CN116668558B - Method and system for implementing dynamic access control for UDP protocol flow - Google Patents


Info

Publication number: CN116668558B
Authority: CN (China)
Application number: CN202310495803.8A
Other languages: Chinese (zh)
Other versions: CN116668558A (en)
Inventors: 李玥琦, 崔华俊, 张棪, 杨慧然, 张亚文, 王伟平
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS
Legal status: Active (as listed by Google Patents, not a legal conclusion)
Events: application filed by Institute of Information Engineering of CAS; priority to CN202310495803.8A; publication of CN116668558A; application granted; publication of CN116668558B.

Classifications

    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L69/329 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure relates to a method and system for implementing dynamic access control for UDP protocol traffic. The method runs on the dynamic access control gateway and comprises: receiving a tunnel packet and stripping the SSL VPN tunnel encapsulation from it to obtain the inner packet; obtaining the packet's four-tuple and transport-layer protocol type, and rewriting the IP address and port in the four-tuple according to that protocol type; and, for a packet carried over UDP, performing application-layer parsing on it and deciding, together with the dynamic access control policy, whether to proxy it to the server. The invention realizes dynamic access control of UDP protocol traffic without replacing the existing dynamic access control flow and without modifying the application client.

Description

Method and system for implementing dynamic access control for UDP protocol flow
Technical Field
The invention belongs to the technical field of communications and in particular relates to a method and system for implementing dynamic access control for UDP protocol traffic.
Background
Existing dynamic access control is mainly deployed in mobile office scenarios, where most of the traffic is TCP and HTTP, so existing dynamic access control schemes were designed from the outset to control TCP and HTTP traffic and did not consider controlling UDP-based traffic.
The basic idea of dynamic access control is that when an application client (the "application client") requests a server resource, the dynamic access control client (the "control client") captures the request from a virtual network interface on the terminal and sends it through an SSL VPN tunnel to the dynamic access control gateway (the "control gateway"); the control gateway parses the request and decides, according to the policy of the access control policy center (the "policy center"), whether to release it, thereby dynamically controlling the application client's traffic.
Classified by the granularity of the controlled object, existing dynamic access control falls into two categories:
1) Transport-layer dynamic access control, which operates on the four-tuple (source address, destination address, source port, destination port) of a TCP or UDP flow. After receiving a control client's request, the control gateway first strips the SSL VPN tunnel encapsulation, parses the application client's request up to the transport layer to obtain its four-tuple, and then, combined with the policy center's security policy, decides whether to forward the request to the target address and port. At this granularity the control gateway can only decide whether a request reaches a given address and port; it cannot distinguish between different requests to the same address and port.
2) Application-layer dynamic access control, which parses HTTP over TCP and, in addition to the four-tuple, uses HTTP request fields (e.g. URL, Host) for access control. After receiving a control client's request, the control gateway strips the SSL VPN tunnel encapsulation, parses the HTTP request up to the application layer to obtain the request line, the request headers and the request body, and then, combined with the policy center's security policy, decides whether to send the request to the server resource as a proxy. Compared with transport-layer control, application-layer control additionally parses the HTTP protocol information on top of the four-tuple, and so can apply finer-grained access control to different requests to the same target address and port.
FIG. 1 shows the block diagram of a typical prior-art dynamic access control system. The client comprises an application client and a control client: the application client issues access requests; the control client establishes a secure channel for traffic transmission, namely an SSL VPN tunnel, with the control server, captures the application client's requests on the terminal and transmits them to the control gateway through the tunnel.
The control gateway consists of a control server, a forwarding module and a parsing proxy module. The control server strips the SSL VPN tunnel encapsulation; the forwarding module parses the application client's request up to the transport layer, obtains its four-tuple and, combined with the policy center's security policy, decides whether to forward it to the target address and port (transport-layer dynamic access control); the parsing proxy module parses HTTP over TCP to obtain the HTTP request information and, combined with the security policy, decides whether to send the request to the server resource as a proxy (application-layer dynamic access control).
1) Forwarding module: taking iptables on Linux as an example, it drives the kernel's netfilter module to provide rules for processing and forwarding packets arriving at a network interface, and handles and forwards packets according to those predefined rules;
2) Parsing proxy module: taking HTTP and the reverse proxy Nginx as an example, it parses HTTP as a web server, sends the request to the server resource as a proxy, and returns the server resource's response to the client.
The basic flow of the existing scheme is as follows:
1) When the application client requests a server resource, the terminal operating system sends the packet to the TUN interface according to the routing table;
2) The control client listens on the TUN interface, reads the application client's access request, and sends it through the SSL VPN tunnel, over the physical interface, to the control gateway's external interface;
3) The control gateway listens on its external interface and reads the SSL VPN tunnel packets; the control server strips the SSL VPN tunnel encapsulation to obtain the application client's request, which is sent to the gateway's TUN interface according to the routing table;
4) The forwarding module of the control gateway listens on the TUN interface, reads the packet, and parses the application client's request up to the transport layer to obtain its four-tuple;
5) The forwarding module generates forwarding rules from the policy center's security policy, decides whether to forward the request to the target address and port, modifies the packet according to the forwarding rules and forwards it, which realizes transport-layer dynamic access control;
6) If the packet is TCP, the forwarding module forwards it to the parsing proxy module, which parses HTTP over TCP and decides, from the parsing result and the policy center's security policy, whether to send the request to the server resource as a proxy, which realizes application-layer dynamic access control;
7) The control gateway returns the server resource's response to the control client through the SSL VPN tunnel established by the control server;
8) The control client listens on the TUN interface, reads the packet and decapsulates it to obtain the packet whose destination address and port are the application client's, i.e. the server resource's reply, and delivers it to the application client through the operating system protocol stack according to the operating system routing table.
However, the existing dynamic access control system cannot perform application-layer control of UDP-based application-layer protocols in its parsing proxy module:
1) In terms of application scenarios, dynamic access control has mainly been used for mobile office, where most traffic is TCP or HTTP, so existing schemes only considered control of TCP and HTTP traffic at design time and did not consider fine-grained control of UDP traffic;
2) In terms of technology, existing schemes control TCP and HTTP traffic mainly through proxy technology such as Nginx or its derivatives, which does not provide application-layer control of UDP traffic.
As the range of applications of dynamic access control keeps expanding, there are now situations in which UDP-based application-layer traffic must be controlled, and the existing solution cannot do so.
Disclosure of Invention
In view of these problems, the invention provides a method and system for implementing dynamic access control of UDP protocol traffic, which extends the existing dynamic access control scheme and implements application-layer dynamic access control of UDP traffic.
To this end, the technical scheme of the invention comprises:
A method for implementing dynamic access control of UDP protocol traffic, for use in a dynamic access control gateway, the method comprising:
receiving a tunnel packet and stripping the SSL VPN tunnel encapsulation from it to obtain the inner packet; the tunnel packet is produced by a control client from an application client's request to access a server resource;
obtaining the four-tuple and transport-layer protocol type of the packet, and rewriting the IP address and port in the four-tuple according to the transport-layer protocol type, where the transport-layer protocol type is TCP or UDP;
when the transport-layer protocol type is TCP, the HTTP parsing/proxy module obtains the packet on the basis of the rewritten four-tuple, parses its HTTP, and sends the access request to the server resource according to the HTTP parsing result, the four-tuple and the policy center's security policy;
and when the transport-layer protocol type is UDP, the UDP parsing/proxy module obtains the packet on the basis of the rewritten four-tuple, performs application-layer parsing on it, and sends the access request to the server resource according to the UDP protocol parsing result, the four-tuple, the application-layer parsing result and the policy center's security policy.
Further, the tunnel packet being produced by the control client from the application client's request to access a server resource comprises:
binding the control client to the client TUN interface and configuring a routing table in the operating system, whose entries route traffic from any application client to the client TUN interface;
when an application client initiates a request for a server resource, the packet corresponding to the request is sent to the client TUN interface through the operating system protocol stack according to the routing table entry;
after the control client reads the packet corresponding to the request, it encapsulates it in the SSL VPN tunnel format on the basis of the SSL VPN tunnel it has established with the control server for traffic transmission.
Further, obtaining the four-tuple and transport-layer protocol type of the packet and rewriting the IP address and port in the four-tuple according to the transport-layer protocol type comprises:
obtaining the resource configuration information of the server resources, comprising the resource type, the corresponding IP address and the port number;
adding forwarding rules according to the resource configuration information, the rules sending UDP-based packets to the UDP parsing/proxy module and TCP-based packets to the HTTP parsing/proxy module;
obtaining the source IP, destination IP and transport-layer protocol type of the request from the IP header, and the source port and destination port from the transport-layer protocol header;
rewriting the destination IP and destination port according to the transport-layer protocol type, so that UDP-based packets are sent to the UDP parsing/proxy module and TCP-based packets to the HTTP parsing/proxy module.
Further, obtaining the packet on the basis of the rewritten four-tuple and performing application-layer parsing on it comprises:
restoring the complete UDP datagram according to the length field in the UDP header;
determining, from the complete UDP datagram, the application-layer protocol type it carries;
parsing the packet according to that application-layer protocol type to obtain the UDP protocol parsing result, which comprises the packet's four-tuple, the transport-layer protocol type, the application-layer protocol type and the contents of the application-layer fields.
Further, determining the application-layer protocol type carried by the complete UDP datagram comprises:
determining the application-layer protocol type from the port number;
or:
after obtaining the data payload of the packet, traversing the application-layer protocol components;
and determining the corresponding application-layer protocol type from the format and rules of the payload.
Further, sending the access request to the server resource according to the UDP protocol parsing result, the four-tuple, the application-layer parsing result and the policy center's security policy comprises:
obtaining the resource configuration information of the server resources, comprising the resource type, the corresponding IP address and the port number;
adding reverse proxy rules according to the resource configuration information, which configure through which port of the proxy server an application client's access request to a given server resource must pass;
comparing the UDP protocol parsing result, the four-tuple and the application-layer parsing result against the policy center's security policy, and deciding whether access to the server resource is allowed;
if access to the server resource is allowed, generating the access request by replacing the source IP and source port in the four-tuple with the values configured in the reverse proxy rule, and sending it to the server resource;
and if access to the server resource is not allowed, returning "access not allowed" to the application client.
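As an added illustration of the UDP parsing/proxy steps above (restoring the datagram from the UDP length field, identifying the application-layer protocol by port number or by traversing the protocol components, parsing it, and taking the policy decision together with the reverse proxy rule), the following Python is example code written for this page, not the patent's own implementation. The DNS and CoAP parsers, the rule format, the server resource addresses, the reverse-proxy source addresses and the two sample datagrams are all constructed assumptions.

```python
import struct
from collections import namedtuple

def udp_datagram(seg: bytes):
    """Split a UDP segment by its own length field: bytes past the declared length
    (e.g. link-layer padding) are dropped; a declared length longer than what
    actually arrived is rejected as truncated instead of being parsed."""
    if len(seg) < 8:
        raise ValueError("short UDP header")
    sport, dport, length, _ = struct.unpack("!HHHH", seg[:8])
    if length < 8 or length > len(seg):
        raise ValueError("UDP length %d but %d bytes received" % (length, len(seg)))
    return sport, dport, seg[8:length]

def parse_dns(p: bytes) -> dict:
    """Single-question DNS query; compression pointers in QNAME are rejected."""
    txid, flags, qd = struct.unpack("!HHH", p[:6])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question query")
    labels, i = [], 12
    while p[i]:
        n = p[i]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(p[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    qtype, qclass = struct.unpack("!HH", p[i + 1:i + 5])
    return {"txid": txid, "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}

def _coap_ext(v: int, p: bytes, i: int):   # option delta/length extensions, RFC 7252 s3.1
    if v == 13:
        return 13 + p[i], i + 1
    if v == 14:
        return 269 + struct.unpack("!H", p[i:i + 2])[0], i + 2
    return v, i

def parse_coap(p: bytes) -> dict:
    """CoAP request header plus its Uri-Path options (option number 11)."""
    if p[0] >> 6 != 1:
        raise ValueError("not CoAP version 1")
    i, num, path = 4 + (p[0] & 0x0F), 0, []        # skip header and token
    while i < len(p) and p[i] != 0xFF:              # 0xFF marks the payload
        b, i = p[i], i + 1
        delta, i = _coap_ext(b >> 4, p, i)
        length, i = _coap_ext(b & 0x0F, p, i)
        num += delta
        if num == 11:
            path.append(p[i:i + length].decode("utf-8"))
        i += length
    return {"method": {1: "GET", 2: "POST", 3: "PUT", 4: "DELETE"}.get(p[1], p[1]),
            "mid": struct.unpack("!H", p[2:4])[0], "uri_path": "/" + "/".join(path)}

# Protocol components: (payload detector, parser). Another UDP protocol is one more entry.
REGISTRY = {
    "DNS": (lambda p: len(p) >= 12 and not p[2] & 0x80 and p[4:6] == b"\x00\x01", parse_dns),
    "CoAP": (lambda p: len(p) >= 4 and p[0] >> 6 == 1, parse_coap),
}
PORT_HINTS = {53: "DNS", 5683: "CoAP"}

def identify(dport: int, payload: bytes):
    """Port number first (confirmed by the detector), otherwise traverse every component."""
    hint = PORT_HINTS.get(dport)
    if hint and REGISTRY[hint][0](payload):
        return hint
    return next((n for n, (det, _) in REGISTRY.items() if det(payload)), None)

# Assumed policy-centre rules (app, server resource, predicate) and reverse-proxy source addresses.
POLICY = [
    ("DNS", ("10.1.1.53", 53), lambda f: f["qname"].endswith(".corp.example")),
    ("CoAP", ("10.1.1.83", 5683), lambda f: f["method"] == "GET" and f["uri_path"].startswith("/sensors/")),
]
REVERSE_PROXY = {("10.1.1.53", 53): ("10.0.0.3", 40053), ("10.1.1.83", 5683): ("10.0.0.3", 45683)}
Decision = namedtuple("Decision", "allow reason app fields upstream", defaults=(None, None, None))

def decide(src_ip: str, dst_ip: str, seg: bytes, policy=POLICY) -> Decision:
    """Default deny: allow only when a rule matches the app protocol, the resource and the fields."""
    try:
        sport, dport, payload = udp_datagram(seg)
    except ValueError as e:
        return Decision(False, "malformed: %s" % e)
    app = identify(dport, payload)
    if app is None:
        return Decision(False, "unknown application protocol")
    try:
        fields = REGISTRY[app][1](payload)
    except (ValueError, IndexError, struct.error, UnicodeDecodeError) as e:
        return Decision(False, "parse error: %s" % e, app)
    fields.update(src_ip=src_ip, src_port=sport, dst_ip=dst_ip, dst_port=dport)
    for rule_app, resource, allow_if in policy:
        if rule_app == app and resource == (dst_ip, dport) and allow_if(fields):
            return Decision(True, "matched rule", app, fields, (REVERSE_PROXY[resource], resource))
    return Decision(False, "no allow rule", app, fields)

def dns_query_segment(name: str, sport: int = 40000, dport: int = 53) -> bytes:
    """Constructed UDP segment carrying an A query (checksum 0 = absent, legal over IPv4)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    payload = struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
# Constructed CoAP CON GET /sensors/temp (message id 0x1234) inside a UDP segment.
COAP_GET = b"\x40\x01\x12\x34\xb7sensors\x04temp"
COAP_SEGMENT = struct.pack("!HHHH", 40001, 5683, 8 + len(COAP_GET), 0) + COAP_GET
```

The decision is default-deny: an unknown protocol, a datagram whose declared UDP length exceeds what arrived, a parse failure, and a packet with no matching rule are all refused before any bytes reach the server resource, and an allowed request is returned with the proxy's configured source address in place of the client's, as the reverse proxy rule requires. Identification by port number alone is not trusted: the port hint is confirmed by the payload detector, and a DNS query sent to a non-standard port is still recognised as DNS by traversing the components.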
Further, the method further comprises:
the HTTP parsing/proxy module or the UDP parsing/proxy module obtaining the resource information returned by the server resource;
and sending the resource information to the control client through the SSL VPN tunnel, so that the control client delivers it to the application client through the operating system protocol stack according to the operating system routing table.
A dynamic access control gateway, comprising:
a control server for receiving a tunnel packet and stripping the SSL VPN tunnel encapsulation from it to obtain the inner packet, the tunnel packet being produced by a control client from an application client's request to access a server resource;
a traffic distribution module for obtaining the four-tuple and transport-layer protocol type (TCP or UDP) of the packet and rewriting the IP address and port in the four-tuple according to that type;
an HTTP parsing/proxy module for, when the transport-layer protocol type is TCP, obtaining the packet on the basis of the rewritten four-tuple, parsing its HTTP, and sending the access request to the server resource according to the HTTP parsing result, the four-tuple and the policy center's security policy;
and a UDP parsing/proxy module for, when the transport-layer protocol type is UDP, obtaining the packet on the basis of the rewritten four-tuple, performing application-layer parsing on it, and sending the access request to the server resource according to the UDP protocol parsing result, the four-tuple, the application-layer parsing result and the policy center's security policy.
A computer readable storage medium having stored thereon computer program instructions which, when executed, implement any of the methods described above.
A system for implementing dynamic access control of UDP protocol traffic, the system comprising:
an application client for issuing a request to access a server resource;
a control client for producing a tunnel packet from the request to access the server resource;
a dynamic access control gateway for:
receiving the tunnel packet and stripping the SSL VPN tunnel encapsulation from it to obtain the inner packet;
obtaining the four-tuple and transport-layer protocol type (TCP or UDP) of the packet and rewriting the IP address and port in the four-tuple according to that type;
when the transport-layer protocol type is TCP, having the HTTP parsing/proxy module obtain the packet on the basis of the rewritten four-tuple, parse its HTTP, and send the access request to the server resource according to the HTTP parsing result, the four-tuple and the policy center's security policy;
and when the transport-layer protocol type is UDP, having the UDP parsing/proxy module obtain the packet on the basis of the rewritten four-tuple, perform application-layer parsing on it, and send the access request to the server resource according to the UDP parsing result, the four-tuple, the application-layer parsing result and the policy center's security policy;
and a server resource for providing the corresponding resource information in response to the access request.
Compared with the prior art, the invention has the following positive effects:
1) Based on the idea of route forwarding, the invention adds a traffic distribution module so that, after obtaining an application client's access request, the control gateway can forward it to the UDP parsing proxy module or to the HTTP parsing proxy module according to the request's protocol type.
2) The invention decouples the parsing proxy function: the UDP parsing proxy module is a functional module independent of the existing parsing proxy module, supports parsing and proxying of various UDP-based application-layer protocols such as DNS, CoAP and GOOSE, realizes application-layer dynamic access control of UDP traffic, and accepts parsing components for further UDP-based application-layer protocols, so it is extensible.
3) The traffic distribution module and the UDP parsing proxy module can be deployed independently, are flexibly applicable to various scenarios, and offer high extensibility.
Drawings
FIG. 1 is a block diagram of a typical prior-art dynamic access control system.
FIG. 2 is the overall architecture diagram of the invention.
FIG. 3 is a schematic diagram of packet modification by the traffic distribution module.
FIG. 4 is a schematic diagram of the UDP parsing proxy module.
FIG. 5 is a workflow diagram of the UDP parsing proxy module.
Detailed Description
To make the technical solution of the embodiments, and the objects, features and advantages of the invention, easier to understand, the technical core of the invention is described in further detail below with reference to the accompanying drawings. The specific embodiments described here are for illustration only and are not intended to limit the scope of the invention.
The basic idea of the invention is as follows: the control gateway's operating system routes packets destined for server resources to the TUN interface according to pre-configured routing table entries; the traffic distribution module listens on the TUN interface, reads the packets, parses them up to the transport layer, and forwards UDP traffic to the UDP parsing proxy module and HTTP traffic to the HTTP parsing proxy module according to each packet's protocol type; the UDP parsing proxy module parses the UDP-based packet at the application layer and decides, from the source and destination addresses, the source and destination ports, the application-layer protocol information of the packet and the policy center's security policy, whether to send the request to the server resource as a proxy, thereby realizing application-layer dynamic access control of UDP traffic.
Referring to FIG. 2, the service access flow of the method is as follows:
1) At system start-up, the control client starts the client's TUN interface (TUN interface 1), binds to it, and configures a routing table in the operating system that specifies which packets are routed to TUN interface 1;
2) When the application client requests a server resource, the client operating system sends the packet to TUN interface 1 through the protocol stack according to the routing table;
3) The control client listens on TUN interface 1, reads the application client's access request, establishes an SSL VPN tunnel for traffic transmission with the control server, and encapsulates the packet in the SSL VPN tunnel format;
4) The control client sends the encapsulated packet through the SSL VPN tunnel, over the physical interface, to the control gateway's external interface;
5) The control gateway reads the tunnel packet (packet 1) from its physical interface; the control server strips the SSL VPN tunnel encapsulation to obtain the decapsulated packet (packet 2), which is sent to the control gateway's TUN interface (TUN interface 2) according to the operating system routing table;
6) The traffic distribution module of the control gateway listens on TUN interface 2, reads packet 2, parses it up to the transport layer to obtain its four-tuple and transport-layer protocol type, and then forwards UDP traffic to the UDP parsing proxy module and HTTP traffic to the HTTP parsing proxy module according to that type;
7) The UDP parsing proxy module parses the packet at the application layer according to the format of the application-layer protocol carried over UDP, and decides, from the parsing result and the policy center's security policy, whether to send the request to the server resource as a proxy, realizing application-layer dynamic access control of UDP traffic;
8) If the control gateway does not allow the access, the UDP parsing proxy module returns "access not allowed", which is sent to the control client through the SSL VPN tunnel established by the control server;
9) If the control gateway allows the access, the UDP parsing proxy module establishes a connection with the server resource and sends the server resource's reply to the control client through the SSL VPN tunnel established by the control server;
10) The control client listens on TUN interface 1, reads the packet and decapsulates it to obtain the packet whose destination address and port are the application client's, i.e. the server resource's reply, and delivers it to the application client through the operating system protocol stack according to the operating system routing table.
In summary, the method adds the traffic distribution module and the UDP parsing proxy module to the prior-art architecture; the parsing proxy module originally responsible for HTTP traffic is left as it is and runs independently of the UDP parsing proxy module, and the traffic distribution module dispatches HTTP traffic and UDP traffic to their respective parsing proxy modules. The traffic distribution module and the UDP parsing proxy module are described in detail below.
Traffic distribution module
The traffic distribution module is the key module and carries the low-level traffic distribution and forwarding functions of the system. It matches packets against the destination address and destination port of the configured server resources, rewrites the destination IP and destination port of a matching packet to the IP and port of the parsing proxy module selected by transport-layer protocol type, and thereby forwards the packet to that parsing proxy module. It records the translation so that the corresponding source IP and source port translation can be applied to the packet returned by the server resource before it is forwarded to the client.
As shown in FIG. 3, the traffic distribution module identifies a packet's protocol type by parsing the IP header, whose protocol field indicates the transport protocol the packet uses: the value is 6 for TCP and 17 for UDP. In addition, the first 4 bytes of both the TCP and UDP headers considered by the invention are the source port and the destination port, so the traffic distribution module reads the 4 bytes immediately following the IP header to obtain the source and destination port. In summary, the invention decouples the forwarding function of the existing scheme into the traffic distribution module, a functional module independent of the existing forwarding module, which supports packet modification and forwarding, can be applied flexibly in various scenarios, and does not overturn the forwarding function of the existing scheme.
Based on the above, the workflow of the flow distribution module of the present invention may include:
(1) Before the control gateway is started, first configure on the management interface of the control gateway the resource types corresponding to the server resources (such as HTTP resources and UDP resources) together with their IP addresses and port numbers;
(2) The control gateway adds forwarding rules according to the server resource configuration information (the IP address, port number and similar information of each server resource);
(3) After the control gateway is started, the server-side resource configuration can be increased or decreased at any time, and the control gateway adds or deletes rules accordingly in response to the administrator's operations;
(4) When the control gateway sends data packet 2 to its TUN network card 2 according to the operating system routing table, the flow distribution module, which monitors TUN network card 2, reads data packet 2: the source IP, destination IP and transport layer protocol type of the request are obtained from the IP header, and the source port and destination port are obtained from the transport layer protocol header;
(5) The flow distribution module then matches this information against the configured rules, forwarding traffic that accesses a UDP resource to the UDP parsing proxy module and traffic that accesses an HTTP resource to the HTTP parsing proxy module;
(6) When a data packet returned by the server resource is received, its source address and source port are converted according to the corresponding rule, and the data packet is finally forwarded to the client.
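The flow distribution workflow above, as an added example that is not part of the patent's own implementation: it parses the IPv4 protocol field and the two port fields that follow the IP header, matches the destination against administrator-configured resource rules, re-addresses the packet to the parsing proxy module for that transport protocol, and records the translation so that the resource's reply can be given back its original source. The proxy endpoints, addresses, ports and rules are constructed values for the demonstration.

```python
import ipaddress
import struct

PROTO_TCP = 6    # value of the IP header protocol field for TCP
PROTO_UDP = 17   # value of the IP header protocol field for UDP

# Listening endpoints of the two parsing proxy modules (assumed values).
PROXY_ENDPOINT = {PROTO_TCP: ("10.0.0.1", 8080),    # HTTP parsing proxy module
                  PROTO_UDP: ("10.0.0.1", 5353)}    # UDP parsing proxy module

def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def parse_packet(pkt: bytes):
    """Return (proto, src_ip, dst_ip, src_port, dst_port, ihl) of an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]                            # "transport layer protocol type" field
    if proto not in PROXY_ENDPOINT or len(pkt) < ihl + 4:
        raise ValueError("unsupported or truncated transport header")
    src_ip = str(ipaddress.IPv4Address(pkt[12:16]))
    dst_ip = str(ipaddress.IPv4Address(pkt[16:20]))
    # Both TCP and UDP headers begin with the 16-bit source and destination ports,
    # so the 4 bytes right after the IP header give both ports for either protocol.
    src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return proto, src_ip, dst_ip, src_port, dst_port, ihl

def rewrite(pkt: bytes, ihl: int, proto: int, src=None, dst=None) -> bytes:
    """Rewrite the source and/or destination (ip, port); refresh IP and transport checksums."""
    buf = bytearray(pkt)
    if src:
        buf[12:16] = ipaddress.IPv4Address(src[0]).packed
        struct.pack_into("!H", buf, ihl, src[1])
    if dst:
        buf[16:20] = ipaddress.IPv4Address(dst[0]).packed
        struct.pack_into("!H", buf, ihl + 2, dst[1])
    struct.pack_into("!H", buf, 10, 0)
    struct.pack_into("!H", buf, 10, _csum(bytes(buf[:ihl])))
    coff = ihl + (16 if proto == PROTO_TCP else 6)   # transport checksum offset
    struct.pack_into("!H", buf, coff, 0)
    seg = bytes(buf[ihl:])
    pseudo = bytes(buf[12:20]) + bytes([0, proto]) + struct.pack("!H", len(seg))
    c = _csum(pseudo + seg)
    if proto == PROTO_UDP and c == 0:
        c = 0xFFFF                                # a zero UDP checksum means "none"
    struct.pack_into("!H", buf, coff, c)
    return bytes(buf)

def checksums_ok(pkt: bytes) -> bool:
    """True when both the IP header checksum and the transport checksum verify."""
    proto, _, _, _, _, ihl = parse_packet(pkt)
    seg = pkt[ihl:]
    pseudo = pkt[12:20] + bytes([0, proto]) + struct.pack("!H", len(seg))
    return _csum(pkt[:ihl]) == 0 and _csum(pseudo + seg) == 0

def make_packet(src_ip, dst_ip, proto, sport, dport, payload=b"") -> bytes:
    """Construct a minimal IPv4 + TCP/UDP packet (constructed test input only)."""
    if proto == PROTO_UDP:
        th = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:                                         # 20-byte TCP header, SYN, no options
        th = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ih = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(th) + len(payload), 0, 0, 64,
                     proto, 0, ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return rewrite(ih + th + payload, 20, proto)

class FlowDistributor:
    def __init__(self):
        self.rules = set()   # (resource_ip, resource_port, proto); editable while running
        self.nat = {}        # (proto, client_ip, client_port, proxy_ip, proxy_port) -> resource

    def add_rule(self, ip, port, proto):
        self.rules.add((ip, port, proto))

    def del_rule(self, ip, port, proto):
        self.rules.discard((ip, port, proto))

    def forward(self, pkt: bytes):
        """Client -> resource direction: re-address to the proxy module, or None if no rule."""
        proto, sip, dip, sport, dport, ihl = parse_packet(pkt)
        if (dip, dport, proto) not in self.rules:
            return None                           # not a configured server resource
        pip, pport = PROXY_ENDPOINT[proto]
        self.nat[(proto, sip, sport, pip, pport)] = (dip, dport)   # record the translation
        return rewrite(pkt, ihl, proto, dst=(pip, pport))

    def forward_return(self, pkt: bytes):
        """Proxy -> client direction: restore the resource's IP and port as the source."""
        proto, sip, dip, sport, dport, ihl = parse_packet(pkt)
        resource = self.nat.get((proto, dip, dport, sip, sport))
        if resource is None:
            return None
        return rewrite(pkt, ihl, proto, src=resource)
```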
2. UDP analysis proxy module
The UDP parsing proxy module of the method is divided into a parsing part and a proxy part.
1. Analysis part
The parsing part of the UDP parsing proxy module determines the packet length and parses the application layer data according to the application layer protocol type; its principle is shown in fig. 4. The parsing part integrates the parsing function for each specific UDP-based application layer protocol into the module in the form of a component, so parsing components can be added or removed according to the actual requirements of a specific application scenario, giving flexibility and extensibility. Specifically, when a data packet is forwarded to the module, the parsing part performs application layer parsing on it according to the application layer protocol type and the corresponding protocol format, and thereby obtains a parsing result.
2. Proxy part
The proxy part includes an authentication function: according to the parsing result of a data packet, it compares the data packet with the corresponding policy of the access control policy center to decide whether to proxy the data packet to the server resource. The proxy function is implemented with reverse proxy technology. A reverse proxy is a server located in front of one or more Web servers; when a reverse proxy is used and a client sends requests to a target server, the reverse proxy server intercepts the requests at the network edge, then itself sends the requests to the target server and receives the responses from the target server.
Specifically, the reverse proxy technique works as follows:
a. the client sends a request to the reverse proxy server; the request contains the IP address, port number and similar information of the server resource the client wants to access;
b. after receiving the request, the reverse proxy server forwards it to the real server according to the reverse proxy rules in its configuration file;
c. the reverse proxy server uses its own IP address as the source IP address to establish a connection to the IP address of the real server, that is, it connects to the real server using the reverse proxy server's IP address;
d. when the real server receives the request, it uses its own IP address as the source IP address of the connection with the IP address of the reverse proxy server, that is, the real server's IP address is used for the connection with the reverse proxy server;
e. the real server processes the request, generates a response and sends it to the reverse proxy server;
f. after receiving the real server's response, the reverse proxy server sends the response to the client from its own IP address, that is, it uses the reverse proxy server's IP address as the source IP address of the connection to the client's IP address.
Based on the above, the workflow of the UDP parsing proxy module of the present invention, as shown in fig. 5, may include:
(1) When a data packet is forwarded to the UDP parsing proxy module, the module first restores the complete UDP data packet from the UDP data stream according to the length information in the UDP header;
(2) The type of application layer protocol carried by the complete UDP data packet is determined from it; the module determines the application layer protocol type in two ways:
a. some application layer protocols usually use a fixed port number, so the module first determines the application layer protocol type from the port number and parses according to the characteristics of that application layer protocol;
b. if the application layer protocol type cannot be determined from the port number, the module traverses all of its application layer protocol components, attempting to parse the payload part of the UDP data packet with each, and determines the carried application layer protocol from the format and rules of the payload.
(3) After the data packet has been parsed according to the application layer protocol type, the parsing result (including the four-tuple information of the data packet, the transport layer protocol type, the application layer protocol type, the content of each application layer field, and so on) is passed to the proxy part of the UDP parsing proxy module.
(4) Before the control gateway is started, first configure on the management interface of the control gateway the resource types corresponding to the server resources (such as HTTP resources and UDP resources) together with their IP addresses and port numbers;
(5) The UDP parsing proxy module adds reverse proxy rules according to the server resource configuration information (the IP address, port number and similar information of each server resource), configuring that a client accesses a given server resource through a given port of the proxy server, so that the client can reach the server resource through the proxy server;
(6) After the UDP parsing proxy module obtains the parsing result of a data packet, it compares the parsing result with the corresponding policy of the access control policy center to decide whether to proxy the data packet to the server resource;
(7) If access is allowed, the UDP parsing proxy module modifies the source IP and source port of the request to the content configured in the reverse proxy rule according to the preset rule and establishes a connection with the server resource; after the server resource has processed the request and sent its response to the UDP parsing proxy module, the module finally returns the server's response to the client;
(8) If access is not allowed, the module directly returns "access not allowed" to the client.
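The UDP parsing proxy workflow above, as an added example that is not part of the patent's implementation: step (1) restores the datagram from the UDP length field, step (2) identifies the application-layer protocol first by port and then by probing each protocol component (minimal DNS and CoAP parsers stand in for the components), and the proxy part compares the parsing result with a policy and applies a reverse proxy rule, failing closed on anything it cannot parse or match. The Policy fields, the reverse proxy table and all addresses and ports are assumed values constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

def restore_udp(buf: bytes):
    """Step (1): (src_port, dst_port, payload) from the UDP length field, or None if inconsistent."""
    if len(buf) < 8:
        return None
    sport, dport, length, _ = struct.unpack("!HHHH", buf[:8])
    if length < 8 or length > len(buf):
        return None                      # shorter than the header, or more than what arrived
    return sport, dport, buf[8:length]   # bytes beyond `length` are not part of the datagram

# Step (2): application-layer protocol components (minimal DNS and CoAP parsers).
def parse_dns_query(payload: bytes):
    """Parse a DNS query header and its single question; None if the payload is not one."""
    if len(payload) < 12:
        return None
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qd != 1:        # QR bit set (a response) or not exactly one question
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        n, pos = payload[pos], pos + 1
        if n == 0:
            break
        if n > 63 or pos + n > len(payload):   # oversize label or compression pointer: reject
            return None
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"proto": "dns", "id": txid, "qname": ".".join(labels) + ".",
            "qtype": qtype, "qclass": qclass}

def parse_coap(payload: bytes):
    """Check the fixed 4-byte CoAP header (version 1, token length <= 8)."""
    if len(payload) < 4:
        return None
    ver, tkl = payload[0] >> 6, payload[0] & 0x0F
    if ver != 1 or tkl > 8 or len(payload) < 4 + tkl:
        return None
    code, mid = payload[1], struct.unpack("!H", payload[2:4])[0]
    return {"proto": "coap", "code": f"{code >> 5}.{code & 0x1F:02d}", "msg_id": mid}

COMPONENTS = {"dns": parse_dns_query, "coap": parse_coap}
WELL_KNOWN_PORTS = {53: "dns", 5683: "coap"}

def identify(dport: int, payload: bytes):
    """(2a) try the protocol implied by the port; (2b) otherwise probe every component."""
    name = WELL_KNOWN_PORTS.get(dport)
    if name and (result := COMPONENTS[name](payload)):
        return result
    for parser in COMPONENTS.values():
        if result := parser(payload):
            return result
    return None

# Proxy part: policy comparison (step 6) and reverse proxy rules (steps 5, 7, 8).
@dataclass
class Policy:
    client_ip: str
    resource: tuple                      # (ip, port) of the server resource
    proto: str
    allowed_zones: tuple = ()            # DNS only: query name must end with one of these
    allowed_qtypes: tuple = (1, 28)      # DNS only: A and AAAA by default

# Reverse proxy rules: server resource -> proxy-side (ip, port) used as the new source (assumed).
REVERSE_PROXY_RULES = {("192.168.1.10", 53): ("10.0.0.1", 40053),
                       ("192.168.1.30", 5683): ("10.0.0.1", 45683)}

def build_datagram(sport, dport, payload, length=None) -> bytes:
    """Construct a UDP datagram as test input; `length` overrides the header length field."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload) if length is None else length, 0) + payload

def decide(policies, client_ip, resource_ip, datagram):
    """Return ("allow", proxied_four_tuple, parsed) or ("deny", reason)."""
    restored = restore_udp(datagram)
    if restored is None:
        return "deny", "malformed UDP length"
    sport, dport, payload = restored
    parsed = identify(dport, payload)
    if parsed is None:
        return "deny", "unrecognised application-layer protocol"   # fail closed
    parsed["four_tuple"] = (client_ip, sport, resource_ip, dport)  # step (3) result
    for p in policies:
        if (p.client_ip, p.resource, p.proto) != (client_ip, (resource_ip, dport), parsed["proto"]):
            continue
        if p.proto == "dns" and (parsed["qtype"] not in p.allowed_qtypes
                                 or not any(parsed["qname"].endswith(z) for z in p.allowed_zones)):
            continue
        rule = REVERSE_PROXY_RULES.get(p.resource)
        if rule is None:
            return "deny", "no reverse proxy rule for resource"
        # Step (7): the request toward the resource carries the proxy's configured source.
        return "allow", (rule[0], rule[1], resource_ip, dport), parsed
    return "deny", "no matching policy"
```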
In summary, the dynamic access control method of the invention realizes application-layer-level dynamic access control of UDP-based application layer protocol traffic, and decouples the flow distribution and parsing proxy functions into two newly added modules, the flow distribution module and the UDP parsing proxy module. Integrating these two modules into the existing scheme realizes application-layer-level dynamic access control of UDP traffic without subverting the existing dynamic access control flow, so the normal operation of the original system functions is maintained.
The flow distribution module and the UDP parsing proxy module can be deployed independently, applied flexibly to various scenarios, and offer high extensibility, where:
(1) Flow distribution module: the invention adds a flow distribution module that supports modifying and forwarding data packets according to the transport layer protocol type, and forwarding rules can be added, deleted or modified flexibly while the system is running;
(2) UDP parsing proxy module: the invention functionally decouples the parsing proxy module of the original scheme into a parsing part and a proxy part, supports parsing and proxying of various UDP-based application layer protocols such as DNS, CoAP and GOOSE, realizes application-layer-level dynamic access control of UDP protocol traffic, and supports adding parsing components for other UDP-based application layer protocols; the module is independent of the HTTP parsing proxy module of the original scheme and can be configured independently without affecting the original functions of the system.
The above examples merely represent embodiments of the invention; they are described in some detail but are not to be construed as limiting the scope of the invention. It should be noted that those skilled in the art can make several variations and modifications without departing from the spirit of the invention, all of which fall within its scope. Accordingly, the scope of protection of the present patent should be determined by the appended claims.

Claims (7)

1. A method for implementing dynamic access control for UDP traffic, applied to a dynamic access control gateway, wherein the dynamic access control gateway includes an HTTP resolution proxy module and a UDP resolution proxy module, the method comprising:
receiving a tunnel data packet, and stripping the encapsulation of an SSL VPN tunnel from the tunnel data packet to obtain the data packet; the tunnel data packet is obtained by a control client based on a request of accessing a server resource sent by an application client;
acquiring four-tuple information and a transport layer protocol type of the data packet, and converting the IP and port in the four-tuple information based on the transport layer protocol type; wherein the transport layer protocol type includes the TCP protocol and the UDP protocol; and wherein the acquiring of the four-tuple information and the transport layer protocol type and the converting of the IP and port based on the transport layer protocol type include:
acquiring resource configuration information corresponding to server resources; wherein the resource configuration information includes: the resource type, the corresponding IP address and the port number;
adding a forwarding rule according to the resource configuration information; wherein the forwarding rule includes: transmitting the data packet based on the UDP protocol to a UDP analysis proxy module and transmitting the data packet based on the TCP protocol to an HTTP analysis proxy module;
Acquiring a source IP, a destination IP and a transport layer protocol type of the data packet request in an IP header, and acquiring a source port and a destination port of the data packet request in a transport layer protocol header;
based on the protocol type of the transmission layer, converting the destination IP and the destination port so that the data packet based on the UDP protocol is sent to the UDP analysis proxy module, and the data packet based on the TCP protocol is sent to the HTTP analysis proxy module;
when the transport layer protocol type is TCP, the HTTP analysis proxy module obtains the data packet based on the converted four-tuple information, performs HTTP analysis on it, and then sends an access request to the server resource by combining the HTTP analysis result, the four-tuple information and the security policy of the policy center;
when the transport layer protocol type is UDP, the UDP analysis proxy module obtains the data packet based on the converted four-tuple information, performs application layer analysis on it, and then sends an access request to the server resource by combining the UDP protocol analysis result, the four-tuple information, the application layer analysis result and the security policy of the policy center; wherein this obtaining, analysis and sending of the access request includes:
According to the length information in the UDP packet header, a complete UDP data packet is restored;
judging the type of the application layer protocol carried by the data packet from the complete UDP data packet;
analyzing the data packet according to the protocol type of the application layer to obtain a UDP protocol analysis result; the UDP protocol parsing result includes: the four-tuple information, the transmission layer protocol type, the application layer protocol type and the contents of all fields of the application layer of the data packet;
acquiring resource configuration information corresponding to server resources; wherein the resource configuration information includes: the resource type, the corresponding IP address and the port number;
adding a reverse proxy rule according to the resource configuration information to realize the configuration that an access request of an application client to a certain server resource should pass through a certain port of a proxy server;
comparing the UDP protocol analysis result, the four-tuple information and the application layer analysis result with the security policy of the policy center, and judging whether to allow access to the server resource;
under the condition that the access to the server resource is allowed, generating an access request by modifying the source IP and the source port in the quadruple into the content configured in the reverse proxy rule, and sending the access request to the server resource;
and returning an "access not allowed" response to the application client when access to the server resource is not allowed.
2. The method of claim 1, wherein the tunneling packet is derived by the control client based on a request from the application client to access the server resource, comprising:
binding a control client with a client TUN network card, and configuring a routing table in an operating system; the routing table item indicates the routing from any application client to the client TUN network card;
when an application client initiates a request for accessing a server resource, a data packet corresponding to the request is sent to a client TUN network card through an operating system protocol stack according to a routing table item;
after the control client reads the data packet corresponding to the request, the data packet corresponding to the request is packaged according to an SSL VPN tunnel format based on the SSL VPN tunnel establishing flow transmission with the control server.
3. The method of claim 1, wherein determining the type of application layer protocol carried by the packet from the complete UDP packet comprises:
judging the protocol type of the application layer according to the port number;
or,
traversing the application layer protocol assembly after obtaining the data load in the data packet;
And judging the corresponding application layer protocol type according to the format and the rule of the data load.
4. A method according to any one of claims 1-3, wherein the method further comprises:
the HTTP analysis proxy module or the UDP analysis proxy module acquires the returned resource information of the server resource;
and the resource information is sent to the control client through the SSL VPN tunnel, so that the control client sends the resource information to the application client through an operating system protocol stack according to the operating system routing table information.
5. A dynamic access control gateway, comprising:
the control server is used for receiving the tunnel data packet and stripping the encapsulation of the SSL VPN tunnel from the tunnel data packet to obtain the data packet; the tunnel data packet is obtained by a control client based on a request of accessing a server resource sent by an application client;
the flow distribution module is used for acquiring the four-tuple information and the transport layer protocol type of the data packet and converting the IP and port in the four-tuple information based on the transport layer protocol type; wherein the transport layer protocol type includes the TCP protocol and the UDP protocol; and wherein the acquiring of the four-tuple information and the transport layer protocol type and the converting of the IP and port based on the transport layer protocol type include:
Acquiring resource configuration information corresponding to server resources; wherein the resource configuration information includes: the resource type, the corresponding IP address and the port number;
adding a forwarding rule according to the resource configuration information; wherein the forwarding rule includes: transmitting the data packet based on the UDP protocol to a UDP analysis proxy module and transmitting the data packet based on the TCP protocol to an HTTP analysis proxy module;
acquiring a source IP, a destination IP and a transport layer protocol type of the data packet request in an IP header, and acquiring a source port and a destination port of the data packet request in a transport layer protocol header;
based on the protocol type of the transmission layer, converting the destination IP and the destination port so that the data packet based on the UDP protocol is sent to the UDP analysis proxy module, and the data packet based on the TCP protocol is sent to the HTTP analysis proxy module;
the HTTP analysis proxy module is used for, when the transport layer protocol type is the TCP protocol, obtaining the data packet based on the converted four-tuple information, performing HTTP analysis on it, and then sending an access request to the server resource by combining the HTTP analysis result, the four-tuple information and the security policy of the policy center;
the UDP analysis proxy module is used for, when the transport layer protocol type is the UDP protocol, obtaining the data packet based on the converted four-tuple information, performing application layer analysis on it, and then sending an access request to the server resource by combining the UDP protocol analysis result, the four-tuple information, the application layer analysis result and the security policy of the policy center; wherein this obtaining, analysis and sending of the access request includes:
according to the length information in the UDP packet header, a complete UDP data packet is restored;
judging the type of the application layer protocol carried by the data packet from the complete UDP data packet;
analyzing the data packet according to the protocol type of the application layer to obtain a UDP protocol analysis result; the UDP protocol parsing result includes: the four-tuple information, the transmission layer protocol type, the application layer protocol type and the contents of all fields of the application layer of the data packet;
acquiring resource configuration information corresponding to server resources; wherein the resource configuration information includes: the resource type, the corresponding IP address and the port number;
Adding a reverse proxy rule according to the resource configuration information to realize the configuration that an access request of an application client to a certain server resource should pass through a certain port of a proxy server;
comparing the UDP protocol analysis result, the four-tuple information and the application layer analysis result with the security policy of the policy center, and judging whether to allow access to the server resource;
under the condition that the access to the server resource is allowed, generating an access request by modifying the source IP and the source port in the quadruple into the content configured in the reverse proxy rule, and sending the access request to the server resource;
and returning an "access not allowed" response to the application client when access to the server resource is not allowed.
6. A computer readable storage medium having stored thereon computer program instructions, characterized in that the computer program instructions, when executed, implement the method of any of claims 1 to 4.
7. A system for performing dynamic access control for UDP protocol traffic, said system comprising:
the application client is used for sending out a request for accessing the server resource;
the control client is used for obtaining a tunnel data packet based on the request for accessing the server resource;
The dynamic access control gateway comprises an HTTP analysis proxy module and a UDP analysis proxy module, and is used for:
receiving a tunnel data packet, and stripping the encapsulation of an SSL VPN tunnel from the tunnel data packet to obtain the data packet; the tunnel data packet is obtained by a control client based on a request of accessing a server resource sent by an application client;
acquiring four-tuple information and a transport layer protocol type of the data packet, and converting the IP and port in the four-tuple information based on the transport layer protocol type; wherein the transport layer protocol type includes the TCP protocol and the UDP protocol; and wherein the acquiring of the four-tuple information and the transport layer protocol type and the converting of the IP and port based on the transport layer protocol type include:
acquiring resource configuration information corresponding to server resources; wherein the resource configuration information includes: the resource type, the corresponding IP address and the port number;
adding a forwarding rule according to the resource configuration information; wherein the forwarding rule includes: transmitting the data packet based on the UDP protocol to a UDP analysis proxy module and transmitting the data packet based on the TCP protocol to an HTTP analysis proxy module;
Acquiring a source IP, a destination IP and a transport layer protocol type of the data packet request in an IP header, and acquiring a source port and a destination port of the data packet request in a transport layer protocol header;
based on the protocol type of the transmission layer, converting the destination IP and the destination port so that the data packet based on the UDP protocol is sent to the UDP analysis proxy module, and the data packet based on the TCP protocol is sent to the HTTP analysis proxy module;
when the transport layer protocol type is TCP, the HTTP analysis proxy module obtains the data packet based on the converted four-tuple information, performs HTTP analysis on it, and then sends an access request to the server resource by combining the HTTP analysis result, the four-tuple information and the security policy of the policy center;
when the transport layer protocol type is UDP, the UDP analysis proxy module obtains the data packet based on the converted four-tuple information, performs application layer analysis on it, and then sends an access request to the server resource by combining the UDP protocol analysis result, the four-tuple information, the application layer analysis result and the security policy of the policy center; wherein this obtaining, analysis and sending of the access request includes:
According to the length information in the UDP packet header, a complete UDP data packet is restored;
judging the type of the application layer protocol carried by the data packet from the complete UDP data packet;
analyzing the data packet according to the protocol type of the application layer to obtain a UDP protocol analysis result; the UDP protocol parsing result includes: the four-tuple information, the transmission layer protocol type, the application layer protocol type and the contents of all fields of the application layer of the data packet;
acquiring resource configuration information corresponding to server resources; wherein the resource configuration information includes: the resource type, the corresponding IP address and the port number;
adding a reverse proxy rule according to the resource configuration information to realize the configuration that an access request of an application client to a certain server resource should pass through a certain port of a proxy server;
comparing the UDP protocol analysis result, the four-tuple information and the application layer analysis result with the security policy of the policy center, and judging whether to allow access to the server resource;
under the condition that the access to the server resource is allowed, generating an access request by modifying the source IP and the source port in the quadruple into the content configured in the reverse proxy rule, and sending the access request to the server resource;
returning an "access not allowed" response to the application client when access to the server resource is not allowed;
and the server side resource is used for providing corresponding resource information based on the access request.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310495803.8A CN116668558B (en) 2023-05-05 2023-05-05 Method and system for implementing dynamic access control for UDP protocol flow


Publications (2)

Publication Number Publication Date
CN116668558A CN116668558A (en) 2023-08-29
CN116668558B true CN116668558B (en) 2024-03-01


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant