CN116192460A - Traffic forwarding method and device, storage medium and electronic equipment - Google Patents


Info

Publication number
CN116192460A
Authority
CN
China
Prior art keywords
target
information
browser
access request
transponder
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211728673.XA
Other languages
Chinese (zh)
Inventor
韦明豪
蒙斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by China Telecom Corp Ltd
Priority to CN202211728673.XA
Publication of CN116192460A
Legal status: Pending

Classifications (CPC; all under H04L63/00, network architectures or network communication protocols for network security)

    • H04L63/0807 Authentication of entities using tickets, e.g. Kerberos
    • H04L63/0428 Confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/062 Key management in a packet data network: key distribution, e.g. centrally by a trusted party
    • H04L63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/101 Controlling access to devices or network resources: access control lists [ACL]
    • H04L63/105 Controlling access to devices or network resources: multiple levels of security
    • H04L63/18 Using different networks or channels, e.g. out-of-band channels

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a traffic forwarding method, a traffic forwarding device, a storage medium and an electronic device. The method comprises the following steps: receiving a first access request initiated by a target object, where the first access request includes at least the account information of the target object; determining whether the source of the first access request is a target browser, and verifying the account information only when the source is the target browser; and, when the account information passes verification, selecting a target forwarder from a plurality of forwarders and sending the address information of the target forwarder to the target browser, so that the target forwarder receives the service request traffic sent by the target browser and forwards it to the target service system when that traffic meets a preset condition. The invention addresses the technical problem that, in the prior art, enterprise assets are protected to a lower degree when VPN technology is used for traffic forwarding.

Description

Traffic forwarding method and device, storage medium and electronic equipment
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a traffic forwarding method, a traffic forwarding device, a storage medium, and an electronic device.
Background
Operator networks are large and complex, comprising many service systems with different functions in different service domains. During operation these business systems face network security risks such as 0-day attacks, advanced persistent threats (APT) and social engineering attacks.
Currently, operators commonly combine VPN technology with whitelisting to protect enterprise assets (e.g., business systems) from the above risks. However, conventional VPN technology brings other risks of its own. For example, because VPN clients are generic, an attacker can use the same generic client to mount password brute-force attacks; because the TCP port of the VPN server listens continuously, it is exposed to attacks on TLS vulnerabilities and to DDoS attacks; and because the VPN virtual network card captures the traffic of every process, traffic generated by a hacking tool can also reach the service system through the VPN tunnel. Forwarding traffic over a VPN therefore protects enterprise assets to a lower degree.
No effective solution to the above problems has been proposed so far.
Disclosure of Invention
Embodiments of the invention provide a traffic forwarding method, a traffic forwarding device, a storage medium and an electronic device, which at least address the technical problem that enterprise assets are protected to a lower degree when VPN technology is used for traffic forwarding in the prior art.
According to one aspect of an embodiment of the present invention, a traffic forwarding method is provided, including: receiving a first access request initiated by a target object, where the first access request includes at least the account information of the target object; determining whether the source of the first access request is a target browser, and verifying the account information only when the source is the target browser; and, when the account information passes verification, selecting a target forwarder from a plurality of forwarders and sending the address information of the target forwarder to the target browser, so that the target forwarder receives the service request traffic sent by the target browser and forwards it to the target service system when that traffic meets a preset condition.
Further, the traffic forwarding method includes: detecting whether the first access request contains the identifier of the target browser; when it does, determining that the source of the first access request is the target browser.
Further, the traffic forwarding method includes: comparing the account information with the account information held in the database of an identity management system to obtain a comparison result, where the identity management system manages the accounts that access the target service system and the comparison result indicates whether the account information passes verification.
Further, the traffic forwarding method includes: acquiring operation information of the plurality of forwarders, where the operation information characterizes their performance; and determining the target forwarder from the plurality of forwarders on the basis of that operation information.
Further, the traffic forwarding method includes: when the account information passes verification, acquiring the authority information and the target key corresponding to the account information, where the authority information indicates whether the target object is allowed to access the target service system and the target key is used to encrypt the service request traffic; and sending the authority information and the target key to the target forwarder.
Further, the traffic forwarding method includes: before the address information of the target forwarder is sent to the target browser, receiving first SMS verification information sent by the identity management system; receiving a second access request initiated by the target object, which includes at least second SMS verification information; comparing the first SMS verification information with the second, and sending the address information of the target forwarder to the target browser only when the two are consistent.
Further, the traffic forwarding method includes: after the address information of the target forwarder has been sent to the target browser, the target forwarder receives the service response traffic sent by the target service system and forwards it to the target browser.
According to another aspect of an embodiment of the present invention, a traffic forwarding device is also provided, including: a receiving module for receiving a first access request initiated by a target object, where the first access request includes at least the account information of the target object; a determining module for determining whether the source of the first access request is a target browser, and for verifying the account information when the source is the target browser; and a sending module for selecting, when the account information passes verification, a target forwarder from a plurality of forwarders and sending its address information to the target browser, so that the target forwarder receives the service request traffic sent by the target browser and forwards it to the target service system when that traffic meets a preset condition.
According to another aspect of the embodiments of the present invention, there is also provided a computer readable storage medium having a computer program stored therein, wherein the computer program is configured to perform the above-described traffic forwarding method when run.
According to another aspect of an embodiment of the present invention, an electronic device is also provided, including one or more processors and a memory storing one or more programs which, when executed by the one or more processors, cause the processors to perform the traffic forwarding method described above.
In the embodiment of the invention, a dedicated browser is used for trust negotiation and traffic is forwarded through a relay forwarder. A first access request initiated by a target object is received first; it is then determined whether the source of the first access request is the target browser; when it is, the account information is verified; when the account information passes verification, a target forwarder is selected from a plurality of forwarders and its address information is sent to the target browser, so that the target forwarder receives the service request traffic sent by the target browser and forwards it to the target service system when that traffic meets the preset conditions. The first access request includes at least the account information of the target object.
In this process, receiving the first access request provides the data on which the source of the request is subsequently determined. Determining whether the source is the target browser implements a validity check of the browser, and a TCP connection is allowed only after that check passes; compared with the prior art, where the TCP port of the VPN server listens continuously, this avoids remote attack risks such as attacks on TLS vulnerabilities and DDoS attacks. Verifying the account information only when the source is the target browser, and relying on the dedicated browser for trust negotiation and secure relay forwarding, means that, unlike the prior art, an attacker cannot use a generic client to mount password brute-force attacks. Selecting a target forwarder once the account information is verified, sending its address to the target browser, and having the forwarder pass on the service request traffic to the target service system only when that traffic meets the preset conditions contracts the exposure surface of the asset onto a secure relay forwarding channel, reducing the enterprise's exposed attack surface and raising the degree to which enterprise assets are protected.
Therefore, through the technical scheme of the invention, trust negotiation through the dedicated browser and traffic forwarding through the relay forwarder are achieved, comprehensive vulnerability protection of enterprise assets is realized, the degree of protection of enterprise assets is improved, and the technical problem that enterprise assets are protected to a lower degree when VPN technology is used for traffic forwarding in the prior art is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:
FIG. 1 is a flow chart of an alternative traffic forwarding method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an alternative traffic forwarding system according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an alternative traffic forwarding device according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an alternative electronic device according to an embodiment of the invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that, the related information (including, but not limited to, user equipment information, user personal information, etc.) and data (including, but not limited to, data for presentation, analyzed data, etc.) related to the present invention are information and data authorized by the user or sufficiently authorized by each party. For example, an interface is provided between the system and the relevant user or institution, before acquiring the relevant information, the system needs to send an acquisition request to the user or institution through the interface, and acquire the relevant information after receiving the consent information fed back by the user or institution.
Example 1
In accordance with an embodiment of the present invention, an embodiment of a traffic forwarding method is provided. It should be noted that the steps shown in the flowchart of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is shown in the flowchart, in some cases the steps may be performed in an order other than the one shown or described herein.
Fig. 1 is a flowchart of an alternative traffic forwarding method according to an embodiment of the present invention, as shown in fig. 1, the method includes the steps of:
Step S101: a first access request initiated by a target object is received, where the first access request includes at least the account information of the target object.
In the above step, the first access request initiated by the target object may be received by an application system, a processor, an electronic device, or the like. Alternatively, the target object may be a user who wants to access the service system, the first access request may be a login request, and the account information may be information such as an account number and a password.
FIG. 2 is a schematic diagram of an alternative traffic forwarding system according to an embodiment of the present invention. As shown in FIG. 2, the traffic forwarding system includes a dedicated browser, an application controller and a relay forwarder, working together with a unified identity management system. The dedicated browser is used for user identity login, application rights negotiation, service presentation and the like; the unified identity management system manages the accounts (e.g., identity information, authentication information, rights information) that access the service system; the application controller performs user identity authentication, authorization verification and the like; and the relay forwarder forwards access requests.
Optionally, in this embodiment, the first access request initiated by the target object is received by the application controller. Specifically, before the application controller receives the first access request, the target object, that is, the user, applies for an account number and the corresponding service system authority through a work order system, for example by raising a work order in the OA system. The account number applied for is managed by the unified identity management system, and the service system may be an IT system of the operator, for example a business support system (BSS), a management support system (MSS), an operation support system (OSS), or an EDA system of the operator. The service system authority may be an access authority, for example the authority to access the home page of the BSS.
Optionally, after the work order is approved, the user completes identity authentication and liveness authentication with the administrator; after that authentication passes, an account number and the related service system authorization information are generated in the unified identity management system, and the installation package of the dedicated browser and the address of the application controller are delivered to the user. The dedicated browser may be an enterprise-specific browser.
Optionally, the user enters the account number, the password and the address of the application controller in the enterprise-specific browser and sends a login request, namely the first access request, to the application controller through the enterprise-specific browser, and the application controller receives the login request. The first access request carries trust seed information, namely the identifier of the dedicated browser.
Step S102: determining whether the source of the first access request is a target browser, and verifying the account information when the source of the first access request is the target browser.
In the above step, the target browser may be the aforementioned enterprise-specific browser. The application controller confirms whether the application that sent the login request is the enterprise-specific browser, that is, determines whether the source of the first access request is the target browser, by checking the trust seed information.
Optionally, the application controller verifies the trust seed information. If verification fails, namely the application that sent the login request is not an enterprise-specific browser, the session is terminated; if verification passes, that is, the source of the first access request is an enterprise-specific browser, the account information is verified. Optionally, the application controller sends an identity verification request to the unified identity management system, that is, it forwards the account information (account number and password) to the unified identity management system, which verifies it.
Step S103: when the account information passes verification, selecting a target forwarder from a plurality of forwarders and sending the address information of the target forwarder to the target browser, so that the target forwarder receives the service request traffic sent by the target browser and forwards it to the target service system when that traffic meets a preset condition.
In the above step, the target forwarder may be the aforementioned relay forwarder. When the account information passes verification, the application controller selects the target forwarder from the plurality of forwarders, for example by checking the current performance of the forwarders and taking the one with good performance as the target forwarder, that is, the relay forwarder. Optionally, the application controller sends the address information of the target forwarder, i.e. the address of the relay forwarder, to the enterprise-specific browser.
Optionally, as shown in FIG. 2, the application controller issues a configuration to the dedicated browser: specifically, it sends the application authorization information, the application communication key and the login permission flag obtained from the unified identity management system to the enterprise-specific browser, whose identifier has already been verified. Optionally, the application controller also issues a configuration to the relay forwarder: specifically, it sends the application authorization information and the application communication key to the target forwarder, that is, the relay forwarder.
Optionally, after receiving the address information of the relay forwarder and the application communication key, the enterprise-specific browser invokes its embedded traffic relay module to send the application communication key and the trust seed information to the relay forwarder, and then sends the service request traffic, for example HTTP/HTTPS request traffic, to the relay forwarder.
Optionally, the relay forwarder receives the service request traffic sent by the enterprise-specific browser, performs security verification, and forwards the service request traffic to the target service system when that traffic meets the preset condition, namely passes the security verification. Specifically, the relay forwarder verifies the identity of the user by means of the application communication key, verifies from the trust seed information that the traffic comes from an enterprise-specific browser, and verifies from the HOST field of the HTTP/HTTPS traffic that the user has access rights to the requested service. Only when all three checks pass does the relay forwarder, once the TCP connection to it has been established, forward the service request traffic to the service system.
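As an added example (not code from the patent or from China Telecom), the following Python models the application controller's login handling from steps S101 to S103 together with the relay forwarder's three admission checks described above. The trust seed value, the salted PBKDF2 password storage, the load metric used to pick the forwarder, the per-session application communication key and all account data are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed identifier that only the dedicated (enterprise) browser embeds in
# its requests; the patent calls this the "trust seed".
TRUST_SEED = "ent-browser-trust-seed-v1"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the constructed identity database holds no clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed stand-in for the unified identity management system's database:
# account -> salt, password hash and the service hosts this account may reach.
_SALT = b"constructed-salt"
IDM_DB = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct-horse", _SALT),
        "hosts": {"bss.example.internal"},
    },
}


@dataclass
class RelayForwarder:
    address: str
    load: float  # assumed performance metric reported to the controller; lower is better
    # account -> {"key": application communication key, "hosts": authorised HOST values}
    sessions: dict = field(default_factory=dict)

    def admit(self, account: str, key: str, seed: str, host: str) -> tuple:
        """The relay's three checks before a request is forwarded to a service system."""
        session = self.sessions.get(account)
        if session is None:
            return (False, "no session issued by the controller to this relay")
        # 1. identity: the key the browser presents must equal the one the controller issued
        if not hmac.compare_digest(session["key"], key):
            return (False, "application communication key mismatch")
        # 2. source: the traffic must carry the dedicated browser's trust seed
        if not hmac.compare_digest(seed, TRUST_SEED):
            return (False, "traffic does not come from the dedicated browser")
        # 3. authorisation: the HTTP HOST field must be a service this account may access
        if host not in session["hosts"]:
            return (False, "account not authorised for host " + host)
        return (True, "forward to service system")


class ApplicationController:
    def __init__(self, forwarders):
        self.forwarders = list(forwarders)

    def login(self, request: dict) -> dict:
        """Handle the first access request (S101-S103) and return the issued configuration."""
        # S102: check the source before touching credentials; a generic client
        # that cannot present the trust seed has its session dropped at once
        if not hmac.compare_digest(request.get("trust_seed", ""), TRUST_SEED):
            return {"status": "rejected", "reason": "source is not the dedicated browser"}
        record = IDM_DB.get(request.get("account", ""))
        # hash the presented password even for unknown accounts so both paths cost the same
        candidate = hash_password(request.get("password", ""), record["salt"] if record else _SALT)
        if record is None or not hmac.compare_digest(record["pw_hash"], candidate):
            return {"status": "rejected", "reason": "account verification failed"}
        # S103: pick the best-performing relay and hand the same per-session key
        # and authorisation to that relay and to the browser
        target = min(self.forwarders, key=lambda f: f.load)
        key = secrets.token_hex(16)
        target.sessions[request["account"]] = {"key": key, "hosts": set(record["hosts"])}
        return {
            "status": "ok",
            "forwarder": target.address,
            "key": key,
            "hosts": sorted(record["hosts"]),
        }
```

Note that a login that never reaches the relay leaves no session there, so a browser that guesses a relay address without the controller's configuration is refused at the first check.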
Based on the scheme defined in the above steps S101 to S103, it can be known that in the embodiment of the present invention, a specific browser is adopted to perform trust negotiation and forward the traffic through the relay forwarder, first the first access request initiated by the target object is received, then whether the source of the first access request is the target browser is determined, if the source of the first access request is the target browser, the account information is verified, if the account information passes the verification, the target forwarder is determined from the plurality of forwarders, and the address information of the target forwarder is sent to the target browser, so that the target forwarder receives the traffic request traffic sent by the target browser, and if the traffic request traffic meets the preset condition, the traffic request traffic is forwarded to the target traffic system. Wherein the first access request includes at least account information of the target object.
It is easy to note that in the above process, by receiving the first access request initiated by the target object, a data basis is provided for subsequent determination of the source of the first access request; by determining whether the source of the first access request is a target browser, the validity check of the browser is realized, the remote connection of the TCP protocol is allowed after the verification is passed, and compared with the condition that the TCP port of the VPN server in the prior art is in a monitoring state for a long time, the remote network attack risk such as TLS vulnerability and DDOS vulnerability attack can be avoided; under the condition that the source of the first access request is a target browser, checking account information, and realizing the trust negotiation safety relay forwarding by adopting a special browser, compared with the prior art, an attacker cannot use a general client to carry out password blasting attack; under the condition that account information passes verification, a target transponder is determined from a plurality of transponders, address information of the target transponder is sent to a target browser, the target transponder can receive service request flow sent by the target browser, and the service request flow is forwarded to a target service system under the condition that the service request flow meets preset conditions, so that the exposure surface of an asset is contracted onto a safe relay forwarding channel, the exposure surface of the asset of an enterprise is reduced, the protection safety degree of the asset of the enterprise is improved, and the system has a better safety protection effect.
Therefore, through the technical scheme of the invention, the purposes of carrying out trust negotiation through the special browser and forwarding the flow through the relay repeater are achieved, and the comprehensive vulnerability protection of the enterprise assets is realized, so that the technical effect of improving the protection safety degree of the enterprise assets is realized, and the technical problem that the protection safety degree of the enterprise assets is lower when the VPN technology is adopted for forwarding the flow in the prior art is solved.
In an alternative embodiment, in determining whether the source of the first access request is the target browser, it is detected whether the first access request includes an identifier of the target browser, and when the first access request includes the identifier of the target browser, the source of the first access request is determined to be the target browser.
Optionally, the application controller confirms whether the source of the application sending the login request is an enterprise-specific browser by verifying the trust seed information, i.e. determines whether the source of the first access request is a target browser. Specifically, the application controller detects whether the first access request, i.e., the login request, includes an identifier of the enterprise-specific browser, and determines that the source of the login request is the enterprise-specific browser when the login request includes the identifier of the enterprise-specific browser.
In an alternative embodiment, in the process of checking account information, the account information is compared with account information in a database of an identity management system to obtain a comparison result, wherein the identity management system is used for managing a plurality of accounts accessing a target service system, and the comparison result is used for representing whether the account information passes the check.
Alternatively, the identity management system may be the aforementioned unified identity management system. The application controller sends an identity verification request to the unified identity management system, namely, the account information (account number and password information) is forwarded to the unified identity management system, and the account information is verified through the unified identity management system. Specifically, the unified identity management system can query the database to perform data comparison, namely account information is compared with the account information in the database of the identity management system.
Optionally, whether the account number and password information are correct is checked by comparing them with the information in the database, giving a comparison result. If verification fails, that is, the comparison result is that the account number or password information is wrong and the check is not passed, a prompt stating that the account number or password information is wrong is returned and the user is prompted to submit the authentication data again. Optionally, if verification succeeds, that is, the comparison result is that the account number and password information are correct and the check is passed, a short message (SMS) verification code is sent to the user's mobile phone through the short message module of the unified identity management system, and the verification code is synchronized to the application controller.
In an alternative embodiment, in determining the target transponder from the plurality of transponders, operational information of the plurality of transponders is obtained, and the target transponder is then determined from the plurality of transponders based on the operational information. Wherein the operational information characterizes performance of the plurality of transponders.
Alternatively, the operation information may be the current operating state information, performance information, etc. of the transponders. The application controller obtains the operation information of the plurality of transponders and determines a target transponder from them based on that information. For example, the current performance information of the plurality of transponders is acquired, and a well-performing transponder is used as the target transponder, i.e., the relay transponder.
In an alternative embodiment, in the case that the account information passes the verification, the authority information and the target key corresponding to the account information are acquired, and then the authority information and the target key are sent to the target transponder. The authority information is used for representing whether the target object is allowed to access the target service system, and the target key is used for conducting encryption processing on service request traffic.
In an alternative embodiment, before the address information of the target transponder is sent to the target browser, the first short message verification information sent by the identity management system is received, then a second access request initiated by the target object is received, then whether the first short message verification information is consistent with the second short message verification information is compared, and the address information of the target transponder is sent to the target browser under the condition that the first short message verification information is consistent with the second short message verification information. The second access request at least comprises second short message authentication information.
Optionally, under the condition that the account information passes the verification, the application controller acquires authority information corresponding to the account information, namely the application authorization information and the target key, namely the application communication key, from the unified identity management system, and issues configuration to the relay transponder, namely the authority information and the target key are sent to the target transponder.
Optionally, before the address information of the target transponder is sent to the target browser, the application controller receives the first short message verification information sent by the identity management system, that is, the process of synchronizing the verification code to the application controller is implemented.
Further, the user inputs a short message verification code in the enterprise-specific browser, logs in the verification page for the second time through the enterprise-specific browser and sends the short message verification code to the application controller, namely the target object initiates a second access request. Optionally, the application controller receives a second access request initiated by the user, and compares whether the first short message verification information is consistent with the second short message verification information, namely, compares whether the short message verification code sent by the identity management system is consistent with the short message verification code input by the user.
Optionally, if the first short message verification information is inconsistent with the second short message verification information, the application controller sends a login-refusal flag to the enterprise-specific browser and sends no information to the relay transponder.
Optionally, if the first short message verification information is consistent with the second short message verification information, that is, if the application controller verifies that both the trust seed information and the short message verification code are correct, it sends the address information of the relay transponder, the application authorization information, the application communication key and a permit-login flag to the enterprise-specific browser. The application controller also sends the application authorization information and the application communication key to the relay transponder.
Optionally, the enterprise-specific browser receives the return information of the application controller; if the permit-login flag is received, the application authorization information, the relay transponder address and the application communication key are stored in the local configuration. If the login-refusal flag is received, the browser returns to the second login check page and prompts the user to enter the correct short message verification code again.
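The two-step check performed by the application controller (browser identifier, account check, then SMS code compare, then configuration issue to browser and transponder), as an added Python sketch that is not part of the patent. The in-memory account table, trust seed string, transponder pool with load figures, and the three-attempt limit on the SMS code are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data: in-memory stand-ins for the identity management
# system database and the transponder pool (not the patent's own components).
IDM_ACCOUNTS = {"alice": {"password": "correct horse", "phone": "+86-138-0000-0000",
                          "authorized_apps": ["erp.corp.example", "crm.corp.example"]}}
TRUST_SEED = "ENTERPRISE-BROWSER-SEED-v1"   # identifier carried only by the dedicated browser
FORWARDERS = {"fwd-a": {"addr": "10.0.0.11:8443", "load": 0.72},
              "fwd-b": {"addr": "10.0.0.12:8443", "load": 0.18}}
MAX_SMS_ATTEMPTS = 3                         # assumption: bound retries of the 6-digit code


@dataclass
class Controller:
    """Application controller: first access, second access, configuration issue."""
    pending: dict = field(default_factory=dict)           # account -> SMS code awaiting step 2
    attempts: dict = field(default_factory=dict)          # account -> wrong-code count
    forwarder_config: dict = field(default_factory=dict)  # transponder id -> issued (authz, key)
    sms_outbox: list = field(default_factory=list)        # simulated short message module

    def first_access(self, req: dict) -> dict:
        # 1. Source check: without the trust seed the request is not from the
        #    target browser and nothing further (no TCP relay) is offered.
        if req.get("trust_seed") != TRUST_SEED:
            return {"status": "reject", "reason": "not target browser"}
        # 2. Account check against the identity-management database (plaintext
        #    here for brevity; a real store would hold password hashes).
        acct = IDM_ACCOUNTS.get(req.get("account"))
        if acct is None or not hmac.compare_digest(acct["password"], req.get("password", "")):
            return {"status": "reject", "reason": "wrong account or password, resubmit"}
        # 3. Identity system sends an SMS code and synchronises it to the controller.
        code = f"{secrets.randbelow(10**6):06d}"
        self.sms_outbox.append((acct["phone"], code))
        self.pending[req["account"]] = code
        self.attempts[req["account"]] = 0
        return {"status": "await_sms_code"}

    def second_access(self, req: dict) -> dict:
        account = req.get("account")
        expected = self.pending.get(account)
        if expected is None or self.attempts.get(account, 0) >= MAX_SMS_ATTEMPTS:
            return {"status": "refuse_login"}
        if not hmac.compare_digest(expected, req.get("sms_code", "")):
            self.attempts[account] += 1
            return {"status": "refuse_login"}   # nothing is sent to the transponder
        del self.pending[account]
        acct = IDM_ACCOUNTS[account]
        fid = self.select_forwarder()
        key = secrets.token_hex(16)            # application communication key
        authz = list(acct["authorized_apps"])   # application authorization information
        # Configuration issued to the relay transponder ...
        self.forwarder_config[fid] = {"authorization": authz, "key": key}
        # ... and to the dedicated browser, together with the permit-login flag.
        return {"status": "permit_login", "forwarder": FORWARDERS[fid]["addr"],
                "authorization": authz, "key": key}

    @staticmethod
    def select_forwarder() -> str:
        # Operation information is a constructed load figure; the least-loaded
        # transponder becomes the target (relay) transponder.
        return min(FORWARDERS, key=lambda f: FORWARDERS[f]["load"])
```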
Optionally, the enterprise-specific browser reads the local configuration file and decides, according to the application authorization information, whether the user's access traffic, that is, the service request traffic, may be forwarded by the relay transponder. Specifically, when the URL of the application the user accesses does not match the application authorization information, the enterprise-specific browser behaves like an ordinary browser and the traffic is forwarded to the service system through the operating system's local routing table. When the URL of the accessed application matches the application authorization information, the enterprise-specific browser calls its embedded relay forwarding module and sends the application communication key, the trust seed information and the user's HTTP/HTTPS request traffic to the relay transponder.
Optionally, the relay transponder verifies the identity of the user according to the application communication key, verifies whether the traffic comes from an enterprise-specific browser according to the trust seed information, and verifies whether the user has access rights according to the HOST field of the HTTP/HTTPS traffic. If all three checks pass, the relay transponder forwards the service request traffic to the service system once the connection (that is, the TCP connection) to the service system has been established.
In this embodiment, a dedicated browser is used for trust negotiation and secure relay forwarding, so an attacker cannot use a general-purpose client to carry out a password brute-force attack. In addition, the application controller and the relay transponder verify the validity of the dedicated browser using the trust seed information, and a remote TCP connection is allowed only after this verification passes, so that remote network attack risks such as attacks on TLS vulnerabilities and DDoS attacks are avoided. Furthermore, relay forwarding is performed on the basis of the user's identity and application authority; compared with the VPN tunnel technology of the prior art, this avoids the risk that an attacker achieves illegal tunnel traversal through process spoofing in traditional VPN technology.
In an alternative embodiment, after the address information of the target forwarder is sent to the target browser, the target forwarder receives the service response traffic sent by the target service system and forwards the service response traffic to the target browser.
Optionally, the service system trusts only traffic forwarded from the relay transponder, based on a firewall whitelist policy. If the source IP of the service request traffic is the IP of the relay transponder, the service response traffic is returned to the relay transponder; otherwise, the session connection is interrupted.
Optionally, the relay transponder receives the service response traffic returned by the service system, returns it to the enterprise-specific browser, and the HTTP/HTTPS access request ends.
In this embodiment, after the series of information checks, the transponder is used to forward the service request traffic, so that the exposure surface of the asset is contracted onto the secure relay forwarding channel, the exposure surface of the enterprise's assets is reduced, the degree of protection of those assets is improved, and the method has a better security protection effect.
Therefore, through the technical scheme of the invention, the purposes of carrying out trust negotiation through the dedicated browser and forwarding traffic through the relay transponder are achieved, and comprehensive vulnerability protection of the enterprise assets is realized, so that the technical effect of improving the degree of protection of the enterprise assets is achieved, and the technical problem in the prior art that the degree of protection of enterprise assets is lower when VPN technology is used for forwarding traffic is solved.
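The data path described above (browser routing decision by URL, the relay transponder's three checks on key, trust seed and HOST field, and the service system's source-IP whitelist), as an added Python sketch that is not part of the patent. The stored browser configuration, trust seed string and transponder IP are constructed placeholders.

```python
import hmac
from urllib.parse import urlsplit

# Constructed local configuration as the dedicated browser would store it after
# a permit-login response (placeholder values, not from the patent).
BROWSER_CONFIG = {"forwarder": "10.0.0.12:8443", "key": "0f" * 16,
                  "authorization": ["erp.corp.example", "crm.corp.example"]}
TRUST_SEED = "ENTERPRISE-BROWSER-SEED-v1"
FORWARDER_IP = "10.0.0.12"        # the only source the service system's firewall admits


def browser_route(url: str, cfg: dict) -> str:
    """'relay' when the URL's host matches the application authorization,
    otherwise 'direct' (ordinary routing through the OS routing table)."""
    host = urlsplit(url).hostname or ""
    return "relay" if host in cfg["authorization"] else "direct"


def browser_frame(url: str, cfg: dict) -> dict:
    """What the embedded relay module sends to the transponder: communication
    key, trust seed, and the HTTP request (Host header carried explicitly)."""
    parts = urlsplit(url)
    return {"key": cfg["key"], "trust_seed": TRUST_SEED,
            "request": {"method": "GET", "path": parts.path or "/",
                        "headers": {"Host": parts.hostname or ""}}}


class RelayForwarder:
    """Relay transponder holding the configuration issued by the controller."""

    def __init__(self, authorization, key):
        self.authorization = set(authorization)
        self.key = key

    def verify(self, frame: dict) -> str:
        # Three checks, in the order the description lists them.
        if not hmac.compare_digest(self.key, frame.get("key", "")):
            return "deny: bad communication key"        # user identity
        if frame.get("trust_seed") != TRUST_SEED:
            return "deny: not dedicated browser"        # browser validity
        host = frame["request"]["headers"].get("Host", "")
        if host not in self.authorization:
            return "deny: host not authorized"          # access rights
        return "forward"

    def handle(self, frame: dict, service) -> str:
        verdict = self.verify(frame)
        if verdict != "forward":
            return verdict
        # Only now is a connection to the service system opened, from the
        # transponder's own IP; the response is relayed back to the browser.
        return service.accept(FORWARDER_IP, frame["request"])


class ServiceSystem:
    """Target service system: firewall whitelist admits only the transponder."""

    def __init__(self, allowed_sources):
        self.allowed = set(allowed_sources)

    def accept(self, src_ip: str, request: dict) -> str:
        if src_ip not in self.allowed:
            return "connection interrupted"
        return f"200 OK {request['headers']['Host']}{request['path']}"
```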
Example 2
According to an embodiment of the present invention, there is provided an embodiment of a traffic forwarding device, wherein fig. 3 is a schematic diagram of an alternative traffic forwarding device according to an embodiment of the present invention, as shown in fig. 3, and the device includes: the receiving module 301 is configured to receive a first access request initiated by a target object, where the first access request includes at least account information of the target object; a determining module 302, configured to determine whether the source of the first access request is a target browser, and verify account information if the source of the first access request is the target browser; and the sending module 303 is configured to determine a target transponder from the plurality of transponders and send address information of the target transponder to the target browser when the account information passes the verification, so that the target transponder receives the service request traffic sent by the target browser and forwards the service request traffic to the target service system when the service request traffic meets a preset condition.
It should be noted that the above-mentioned receiving module 301, determining module 302 and sending module 303 correspond to steps S101 to S103 of the above-mentioned embodiment; the examples and application scenarios implemented by the three modules are the same as those of the corresponding steps, but are not limited to those disclosed in embodiment 1 above.
Optionally, the determining module includes: the first detection module is used for detecting whether the first access request contains the identification of the target browser or not; the first determining module is configured to determine that the source of the first access request is the target browser if the first access request includes an identifier of the target browser.
Optionally, the determining module further includes: the first comparison module is used for comparing the account information with the account information in the database of the identity management system to obtain a comparison result, wherein the identity management system is used for managing a plurality of accounts accessing the target service system, and the comparison result is used for representing whether the account information passes the verification.
Optionally, the sending module includes: the first acquisition module is used for acquiring the operation information of the plurality of transponders, wherein the operation information characterizes the performance conditions of the plurality of transponders; and the second determining module is used for determining the target transponder from the plurality of transponders according to the operation information.
Optionally, the traffic forwarding device further includes: the second acquisition module is used for acquiring authority information and a target key corresponding to the account information under the condition that the account information passes the verification, wherein the authority information is used for representing whether a target object is allowed to access a target service system or not, and the target key is used for carrying out encryption processing on service request flow; and the first sending module is used for sending the authority information and the target key to the target transponder.
Optionally, the traffic forwarding device further includes: the first receiving module is used for receiving the first short message verification information sent by the identity management system; the second receiving module is used for receiving a second access request initiated by the target object, wherein the second access request at least comprises second short message verification information; the second comparison module is used for comparing whether the first short message verification information is consistent with the second short message verification information or not, and sending the address information of the target transponder to the target browser under the condition that the first short message verification information is consistent with the second short message verification information.
Optionally, the traffic forwarding device further includes: and the second sending module is used for receiving the service response flow sent by the target service system by the target transponder and forwarding the service response flow to the target browser.
Example 3
According to another aspect of the embodiments of the present invention, there is also provided a computer readable storage medium having a computer program stored therein, wherein the computer program is configured to perform the above-described traffic forwarding method when run.
Example 4
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, wherein fig. 4 is a schematic diagram of an alternative electronic device according to an embodiment of the present invention, as shown in fig. 4, the electronic device including one or more processors; and a memory for storing one or more programs that, when executed by the one or more processors, cause the one or more processors to implement a method for running the program, wherein the program is configured to perform the traffic forwarding method described above when run.
The device herein may be a server, PC, PAD, cell phone, etc.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present invention, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology content may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of the units, for example, may be a logic function division, and may be implemented in another manner, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied essentially or in part or all of the technical solution or in part in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a removable hard disk, a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present invention, which are intended to be comprehended within the scope of the present invention.

Claims (10)

1. A method for forwarding traffic, comprising:
receiving a first access request initiated by a target object, wherein the first access request at least comprises account information of the target object;
determining whether the source of the first access request is a target browser, and checking the account information when the source of the first access request is the target browser;
and under the condition that the account information passes the verification, determining a target transponder from a plurality of transponders, and sending the address information of the target transponder to the target browser, so that the target transponder receives the service request flow sent by the target browser, and under the condition that the service request flow meets the preset condition, forwarding the service request flow to a target service system.
2. The method of claim 1, wherein determining whether the source of the first access request is a target browser comprises:
detecting whether the first access request contains the identification of the target browser or not;
and determining that the source of the first access request is the target browser under the condition that the first access request contains the identification of the target browser.
3. The method of claim 1, wherein verifying the account information comprises:
comparing the account information with account information in a database of an identity management system to obtain a comparison result, wherein the identity management system is used for managing a plurality of accounts accessing the target service system, and the comparison result is used for representing whether the account information passes the verification.
4. The method of claim 1, wherein determining the target transponder from the plurality of transponders comprises:
acquiring operation information of the plurality of transponders, wherein the operation information characterizes performance conditions of the plurality of transponders;
and determining the target transponder from the plurality of transponders according to the operation information.
5. The method according to claim 1, wherein the method further comprises:
acquiring authority information and a target key corresponding to the account information under the condition that the account information passes the verification, wherein the authority information is used for representing whether the target object is allowed to access the target service system or not, and the target key is used for carrying out encryption processing on the service request flow;
and sending the authority information and the target key to the target transponder.
6. The method of claim 1, wherein prior to sending the address information of the target forwarder to the target browser, the method further comprises:
receiving first short message verification information sent by an identity management system;
receiving a second access request initiated by the target object, wherein the second access request at least comprises second short message verification information;
comparing whether the first short message verification information is consistent with the second short message verification information, and sending the address information of the target transponder to the target browser under the condition that the first short message verification information is consistent with the second short message verification information.
7. The method according to claim 1, wherein after transmitting the address information of the target transponder to the target browser, the method further comprises:
and the target forwarder receives the service response flow sent by the target service system and forwards the service response flow to the target browser.
8. A traffic forwarding device, comprising:
the system comprises a receiving module, a processing module and a processing module, wherein the receiving module is used for receiving a first access request initiated by a target object, and the first access request at least comprises account information of the target object;
the determining module is used for determining whether the source of the first access request is a target browser or not, and checking the account information when the source of the first access request is the target browser;
and the sending module is used for determining a target transponder from a plurality of transponders and sending the address information of the target transponder to the target browser under the condition that the account information passes the verification so that the target transponder receives the service request flow sent by the target browser and forwards the service request flow to a target service system under the condition that the service request flow meets the preset condition.
9. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program, wherein the computer program is arranged to execute the traffic forwarding method according to any of the claims 1 to 7 when run.
10. An electronic device, the electronic device comprising one or more processors; a memory for storing one or more programs that, when executed by the one or more processors, cause the one or more processors to implement a method for running a program, wherein the program is configured to perform the traffic forwarding method of any of claims 1 to 7 when run.
CN202211728673.XA 2022-12-29 2022-12-29 Traffic forwarding method and device, storage medium and electronic equipment Pending CN116192460A (en)

Publications (1)

Publication Number Publication Date
CN116192460A true CN116192460A (en) 2023-05-30

Family

ID=86431923

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination