CN116455646A - SPA data transmission method and system based on zero trust - Google Patents

SPA data transmission method and system based on zero trust

Info

Publication number
CN116455646A
Application number
CN202310444928.8A
Authority
CN (China)
Prior art keywords
spa, server, data packet, client, proxy
Legal status
Pending
Other languages
Chinese (zh)
Inventors
陈本峰, 毕宝刚
Current Assignee
Huzhou Xisai Digital Security Research Institute
Original Assignee
Huzhou Xisai Digital Security Research Institute
Priority date
2023-04-20
Filing date
2023-04-20
Publication date
2023-07-18

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/56 Provisioning of proxy services

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses an SPA data transmission method and system based on zero trust. In the method, an SPA data packet is first sent to a randomly selected proxy server among the plurality of proxy servers corresponding to the acquired single-packet authorization request; the proxy server performs a validity judgment after acquiring the SPA data packet and, when the judgment passes, parses the SPA data packet and obtains the SPA server identifier it carries; finally, the proxy server determines the SPA server address from the parsed SPA server identifier and transmits the SPA data packet according to that address. The method protects not only the resources behind the SPA server but also the SPA server itself, thereby improving the security of data transmission.

Description

SPA data transmission method and system based on zero trust
Technical Field
The invention relates to the technical field of communication, in particular to an SPA data transmission method and system based on zero trust.
Background
Single Packet Authorization (SPA) aims to mitigate the problems caused by application vulnerabilities, and its approach is to hide enterprise resources: for a data packet sent by the client, the corresponding port is opened only after authentication passes.
Current zero-trust SPA schemes are implemented as follows: the client sends SPA data packets directly to the SPA-Server; the SPA-Server unpacks the data and invokes a back-end authentication and authorization mechanism to make the decision, which completes the service cycle of one data packet.
The prior art can hide the resources behind the SPA-Server, but the SPA-Server itself is exposed. When data is transmitted to the SPA-Server, if the source IP and destination IP in the UDP (or TCP) data packet are both in clear text, the SPA-Server's information is leaked, and this is a weakness that a potential attacker can readily exploit. If an attacker intercepts a client data packet, the IP address of the SPA-Server can be extracted from the protocol fields of the layer-4 data packet (in terms of the OSI seven-layer model), and a DDoS attack can then be mounted against the SPA-Server.
Disclosure of Invention
Based on the above, embodiments of the application provide an SPA data transmission method and system based on zero trust, which protect not only the resources behind the SPA-Server but also the SPA-Server itself; a DDoS attacker cannot see the SPA-Server, so an attack on the SPA-Server cannot be formed.
In a first aspect, a method for transmitting SPA data based on zero trust is provided, where the method includes:
the client sends an SPA data packet to a randomly selected proxy server among a plurality of proxy servers corresponding to the client according to the acquired single-packet authorization request, wherein the SPA data packet at least comprises an SPA server identifier;
the proxy server performs a validity judgment after acquiring the SPA data packet, and when the validity judgment passes, parses the SPA data packet and acquires the SPA server identifier in the SPA data packet;
and the proxy server determines an SPA server address according to the parsed SPA server identifier, and transmits the SPA data packet according to the SPA server address.
Optionally, the proxy server performs the validity judgment after acquiring the SPA data packet, and when the validity judgment fails, the method includes:
discarding the SPA data packet, and stopping the current SPA data transmission flow.
Optionally, the proxy server determining the SPA server address according to the parsed SPA server identifier includes:
determining the SPA server address according to a pre-established identification address configuration table, which comprises the mapping relations between SPA server identifiers and SPA server addresses.
Optionally, before the proxy server performs the validity judgment after acquiring the SPA data packet, the method further includes:
judging, according to the data packet, whether the client is authorized to access the proxy server;
and if so, receiving the SPA data packet sent by the client.
Optionally, after judging, according to the data packet, whether the client is authorized to access the proxy server, the method further includes:
and if not, refusing to receive the SPA data packet sent by the client.
In a second aspect, a SPA data transmission system based on zero trust is provided, the system comprising:
the client sends an SPA data packet to a randomly selected proxy server among a plurality of proxy servers corresponding to the client according to the acquired single-packet authorization request, wherein the SPA data packet at least comprises an SPA server identifier;
the proxy server is used to judge the legitimacy of the SPA data packet after acquiring it, to parse the SPA data packet and acquire the SPA server identifier in it when the legitimacy judgment passes, to determine an SPA server address according to the parsed SPA server identifier, and to transmit the SPA data packet according to the SPA server address.
Optionally, the proxy server performs the validity judgment after acquiring the SPA data packet, and when the validity judgment fails, the system includes:
discarding the SPA data packet, and stopping the current SPA data transmission flow.
Optionally, the proxy server determining the SPA server address according to the parsed SPA server identifier includes:
determining the SPA server address according to a pre-established identification address configuration table, which comprises the mapping relations between SPA server identifiers and SPA server addresses.
Optionally, before the proxy server performs the validity judgment after acquiring the SPA data packet, the system further includes:
judging, according to the data packet, whether the client is authorized to access the proxy server;
and if so, receiving the SPA data packet sent by the client.
Optionally, after judging, according to the data packet, whether the client is authorized to access the proxy server, the system further includes:
and if not, refusing to receive the SPA data packet sent by the client.
According to the technical scheme provided by the embodiment of the application, a client sends an SPA data packet to a random proxy server in a plurality of proxy servers corresponding to the client according to the acquired single-packet authorization request; the proxy server performs validity judgment after acquiring the SPA data packet, and when the validity judgment passes, analyzes the SPA data packet and acquires an SPA server identifier in the SPA data packet; and the proxy server determines an SPA server address according to the SPA server identification obtained by analysis, and transmits SPA data packets according to the SPA server address.
It can be seen that the beneficial effects brought by the technical scheme provided by the embodiment of the application at least include the following: by adopting the SPA super-stealth technique, not only the resources behind the SPA-Server but also the SPA-Server itself are protected; a DDoS attacker cannot see the SPA-Server, so an attack on the SPA-Server cannot be formed.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It will be apparent to those skilled in the art from this disclosure that the drawings described below are merely exemplary and that other embodiments may be derived from the drawings provided without undue effort.
Fig. 1 is a flow chart of SPA data transmission based on zero trust provided in an embodiment of the present application;
Fig. 2 is a diagram of an SPA data transmission architecture based on zero trust according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
In the description of the present invention, the terms "comprises," "comprising," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements but may include other steps or elements not expressly listed but inherent to such process, method, article, or apparatus or steps or elements added based on further optimization of the inventive concept.
The terms appearing are first described in this application:
Zero trust: zero trust is a new generation of network security protection concept. It is characterized by breaking default 'trust', and in a popular phrase is summarized as 'never trust, continuously verify'. No person, device or system inside or outside the enterprise network is trusted by default; the trust basis for access control is rebuilt on identity authentication and authorization, thereby ensuring identity trust, device trust, application trust and link trust. Based on the zero trust principle, three kinds of 'security' of the office system can be ensured: terminal security, link security and access control security.
SPA: Single Packet Authorization. The name emphasizes authorization, but in fact authentication is the core of single packet authorization, so SPA may also be called Single Packet Authentication.
Proxy: a proxy refers to proxy software or a proxy server, and may also be regarded as a network access mode. A proxy class performs, on behalf of the original object, the operations that the object does not want to or cannot perform itself. The Proxy here (SPA-Proxy) provides exactly the same interface (attributes and methods) as the remote object (SPA-Server).
SPA aims to mitigate the problems caused by application vulnerabilities, and its idea is to hide enterprise resources. For a data packet sent by the client, the corresponding port is opened only after authentication passes (according to the settings of the policy management system).
When data is transmitted to the SPA-Server, if the transmission is implemented over UDP (TCP and UDP are implemented with different approaches; this embodiment takes only UDP as an example), the source IP and destination IP in the data packet are both in clear text, so the SPA-Server's information is revealed, which is a weakness that potential attackers can readily exploit, for example to mount a DDoS attack on the SPA-Server.
The invention aims to thoroughly solve the stealth problem in the zero trust scheme: the protected resources are made stealthy through SPA, and the application further solves the stealth problem of the SPA itself, namely 'super stealth'.
Specifically, referring to Fig. 1, which is a flowchart of an SPA data transmission method based on zero trust according to an embodiment of the present application, the method may include the following steps:
Step 101, the client sends an SPA data packet to a randomly selected proxy server among a plurality of proxy servers corresponding to the client according to the acquired single-packet authorization request.
The SPA data packet at least comprises an SPA Server identifier (SPA-Server-ID).
Step 102, the proxy server performs a validity judgment after acquiring the SPA data packet, and when the validity judgment passes, parses the SPA data packet and acquires the SPA server identifier in it.
In an alternative embodiment of the present application, after the proxy server (i.e., the SPA-Proxy) acquires the SPA data packet, a validity judgment is performed; when the validity judgment fails, the SPA data packet is discarded and the current SPA data transmission flow is stopped.
Before this step, the proxy server further judges, according to the data packet, whether the client is authorized to access the proxy server; if yes, it receives the SPA data packet sent by the client; if not, it refuses to receive the SPA data packet sent by the client.
Step 103, the proxy server determines the SPA server address according to the parsed SPA server identifier, and transmits the SPA data packet according to the SPA server address.
In this embodiment, the SPA Server address (SPA-Server-IP) is determined according to a pre-established identification address configuration table, which comprises the mapping relations between SPA server identifiers and SPA server addresses.
Existing zero trust SPA schemes are implemented as follows: the client transmits SPA data packets directly to the SPA-Server; the SPA-Server unpacks the data and invokes a back-end authentication and authorization mechanism to make the decision, which completes the service cycle of one data packet. In the prior art, although the resources behind the SPA-Server can be hidden, the SPA-Server itself is exposed to the outside.
In the present application, as shown in Fig. 2, a plurality of SPA-Proxies are set up between the client and the SPA-Server; the client is provided with a built-in SPA-Proxy list, and each SPA-Proxy embeds an SPA-Server list.
The data flow is then as follows:
1. The client holds the SPA-Proxy list and randomly selects one SPA-Proxy to which it sends the SPA data packet (which contains the SPA-Server-ID, the obfuscated form of the SPA-Server).
2. After the SPA-Proxy receives the data packet, it judges its validity; if the packet is illegal it is discarded directly, which protects the SPA-Server. If it is legal data, the SPA-Server-ID is taken out of the SPA data packet.
3. The built-in SPA-Server-ID configuration table is queried, and the legal data packet is forwarded to the SPA-Server.
In summary, the present application protects the SPA-Server by means of the SPA-Proxy (the front-end SPA-Proxy completely conceals the SPA-Server, which is invisible to the attacker).
The SPA-Proxy embeds the mapping relation between SPA-Server-ID and SPA-Server-IP (even if an attacker intercepts a data packet, the attacker does not know the mapping relation between SPA-Server-ID and SPA-Server, so the attacker cannot directly attack the SPA-Proxy).
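The three-step method of Fig. 1 (steps 101 to 103) and the data flow of items 1 to 3 above, modelled in Python as an added example; this is not code from the patent or its applicant. The patent does not specify how the proxy's validity judgment works or how the SPA-Server-ID is encoded, so the packet layout (`client_id|server_id|timestamp|nonce|hmac`), the HMAC-SHA256 check, the 30-second freshness window and the replay cache are assumptions chosen for the illustration, and the client key, proxy addresses and identification-address table are constructed sample values.

```python
"""Model of the SPA-Proxy data flow (steps 101-103 / flow items 1-3).
Added example, not the patent's code.  Packet layout, HMAC check, freshness
window and replay cache are assumptions; keys and addresses are constructed."""
import hashlib
import hmac
import os
import random
import time
from typing import Dict, List, Optional, Set, Tuple

MAX_SKEW_SECONDS = 30  # freshness window for the packet timestamp (assumption)


def build_spa_packet(client_id: str, client_key: bytes, server_id: str,
                     now: Optional[float] = None,
                     nonce: Optional[bytes] = None) -> bytes:
    """Client side (step 101): build an SPA packet carrying the SPA-Server-ID.

    Assumed layout: client_id|server_id|timestamp|nonce|hmac_sha256_hex.
    server_id is an opaque token; the client never learns the SPA-Server-IP.
    """
    ts = str(int(time.time() if now is None else now))
    nonce_hex = (os.urandom(8) if nonce is None else nonce).hex()
    body = "|".join([client_id, server_id, ts, nonce_hex]).encode()
    tag = hmac.new(client_key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


def choose_proxy(proxy_list: List[str],
                 rng: Optional[random.Random] = None) -> str:
    """Step 101: the client picks one SPA-Proxy at random from its built-in list."""
    return (rng or random.SystemRandom()).choice(proxy_list)


class SpaProxy:
    """SPA-Proxy (steps 102-103): authorizes the client, validates the packet,
    parses the SPA-Server-ID and maps it to an address via the built-in table."""

    def __init__(self, authorized_clients: Dict[str, bytes],
                 id_table: Dict[str, Tuple[str, int]]):
        self.authorized_clients = authorized_clients   # client_id -> shared key
        self.id_table = id_table                        # SPA-Server-ID -> (ip, port)
        self.seen_nonces: Set[Tuple[str, str]] = set()  # replay cache (assumption)

    def handle(self, packet: bytes, now: Optional[float] = None):
        """Return ("forward", (ip, port), packet) or ("drop", reason)."""
        now = time.time() if now is None else now
        parts = packet.decode(errors="replace").split("|")
        if len(parts) != 5:
            return ("drop", "malformed")
        client_id, server_id, ts, nonce_hex, tag = parts

        # Pre-check: is this client authorized to talk to the proxy at all?
        key = self.authorized_clients.get(client_id)
        if key is None:
            return ("drop", "client not authorized")

        # Validity judgment: authentic (HMAC), fresh (timestamp), not replayed.
        body = "|".join([client_id, server_id, ts, nonce_hex]).encode()
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return ("drop", "bad hmac")
        try:
            if abs(now - int(ts)) > MAX_SKEW_SECONDS:
                return ("drop", "stale")
        except ValueError:
            return ("drop", "malformed")
        if (client_id, nonce_hex) in self.seen_nonces:
            return ("drop", "replay")
        self.seen_nonces.add((client_id, nonce_hex))

        # Step 103: resolve the SPA-Server-ID through the identification-address
        # configuration table; an unknown ID is dropped rather than guessed.
        addr = self.id_table.get(server_id)
        if addr is None:
            return ("drop", "unknown SPA-Server-ID")
        return ("forward", addr, packet)


# Constructed sample deployment: one client, three proxies, two hidden servers.
CLIENT_KEY = b"constructed-shared-key-for-client-A"
PROXY_LIST = ["198.51.100.11", "198.51.100.12", "198.51.100.13"]  # documentation range
ID_TABLE = {"srv-7f3a": ("10.20.0.5", 62201), "srv-b901": ("10.20.0.6", 62201)}
proxy = SpaProxy({"client-A": CLIENT_KEY}, ID_TABLE)


def demo(now: float = 1_700_000_000.0) -> Tuple[str, str, str]:
    """Run the three-step flow once; returns (chosen proxy, decision, detail)."""
    target = choose_proxy(PROXY_LIST, random.Random(7))
    pkt = build_spa_packet("client-A", CLIENT_KEY, "srv-7f3a", now, nonce=b"\x00" * 8)
    verdict = proxy.handle(pkt, now)
    detail = verdict[1] if verdict[0] == "drop" else f"{verdict[1][0]}:{verdict[1][1]}"
    return (target, verdict[0], detail)


if __name__ == "__main__":
    print(demo())
```

Only the proxy holds the identification-address table, so a captured packet reveals an opaque SPA-Server-ID and the proxy's address, never the SPA-Server-IP. Every failing check ends with a drop before any table lookup, which is the "discard the packet and stop the flow" branch of step 102; the replay cache and freshness window are the additions a practitioner would want on top of the bare validity judgment the text describes.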
The embodiment of the application also provides an SPA data transmission system based on zero trust. The system comprises:
a client, which sends an SPA data packet to a randomly selected proxy server among a plurality of proxy servers corresponding to the client according to the acquired single-packet authorization request, the SPA data packet at least comprising an SPA server identifier;
a proxy server, which judges the legitimacy of the SPA data packet after acquiring it, parses the SPA data packet and acquires the SPA server identifier in it when the legitimacy judgment passes, determines the SPA server address according to the parsed SPA server identifier, and transmits the SPA data packet according to the SPA server address.
In an alternative embodiment of the present application, after the proxy server acquires the SPA packet, a validity judgment is performed, and when the validity judgment fails the system discards the SPA data packet and stops the current SPA data transmission flow.
In an alternative embodiment of the present application, the proxy server determines the SPA server address according to the parsed SPA server identifier by means of a pre-established identification address configuration table, which comprises the mapping relations between SPA server identifiers and SPA server addresses.
In an alternative embodiment of the present application, before the proxy server performs the validity judgment after acquiring the SPA data packet, the system further judges, according to the data packet, whether the client is authorized to access the proxy server, and if so receives the SPA data packet sent by the client.
In an alternative embodiment of the present application, if the client is not authorized, the system refuses to receive the SPA data packet sent by the client.
The SPA data transmission system based on zero trust provided in the embodiments of the present application is used to implement the above-mentioned SPA data transmission method based on zero trust, and specific limitation regarding the SPA data transmission system based on zero trust may be referred to the limitation regarding the SPA data transmission method based on zero trust, which is not described herein. The various parts of the zero trust based SPA data transmission system described above may be implemented in whole or in part in software, hardware, and combinations thereof. The above modules may be embedded in hardware or independent of a processor in the device, or may be stored in software in a memory in the device, so that the processor may call and execute operations corresponding to the above modules.
The technical features of the above-described embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above-described embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples only represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the claims. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application is to be determined by the claims appended hereto.

Claims (10)

1. An SPA data transmission method based on zero trust, the method comprising:
the client sends an SPA data packet to a random proxy server in a plurality of proxy servers corresponding to the client according to the acquired single-packet authorization request; wherein the SPA data packet at least comprises an SPA server identifier;
the proxy server performs validity judgment after acquiring the SPA data packet, and when the validity judgment passes, analyzes the SPA data packet and acquires an SPA server identifier in the SPA data packet;
and the proxy server determines an SPA server address according to the SPA server identification obtained by analysis, and transmits SPA data packets according to the SPA server address.
2. The SPA data transmission method according to claim 1, wherein the proxy server performs a validity determination after acquiring the SPA data packet, and when the validity determination fails, the method includes:
discarding the SPA data packet, and stopping the current SPA data transmission flow.
3. The SPA data transmission method according to claim 1, wherein the proxy server determining the SPA server address from the parsed SPA server identifier includes:
determining an SPA server address according to a pre-established identification address configuration table; the identification address configuration table comprises the mapping relations between SPA server identifications and SPA server addresses.
4. The SPA data transmission method according to claim 1, wherein the proxy server performs a validity determination after obtaining the SPA data packet, the method further comprising:
judging whether the client is authorized to access the proxy server according to the data packet;
and if so, receiving the SPA data packet sent by the client.
5. The SPA data transmission method of claim 4, wherein determining from the data packet whether the client is authorized to access the proxy server further comprises:
and if not, refusing to receive the SPA data packet sent by the client.
6. A zero trust based SPA data transmission system, the system comprising:
the client sends an SPA data packet to a random proxy server in a plurality of proxy servers corresponding to the client according to the acquired single-packet authorization request; wherein the SPA data packet at least comprises an SPA server identifier;
the proxy server is used for judging the legitimacy after acquiring the SPA data packet, and analyzing the SPA data packet and acquiring an SPA server identifier in the SPA data packet when the legitimacy judgment passes; and determining an SPA server address according to the SPA server identification obtained by analysis, and transmitting SPA data packets according to the SPA server address.
7. The SPA data transmission system according to claim 6, wherein the proxy server performs a validity determination after acquiring the SPA data packet, and wherein the system includes:
discarding the SPA data packet, and stopping the current SPA data transmission flow.
8. The SPA data transmission system according to claim 6, wherein the proxy server determining the SPA server address from the parsed SPA server identification includes:
determining an SPA server address according to a pre-established identification address configuration table; the identification address configuration table comprises the mapping relations between SPA server identifications and SPA server addresses.
9. The SPA data transmission system according to claim 6, wherein the proxy server is configured to perform a validity determination after the SPA data packet is acquired, the system further comprising:
judging whether the client is authorized to access the proxy server according to the data packet;
and if so, receiving the SPA data packet sent by the client.
10. The SPA data transmission system according to claim 9, wherein the determination of whether the client is authorized to access the proxy server is based on the data packet, the system further comprising:
and if not, refusing to receive the SPA data packet sent by the client.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310444928.8A CN116455646A (en) 2023-04-20 2023-04-20 SPA data transmission method and system based on zero trust

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310444928.8A CN116455646A (en) 2023-04-20 2023-04-20 SPA data transmission method and system based on zero trust

Publications (1)

Publication Number Publication Date
CN116455646A true CN116455646A (en) 2023-07-18

Family

ID=87121791

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310444928.8A Pending CN116455646A (en) 2023-04-20 2023-04-20 SPA data transmission method and system based on zero trust

Country Status (1)

Country Link
CN (1) CN116455646A (en)

Similar Documents

Publication Publication Date Title
CN108471432B (en) Method for preventing network application program interface from being attacked maliciously
US7472414B2 (en) Method of processing data traffic at a firewall
CN108429730B (en) Non-feedback safety authentication and access control method
US8745723B2 (en) System and method for providing unified transport and security protocols
US11539695B2 (en) Secure controlled access to protected resources
US20110107410A1 (en) Methods, systems, and computer program products for controlling server access using an authentication server
EP3442195B1 (en) Reliable and secure parsing of packets
CN113904826B (en) Data transmission method, device, equipment and storage medium
US20200267189A1 (en) Lawful interception security
CN114726513A (en) Data transmission method, apparatus, medium, and product
US20110154469A1 (en) Methods, systems, and computer program products for access control services using source port filtering
CN116633562A (en) Network zero trust security interaction method and system based on WireGuard
CN116455646A (en) SPA data transmission method and system based on zero trust
US10079857B2 (en) Method of slowing down a communication in a network
KR20170084778A (en) System for Protecting Server using Authenticated Server Relay Server, and Method there of
CN113242249B (en) Session control method and device
CN114745138B (en) Equipment authentication method, device, control platform and storage medium
Belbachir et al. Involved Security Solution in Voice over IP Networks
CN115733618A (en) Access control method based on single-packet authorization mechanism and cipher machine
Leon et al. Comparison between safety and efficient security of the ARP protocol
CN117061140A (en) Penetration defense method and related device
CN117439739A (en) Interface request safety protection method and system
Kasslin et al. Replay attack on Kerberos V and SMB
CN116489125A (en) Method and system for realizing network stealth fusion domain name resolution service
CN117319080A (en) Mobile terminal for isolating secret communication and communication method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination