CN115567229A - Cloud-based internet access control method, device, medium, equipment and system - Google Patents


Info

Publication number: CN115567229A
Authority: CN (China)
Prior art keywords: access control, target terminal, drainage, strategy, edge node
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Application number: CN202110745342.6A
Other languages: Chinese (zh)
Inventors: 胡金涌, 刘贺
Current assignee: Shanghai Yundun Information Technology Co ltd
Original assignee: Shanghai Yundun Information Technology Co ltd
Related application: PCT/CN2022/102332 (published as WO2023274295A1)

Classifications

    • H04L 63/10 Network architectures or network communication protocols for network security; controlling access to devices or network resources
    • H04L 63/20 Network architectures or network communication protocols for network security; managing network security, network security policies in general
    • H04L 47/2441 Traffic control in data switching networks; flow control and congestion control; traffic characterised by specific attributes (e.g. priority or QoS) relying on flow classification, e.g. using integrated services [IntServ]
    • H04L 9/40 Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols

Abstract

The invention provides a cloud-based internet access control method, a system, a device, a computer-readable storage medium and an electronic device, wherein the method comprises the following steps: configuring a drainage strategy and a security access control strategy for a target user through a cloud security management platform, respectively sending the drainage strategy to an edge node and a target terminal corresponding to the target user, and sending the security access control strategy to the edge node; the target terminal drains the access flow to the corresponding edge node according to the drainage strategy; the edge node acquires the network attribute of the target terminal according to the received access flow from the target terminal, determines the security access control strategy of the target user corresponding to the target terminal according to the pre-stored drainage strategy and the network attribute of the target terminal, and performs security access control processing on the access flow of the target terminal according to the security access control strategy. The invention realizes a brand-new and high-efficiency network flow safety management mode.

Description

Cloud-based internet access control method, device, medium, equipment and system
Technical Field
The invention relates to the technical field of network security, in particular to a cloud-based internet access control method, system and device, a computer readable storage medium and electronic equipment.
Background
With the development of internet technology, enterprises use the internet more and more. The connection between the enterprise terminal and the data center is mostly established using the internet. In the current technical scheme, a user can access an enterprise data center through MPLS or VPN, and meanwhile, various security devices such as DDoS, WAF, IDS, IPS, internet behavior management, and the like are deployed in an enterprise to ensure security of internet access. However, in the above process, the access flow needs to be returned to the enterprise for inspection and filtering, so that large time delay and network fluctuation are likely to occur, user experience is affected, various safety devices need to be maintained, and maintenance cost is high. Therefore, how to improve the access efficiency of internet access and ensure the security of internet access becomes an urgent technical problem to be solved.
Disclosure of Invention
In view of this, embodiments of the present invention provide a cloud-based internet access control method, system, apparatus, computer-readable storage medium, and electronic device, so that a target terminal can implement security management and control on a full stack of the target terminal without managing numerous security devices, thereby greatly reducing cost.
In a first aspect, the present invention provides a cloud-based internet access control method, applied to an edge node, where the edge node is connected to at least one target terminal, and the method includes:
acquiring network attributes of a target terminal according to received access traffic from the target terminal;
determining a security access control strategy of a target user corresponding to the target terminal according to a pre-stored drainage strategy and the network attribute of the target terminal;
and performing security access control processing on the access flow from the target terminal according to the security access control strategy.
In a second aspect, the invention provides a cloud-based internet access control method, which is applied to a cloud security management platform, and the method includes:
configuring a drainage strategy and a security access control strategy for a target user;
respectively sending the drainage strategy to an edge node and a target terminal corresponding to the target user, so that the target terminal drains access flow to the edge node according to the drainage strategy;
and sending the security access control strategy to an edge node so that the edge node performs security access control processing on the access flow according to the security access control strategy.
In a third aspect, the present invention provides a cloud-based internet access control method, applied to a target terminal, where the target terminal includes a user terminal device or a network exit of a branch office, and the method includes:
acquiring a drainage strategy from a cloud security management platform, wherein the drainage strategy is a drainage strategy of a target user corresponding to the target terminal;
and draining the access flow to the corresponding edge node according to the drainage strategy.
In a fourth aspect, an embodiment of the present invention provides a cloud-based internet access control system, where the system includes:
the cloud security management platform is used for configuring a drainage strategy and a security access control strategy for a target user and respectively sending the drainage strategy to an edge node and a target terminal corresponding to the target user; sending the security access control policy to the edge node;
and the edge node is used for carrying out security access control processing on the access flow from the target terminal according to the security access control strategy.
In a fifth aspect, the present invention provides a cloud-based internet access control apparatus, which is disposed on an edge node, where the edge node is connected to at least one target terminal, and includes:
an acquisition unit, used for acquiring the network attribute of a target terminal according to the received access flow from the target terminal;
the determining unit is used for determining a security access control strategy of a target user corresponding to the target terminal according to a pre-stored drainage strategy and the network attribute of the target terminal;
and the control unit is used for carrying out security access control processing on the access flow from the target terminal according to the security access control strategy.
In a sixth aspect, the present invention provides a cloud-based internet access control apparatus, which is disposed on a cloud security management platform, and includes:
the configuration unit is used for configuring a drainage strategy and a security access control strategy for a target user;
the first sending unit is used for respectively sending the drainage strategy to an edge node and a target terminal corresponding to the target user so that the target terminal can drain access flow to the edge node according to the drainage strategy;
and the second sending unit is used for sending the security access control strategy to an edge node so that the edge node performs security access control processing on the access flow according to the security access control strategy.
In a seventh aspect, the present invention provides a cloud-based internet access control apparatus, which is disposed on a target terminal, and includes:
the acquisition unit is used for acquiring a drainage strategy from a cloud security management platform, wherein the drainage strategy is a drainage strategy of a target user corresponding to the target terminal;
and the drainage unit is used for draining the access flow to the corresponding edge node according to the drainage strategy.
In an eighth aspect, the present invention provides a computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements a cloud-based internet access control method as provided in the first aspect, or implements a cloud-based internet access control method as provided in the second aspect, or implements a cloud-based internet access control method as provided in the third aspect.
In a ninth aspect, the present invention provides an electronic device comprising:
a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement a cloud-based internet access control method provided in the first aspect, or to implement a cloud-based internet access control method as provided in the second aspect, or to implement a cloud-based internet access control method as provided in the third aspect.
Compared with the prior art, the technical scheme of the invention has the following beneficial effects:
1. According to the method, a drainage strategy and a security access control strategy are configured for a target user through a cloud security management platform, the drainage strategy is respectively sent to an edge node and a target terminal corresponding to the target user, so that the target terminal drains access flow to the edge node according to the drainage strategy, and meanwhile, the security access control strategy is sent to the edge node, so that the edge node performs security access control processing on the access flow according to the security access control strategy, and a brand-new and efficient network flow security management mode is realized; compared with the prior art, the security management mode does not need to configure and manage numerous security devices, the whole system has greater elasticity, particularly accords with the development trend of cloud computing and mobile office technology, and greatly reduces the maintenance and management cost because the traffic of the target terminal does not need to be transmitted back to the headquarters for uniform traffic inspection and filtration.
2. In the embodiment of the invention, the cloud security management platform is used as a management center, configures an individualized drainage strategy and a security access control strategy for each target user, is used as the management center of a security cloud gateway for multiple users, and has strong elasticity and service expansion capability.
3. In the embodiment of the invention, the edge node allows the target terminal to directly drain the access flow to the edge node according to the drainage strategy, and uniform flow check and filtration are carried out, so that the use and management cost is greatly reduced.
4. In the embodiment of the invention, the deployment of the distributed edge nodes allows the target terminal to access the edge nodes nearby, so that the time delay of information reaching the edge nodes is obviously reduced, and the user experience is greatly improved.
5. In the embodiment of the invention, the target terminal acquires the drainage strategy from the cloud security management platform, and directly drains the access flow to the corresponding edge node according to the drainage strategy, so that the method is particularly suitable for application scenes such as mobile office, for example, enterprise staff can safely access the Internet at any time and any place through any network without depending on a VPN (virtual private network), the problems of delay and bandwidth are solved, and the working efficiency is greatly improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic diagram of a network communication method between a data center of an enterprise headquarters, a branch office or other target terminal and the headquarters in the prior art;
FIG. 2 is a schematic diagram of a cloud-based internet access control scheme provided by an embodiment of the invention;
FIG. 3 is a schematic diagram of a cloud-based internet access control method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of introducing access traffic of the egress of a branch network to an edge node according to an embodiment of the present invention;
FIG. 5 is a schematic diagram illustrating how access traffic of a user terminal device is introduced to an edge node according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the operation of a cloud-based internet access control system according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an edge node according to an embodiment of the present invention;
FIG. 8 is a flowchart illustrating the steps of the security access control process of an edge node according to an embodiment of the present invention;
FIG. 9 is a logic flow diagram for HTTP/HTTPS traffic inspection provided in accordance with one embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a cloud-based internet access control system according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in FIG. 1, network communication between the data center of an enterprise headquarters and a branch office or other target terminal is typically carried over MPLS or VPN. Employees inside the enterprise access internal resources through the intranet; when accessing enterprise applications remotely they must first connect to a VPN to enter the enterprise intranet; the traffic of a branch office is first backhauled to the enterprise headquarters, where security devices such as DDoS protection, WAF, IDS, IPS and internet behavior management are stacked and deployed, and inspection and filtering of outbound and inbound traffic are handled centrally.
However, with the popularization of cloud computing, more and more enterprises are moving applications to the cloud, and with diversified mobile users and BYOD devices the IT department must handle mixed application deployments and serve increasingly diverse and widely distributed users while still ensuring security; such network and security architectures are difficult to adapt to these new trends. At present, the implementation scheme has at least the following problems:
the traffic of the branch mechanism accessing the internet needs to be transmitted to the headquarters for traffic check and filtering, so that a large time delay is caused, and in addition, the network fluctuation can bring large negative effects to the user experience;
enterprises need to maintain Virtual Private Networks (VPNs) or multi-protocol Label Switching (MPLS) among headquarters, branch offices, and data centers, and the use and management costs are high and the extensibility is poor;
enterprises need to maintain independent security devices such as DDoS protection, WAF, IDS and IPS; the maintenance cost is high, the devices are difficult to use, and fine-grained access control is difficult to implement. Moreover, in this model the internal network is trusted by default, so once the internal network is breached, lateral movement is extremely easy and huge security risks follow.
Therefore, in order to adapt to the new trend of continuously developing cloud computing and more applying cloud, the invention provides a brand-new and efficient cloud-based multi-user security management and control technology to meet the new challenges of the rapidly developing enterprise security (as shown in fig. 2).
Example one
Fig. 3 is a schematic diagram of an interaction process of a cloud-based internet control method according to an embodiment of the present invention. As shown in fig. 3, the interaction process is completed by the cloud security management platform, the target terminal and the edge node together, and the method mainly includes the following steps:
Step 101: the cloud security management platform configures a drainage policy and a security access control policy for a target user;
Step 102: the cloud security management platform respectively sends the drainage policy to the edge node and the target terminal corresponding to the target user, so that the target terminal can drain access flow to the edge node according to the drainage policy;
Step 103: the cloud security management platform sends the security access control policy to the edge node, so that the edge node performs security access control processing on access traffic according to the security access control policy;
Step 104: the target terminal acquires from the cloud security management platform the drainage policy configured by the platform for the target user corresponding to the target terminal;
Step 105: the target terminal drains the access flow to the corresponding edge node according to the acquired drainage policy;
Step 106: the edge node acquires the network attribute of the target terminal according to the access flow from the target terminal;
Step 107: the edge node determines the security access control policy of the target user corresponding to the target terminal according to the drainage policy acquired from the cloud security management platform and the network attribute of the target terminal;
Step 108: the edge node performs security access control processing on the access flow from the target terminal according to the security access control policy.
The individual steps of the above-described method, as well as alternative or alternative embodiments thereof, are described in detail below.
As shown in fig. 3, steps 101 to 103 are implemented on the cloud security management platform.
In this embodiment, the target user may be an enterprise user or an individual user. Generally, each target user corresponds to a user account, and the user account may be registered by the target user or allocated by the cloud security management platform. Before configuring the drainage policy and the security access control policy for the target user, the cloud security management platform may also verify user account information sent by the target user in response to an access request sent by the target user through the target terminal to verify the identity of the target user, configure the drainage policy and the security access control policy for the target user only after the identity verification is passed, and issue the drainage policy to the edge node and the target terminal corresponding to the target user, and issue the security access control policy to the edge node. It should be noted here that the manner of issuing the drainage policy and the security access control policy by the cloud security management platform may include active issuing or passive issuing, and direct issuing or indirect issuing. For example, the cloud security management platform may actively issue the drainage policy and the security access control policy to the edge node, or the cloud security management platform may also passively issue the drainage policy to the target terminal in response to a request sent by the target user through the target terminal, or the cloud security management platform may directly issue the drainage policy and the security access control policy to the edge node, or the cloud security management platform may first issue the drainage policy and the security access control policy to the configuration manager, and then issue the drainage policy and the security access control policy to the edge node by the configuration manager (i.e., indirect issue). 
In short, the present invention does not have any special limitation on the way of issuing the drainage policy and the security access control policy. It should be noted here that the target terminal corresponding to the target user may be a network outlet of a branch office or a terminal device of an individual user (hereinafter, simply referred to as a user terminal device). The user terminal device may include, but is not limited to, one or more of an electronic device with a network connection function and a data access function, such as a smart phone, a tablet computer, a laptop computer, or a desktop computer, which is not limited in this respect.
When the target terminal is a network outlet of a branch mechanism, the drainage strategy comprises configuration information of a drainage tunnel established at the network outlet of the branch mechanism; when the target terminal is the user terminal device, the drainage policy includes configuration information for establishing a drainage tunnel through a drainage application program set on the user terminal device. The target terminal can establish a drainage tunnel between the target terminal and the corresponding edge node according to the configuration information. Specifically, the drainage policy may include a drainage manner and address information of a corresponding edge node. The drainage mode may be a network tunneling protocol, so that the target terminal establishes a drainage tunnel with the corresponding edge node through the drainage mode.
It should be noted that the network tunneling protocol used as the drainage mode may be Generic Routing Encapsulation (GRE), Internet Protocol Security (IPsec), Proxy Auto-Configuration (PAC), or another network tunneling protocol supported by the target terminal; the choice is flexible. GRE encapsulates packets of certain network-layer protocols (e.g., IP and IPX) so that the encapsulated packets can be carried over another network-layer protocol; IPsec is a protocol suite (a collection of interrelated protocols) that protects IP traffic by encrypting and authenticating IP packets. For a more specific description of the drainage mode and the drainage procedure, reference may be made to the description of the working principle of the target terminal below.
In addition, the address information of the edge node may include, but is not limited to, an IP address, a domain name, etc. of the edge node, and it may also be a device number of the edge node or any related information capable of identifying the edge node, which is not particularly limited in the present invention. Therefore, the target terminal can determine the edge node of the drainage tunnel to be established according to the address information, so as to establish the corresponding drainage tunnel.
Furthermore, the drainage strategy may preferably also include a traffic filtering mode and an inspection policy. The traffic filtering mode specifies, for example, that access traffic for certain target access domain names of the target terminal must be drained, or that access traffic for certain target access domain names need not be drained. The inspection policy specifies which types of access traffic must be inspected and the corresponding inspection rules, for example that HTTP/HTTPS access traffic must be inspected, and which network attributes contained in that traffic are checked against the inspection rule. By configuring the traffic filtering mode and the inspection policy in advance, access traffic can thus be filtered before drainage, avoiding mis-drained or missed traffic, which guarantees the accuracy of drainage and in turn the security of internet access.
In some embodiments, a manager configures a security access control policy for a target user on the cloud security management platform, so that an edge node can perform the corresponding security access control processing on access traffic from the corresponding target terminal according to the security access control policy. In particular, the security access control policy may include at least one of an access control policy for IP, port and protocol, an access control policy for DNS requests, an access control policy for HTTP/HTTPS, and an access control policy for identity information.
In addition, the security access control processing may further include filtering access traffic from the target terminal according to a network attribute (e.g., an IP, a port, or a protocol) of the target terminal, forwarding the allowed access traffic to the target website, and blocking the disallowed access traffic, thereby ensuring the security of internet access.
It should be noted that the security control policy may contain a plurality of rules, wherein each rule corresponds to a matching condition and a handling action, and the corresponding handling action is executed when the matching condition is satisfied. The matching condition corresponds to a logic comparator which is used for judging whether the matching condition is met or not, and the handling action comprises access permission, access prohibition and access observation, wherein the access observation means that the access is permitted and the access of the current time is recorded, so that a safety manager can observe the request behavior on the premise of not blocking the request.
As shown in Table 1 below, Table 1 lists the definitions of the security control policies in the Layer 3 firewall, DNS and HTTP access control modules.
TABLE 1
(Table 1 is an image on the source page and is not reproduced here.)
Furthermore, the rules may correspond to different priorities and be executed according to the priority levels of the priorities. When one of the rules is executed, other rules having a lower priority than the rule are not executed.
As an example, as shown in Table 2 below, each rule may include a combination of a plurality of conditions, and the combination may be formed with logical AND (&&), logical OR (||) and logical NOT (!).
TABLE 2
(Table 2 is an image on the source page and is not reproduced here.)
In order to make those skilled in the art better understand the security access control policy in the embodiment of the present invention, a specific manner of setting the security access control policy is illustrated below. For more specific security access control policies and control procedures, reference may be made to the following description of the working principle of the edge node.
For example, for access control of dangerous domain names, a user may select a domain name type that needs blocking treatment on the related operation interface to prevent access to any domain name in that type, such as C&C botnet, malware, phishing, virus trojan or extware, and the like, so as to avoid known and potential security risks of the internet.
For example, for access control to a domain name category, the domain name category may be provided in two levels, a first level (i.e., a large genre such as entertainment) containing a plurality of secondary categories (e.g., entertainment information, literature novels, lottery tickets, etc.). In practical operation, for convenience, when a user selects a certain large class on the relevant operation interface, all the secondary classifications below the large class are selected completely, so that access to domain names under all the secondary classifications can be prohibited or released.
For example, for access control of HTTP/HTTPS, a user may set an access control policy on the associated operation interface and create corresponding rules, where the number of rules may be set arbitrarily, each rule is set with a matching condition, a handling manner and a priority, and the user may adjust the priority with an arrow on the operation interface, such as moving up (increasing the priority), moving down (decreasing the priority), setting top (highest priority), or setting bottom (lowest priority).
For example, for filtering and checking traffic, a user may select which traffic to filter and check on the associated operation interface, such as checking HTTP/HTTPS traffic, and may set a matching condition, a logical symbol, a matching target, and the like for the filtering and checking.
For example, for identity and access control, when relevant conditions for identity matching are configured in the control policy, then the automatic triggering of identity authentication is allowed. For example, when a user mailbox, a group mailbox, or a group ID satisfies a certain condition, authentication is triggered. And if the mailbox of the user is equal to the set value, the corresponding target resource can be accessed. Or, when the user accesses the resource for the first time, the policy engine executes the rule to determine whether the rule requires user identity information, if the user identity information is required, the policy engine redirects to an identity authentication page, and after the user provides the identity, the policy engine determines whether the rule setting condition is met and executes a corresponding handling action (here, whether the access is allowed).
As shown in fig. 3, steps 104 to 105 are performed on the target terminal. The target terminal obtains a drainage strategy configured for a target user corresponding to the target terminal from the cloud security management platform, and then the access flow of the target terminal is drained to a corresponding edge node according to the drainage strategy.
In an exemplary embodiment of the present invention, the drainage policy includes a drainage mode and address information of the edge node. The target terminal establishes a drainage tunnel between itself and the edge node according to the drainage mode and the address information of the edge node, so as to guide the access traffic that matches the drainage policy to the edge node through the drainage tunnel. It should be noted that, in this embodiment, the edge node may be an edge node in the same area as the target terminal, where the same area may be the same city (e.g., Beijing, Shanghai, etc.) or the same region (e.g., the Northeast, North China, North America, Asia, etc.). It should also be noted that the number of edge nodes in the same area to which the target terminal connects is not limited. For example, the target terminal may establish a drainage tunnel with only the one edge node closest to it, to ensure low latency for access traffic reaching the edge node. Or, for example, the target terminal may establish a drainage tunnel with each of two edge nodes (i.e., an active edge node and a standby edge node), giving an active drainage tunnel and a standby drainage tunnel, and drain access traffic to the two edge nodes respectively, so as to ensure high availability and stability of the network between the target terminal and the edge nodes.
As previously described, in some embodiments, the target terminal may be the network egress of a branch office, and access traffic at the network egress of the branch office is directed to the corresponding edge node. Fig. 4 is a schematic diagram of introducing access traffic at a branch network egress to two edge nodes (a primary edge node and a standby edge node) according to an embodiment of the present invention. As shown in fig. 4, when an enterprise branch accesses an internet application (e.g., IaaS, SaaS, a data center, or an enterprise application), the branch obtains a drainage policy from the cloud security management platform, where the drainage policy includes a drainage manner and the address information of a primary edge node and a standby edge node allocated to the branch (e.g., allocated by the cloud security management platform according to the geographic location of the branch). The branch configures its network egress according to the corresponding drainage manner (e.g., GRE, IPSec, etc.) and establishes a primary drainage tunnel and a standby drainage tunnel with the primary edge node and the standby edge node, respectively, so that subsequent access traffic is drained to the primary edge node and the standby edge node for security access control processing. It should be noted that the drainage modes of the two drainage tunnels may be set arbitrarily, may be the same as or different from each other, and the present invention is not particularly limited in this respect.
By the method, the access flow of the network outlet of the branch mechanism is directly drained to the edge node, so that the flow of the branch mechanism does not need to be returned to the headquarters of the enterprise for uniform flow check and filtration, in addition, the branch mechanism can also be accessed to the edge node nearby in a flexible and various mode, the time delay of accessing the internet is remarkably reduced, and the user experience is greatly improved.
As described above, in some embodiments, the target terminal may be a user terminal device, and when the target terminal is a user terminal device, a drainage application may be preset thereon, and the target user sends an acquisition request for a drainage policy to the cloud security management platform by logging in the drainage application, where the specific process is as follows:
a user starts and logs in a drainage application program on user terminal equipment, and provides corresponding credentials (such as a user name, a password and the like) to complete identity authentication;
after the identity authentication is passed, the user sends an acquisition request aiming at the drainage strategy to the cloud security management platform through the user terminal equipment;
the user obtains the drainage strategy configured for the user from the cloud security management platform through the user terminal device, wherein the drainage strategy comprises an IP address allocated to the user terminal device and address information allocated to an edge node of the user terminal device, so that a corresponding drainage tunnel can be established according to the IP address allocated to the user terminal device and the address information of the edge node.
The condition is particularly suitable for application scenes such as home office and business trip and outwork of enterprise employees, the employees are allowed to directly access the Internet in a time and place independent mode through identity authentication of the enterprise employees, data do not need to be transmitted back to the enterprise, and the system is flexible and convenient.
Fig. 5 is a schematic diagram illustrating how access traffic of a user terminal device is introduced to two edge nodes (an active edge node and a standby edge node) according to an embodiment of the present invention. As shown in fig. 5, when an individual employee accesses an internet application (e.g., IaaS, SaaS, a data center, an enterprise application, etc.) through a user terminal device, the employee first logs in to client software (i.e., the drainage application) preset on the user terminal device, sends a request for a drainage policy to the cloud security management platform, and then receives through the client software the drainage policy fed back by the cloud security management platform. The drainage policy includes an IP address allocated by the cloud security management platform to the user terminal device and the address information of a primary edge node and a standby edge node allocated to the user terminal device according to its geographic location. The user terminal device configures itself according to the corresponding drainage manner (e.g., IPSec, PAC, etc.), establishes a primary drainage tunnel and a standby drainage tunnel with the primary edge node and the standby edge node, and then drains its access traffic to the primary edge node and the standby edge node, respectively. It should be noted that the drainage modes of the two drainage tunnels can be set arbitrarily, can be the same as or different from each other, and offer high flexibility.
By the method, when the user terminal equipment remotely accesses the enterprise application, a Virtual Private Network (VPN) is not needed any more, an individual user can safely access the Internet through any Network at any time and any place, the access flow does not need to be sent back to a branch office or an enterprise headquarter, but is directly transmitted to a corresponding edge node from the user terminal equipment to enter the Internet, the problems of delay and bandwidth are solved, and the user experience is improved.
In addition, in some embodiments, the target terminal may further obtain and install a CA root certificate from the cloud security management platform, where the CA root certificate may be generated by the cloud security management platform by default, or may be generated and uploaded by the target user. The CA root certificate needs to be added into a root certificate trust list of a system and a browser, and the root CA certificate is used for issuing a dynamic certificate to a domain name requested by a target terminal HTTPS. By this processing mode, the security of internet access is further enhanced.
As shown in fig. 3, steps 106 to 108 are performed on the edge node.
In this embodiment, a plurality of edge nodes deployed in a distributed manner constitute a secure cloud. Each edge node can be connected with at least one target terminal, and a drainage policy and a security access control policy which are acquired from a cloud security management platform and configured for each target user are prestored on each edge node. In addition, preferably, a full stack of security software programs is run on each edge node, various types of security software programs can be added according to requirements, and the security access control method has greater elasticity and can meet various types of security access control requirements.
When the edge node receives the access flow of a target terminal, the network attribute of the target terminal is obtained. Specifically, the network attribute of a target terminal may include an IP address, a port, a protocol, a traffic steering manner, and the like of the target terminal. By analyzing the network attribute of the target terminal, the edge node can judge from which target terminal the received access traffic comes, and further find the security access control policy of the target user corresponding to the target terminal. Because the edge node stores the mapping relation between the IP address of the target terminal and the target user corresponding to the target terminal, when the edge node receives the access flow of one target terminal, the IP address of the target terminal is obtained, and then the target user corresponding to the target terminal is obtained in the mapping relation. The security access control strategy is bound with the target user corresponding to the target terminal, and the security access control strategy of the target user corresponding to the target terminal can be obtained after the target user is determined. Wherein the target user can be identified by the network ID account of the target user.
Then, the edge node runs a security access control engine based on the security access control policy to perform security access control processing on the access traffic.
In this embodiment, the security access control processing may include various types of security access control from Layer 3 to Layer 7, for example, access control policies for IP, port and protocol, for DNS requests, for HTTP/HTTPS, and for identity information.
For this purpose, the edge node of this embodiment runs Layer 3 to Layer 7 security management software, including but not limited to the following security management modules, as shown in fig. 6:
Layer 3 firewall module: filters data packets at the network layer according to IP (IP address, IP address list, IP type, etc.), port, protocol, geographical location, and the like.
Domain name classification management module: obtains the domain name in a DNS resolution request or an HTTP/HTTPS request and determines the domain name category (such as entertainment, information, video, phishing, etc.) to which the domain name belongs, so that other modules can implement access control by domain name category. In some embodiments, the cloud security management platform has a domain name classification library for managing domain names, in which the category to which each domain name belongs is recorded against that domain name. Generally, the domain name categories are defined by the operator of the cloud security management platform. The operator manages and maintains the classification library on the cloud security management platform, for example by adding or deleting a domain name category, or adding or deleting a domain name under a category, and sends the domain names in the classification library together with their categories to the edge nodes. Of course, a domain name classification library may also be customized on the edge node, or the default domain name classification library on the cloud security management platform may be used directly, which is not limited here.
Secure DNS module: applies the access control rules to DNS resolution according to the domain name in the DNS request and the domain name category corresponding to it, for example blocking phishing and C2 type domain names and allowing specified types of domain names.
Traffic inspection module: for access control at the HTTP and HTTPS layers. In some embodiments, when receiving HTTPS access traffic sent by a target terminal, the traffic inspection module issues a dynamic certificate for the domain name to be accessed using the CA root certificate of the target user corresponding to that target terminal, and completes the HTTPS handshake with the HTTPS access traffic, thereby further enhancing the security of internet access. In addition, the request traffic can be decrypted when HTTPS is accessed. The traffic inspection module supports fine-grained access control through free combination of URL, domain name, request parameter, domain name category, response status code, file upload and download type, file suffix, and other condition types.
Identity and access control module: the edge node can decide according to the access control policy whether to start identity authentication. When identity authentication is started, the access is directed to an identity authentication page; the identity authentication interface comprises at least one identity authentication option, and an identity authentication policy corresponding to the selection is determined according to the received selection information for that at least one option on the identity authentication interface, where the identity authentication policy comprises an identity information authentication policy and/or an authority information authentication policy. In some embodiments, the identity and access control module determines according to the security access control policy whether to initiate identity authentication for the target user; when it is initiated, access is directed to an identity authentication page, which may be provided by an external identity provider (e.g., WeChat Work, DingTalk); after the target user completes the identity authentication, the identity information of the target user (username, mailbox, organization department, etc.) is fed back, and it is then determined whether to allow access to the corresponding resource based on the identity information of the target user and the security access control policy. For example, whether the finance department may access the OA system, or whether the research and development department may access a technical website, is determined, and such settings are personalized according to specific operational requirements, giving high flexibility.
Data leakage prevention module: used to judge whether the access traffic carries a risk of data leakage, according to the uniform resource locator (URL) in the DNS resolution request or HTTP/HTTPS request and the file information of an uploaded file. In some embodiments, access control may be performed according to information such as the request domain name, the URL, the request method, the response status code, and the uploaded file, checking whether the request may cause information leakage. For example, a rule is set in the security access control policy to prevent uploading of files with certain suffixes (such as pdf, doc, xls), or to perform access control on the upload URL of a website, thereby preventing employees from uploading sensitive files, effectively preventing data leakage, and enhancing the security of internet access.
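The following Python code is an added illustration of the two-level domain name classification and the category-based secure DNS decision described above; it is not code from the patent or from the applicant's product. The classification library, category names, and domain names are constructed for the example, and the suffix-walking lookup (a subdomain inheriting the category of its registered parent) is an assumed design, not something the page specifies.

```python
from dataclasses import dataclass, field

# Constructed two-level domain classification library for illustration; it is not
# the cloud security management platform's real library. A large (top-level)
# category maps to its secondary categories, and each domain maps to one
# secondary category.
CATEGORY_TREE = {
    "entertainment": {"entertainment information", "literature novels", "lottery tickets"},
    "security risk": {"phishing", "c2", "malware"},
    "information": {"news"},
}
DOMAIN_LIBRARY = {
    "novels.example": "literature novels",
    "lotto.example": "lottery tickets",
    "login-bank.example": "phishing",
    "beacon.example": "c2",
    "news.example": "news",
}


def classify(domain):
    """Return (top_level, secondary) for a domain, or (None, None) if unknown.

    Parent labels are tried in turn (assumed design), so a subdomain such as
    www.novels.example inherits the category recorded for novels.example.
    """
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        secondary = DOMAIN_LIBRARY.get(".".join(labels[i:]))
        if secondary is not None:
            for top, secondaries in CATEGORY_TREE.items():
                if secondary in secondaries:
                    return top, secondary
    return None, None


@dataclass
class SecureDnsPolicy:
    """Category-based resolution control, as the secure DNS module applies it."""
    blocked_secondary: set = field(default_factory=set)

    def block_top_level(self, top):
        # Selecting a large category selects every secondary category under it.
        self.blocked_secondary |= CATEGORY_TREE[top]

    def block_secondary(self, secondary):
        self.blocked_secondary.add(secondary)

    def decide(self, domain):
        """Return ("block" | "allow", secondary_category_or_None) for a DNS query."""
        _, secondary = classify(domain)
        if secondary in self.blocked_secondary:
            return "block", secondary
        return "allow", secondary


def demo_policy():
    """Constructed policy: block the whole 'security risk' class plus lottery domains."""
    policy = SecureDnsPolicy()
    policy.block_top_level("security risk")
    policy.block_secondary("lottery tickets")
    return policy
```

Unknown domains resolve as "allow" with no category, which mirrors a policy that only lists categories to block; a deployment that wants a default-deny stance for unclassified domains would invert that last branch.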
It should be noted that, through the above security management module, the edge node has a full stack security access control capability, but this is only one embodiment of the present invention, and in practical applications, the security management module on the edge node may not be limited by this, and may be deleted or added according to a service requirement.
Here, the arrow direction for indicating the transmission direction of the access traffic in fig. 7 is an outward direction, but in actual application, the present invention is not limited to this. In fact, the edge node may perform security access control not only for outbound access traffic but also for inbound traffic data.
Further, in the above embodiment, the method may further include the following steps (not shown in the figure):
Step 109: the edge node records, in a log, the security access control processing process and/or the security access control processing result for the access traffic on the edge node, and sends the log information to the cloud security management platform;
Step 110: the cloud security management platform receives the log information from the edge node, performs aggregation, statistics and analysis over various dimensions (various security problems) on the security access control processing process and/or result recorded in the log information, displays a visual analysis view for each dimension on the platform so that attack and threat conditions can be grasped conveniently and intuitively, and sends the corresponding threat events to a centralized security analysis (SIEM) platform for further analysis and reporting, so that damage that may be caused by an attack is prevented or limited.
In this embodiment, the edge node provides full-stack security control management capability, and only the drainage policy and the security access control policy configured for the target terminal according to the cloud security management platform are needed, so that security control over access traffic of the target terminal can be realized, and the target terminal does not need to manage numerous security devices, thereby greatly reducing cost. In addition, the edge nodes in distributed deployment allow the target terminal to access the access traffic to one or more edge nodes in the same area based on the principle of proximity, so that the time delay of information reaching the edge nodes is remarkably reduced, and the user experience is greatly improved.
Example two
In order to make those skilled in the art understand the working principle of the edge node in the above embodiment, the following describes the composition structure and the working flow of the edge node with reference to a specific application example. Fig. 7 is a schematic diagram of a composition structure of an edge node according to an embodiment of the present invention, and fig. 8 is a flowchart of security access control on an edge node according to an embodiment of the present invention.
As shown in fig. 7, the edge node may include a load balancer and a plurality of security servers, where the load balancer is configured to forward access traffic to one of the plurality of security servers, and the security server runs a configuration management module, a traffic scheduling module, a three-layer firewall module, a security DNS module, a traffic inspection module, and the like. The configuration management module receives the configuration of the cloud security management platform and provides the configuration to other modules, and the other modules perform corresponding security access control processing on access flow according to the security access control strategy.
The access traffic of the target terminal reaches the network interface of the edge node, the network interface may be a load balancer, the same network interface may receive the traffic of all the target terminals, the access traffic enters a security server through the network interface, and the security server performs the following processing on the received access traffic (as shown in fig. 8):
the traffic scheduling module stores network attributes (including network outlet IP, tunnel IP on outlet drainage equipment, and the like) of all target terminals and a mapping relation with the target terminals, and identifies which target terminal the traffic belongs to according to the received data packets. As shown in table 3 below, when a packet with an egress IP of 10.2.1.0/24 is received, it is found that the packet belongs to the target terminal a, and when a packet with an egress IP of 10.2.7.0/24 is received, it is found that the packet belongs to the target terminal B.
TABLE 3
Drainage mode   Internal network address or public egress address of the drainage device   Target terminal
GRE             10.2.1.0/24                                                                  A
IPSec           10.2.3.0/24                                                                  B
PAC             58.56.78.45/32                                                               C
GRE             10.2.5.0/24                                                                  D
GRE             10.2.8.0/24                                                                  E
IPSec           10.2.7.0/24                                                                  B
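The lookup performed by the traffic scheduling module, and the subsequent terminal-to-user-to-policy mapping described earlier for the edge node, as an added Python example that is not code from the patent or the applicant's product. The steering table reproduces Table 3; the terminal-to-user and user-to-policy bindings, the longest-prefix tie-breaking, and the dictionary returned by policy_for are assumptions made for the example.

```python
import ipaddress

# Constructed steering table mirroring Table 3: (drainage mode, internal network
# address or public egress address of the drainage device, target terminal).
STEERING_TABLE = [
    ("GRE", "10.2.1.0/24", "A"),
    ("IPSec", "10.2.3.0/24", "B"),
    ("PAC", "58.56.78.45/32", "C"),
    ("GRE", "10.2.5.0/24", "D"),
    ("GRE", "10.2.8.0/24", "E"),
    ("IPSec", "10.2.7.0/24", "B"),
]
# Constructed bindings (assumed, not from the page): terminal -> target user, and
# target user -> identifier of that user's security access control policy.
TERMINAL_TO_USER = {"A": "branch-a", "B": "branch-b", "C": "alice", "D": "branch-d", "E": "branch-e"}
USER_TO_POLICY = {"branch-a": "policy-A", "branch-b": "policy-B", "alice": "policy-C",
                  "branch-d": "policy-D", "branch-e": "policy-E"}


class TrafficScheduler:
    """Identifies the target terminal behind a packet from its source address."""

    def __init__(self, table):
        self.entries = [(mode, ipaddress.ip_network(addr), terminal) for mode, addr, terminal in table]
        # Longest prefix first (assumed tie-break), so a /32 entry wins over an overlapping /24.
        self.entries.sort(key=lambda e: e[1].prefixlen, reverse=True)

    def identify(self, src_ip):
        """Return (terminal, drainage_mode) or (None, None) for an unknown source."""
        ip = ipaddress.ip_address(src_ip)
        for mode, network, terminal in self.entries:
            if ip in network:
                return terminal, mode
        return None, None

    def policy_for(self, src_ip):
        """Resolve packet source -> terminal -> target user -> policy id, the chain
        the edge node follows to find the policy bound to the target user."""
        terminal, mode = self.identify(src_ip)
        if terminal is None:
            return None
        user = TERMINAL_TO_USER[terminal]
        return {"terminal": terminal, "mode": mode, "user": user, "policy": USER_TO_POLICY[user]}
```

A source that matches no entry returns no policy; in a real edge node that is the case to alert on, since traffic arriving through a tunnel should always map to a provisioned terminal.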
Layer 3 firewall module: filters data packets according to the security access control policy; it supports setting a plurality of rules and executes each firewall rule in priority order, where each rule comprises a rule condition and a handling mode (allow, deny or observe). Each rule allows free combination of multiple rule types. Typical rule types are shown in Table 4 below:
TABLE 4 (reproduced on the original page only as an image; its contents are not available as text)
In particular, for convenience, the Layer 3 firewall module also supports handling according to application protocol, including but not limited to the following common application protocols:
TABLE 5
Protocol name   Protocol port
HTTP            80
HTTPS           443
ICMP            (ICMP has no port)
FTP             20, 21
SSH             22
Telnet          23
DNS             53, 853 (DNS over TLS)
POP             109, 110, 995 (secure POP3)
SMTP            25, 465 (secure SMTP)
MySQL           3306
Typically, each protocol has a corresponding default port, but some special scenarios may not use the default port, such as running an HTTPS service on port 8443. In addition, the user may be allowed to customize the application protocol port: for example, an enterprise administrator can configure a non-standard port for a certain protocol and inform the cloud security management platform of the port information corresponding to the protocol, and the cloud security management platform issues the received port information to the edge node. Thus, the Layer 3 firewall can implement access control for a non-standard port of the protocol.
For ease of understanding, an example of a firewall rule is given here, as shown in table 6 below, where the destination IP of the rule is 1.1.1.0/24 or 8.8.8.8, and packets whose application protocol is UDP, ICMP, TCP will be blocked:
TABLE 6 (reproduced on the original page only as an image; its contents are not available as text)
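The Layer 3 firewall behaviour described above (priority-ordered rules with allow/deny/observe handling, application-protocol matching through the Table 5 ports plus administrator-defined non-standard ports, and the Table 6 example rule), as an added Python example that is not code from the patent or the applicant's product. The Rule and Packet structures, the semantics chosen for "observe" (record the hit and keep evaluating), and the set_top operation are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Default application-protocol ports taken from Table 5.
DEFAULT_PORTS = {
    "HTTP": {80}, "HTTPS": {443}, "FTP": {20, 21}, "SSH": {22}, "TELNET": {23},
    "DNS": {53, 853}, "POP": {109, 110, 995}, "SMTP": {25, 465}, "MYSQL": {3306},
}


class PortTable:
    """Default ports plus administrator-defined non-standard ports (e.g. HTTPS on 8443)."""

    def __init__(self, custom=None):
        self.ports = {name: set(ports) for name, ports in DEFAULT_PORTS.items()}
        for name, extra in (custom or {}).items():
            self.ports.setdefault(name.upper(), set()).update(extra)

    def ports_for(self, name):
        return self.ports.get(name.upper(), set())


@dataclass
class Packet:
    src: str
    dst: str
    transport: str               # "TCP", "UDP" or "ICMP"
    dport: Optional[int] = None  # destination port; None for ICMP


@dataclass
class Rule:
    name: str
    action: str                  # "allow", "deny" or "observe"
    priority: int                # lower number is evaluated first
    src_nets: list = field(default_factory=list)      # empty list means "any"
    dst_nets: list = field(default_factory=list)
    transports: set = field(default_factory=set)
    app_protocols: set = field(default_factory=set)   # names resolved via PortTable


def _in_any(ip, nets):
    return not nets or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)


class Layer3Firewall:
    def __init__(self, rules, port_table=None, default_action="allow"):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.port_table = port_table or PortTable()
        self.default_action = default_action
        self.observed = []       # (rule name, packet) pairs noted by "observe" rules

    def matches(self, rule, pkt):
        if not _in_any(pkt.src, rule.src_nets) or not _in_any(pkt.dst, rule.dst_nets):
            return False
        if rule.transports and pkt.transport.upper() not in rule.transports:
            return False
        if rule.app_protocols:
            ports = set().union(*(self.port_table.ports_for(p) for p in rule.app_protocols))
            if pkt.dport not in ports:
                return False
        return True

    def evaluate(self, pkt):
        """Return (action, rule name). Assumed semantics: an "observe" hit is
        recorded and evaluation continues; allow and deny are final."""
        for rule in self.rules:
            if self.matches(rule, pkt):
                if rule.action == "observe":
                    self.observed.append((rule.name, pkt))
                    continue
                return rule.action, rule.name
        return self.default_action, None

    def set_top(self, name):
        """Move a rule to the highest priority (the "set top" operation on the interface)."""
        rule = next(r for r in self.rules if r.name == name)
        self.rules.remove(rule)
        self.rules.insert(0, rule)


def table6_rule():
    """The Table 6 example: block UDP, ICMP and TCP to 1.1.1.0/24 or 8.8.8.8."""
    return Rule("block-resolvers", "deny", 1, dst_nets=["1.1.1.0/24", "8.8.8.8/32"],
                transports={"UDP", "ICMP", "TCP"})
```

Because rules are sorted once at construction and reordered in place by set_top, the evaluation order is always explicit; an operator reviewing a policy can read the list top to bottom exactly as the engine will apply it.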
If the secure DNS function is enabled, the data packet enters the secure DNS processing logic.
If HTTP/HTTPS traffic inspection is enabled, the traffic enters the HTTP/HTTPS traffic inspection module, which performs access control according to conditions such as the request domain name, the URL (uniform resource locator), the request method, and the response status code;
By default, only the standard HTTP ports (i.e., 80/HTTP and 443/HTTPS) are subject to access control; for non-standard ports, access control must first be enabled on the security management platform for each specific non-standard port. In order to process HTTPS encrypted traffic, the traffic inspection module dynamically issues a certificate according to the current request domain name.
Fig. 9 is a logic flow diagram of a HTTP/HTTPs traffic inspection according to an embodiment of the present invention. As shown in fig. 9, performing access control on the request domain name, the uniform resource locator URL, the request method, and the response status code may include:
determining whether the port type is a standard port (i.e., 80/443 port);
if the port is a standard port, directly starting access control on the request domain name, the Uniform Resource Locator (URL), the request method and the response status code;
if the port is a non-standard port, it is determined whether the traffic inspection function has been enabled for that non-standard port (noting that traffic inspection for a non-standard port must first be enabled on the cloud security management platform); if it is enabled, access control is performed on the request domain name, the uniform resource locator URL, the request method, and the response status code.
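The HTTP/HTTPS inspection flow of fig. 9 (standard-port gating, platform-enabled non-standard ports, then rules over domain, URL, method, status code and uploaded-file suffix), together with the identity-triggered authentication described for the identity and access control module, as an added Python example that is not code from the patent or the applicant's product. The HttpRequest and HttpRule structures, the "bypass" and "redirect_to_auth" decision names, the domain names and the department-based condition in demo_inspector are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

STANDARD_PORTS = {80, 443}   # inspected by default (80/HTTP, 443/HTTPS)


@dataclass
class HttpRequest:
    method: str
    url: str
    port: int
    status: Optional[int] = None            # response status code, when known
    upload_filename: Optional[str] = None   # name of a file being uploaded, if any
    identity: Optional[dict] = None         # identity fed back after authentication, e.g. {"department": "finance"}


@dataclass
class HttpRule:
    name: str
    action: str                # "allow" or "deny"
    priority: int              # lower number is evaluated first
    domains: set = field(default_factory=set)        # empty means "any"
    url_prefixes: set = field(default_factory=set)
    methods: set = field(default_factory=set)
    statuses: set = field(default_factory=set)
    upload_suffixes: set = field(default_factory=set)
    identity_conditions: Optional[dict] = None       # e.g. {"department": {"finance"}}


class HttpInspector:
    def __init__(self, rules, enabled_nonstandard_ports=()):
        self.rules = sorted(rules, key=lambda r: r.priority)
        # Non-standard ports are inspected only after being enabled on the platform.
        self.enabled_ports = set(enabled_nonstandard_ports)

    def _condition_matches(self, rule, req, host):
        if rule.domains and not any(host == d or host.endswith("." + d) for d in rule.domains):
            return False
        if rule.url_prefixes and not any(req.url.startswith(p) for p in rule.url_prefixes):
            return False
        if rule.methods and req.method.upper() not in rule.methods:
            return False
        if rule.statuses and req.status not in rule.statuses:
            return False
        if rule.upload_suffixes:
            if not req.upload_filename or "." not in req.upload_filename:
                return False
            if req.upload_filename.rsplit(".", 1)[1].lower() not in rule.upload_suffixes:
                return False
        return True

    def inspect(self, req):
        """Return (decision, rule name). Decisions: "bypass" (port not inspected),
        "redirect_to_auth", "allow" or "deny"."""
        if req.port not in STANDARD_PORTS and req.port not in self.enabled_ports:
            return "bypass", None
        host = (urlparse(req.url).hostname or "").lower()
        for rule in self.rules:
            if not self._condition_matches(rule, req, host):
                continue
            if rule.identity_conditions:
                if req.identity is None:
                    # The rule needs identity information and none has been provided yet.
                    return "redirect_to_auth", rule.name
                if any(req.identity.get(k) not in allowed for k, allowed in rule.identity_conditions.items()):
                    continue   # identity known but the rule's condition is not met
            return rule.action, rule.name
        return "allow", None


def demo_inspector():
    """Constructed policy: block office-document uploads, let only the finance
    department reach the OA system, and inspect port 8443 as well."""
    return HttpInspector([
        HttpRule("block-doc-upload", "deny", 1, methods={"POST", "PUT"}, upload_suffixes={"pdf", "doc", "xls"}),
        HttpRule("finance-oa", "allow", 2, domains={"oa.example"}, identity_conditions={"department": {"finance"}}),
        HttpRule("deny-oa-others", "deny", 3, domains={"oa.example"}),
    ], enabled_nonstandard_ports={8443})
```

The "bypass" outcome is deliberate: a request on a port that has not been enabled is neither allowed nor denied by this module, so an operator who wants coverage of an internal service on 8443 must enable that port on the platform first, exactly as the flow above states.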
In this embodiment, after the security access control processing, the result of the control processing is recorded as log information, and the log information is sent to the cloud security management platform, which specifically includes:
Each security module of the edge node outputs a log in a corresponding format after processing access traffic of its type, and the log format is configurable from the cloud security management platform. For example, by default only the request logs that hit a rule in deny mode are recorded individually; the other logs are not recorded individually by default because of their volume, and instead statistics for requests in allow and observe modes are aggregated at a time interval (e.g., once every 5 minutes) and recorded.
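The logging behaviour just described (deny hits recorded individually, allow and observe hits only counted per 5-minute interval) and the per-dimension statistics the cloud security management platform builds from the logs, as an added Python example that is not code from the patent or the applicant's product. The HitRecord field names are constructed for the example (the page's Tables 7 to 9 list the real fields but are not available as text), and the sample hits are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class HitRecord:
    """One security-module hit on the edge node. Field names are constructed for
    this example; the page's Tables 7 to 9 list the real log fields."""
    ts: int          # unix time of the request, seconds
    terminal: str    # target terminal the traffic came from
    user: str        # target user bound to the terminal
    module: str      # e.g. "l3-firewall", "secure-dns", "http-inspect"
    rule: str        # rule that matched
    action: str      # "deny", "allow" or "observe"
    target: str      # what was accessed


class EdgeLogPipeline:
    """Deny hits are logged individually; allow/observe hits are only counted per window."""

    def __init__(self, window_seconds=300):
        self.window = window_seconds
        self.detail_logs = []                 # individual deny records
        self.counters = defaultdict(int)      # (window_start, module, rule, action) -> count

    def window_of(self, ts):
        return ts - ts % self.window

    def record(self, hit):
        if hit.action == "deny":
            self.detail_logs.append(hit)
        else:
            self.counters[(self.window_of(hit.ts), hit.module, hit.rule, hit.action)] += 1

    def aggregated(self, window_start):
        """Aggregated statistics for one window, the form sent to the platform."""
        rows = [{"window_start": k[0], "module": k[1], "rule": k[2], "action": k[3], "count": n}
                for k, n in self.counters.items() if k[0] == window_start]
        return sorted(rows, key=lambda r: (r["module"], r["rule"], r["action"]))

    def threat_summary(self, dimension):
        """Count deny hits per value of a dimension (module, user, terminal, ...),
        the kind of per-dimension statistics the platform displays."""
        return dict(Counter(getattr(h, dimension) for h in self.detail_logs))


# Constructed sample hits for a single edge node.
SAMPLE_HITS = [
    HitRecord(1700000010, "A", "branch-a", "l3-firewall", "block-resolvers", "deny", "1.1.1.1:53/udp"),
    HitRecord(1700000020, "A", "branch-a", "secure-dns", "block-c2", "deny", "beacon.example"),
    HitRecord(1700000030, "B", "branch-b", "http-inspect", "default", "allow", "https://news.example/"),
    HitRecord(1700000040, "B", "branch-b", "http-inspect", "default", "allow", "https://news.example/a"),
    HitRecord(1700000050, "B", "branch-b", "l3-firewall", "watch-https", "observe", "93.184.216.34:443/tcp"),
    HitRecord(1700000400, "B", "branch-b", "http-inspect", "default", "allow", "https://news.example/b"),
]


def process(hits, window_seconds=300):
    pipeline = EdgeLogPipeline(window_seconds)
    for hit in hits:
        pipeline.record(hit)
    return pipeline
```

Keeping the full record only for deny hits is what makes the per-terminal and per-user threat views cheap to compute on the platform side, while the counters still give the volume of allowed and observed traffic per rule without storing every request.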
Each module has a corresponding log format, but in common, each log contains, but is not limited to, the fields shown in Table 7 below:
TABLE 7 (reproduced on the original page only as an image; its contents are not available as text)
In particular, for the log of the secure DNS module, there are also the log fields shown in Table 8 below:
TABLE 8 (reproduced on the original page only as an image; its contents are not available as text)
In particular, for HTTP/HTTPS logs, there are also the log fields shown in Table 9 below:
TABLE 9 (reproduced on the original page only as an image; its contents are not available as text)
It is noted that in some embodiments, for the Layer 3 firewall, only the aggregated log of hit access control rules may be recorded.
In this embodiment, each security module of the edge node provides rich log information; the cloud security management platform can perform aggregation, statistics and analysis over each dimension (various security problems) on the log information and display a visual analysis view for each dimension on the platform, so as to grasp attack and threat situations intuitively and send the corresponding threat events to the SIEM platform.
In this embodiment, the secure cloud platform provides, but is not limited to, data analysis and visualization of the type shown in table 10 below:
TABLE 10 (reproduced on the original page only as an image; its contents are not available as text)
Example three
Fig. 10 is a block diagram of a cloud-based internet access control system according to an embodiment of the present invention, and as shown in fig. 10, the system includes:
the cloud security management platform 1061 is configured to configure a drainage policy and a security access control policy for a target terminal, send the drainage policy to the edge node 1062 and the target terminal (in the figure, the target terminal may be a branch 10631, an enterprise headquarters 10632, a home office 10633, a mobile office 10634, and a BYOD 10635), and send the security access control policy to the edge node 1062;
and the edge node 1062 is configured to perform security access control processing on the access traffic from the target terminal according to the security access control policy.
In some embodiments, the system may further include:
and the target terminal is used for establishing a drainage tunnel between the target terminal and the edge node according to the drainage strategy.
When the target terminal is the user terminal equipment, a drainage application program is preset on the user terminal equipment, and a drainage tunnel between the user terminal equipment and the edge node 1062 is established through the drainage application program according to a drainage strategy; and when the target terminal is a network outlet of the branch office, establishing a drainage tunnel between the target terminal and the edge node 1062 at the network outlet according to a drainage strategy.
For technical details not disclosed in the cloud-based internet access control system provided in this embodiment, please refer to the description of the cloud-based internet access control method in the foregoing embodiment, which is not repeated herein.
Example four
The following are apparatus embodiments of the present invention, which may be used to perform the method embodiments of the present invention. For details not disclosed in the apparatus embodiments, reference is made to the method embodiments.
This embodiment provides a cloud-based internet access control device arranged on an edge node. The device has the function of executing the method embodiments above; that function may be implemented by hardware, or by hardware executing corresponding software. The device may include:
an acquisition unit, used for acquiring the network attribute of a target terminal according to the access traffic received from the target terminal;
a determining unit, used for determining the security access control policy of the target user corresponding to the target terminal according to a pre-stored drainage policy and the network attribute of the target terminal;
and a control unit, used for performing security access control processing on the access traffic from the target terminal according to the security access control policy.
This embodiment also provides, in block-diagram form, a cloud-based internet access control device arranged on the cloud security management platform. The device has the function of executing the method embodiments above; that function may be implemented by hardware, or by hardware executing corresponding software. The device may include:
a configuration unit, used for configuring a drainage policy and a security access control policy for a target user;
a first sending unit, used for sending the drainage policy to an edge node and to a target terminal corresponding to the target user, so that the target terminal drains its access traffic to the edge node according to the drainage policy;
and a second sending unit, used for sending the security access control policy to the edge node, so that the edge node performs security access control processing on the access traffic according to the security access control policy.
This embodiment also provides, in block-diagram form, a cloud-based internet access control device arranged on the target terminal. The device has the function of executing the method embodiments above; that function may be implemented by hardware, or by hardware executing corresponding software. The device may include:
an acquisition unit, used for acquiring a drainage policy from the cloud security management platform, the drainage policy being that of the target user corresponding to the target terminal;
and a drainage unit, used for draining the access traffic to the corresponding edge node according to the drainage policy.
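The three devices above describe one pipeline seen from the edge node: the acquisition unit reads the terminal's network attribute from the incoming traffic, the determining unit maps that attribute through the pre-stored drainage (traffic steering) policy to the user's security access control policy, and the control unit applies that policy (the IP/port/protocol rules, the domain-category check and the upload leakage check of the method embodiments). The Go program below is an added example for this page, not code from the patent or from the applicant. It assumes a steering table keyed by the tunnel-side source prefix, a constructed domain-category table, and fail-closed handling of any source or user that has no policy; all type names, addresses, domains and categories are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"path"
	"strings"
)

// Access is what the edge node extracts from one flow arriving over a steering tunnel.
type Access struct {
	TunnelSrc, DstIP      netip.Addr // tunnel-side source of the terminal; destination
	DstPort               uint16
	Proto, Domain         string // "tcp"/"udp"; target domain (DNS, SNI or Host), "" if none
	UploadURL, UploadName string // HTTP upload target URL and file name, "" if no upload
}

// SteeringEntry is one line of the pre-stored steering ("drainage") policy: flows from Prefix belong to User.
type SteeringEntry struct{ Prefix netip.Prefix; User string }

// BlockRule denies a destination range, optionally limited to one port and protocol (0 / "" mean any).
type BlockRule struct{ Dst netip.Prefix; Port uint16; Proto string }

// Policy is one user's security access control policy as pushed by the platform.
type Policy struct {
	Blocked           []BlockRule
	AllowedCategories map[string]bool // domain categories that may be forwarded
	BlockedUploadExts map[string]bool // upload extensions treated as a leakage risk
}

// Verdict is the control unit's decision: Action "forward" (to the service node) or "block".
type Verdict struct{ User, Action, Reason string }

// EdgeNode holds what the cloud security management platform pushed to this node.
type EdgeNode struct {
	Steering   []SteeringEntry
	Policies   map[string]Policy
	Categories map[string]string // domain -> category (constructed lookup table)
}

// lookupUser is the determining unit: the tunnel source address selects the user via the steering policy.
func (e *EdgeNode) lookupUser(src netip.Addr) (string, bool) {
	for _, s := range e.Steering {
		if s.Prefix.Contains(src) {
			return s.User, true
		}
	}
	return "", false
}

// Evaluate is the control unit: IP/port/protocol rules, then domain category, then
// upload leakage risk. A flow with no matching user or no stored policy fails closed.
func (e *EdgeNode) Evaluate(a Access) Verdict {
	user, ok := e.lookupUser(a.TunnelSrc)
	if !ok {
		return Verdict{"", "block", "no steering policy matches source " + a.TunnelSrc.String()}
	}
	pol, ok := e.Policies[user]
	if !ok {
		return Verdict{user, "block", "no access control policy stored for user"}
	}
	for _, r := range pol.Blocked {
		if r.Dst.Contains(a.DstIP) && (r.Port == 0 || r.Port == a.DstPort) && (r.Proto == "" || r.Proto == a.Proto) {
			return Verdict{user, "block", fmt.Sprintf("ip rule blocks %s:%d/%s", a.DstIP, a.DstPort, a.Proto)}
		}
	}
	if a.Domain != "" {
		cat, known := e.Categories[strings.ToLower(a.Domain)]
		if !known {
			cat = "uncategorized" // unknown domains are forwarded only if the policy allows this category
		}
		if !pol.AllowedCategories[cat] {
			return Verdict{user, "block", "domain category not allowed: " + cat}
		}
	}
	if a.UploadURL != "" && pol.BlockedUploadExts[strings.ToLower(path.Ext(a.UploadName))] {
		return Verdict{user, "block", "data leakage risk: " + a.UploadName + " to " + a.UploadURL}
	}
	return Verdict{user, "forward", "passed all checks"}
}

// newAccess builds an Access from string addresses (helper for demos and tests).
func newAccess(src, dst string, port uint16, proto, domain string) Access {
	return Access{TunnelSrc: netip.MustParseAddr(src), DstIP: netip.MustParseAddr(dst), DstPort: port, Proto: proto, Domain: domain}
}

// demoNode is a constructed edge node: two users are steered, but only "acme" has a policy.
func demoNode() *EdgeNode {
	return &EdgeNode{
		Steering: []SteeringEntry{{netip.MustParsePrefix("10.8.0.0/24"), "acme"}, {netip.MustParsePrefix("10.9.0.0/24"), "globex"}},
		Policies: map[string]Policy{"acme": {
			Blocked:           []BlockRule{{netip.MustParsePrefix("0.0.0.0/0"), 23, "tcp"}, {Dst: netip.MustParsePrefix("203.0.113.0/24")}},
			AllowedCategories: map[string]bool{"business": true, "technology": true},
			BlockedUploadExts: map[string]bool{".xlsx": true, ".db": true},
		}},
		Categories: map[string]string{"intranet.example.com": "business", "paste.example.net": "filesharing"},
	}
}
```

The steering table is the only thing that ties a flow to a user, so a tunnel source that matches no entry, or a user whose policy the platform has not yet pushed, is blocked rather than forwarded. The same table has to be re-read whenever the platform sends a new drainage policy, otherwise the edge node keeps enforcing a stale source-to-user mapping.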
It should be noted that the division into functional modules in the device of the foregoing embodiments is only illustrative; in practical applications the functions may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into functional modules other than those described, so as to complete all or part of the functions described above. In addition, the apparatus embodiments and the method embodiments above belong to the same concept; their specific implementation is described in detail in the method embodiments and is not repeated here.
EXAMPLE five
The present embodiment provides a computer readable medium having stored thereon a computer program which, when executed by a processor, implements the steps of a cloud-based internet access control method as shown in fig. 1.
It should be noted that all or part of the flow of the method according to the embodiments of the present invention may be implemented by a computer program, which may be stored in a computer readable storage medium; when the computer program is executed by a processor, the steps of the method embodiments described above may be implemented. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file, some intermediate form, or the like. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash disk, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a Read-Only Memory (ROM), a Random Access Memory (RAM), an electrical carrier wave signal, a telecommunications signal, a software distribution medium, and so on. Of course, there are other readable storage media, such as quantum memory, graphene memory, and so forth. It should be noted that the content of the computer readable medium may be appropriately increased or decreased as required by legislation and patent practice in a jurisdiction; for example, in some jurisdictions, computer readable media do not include electrical carrier signals and telecommunications signals, as required by legislation and patent practice.
EXAMPLE six
Fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. As shown in fig. 11, at the hardware level the electronic device includes a processor and optionally an internal bus, a network interface and a memory. The memory may include a working memory, such as a Random-Access Memory (RAM), and may further include a non-volatile memory, such as at least one disk memory. Of course, the electronic device may also include hardware required for other services.
The processor, the network interface and the memory may be connected to each other via an internal bus, which may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only line segments are shown in fig. 11, but this does not indicate only one bus or one type of bus.
The memory is used for storing programs. In particular, a program may include program code comprising computer operating instructions. The memory may include both working memory and non-volatile storage, and provides instructions and data to the processor. The processor reads the corresponding computer program from the non-volatile memory into the working memory and then runs it. The processor executes the program stored in the memory to perform all the steps of a cloud-based internet access control method as shown in fig. 3.
The communication bus mentioned in the above devices may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus. The communication interface is used for communication between the electronic equipment and other equipment.
The bus includes hardware, software, or both to couple the above components to each other. For example, a bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association local bus (VLB), another suitable bus, or a combination of two or more of these. A bus may include one or more buses, where appropriate. Although specific buses have been described and shown in the embodiments of the invention, any suitable buses or interconnects are contemplated by the invention.
The memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The memory may include mass storage for data or instructions. By way of example, and not limitation, the memory may include a Hard Disk Drive (HDD), a floppy disk drive, flash memory, an optical disk, a magneto-optical disk, magnetic tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these. The memory may include removable or non-removable (or fixed) media, where appropriate. In a particular embodiment, the memory is non-volatile solid-state memory. In a particular embodiment, the memory includes Read Only Memory (ROM). Where appropriate, the ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), electrically rewritable ROM (EAROM), flash memory, or a combination of two or more of these.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; or it may be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
It should be noted that, for convenience and brevity of description, the division of the foregoing functional units and modules is merely illustrative, as those skilled in the art will clearly understand; in practical applications the foregoing functions may be allocated to different functional units and modules as needed, that is, the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the functions described above. Each functional unit and module in the embodiments may be integrated into one processing unit, each unit may exist alone physically, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware or of a software functional unit. In addition, the specific names of the functional units and modules are only for convenience of distinguishing them from each other and are not used to limit the protection scope of the present invention. For the specific working processes of the units and modules in the system, reference may be made to the corresponding processes in the foregoing method embodiments, which are not described herein again.
The apparatuses, devices, systems, modules or units illustrated in the above embodiments may be specifically implemented by a computer chip or an entity, or by an article with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a vehicle-mounted human-computer interaction device, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
Although the present invention provides method steps as described in the examples or flowcharts, more or fewer steps may be included based on conventional or non-inventive means. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of sequences, and does not represent a unique order of performance. When an actual apparatus or end product executes, it may execute sequentially or in parallel (e.g., parallel processors or multi-threaded environments, or even distributed data processing environments) according to the method shown in the embodiment or the figures.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It is noted that, herein, relational terms such as first and second, and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a/an ..." does not exclude the presence of additional like elements in the process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on differences from other embodiments. In particular, as for the device, the electronic device and the readable storage medium embodiments, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the partial description of the method embodiments.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (34)

1. A cloud-based Internet access control method is applied to an edge node, and is characterized in that the edge node is connected with at least one target terminal, and the method comprises the following steps:
acquiring the network attribute of a target terminal according to the received access flow from the target terminal;
determining a security access control strategy of a target user corresponding to the target terminal according to a pre-stored drainage strategy and the network attribute of the target terminal;
and performing security access control processing on the access flow from the target terminal according to the security access control strategy.
2. The method of claim 1, wherein the secure access control policy comprises at least one of an access control policy for IP, port, protocol, an access control policy for DNS requests, an access control policy for HTTP/HTTPS, and an access control policy for identity information.
3. The method of claim 1, wherein performing security access control processing on the access traffic from the target terminal according to the security access control policy comprises:
filtering the access flow according to the network attribute information of the target terminal;
and if the access flow passes the filtering processing, sending the access flow to a corresponding service node.
4. The method of claim 1, wherein performing security access control processing on the access traffic from the target terminal according to the security access control policy comprises:
acquiring a target access domain name contained in the access flow;
determining a domain name category corresponding to the target access domain name according to the target access domain name;
and if the domain name type is the target type, sending the access flow to a corresponding service node.
5. The method of claim 1, wherein performing security access control processing on the access traffic from the target terminal according to the security access control policy comprises:
instructing the target terminal to display an identity authentication interface, wherein the identity authentication interface comprises at least one identity authentication option;
according to the selection information aiming at the at least one identity authentication option received by the identity authentication interface, determining an identity authentication strategy corresponding to the selection information;
according to the identity authentication strategy, performing identity authentication processing on the target terminal;
and if the access flow passes the identity authentication processing, sending the access flow to a corresponding service node.
6. The method of claim 5, wherein the identity authentication policy comprises an identity information authentication policy and/or a rights information authentication policy.
7. The method of claim 1, wherein performing security access control processing on the access traffic from the target terminal according to a security access control policy comprises:
acquiring uniform resource locators and file information of uploaded files contained in the access flow;
and blocking the access flow if the access flow is judged to have the data leakage risk according to the uniform resource locator and the file information.
8. The method according to claim 1, wherein performing security access control processing on the access traffic from the target terminal according to the security access control policy comprises:
performing HTTP/HTTPS access control processing on the access flow according to a preset HTTP/HTTPS access control strategy;
and if the HTTP/HTTPS access control processing is not passed, returning corresponding error information to the target terminal.
9. The method according to claim 8, before performing HTTP/HTTPS access control processing on the access traffic according to a preset HTTP/HTTPS access control policy, further comprising:
acquiring a CA root certificate from a cloud security management platform;
when HTTPS access traffic sent by a target terminal is received, issuing a certificate for the target access domain name using the CA root certificate corresponding to the target user corresponding to the target terminal, and completing the HTTPS handshake with the HTTPS access traffic.
10. A cloud-based Internet access control method is applied to a cloud security management platform and is characterized by comprising the following steps:
configuring a drainage strategy and a security access control strategy for a target user;
respectively sending the drainage strategy to an edge node and a target terminal corresponding to the target user, so that the target terminal drains access flow to the edge node according to the drainage strategy;
and sending the security access control strategy to an edge node so that the edge node performs security access control processing on the access flow according to the security access control strategy.
11. The method of claim 10, wherein the target terminal comprises a user terminal device or a network egress of a branch office.
12. The method according to claim 11, wherein when the target terminal is a user terminal device, the drainage policy includes configuration information for establishing a drainage tunnel through a drainage application provided on the user terminal device.
13. The method of claim 11, wherein when the target terminal is a network egress of a branch office, the drainage policy comprises configuration information for establishing a drainage tunnel at the network egress.
14. The method of claim 10, wherein the drainage policy comprises a drainage mode, and wherein the drainage mode is a network tunneling protocol.
15. The method of claim 14, wherein the network tunneling protocol comprises GRE, IPSec, PAC, custom network tunneling protocol, or other network tunneling protocol supported by the target terminal.
16. The method according to claim 11, wherein when the target terminal is a user terminal device, sending the drainage policy to a target terminal corresponding to the target user includes:
and feeding back a drainage strategy of a target user corresponding to the target terminal according to the access request of the target terminal.
17. The method of claim 10, wherein the secure access control policy comprises at least one of an access control policy for IP, port, protocol, an access control policy for DNS requests, an access control policy for HTTP/HTTPS, and an access control policy for identity information.
18. The method of claim 10, further comprising:
and acquiring log information from the edge node, and analyzing and/or visualizing the security access control processing result in the log information.
19. A cloud-based Internet access control method is applied to a target terminal, and is characterized in that the target terminal comprises user terminal equipment or a network egress of a branch office, and the method comprises the following steps:
acquiring a drainage strategy from a cloud security management platform, wherein the drainage strategy is a drainage strategy of a target user corresponding to the target terminal;
and draining the access flow to the corresponding edge node according to the drainage strategy.
20. The method of claim 19, wherein the drainage policy comprises a drainage mode, and wherein the drainage mode is a network tunneling protocol.
21. The method according to claim 19, wherein when the target terminal is a user terminal device, the obtaining of the drainage policy from the cloud security management platform includes:
responding to a login request aiming at the drainage application, and sending an acquisition request aiming at the drainage strategy to a cloud security management platform;
and receiving a drainage strategy of a target user corresponding to the current target terminal, which is fed back by the cloud security management platform.
22. The method of claim 20, wherein the drainage policy further comprises address information of edge nodes;
wherein draining the access flow to the corresponding edge node according to the drainage strategy comprises:
establishing a drainage tunnel between a current target terminal and the edge node according to the drainage mode and the address information of the edge node;
and draining the access flow meeting the drainage strategy to the edge node through the drainage tunnel.
23. The method of claim 20, wherein the network tunneling protocol comprises GRE, IPSec, PAC, custom network tunneling protocol, or other network tunneling protocol supported by the target terminal.
24. The method of claim 19, wherein the edge node is an edge node in a same area as the target terminal.
25. The method of claim 19, wherein the edge nodes comprise active edge nodes and standby edge nodes;
wherein draining the access flow to the corresponding edge node according to the drainage strategy comprises:
and draining the access flow to the active edge node and the standby edge node respectively according to the drainage strategy.
26. The method of claim 19, further comprising:
and acquiring and installing a CA root certificate from the cloud security management platform, wherein the CA root certificate is generated by the cloud security management platform by default or generated and uploaded by the target user.
27. A cloud-based internet access control system, the system comprising:
the cloud security management platform is used for configuring a drainage strategy and a security access control strategy for a target user and respectively sending the drainage strategy to an edge node and a target terminal corresponding to the target user; sending the security access control policy to the edge node;
and the edge node is used for carrying out security access control processing on the access flow from the target terminal according to the security access control strategy.
28. The system of claim 27, further comprising:
and the target terminal is used for establishing a drainage tunnel between the target terminal and the edge node according to the drainage strategy.
29. The system of claim 28, wherein a drainage application is configured on the target terminal, and wherein the drainage application is configured to establish a drainage tunnel with an edge node.
30. A cloud-based Internet access control device is arranged on an edge node, and the edge node is connected with at least one target terminal, and the cloud-based Internet access control device is characterized by comprising:
the acquisition unit is used for acquiring the network attribute of a target terminal according to the received access flow from the target terminal;
the determining unit is used for determining a security access control strategy of a target user corresponding to the target terminal according to a pre-stored drainage strategy and the network attribute of the target terminal;
and the control unit is used for carrying out security access control processing on the access flow from the target terminal according to the security access control strategy.
31. A cloud-based internet access control device, arranged on a cloud security management platform, characterized by comprising:
the configuration unit is used for configuring a drainage strategy and a security access control strategy for a target user;
the first sending unit is used for respectively sending the drainage strategy to an edge node and a target terminal corresponding to the target user so that the target terminal can drain access flow to the edge node according to the drainage strategy;
and the second sending unit is used for sending the security access control strategy to an edge node so that the edge node performs security access control processing on the access flow according to the security access control strategy.
32. A cloud-based internet access control device, arranged on a target terminal, characterized by comprising:
the acquisition unit is used for acquiring a drainage strategy from a cloud security management platform, wherein the drainage strategy is a drainage strategy of a target user corresponding to the target terminal;
and the drainage unit is used for draining the access flow to the corresponding edge node according to the drainage strategy.
33. A computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, implementing a cloud-based internet access control method as claimed in any one of claims 1 to 26.
34. An electronic device, comprising:
a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement a cloud-based internet access control method as claimed in any one of claims 1-26.
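Claims 9 and 26 describe the HTTPS part of the control unit: the edge node holds a CA root certificate obtained from the cloud security management platform, the target terminal installs that root, and for HTTPS traffic the edge node issues a certificate for the target access domain name under the target user's root so that it can complete the handshake and apply the HTTP/HTTPS access control policy. The Go program below is an added example for this page, not code from the patent or from the applicant. It generates a per-user root locally instead of fetching it from the platform, issues a short-lived leaf certificate for a domain, and checks from the terminal's side that the leaf is accepted only when that user's root is installed and only for the named domain; the user names and the domain are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// TenantCA is one user's CA root as held by the edge node. In the patent it is
// fetched from the cloud security management platform; here it is generated
// locally so that the example runs offline (constructed).
type TenantCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewTenantCA creates a self-signed root that may only sign leaf certificates.
func NewTenantCA(user string) (*TenantCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: user + " access-control root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // pathlen 0: no intermediates below this root
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &TenantCA{Cert: cert, Key: key}, nil
}

// IssueForDomain mints the short-lived server certificate the edge node presents
// when it terminates the terminal's HTTPS connection to domain.
func (ca *TenantCA) IssueForDomain(domain string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain}, // clients match the name against the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return leaf, key, nil
}

// ClientAccepts models the terminal side: the edge node's certificate is accepted
// only if it chains to a root the terminal installed and names the domain.
func ClientAccepts(leaf *x509.Certificate, domain string, installedRoots ...*x509.Certificate) bool {
	pool := x509.NewCertPool() // empty pool: no fallback to the system trust store
	for _, r := range installedRoots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   domain,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}
```

A separate root per user, a root that cannot sign intermediates, and a leaf that lives for hours rather than years keep the blast radius small if the edge node's signing material is ever exposed, and one user's root never validates traffic intercepted under another user's policy. A terminal that has not installed the root fails the handshake, which is why claim 26 has the terminal acquire and install it.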

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110745342.6A CN115567229A (en) 2021-06-30 2021-06-30 Cloud-based internet access control method, device, medium, equipment and system
PCT/CN2022/102332 WO2023274295A1 (en) 2021-06-30 2022-06-29 Cloud-based internet access control method and apparatus, medium, device, and system

Publications (1)

Publication Number Publication Date
CN115567229A true CN115567229A (en) 2023-01-03

Family

ID=84691412

Country Status (2)

Country Link
CN (1) CN115567229A (en)
WO (1) WO2023274295A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116437349B (en) * 2023-06-13 2023-09-05 武汉博易讯信息科技有限公司 Method, device, equipment and medium for controlling access to mobile network
CN116633696B (en) * 2023-07-25 2024-01-02 深圳市永达电子信息股份有限公司 Network computing node access controller system, management and control method and electronic equipment
CN116708033B (en) * 2023-08-04 2023-11-03 腾讯科技(深圳)有限公司 Terminal security detection method and device, electronic equipment and storage medium
CN116743498B (en) * 2023-08-09 2023-10-13 恒辉信达技术有限公司 Method and system for controlling access of equipment nodes in edge computing network
CN117278329B (en) * 2023-11-21 2024-01-16 大连凌一科技发展有限公司 Application resource dynamic control access method based on zero trust gateway

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8312507B2 (en) * 2006-10-17 2012-11-13 A10 Networks, Inc. System and method to apply network traffic policy to an application session
CN104618403A (en) * 2015-03-10 2015-05-13 网神信息技术(北京)股份有限公司 Access control method and device for security gateway
CN105897766B (en) * 2016-06-16 2019-08-09 中电长城网际系统应用有限公司 A kind of virtual network traffic security control method and device
CN111970242B (en) * 2020-07-15 2022-09-30 深信服科技股份有限公司 Cloud security protection method and device and storage medium

Also Published As

Publication number Publication date
WO2023274295A1 (en) 2023-01-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination