CN116321136A - Stealth gateway design method supporting multi-factor identity authentication - Google Patents


Info

Publication number
CN116321136A
CN116321136A (application CN202310284003.1A)
Authority
CN
China
Prior art keywords
user
stealth
gateway
access
message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310284003.1A
Other languages
Chinese (zh)
Inventor
贾哲
王强
焦利彬
贾紫艺
杨晓鹏
刘丽哲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CETC 54 Research Institute
Original Assignee
CETC 54 Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CETC 54 Research Institute
Priority to CN202310284003.1A
Publication of CN116321136A
Legal status: pending (current)

Classifications

    • H04W12/041 Key generation or derivation (under H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]; H04W12/00 Security arrangements; authentication; protecting privacy or anonymity; H04W Wireless communication networks; H04 Electric communication technique; H Electricity)
    • H04W12/033 Protecting confidentiality of the user plane, e.g. user's traffic, by encryption (under H04W12/03 Protecting confidentiality, e.g. by encryption; H04W12/00)
    • H04W12/06 Authentication (under H04W12/00)
    • H04W12/088 Access security using filters or firewalls (under H04W12/08 Access security; H04W12/00)
    • H04W88/16 Gateway arrangements (under H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices)
    • Y02D30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (under Y02D30/00 Reducing energy consumption in communication networks; Y02D Climate change mitigation technologies in information and communication technologies [ICT]; Y02 Technologies or applications for mitigation or adaptation against climate change; Y General tagging of new technological developments)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a stealth gateway design method supporting multi-factor identity authentication. It takes software-defined perimeter (SDP) technology as its core: user access initiated from authenticated devices is authorized dynamically, access initiated from unauthenticated devices is blocked, and the stealth gateway forwards the access request of a legitimate user only after multi-factor identity authentication based on a password, a one-time password, the source IP address and similar factors. Compared with a traditional VPN or firewall, the stealth gateway effectively reduces the network attack surface, provides multi-factor authentication and perimeter cloaking, and improves overall data security.

Description

Stealth gateway design method supporting multi-factor identity authentication
Technical Field
The invention relates to the technical field of network security, in particular to a stealth gateway design method supporting multi-factor identity authentication.
Background
Conventional network security devices have a large exposed surface: an attacker can scan the externally exposed ports and IP addresses for vulnerabilities, penetrate the network, and exfiltrate core data assets.
In addition, conventional network security devices cannot effectively address threats that are already inside the network; an attacker who has gained a foothold through malware or phishing e-mail can lurk inside it, posing a serious security challenge to the whole network.
Designing a stealth gateway that provides perimeter cloaking, continuous identity verification and dynamic access control is therefore critical to addressing these challenges.
Disclosure of Invention
To address these problems in the prior art, the invention provides a stealth gateway design method supporting multi-factor identity authentication. The aim is a stealth gateway with perimeter cloaking, an SSL/TLS encrypted tunnel, multi-factor identity authentication and dynamic access control, which solves the problems that traditional network security equipment has a large exposed surface, cannot enforce fine-grained access control, relies on a single authentication method and cannot cope with increasingly strong internal and external threats. An attacker cannot see the target in network space and therefore cannot attack it, so that the resources of an enterprise or server are protected in all directions.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
a stealth gateway design method supporting multi-factor identity authentication comprises the following steps:
step 1, installing a zero-trust client on a user terminal in the local area network; the zero-trust client perceives and scores the security posture of the terminal in real time, and the terminal is treated as a legitimately authenticated, trusted terminal only when the score exceeds a set threshold;
step 2, enabling the firewall on the stealth gateway by default, configuring iptables with a default-deny policy, and discarding all incoming packets;
step 3, starting the single-packet authorization (SPA) service on the stealth gateway and monitoring the authentication result in real time;
step 4, on a trusted terminal that has the zero-trust client installed, starting the client, encrypting a single UDP datagram and sending it to the designated port of the stealth gateway as the port-knocking request;
step 5, the server receives the datagram on that port, decrypts it and verifies the decrypted packet;
step 6, performing multi-factor authentication on the user identity information, IP address and geographic location carried in the decrypted packet, and deciding whether the user is legitimate;
step 7, after a legitimate user passes verification, authorizing the user's access by configuring an iptables policy that lets the user through and specifies the scope of services the user may reach; at this point the SPA service of the stealth gateway reports a successful single-packet authentication;
step 8, setting an access time window in the stealth gateway configuration file; a user who exceeds the window loses access;
and step 9, monitoring the user's access behaviour in real time and, if the behaviour is abnormal, intercepting the user a second time so that access cannot continue.
Further, the specific process of step 1 is as follows:
a zero-trust client is installed on a user terminal in the local area network. The client senses the security posture of the terminal in real time, covering basic terminal security, system security and application-software compliance, and produces a composite score; the terminal is treated as a legitimately authenticated, trusted terminal only when the score exceeds a set threshold s0. A terminal without the zero-trust client is regarded as untrusted, and access requests initiated from an untrusted terminal are intercepted.
The composite score is computed as follows:
the basic terminal security score comprises a Windows firewall state score s1 and an antivirus installation score s2; s1 is 2 when the Windows firewall is on and 0 when it is off; s2 is 2 when antivirus software is installed and 0 otherwise;
the system security score comprises a local identity-theft protection score s3, a password complexity score s4, an account lockout threshold score s5 and an account audit management score s6; each is 1 if the corresponding service is enabled and 0 otherwise;
the application-software compliance score comprises a Bluetooth state score s7 and a blacklisted-service score s8, each 1 if the corresponding service is enabled and 0 otherwise;
the composite score is s = s1 + s2 + ... + s8; when s > s0 the terminal is considered trusted, otherwise it is considered untrusted.
Further, the specific process of step 2 is as follows:
all incoming packets are discarded by default, so that an external user cannot reach any port on the local area network, while already established connections are not blocked. In this state, with no user having knocked, the firewall discards every incoming UDP datagram and the backend resources cannot be reached directly, i.e. the ports are closed to the external network.
Further, the specific process of step 3 is as follows:
step 301, starting the single-packet authorization service;
step 302, monitoring the single-packet authorization result in real time; an empty monitoring result means that no authentication result has been observed, otherwise an authentication result has been observed.
Further, the specific process of step 4 is as follows:
step 401, the zero-trust client generates a client message whose fields are: a 16-byte random number, device fingerprint, timestamp, version number, hardware feature code, message type, identity information and geographic location;
step 402, the fields are combined according to fixed rules and transcoded, and a digest is computed over them to form the plaintext to be encrypted;
step 403, the plaintext is encrypted with a secret key; the order of operations is encrypt-then-authenticate (the authentication tag is computed over the ciphertext), so that the receiver can reject a forged or modified ciphertext before decrypting it and cryptanalytic attacks on the ciphertext are avoided;
step 404, the zero-trust client program triggers the port-knocking action and sends the message to the port designated by the stealth gateway server.
Further, the specific process of step 5 is as follows:
step 501, before the firewall with the default-drop policy is deployed, the key generated by the client is transferred to the server with ssh or another secure tool; the keys are stored in the /etc/fwknop/access.conf file as KEY_BASE64 and HMAC_KEY_BASE64;
step 502, the packet sniffer on the stealth gateway captures UDP datagrams addressed to the designated port in real time via pcap;
step 503, the stealth gateway decrypts the datagram with the key and then identifies the captured UDP message.
Further, the specific process of step 6 is as follows:
step 601, the plaintext is Base64-decoded; after decoding, the 16-byte random number, timestamp, hardware feature code, message type, identity information and geographic location are extracted according to the corresponding rules, the plaintext is parsed, and detailed information about the terminal device and the user is obtained;
step 602, the plaintext and the digest are split according to the rules; the digest is recomputed over the plaintext and compared with the carried digest; if they differ, the inner information may have been tampered with and the message is discarded; if they match, the next step is executed;
step 603, when the user applies for access the password and one-time password are verified, and after they pass, the user's access time and location are checked against the configured range; if both are within range the user is considered legitimate, otherwise the user is considered illegitimate.
Further, the specific process of step 7 is as follows:
step 701, once the user's identity is confirmed legitimate, the user is authorized and the range of services the user may access is determined;
step 702, the first rule of the INPUT chain of the stealth gateway's iptables is a jump to the FWKNOP_INPUT chain, which holds the temporary admission rules; because this jump is the first rule in INPUT, incoming packets from the legitimate user match the temporary rule in FWKNOP_INPUT and are accepted; at this point the SPA service of the stealth gateway reports a successful single-packet authentication.
Further, the specific process of step 8 is as follows:
after 30 s the temporary rules are deleted automatically and the stealth gateway returns to the closed state for all externally visible ports.
Further, the specific process of step 9 is as follows:
the visitor's access behaviour is monitored in real time; if it is abnormal and the real-time score falls below the threshold, the user is intercepted a second time and the access is blocked.
Compared with the prior art, the invention has the following advantages:
1. The zero-trust client monitors the terminal's security environment in real time, ensuring the trustworthiness and security of the user terminal; a device without a secure zero-trust client cannot initiate a valid access request.
2. The invention makes the network "invisible" and reduces the exposed surface of the network as far as possible; the stealth gateway supports a dynamic encryption mechanism with one key per terminal, so that a session key stolen from one terminal cannot be used to decrypt the traffic of another.
3. The stealth gateway offers rich and varied identity authentication methods, supporting at least five authentication dimensions such as password, digital certificate, one-time password, time and IP address, to secure the system to the greatest extent.
Drawings
Fig. 1 is a schematic diagram of a stealth gateway workflow in an embodiment of the present invention.
Fig. 2 is a block diagram of a stealth gateway system in accordance with an embodiment of the present invention.
Detailed Description
In order to more clearly and completely describe the technical solutions in the embodiments of the present application, the technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
As shown in Fig. 1, a stealth gateway design method supporting multi-factor identity authentication includes the following steps:
step 1, installing a zero-trust client on a user terminal in the local area network; the zero-trust client perceives and scores the security posture of the terminal in real time, and the terminal is treated as a legitimately authenticated, trusted terminal only when the score exceeds a set threshold;
step 2, enabling the firewall on the stealth gateway by default, configuring iptables with a default-deny policy, and discarding all incoming packets;
step 3, running the single-packet authorization script on the stealth gateway to start the SPA service, and monitoring the authentication result in real time;
step 4, on a trusted terminal that has the zero-trust client installed, starting the client, encrypting a single UDP datagram and sending it to the designated port of the stealth gateway as the port-knocking request;
step 5, the server receives the datagram on that port, decrypts it and verifies the decrypted packet;
step 6, performing multi-factor authentication on the user identity information, IP address and geographic location carried in the decrypted packet, and deciding whether the user is legitimate;
step 7, after a legitimate user passes verification, authorizing the user's access by configuring an iptables policy that lets the user through and specifies the scope of services the user may reach; at this point the SPA script of the stealth gateway reports a successful single-packet authentication;
step 8, setting an access time window in the stealth gateway configuration file; a user who exceeds the window loses access;
and step 9, monitoring the user's access behaviour in real time and, if the behaviour is abnormal, intercepting the user a second time so that access cannot continue.
The specific process of step 1 is as follows:
a zero-trust client is installed on a user terminal in the local area network. The client senses the security posture of the terminal in real time, covering basic terminal security, system security, application-software compliance and the like, and produces a composite score; the terminal is treated as a legitimately authenticated, trusted terminal only when the score exceeds a set threshold s0. Every terminal without the zero-trust client is regarded as untrusted, and access requests initiated from an untrusted terminal are intercepted.
The scoring process is as follows:
the basic terminal security score comprises a Windows firewall state score s1 and an antivirus installation score s2. s1 is 2 when the Windows firewall is on and 0 when it is off; s2 is 2 when antivirus software is installed and 0 otherwise.
The system security score comprises a local identity-theft protection score s3, a password complexity score s4, an account lockout threshold score s5 and an account audit management score s6; each is set to 1 when the corresponding check passes and 0 otherwise.
The application-software compliance score comprises a Bluetooth state score s7 and a blacklisted-service score s8; each is set to 1 when the corresponding item is detected as enabled and 0 otherwise.
The composite score is s = s1 + s2 + ... + s8; when s > s0 the terminal is considered trusted, otherwise it is considered untrusted.
The specific process of step 2 is as follows:
all incoming packets are discarded by default, which makes it impossible for an external user to reach any port inside the local area network, without blocking connections that are already established. In this state, with no user having knocked, the firewall discards all incoming UDP datagrams and the backend resources cannot be reached directly, i.e. the ports are closed to the external network.
The specific process of step 3 is as follows:
step 301, in the entry/app/script folder, run the start script to bring up the single-packet authorization service.
Step 302, monitor the single-packet authorization result in real time. An empty monitoring result means that no result has been observed; the fwknopd log line "Starting fwknopd main event loop" shows that the service is up and listening for SPA packets.
The specific process of step 4 is as follows:
step 401, the zero-trust client generates a client message whose fields are: a 16-byte random number, device fingerprint, timestamp, version number, hardware feature code, message type, identity information and geographic location;
step 402, the fields are combined according to fixed rules and transcoded, and a digest is computed over them to form the plaintext to be encrypted;
step 403, the plaintext is encrypted with a key. The order of operations is encrypt-then-authenticate, so that a forged or modified ciphertext is rejected before decryption and cryptanalytic attacks on the ciphertext are avoided.
Step 404, the zero-trust client program triggers the port-knocking action and sends the message to the port designated by the stealth gateway server.
The specific process of step 5 is as follows:
step 501, before the firewall with the default-drop policy is deployed, the key generated by the client is transferred to the server with ssh or another secure tool. The keys are stored in the /etc/fwknop/access.conf file and consist mainly of KEY_BASE64 and HMAC_KEY_BASE64.
Step 502, the packet sniffer on the stealth gateway captures UDP datagrams addressed to the designated port in real time via pcap.
Step 503, the stealth gateway decrypts the datagram with the key and then identifies the captured UDP message.
The specific process of step 6 is as follows:
step 601, the plaintext is Base64-decoded; after decoding, the 16-byte random number, timestamp, hardware feature code, message type, identity information and geographic location are extracted according to the corresponding rules, the plaintext is parsed, and detailed information about the terminal device and the user is obtained.
Step 602, the plaintext and the digest are split according to the rules; the digest is recomputed over the plaintext and compared with the carried digest; if they differ, the inner information may have been tampered with and the message is discarded; if they match, the next step is executed.
Step 603, multi-factor authentication is performed on the IP address, timestamp, password information and the other fields of the message to decide whether the user is legitimate. Specifically, when the user applies for access the password and the one-time password are verified, and after they pass, the user's access time and location are checked against the configured range (the default access window is 08:00 to 17:00 and the default location is Shijiazhuang city). If both are within range the user is considered legitimate, otherwise the user is considered illegitimate.
The specific process of step 7 is as follows:
step 701, once the user's identity is confirmed legitimate, the user is authorized and the range of services the user may access is determined.
Step 702, the first rule of the INPUT chain of the stealth gateway's iptables is a jump to the FWKNOP_INPUT chain, which holds the temporary admission rules; because this jump is the first rule in INPUT, incoming packets from the legitimate user match the temporary rule in FWKNOP_INPUT and are accepted.
Step 703, at this point the single-packet authorization listening script of the stealth gateway is checked for the success message.
The specific process of step 8 is as follows:
once the time limit (default 30 s) is exceeded, the temporary rules are deleted automatically and the stealth gateway returns to the closed state for all externally visible ports.
The specific process of step 9 is as follows:
the visitor's access behaviour is monitored in real time; if it is abnormal and the real-time score falls below the threshold (default 80), the user is intercepted a second time and the access is blocked.
To verify the effect of the gateway described above, the following procedure may be performed:
during the access process, with no zero-trust client installed, an illegitimate user terminal (a Kali virtual machine) scans the ports of the stealth gateway with the command nmap 172.16.1.3. The scan finds 0 open ports, which shows that the stealth gateway hides its ports from illegitimate users, i.e. gateway stealth is achieved. (Note that nmap without -p- scans only the 1000 most common TCP ports; a full-range check is nmap -p- 172.16.1.3, and since fwknopd never replies on its UDP port, that port does not show as open either.)
The following is a more specific example:
as shown in Fig. 1, a stealth gateway design method supporting multi-factor identity authentication includes the following steps:
step 1, installing a zero-trust client on the host with IP 172.16.1.22; the zero-trust client senses and scores the security posture of the user's computer in real time, and the terminal is treated as a legitimately authenticated, trusted terminal only when the score exceeds a set threshold.
Step 2, enabling the firewall by default on the stealth gateway with IP 172.16.1.3, configuring iptables with a default-deny policy, and discarding all incoming packets.
Step 3, running the single-packet authorization script on the stealth gateway to start the SPA service, and monitoring the authentication result in real time.
Step 4, on the trusted user terminal that has the zero-trust client installed, starting the client, encrypting a single UDP datagram and sending it to the designated port of the server (port 62235) as the port-knocking request.
Step 5, the server receives the datagram on port 62235, decrypts it and verifies the decrypted packet.
Step 6, performing multi-factor authentication on the user identity information, IP address, geographic location and the other fields carried in the decrypted packet, and deciding whether the user is legitimate.
Step 7, after a legitimate user passes verification, authorizing the user's access by configuring an iptables policy that lets the user through and specifies the scope of services the user may reach. At this point the SPA script of the stealth gateway reports a successful single-packet authentication.
Step 8, setting an access time window in the stealth gateway configuration file; a user who exceeds the window loses access.
Step 9, monitoring the user's access behaviour in real time and, if the behaviour is abnormal, intercepting the user a second time so that access cannot continue.
The specific implementation process of step 1 is as follows:
any terminal without the zero-trust client is regarded as an untrusted terminal, and access requests initiated from an untrusted terminal are intercepted. The zero-trust client is installed on the host with IP 172.16.1.22; it senses the security posture of the user's computer in real time, covering basic terminal security, system security, application-software compliance and so on, and computes a composite score. The terminal is treated as a legitimately authenticated, trusted terminal only when the score exceeds the set threshold (default 80). Note that the weights listed for step 1 sum to at most 10, so the threshold and the composite score must be expressed on the same scale (for example by normalizing the composite score to 100) or no terminal can ever become trusted.
The specific implementation process of step 2 is as follows:
by default the server's firewall has a single rule for incoming traffic: all incoming packets are dropped, so an external user cannot reach any internal port and a port scanner finds every port closed. At the same time a separate chain, FWKNOP_INPUT, is added to the firewall to hold the admission rules that are later added and deleted dynamically. The specific commands are as follows:
iptables -A INPUT -p udp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# do not block an already established connection
iptables -A INPUT -p udp --dport 22 -j DROP
# drop all incoming udp connections by default
At this point, with no user having knocked, the firewall discards all incoming UDP datagrams and the backend resources cannot be reached directly, i.e. the port is closed to the external network. (As written, these two rules match only UDP port 22; SSH runs over TCP, so a deployment protecting SSH would use -p tcp, and a true default-deny policy for the whole chain is set with iptables -P INPUT DROP.)
The specific implementation process of step 3 is as follows:
step 301, in the entry/app/script folder, run the start script ./start-spa to bring up the single-packet authorization service.
Step 302, run the monitoring command tail -f ./nohup.out to watch the single-packet authorization result in real time.
The specific implementation process of step 4 is as follows:
step 401, the zero-trust client generates a client message. Its fields are: a 16-byte random number, device fingerprint, timestamp, version number, hardware feature code, message type, identity information, geographic location and a message digest (default algorithm SHA-256).
Step 402, the fields are combined according to fixed rules and transcoded, and the digest is computed over them to form the plaintext to be encrypted.
Step 403, the plaintext is encrypted with a key. The order of operations is encrypt-then-authenticate, so that a forged or modified ciphertext is rejected before decryption and cryptanalytic attacks on the ciphertext are avoided.
Step 404, the zero-trust client program triggers the port-knocking action and sends the message to the port designated by the stealth gateway server. The specific command is as follows:
fwknop -A udp/22 -a <client ip> -D <server ip> --key-gen --use-hmac --save-rc-stanza
(In fwknop, --key-gen together with --save-rc-stanza generates the Rijndael and HMAC keys and saves them as a stanza in the client's ~/.fwknoprc without sending anything; these are the KEY_BASE64 and HMAC_KEY_BASE64 values copied to the server in step 501. A later invocation that reads the saved stanza, fwknop -n <server ip>, is what actually sends the SPA packet.)
The specific implementation process of step 5 is as follows:
step 501, before the firewall with the default-drop policy is deployed, the key generated by the client is transferred to the server with ssh or another secure tool. The keys are stored in the /etc/fwknop/access.conf file and consist mainly of KEY_BASE64 and HMAC_KEY_BASE64.
Step 502, the packet sniffer on the stealth gateway captures UDP datagrams addressed to the designated port in real time via pcap.
Step 503, the stealth gateway decrypts the datagram with the key and then identifies the captured UDP message.
The specific implementation process of step 6 is as follows:
Step 601, BASE64-decode the message; after decoding, extract the 16-byte random number, timestamp, hardware feature code, message type, identity information and geographic location according to the corresponding rules, parse the plaintext, and obtain the detailed information of the terminal device and the user.
Step 602, split the plaintext and the digest according to the rules; compare the recomputed digest with the carried digest. If they differ, the inner-layer information may have been tampered with, and the message is discarded; if they match, the next step is performed.
Step 603, perform multi-factor authentication on the ip address, timestamp, password information and so on carried in the message, and judge whether the user is legitimate.
The specific implementation process of step 7 is as follows:
Step 701, after the user's identity is judged legitimate, perform access authorization for the user and determine the service range the user may access.
Step 702, the first rule of the INPUT chain of the stealth gateway's iptables is set to jump to the FWKNOP_INPUT chain, which records the temporary admission rules; since this chain is in the first position, incoming packets from a legitimate user match the temporary rules of the FWKNOP_INPUT chain and are therefore allowed through.
Step 703, at this time the single-packet authentication monitoring script of the stealth gateway is checked, and the line "SPA Packet from IP: 172.16.1.22 received with access source match" is displayed, indicating that authentication succeeded.
The specific implementation process of step 8 is as follows:
After the time limit (default 30 s) is exceeded, the temporary rules are deleted automatically and the stealth gateway returns to the "closed" state for all externally facing ports.
The specific implementation process of step 9 is as follows:
Different access rights are assigned according to the visitor's grade, achieving fine-grained access control based on least privilege. At the same time, the visitor's access behaviour is monitored in real time; if the behaviour is abnormal and the real-time score falls below the threshold (default 80), the user is intercepted a second time and the access process is blocked.
During the access process, all ports of the stealth gateway were scanned from an illegitimate user's terminal (a kali virtual machine) without the zero trust client installed, and 0 ports were found, proving that the stealth gateway achieves gateway stealth against illegitimate users.
A stealth gateway system supporting multi-factor identity authentication comprises a zero trust client, a stealth gateway and a service system.
The zero trust client is the sender of the message and generates single-packet authentication message information after dynamic encryption;
the stealth gateway is a message receiving party, extracts the required identity information after decrypting the message to carry out multi-factor authentication, and decides whether to allow access to the service system according to the authentication result;
the service system stores key information which needs to be accessed by the user, and legal users can access the appointed information of the service system after being authorized by the stealth gateway.
As shown in fig. 1, a stealth gateway design method supporting multi-factor identity authentication includes the following steps:
Step 1, install a zero trust client on the host with ip 172.16.1.22, sense and score the security state of the computer terminal in real time, and judge whether the terminal is a trusted terminal. The specific implementation process is as follows:
Install the zero trust client on the host with ip 172.16.1.22. The zero trust client senses the security state of the user's computer terminal in real time, including terminal basic security sensing, system security sensing, application software compliance sensing and the like, and produces a comprehensive score; only when the score exceeds the set threshold (default 80) is the user terminal regarded as a trusted terminal after legitimate authentication. Terminals without the zero trust client installed are regarded as untrusted terminals, and access applications initiated on untrusted terminals are intercepted.
Step 2, open the firewall by default on the stealth gateway with ip 172.16.1.3, configure a default access-rejection policy for the iptables firewall, and discard all incoming messages. The specific implementation process is as follows:
By default the server's firewall has only one inbound rule: discard all incoming packets, so that by default an external network user cannot access any internal port and a port scanning tool finds all ports in the closed state. At the same time a new chain FWKNOP_INPUT is added separately on the firewall for the subsequent dynamic addition and deletion of admission rules. The specific commands are as follows:
iptables -A INPUT -p udp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- do not block an already established communication connection
iptables -A INPUT -p udp --dport 22 -j DROP
- discard all udp connections by default
At this time, the firewall discards all incoming udp messages while no user has knocked, so the background resources cannot be accessed directly, i.e., the port is closed to the external network.
Step 3, enter the single-packet authentication script on the stealth gateway, start the single-packet authentication service, and monitor the authentication result in real time. The specific implementation process is as follows:
First enter the /app/script folder and run the start script to open the single-packet authentication service. Then run the monitoring script tail -f ./nohup.out to monitor the single-packet authentication result in real time.
Step 4, start the zero trust client on a trusted user terminal on which it is installed, encrypt a single UDP message, and send the encrypted UDP message to the designated port (port number 62235) of the server for the port knocking service. The specific implementation process is as follows:
The zero trust client generates a client message. The message information is combined according to the rules and transcoded, and the digest is then computed to form the plaintext information to be encrypted. The plaintext information is encrypted with a key. The zero trust client program is then started, which triggers the port knocking action and sends the message to the port designated by the stealth gateway server. The specific command is as follows:
fwknop -A udp/22 -a <client ip> -D <server ip> --key-gen --use-hmac --save-rc-stanza
Step 5, receive the message on port 62235 of the server, decrypt it, and verify the decrypted message. The specific implementation process is as follows:
Before deploying the firewall with the default drop policy, the client-generated keys, mainly KEY_BASE64 and HMAC_KEY_BASE64, are sent to the server's /etc/fwknop/access.conf file with ssh or another secure tool. The Ethernet detector of the stealth gateway captures the UDP message on the designated port in real time by PCAP packet capture. The stealth gateway then decrypts the message with the key and is responsible for identifying and processing the captured UDP message.
Step 6, perform multi-factor authentication on the user identity information, ip address and other information in the decrypted message, and judge whether the user is legitimate. The specific implementation process is as follows:
BASE64-decode the message; after decoding, extract the 16-byte random number, timestamp, hardware feature code, message type, identity information and geographic location according to the corresponding rules, parse the plaintext, and obtain the detailed information of the terminal device and the user. Compare the recomputed digest with the carried digest; if they differ, the inner-layer information may have been tampered with and the message is discarded; if they match, multi-factor authentication is performed to judge whether the user is legitimate. First, when the user applies for access, the password and the dynamic password are verified; after verification passes, it is checked whether the user's access time and location information lie within the set range (the default normal access time is 8:00-17:00, and the default access location is Shijia). If the user's access time and location information are normal, the user is regarded as a legitimate user; otherwise the user is regarded as an illegitimate user.
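As an added illustration (not code from the patent or from fwknop), the following Python models the message flow of steps 4 to 6: the client combines the listed fields, appends a SHA-256 digest, encrypts and then HMACs the result; the gateway verifies the HMAC before decrypting, checks the digest, rejects a reused random number, and only then applies the password, dynamic password, IP, time-window and location factors. The cipher (an HMAC-SHA256 keystream standing in for the unnamed one), the field layout, the user store, the location value and the 60 s freshness window are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime

# Constructed keys standing in for KEY_BASE64 / HMAC_KEY_BASE64 in access.conf.
KEY = b"constructed-encryption-key-for-the-example"
HMAC_KEY = b"constructed-hmac-key-for-the-example"
# Hypothetical user store: username -> (static password, current dynamic password).
USERS = {"alice": ("correct-horse", "483921")}
SEEN_NONCES = set()      # 16-byte random numbers already accepted (replay check)
ACCESS_HOURS = (8, 17)   # page default: normal access time 8:00-17:00
ALLOWED_GEO = "site-A"   # constructed stand-in for the configured access location
MAX_SKEW = 60            # assumed timestamp freshness window in seconds (not from the page)

def demo_clock(hour, minute=0):
    """Fixed wall clock for the demo so results do not depend on the real time."""
    return datetime(2023, 3, 22, hour, minute)

def _keystream(key, iv, n):
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (not fwknop's cipher)."""
    blocks = (hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def build_spa(user, password, otp, allow_ip, geo, now, nonce=None):
    """Client side (step 4): combine fields, append SHA-256 digest, encrypt, then HMAC."""
    nonce = nonce or secrets.token_bytes(16)
    fields = [nonce.hex(), "fp-constructed", str(int(now.timestamp())), "1.0",
              "hw-constructed", "access", f"{user}:{password}:{otp}", allow_ip, geo]
    plaintext = "|".join(fields)
    body = f"{plaintext}|{hashlib.sha256(plaintext.encode()).hexdigest()}".encode()
    ct = _xor(body, _keystream(KEY, nonce, len(body)))
    tag = hmac.new(HMAC_KEY, nonce + ct, hashlib.sha256).digest()  # encrypt-then-authenticate
    return base64.b64encode(nonce + ct + tag).decode()

def tamper(packet, index=20):
    """Flip one ciphertext byte, to show that the HMAC check rejects it before decryption."""
    raw = bytearray(base64.b64decode(packet))
    raw[index] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()

def verify_spa(packet, src_ip, now):
    """Gateway side (steps 5 and 6). Returns (accepted, reason)."""
    try:
        raw = base64.b64decode(packet, validate=True)
    except ValueError:
        return False, "bad-base64"
    if len(raw) < 16 + 32:
        return False, "too-short"
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    # Authenticate before decrypting: an unauthenticated packet never reaches the cipher.
    if not hmac.compare_digest(tag, hmac.new(HMAC_KEY, nonce + ct, hashlib.sha256).digest()):
        return False, "bad-hmac"
    body = _xor(ct, _keystream(KEY, nonce, len(ct))).decode(errors="replace")
    plaintext, _, digest = body.rpartition("|")
    if hashlib.sha256(plaintext.encode()).hexdigest() != digest:
        return False, "digest-mismatch"  # inner-layer information possibly tampered with
    parts = plaintext.split("|")
    if len(parts) != 9 or not parts[2].isdigit():
        return False, "bad-format"
    rnd, _fp, ts, _ver, _hw, _type, ident, allow_ip, geo = parts
    if rnd != nonce.hex() or rnd in SEEN_NONCES:
        return False, "replay"
    SEEN_NONCES.add(rnd)  # burn the random number even if a later factor fails
    if abs(now.timestamp() - int(ts)) > MAX_SKEW:
        return False, "stale-timestamp"
    if allow_ip != src_ip:
        return False, "ip-mismatch"
    user, _, cred = ident.partition(":")
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(cred, ":".join(stored)):
        return False, "bad-credentials"
    if not (ACCESS_HOURS[0] <= now.hour < ACCESS_HOURS[1]):
        return False, "outside-access-hours"
    if geo != ALLOWED_GEO:
        return False, "bad-location"
    return True, "ok"
```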
Step 7, after the legitimate user passes verification, perform access authorization for the user, configure the iptables firewall policy to let the legitimate user through, and designate the user's service access range. At this time the single-packet authentication script of the stealth gateway can observe the successful result of the single-packet authentication. The specific implementation process is as follows:
After the user's identity is judged legitimate, perform access authorization for the user and determine the service range the user may access. The first rule of the INPUT chain of the stealth gateway's iptables is set to jump to the FWKNOP_INPUT chain, which records the temporary admission rules. Then check the single-packet authentication monitoring script of the stealth gateway.
Step 8, set the access time interval in the stealth gateway configuration file; if the user exceeds the access time range, the access right is lost.
Step 9, monitor the user's access behaviour in real time; if the access behaviour is abnormal, the stealth gateway intercepts the user a second time to prevent continued access. The specific implementation process is as follows:
The temporary rules are deleted automatically after the default 30 s: after single-packet authentication succeeds, the stealth gateway is observed to return to the "closed" state for all external ports after 30 s, so the user cannot keep accessing the service system. The visitor's access behaviour is monitored in real time; if it is abnormal and the real-time score falls below the threshold (default 80), the user is intercepted a second time and the access process is blocked.
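As an added example (not the patent's or fwknop's code), a small Python model of the firewall layout in steps 2, 7 and 8: FWKNOP_INPUT is evaluated first, established connections are exempted by the conntrack rule, everything else is dropped, and temporary admission rules expire after 30 s. It is a simulation only; it never calls iptables, and matching temporary rules on (source IP, port) is an assumption.

```python
from dataclasses import dataclass, field

ACCEPT, DROP = "ACCEPT", "DROP"
RULE_TTL = 30  # page default: temporary admission rules live 30 s

@dataclass
class Packet:
    src: str
    dport: int
    established: bool = False  # conntrack state ESTABLISHED/RELATED

@dataclass
class Gateway:
    now: float = 0.0
    # FWKNOP_INPUT contents, modelled as (source ip, port) -> expiry time (assumption)
    fwknop_input: dict = field(default_factory=dict)

    def authorize(self, src, dport):
        """Step 7: after SPA succeeds, add a temporary admission rule for this user."""
        self.fwknop_input[(src, dport)] = self.now + RULE_TTL

    def tick(self, seconds):
        """Step 8: advance the clock; rules past their lifetime are deleted."""
        self.now += seconds
        self.fwknop_input = {k: exp for k, exp in self.fwknop_input.items() if exp > self.now}

    def input_chain(self, pkt):
        # Rule 1 of INPUT jumps to FWKNOP_INPUT, so temporary admissions are tried first.
        if self.fwknop_input.get((pkt.src, pkt.dport), float("-inf")) > self.now:
            return ACCEPT
        # Rule 2: do not block a communication connection that is already established.
        if pkt.established:
            return ACCEPT
        # Rule 3: drop everything else, so a port scan from outside sees nothing open.
        return DROP

def open_ports(gw, src, ports):
    """What an nmap-style probe from `src` observes: the ports that answer."""
    return [p for p in ports if gw.input_chain(Packet(src, p)) == ACCEPT]
```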
During the access process, all ports of the stealth gateway are scanned from an illegitimate user's terminal (a kali virtual machine) without the zero trust client installed, and the network stealth effect is checked; see figure 2 for details. The specific implementation process is as follows:
Open a terminal in the kali virtual machine and enter the port scan command nmap 172.16.1.3; the scan returns 0 results.
In short, the invention takes software-defined perimeter (SDP) technology as its core: it dynamically authorizes user access initiated from authenticated devices, blocks user access initiated from unauthenticated devices, and forwards the access requests of legitimate users through the stealth gateway only after multi-factor identity authentication based on password, dynamic password, IP address and the like. Compared with traditional VPNs, firewalls and the like, the stealth gateway can effectively reduce the network attack surface, achieve multi-factor authentication and perimeter stealth, and improve the security of the overall data.
On the premise that the device has the zero trust client installed, the invention can monitor the terminal's security environment in real time, thereby ensuring the trustworthiness of the device. The stealth gateway supports SSL/TLS encrypted tunnels, offers rich and varied identity authentication modes, supports multi-factor authentication in at least 5 dimensions such as password, digital certificate, dynamic password, time and IP address, and secures the system to the greatest extent. Compared with traditional network protection methods, it can significantly reduce the network exposure surface and realize all-round, multi-factor authentication and access control.

Claims (10)

1. A stealth gateway design method supporting multi-factor identity authentication is characterized by comprising the following steps:
step 1, installing a zero trust client on a user terminal in a local area network, wherein the zero trust client perceives and scores the security state of the user terminal in real time, and the user terminal is regarded as a trusted terminal after legitimate authentication only when the score exceeds a set threshold value;
step 2, opening a firewall by default on the stealth gateway, setting the iptables firewall configuration as a default access refusing strategy, and discarding all incoming messages;
step 3, starting a single-packet authentication service on the stealth gateway, and monitoring an authentication result in real time;
step 4, starting the zero trust client on the trusted client provided with the zero trust client, encrypting a single UDP message, and then sending the encrypted single UDP message to a designated port of the stealth gateway for port knocking service;
step 5, the port of the server receives the message, decrypts the message, and verifies the decrypted data packet;
step 6, performing multi-factor authentication on the user identity information, the ip address and the geographic position information in the decrypted data packet, and judging whether the user is legal or not;
step 7, after the legal user passes the verification, carrying out access authorization on the user, configuring an iptables firewall policy, allowing the legal user to pass, and designating the service access range of the user; at this time, the single-packet authentication service of the stealth gateway monitors the successful result of the single-packet authentication;
step 8, setting access time intervals in the stealth gateway configuration file, and if the user exceeds the access time range, losing access rights;
step 9, monitoring the access behavior of the user in real time, and if the access behavior is abnormal, performing secondary interception on the user by the stealth gateway to prevent the user from continuing to access.
2. The stealth gateway design method supporting multi-factor identity authentication according to claim 1, wherein the specific process of step 1 is as follows:
installing a zero trust client on a user terminal in a local area network, wherein the zero trust client senses the security state of the user terminal in real time, including terminal basic security sensing, system security sensing and application software compliance sensing, and computes a comprehensive score, and the user terminal is regarded as a trusted terminal after legitimate authentication only when the score exceeds a set threshold s0; a terminal without the zero trust client installed is regarded as an untrusted terminal, and access applications initiated on the untrusted terminal are intercepted;
the specific way of comprehensive scoring is as follows:
the terminal basic security perception score comprises: windows firewall on-state perceived score s1, antivirus software installation perceived score s2; s1 is set to 2 when the Windows firewall is turned on, and s1 is set to 0 when the Windows firewall is turned off; s2 is set to 2 after the anti-virus software is installed, otherwise, is set to 0;
the system security awareness score includes: a local identity theft prevention perception score s3, a password complexity perception score s4, an account locking threshold perception score s5, and an account auditing management perception score s6; if the corresponding service is started, setting the corresponding score as 1, otherwise, setting the score as 0;
the application software compliance awareness scoring includes: a Bluetooth start perception score s7 and a blacklist service perception score s8, if the corresponding service is started, the corresponding score is set to be 1, otherwise, the corresponding score is set to be 0;
the composite score result is s = s1 + s2 + ... + s8; when s > s0, the terminal is considered a trusted terminal, otherwise it is considered an untrusted terminal.
3. The stealth gateway design method supporting multi-factor identity authentication according to claim 2, wherein the specific process of step 2 is as follows:
all incoming data packets are discarded by default, so that an external network user cannot access any port in the local area network by default, but already established communication connections are not blocked; in this case, the firewall discards all incoming udp messages by default while no user has knocked, and the background resources cannot be accessed directly, i.e. the port is closed to the external network.
4. The stealth gateway design method supporting multi-factor identity authentication according to claim 3, wherein the specific process of step 3 is as follows:
step 301, starting a single-packet authentication service;
step 302, monitoring the single-packet authentication result in real time; if the monitoring result is empty, this indicates that no single-packet authentication result has been observed, otherwise it demonstrates that the single-packet authentication result was successfully monitored.
5. The stealth gateway design method supporting multi-factor identity authentication according to claim 4, wherein the specific process of step 4 is as follows:
in step 401, the zero trust client generates a client message, where the message information includes: 16 byte random number, device fingerprint, timestamp, version number, hardware feature code, message type, identity information, geographic location;
step 402, combining the message information according to rules and transcoding, and then performing abstract calculation to form plaintext information to be encrypted;
step 403, encrypting the plaintext information by a secret key, wherein the sequence of the operations is that encryption is performed before authentication so as to avoid the problem of password analysis;
step 404, starting a zero trust client program, triggering a port knocking action, and sending the message to a port designated well by the stealth gateway server.
6. The stealth gateway design method supporting multi-factor identity authentication according to claim 5, wherein the specific process of step 5 is as follows:
step 501, before deploying a firewall with a default discard policy, sending the keys generated by the client to the server using ssh or another secure tool; the keys are stored in the /etc/fwknop/access.conf file and include KEY_BASE64 and HMAC_KEY_BASE64;
step 502, an ethernet detector of the stealth gateway acquires a UDP message of a designated port in real time in a PCAP packet capturing manner;
in step 503, the stealth gateway decrypts the message by using the key, and then is responsible for identifying the grabbed UDP message.
7. The stealth gateway design method supporting multi-factor identity authentication according to claim 6, wherein the specific process of step 6 is as follows:
step 601, BASE64 decoding is performed on the message; after decoding, a 16-byte random number, timestamp, hardware feature code, message type, identity information and geographic location are extracted according to the corresponding rules, the plaintext is parsed, and the detailed information of the terminal device and the user is obtained;
step 602, the plaintext and the digest are split according to the rules; the digest of the plaintext is computed and compared with the carried digest; if they differ, the inner-layer information may have been tampered with and the message is discarded; if they match, the next step is executed;
step 603, when the user applies for access, the password and the dynamic password are verified, and after verification passes it is checked whether the user's access time and location information are within the set range; if the user's access time and location information are normal, the user is regarded as a legitimate user, otherwise as an illegitimate user.
8. The stealth gateway design method supporting multi-factor identity authentication according to claim 7, wherein the specific process of step 7 is as follows:
step 701, after the identity of the user is legal, carrying out access authorization on the user, and determining the service range accessible to the user;
step 702, setting the first rule of the INPUT chain of the stealth gateway's iptables to jump to the FWKNOP_INPUT chain, which is used to record temporary admission rules; because this chain is in the first position of INPUT, incoming packets from a legitimate user match the temporary rule of the FWKNOP_INPUT chain and are therefore allowed through; at this time, the single-packet authentication service of the stealth gateway observes the result that the single-packet authentication succeeded.
9. The stealth gateway design method supporting multi-factor identity authentication according to claim 8, wherein the specific process of step 8 is as follows:
after 30 s, the temporary rules are deleted automatically, and the stealth gateway returns to the "closed" state for all externally facing ports.
10. The stealth gateway design method supporting multi-factor identity authentication according to claim 9, wherein the specific process of step 9 is as follows:
and monitoring the access behaviors of the visitor in real time, and if the access behaviors are abnormal and the real-time score is lower than a threshold value, performing secondary interception on the user to block the access process.
CN202310284003.1A 2023-03-22 2023-03-22 Stealth gateway design method supporting multi-factor identity authentication Pending CN116321136A (en)

Publications (1)

Publication Number Publication Date
CN116321136A true CN116321136A (en) 2023-06-23

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117478428A (en) * 2023-12-26 2024-01-30 北京英迪瑞讯网络科技有限公司 Stealth communication system and configuration method
CN117478428B (en) * 2023-12-26 2024-03-19 北京英迪瑞讯网络科技有限公司 Stealth communication system and configuration method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination