CN115499235A - DNS-based zero-trust network authorization method and system - Google Patents



Publication number
CN115499235A
Authority
CN
China
Prior art keywords
controller
spa
client
gateway
dns
Prior art date
Legal status
Pending
Application number
CN202211183668.5A
Other languages
Chinese (zh)
Inventor
常官清
秦益飞
杨正权
Current Assignee
Jiangsu Yianlian Network Technology Co ltd
Original Assignee
Jiangsu Yianlian Network Technology Co ltd
Priority date
2022-09-27
Filing date
2022-09-27
Publication date
2022-12-20
Application filed by Jiangsu Yianlian Network Technology Co ltd
Priority to CN202211183668.5A
Publication of CN115499235A

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L63/0227 Filtering policies
                            • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
                            • H04L63/0263 Rule management
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1441 Countermeasures against malicious traffic
                            • H04L63/1458 Denial of Service
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                            • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
                        • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
                    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3218 Using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
                            • H04L9/3221 Interactive zero-knowledge proofs

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a DNS-based zero trust network authorization method and system. The method comprises: acquiring a request sent by a client to a DNS (domain name system) server, identifying the source IP (Internet protocol) address of the client and sending it to a controller; if the source IP address of the client conforms to the firewall rule of the SPA knock port, the DNS server synchronizes the TXT value corresponding to the domain name of the controller and returns the TXT value to the client; the client sends an SPA message and a login request to the controller, and the controller decrypts and verifies the SPA message; if the login succeeds, the client sends an SPA message to the gateway, the gateway decrypts and verifies the SPA message, and after verification passes the client initiates a tunnel establishment request to the gateway; if the request conforms to the firewall rule of the service port opened by the gateway, a tunnel between the client and the gateway is established. The invention uses the DNS server to hide the controller and the gateway server, thereby resisting DDOS attack.

Description

DNS-based zero-trust network authorization method and system
Technical Field
The invention relates to the technical field of zero trust network authorization, in particular to a zero trust network authorization method and a zero trust network authorization system based on a DNS (domain name system).
Background
In recent years, "zero trust" has become a buzzword in the security community. Zero trust is a security concept, and realizing it fully requires ensuring the trustworthiness of the user terminal, the user identity, the link, the gateway and the application resources. Enterprises can introduce different product components to build their own zero trust schemes according to their organizational structure, business processes and working scenarios. There are three common zero-trust schemes: zero trust based on identity and access management (IAM), zero trust based on micro-segmentation, and zero trust based on Software Defined Perimeter (SDP).
SDP is a new-generation network security model based on the Zero Trust concept, proposed by the Cloud Security Alliance (CSA) in 2013. It is composed of three components: 1) the Initiating SDP Host (IH), i.e. the client; 2) the Accepting SDP Host (AH), i.e. the gateway; 3) the SDP Controller, i.e. the controller. The relationship of the three components is divided into two planes: 1) the control plane and 2) the data plane. Both the gateway and the client connect to the controller. The connection between the client and the gateway is managed through the controller's interaction over the secure control channel. This architecture keeps the control plane separate from the data plane in order to implement a fully scalable security system.
In the SDP architecture design, before the client is connected to the controller and the gateway, network verification needs to be completed in a Single Packet Authentication (SPA) manner, and the controller and the gateway only open a corresponding service port to the client that passes the SPA authentication. The architecture and interaction flow is shown in fig. 1. The specific steps are as follows:
(1) the client (IH) sends an SPA message to the controller, an SPA module of the controller judges whether the client is a legal client or not, and if the client is the legal client, a port of authentication service is opened to the corresponding IP of the client;
(2) because the SPA module of the controller does not return any response, the client actively initiates an attempt of an authentication request after sending the SPA message;
(3) after the client finishes authentication, the client acquires an authorization gateway from the controller;
(4) the client sends an SPA message to the gateway, an SPA module of the gateway judges whether the client is a legal client or not, and if the client is the legal client, a service port is opened only to the corresponding IP of the client;
(5) the client tries to establish tunnel connection with the gateway; if the SPA passes the authentication, the port is opened, and the client and the gateway tunnel are successfully established;
(6) after the tunnel is successfully established, the user can access the application resources protected by the gateway through the client.
Currently, in the zero-trust SDP architecture, single packet authentication listens on a UDP port, receives UDP packets and never replies, which hides the port. However, the scheme still listens on a UDP port on the server, and decrypts every packet sent to that port to determine whether it satisfies the SPA format requirements. For an attacker, the port can therefore still be used for attack, so the scheme can only slow down a DDOS attack and cannot fully protect against it.
Disclosure of Invention
The purpose of the invention is as follows: the invention aims to provide a DNS-based zero-trust network authorization method and system aiming at the defects of the prior art, and solves the problem of UDP port exposure, so that a controller and a gateway server are completely invisible, and the threat of DDOS is further thoroughly solved.
The technical scheme is as follows: the invention discloses a DNS-based zero-trust network authorization method, which comprises the following steps: acquiring a request which is sent by a client to a DNS server and is used for inquiring a TXT value corresponding to a controller domain name, wherein the DNS server identifies a source IP address of the client and sends the source IP address to the controller;
the controller opens a firewall rule of an SPA knock port for the client, if a source IP address of the client conforms to the firewall rule of the SPA knock port, the client is allowed to carry out knock verification, and the DNS server acquires a TXT value currently corresponding to a domain name of the controller and returns the TXT value to the client;
the client sends an SPA message to the controller according to the returned TXT value corresponding to the domain name of the controller, the controller decrypts and verifies the SPA message, and after the verification is passed, the controller opens a firewall rule of a service port to the client;
the client initiates a login request to the controller, and returns a login result to the client according to the firewall rule of the service port opened by the controller;
if the login result is successful, the client sends an SPA message to a gateway, the gateway decrypts and verifies the SPA message, and after the verification is passed, the gateway opens a firewall rule of a service port to the client;
the client initiates a request for establishing a tunnel to the gateway, and if the request conforms to the firewall rule of the service port opened by the gateway, the tunnel between the client and the gateway is established;
and the user initiates a request for accessing the application resources managed by the gateway through the client, and the gateway returns an application access result according to the user permission.
As a further refinement, to ensure security the TXT value corresponding to the controller domain name is updated at regular intervals, and the interval can be set by the user.
Further, the TXT value corresponding to the controller domain name is generated based on a hash value obtained by performing hash calculation on the timestamp and the hardware feature code of the controller.
Further, an SPA message sent by the client to the controller is encrypted by an SPA shared key, and the SPA shared key is a TXT value corresponding to the domain name of the controller.
Further, the controller judges whether an SPA shared key in the cache exists, if so, the SPA shared key is adopted to decrypt an SPA message sent by the client, and if not, the controller inquires the DNS server again for a TXT value corresponding to the domain name of the controller as a key to decrypt the SPA message.
Further, an SPA message sent by the client to the gateway is encrypted by an SPA shared key, wherein the SPA shared key is a TXT value corresponding to the controller domain name.
Further, the gateway judges whether an SPA shared key in the cache exists, if so, the SPA shared key is adopted to decrypt an SPA message sent to the gateway by the client, and if not, the TXT value corresponding to the controller domain name is inquired to the DNS server again to serve as a key to decrypt the SPA message.
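The rotating TXT value and the cache-then-requery key lookup described in the paragraphs above, as an added example that is not code from the patent or its assignee. It assumes a 300 s rotation interval, SHA-256 over the hardware feature code and the window start as the hash, an HMAC-SHA256 tag over `client_id|timestamp` in place of the patent's unspecified encryption of the SPA message, and a 60 s freshness window; the domain name, hardware code and client identifiers are constructed.

```python
# Added example, not code from the patent: the rotating TXT value of claim 3
# (hash of a timestamp and the controller's hardware feature code) used as the
# SPA shared key, and the cache-then-requery lookup of claims 5 and 7. The
# 300 s interval, the HMAC tag standing in for the encrypted SPA message, the
# 60 s freshness window and all names are assumptions of this example.
import hashlib
import hmac
from typing import Dict, Optional

ROTATION_SECONDS = 300      # assumed configurable rotation interval
SPA_FRESHNESS_SECONDS = 60  # assumed replay window for SPA timestamps


def txt_value(hardware_code: bytes, now: int, interval: int = ROTATION_SECONDS) -> str:
    """TXT value for the rotation window containing `now`.

    The timestamp is floored to the window start, so the value is constant
    within one interval and changes at the next one."""
    window_start = (now // interval) * interval
    digest = hashlib.sha256(hardware_code + b"|" + str(window_start).encode())
    return digest.hexdigest()[:32]


class DnsServer:
    """Toy DNS server holding TXT records and counting queries, so the cache
    behaviour of the controller can be observed."""
    def __init__(self) -> None:
        self.records: Dict[str, str] = {}
        self.query_count = 0

    def set_txt(self, name: str, value: str) -> None:
        self.records[name] = value

    def query_txt(self, name: str) -> Optional[str]:
        self.query_count += 1
        return self.records.get(name)


def build_spa(key: str, client_id: str, sent_at: int) -> str:
    """Client side: 'client_id|timestamp|tag', tag = HMAC-SHA256 under the key.

    The receiver only needs to decide whether the sender knew the current TXT
    value; the tag stands in for the patent's encryption of the SPA message."""
    payload = f"{client_id}|{sent_at}"
    tag = hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def check_spa(key: str, message: str, now: int) -> bool:
    """Verify the tag under `key` and reject malformed or stale messages."""
    parts = message.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    client_id, sent_at, tag = parts
    if abs(now - int(sent_at)) > SPA_FRESHNESS_SECONDS:
        return False
    expected = hmac.new(key.encode(), f"{client_id}|{sent_at}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


class Controller:
    """Publishes the TXT value and verifies SPA messages with the cached key
    first, re-querying the DNS server only when the cache is empty or the
    cached key no longer verifies. The gateway runs the same lookup against
    the controller's domain name."""
    def __init__(self, domain: str, hardware_code: bytes, dns: DnsServer) -> None:
        self.domain, self.hardware_code, self.dns = domain, hardware_code, dns
        self.key_cache: Optional[str] = None

    def publish_txt(self, now: int) -> str:
        """Timed update: push the TXT value of the current window to DNS."""
        value = txt_value(self.hardware_code, now)
        self.dns.set_txt(self.domain, value)
        return value

    def verify_spa(self, message: str, now: int) -> bool:
        if self.key_cache is not None and check_spa(self.key_cache, message, now):
            return True                            # served from cache
        fresh = self.dns.query_txt(self.domain)    # cache empty or key rotated
        if fresh is None:
            return False
        self.key_cache = fresh
        return check_spa(fresh, message, now)
```

The detail worth noticing is that a verification failure, not a timer, triggers the re-query: after a rotation the first SPA message from any client costs one DNS lookup, after which the new key is served from cache again, and a message built under an old TXT value is rejected both because its tag no longer verifies and because its timestamp falls outside the freshness window.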
The system for implementing the zero trust network authorization method based on the DNS comprises the following steps: the system comprises a client, a DNS server, a controller and a gateway;
the DNS server is in communication connection with the client and the controller respectively, and is used for acquiring a request sent by the client to the DNS server to query the TXT value corresponding to the domain name of the controller, identifying the source IP address of the client from the request and sending it to the controller; the controller opens a firewall rule of the SPA (single packet authentication) knock port for the client, and if the source IP address of the client conforms to the firewall rule of the SPA knock port, the client is allowed to carry out knock verification, and the DNS server synchronizes the TXT value corresponding to the domain name of the controller and returns the TXT value to the client;
the client is in communication connection with the controller and is used for sending an SPA message and login authentication to the controller;
the controller is in communication connection with the DNS server and is used for acquiring an SPA key to decrypt and authenticate the SPA message when the SPA key fails;
the client is in communication connection with the gateway and is used for sending an SPA message to the gateway and establishing a tunnel after the SPA message passes authentication;
the gateway is in communication connection with the DNS server and is used for acquiring the SPA key to decrypt and authenticate the SPA message when the SPA key fails.
Further, the controller manages and configures the DNS server. That is, the controller needs the management capability to dynamically add and delete domain names and TXT values on the DNS server, and these can also be configured and updated manually through a management page.
Further, the controller is communicatively connected to the DNS server, and includes: the controller judges whether an SPA shared key in the cache exists or not, if so, the SPA shared key is adopted to decrypt an SPA message sent by the client, and if not, the controller inquires a TXT value corresponding to the domain name of the controller from the DNS server again to be used as a key to decrypt the SPA message; the communication connection between the gateway and the DNS server comprises the following steps: the gateway judges whether the SPA shared key in the cache exists, if so, the SPA shared key is adopted to decrypt the SPA message sent to the gateway by the client, and if not, the TXT value corresponding to the domain name of the controller is inquired to the DNS server again to be used as the key to decrypt the SPA message.
Beneficial effects: compared with the prior art, the invention has the following advantages:
1. the invention adds a DNS server in an SDP framework for pre-verification before a client accesses a controller, the client needs to acquire a TXT value corresponding to a domain name of the controller from the DNS server, the DNS server interacts with the controller to open a corresponding SPA knock port for the client, and the DNS server is adopted to hide the controller and a gateway server, thereby achieving the purpose of resisting DDOS attack and ensuring that the controller and the gateway server are safer;
2. the SPA shared key is realized based on the TXT value of the controller domain name, the controller needs to support the timing update of the TXT value, the DNS server obtains the current TXT value from the controller, updates the TXT record of the controller domain name and returns the latest value of the TXT to the client. Based on the dynamic change of the TXT value of the domain name of the controller, the dynamic update of the SPA shared key can be realized, the port of the server can be hidden, the cracking difficulty of the SPA message can be increased, and the SDP overall framework is safer and more reliable.
Drawings
Fig. 1 is a diagram of a conventional SDP architecture and interaction flow;
fig. 2 is a SDP architecture and interaction flow diagram of the DNS-based zero trust network authorization system of the present invention;
fig. 3 is an access flow chart of the DNS-based zero trust network authorization method of the present invention.
Detailed Description
The technical solution of the present invention is described in detail below with reference to the accompanying drawings, but the scope of the present invention is not limited to the embodiments.
As shown in fig. 2, the DNS-based zero-trust network authorization system provided by the present invention includes a client, a DNS server, a controller and a gateway. The DNS server is in communication connection with the client and the controller respectively and is used for acquiring the request sent by the client to the DNS server to query the TXT value corresponding to the domain name of the controller, identifying the source IP address of the client from the request and sending it to the controller; the controller opens a firewall rule of the SPA (single packet authentication) knock port for the client, and if the source IP address of the client conforms to the firewall rule of the SPA knock port, the client is allowed to carry out knock verification, and the DNS server synchronizes the TXT value corresponding to the domain name of the controller and returns it to the client. The client is in communication connection with the controller and is used for sending an SPA message and login authentication to the controller; the controller is in communication connection with the DNS server and is used for acquiring the SPA key to decrypt and authenticate the SPA message when the SPA key fails; the client is in communication connection with the gateway and is used for sending an SPA message to the gateway and establishing a tunnel after the SPA message passes authentication; the gateway is in communication connection with the DNS server and is used for acquiring the SPA key to decrypt and authenticate the SPA message when the SPA key fails.
On the basis of the SDP framework, a DNS server is introduced. The DNS server receives a special DNS message from the client, and an ordinary user cannot directly access the controller or the gateway in the SDP framework, including the UDP port that provides the SPA service; illegal clients are thereby screened and filtered, and the controller and gateway are protected from DDOS (distributed denial of service) attack. The DNS server in the optimized SDP architecture should have the following functions: identify a DNS request sent by a client and send the client's source IP address to the controller; update the TXT value corresponding to the controller domain name at regular intervals, the TXT value being generated from the time and kept unchanged for a period; and accept management and configuration from the controller. Other third-party modules (such as WeChat and DingTalk) can also be used in place of the DNS server to implement the dynamic SPA check process, and all such variants should be regarded as the same scheme.
When the system is adopted for access, the client's actual access flow is safer: the servers behind the controller and the gateway are completely hidden, users on the Internet cannot perceive the existence of the controller and the gateway, and the risk of DDOS attack is greatly reduced. The specific access flow is shown in figure 3:
1. the client (IH) queries the DNS server for the TXT value corresponding to the controller domain name;
2. after receiving the query message, the DNS server determines that the message comes from the client and sends the source IP address of the message to the controller;
3. after the controller receives the source IP address from the DNS server, it opens the firewall rule of the SPA knock port for that IP address, allowing the client to perform SPA single-packet authentication;
4. after the DNS server completes the IP address synchronization with the controller, it returns the corresponding TXT value to the client;
5. the client sends an SPA message to the controller; the encryption key of the message is the TXT value obtained by resolving the controller domain name;
6. the controller checks whether an SPA key is cached, and if so uses the cached SPA key;
7. if no SPA key is cached, the controller resolves the TXT value corresponding to the domain name from the DNS server again and uses it as the key to decrypt the SPA message;
8. the DNS server returns the TXT value corresponding to the domain name to the controller;
9. after receiving the TXT value of the domain name, the controller decrypts the SPA message and opens the firewall rule of the corresponding service port for the client;
10. after knocking, the client tries to log in to the controller;
11. once the firewall rule has been opened, the controller returns the login result;
12. after the client logs in successfully, it sends an SPA message to the gateway;
13. the gateway checks whether an SPA key is cached, using the same logic as the controller;
14. if no key is cached, the gateway queries the DNS server for the TXT value of the controller domain name;
15. the DNS server returns the corresponding TXT value;
16. the gateway decrypts the SPA message using the TXT value as the SPA key, and opens the firewall rule of the service port to the client after verification passes;
17. after sending the SPA message, the client can try to establish a tunnel with the gateway;
18. if the firewall rule has been opened, the gateway responds to the client's tunnel establishment request, and the client and gateway complete the tunnel establishment;
19. after the client tunnel is established successfully, the user actively initiates a request to access the application;
20. the gateway judges whether the user has permission for the application;
21. if the user has permission, the gateway proxies the request and returns the application result.
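The 21-step flow above as a runnable simulation, added here and not part of the patent: it models the firewalls of the controller and the gateway as per-IP rule sets and drives a client through the steps, returning the list of steps that succeeded. Port numbers, the fixed TXT value (rotation is left out here), the credential and permission tables, the HMAC tag that stands in for the encrypted SPA message, and the way the gateway's knock port is opened for the logged-in client's IP (the patent does not say how the gateway's knock port is reached) are all assumptions.

```python
# Added example, not code from the patent: the access flow of fig. 3 as a
# single-process simulation that records which firewall rule each step opens
# and shows why a host that skipped the DNS query never reaches the SPA knock
# port. Ports, the fixed TXT value, the credential and permission tables, the
# HMAC tag standing in for the encrypted SPA message, and the way the gateway's
# knock port gets opened (the logged-in client's IP is admitted, a detail the
# patent does not spell out) are all assumptions of this example.
import hashlib
import hmac
from typing import Dict, List, Optional, Set, Tuple

SPA_KNOCK_PORT = 62201                     # assumed UDP knock port
CONTROLLER_PORT = 443                      # assumed controller login port
GATEWAY_PORT = 8443                        # assumed gateway tunnel port
CONTROLLER_DOMAIN = "controller.example.test"
TXT_VALUE = "constructed-txt-value-0001"   # stands in for the rotating record


def spa_tag(key: str, client_id: str) -> str:
    """SPA message: HMAC of the client id under the TXT value as shared key."""
    return hmac.new(key.encode(), client_id.encode(), hashlib.sha256).hexdigest()


class Firewall:
    """Allowed (source_ip, destination_port) pairs; everything else is dropped."""
    def __init__(self) -> None:
        self.rules: Set[Tuple[str, int]] = set()

    def open(self, ip: str, port: int) -> None:
        self.rules.add((ip, port))

    def allows(self, ip: str, port: int) -> bool:
        return (ip, port) in self.rules


class DnsServer:
    def __init__(self) -> None:
        self.records: Dict[str, str] = {CONTROLLER_DOMAIN: TXT_VALUE}
        self.controller: Optional["SpaHost"] = None

    def query_txt(self, name: str, source_ip: str) -> Optional[str]:
        # Steps 2-4: hand the querying client's source IP to the controller,
        # which opens its knock port for that IP (step 3), then answer.
        if name == CONTROLLER_DOMAIN and self.controller is not None:
            self.controller.fw.open(source_ip, SPA_KNOCK_PORT)
        return self.records.get(name)


class SpaHost:
    """Shared by controller and gateway: the knock port is opened per source
    IP, the service port only after a valid SPA message (steps 9 and 16)."""
    def __init__(self, dns: DnsServer, service_port: int) -> None:
        self.fw, self.dns, self.service_port = Firewall(), dns, service_port

    def receive_spa(self, ip: str, client_id: str, tag: str) -> bool:
        if not self.fw.allows(ip, SPA_KNOCK_PORT):
            return False                   # dropped by the firewall, no reply
        key = self.dns.records.get(CONTROLLER_DOMAIN)   # steps 7-8 / 14-15
        if key is None or not hmac.compare_digest(tag, spa_tag(key, client_id)):
            return False
        self.fw.open(ip, self.service_port)
        return True


class Controller(SpaHost):
    def __init__(self, dns: DnsServer) -> None:
        super().__init__(dns, CONTROLLER_PORT)
        self.passwords = {"alice": "constructed-password"}   # constructed

    def login(self, ip: str, user: str, password: str) -> Optional[bool]:
        if not self.fw.allows(ip, CONTROLLER_PORT):
            return None                    # service port closed: no answer
        return self.passwords.get(user) == password


class Gateway(SpaHost):
    def __init__(self, dns: DnsServer) -> None:
        super().__init__(dns, GATEWAY_PORT)
        self.permissions = {"alice": {"hr-portal"}}            # constructed

    def access(self, ip: str, user: str, app: str) -> Optional[str]:
        if not self.fw.allows(ip, GATEWAY_PORT):              # steps 17-18
            return None                    # tunnel never established
        if app not in self.permissions.get(user, set()):      # step 20
            return "forbidden"
        return f"proxied:{app}"                                # step 21


def run_flow(client_ip: str, client_id: str, user: str, password: str,
             app: str, query_dns: bool = True) -> List[str]:
    """Drive one client through the flow and return the steps that succeeded."""
    dns, done = DnsServer(), []
    controller, gateway = Controller(dns), Gateway(dns)
    dns.controller = controller
    if query_dns:
        txt = dns.query_txt(CONTROLLER_DOMAIN, client_ip)      # steps 1-4
        done.append("dns_txt")
    else:
        txt = TXT_VALUE                    # knows the key but skipped the query
    tag = spa_tag(txt or "", client_id)
    if not controller.receive_spa(client_ip, client_id, tag):  # steps 5-9
        return done
    done.append("controller_spa")
    if not controller.login(client_ip, user, password):        # steps 10-11
        return done
    done.append("login")
    gateway.fw.open(client_ip, SPA_KNOCK_PORT)   # assumed: logged-in IP admitted
    if not gateway.receive_spa(client_ip, client_id, tag):     # steps 12-16
        return done
    done.append("gateway_spa")
    if gateway.access(client_ip, user, app) == f"proxied:{app}":
        done.append("app_access")                              # steps 17-21
    return done
```

Calling `run_flow` with `query_dns=False` models a host that somehow holds the current TXT value but never queried the DNS server: its SPA packet is dropped at the knock port and it gets no response at all, which is the "completely invisible" property the description claims for the controller and gateway. The other early exits show where a wrong password or a missing application permission stops the flow while every earlier firewall rule stays scoped to that one source IP.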
The invention adopts the DNS server to hide the controller and the gateway server, thereby achieving the purpose of resisting DDOS attack and ensuring that the controller and the gateway server are safer; in addition, based on the dynamic change of the TXT value of the domain name of the controller, the dynamic update of the SPA shared key is realized, the ports of the controller and the gateway server can be hidden, the cracking difficulty of the SPA message can be increased, and the whole architecture of the SDP is safer and more reliable.
As noted above, while the present invention has been shown and described with reference to certain preferred embodiments, it is not to be construed as limited thereto. Various changes in form and detail may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A zero trust network authorization method based on DNS is characterized in that the method comprises the following steps:
the method comprises the steps that a request, sent by a client to a DNS server, about a TXT value corresponding to a domain name of a query controller is obtained, and the DNS server identifies a source IP address of the client and sends the source IP address to the controller;
the controller opens a firewall rule of an SPA knock port for the client, if a source IP address of the client conforms to the firewall rule of the SPA knock port, the client is allowed to carry out knock verification, and the DNS server acquires a TXT value currently corresponding to a domain name of the controller and returns the TXT value to the client;
the client sends an SPA message to the controller according to the returned TXT value corresponding to the domain name of the controller, the controller decrypts and verifies the SPA message, and after the verification is passed, the controller opens a firewall rule of a service port to the client;
the client initiates a login request to the controller, and returns a login result to the client according to a firewall rule of a service port opened by the controller;
if the login result is successful, the client sends an SPA message to a gateway, the gateway decrypts and verifies the SPA message, and after the verification is passed, the gateway opens a firewall rule of a service port to the client;
the client initiates a request for establishing a tunnel to the gateway, and if the request conforms to the firewall rule of the service port opened by the gateway, the tunnel between the client and the gateway is established;
and the user initiates a request for accessing the application resources managed by the gateway through the client, and the gateway returns an application access result according to the user permission.
2. The DNS-based zero-trust network authorization method of claim 1, wherein: the TXT value corresponding to the domain name of the controller is updated at regular intervals.
3. The DNS-based zero-trust network authorization method of claim 2, wherein: the TXT value corresponding to the controller domain name is generated based on a hash value obtained by carrying out hash calculation on the timestamp and the hardware feature code of the controller.
4. The DNS-based zero-trust network authorization method of claim 3, wherein: the SPA message sent by the client to the controller is encrypted by an SPA shared key, wherein the SPA shared key is the TXT value corresponding to the domain name of the controller.
5. The DNS-based zero-trust network authorization method of claim 4, wherein: the controller judges whether the SPA shared key in the cache exists, and if so, the SPA shared key is adopted to decrypt the SPA message sent by the client; if not, the controller queries the DNS server again for the TXT value corresponding to the domain name of the controller and uses it as the key to decrypt the SPA message.
6. The DNS-based zero-trust network authorization method of claim 1 or 5, wherein: the SPA message sent by the client to the gateway is encrypted by an SPA shared key, wherein the SPA shared key is the TXT value corresponding to the domain name of the controller.
7. The DNS-based zero-trust network authorization method of claim 6, wherein: the gateway judges whether the SPA shared key in the cache exists, and if so, the SPA shared key is adopted to decrypt the SPA message sent to the gateway by the client; if not, the TXT value corresponding to the domain name of the controller is queried from the DNS server again and used as the key to decrypt the SPA message.
8. A system for implementing the DNS-based zero-trust network authorization method of claim 1, characterized in that: the system comprises a client, a DNS server, a controller and a gateway;
the DNS server is in communication connection with the client and the controller respectively and is used for acquiring a request which is sent by the client to the DNS server and is used for inquiring a TXT value corresponding to a controller domain name, identifying a source IP address of the client according to the request and sending the request to the controller, the controller opens a firewall rule of an SPA knock port for the client, if the source IP address of the client accords with the firewall rule of the SPA knock port, the client is allowed to carry out knock verification, and the DNS server synchronizes the TXT value corresponding to the controller domain name and returns the TXT value to the client;
the client is in communication connection with the controller and is used for sending an SPA message and login authentication to the controller;
the controller is in communication connection with the DNS server and is used for acquiring an SPA key to decrypt and authenticate the SPA message when the SPA key fails;
the client is in communication connection with the gateway and is used for sending an SPA message to the gateway and establishing a tunnel after the SPA message passes authentication;
the gateway is in communication connection with the DNS server and is used for acquiring the SPA key to decrypt and authenticate the SPA message when the SPA key fails.
9. The DNS-based zero-trust network authorization system of claim 8, wherein: the controller manages and configures the DNS server.
10. The DNS-based zero-trust network authorization system of claim 8, wherein the communication connection between the controller and the DNS server comprises: the controller judges whether an SPA shared key in the cache exists, and if so, the SPA shared key is adopted to decrypt the SPA message sent by the client; if not, the controller queries the DNS server again for the TXT value corresponding to the domain name of the controller and uses it as the key to decrypt the SPA message; and the communication connection between the gateway and the DNS server comprises: the gateway judges whether the SPA shared key in the cache exists, and if so, the SPA shared key is adopted to decrypt the SPA message sent to the gateway by the client; if not, the TXT value corresponding to the domain name of the controller is queried from the DNS server again and used as the key to decrypt the SPA message.
CN202211183668.5A 2022-09-27 2022-09-27 DNS-based zero-trust network authorization method and system Pending CN115499235A (en)


Publications (1)

Publication Number Publication Date
CN115499235A true CN115499235A (en) 2022-12-20

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116074125A (en) * 2023-03-27 2023-05-05 成都运荔枝科技有限公司 End-to-end password middle station zero trust security gateway system
CN116074125B (en) * 2023-03-27 2023-05-30 成都运荔枝科技有限公司 End-to-end password middle station zero trust security gateway system
CN116760633A (en) * 2023-08-11 2023-09-15 深圳市永达电子信息股份有限公司 Method for realizing safe trusted physical network gateway
CN116760633B (en) * 2023-08-11 2024-03-08 深圳市永达电子信息股份有限公司 Method for realizing safe trusted physical network gateway


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination