CN116015804B - Trusted connector, industrial flow control system and method based on zero trust - Google Patents


Info

Publication number: CN116015804B
Application number: CN202211618132.1A
Authority: CN (China)
Prior art keywords: equipment, trusted, strategy, data packet, trusted connector
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN116015804A
Inventor: 代鑫源
Current assignee: Sichuan Cric Technology Co ltd
Original assignee: Sichuan Cric Technology Co ltd
Events: application filed by Sichuan Cric Technology Co ltd; priority to CN202211618132.1A; publication of CN116015804A; application granted; publication of CN116015804B; legal status active

Classifications

    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]


Abstract

The invention relates to flow control technology and discloses a trusted connector, an industrial flow control system and a method based on zero trust. It addresses the problems of the traditional technology that terminal equipment in an industrial system is trusted too highly, that the terminal lacks protection, and that safety risks therefore exist. The method comprises the following steps: S1, the TC detects whether downstream equipment is present on the control end; if so, step S2 is entered, otherwise step S1 is repeated; S2, the TC applies to the zero trust management platform for the policy corresponding to the equipment; S3, the zero trust management platform judges whether a policy corresponding to the equipment exists; if so, step S4 is carried out, otherwise an invalid response is issued to the TC and step S1 is returned to; S4, the TC acquires the corresponding policy by subscribing to a policy topic; S5, the TC applies to the identity management platform for the distributed digital identity of the equipment, using the information of the downstream equipment, and starts the policy module; S6, after the policy module and the distributed digital identity of the TC are initialized successfully, the network bridge is started; and S7, the TC controls the flow of the downstream equipment according to the acquired policy.

Description

Trusted connector, industrial flow control system and method based on zero trust
Technical Field
The invention relates to a flow control technology, in particular to a trusted connector, an industrial flow control system and method based on zero trust.
Background
In a common industrial control system there is always a terminal device that acts as the working core of the whole system or of one module; for example, the most central module in an industrial system is generally a controller such as a PLC, or an industrial control host with higher authority in the system. These core devices are therefore very important to industrial production lines, yet enterprises often neglect to protect them, or trust some terminal devices too much, so that their access to the internet and the intranet is not limited and safety risks exist.
On the other hand, much industrial equipment in China is imported, and maintenance and upgrading of the equipment is performed by maintenance personnel from the equipment's original manufacturer, whose operations cannot be judged for safety and reliability by the enterprise's own personnel. At the same time, an industrial control system usually relies on a network, so illegal network intrusion may occur, or equipment may carry illegal programs that steal the enterprise's internal resources. The network security of the equipment is therefore very important.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: to provide a trusted connector, an industrial flow control system and a method based on zero trust, and so to solve the problems of the prior art that terminal equipment in an industrial system is trusted too highly, that the terminal lacks protection, and that safety risks exist.
The technical scheme adopted for solving the technical problems is as follows:
In one aspect, the present invention provides a trusted connector comprising a power module, a processor and a memory; the memory is electrically connected with the processor, and the power module supplies power to the trusted connector. The trusted connector also comprises at least two Ethernet ports: one Ethernet port serves as the control end, is connected with the controlled equipment and is used to control the flow of that equipment; the other Ethernet port serves as the free end, is connected with a router or a switch and is used as the port for external access. A policy module is arranged in the memory and is used to generate flow control rules according to the policy acquired from the zero trust management platform and to control the flow of the controlled device.
Further, the trusted connector also comprises a bypass module, which is connected with the control end and the free end of the network bridge.
In a second aspect, the present invention further provides an industrial flow control system based on zero trust, which includes the trusted connector, and further includes an identity management platform and a zero trust management platform;
The trusted connector is connected with the managed and controlled equipment in series and then is connected to a network;
the identity management platform comprises a blockchain and a distributed digital identity service and is used to assist in establishing an identity verification channel between two trusted connectors, or between a managed and controlled device and its trusted connector;
The zero trust management platform comprises a user management module, a terminal management module, a resource management module, a policy management module and a log module; the user management module is used to uniformly configure and manage the legal users of the system; the resource management module is used to record the currently controlled equipment and the types and quantities of the resources attached to it; the terminal management module is used to record the equipment currently managed and controlled and its state; the policy management module is used by an administrator to configure the flow control function for the managed and controlled equipment; and the log module is used to receive the logs of the terminals.
Furthermore, the trusted connector has two modes, a simulation mode and a safety mode. In the simulation mode the trusted connector only simulates the execution of a policy, and the execution result can be queried in the log module of the zero trust platform; in the safety mode it executes flow control on the controlled equipment, intercepting traffic outside the policy and releasing traffic allowed by the policy.
Further, the policy management module is configured to provide an administrator with the flow control function for the managed and controlled device, where the flow control function specifically covers the target address of the traffic access, the protocol used by the traffic, and which users and resources are permitted access.
In a third aspect, the present invention also provides an industrial traffic control method based on zero trust, including the following steps:
S1, the trusted connector detects downstream equipment at the control end; if downstream equipment is detected, step S2 is started, otherwise step S1 is returned to after waiting for a certain time;
S2, the trusted connector applies to the zero trust management platform for the policy corresponding to the equipment;
S3, the zero trust management platform judges whether a policy corresponding to the equipment exists; if so, step S4 is carried out, otherwise an invalid response is issued to the trusted connector and step S1 is returned to;
S4, the trusted connector acquires the corresponding policy by subscribing to a policy topic;
S5, the trusted connector applies to the identity management platform for the distributed digital identity of the equipment, using the information of the downstream equipment, and the policy module is started;
S6, after the policy module and the distributed digital identity of the trusted connector are initialized successfully, the network bridge is started;
and S7, the trusted connector manages and controls the flow of the downstream equipment according to the acquired policy.
Further, in step S6, the method further includes:
The trusted connector actively reports its state to the zero trust management platform; the reported content comprises: the bridge status of the trusted connector, the IP of the managed and controlled device, the IP of the trusted connector, MAC information, production line information, and distributed digital identity information.
Further, in step S7, the trusted connector manages the flow of the downstream device according to the acquired policy, which specifically includes:
Access control (the managed and controlled device accessing other devices' resources), which specifically comprises the following steps:
When the managed and controlled device sends out a data packet to access another device, the packet is intercepted by the trusted connector, which evaluates whether the accessed resource is within the range required by the policy; if so, the DID (distributed digital identity) is used to apply to the identity management service platform for a VC (verifiable credential), the VC is used to apply for a VP (verifiable presentation), the VP is embedded into a blank field of the protocol data packet, and the packet is then forwarded outwards. The response packet is intercepted by the trusted connector, which first checks whether the VP was issued by the identity management platform and then checks whether the response matches the previous request; if so, the packet is forwarded to the managed and controlled equipment;
Being access-controlled (other users and devices accessing the managed and controlled device), which specifically comprises the following steps:
When another user or device sends out a protocol data packet to access the managed and controlled device, the packet is intercepted by the trusted connector, which first verifies whether the VP was issued by the identity management platform and then evaluates whether the accessed resource is within the range required by the policy; if so, the packet is forwarded to the managed and controlled device. The response packet is intercepted by the trusted connector, which checks whether the response matches the previous request; if so, the DID is used to apply to the identity management platform for a VC, the VC is used to apply for a VP, the VP is embedded into a blank field of the packet, and the packet is then forwarded outwards.
Further, step S7 also includes: during control, the trusted connector sends the flow control records to the zero trust management platform in the form of logs.
The beneficial effects of the invention are as follows:
By using the zero trust architecture and flow control technology, the safety and access of terminal equipment can be controlled by embedding the trusted connector into the system without changing it: the trusted connector is connected in series at the network outlet of the controlled terminal on top of the original system, so that fine-grained control of the equipment's traffic can be realized, the running state of the whole system can be seen clearly through the zero trust back end, and if illegal access records are found in the fed-back log, the source can be located rapidly.
Drawings
FIG. 1 is a schematic diagram of a trusted connector in an embodiment;
FIG. 2 is a schematic diagram of an industrial flow control system architecture based on zero trust in an embodiment;
FIG. 3 is a flow chart of an industrial flow control method based on zero trust in an embodiment.
Detailed Description
The invention aims to provide a trusted connector, an industrial flow control system and a method based on zero trust, and to solve the problems of the prior art that terminal equipment in an industrial system is trusted too highly, that the terminal lacks protection, and that safety risks exist. The invention is based on the zero trust architecture; it can embed the trusted connector into the existing system in the form of a network bridge without changing the original system, and realizes flow access control for the relevant terminal equipment of the current system, including access control of both outgoing and incoming traffic, thereby improving the safety of the equipment. The management and control log is uploaded to the zero trust management platform during access control, which facilitates remote management by maintenance personnel and rapid, accurate location of abnormal traffic.
Examples:
The structure of the trusted connector (hereinafter abbreviated as TC) provided in this embodiment is shown in FIG. 1 and includes the necessary power module, a memory module, a CPU and the necessary hardware interfaces (network ports, USB, etc.). Every device that needs to be managed must be connected in series with a TC before it is reconnected to the network. As the direct traffic manager, the TC needs a function like Linux netfilter, which can forward, monitor and process network traffic; at the same time the TC can detect which devices are on the serial link.
Trusted connector hardware description: the TC has at least two Ethernet ports, two ports being the basic requirement for creating a bridge. The two ports are named the control end and the free end; the control end must be connected with the device to be controlled, so as to control the flow of that device, and the free end is the port through which a router or switch provides external access.
The trusted connector also has a hardware bypass function: in the event of equipment failure or power failure a relay is triggered to activate the hardware bypass, so that normal operation of the original system is ensured even under such extreme conditions.
The TC in this embodiment has two modes, simulation and safety. In the simulation mode the TC simulates the execution of the policy, and the execution result can be queried in the log module of the zero trust platform. The safety mode is the mode in which control is enabled: flow control is started, traffic outside the policy is intercepted, and traffic allowed by the policy module is released. The mode of the TC can be set under zero trust terminal management.
Deploying a TC only requires connecting it in series with the managed and controlled equipment; no other manual operation is needed, and the TC does not affect the original services of the system whatever state it is in. Notably, the TC can be set to the simulation mode in advance; after the policy is configured, the execution log of the TC can be checked on the zero trust platform, and once the TC behaves as expected it is switched to the safety mode, which ensures that the system's services keep operating.
Based on the TC, the structure of the industrial flow control system based on zero trust provided in this embodiment is shown in FIG. 2, and includes the TC, an identity management platform and a zero trust management platform. The core functions of the TC comprise all functions of a network bridge plus the function of intercepting and analyzing the bridge's traffic. The identity management platform runs on a blockchain network according to the standard DID (a DID is a specific character string representing an entity identity, with the characteristics of decentralization, global uniqueness, verifiability and resolvability; DID application and VC and VP issuance all follow the DID standard), performing DID creation and VC and VP issuance, and the traffic allowed by the TC is verified by the identity management platform. The TC obtains the policy corresponding to the device from the zero trust management platform; the policy generally includes the target IP addresses that the managed device is allowed to access and, where a communication protocol is involved, may limit which protocols may be used to access a target IP. The log managed by the TC can also be queried to see which device (IP) is currently accessing the managed device with which protocol, or which protocol the managed device is currently using to access other devices.
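The text above says the TC needs a netfilter-like function and that a policy names the target IP addresses and protocols the managed device may use. As an added example (not the patent's or the assignee's code), the Python below renders such a policy as a bridge-family nftables ruleset for the TC's forward hook: default drop in safety mode with only the policy's traffic and its return path accepted, and default accept with counters only in simulation mode. The interface names, the policy layout and the protocol-to-port map are assumptions; the identity (VP) check the text describes cannot be expressed in these rules and stays in the policy module.

```python
from typing import Dict, List, Tuple

# Constructed protocol-name -> (L4 protocol, port) map; the page names protocols only abstractly
PROTO_PORTS: Dict[str, Tuple[str, int]] = {"modbus": ("tcp", 502), "opcua": ("tcp", 4840), "ssh": ("tcp", 22)}


def _l4(proto: str) -> Tuple[str, int]:
    if proto not in PROTO_PORTS:
        raise ValueError(f"no port mapping for protocol {proto!r}")  # refuse rather than guess a port
    return PROTO_PORTS[proto]


def policy_to_nft(device_ip: str, policy: Dict[str, List[dict]], mode: str = "safety",
                  ctl_if: str = "eth0", free_if: str = "eth1") -> str:
    """Render a pulled policy as a bridge-family nftables ruleset on the TC's forward hook.
    Safety mode: default drop; only policy traffic and its return path is accepted.
    Simulation mode: default accept; the same rules only count what would pass or drop."""
    default = "drop" if mode == "safety" else "accept"
    lines = ["table bridge tc_policy {", "    chain forward {",
             f"        type filter hook forward priority 0; policy {default};"]
    for rule in policy.get("outbound", []):   # managed device -> allowed target, plus the reply path
        l4, port = _l4(rule["proto"])
        lines.append(f'        iifname "{ctl_if}" ip saddr {device_ip} ip daddr {rule["ip"]} '
                     f'{l4} dport {port} counter accept')
        lines.append(f'        iifname "{free_if}" ip saddr {rule["ip"]} ip daddr {device_ip} '
                     f'{l4} sport {port} counter accept')
    for rule in policy.get("inbound", []):    # allowed user/device -> managed device, plus the reply path
        l4, port = _l4(rule["proto"])
        lines.append(f'        iifname "{free_if}" ip saddr {rule["ip"]} ip daddr {device_ip} '
                     f'{l4} dport {port} counter accept')
        lines.append(f'        iifname "{ctl_if}" ip saddr {device_ip} ip daddr {rule["ip"]} '
                     f'{l4} sport {port} counter accept')
    lines += [f"        counter {default}", "    }", "}"]  # everything else is counted, then the default verdict
    return "\n".join(lines)


if __name__ == "__main__":
    # constructed policy for a PLC at 10.0.0.5: it may talk Modbus to 10.0.0.20, and 10.0.0.30 may SSH in
    print(policy_to_nft("10.0.0.5", {"outbound": [{"ip": "10.0.0.20", "proto": "modbus"}],
                                     "inbound": [{"ip": "10.0.0.30", "proto": "ssh"}]}))
```

The rendered text can be loaded with `nft -f`. The return-path rules exist because the ruleset deliberately does not rely on connection tracking; a policy that lists a protocol without a known port raises rather than silently emitting a rule that would pass everything.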
The identity management platform and the zero trust management platform are described as follows:
(1) An identity management platform:
The identity management platform is mainly used to help establish an identity verification channel between TCs, or between a device and its TC. It mainly comprises a blockchain and a DID (distributed digital identity) service, and its main functions are creating a DID, issuing a VC (verifiable credential) and issuing a VP (verifiable presentation). To use these functions, the identity template configured in advance by the administrator must be satisfied: the device requesting an identity needs to supply the information required by the corresponding identity template in order to obtain a VC.
(2) Zero trust management platform:
The zero trust management platform is the core component for system management and control and has the highest authority; it has the functions of user management, terminal management, resource management, policy management and a log module. User management is the unified configuration and management of the system's legal users, which amounts to specifying the resources that users are permitted to access. Resource management records the types and quantities of the resources attached to the currently controlled equipment. Terminal management records the equipment currently managed and controlled and its state. Policy management allows an administrator to configure the control of a device's traffic, in particular the target address of the traffic access, the protocol used by the traffic, and which users and resources are permitted access; policy management is the core function of flow control. The log module is mainly used to receive the logs of the terminals.
In practical application, before the system is deployed, the system's resources, the terminal equipment to be managed and controlled, the corresponding list of resources to be used, the legal users and other information need to be sorted out. Once the system information has been sorted out, an identity template for the identity management service can be configured. Applying for a DID requires no specific conditions, but equipment that needs the identity management service must provide identity information satisfying the identity template when applying for a VC, for example: the production line the equipment is located on, the equipment name, the equipment number, the equipment provider, information about the equipment's managing TC, the equipment state and so on. A VC is issued to an identity service application that meets the conditions; once the VC is available, a VP can be requested from the identity service, and the VP serves as a valid certificate for communication.
Next, the zero trust service is configured, including: the legal user information of the user management module, mainly expressed as the IP of the user, which can also be a network segment, so that all IPs of that segment are legal; the device list of the zero trust terminal management module, which lists all online TCs; and the resource list of the zero trust resource management module. The policy management module issues the policy of each managed device in subscription form, similar to MQTT, so a device that wants to update its policy has to subscribe to the related policy topic, and the zero trust service has to configure a policy topic for every managed device. After the cloud service is configured, the TC can be deployed into the system.
In addition, some initialization information, including the production line information, the device name, the cloud server address, etc., needs to be configured locally on the TC, so that the TC can use the cloud services.
During the initialization phase the TC intercepts all traffic and the bridge is not created. During deployment it must first be ensured that the Ethernet port of the control end is connected to the device to be managed and controlled, because the source IP in the traffic of the control end is taken as the primary information identifying the device to be managed and controlled; the correctness of the hardware connection is therefore very important.
The flow of the industrial flow control method based on zero trust in this embodiment is shown in FIG. 3 and includes the following steps:
1. If the TC detects no equipment at the control end, it remains in the detection state and does not start the network bridge; if it detects equipment at the control end, it saves the equipment's information locally as the core parameters of the equipment. The TC then applies to the zero trust service for the policy corresponding to the equipment. If the zero trust service has a policy for the equipment, it responds with the topic corresponding to the equipment, and the TC obtains the policy after subscribing to that topic; if no policy for the device exists, the zero trust service returns an invalid response, and the TC stays in the detection state, without starting the bridge, until a new device is detected.
2. After the TC has pulled the policy, it uses the core parameters as the main parameters to apply to the identity management platform for the device's DID, then starts the policy module. Once the policy module and the DID have been initialized successfully, the TC starts the network bridge. The policy module screens the bridge's traffic, and only traffic conforming to the policy module's rules can pass. With this the initial deployment of the TC is complete.
3. After deployment the TC must go online with the zero trust platform. Going online means the TC actively reports its state; after a successful report the TC's state information can be queried in the zero trust terminal management module. The reported content comprises the bridge state of the TC, the IP of the managed and controlled equipment, the MAC information of the TC, the production line information, the DID information and so on, which facilitates remote management by maintenance personnel.
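Steps 1 to 3 above (and S1 to S7 in the summary) describe the bring-up state machine of a TC. The following Python is an added illustration, not code from the patent or its assignee: a TC object that stays in detection until a device appears on the control end, requests the policy topic, subscribes, obtains a DID, and only then starts the bridge and reports its state. The platform classes, the DID string format, and the frame and policy layouts are all constructed stand-ins.

```python
import hashlib
from typing import Dict, List, Optional


class ZeroTrustPlatform:
    """Policy management publishes one policy topic per managed device (MQTT-like);
    terminal management stores the state each TC reports. Constructed stand-in."""

    def __init__(self, policies: Dict[str, dict]):
        self.policies = policies              # device IP -> policy document
        self.terminals: Dict[str, dict] = {}  # TC id -> last reported state

    def request_policy(self, device_ip: str) -> Optional[str]:
        # S3: answer with the device's topic, or an invalid response (None) if no policy exists
        return f"policy/{device_ip}" if device_ip in self.policies else None

    def subscribe(self, topic: str) -> dict:
        # S4: the TC pulls the current policy from the topic it subscribed to
        return self.policies[topic.split("/", 1)[1]]

    def report_state(self, tc_id: str, state: dict) -> None:
        # S6: the TC's state report lands in the terminal management module
        self.terminals[tc_id] = state


class IdentityPlatform:
    """DID creation needs no special conditions per the text; the DID format is an assumption."""

    def __init__(self):
        self.dids: Dict[str, dict] = {}

    def create_did(self, core_params: dict) -> str:
        digest = hashlib.sha256(repr(sorted(core_params.items())).encode()).hexdigest()[:16]
        did = f"did:example:{digest}"
        self.dids[did] = core_params
        return did


class TrustedConnector:
    def __init__(self, tc_id: str, tc_mac: str, line: str,
                 zt: ZeroTrustPlatform, idp: IdentityPlatform):
        self.tc_id, self.tc_mac, self.line, self.zt, self.idp = tc_id, tc_mac, line, zt, idp
        self.state = "DETECTING"  # S1: bridge down, all traffic intercepted
        self.bridge_up = False
        self.device_ip: Optional[str] = None
        self.policy: Optional[dict] = None
        self.did: Optional[str] = None

    def detect_device(self, control_port_frames: List[dict]) -> Optional[str]:
        # S1: the source IP seen on the control-end port identifies the managed device
        return control_port_frames[0]["src"] if control_port_frames else None

    def bring_up(self, control_port_frames: List[dict]) -> str:
        device_ip = self.detect_device(control_port_frames)
        if device_ip is None:
            return self.state                          # stay in S1: wait and probe again
        self.device_ip = device_ip                     # saved locally as the core parameter
        topic = self.zt.request_policy(device_ip)      # S2
        if topic is None:
            return self.state                          # S3: invalid response, back to S1
        self.policy = self.zt.subscribe(topic)         # S4
        core = {"device_ip": device_ip, "line": self.line, "tc": self.tc_id}
        self.did = self.idp.create_did(core)           # S5: DID for the device
        policy_module_ready = self.policy is not None  # S5: the policy module starts from the policy
        if policy_module_ready and self.did:           # S6: both initialised -> start the bridge
            self.bridge_up = True
            self.zt.report_state(self.tc_id, {
                "bridge": "up", "device_ip": device_ip, "tc_mac": self.tc_mac,
                "line": self.line, "did": self.did})
            self.state = "CONTROLLING"                 # S7: enforce the policy from now on
        return self.state


def demo() -> Dict[str, str]:
    """Three constructed bring-up cases: no device, a device without a policy, a device with one."""
    zt = ZeroTrustPlatform({"10.0.0.5": {"outbound": [{"ip": "10.0.0.20", "proto": "modbus"}]}})
    tc = TrustedConnector("tc-01", "02:00:00:00:00:01", "line-A", zt, IdentityPlatform())
    return {"no_device": tc.bring_up([]),
            "no_policy": tc.bring_up([{"src": "10.0.0.9"}]),
            "ok": tc.bring_up([{"src": "10.0.0.5"}])}


if __name__ == "__main__":
    print(demo())
```

The bridge flag only flips after both the policy and the DID exist, which is the property the text relies on: a device the platform does not know stays isolated rather than being bridged through with no rules.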
4. Next, the TC manages the traffic according to the pulled policy. For authentication, a VP indicating identity must be embedded in the protocol for the TC to manage the traffic, and management is divided into accessing and being accessed:
Accessing: the managed and controlled equipment accesses other equipment's resources;
First, the managed and controlled device sends out a data packet to access another device. After the packet is intercepted by the TC, the TC evaluates whether the accessed resource is within the range required by the policy; if so, the DID is used to apply to the identity management service for a VC, the VC is used to apply for a VP, the VP is embedded into a blank field of the protocol data packet, and the packet is then forwarded. The response packet is likewise intercepted by the TC, which first checks whether the identity (VP) was issued by the identity management platform and then checks whether the response matches the previous request; if so, the response is forwarded to the managed and controlled device.
Being accessed: the resources of the managed and controlled equipment are accessed by other users and equipment;
First, another user or device sends out a protocol data packet to access the managed and controlled device. After the packet is intercepted by the TC, the TC first verifies whether the VP was issued by the identity management service, then evaluates whether the accessed resource is within the range required by the policy; if so, it forwards the packet to the managed and controlled device. The response packet is intercepted by the TC, which checks whether the response matches the previous request; if so, the DID is used to apply to the identity management service for a VC, the VC is used to apply for a VP, the VP is embedded into a blank field of the packet, and the packet is forwarded.
5. During control the TC sends the flow control records to the terminal management module of the zero trust service in the form of logs, so that the policy of the equipment can be changed through the zero trust service, the state and control records of each piece of equipment can be seen clearly, and maintenance personnel can control the TC remotely.
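Steps 4 and 5 above describe how the policy module handles the four packet kinds (outbound request, inbound response, inbound request, outbound response), the DID to VC to VP chain, response matching and logging. The Python below is an added example, not the patent's or the assignee's implementation: the identity service is a constructed stand-in that signs credentials with an HMAC (an assumption; the blockchain-backed DID service of the text is not modelled), packets are dicts with a spare "vp" field, and the simulation/safety mode switch is implemented as log-only versus intercept.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

PLATFORM_KEY = b"constructed-identity-platform-key"  # hypothetical signing key of the identity platform

def _sign(obj: dict) -> str:
    body = json.dumps({k: v for k, v in obj.items() if k != "sig"}, sort_keys=True).encode()
    return hmac.new(PLATFORM_KEY, body, hashlib.sha256).hexdigest()

class IdentityService:
    """Issues a VC for a DID whose identity info satisfies the identity template, a VP for a valid VC,
    and verifies VPs it issued. Constructed stand-in, not a W3C DID/VC implementation."""

    def __init__(self, template_fields: List[str]):
        self.template = set(template_fields)

    def issue_vc(self, did: str, info: dict) -> Optional[dict]:
        if not self.template <= set(info):   # identity template not satisfied: no VC
            return None
        vc = {"did": did, "claims": info}
        vc["sig"] = _sign(vc)
        return vc

    def issue_vp(self, vc: Optional[dict], req_id: str) -> Optional[dict]:
        if not vc or not hmac.compare_digest(str(vc.get("sig", "")), _sign(vc)):
            return None
        vp = {"did": vc["did"], "req": req_id}
        vp["sig"] = _sign(vp)
        return vp

    def verify_vp(self, vp) -> bool:
        return isinstance(vp, dict) and hmac.compare_digest(str(vp.get("sig", "")), _sign(vp))

class PolicyModule:
    """TC policy module: screens bridge traffic in both directions and logs every verdict."""

    def __init__(self, device_ip, did, info, policy, idp: IdentityService, mode="safety"):
        self.device_ip, self.did, self.info, self.policy, self.idp, self.mode = (
            device_ip, did, info, policy, idp, mode)
        self.pending: Dict[str, Tuple[str, str]] = {}  # req_id -> (peer IP, protocol) awaiting a reply
        self.log: List[str] = []

    def _permitted(self, direction, peer, proto) -> bool:
        return any(r["ip"] == peer and r["proto"] == proto for r in self.policy.get(direction, []))

    def _decide(self, pkt, ok, why) -> Optional[dict]:
        # Safety mode intercepts a failed packet; simulation mode forwards it but records the verdict
        verdict = "pass" if ok else ("drop" if self.mode == "safety" else "would-drop")
        self.log.append(f"{verdict} {pkt['src']}->{pkt['dst']} {pkt['proto']} {pkt['kind']}: {why}")
        return pkt if ok or self.mode == "simulation" else None

    def _attach_vp(self, pkt) -> Optional[dict]:
        # DID -> VC -> VP, then embed the VP in the packet's spare field
        vp = self.idp.issue_vp(self.idp.issue_vc(self.did, self.info), pkt["req_id"])
        return None if vp is None else {**pkt, "vp": vp}

    def handle(self, pkt: dict) -> Optional[dict]:
        outbound = pkt["src"] == self.device_ip  # frame arrived on the control-end port
        if outbound and pkt["kind"] == "request":             # accessing
            if not self._permitted("outbound", pkt["dst"], pkt["proto"]):
                return self._decide(pkt, False, "target outside policy")
            out = self._attach_vp(pkt)
            if out is None:
                return self._decide(pkt, False, "no VP issued")
            self.pending[pkt["req_id"]] = (pkt["dst"], pkt["proto"])
            return self._decide(out, True, "VP embedded")
        if not outbound and pkt["kind"] == "response":        # reply to our request
            if not self.idp.verify_vp(pkt.get("vp")):
                return self._decide(pkt, False, "VP not issued by identity platform")
            if self.pending.pop(pkt["req_id"], None) != (pkt["src"], pkt["proto"]):
                return self._decide(pkt, False, "no matching pending request")
            return self._decide(pkt, True, "response matched")
        if not outbound and pkt["kind"] == "request":         # being accessed
            if not self.idp.verify_vp(pkt.get("vp")):
                return self._decide(pkt, False, "VP not issued by identity platform")
            if not self._permitted("inbound", pkt["src"], pkt["proto"]):
                return self._decide(pkt, False, "requester outside policy")
            self.pending[pkt["req_id"]] = (pkt["src"], pkt["proto"])
            return self._decide(pkt, True, "inbound request allowed")
        # outbound response to an accepted inbound request: match first, then attach our VP
        if self.pending.pop(pkt["req_id"], None) != (pkt["dst"], pkt["proto"]):
            return self._decide(pkt, False, "no matching pending request")
        out = self._attach_vp(pkt)
        return self._decide(pkt, False, "no VP issued") if out is None else self._decide(out, True, "VP embedded")

def run_demo(mode="safety") -> Tuple[List[bool], List[str]]:
    """Constructed traffic: an allowed request and its reply, a request outside policy, and an
    inbound request with a forged VP. Returns (forwarded? per packet, the TC's log)."""
    idp = IdentityService(["line", "name", "number"])
    plc = PolicyModule("10.0.0.5", "did:example:plc-a", {"line": "A", "name": "PLC-A", "number": "0001"},
                       {"outbound": [{"ip": "10.0.0.20", "proto": "modbus"}],
                        "inbound": [{"ip": "10.0.0.30", "proto": "ssh"}]}, idp, mode)
    peer_vp = idp.issue_vp(idp.issue_vc("did:example:hmi", {"line": "A", "name": "HMI", "number": "0002"}), "r1")
    packets = [
        {"src": "10.0.0.5", "dst": "10.0.0.20", "proto": "modbus", "kind": "request", "req_id": "r1"},
        {"src": "10.0.0.20", "dst": "10.0.0.5", "proto": "modbus", "kind": "response", "req_id": "r1", "vp": peer_vp},
        {"src": "10.0.0.5", "dst": "203.0.113.9", "proto": "http", "kind": "request", "req_id": "r2"},
        {"src": "10.0.0.30", "dst": "10.0.0.5", "proto": "ssh", "kind": "request", "req_id": "r3",
         "vp": {"did": "did:example:forged", "req": "r3", "sig": "00"}},
    ]
    return [plc.handle(p) is not None for p in packets], plc.log
```

Running `run_demo("safety")` forwards only the first two packets; `run_demo("simulation")` forwards all four but the log records the two that would have been dropped, which is exactly what the text suggests checking on the zero trust platform before switching a TC to the safety mode. The order of checks follows the text: VP validity before policy on the inbound side, policy before VP issuance on the outbound side.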
Finally, it should be noted that the above examples are only preferred embodiments and are not intended to limit the invention. Modifications, equivalents, improvements and the like made by those skilled in the art without departing from the spirit of the invention and the scope of the claims are intended to be included within the scope of the invention.

Claims (8)

1. A trusted connector comprising: a power module, a processor and a memory; the memory is electrically connected with the processor; the power module supplies power to the trusted connector; characterized in that
the trusted connector also comprises a bypass module and at least two Ethernet ports, wherein one Ethernet port serves as the control end, is connected with the controlled equipment and is used to control the flow of that equipment; the other Ethernet port serves as the free end, is connected with a router or a switch and is used as the port for external access; and the bypass module is connected with the control end and the free end;
the memory is provided with a policy module, which is used to generate flow control rules according to the policy acquired from the zero trust management platform and to control the flow of the controlled device, and which specifically comprises the following steps:
access control (the managed and controlled device accessing other devices' resources), which specifically comprises the following steps:
when the managed and controlled device sends out a data packet to access another device, the packet is intercepted by the trusted connector, which evaluates whether the accessed resource is within the range required by the policy; if so, the DID is used to apply to the identity management service platform for a VC, the VC is used to apply for a VP, the VP is embedded into a blank field of the protocol data packet, and the packet is then forwarded outwards; the response packet is intercepted by the trusted connector, which first checks whether the VP was issued by the identity management platform and then checks whether the response matches the previous request; if so, the packet is forwarded to the managed and controlled equipment;
being access-controlled (other users and devices accessing the managed and controlled device), which specifically comprises the following steps:
when another user or device sends out a protocol data packet to access the managed and controlled device, the packet is intercepted by the trusted connector, which first verifies whether the VP was issued by the identity management platform and then evaluates whether the accessed resource is within the range required by the policy; if so, the packet is forwarded to the managed and controlled device; the response packet is intercepted by the trusted connector, which checks whether the response matches the previous request; if so, the DID is used to apply to the identity management platform for a VC, the VC is used to apply for a VP, the VP is embedded into a blank field of the packet, and the packet is then forwarded outwards.
2. An industrial flow control system based on zero trust, comprising the trusted connector of claim 1, further comprising an identity management platform and a zero trust management platform;
The trusted connector is connected with the managed and controlled equipment in series and then is connected to a network;
the identity management platform comprises a blockchain and a distributed digital identity service and is used to assist in establishing an identity verification channel between two trusted connectors, or between a managed and controlled device and its trusted connector;
the zero trust management platform comprises a user management module, a terminal management module, a resource management module, a policy management module and a log module; the user management module is used to uniformly configure and manage the legal users of the system; the resource management module is used to record the currently controlled equipment and the types and quantities of the resources attached to it; the terminal management module is used to record the equipment currently managed and controlled and its state; the policy management module is used by an administrator to configure the flow control function for the managed and controlled equipment; and the log module is used to receive the logs of the terminals.
3. The industrial flow control system based on zero trust of claim 2, wherein
the trusted connector has two modes, a simulation mode and a safety mode; in the simulation mode the trusted connector simulates the execution of a policy, and the execution result can be queried in the log module of the zero trust platform; and in the safety mode it executes flow control on the controlled equipment, intercepting traffic outside the policy and releasing traffic allowed by the policy.
4. The industrial flow control system based on zero trust of claim 2, wherein the policy management module is configured for an administrator to configure the flow control function for the controlled device, and the flow control function specifically includes the destination address of the traffic access, the protocol used by the traffic, and which users and resources are permitted access.
5. A zero-trust-based industrial flow control method applied to the zero-trust-based industrial flow control system as claimed in any one of claims 2 to 4, characterized in that the method comprises the following steps:
S1, the trusted connector detects the downstream device on its managed side; if a downstream device is detected, step S2 is entered, otherwise it waits for a certain time and returns to step S1;
S2, the trusted connector applies to the zero trust management platform for the policy corresponding to the device;
S3, the zero trust management platform judges whether a policy corresponding to the device exists; if so, step S4 is entered, otherwise an invalid response is issued to the trusted connector and step S1 is returned to;
S4, the trusted connector obtains the corresponding policy by subscribing to a policy topic;
S5, the trusted connector uses the information of the downstream device to apply to the identity management platform for a distributed digital identity for the device, and the policy module is started;
S6, after the policy module and the trusted connector's distributed digital identity are successfully initialized, the network bridge is started;
and S7, the trusted connector manages the flow of the downstream device according to the obtained corresponding policy.
6. A zero trust based industrial flow management method as defined in claim 5, wherein
step S6 further comprises:
the trusted connector actively reports its state to the zero trust management platform, the reported content comprising: the bridge status of the trusted connector, the IP of the managed device, the IP of the trusted connector, MAC information, line information, and distributed digital identity information.
7. A zero trust based industrial flow management method as defined in claim 5, wherein
in step S7, the trusted connector manages the flow of the downstream device according to the obtained corresponding policy, which specifically comprises:
access control, that is, control of the managed device's access to the resources of other devices, comprising the following steps:
when the managed device sends a data packet to access another device, the trusted connector intercepts it and evaluates whether the accessed resource is within the scope of the policy; if so, it uses the DID to apply to the identity management platform for a VC, uses the VC to apply for a VP, embeds the VP in a blank field of the protocol data packet, and forwards the packet outward; the response packet is intercepted by the trusted connector, which first checks whether the embedded VP was issued by the identity management platform, then checks whether the response matches the earlier request, and if so forwards the packet to the managed device;
being access-controlled, that is, control of other users' and devices' access to the managed device, comprising the following steps:
when another user or device sends a protocol data packet to access the managed device, the trusted connector intercepts it, first verifies that the embedded VP was issued by the identity management platform, then evaluates whether the accessed resource is within the scope of the policy, and if so forwards the packet to the managed device; the response packet is intercepted by the trusted connector, which checks whether the response matches the earlier request, and if so uses the DID to apply to the identity management platform for a VC, uses the VC to apply for a VP, embeds the VP in a blank field of the packet, and forwards the packet outward.
8. A zero trust based industrial flow management method as defined in claim 5, wherein
step S7 further comprises: during control, the trusted connector sends the flow control records to the zero trust management platform in the form of logs.
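The two traffic directions of claim 7, together with the rule shape of claim 4, the simulation and safety modes of claim 3 and the decision log of claim 8, as an added illustrative model; this is not the patent's or the applicant's code. It assumes the identity management platform can be stood in for by an HMAC signer and that the VP travels as a packet field; the rule and packet field names (dst, proto, users, resources, id, vp), the DIDs and the addresses are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for the identity management platform: a VP is an HMAC over
# (DID, resource) under a key the connector trusts. Assumption; not the patent's DID/VC format.
PLATFORM_KEY = b"constructed-platform-key"

def issue_vp(did, resource):
    """Toy 'apply for a VC with the DID, then a VP with the VC', collapsed into one call."""
    sig = hmac.new(PLATFORM_KEY, f"{did}|{resource}".encode(), hashlib.sha256).hexdigest()
    return {"did": did, "resource": resource, "sig": sig}

def vp_issued_by_platform(vp):
    """Was the VP embedded in the packet's blank field issued by the platform?"""
    vp = vp if isinstance(vp, dict) else {}
    expected = issue_vp(vp.get("did", ""), vp.get("resource", ""))["sig"]
    return hmac.compare_digest(expected, str(vp.get("sig", "")))

class TrustedConnector:
    def __init__(self, device_did, rules, mode="safety"):
        self.device_did, self.rules, self.mode = device_did, rules, mode
        self.pending = {}  # request id -> request, so responses can be matched (claim 7)
        self.log = []      # decisions, as the log module of claim 8 would receive them

    def _in_policy(self, pkt, did):  # claim 4: destination, protocol, users, resources
        return any(r["dst"] == pkt["dst"] and r["proto"] == pkt["proto"]
                   and did in r["users"] and pkt["resource"] in r["resources"]
                   for r in self.rules)

    def _pass(self, allowed, why):
        self.log.append((why, "allow" if allowed else "deny"))
        return allowed or self.mode == "simulation"  # claim 3: simulation only records

    def request(self, pkt, inbound):
        """Inbound: VP origin, then policy. Outbound: policy, then embed the device's VP."""
        did = (pkt.get("vp") or {}).get("did") if inbound else self.device_did
        vp_ok = not inbound or vp_issued_by_platform(pkt.get("vp"))
        if not self._pass(vp_ok and self._in_policy(pkt, did), "req-in" if inbound else "req-out"):
            return None
        self.pending[pkt["id"]] = pkt
        return pkt if inbound else dict(pkt, vp=issue_vp(self.device_did, pkt["resource"]))

    def response(self, pkt, inbound):
        """Must match a pending request; inbound VP origin is checked first, outbound gets a VP."""
        vp_ok = not inbound or vp_issued_by_platform(pkt.get("vp"))
        req = self.pending.pop(pkt["id"], None) if vp_ok else None
        if not self._pass(req is not None, "resp-in" if inbound else "resp-out"):
            return None
        return pkt if inbound else dict(pkt, vp=issue_vp(self.device_did, (req or pkt).get("resource", "")))
```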
CN202211618132.1A 2022-12-15 2022-12-15 Trusted connector, industrial flow control system and method based on zero trust Active CN116015804B (en)


Publications (2)

Publication Number Publication Date
CN116015804A CN116015804A (en) 2023-04-25
CN116015804B true CN116015804B (en) 2024-05-28




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant