a schematic view of a scenario in which an administrator configures an access control policy for a zero-trust network according to an embodiment of the present application. As shown in fig. 6, interface 600 is an interface corresponding to a zero-trust network client (e.g., an IOA client) when logging in based on an account of an administrator, and the administrator can configure an access control policy associated with a trusted application in a trusted application configuration area 610 presented by interface 600; of course, the administrator can also configure access control policies associated with the business system in business system configuration area 620 presented by interface 600.
The access processing method of the zero trust network provided by the embodiment of the application allows an administrator to configure the service site in an IP form or a domain name form.
For example, referring to fig. 7A, fig. 7A is a schematic view of a scenario in which an administrator configures an access control policy for a zero trust network according to an embodiment of the present application. As shown in fig. 7A, a category selection box is presented in business system configuration interface 700; when the administrator selects "IP" 710 in the category selection box, "designated IP" or "IP segment" is also selected in the "IP" column 720, and the administrator can configure all ports or a designated port for "Port" 730.
For example, referring to fig. 7B, fig. 7B is a schematic view of a scenario where an administrator configures an access control policy for a zero trust network according to an embodiment of the present application. As shown in fig. 7B, when the administrator selects "domain name" 740 in the category selection box presented by business system configuration interface 700, domain name filling box 750 may also be filled with the domain name of the specific business site.
The access processing method of the zero trust network provided by the embodiment of the application is based on a combined control policy of person (identity), application and target service system; it implements traffic filtering, supports domain names, IP segments and multiple ports, and can realize inheritance and extension based on the user's organizational structure.
For example, referring to fig. 8, fig. 8 is a schematic view of a scenario in which an administrator configures an access control policy for a zero trust network according to an embodiment of the present application. As shown in fig. 8, the administrator may further create a plurality of user accounts (i.e., access user accounts) in an account creation area 810 presented in interface 800; the user accounts may be individual user accounts or group user accounts, and the embodiment of the present invention is not limited herein. For group user accounts, inheritance of configuration information can also be realized: for example, a user account at the next level can inherit the configuration information of the user account at the previous level.
The following describes the configuration process of the trusted application.
For example, referring to fig. 9, fig. 9 is a schematic configuration diagram of a trusted application provided in an embodiment of the present application. As shown in fig. 9, in a configuration interface 900 of a trusted application there are presented: the process name 910 of the application, the signature information 920, the version 930, a hash value (e.g., MD5 value) 940 corresponding to the process, and a hash value (e.g., sha256 value) 950 corresponding to the process.
Further, when zero-trust office is enabled, the end user can use the zero-trust office function by logging in to a zero trust network client (such as an IOA client).
For example, referring to fig. 10, fig. 10 is a schematic view of a scenario that an accessing user accesses a zero-trust network client according to an embodiment of the present application, as shown in fig. 10, a login interface 1000 displays multiple login manners, including a code scanning login manner or an account login manner, and the accessing user may log in the zero-trust network client (e.g., an IOA client) in any manner.
For example, referring to fig. 11A, fig. 11A is a schematic view of a scenario in which an access user queries an access control policy according to an embodiment of the present application. As shown in fig. 11A, interface 1100 is the interface presented after the access user successfully logs in to the zero trust network client; the user account 1101 of the access user is presented in interface 1100, together with a "security real-time defense during office" control 1102. When the access user clicks control 1102, a corresponding sub-interface 1103 pops up in interface 1100, and the defense policies in the access control policy configured by the administrator, for example application entrance protection and system bottom-layer protection, are presented in sub-interface 1103. Application entrance protection comprises desktop icon protection, camera protection, USB flash disk protection, file download protection and web page firewall. System bottom-layer protection comprises file system protection, registry protection, process protection, driver protection and hacker intrusion protection.
For example, referring to fig. 11B, fig. 11B is a schematic view of a scenario in which an access user queries an access control policy according to an embodiment of the present application. As shown in fig. 11B, when the access user clicks the "trusted software configured" control 1104 in interface 1100, a corresponding sub-interface 1105 pops up in interface 1100, and the application policies in the access control policy configured by the administrator, such as trusted software (i.e., trusted applications) and intercepted software, are displayed in sub-interface 1105. The trusted software comprises application categories and business applications; for example, when the application category is search applications, the business applications may be a specific browser 1 (e.g., IE browser), browser 2 (e.g., Chrome browser) and browser 3 (e.g., QQ browser).
According to the access processing method of the zero trust network provided by the embodiment of the application, the end user can access the service system configured by the administrator through the designated trusted application, according to the user-level policy issued by the management side.
The following describes an access processing method of a zero trust network provided in the embodiments of the present application in detail from a technical side.
For example, referring to fig. 12, fig. 12 is a schematic diagram of an access process of a zero trust network provided in an embodiment of the present application. As shown in fig. 12, the zero trust network client (e.g., an IOA client) serves as the zero trust network security service provider: a unified entry is provided through the zero trust network proxy and the zero trust network gateway (e.g., an intelligent gateway) for the access subject to reach the resources of the access object via network requests, the IOA client performs authentication for this unified entry, and only network requests that pass authentication are forwarded by the zero trust network proxy to the intelligent gateway, which proxies the access to the actual service system.
For example, referring to fig. 13, fig. 13 is a schematic structural diagram of an access processing system of a zero trust network provided in an embodiment of the present application, and as shown in fig. 13, a core module of the access processing system of the zero trust network mainly includes: a zero trust network client (e.g., IOA client), a zero trust network server (e.g., IOA server), a zero trust network proxy (e.g., full traffic proxy), and a zero trust network gateway (e.g., intelligent gateway), which are described below.
The IOA client is a security agent (Agent) installed on the working device of an accessing user (e.g., a company employee). It is responsible for verifying the trusted identity of the user on the device, verifying whether the device is trusted and whether the application is trusted; it also submits unknown processes to the IOA server for inspection.
The zero trust network proxy (proxy) mainly hijacks device traffic (such as access requests sent by application programs) through the TUN/TAP virtual network card, and is responsible for forwarding network requests sent by applications to the intelligent gateway after authentication by the IOA client; if authentication fails, the request is either connected directly or the connection is interrupted.
The intelligent gateway is deployed at the entrance of the enterprise application program and the data resource and is responsible for verifying, authorizing and forwarding each session request for accessing the enterprise resource.
The IOA server mainly schedules service traffic securely through a policy control engine and authorizes at the granularity of person, device, service system and application. The identity verification module included in the IOA server verifies the identity of the access user; the device trust module verifies the hardware information and security information of the device; the application detection module detects whether the application process is safe, for example whether it has vulnerabilities or carries viruses or Trojans. In addition, the IOA server can periodically submit files to a threat intelligence cloud inspection service or an antivirus engine (such as the TAV antivirus engine), and when a malicious process is identified an asynchronous blocking operation is executed through the client.
The overall flow is as follows: when the access subject initiates a network access request for the access object through an application program, the zero trust network proxy (such as a full-traffic proxy) hijacks the access request initiated by the application through the TUN/TAP virtual network card. If the access control policy indicates the full-proxy policy type, the zero trust network proxy requests a ticket from the IOA client, the IOA client in turn applies for the ticket from the IOA server, and after the application succeeds the IOA client returns the ticket to the zero trust network proxy; the zero trust network proxy then sends the actual network access traffic to the intelligent gateway through the physical network card, and the intelligent gateway proxies the actual service access. If the access control policy indicates the all-direct connection policy type, the zero trust network proxy, after hijacking the network access request sent by the application, performs the network access and response directly with the corresponding target service site through the physical network card, realizing direct connection access.
The specific process for the full-proxy policy type is as follows. The IOA client hijacks the network access request initiated by the application through the zero trust network proxy, and the zero trust network proxy then initiates an authentication request to the IOA client (that is, the zero trust network proxy applies to the IOA client for a ticket for the network access request); the request parameters include the source IP or domain name, source port, destination IP or domain name, destination port and the Process Identifier (PID) of the application. The IOA client then uses the PID sent by the zero trust network proxy to obtain the process MD5, process path, latest modification time, copyright information, signature information and so on, and applies to the IOA server for a ticket together with the source IP or domain name, source port, destination IP or domain name and destination port carried in the network access request sent by the zero trust network proxy; if the application succeeds, the IOA client returns the ticket, the maximum number of uses of the ticket and the validity time of the ticket to the zero trust network proxy as the response. The zero trust network proxy can then initiate an http request to the intelligent gateway, carrying the network request credential (i.e. the ticket) returned by the IOA client in the Authorization header field of the request. After receiving the http request from the zero trust network proxy, the intelligent gateway parses the ticket from the header field and asks the IOA server to verify it. If verification succeeds, the connection between the intelligent gateway and the zero trust network proxy is established, the zero trust network proxy can send the hijacked network access request initiated by the application to the intelligent gateway, and the intelligent gateway forwards the network access request to the corresponding service server, thereby proxying the actual application network access. If the IOA server fails to verify the ticket, the connection between the zero trust network proxy and the intelligent gateway is interrupted; traffic of applications accessing sites outside the access control policy is sent by the zero trust network proxy directly to the target service server to achieve direct access.
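The ticket exchange just described (proxy applies via the IOA client, the IOA server issues a ticket with a maximum use count and validity time, the gateway presents it from the Authorization header for verification), as an added example that is not the patent's own implementation. The HMAC ticket format, the `Ticket` header scheme, the binding of a ticket to its destination and the simplified process trust check are assumptions made for the example.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple


class IOAServer:
    """Issues network request tickets to the IOA client and checks them for the gateway."""

    def __init__(self, key: bytes):
        self.key = key                     # server-side MAC key (assumed mechanism)
        self.issued: Dict[str, dict] = {}  # ticket id -> {"payload": ..., "uses": n}

    def apply_ticket(self, request: dict, process: dict, now: float,
                     max_uses: int = 10, ttl: int = 300) -> Optional[Tuple[str, int, int]]:
        """request: source/destination IP or domain, ports and PID as sent by the
        proxy; process: MD5, path, signature etc. collected by the IOA client.
        Returns (ticket, maximum use count, expiry time) or None when refused."""
        # Trust check is simplified for the example: a signed process with a
        # known hash is accepted; a real policy engine would check much more.
        if not process.get("signature") or not process.get("md5"):
            return None
        tid = os.urandom(8).hex()
        payload = {
            "tid": tid,
            "dst": f"{request['dst']}:{request['dst_port']}",  # ticket bound to its destination
            "exp": int(now) + ttl,
            "max_uses": max_uses,
        }
        raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        mac = hmac.new(self.key, raw, hashlib.sha256).hexdigest()
        self.issued[tid] = {"payload": payload, "uses": 0}
        return raw.hex() + "." + mac, max_uses, payload["exp"]

    def check_ticket(self, ticket: str, dst: str, now: float) -> bool:
        """Verification requested by the gateway: MAC, issuance record, expiry,
        use count and destination binding must all hold; each success uses one."""
        try:
            raw_hex, mac = ticket.split(".", 1)
            raw = bytes.fromhex(raw_hex)
            payload = json.loads(raw)
        except ValueError:
            return False
        if not isinstance(payload, dict):
            return False
        expected = hmac.new(self.key, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False
        record = self.issued.get(payload.get("tid"))
        if record is None or record["payload"] != payload:
            return False
        if now >= payload["exp"] or record["uses"] >= payload["max_uses"]:
            return False
        if payload["dst"] != dst:
            return False
        record["uses"] += 1
        return True


class IntelligentGateway:
    """Parses the Authorization header of the proxy's request and asks the IOA
    server to verify the ticket before proxying the session."""

    def __init__(self, server: IOAServer):
        self.server = server

    def handle(self, headers: Dict[str, str], dst: str, now: float) -> int:
        scheme, _, ticket = headers.get("Authorization", "").partition(" ")
        if scheme != "Ticket" or not ticket:      # header form is an assumption
            return 401
        if not self.server.check_ticket(ticket, dst, now):
            return 403                             # connection with the proxy is torn down
        return 200                                 # session is forwarded to the service server


def proxy_headers(ticket: str, dst: str) -> Dict[str, str]:
    """Headers the zero trust network proxy sends to the gateway with the ticket."""
    return {"Host": dst, "Authorization": "Ticket " + ticket}
```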
In addition, for site access in IP form there is no domain name resolution process, so the traffic can be hijacked directly by the virtual network card. However, if the service site is a domain-name type service site, such as "km.oa.com" or "www.crop.com", DNS resolution of the intranet domain name on the public network may fail (i.e. the corresponding IP cannot be resolved) or be polluted, and then the application does not initiate the subsequent network request (when an application initiates access to a domain-name type site, it must wait for DNS to resolve the correct IP before the access can continue).
In view of the above technical problems, the access processing method for a zero trust network provided in the embodiment of the present application uses the zero trust network proxy to capture DNS requests by listening on port 53 and executes custom DNS resolution logic for them: for each domain name for which DNS resolution is requested, a corresponding virtual IP address (e.g., "192.168.220.1") is generated automatically, together with a mapping between the domain name and the virtual IP address. For example, when an application issues a DNS request for the domain name "www.crop.com", the zero trust network proxy listening on port 53 automatically allocates a corresponding virtual IP address for "www.crop.com", for example "192.168.220.12", and stores the mapping between this domain name and the virtual IP address: "www.crop.com" - "192.168.220.12". The custom DNS resolution process is described in detail below.
For example, referring to fig. 14, fig. 14 is a schematic diagram illustrating the principle of executing custom DNS logic for a domain name carried in a network access request according to an embodiment of the present application. As shown in fig. 14, when an application initiates a network access request for a service site in the form of a domain name, a DNS request is sent first; the DNS request is captured through the virtual network adapter by the zero trust network proxy (for example, a full-traffic proxy) and enters the custom DNS logic of the zero trust network proxy. The zero trust network proxy first determines, according to the access control policy issued by the IOA server to the IOA client (which the IOA client delivers to the zero trust network proxy through configuration synchronization), whether the domain name should go through the proxy access type. If so, the custom DNS logic allocates a corresponding virtual IP address and the mapping between the virtual IP address and the domain name is stored in the zero trust network proxy; if it is not the proxy access type, the query is handed over to the system DNS for resolution, producing a system native IP address.
The following description takes as an example an application program that executes custom DNS logic when accessing a service site with the domain name "km.oa.com".
For example, referring to fig. 15, which is a schematic flowchart of executing custom DNS logic for the domain name carried in a network access request according to an embodiment of the present application: the application program first performs DNS resolution for the domain name "km.oa.com". The DNS traffic is automatically routed into the virtual network card, and the zero-trust network proxy (e.g., a full-traffic proxy) takes over the resolution. The zero-trust network proxy first queries the access control policy and checks whether the domain name is in it. If the domain name is in the access control policy, it is treated as an intranet domain name and a virtual IP address is allocated; if the domain name is not in the access control policy, it is not an intranet domain name, and the query is sent to the system DNS to resolve the system native IP address.
With continued reference to fig. 15, the zero trust network proxy resolves the IP address corresponding to the domain name "km.oa.com" to "100.8.0.x". Whether the zero trust network proxy responds with a virtual IP address or with the system native IP address resolved through the system DNS, the result is returned to the application program through the virtual network card, which completes the application program's DNS resolution. At the same time, the zero-trust network proxy stores in its memory the mapping between the virtual IP address (i.e., the result of the custom DNS logic) and the domain name, or the mapping between the system native IP address (i.e., the result of the system DNS resolution) and the domain name.
After DNS resolution succeeds, the application program sends a TCP request to the resolved IP address (either a virtual IP address or a system native IP address resolved by the system DNS), for example "100.8.0.x". The TCP request also enters the virtual network card and is captured by the zero trust network proxy, which looks up the destination IP address (here 100.8.0.x) in the virtual IP address-domain name mapping list or the system native IP address-domain name mapping list. If "km.oa.com" is configured in the access control policy, the corresponding domain name is found in the virtual IP address-domain name mapping list by the IP address, and the domain name of the request is obtained as "km.oa.com", completing the lookup from virtual IP address to actual domain name.
In this way, the problem that an application program cannot initiate subsequent requests because DNS resolution of some enterprises' intranet domain names fails on the public network (i.e., no corresponding IP address can be resolved) or returns polluted results is solved.
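The custom DNS logic and the reverse IP-to-domain lookup described above, written out as an added Python example; this is not code from the patent or from the IOA product. The reachable-area domain patterns, the stand-in system DNS table and the virtual IP pool 100.8.0.0/24 (chosen to match the "100.8.0.x" addresses in the text) are constructed assumptions.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed sample data (not from the patent): domain patterns of the
# policy's reachable area, and a dictionary standing in for the system DNS.
POLICY_REACHABLE_DOMAINS = ["km.oa.com", "*.corp.example"]
SYSTEM_DNS = {"www.example.com": "93.184.216.34"}


class CustomDnsResolver:
    """Custom DNS logic of a zero-trust proxy: names in the policy get a virtual
    IP, all other names go to the system DNS; both results are remembered so a
    later TCP request to the IP can be mapped back to the domain name."""

    def __init__(self, reachable_domains, system_dns, pool="100.8.0.0/24"):
        self.reachable = list(reachable_domains)
        self.system_dns = system_dns
        self._pool = ipaddress.ip_network(pool).hosts()  # assumed virtual IP pool
        self.virtual_to_domain = {}   # virtual IP -> domain (custom DNS logic)
        self.native_to_domain = {}    # system native IP -> domain (system DNS)
        self._domain_to_virtual = {}  # reuse one virtual IP per domain

    def in_policy(self, domain):
        """True when the domain matches a reachable-area pattern of the policy."""
        return any(fnmatch(domain, pattern) for pattern in self.reachable)

    def resolve(self, domain):
        """Return (ip, kind) where kind is 'virtual' or 'native'."""
        domain = domain.lower().rstrip(".")
        if self.in_policy(domain):
            ip = self._domain_to_virtual.get(domain)
            if ip is None:
                ip = str(next(self._pool))       # allocate from the pool
                self._domain_to_virtual[domain] = ip
                self.virtual_to_domain[ip] = domain
            return ip, "virtual"
        ip = self.system_dns.get(domain)
        if ip is None:
            # The failure mode the text mentions: the public DNS cannot resolve
            # the name. Raise so the caller can see it instead of guessing an IP.
            raise LookupError(f"system DNS could not resolve {domain}")
        self.native_to_domain[ip] = domain
        return ip, "native"

    def domain_for_ip(self, ip):
        """Reverse lookup used when a TCP request to `ip` is captured."""
        if ip in self.virtual_to_domain:
            return self.virtual_to_domain[ip], "virtual"
        if ip in self.native_to_domain:
            return self.native_to_domain[ip], "native"
        return None, None
```

A real proxy would bind the virtual IP to the requesting process as well, so that the application check of the policy can be applied to the captured TCP request; the mapping tables shown here only cover the IP-to-domain step.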
The following describes the details of the access control policy of the zero trust network.
The access control policy of the zero trust network consists of reachable area configuration nodes (i.e., the enterprise's core internal sites) and trusted application configuration nodes (i.e., security-vetted applications that end users are permitted to use to access the reachable area). An example of an access control policy with a description of its fields is shown below (in the example, the text after // explains the field to its left).
Figure BDA0002989431700000171
As shown in the above example, the enterprise intranet sites that the access control policy permits access to are: * Com (only port 899 is accessible) and oa sof com (accessible ports: 443 and 27800); the user can access these two sites only via outlook.exe (version 4.0.2.132).
"policytype" in the above policy example indicates the type of the access control policy: if its value is "proxy_access", the policy is a full-proxy type policy; if its value is "direct_access", the policy is an all-direct type policy.
The full-proxy type policy and the all-direct type policy are described as follows, where an end user accessing a site U with an application A is referred to as an application-site combination. Under a full-proxy type policy, an application-site combination that satisfies both the reachable area and the trusted application of the policy is proxied to the actual service site through the intelligent gateway, while an application-site combination that does not satisfy the access control policy is connected directly to the service site by the zero-trust network proxy. Under an all-direct type policy, an application-site combination that satisfies both the reachable area and the trusted application of the policy is connected directly to the service site by the zero-trust network proxy, while an application-site combination that does not satisfy the access control policy is proxied to the actual service site through the intelligent gateway.
In addition, the IOA client synchronizes a direct connection configuration list and a virtual IP configuration list to the zero trust network proxy, enabling flexible switching between the direct connection access type and the proxy access type. The direct connection configuration list designates the destinations to which the zero trust network proxy connects directly, bypassing the intelligent gateway proxy.
For example, the JSON format of the direct connection configuration list information synchronized by the IOA client to the zero trust network proxy is as follows:
Figure BDA0002989431700000181
For a domain name or IP that hits this list, the all-direct connection type policy is forced: network access is initiated directly from the zero trust network proxy to the target service site, without going through the intelligent gateway proxy. That is, the domain names in the direct connection configuration list are not assigned virtual IP addresses by the custom DNS logic of the zero trust network proxy; their IP addresses are resolved by the system DNS.
The virtual IP configuration list represents a domain name list which accords with the access control strategy and needs to be resolved into virtual IP addresses by the self-defined DNS logic of the zero trust network proxy end, and the corresponding JSON format is as follows:
Figure BDA0002989431700000182
The content of the virtual IP configuration list is derived from the access control policy (it drives the custom DNS logic in the zero trust network proxy) and consists of the enterprise's internal domain name sites.
When the access control policy is a full-proxy type policy, the direct connection configuration list carries all background server connection addresses corresponding to the IOA server (the single server connection address in a single-machine deployment, or the list of all server connection addresses in a cluster distributed deployment) together with all intelligent gateway connection addresses, and the virtual IP configuration list carries all domain names and virtual IP addresses in the access control policy.
When the access control policy is an all-direct connection type policy, the direct connection configuration list consists of the domain name information in the access control policy (excluding the virtual IP addresses in the policy), all server addresses corresponding to the IOA server and all intelligent gateway connection addresses, and the virtual IP configuration list is empty.
The following examples are given.
For example, assume that the administrator of an enterprise has configured the IOA server connection addresses "10.80.25.6:8454" and "km.srp.co.com:8492", the intelligent gateway connection addresses "www.sg.com:9445" and "crop.sg.com:8492", and the reachable areas "www.a.com", "www.b.com", "www.c.com", "10.11.56.24" and "10.28.0.12" in the access control policy.
When the type of access control policy configured by the administrator is a full-proxy type policy, the direct connection configuration list is the list of all server connection addresses and all intelligent gateway connection addresses corresponding to the IOA server, i.e., "10.80.25.6:8454", "km.srp.co.com:8492", "www.sg.com:9445" and "crop.sg.com:8492", and the virtual IP configuration list is all the domain names and IP addresses in the access control policy, i.e., "www.a.com", "www.b.com", "www.c.com", "10.11.56.24" and "10.28.0.12".
When the type of access control policy configured by the administrator is an all-direct connection type policy, the direct connection configuration list is all server connection addresses and intelligent gateway connection addresses corresponding to the IOA server together with all reachable area information (both domain name type and IP type) in the access control policy, i.e., the set "10.80.25.6:8454", "km.srp.co.com:8492", "www.sg.com:9445", "crop.sg.com:8492", "www.a.com", "www.b.com", "www.c.com", "10.11.56.24" and "10.28.0.12", and the virtual IP configuration list is configured to be empty.
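The derivation of the two synchronized lists and the application-site decision rule for both policy types, as an added Python example (not the patent's or the IOA product's code). The server, gateway and reachable-area values are the administrator example from the text; the policy layout with "policytype", "reachable" (site pattern plus optional port restriction, as in the field description) and "trusted_apps" (process name and version) is an assumed structure, since the patent's own policy listing is only available as an image.

```python
import fnmatch

# Constructed configuration mirroring the administrator example in the text.
IOA_SERVERS = ["10.80.25.6:8454", "km.srp.co.com:8492"]
GATEWAYS = ["www.sg.com:9445", "crop.sg.com:8492"]
REACHABLE = [  # reachable area nodes: site pattern plus optionally restricted ports
    {"site": "www.a.com", "ports": [443]},
    {"site": "www.b.com", "ports": [443, 27800]},
    {"site": "www.c.com", "ports": []},       # empty list: any port
    {"site": "10.11.56.24", "ports": []},
    {"site": "10.28.0.12", "ports": []},
]
TRUSTED_APPS = [{"process": "outlook.exe", "version": "4.0.2.132"}]


def make_policy(policytype):
    """Assumed policy layout; "policytype" values are the ones named in the text."""
    if policytype not in ("proxy_access", "direct_access"):
        raise ValueError(policytype)
    return {"policytype": policytype, "reachable": REACHABLE, "trusted_apps": TRUSTED_APPS}


def build_sync_lists(policy, ioa_servers, gateways):
    """DirectSrv and InterDomain lists that the IOA client pushes to the proxy."""
    infra = list(ioa_servers) + list(gateways)
    sites = [node["site"] for node in policy["reachable"]]
    if policy["policytype"] == "proxy_access":
        # Full proxy: only the infrastructure is direct; policy sites get virtual IPs.
        return {"DirectSrv": infra, "InterDomain": sites}
    # All direct: infrastructure and every reachable site are direct; no virtual IPs.
    return {"DirectSrv": infra + sites, "InterDomain": []}


def _site_hit(node, host, port):
    ports = node.get("ports") or []
    return fnmatch.fnmatch(host, node["site"]) and (not ports or port in ports)


def _app_hit(node, app):
    return (node["process"].lower() == app["process"].lower()
            and node["version"] == app["version"])


def access_mode(policy, lists, app, host, port):
    """Return "direct" or "proxy" for one application-site combination."""
    # Entries of the direct connection list are always connected directly, so
    # traffic to the IOA server or to the gateway itself is never proxied.
    if host in lists["DirectSrv"] or f"{host}:{port}" in lists["DirectSrv"]:
        return "direct"
    hit = (any(_app_hit(n, app) for n in policy["trusted_apps"])
           and any(_site_hit(n, host, port) for n in policy["reachable"]))
    if policy["policytype"] == "proxy_access":
        return "proxy" if hit else "direct"
    return "direct" if hit else "proxy"
```

Checking the direct connection list before the policy match is what keeps the proxy from looping its own control traffic through the gateway when the administrator switches to the full-proxy type; the pair of checks is the same for both policy types, only the outcome of a hit is inverted.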
The access processing method for the zero trust network provided in the embodiment of the present application combines two modes, namely, configuration sensing change pushing and configuration pull response, to implement a timely and stable configuration synchronization logic between the IOA client and the zero trust network proxy, which is described in detail below.
For example, referring to fig. 16, which is a schematic diagram of the principle by which configuration information is synchronized between an IOA client and a zero-trust network proxy by combining configuration-aware change pushing with a configuration pull response, as provided in an embodiment of the present application. In fig. 16, "package1, package2, package3 … package" denote different network data packets processed by the zero-trust network proxy (e.g., a proxy client); "A, B, C, D …" denote different data packets sent and responded to when the proxy client and the IOA client communicate locally on the terminal; "Trigger" denotes a trigger; "Timer" denotes a timer; "policy" denotes an access control policy; "server config" denotes the connection address corresponding to the IOA server, including a single-machine deployment connection address and the collection of connection addresses of all servers in a cluster distributed deployment; "SG config" denotes the connection address configuration of the intelligent gateway, including connection protocol, connection address and connection port; "Check" denotes checking the configuration transmission status; "LastConfig" denotes the last transmitted configuration; "DirectSrv" denotes the direct connection configuration list; "InterDomain" denotes the virtual IP configuration list; "state_cache" denotes the configuration transmission state cache; "hash:state" denotes a mapping table from configuration hash value (hash) to configuration transmission state; "authentication" denotes the authentication process of the proxy client's push interface; "MsgPush" denotes that a configuration push is performed.
The access processing method for the zero trust network provided by the embodiment of the application achieves fast synchronization between the zero trust network proxy and the IOA client by combining a push mode and a pull mode. The access control policy, the IOA server connection address configuration and the intelligent gateway configuration serve as push trigger factors. When at least one of these three factors changes, the IOA client is triggered to pull the latest configuration information: it reads and parses the access control policy, reads the latest IOA server connection address, and reads and parses the latest intelligent gateway connection configuration; it then combines them into the current virtual IP configuration list and direct connection configuration list and generates a hash value over the configuration content. The IOA client compares this hash value with the hash value of the last pushed configuration recorded in its memory; if they differ, configuration push is executed immediately. If the hash value of the current configuration is the same as that of the last pushed configuration, the push state of the last configuration is queried, and if the push state recorded for that hash value in the push state cache is push failure, or no record for that hash value is found in the push state cache, it is determined that the current configuration needs to be pushed. The IOA client then calls the push interface of the zero trust network proxy to push the current virtual IP configuration list (InterDomain) and direct connection configuration list (DirectSrv).
The zero trust network proxy first authenticates the push interface call request of the IOA client; if authentication fails, the push by the IOA client fails. If authentication succeeds, the zero trust network proxy receives the two configurations, the virtual IP configuration list (InterDomain) and the direct connection configuration list (DirectSrv), parses the timestamp and hash value carried in the configuration, and compares the timestamp with the timestamp of the historical configuration that was last set. If the current timestamp is newer than the historical configuration timestamp, the current configuration is considered new and proceeds to the next step of checking and setting; otherwise it is considered old and ignored.
After confirming that the current configuration is new, the zero trust network proxy compares the hash value of the current configuration with the hash value of the historical configuration that was last set. If they are the same, the zero trust network proxy skips the processing but responds to the IOA client with a normal configuration-set result, so that the same configuration is not set repeatedly in a way that would affect network access (for example, clearing the existing DNS cache or reloading a new virtual IP list causes network jitter). If they differ, the zero trust network proxy executes the configuration refresh and responds with the set result to the IOA client, which builds a push state cache from the response.
The push state cache may consist of multiple cache entries, each composed of a hash value and the push state corresponding to it, forming a key-value structure in which the key is the hash value of the configuration information and the value contains the push timestamp and push state of the configuration information; the push state is one of unknown, to be pushed, push success and push failure. The IOA client builds the push state cache after receiving the response result of the zero trust network proxy. For a push of configuration information with a specific timestamp T and a specific hash value H, if the zero trust network proxy successfully receives and sets the configuration information, the IOA client first looks up whether a cache record for hash value H exists in the push state cache and, if so, updates the push state for H. If no cache record for H is found, it further checks whether the number of cache entries exceeds the set maximum; if so, it traverses the cache records and deletes a preset proportion (for example, 1/2) of the historical cache records according to their push timestamps. Once the number of cache records is below the cache maximum, the push state cache creates a new cache entry for hash value H and timestamp T.
In addition, when a push of a configuration does not succeed, the IOA client automatically enters a push retry state; after the maximum number of retries (for example, 3) is reached and the push still fails, pushing stops and the last push result is recorded in the push state cache.
For example, with continued reference to fig. 16, when a configuration push triggered by the three push trigger factors (access control policy, IOA server connection address configuration and intelligent gateway connection address configuration) fails, the configuration may be periodically checked and pushed by setting a timer, to improve the synchronization efficiency and availability of the configuration. The specific process is as follows:
The IOA client reads and parses the latest access control policy, the latest IOA server connection address and the latest intelligent gateway configuration from the IOA server, combines them into the current virtual IP configuration list and direct connection configuration list, and generates a hash value over the configuration content. It compares this hash value with the hash value of the last pushed configuration recorded in its memory; if they differ, configuration push is executed immediately. If they are the same, the push state of the last configuration is queried, and if the push state recorded for the hash value in the push state cache is push failure, or no push record for the hash value is found in the push state cache, the current configuration is determined to need pushing. The IOA client then calls the push interface of the zero trust network proxy to push the current virtual IP configuration list (InterDomain) and direct connection configuration list (DirectSrv). The call succeeds once the IOA client passes the authentication of the zero trust network proxy's push interface; the IOA client receives the response result of the zero trust network proxy and adjusts the push state cache accordingly.
It should be noted that the push process started by the trigger mechanism and the periodic check-and-push process driven by the timer may execute in parallel; to synchronize the configuration precisely and avoid errors, the addition, modification and deletion of push state cache entries must be thread-safe. When the zero trust network proxy receives multiple configurations at the same time, it selects the latest configuration information for setting according to the configuration timestamps, and uses the hash value to avoid the performance consumption and network jitter that repeatedly setting the same configuration within a short time would cause.
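The push procedure above (trigger-driven and timer-driven checks share the same hash comparison and push state cache, and the proxy's timestamp, hash and authentication checks) as one added Python example; it is not code from the patent or the IOA product. The push interface is modelled as a method call, the authentication as a shared-secret comparison, the push state strings, the cache size limit of 4 and the hash mismatch check are assumptions, and the proxy tolerates a retried push carrying the same timestamp as the one already set (the text only says a strictly newer timestamp is accepted).

```python
import hashlib
import hmac
import json
import threading
import time

# Push states named in the text; the string values are assumed.
UNKNOWN, PENDING, SUCCESS, FAILED = "unknown", "to_push", "success", "failure"
MAX_RETRIES = 3          # the text's example: stop after 3 failed pushes
CACHE_MAX_ENTRIES = 4    # assumed small limit so that eviction is visible


def config_hash(inter_domain, direct_srv):
    """Hash over canonical JSON so equal content always gives an equal hash."""
    payload = json.dumps({"InterDomain": sorted(inter_domain),
                          "DirectSrv": sorted(direct_srv)}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class ZeroTrustProxy:
    """Receiving side: authenticate the caller, ignore stale configurations by
    timestamp, skip an unchanged configuration by hash, otherwise refresh."""

    def __init__(self, shared_secret):
        self._secret = shared_secret
        self.applied_ts, self.applied_hash = 0, None
        self.inter_domain, self.direct_srv = [], []
        self.refresh_count = 0  # number of real refreshes (DNS cache clear etc.)

    def push(self, token, ts, h, inter_domain, direct_srv):
        if not hmac.compare_digest(token, self._secret):
            return {"ok": False, "reason": "auth"}
        if ts < self.applied_ts:            # older than what is already set
            return {"ok": False, "reason": "stale"}
        if h == self.applied_hash:          # same content: answer normally, no refresh
            return {"ok": True, "refreshed": False}
        if config_hash(inter_domain, direct_srv) != h:   # assumed integrity check
            return {"ok": False, "reason": "hash mismatch"}
        self.applied_ts, self.applied_hash = ts, h
        self.inter_domain, self.direct_srv = list(inter_domain), list(direct_srv)
        self.refresh_count += 1
        return {"ok": True, "refreshed": True}


class IoaClient:
    """Sending side: decide whether a push is needed, push with retries, and
    keep a thread-safe push state cache keyed by configuration hash."""

    def __init__(self, proxy, token):
        self._proxy, self._token = proxy, token
        self._lock = threading.Lock()   # trigger path and timer path may run concurrently
        self.state_cache = {}           # hash -> {"ts": push timestamp, "state": push state}
        self.last_pushed_hash = None

    def needs_push(self, h):
        if h != self.last_pushed_hash:
            return True
        with self._lock:
            rec = self.state_cache.get(h)
        return rec is None or rec["state"] == FAILED

    def _record(self, h, ts, state):
        with self._lock:
            if h in self.state_cache:
                self.state_cache[h] = {"ts": ts, "state": state}
                return
            if len(self.state_cache) >= CACHE_MAX_ENTRIES:
                oldest_first = sorted(self.state_cache, key=lambda k: self.state_cache[k]["ts"])
                for k in oldest_first[: len(oldest_first) // 2]:  # drop the older half
                    del self.state_cache[k]
            self.state_cache[h] = {"ts": ts, "state": state}

    def sync(self, inter_domain, direct_srv, now=None):
        """One trigger- or timer-driven check; returns what happened."""
        ts = time.time() if now is None else now
        h = config_hash(inter_domain, direct_srv)
        if not self.needs_push(h):
            return "skipped"
        self.last_pushed_hash = h
        self._record(h, ts, PENDING)
        for _ in range(MAX_RETRIES):
            resp = self._proxy.push(self._token, ts, h, inter_domain, direct_srv)
            if resp["ok"]:
                self._record(h, ts, SUCCESS)
                return "pushed"
        self._record(h, ts, FAILED)     # the last result stays in the cache
        return "failed"
```

The hash check on the proxy side is what makes the timer path safe to run often: a repeated push of unchanged content is acknowledged without clearing the DNS cache or reloading the virtual IP list, while a push of the same content after a recorded failure is still retried because the client consults the cache state rather than only the last hash.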
Although the scheme for pushing configuration information between the IOA client and the zero trust network proxy described above combines active push on trigger factors with periodic timer-driven check and push, it cannot guarantee that every push of the IOA client's configuration information succeeds; pushes still fail with some probability. To address failures of the IOA client's active push and further raise the success rate of configuration information synchronization, the access processing method of the zero trust network provided in the embodiment of the present application may additionally have the zero trust network proxy periodically pull configuration information from the IOA client as a fallback. As shown in fig. 16, after the IOA client receives over the network the server connection address configuration information, intelligent gateway connection address configuration information and access control policy sent by the IOA server, the zero trust network proxy may periodically initiate configuration information pull requests to the IOA client at a high frequency (for example, once every 5 minutes); the IOA client parses the configuration information and responds to the zero trust network proxy with the latest configuration information.
After the zero trust network proxy successfully receives the configuration information returned by the IOA client, the pull frequency can be lowered (for example, to once every half hour) to reduce consumption while still detecting the timeliness of the configuration information and updating it; this also provides a fallback mechanism complementary to the configuration information push mechanism. That is, the access processing method for the zero trust network provided in the embodiment of the present application can achieve a higher configuration synchronization success rate by combining active push by the IOA client with active pull by the zero trust network proxy, and avoids the problems of the schemes provided by the related art, such as poor timeliness of configuration information updates, a high configuration synchronization error rate, untimely configuration pulls (with a low frequency setting) or excessive resource consumption (with a high frequency setting).
The access processing method for the zero trust network provided by the embodiment of the application solves the problem of network access interruption or jitter caused by switching between the all-direct connection type policy and the all-proxy type policy, and also mitigates the slow enforcement on the terminal after the management side adjusts the access control policy. In the zero trust network access architecture, the network access operations of the end user are controlled and affected by the access control policy. The access processing method for the zero trust network provided by the embodiment of the application allows an administrator to switch flexibly between the all-direct connection type policy and the all-proxy type policy, and synchronizes the network access configuration information between the zero trust components (such as the zero trust network proxy and the IOA client) in real time through a scheme based on configuration changes, timestamps and configuration hash values. Compared with the scheme provided by the related art, which relies only on periodic pulling of configuration information, the access processing method of the zero-trust network provided by the embodiment of the application improves the efficiency of configuration information synchronization, shortens the response time of the terminal and improves the stability of network access.
Continuing with the exemplary structure of the zero trust network access processing apparatus 455 provided by the embodiment of the present application implemented as a software module, in some embodiments, as shown in fig. 2, the software module stored in the zero trust network access processing apparatus 455 of the memory 450 may include: a receiving module 4551, an obtaining module 4552, a query module 4553, a building module 4554 and a sending module 4555.
A receiving module 4551, configured to receive an access request sent by an application program; an obtaining module 4552, configured to obtain, from the access request, an address of a service site that the application needs to access; the query module 4553 is configured to query an access control policy of the zero trust network based on the identifier of the application program and the address of the service site, and obtain an access mode in which the application program accesses the service site; an establishing module 4554 configured to establish a communication connection between the application and the service site based on the access mode and the zero trust network; a sending module 4555, configured to send an access request to the service site through the communication connection, and send an access request response of the service site to the application program through the communication connection.
In some embodiments, the access processing apparatus 455 of the zero trust network further includes a matching module 4556, configured to, when the access control policy is a full-proxy type policy, match the application program with a plurality of trusted application configuration nodes in the full-proxy type policy, and match the address of the service site with a plurality of reachable area configuration nodes in the full-proxy type policy, respectively; the trusted application configuration node comprises a plurality of characteristic fields of application programs allowing access, and the reachable area configuration node comprises a plurality of characteristic fields of service sites allowing access; the access processing apparatus 455 of the zero trust network further includes a determining module 4557, configured to determine an access mode in which the application accesses the service site as a proxy access when there is a trusted application configuration node matching the application and there is a reachable area configuration node matching the address of the service site; and the access mode of the application program accessing the service site is determined to be direct access when a trusted application configuration node matched with the application program does not exist or a reachable area configuration node matched with the address of the service site does not exist.
In some embodiments, the matching module 4556 is further configured to, when the access control policy is an all-direct connection type policy, match the application program with a plurality of trusted application configuration nodes in the all-direct connection type policy, and match the address of the service site with a plurality of reachable area configuration nodes in the all-direct connection type policy; the trusted application configuration node comprises a plurality of characteristic fields of application programs allowing access, and the reachable area configuration node comprises a plurality of characteristic fields of service sites allowing access; the determining module 4557 is further configured to determine that an access mode in which the application accesses the service site is direct access when there is a trusted application configuration node that matches the application and there is a reachable area configuration node that matches the address of the service site; and when a trusted application configuration node matched with the application program does not exist or a reachable area configuration node matched with the address of the service site does not exist, determining that the access mode of the application program for accessing the service site is proxy access.
In some embodiments, when the access control policy includes a direct connection configuration list, the matching module 4556 is further configured to match the address of the service site with the direct connection configuration list; the determining module 4557 is further configured to determine, when the address of the service site exists in the direct connection configuration list, that an access mode in which the application accesses the service site is direct connection access.
In some embodiments, when the access control policy includes a virtual IP configuration list, the matching module 4556 is further configured to match the address of the service site with the virtual IP configuration list; the determining module 4557 is further configured to determine, when the address of the service site exists in the virtual IP configuration list, that the access mode of the application program for accessing the service site is proxy access.
In some embodiments, the access processing apparatus 455 of the zero trust network further includes a pushing module 4558, configured to push, by the zero trust network server, the updated configuration information to the zero trust network client when the configuration information is updated, so that the zero trust network client sends the updated configuration information to the zero trust network proxy; wherein the configuration information comprises at least one of: the access control policy, the connection address of the zero trust network server and the connection configuration information of the zero trust network gateway.
In some embodiments, the zero trust network access processing apparatus 455 further includes a building module 4559, configured to build a push status cache based on the response result of the zero trust network proxy; the response result is generated after the zero trust network agent is set based on the updated configuration information, the push state cache adopts a key value pair form, and the key value pair takes a hash value corresponding to the updated configuration information as a key and takes a push timestamp and a push state corresponding to the updated configuration information as values; wherein the push state comprises at least one of: unknown state, state to be pushed, successful pushing and failure pushing.
In some embodiments, the building module 4559 is further configured to, for configuration information corresponding to a specific timestamp and a specific hash value, perform the following processing: when the zero trust network agent terminal successfully receives and sets configuration information, inquiring a push state cache based on a specific hash value; when a cache record corresponding to the specific hash value exists in the push state cache, updating the push state corresponding to the specific hash value; when no cache record corresponding to the specific hash value exists in the push state cache, determining the number of cache items included in the push state cache; and when the number of the cache items is larger than the number threshold, deleting the preset number of cache items according to the pushing time stamp, and establishing the cache items corresponding to the specific hash value and the specific time stamp in the deleted pushing state cache.
In some embodiments, the sending module 4555 is further configured to, when the zero trust network server fails to push the updated configuration information, periodically send, by the zero trust network client, a configuration information acquisition request to the zero trust network server, and send the updated configuration information returned by the zero trust network server to the zero trust network proxy.
In some embodiments, the sending module 4555 is further configured to send, by the zero trust network proxy, a configuration information acquisition request to the zero trust network client periodically at a first frequency when the zero trust network proxy fails to acquire the updated configuration information; when the zero trust network proxy end receives the updated configuration information acquired by the zero trust network client from the zero trust network server, the zero trust network proxy end continuously transmits an acquisition request to the zero trust network client periodically at a second frequency so as to request to acquire the configuration information after being updated again; wherein the first frequency is greater than the second frequency.
In some embodiments, the obtaining module 4552 is further configured to, when the application program does not store the binding relationship between the service site and the network address, monitor the domain name resolution port so as to hijack the domain name resolution request of the application program, extract the domain name of the service site from the domain name resolution request, and query the access control policy based on the domain name to obtain the IP address allocated to the domain name; the sending module 4555 is further configured to send the IP address to the application program, so that the application program generates the access request based on the IP address.
In some embodiments, the query module 4553 is further configured to allocate a corresponding virtual IP address to the domain name when the access control policy is a full-proxy type policy; and, when the access control policy is an all-direct connection type policy, to resolve the domain name to obtain the system native IP address corresponding to the domain name.
In some embodiments, the obtaining module 4552 is further configured to obtain the domain name of the service site by matching the IP address corresponding to the access request against the virtual IP configuration list included in the access control policy; when the IP address exists in the virtual IP configuration list, querying the mapping list between virtual IP addresses and domain names based on the IP address to obtain the domain name of the service site; and when the IP address does not exist in the virtual IP configuration list, querying the mapping list between system native IP addresses and domain names based on the IP address to obtain the domain name of the service site.
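The three paragraphs above, together with claims 2 to 5 and 11 to 12 below, describe one policy object: hijacked resolution hands the application either a virtual IP (full-proxy policy) or the system native IP (all-direct policy), the destination IP of the later access request is mapped back to the domain, and the access mode is decided by matching the application against the trusted application configuration nodes and the site against the reachable area configuration nodes. The following is an added example that is not code from the patent or its assignee; the shape of the nodes (dicts of feature fields, glob patterns for sites), the virtual IP pool, and the order in which the direct connection list and the virtual IP list are consulted when no hijacked resolution is known for an address are all assumptions of this example.

```python
import fnmatch
import ipaddress

FULL_PROXY, ALL_DIRECT = "full_proxy", "all_direct"   # the two policy types
PROXY, DIRECT = "proxy", "direct"                     # the two access modes


class AccessPolicy:
    """One zero trust access control policy (assumed representation)."""

    def __init__(self, policy_type, trusted_apps, reachable_areas,
                 direct_list=(), vip_pool="100.64.0.0/24"):
        if policy_type not in (FULL_PROXY, ALL_DIRECT):
            raise ValueError(policy_type)
        self.policy_type = policy_type
        self.trusted_apps = [dict(n) for n in trusted_apps]  # trusted application configuration nodes
        self.reachable_areas = list(reachable_areas)         # reachable area configuration nodes
        self.direct_list = set(direct_list)                  # direct connection configuration list
        self.vip_net = ipaddress.ip_network(vip_pool)        # virtual IP configuration list (pool)
        self._free_vips = self.vip_net.hosts()
        self.vip_to_domain = {}                              # mapping list: virtual IP -> domain
        self.native_to_domain = {}                           # mapping list: native IP -> domain

    def app_trusted(self, app: dict) -> bool:
        # A node matches when every feature field it lists equals the application's value.
        return any(all(app.get(k) == v for k, v in node.items())
                   for node in self.trusted_apps)

    def site_reachable(self, target: str) -> bool:
        return any(fnmatch.fnmatchcase(target, pat) for pat in self.reachable_areas)

    def resolve(self, domain: str, system_resolver) -> str:
        """Answer a hijacked DNS query: virtual IP under full proxy, native IP otherwise."""
        if self.policy_type == FULL_PROXY:
            for vip, d in self.vip_to_domain.items():
                if d == domain:
                    return vip                               # reuse the VIP already allocated
            vip = str(next(self._free_vips))
            self.vip_to_domain[vip] = domain
            return vip
        ip = system_resolver(domain)                         # all-direct: real resolution
        self.native_to_domain[ip] = domain
        return ip

    def domain_for(self, ip: str):
        """Recover the service site's domain from the access request's destination IP."""
        if ipaddress.ip_address(ip) in self.vip_net:
            return self.vip_to_domain.get(ip)
        return self.native_to_domain.get(ip)

    def access_mode(self, app: dict, ip: str) -> str:
        """Proxy or direct access for `app` reaching destination `ip`."""
        domain = self.domain_for(ip)
        if domain is None:
            # No hijacked resolution for this address (the app connected by IP):
            # fall back to the explicit lists of the policy.
            if ip in self.direct_list:
                return DIRECT
            if ipaddress.ip_address(ip) in self.vip_net:
                return PROXY
        target = domain or ip
        matched = self.app_trusted(app) and self.site_reachable(target)
        if self.policy_type == FULL_PROXY:
            return PROXY if matched else DIRECT
        return DIRECT if matched else PROXY


if __name__ == "__main__":
    # Constructed sample policy and application descriptors.
    pol = AccessPolicy(FULL_PROXY, [{"name": "ssh", "signer": "Corp"}], ["*.corp.example"])
    vip = pol.resolve("git.corp.example", lambda d: "198.51.100.7")
    print(vip, pol.access_mode({"name": "ssh", "signer": "Corp"}, vip),
          pol.access_mode({"name": "curl"}, vip))
```

The reverse mapping matters for the security decision: the policy is written in terms of domains, but the proxy only ever sees a destination IP in the hijacked request, so without the virtual IP and native IP mapping lists the reachable area match would have nothing to match against.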
In some embodiments, the obtaining module 4552 is further configured to obtain the credential of the access request when the access mode is proxy access; the sending module 4555 is further configured to forward the credential to the zero trust network server through the zero trust network gateway, so that the zero trust network server checks the credential and obtains a check result; the establishing module 4554 is further configured to, when the check result indicates that the credential is verified successfully, send the credential and the access request to the service site through the zero trust network gateway, so as to establish a communication connection between the application program and the service site and perform proxy access through the zero trust network gateway; and, when the check result indicates that the credential fails verification, to forward the access request to the service site through the zero trust network gateway so as to establish a direct connection between the application program and the service site.
In some embodiments, the receiving module 4551 is further configured to hijack the access request sent by the application program through a virtual network card running at the zero trust network proxy; the obtaining module 4552 is further configured to extract the request parameters of the access request through the zero trust network client, send a credential request to the zero trust network server based on the request parameters, and receive the credential returned by the zero trust network server.
In some embodiments, the request parameters include the address and port of the application program, the address and port of the service site, and the identifier of the application program; the sending module 4555 is further configured to send the request parameters to the zero trust network client through the zero trust network proxy, so that the zero trust network client obtains the feature information of the application program based on the identifier in the request parameters, and to send a credential request to the zero trust network server through the zero trust network client, the credential request carrying the address and port of the application program, the address and port of the service site, and the feature information, so that the zero trust network server performs authentication and returns a credential to the zero trust network client when authentication passes.
In some embodiments, the obtaining module 4552 is further configured to obtain, when the access mode is direct access, the credential of the access request through the zero trust network client; the sending module 4555 is further configured to forward the credential to the zero trust network server through the zero trust network gateway, so that the zero trust network server checks the credential and obtains a check result; the establishing module 4554 is further configured to, when the check result indicates that the credential is verified successfully, forward the credential and the network request to the service site through the zero trust network gateway so as to establish a direct connection between the application program and the service site.
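The credential flow of the four paragraphs above has three parties: the client turns the application identifier into feature information and asks the server for a credential bound to the request parameters, the server authenticates and issues it, and the gateway later asks the server to check it before forwarding. The following added example (not the patent's or its assignee's code) models that exchange. The patent does not specify the credential format; an HMAC-SHA256 tag over the bound endpoints, an expiry and a nonce is this example's assumption, as is treating the feature information as a signer hash and rejecting a direct-access request whose credential fails the check, which the description leaves unstated.

```python
import hashlib
import hmac
import json
import secrets

PROXY, DIRECT = "proxy", "direct"


class ZeroTrustServer:
    """Issues credentials to the zero trust client and checks them for the gateway."""

    def __init__(self, key: bytes, trusted_features, ttl_s: int = 300):
        self.key = key                                # MAC key held only by the server
        self.trusted_features = set(trusted_features)  # feature info of applications allowed in
        self.ttl_s = ttl_s

    @staticmethod
    def _binding(params: dict) -> dict:
        # The request parameters the credential is bound to.
        return {"app": [params["app_addr"], params["app_port"]],
                "site": [params["site_addr"], params["site_port"]]}

    def issue_credential(self, params: dict, feature_info, now: float):
        """Authentication: a credential is issued only for a trusted application feature."""
        if feature_info not in self.trusted_features:
            return None
        body = dict(self._binding(params), feature=feature_info,
                    exp=now + self.ttl_s, nonce=secrets.token_hex(8))
        payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
        tag = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return payload + "." + tag

    def check_credential(self, cred, params: dict, now: float) -> bool:
        """Check requested by the gateway: valid MAC, unexpired, same endpoints."""
        try:
            payload, tag = cred.rsplit(".", 1)
        except (AttributeError, ValueError):
            return False                                  # missing or malformed credential
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):        # constant-time comparison
            return False
        body = json.loads(payload)
        binding = self._binding(params)
        return (body["exp"] > now and body["app"] == binding["app"]
                and body["site"] == binding["site"])


def client_request_credential(server, params: dict, feature_db: dict, now: float):
    """Zero trust client: map the application identifier to its feature information
    (assumed to be a signer hash) and request a credential from the server."""
    feature_info = feature_db.get(params["app_id"])
    return server.issue_credential(params, feature_info, now)


def gateway_forward(server, access_mode: str, cred, params: dict, now: float) -> str:
    """Gateway decision after the server returns its check result."""
    verified = server.check_credential(cred, params, now)
    if access_mode == PROXY:
        # Proxy access: verified -> proxied through the gateway; otherwise the
        # description forwards the request to the site as a direct connection.
        return "proxy_via_gateway" if verified else "direct"
    # Direct access: verified -> credential and request forwarded to the site.
    # The description does not state the failure branch; rejecting is this example's choice.
    return "direct_via_gateway" if verified else "rejected"


if __name__ == "__main__":
    # Constructed sample: one trusted application feature, one access request.
    srv = ZeroTrustServer(secrets.token_bytes(32), {"sha256:corp-ssh"})
    params = {"app_id": "ssh-1", "app_addr": "10.0.0.5", "app_port": 51000,
              "site_addr": "100.64.0.1", "site_port": 443}
    cred = client_request_credential(srv, params, {"ssh-1": "sha256:corp-ssh"}, now=1000)
    print(gateway_forward(srv, PROXY, cred, params, now=1100))
```

Binding the credential to both endpoints is what stops a credential obtained for one service site from being replayed against another through the same gateway; the expiry bounds how long a credential issued before a policy change remains usable.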
It should be noted that the description of the apparatus in the embodiment of the present application is similar to the description of the method embodiment and has similar beneficial effects, and is therefore omitted. Technical details of the access processing apparatus of the zero trust network provided by the embodiment of the present application that are not exhausted here can be understood from the description of any one of fig. 3A, fig. 3B, fig. 4, or fig. 5.
Embodiments of the present application provide a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the electronic device (e.g., a computer device) reads the computer instructions from the computer-readable storage medium, and executes the computer instructions, so that the electronic device executes the access processing method of the zero trust network described in the embodiment of the present application.
Embodiments of the present application provide a computer-readable storage medium storing executable instructions, which when executed by a processor, cause the processor to perform a method provided by embodiments of the present application, for example, an access processing method of a zero trust network as shown in any one of fig. 3A, fig. 3B, fig. 4, or fig. 5.
In some embodiments, the computer-readable storage medium may be memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash, magnetic surface memory, optical disk, or CD-ROM; or may be various devices including one or any combination of the above memories.
In some embodiments, executable instructions may be written in any form of programming language (including compiled or interpreted languages), in the form of programs, software modules, scripts or code, and may be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.
By way of example, executable instructions may, but need not, correspond to files in a file system, and may be stored in a portion of a file that holds other programs or data, such as in one or more scripts in a hypertext Markup Language (HTML) document, in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code).
As an example, executable instructions may be deployed to be executed on one electronic device, or on multiple electronic devices located at one site or distributed across multiple sites and interconnected by a communication network.
In summary, the access processing method for the zero trust network provided in the embodiment of the present application solves the problem of network access interruption or jitter caused by switching between the all-direct connection type policy and the full-proxy type policy, and mitigates the problem that a policy adjustment made at the management and control end takes effect slowly on the terminal. In the zero trust network access architecture, the network access operations of the end user are controlled and influenced by the zero trust access control policy. The method supports flexible switching by an administrator between an all-direct connection type policy and a full-proxy type policy, and provides a scheme for immediately and rapidly synchronizing network access configuration information between zero trust components (such as the zero trust network proxy and the zero trust network client) based on configuration changes, a timestamp and a configuration hash value. Compared with the related-art scheme that relies only on periodic pulling of configuration information, the access processing method of the zero trust network provided by the embodiment of the present application improves the efficiency of configuration information synchronization, shortens the response time of the terminal and improves the stability of network access.
The above description is only an example of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, and improvement made within the spirit and scope of the present application are included in the protection scope of the present application.

Claims (15)

1. An access processing method for a zero trust network, the method comprising:
receiving an access request sent by an application program;
acquiring the address of a service site which needs to be accessed by the application program from the access request;
based on the identification of the application program and the address of the service site, inquiring an access control strategy of a zero trust network to obtain an access mode of the application program for accessing the service site;
establishing a communication connection between the application and the service site based on the access pattern and the zero trust network;
and sending the access request to the service site through the communication connection, and sending an access request response of the service site to the application program through the communication connection.
2. The method of claim 1,
when the access control policy is a full proxy type policy, the querying an access control policy of a zero trust network based on the identifier of the application program and the address of the service site to obtain an access mode of the application program accessing the service site includes:
matching the application program with a plurality of trusted application configuration nodes in the full-proxy type strategy respectively, and matching the address of the service site with a plurality of reachable area configuration nodes in the full-proxy type strategy respectively;
wherein the trusted application configuration node comprises a plurality of feature fields of application programs allowed to access, and the reachable area configuration node comprises a plurality of feature fields of service sites allowed to be accessed;
when a trusted application configuration node matched with the application program exists and a reachable area configuration node matched with the address of the service site exists, determining that the access mode of the application program for accessing the service site is proxy access;
and when a trusted application configuration node matched with the application program does not exist or a reachable area configuration node matched with the address of the service site does not exist, determining that the access mode of the application program accessing the service site is direct access.
3. The method of claim 1,
when the access control policy is an all-direct connection type policy, the querying an access control policy of a zero trust network based on the identifier of the application program and the address of the service site to obtain an access mode of the application program accessing the service site comprises:
matching the application program with a plurality of trusted application configuration nodes in the all-direct connection type strategy respectively, and matching the address of the service site with a plurality of reachable area configuration nodes in the all-direct connection type strategy respectively;
wherein the trusted application configuration node comprises a plurality of feature fields of application programs allowed to access, and the reachable area configuration node comprises a plurality of feature fields of service sites allowed to be accessed;
when a trusted application configuration node matched with the application program exists and a reachable area configuration node matched with the address of the service site exists, determining that the access mode of the application program accessing the service site is direct access;
and when a trusted application configuration node matched with the application program does not exist or a reachable area configuration node matched with the address of the service site does not exist, determining that the access mode of the application program for accessing the service site is proxy access.
4. The method of claim 1, wherein when the access control policy comprises a direct connection configuration list, the method further comprises:
matching the address of the service site with the direct connection configuration list;
and when the address of the service site exists in the direct connection configuration list, determining that the access mode of the application program for accessing the service site is direct connection access.
5. The method of claim 1, wherein when the access control policy comprises a virtual internet protocol, IP, configuration list, the method further comprises:
matching the address of the service site with the virtual IP configuration list;
and when the address of the service site exists in the virtual IP configuration list, determining that the access mode of the application program for accessing the service site is proxy access.
6. The method of claim 1, further comprising:
when the configuration information is updated, pushing the updated configuration information to a zero trust network client through a zero trust network server, so that the zero trust network client sends the updated configuration information to a zero trust network proxy;
wherein the configuration information comprises at least one of: the access control strategy, the connection address of the zero trust network server and the connection configuration information of the zero trust network gateway.
7. The method of claim 6, wherein after sending the updated configuration information to the zero trust network proxy, the method further comprises:
constructing a push state cache based on the response result of the zero trust network proxy;
wherein the response result is generated after the zero trust network proxy has applied the updated configuration information, the push state cache takes the form of key-value pairs, and each key-value pair takes the hash value corresponding to the updated configuration information as the key and the push timestamp and push state corresponding to the updated configuration information as the value;
wherein the push state comprises at least one of: unknown state, state to be pushed, successful pushing and failure pushing.
8. The method of claim 7, further comprising:
and aiming at the configuration information corresponding to the specific timestamp and the specific hash value, executing the following processing:
when the zero trust network proxy successfully receives and sets the configuration information, querying the push state cache based on the specific hash value;
when a cache record corresponding to the specific hash value exists in the push state cache, updating the push state corresponding to the specific hash value;
when the cache record corresponding to the specific hash value does not exist in the push state cache, determining the number of cache items included in the push state cache;
and when the number of cache items is larger than a number threshold, deleting a preset number of cache items in order of their push timestamps, and establishing a cache item corresponding to the specific hash value and the specific timestamp in the push state cache after the deletion.
9. The method of claim 6, wherein when the zero trust network server fails to push the updated configuration information, the method further comprises:
periodically sending a configuration information acquisition request to the zero trust network server through the zero trust network client, and sending the updated configuration information returned by the zero trust network server to the zero trust network proxy.
10. The method according to claim 9, wherein when the zero trust network proxy fails to obtain the updated configuration information, the method further comprises:
periodically sending a configuration information acquisition request to the zero trust network client through the zero trust network proxy at a first frequency;
when the zero trust network proxy receives the updated configuration information acquired by the zero trust network client from the zero trust network server, the zero trust network proxy continues to periodically send acquisition requests to the zero trust network client at a second frequency so as to request configuration information that is updated again;
wherein the first frequency is greater than the second frequency.
11. The method of claim 1, wherein when the application program does not store the binding relationship between the service site and the network address, the method further comprises:
monitoring a domain name resolution port to hijack the domain name resolution request of the application program, and
extracting the domain name of the service site from the domain name resolution request, and inquiring the access control strategy based on the domain name to obtain an IP address distributed for the domain name;
sending the IP address to the application program to enable the application program to generate the access request based on the IP address.
12. The method of claim 11, wherein the querying the access control policy based on the domain name to obtain the IP address assigned to the domain name comprises:
when the access control policy is a full-proxy type policy, allocating a corresponding virtual IP address to the domain name;
and when the access control policy is an all-direct connection type policy, resolving the domain name to obtain a system native IP address corresponding to the domain name.
13. An access processing apparatus for a zero trust network, the apparatus comprising:
the receiving module is used for receiving an access request sent by an application program;
the acquisition module is used for acquiring the address of the service site to be accessed by the application program from the access request;
the query module is used for querying an access control strategy of the zero trust network based on the identifier of the application program and the address of the service site to obtain an access mode of the application program for accessing the service site;
the establishing module is used for establishing communication connection between the application program and the service site based on the access mode and the zero trust network;
and the sending module is used for sending the access request to the service site through the communication connection and sending an access request response of the service site to the application program through the communication connection.
14. An electronic device, comprising:
a memory for storing executable instructions;
a processor, configured to execute the executable instructions stored in the memory to implement the method for access processing of the zero trust network according to any one of claims 1 to 12.
15. A computer-readable storage medium having stored thereon executable instructions that when executed perform a method of zero trust network access handling as claimed in any one of claims 1 to 12.
CN202110310333.4A 2021-03-23 2021-03-23 Access processing method and device for zero trust network, electronic equipment and storage medium Pending CN115189897A (en)
Publications (1)

Publication Number Publication Date
CN115189897A true CN115189897A (en) 2022-10-14

Family

ID=83512035
Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116094849A (en) * 2023-04-11 2023-05-09 深圳竹云科技股份有限公司 Application access authentication method, device, computer equipment and storage medium
CN116094849B (en) * 2023-04-11 2023-06-09 深圳竹云科技股份有限公司 Application access authentication method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 40075613

Country of ref document: HK

SE01 Entry into force of request for substantive examination