CN116760877A - Communication method, device, equipment and medium - Google Patents


Info

Publication number
CN116760877A
Authority
CN
China
Prior art keywords
user
authentication
resource
target
network card
Legal status
Pending
Application number
CN202310769011.5A
Other languages
Chinese (zh)
Inventor
常芳妍
王国利
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/141 Setup of application sessions
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a communication method, a device, equipment and a medium, and relates to the technical field of communication. When the controller implements the method, a first authentication request sent by a client in the network equipment is received, wherein the first authentication request comprises authentication information of a user; authenticating the user according to the authentication information; after the authentication is passed, an authentication result is sent to the client, wherein the authentication result comprises a resource list of resources which are allowed to be accessed by a user and address information of gateway equipment corresponding to the resources which are allowed to be accessed by the user, so that when the client confirms that the user needs to access target resources in the resource list, a second authentication request is sent to the target gateway equipment according to the address information of target gateway equipment corresponding to the target resources; after confirming that the target gateway device authenticates the user based on the second authentication request, a communication connection establishment request is sent to the target gateway device to establish a communication connection with the target gateway device.

Description

Communication method, device, equipment and medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a communications method, apparatus, device, and medium.
Background
With the rise of internet technologies such as cloud computing, the Internet of Things and mobile office, enterprise resources are no longer used only inside the enterprise, and the demand for employees to access the enterprise intranet at any time and from any place is becoming more common. The traditional network protection boundary is increasingly blurred, and traditional boundary-based security approaches are increasingly unable to meet these demands. To solve this problem, the SDP (Software Defined Perimeter) zero trust technique was developed. The core SDP zero trust concept is to trust no person, device or system by default, and to perform continuous dynamic authentication and least-privilege authorization for all users accessing restricted resources.
The SDP zero trust function uses the device as an SDP gateway linked with an SDP controller to perform identity authentication and authorization for users accessing a designated application or API, so as to centrally control user identity and access rights and prevent access by unauthorized users. In the zero trust scenario, the SDP gateway serves as the enterprise boundary device connecting the remote user to the enterprise internal network.
When the user side needs to access the enterprise internal network, it must first be authenticated by the controller. After authentication passes, the controller issues to the user side all gateway addresses the user side may access and the application lists protected by those gateways, and issues to the corresponding gateways the resources and access rights of the user. After receiving all gateway addresses returned by the controller, the user side has to establish communication connections with all of these gateways, which has the following problem: in some cases the user side only needs to access the resources behind one particular gateway, that is, it only needs a connection with that gateway, so connections to all the gateways returned by the controller are unnecessary and waste resources.
In addition, when the user side only wants to access a resource through a particular gateway, the user's rights must be modified through the controller so that only the application to be accessed is authorized; the controller then returns only the corresponding gateway address after the user's online authentication, and the user can establish a tunnel with that specific gateway. However, if the user needs to dynamically adjust the tunnel connection with the gateway, the relevant configuration in the controller must be modified repeatedly, which is not maintainable, has poor usability, and affects the user experience.
Therefore, how to dynamically establish a connection with a gateway according to the access requirement of the user side, and thereby avoid wasting resources, is one of the technical problems worth considering.
Disclosure of Invention
In view of the above, the present application provides a communication method, apparatus, device and medium, which are used to dynamically establish connection with a gateway according to the access requirement of a user side, so as to avoid wasting resources.
Specifically, the application is realized by the following technical scheme:
according to a first aspect of the present application, there is provided a communication method applied to a controller, the method comprising:
receiving a first authentication request sent by a client in network equipment, wherein the first authentication request comprises authentication information of a user;
authenticating the user according to the authentication information;
after the authentication is passed, an authentication result is sent to the client, wherein the authentication result comprises a resource list of resources which are allowed to be accessed by the user and address information of gateway equipment corresponding to the resources which are allowed to be accessed by the user, so that when the client confirms that the user needs to access target resources in the resource list, a second authentication request is sent to the target gateway equipment according to the address information of the target gateway equipment corresponding to the target resources; and after confirming that the user authentication is passed by the target gateway device based on the second authentication request, sending a communication connection establishment request to the target gateway device to establish a communication connection with the target gateway device.
According to a second aspect of the present application, there is provided another communication method applied to a client in a network device for communicating with a controller and a gateway device, respectively, the method comprising:
sending a first authentication request to the controller, wherein the first authentication request comprises authentication information of a user;
receiving an authentication result fed back by the controller after the user is authenticated according to the authentication information, wherein the authentication result comprises a resource list of resources which are allowed to be accessed by the user and address information of gateway equipment corresponding to the resources which are allowed to be accessed by the user;
when the user needs to access the target resource in the resource list, sending a second authentication request to target gateway equipment according to the address information of the target gateway equipment corresponding to the target resource;
and after confirming that the target gateway equipment passes the authentication of the user based on the second authentication request, sending a communication connection establishment request to the target gateway equipment so as to establish communication connection with the target gateway equipment.
According to a third aspect of the present application, there is provided a communication apparatus provided in a controller, the apparatus comprising:
the receiving module is used for receiving a first authentication request sent by a client in the network equipment, wherein the first authentication request comprises authentication information of a user;
the authentication module is used for authenticating the user according to the authentication information;
the sending module is used for sending an authentication result to the client after the authentication module passes the authentication, wherein the authentication result comprises a resource list of resources which are allowed to be accessed by the user and address information of gateway equipment corresponding to the resources which are allowed to be accessed by the user, so that the client sends a second authentication request to the target gateway equipment according to the address information of the target gateway equipment corresponding to the target resources when confirming that the user needs to access the target resources in the resource list; and after confirming that the user authentication is passed by the target gateway device based on the second authentication request, sending a communication connection establishment request to the target gateway device to establish a communication connection with the target gateway device.
According to a fourth aspect of the present application, there is provided another communication apparatus provided in a client in a network device for communicating with a controller, a gateway device, respectively, the apparatus comprising:
the first sending module is used for sending a first authentication request to the controller, wherein the first authentication request comprises authentication information of a user;
the receiving module is used for receiving an authentication result fed back by the controller after the user is authenticated according to the authentication information, wherein the authentication result comprises a resource list of resources which are allowed to be accessed by the user and address information of gateway equipment corresponding to the resources which are allowed to be accessed by the user;
the second sending module is used for sending a second authentication request to the target gateway equipment according to the address information of the target gateway equipment corresponding to the target resource when the user needs to access the target resource in the resource list;
the second sending module is further configured to send a communication connection establishment request to the target gateway device after confirming that the target gateway device passes the user authentication based on the second authentication request, so as to establish communication connection with the target gateway device.
According to a fifth aspect of the present application there is provided an electronic device comprising a processor and a machine-readable storage medium storing a computer program executable by the processor, the processor being caused by the computer program to perform the method provided by the first aspect of the embodiment of the present application.
According to a sixth aspect of the present application there is provided a machine-readable storage medium storing a computer program which, when invoked and executed by a processor, causes the processor to perform the method provided by the first aspect of the embodiments of the present application.
The embodiment of the application has the beneficial effects that:
in the communication method, device, equipment and medium provided by the embodiment of the application, a controller receives a first authentication request sent by a client in network equipment, wherein the first authentication request comprises authentication information of a user; authenticating the user according to the authentication information; after the authentication is passed, an authentication result is sent to the client, wherein the authentication result comprises a resource list of resources which are allowed to be accessed by the user and address information of gateway equipment corresponding to the resources which are allowed to be accessed by the user, so that when the client confirms that the user needs to access target resources in the resource list, a second authentication request is sent to the target gateway equipment according to the address information of the target gateway equipment corresponding to the target resources; and after confirming that the user authentication is passed by the target gateway device based on the second authentication request, sending a communication connection establishment request to the target gateway device to establish a communication connection with the target gateway device. Therefore, the user establishes communication connection with the gateway equipment corresponding to the resource expected to be accessed according to the requirement, and the purpose of accessing the corresponding resource is achieved; therefore, the client does not need to establish communication connection with all gateway devices, and network resources required for establishing communication connection with all gateway devices are effectively saved.
Drawings
Fig. 1 is a schematic flow chart of a communication method according to an embodiment of the present application;
FIG. 2 is a flow chart of another communication method according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of another communication device according to an embodiment of the present application;
fig. 5 is a schematic hardware structure of an electronic device for implementing a communication method according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this disclosure, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the corresponding listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the application. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
The communication method provided by the application is described in detail below.
Referring to fig. 1, fig. 1 is a flowchart of a communication method provided by the present application, where the method may be applied to a controller, and the controller may be, but is not limited to, a controller in a zero trust network, for example, an SDN controller, etc. The controller may include the following steps when implementing the method:
s101, receiving a first authentication request sent by a client in network equipment, wherein the first authentication request comprises authentication information of a user.
In this step, when a user needs to access a resource in the zero-trust network through the network device, the user must first be authenticated by the controller in the zero-trust network. A client for interacting with the controller is installed in the network device, so the user initiates the first authentication request to the controller through the client; to allow the controller to authenticate the user, the first authentication request carries the user's authentication information.
Optionally, the authentication information may include, but is not limited to, user information of the user, for example a user name and password.
S102, authenticating the user according to the authentication information.
In this step, after receiving the first authentication request sent by the client, the controller may parse the authentication information of the user from the first authentication request and then authenticate the user according to it. For example, if the authentication information of the user stored locally by the controller matches the authentication information parsed from the first authentication request, the user is authenticated; if they do not match, the user authentication is confirmed as failed.
S103, after authentication is passed, an authentication result is sent to the client, wherein the authentication result comprises a resource list of resources which are allowed to be accessed by the user and address information of gateway equipment corresponding to the resources which are allowed to be accessed by the user, so that the client sends a second authentication request to the target gateway equipment according to the address information of the target gateway equipment corresponding to the target resources when confirming that the user needs to access the target resources in the resource list; and after confirming that the user authentication is passed by the target gateway device based on the second authentication request, sending a communication connection establishment request to the target gateway device to establish a communication connection with the target gateway device.
In this step, after the user passes the authentication of step S102, the user is allowed to access resources in the zero trust network, so the controller can determine the resources the user is allowed to access based on the user's authentication information and generate a resource list. In addition, to further secure the resources in the zero trust network, a gateway device is placed between the client and the resources to authenticate the user again when the resources are accessed. The controller therefore maintains the correspondence between gateway devices and resources, so that each gateway device can further authenticate users accessing its corresponding resources.
In addition, in this embodiment, so that the user establishes a communication connection only with the gateway device corresponding to the resource actually accessed, rather than with all gateways, the present application proposes that after confirming the resources the user is allowed to access, the controller obtains the corresponding gateway devices from the stored correspondence. Therefore, after the user passes authentication, the controller carries in the authentication result fed back to the client both the resource list of resources the user is allowed to access and the address information of the gateway device corresponding to each of those resources.
On this basis, after receiving the authentication result, the client can parse from it the resource list and the address information of the gateway device corresponding to each resource in the list; the user can then select from the resource list the resource they wish to access, denoted the target resource. Once the client knows the user wishes to access the target resource, it can determine from the authentication result the address information of the gateway device corresponding to that resource (denoted the target gateway device). The client may then send an authentication request to the target gateway device using that address information; to distinguish it from the authentication request sent to the controller, the request sent to the target gateway device is denoted the second authentication request.
The target gateway device may authenticate the user after receiving the second authentication request. For example, the second authentication request may carry the user information of the user and the resource information of the target resource to be accessed; on this basis, the target gateway device first authenticates the user and, after that passes, confirms whether the user has the access right to the target resource. Specifically, when the controller returns the authentication result to the client after the user passes authentication, it also issues to each gateway device in the resource list the resource information of the resources the user is authorized to access under that gateway. The target gateway device can therefore compare the resource information of the target resource carried in the second authentication request with the locally stored resource information of the resources the user may access under the target gateway device; if they match, the user is allowed to access the target resource through the target gateway device and the target gateway device confirms that the user authentication passes; if they do not match, the user authentication is confirmed as failed.
On this basis, after the target gateway device passes the user's authentication, it can send an authentication-passed indication message to the client. After receiving the indication message, the client can establish a communication connection with the target gateway device, that is, initiate an SSL handshake with the target gateway device, so as to successfully establish the communication connection and allow the user to access the target resource through the target gateway device.
When the controller fails to authenticate the user, the authentication result may carry an authentication-failure result; correspondingly, when the target gateway device fails to authenticate the user, an authentication-failure indication message can be fed back to the user.
It should be noted that the target resource may be at least one resource in the resource list, and correspondingly, the target gateway device may be a gateway device corresponding to at least one resource in the resource list.
By adopting the method, the user can establish communication connection with the gateway equipment corresponding to the resource expected to be accessed according to the need, so that the purpose of accessing the corresponding resource is achieved; therefore, the client does not need to establish communication connection with all gateway devices, and network resources required for establishing communication connection with all gateway devices are effectively saved.
It should be noted that the authentication result also carries a user token. Specifically, after the user is authenticated based on the first authentication request, the controller also allocates a user token to the user; the tokens allocated to different users are different, so that the gateway device can authenticate the user based on the token when the user accesses it. That is, after allocating the token, the controller carries it in the authentication result fed back to the client, and when the controller feeds back to the corresponding gateway devices the resources the user may access, it also sends the user's token to those gateway devices. In this way, when the user selects the target resource and the client obtains the corresponding target gateway device, the second authentication request sent to the target gateway device carries the user token, for example inside the user information. The target gateway device parses the user token after receiving the second authentication request, and if it matches the locally stored token of that user, the user authentication passes. On this basis, whether the user has the access right to the target resource is then confirmed.
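As an added example (not code from the patent or from New H3C), the following Python models the exchange of steps S101 to S103 together with the user-token refinement above: the controller authenticates the user, returns only that user's resource list with gateway addresses and a per-login token, pushes the same token and resource authorizations to the gateways, and the client then performs the second authentication against the one gateway fronting the target resource before connecting. All users, passwords, resource names and addresses are constructed placeholders, the in-process objects stand in for the network, and the PBKDF2 password store and the check order at the gateway (token first, then access right) are this example's choices rather than details the patent specifies.

```python
import hashlib
import hmac
import secrets


def _derive(password: str, salt: bytes) -> bytes:
    # Constructed controller user store: salted PBKDF2, compared in constant time below.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Gateway:
    def __init__(self, name: str, addr: str):
        self.name, self.addr = name, addr      # addr is "ip:port" (gateway address information)
        self._authz = {}                       # user -> {"token": str, "resources": set}
        self.connections = []                  # users that completed connection setup

    def authorize(self, user: str, token: str, resource: str) -> None:
        # Controller -> gateway: resource the user may access here, plus the user's token.
        entry = self._authz.setdefault(user, {"token": token, "resources": set()})
        entry["token"] = token
        entry["resources"].add(resource)

    def second_auth(self, user: str, token: str, resource: str) -> bool:
        # Token must match what the controller issued for this user ...
        entry = self._authz.get(user)
        if entry is None or not hmac.compare_digest(entry["token"], token):
            return False
        # ... and the user must be authorized for this resource under this gateway.
        return resource in entry["resources"]

    def connect(self, user: str) -> bool:
        # Stand-in for the SSL handshake that establishes the tunnel.
        self.connections.append(user)
        return True


class Controller:
    def __init__(self, gateways):
        self._gateways = {g.name: g for g in gateways}
        self._users = {}       # user -> {"salt": bytes, "hash": bytes}
        self._resources = {}   # resource -> {"gateway": name, "addr": "ip:port", "users": set}

    def add_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = {"salt": salt, "hash": _derive(password, salt)}

    def add_resource(self, name: str, gateway: str, addr: str, users) -> None:
        self._resources[name] = {"gateway": gateway, "addr": addr, "users": set(users)}

    def first_auth(self, user: str, password: str) -> dict:
        """S101-S103: authenticate, then return only this user's resources and their gateways."""
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"]):
            return {"ok": False}
        token = secrets.token_hex(16)          # distinct per login; pushed to the gateways
        resources = []
        for name, meta in self._resources.items():
            if user not in meta["users"]:
                continue
            gw = self._gateways[meta["gateway"]]
            gw.authorize(user, token, name)
            resources.append({"name": name, "resource_addr": meta["addr"], "gateway_addr": gw.addr})
        return {"ok": True, "token": token, "resources": resources}


class Client:
    def __init__(self, controller: Controller, gateways):
        self._controller = controller
        self._by_addr = {g.addr: g for g in gateways}   # address lookup stands in for the network
        self.user = self.token = None
        self.resources = []

    def login(self, user: str, password: str) -> bool:
        result = self._controller.first_auth(user, password)
        if not result["ok"]:
            return False
        self.user, self.token, self.resources = user, result["token"], result["resources"]
        return True

    def access(self, resource: str) -> bool:
        """Second authentication against the one gateway fronting the target resource, then connect."""
        entry = next((r for r in self.resources if r["name"] == resource), None)
        if entry is None:
            return False
        gw = self._by_addr[entry["gateway_addr"]]
        if not gw.second_auth(self.user, self.token, resource):
            return False
        return gw.connect(self.user)


def demo() -> dict:
    gw_a, gw_b = Gateway("gw-a", "10.0.0.1:443"), Gateway("gw-b", "10.0.0.2:443")
    ctrl = Controller([gw_a, gw_b])
    ctrl.add_user("alice", "correct-horse")
    ctrl.add_resource("crm", "gw-a", "192.168.10.5:8443", ["alice"])
    ctrl.add_resource("wiki", "gw-b", "192.168.20.7:80", ["alice"])
    ctrl.add_resource("hr", "gw-b", "192.168.20.9:443", ["bob"])      # not granted to alice
    client = Client(ctrl, [gw_a, gw_b])
    bad_login = client.login("alice", "wrong-password")
    login = client.login("alice", "correct-horse")
    crm = client.access("crm")                          # only gw-a gets a connection
    hr = client.access("hr")                            # absent from alice's list
    forged = gw_b.second_auth("alice", "00" * 16, "wiki")   # wrong token presented to a gateway
    return {"bad_login": bad_login, "login": login, "crm": crm, "hr": hr, "forged": forged,
            "connections": {gw_a.name: len(gw_a.connections), gw_b.name: len(gw_b.connections)}}
```

demo() exercises the paths a practitioner wants to see: a wrong password at the controller, a resource missing from the user's list, and a forged token presented directly to a gateway all yield no connection, while the successful access connects to gw-a only and leaves gw-b untouched, which is the resource saving the patent claims.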
Optionally, based on any one of the foregoing embodiments, in this embodiment, the authentication result further includes a virtual network card address allocated to the client, where the virtual network card address is used to instruct the client to configure a network card address of a local virtual network card as the virtual network card address, and send a second authentication request to the target gateway device through the virtual network card.
Specifically, to secure the client's access to resources in the zero-trust network, the client must access them from an address approved by the zero-trust network. Therefore, when the user passes authentication, the controller allocates to the user a virtual network card address to be used for subsequent access to resources in the zero-trust network. On this basis, the controller can also carry the allocated virtual network card address in the authentication result, so that the client accesses the resources through that address. Specifically, the client may parse the virtual network card address from the authentication result and, after determining the address information of the target gateway device corresponding to the target resource, configure the address of its local virtual network card to the address fed back by the controller, so that the second authentication request is sent to the target gateway device through the virtual network card.
Further, the authentication result may further include resource address information of the resource in the resource list.
Specifically, the user must access the target resource along a certain access path, so the network device must locally generate routing information for that path. To do so, the client obtains the resource address information of the target resource from the resource list and the virtual network card address allocated by the controller from the authentication result, and from these two generates the routing information for accessing the target resource according to a set algorithm. After the client successfully establishes the communication connection with the target gateway device, the output interface associated with the generated routing information in the network device can be configured to the virtual network card address, and the target resource can then be accessed via the target gateway device through that output interface according to the generated routing information.
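The following is an added example (not the patent's code) of the virtual network card address and routing refinement described in the preceding paragraphs: the controller allocates one virtual address per user from a constructed pool, the client builds one host route per listed resource with the virtual NIC as the output interface, and a gateway-side check verifies that a second authentication request arrives from the address the controller assigned. The /32 and /128 host-route form, the pool 10.200.0.0/24, the resource entries and the gateway source check are assumptions of this example; the patent only says routes are generated "according to a set algorithm" and that access must come from an approved address.

```python
import ipaddress

# Constructed pool from which the controller hands out virtual NIC addresses (assumption).
VIRTUAL_POOL = ipaddress.ip_network("10.200.0.0/24")


class AddressAllocator:
    """Controller side: one virtual NIC address per user, stable across re-authentication."""

    def __init__(self, pool):
        self._free = list(pool.hosts())
        self.leases = {}                       # user -> ip_address; assumed to be shared with gateways

    def allocate(self, user: str):
        if user not in self.leases:
            self.leases[user] = self._free.pop(0)
        return self.leases[user]


def build_routes(resources, vnic_addr) -> list:
    """Client side: one host route per listed resource, egress through the virtual NIC.

    The patent does not specify its routing algorithm; host routes (/32 for IPv4,
    /128 for IPv6) are this example's assumption.
    """
    routes = []
    for r in resources:
        dst = ipaddress.ip_network(r["ip"])    # a single address becomes /32 or /128
        routes.append({"dst": dst.with_prefixlen, "port": r["port"],
                       "gateway_addr": r["gateway_addr"], "out_iface_addr": str(vnic_addr)})
    return routes


def gateway_accepts_source(leases: dict, user: str, src_addr: str) -> bool:
    """Gateway side (assumed check): the second authentication request must originate
    from the virtual NIC address the controller assigned to this user."""
    lease = leases.get(user)
    return lease is not None and lease == ipaddress.ip_address(src_addr)


def demo() -> dict:
    alloc = AddressAllocator(VIRTUAL_POOL)
    alice = alloc.allocate("alice")
    bob = alloc.allocate("bob")
    # Constructed resource list as the controller would return it (IP address plus port).
    resources = [
        {"name": "crm", "ip": "192.168.10.5", "port": 8443, "gateway_addr": "10.0.0.1:443"},
        {"name": "wiki", "ip": "2001:db8::7", "port": 80, "gateway_addr": "10.0.0.2:443"},
    ]
    routes = build_routes(resources, alice)
    return {
        "alice": str(alice), "bob": str(bob), "alice_again": str(alloc.allocate("alice")),
        "routes": routes,
        "from_own_addr": gateway_accepts_source(alloc.leases, "alice", str(alice)),
        "from_other_addr": gateway_accepts_source(alloc.leases, "alice", str(bob)),
        "unknown_user": gateway_accepts_source(alloc.leases, "mallory", str(alice)),
    }
```

The source check is where the "approved address" requirement becomes enforceable: a request carrying a valid token but sent from an address other than the one leased to that user is rejected, which is the case a gateway operator would want logged.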
Optionally, based on any of the above embodiments, in this embodiment, before the controller feeds back to the target gateway device the resource information of the resources a user may access under that gateway, the target gateway device must register with the controller to notify it that the gateway is online; specifically, the target gateway device may register with the controller by way of a cloud-management channel and a RESTful sub-link. On this basis, after the controller allows the target gateway device to come online, it can issue to the target gateway device, through the RESTful sub-link, a Kafka connection address and port and a device identifier allocated to the target gateway device, where different gateway devices have different device identifiers; the target gateway device can then register based on the Kafka address and port, and after successful registration the controller can show the target gateway device as online.
Note that the resource information of each resource in the resource list carried in the authentication result may include, but is not limited to, the IP address and port used to access the resource; the address information of the gateway device corresponding to each resource, also carried in the authentication result, may include, but is not limited to, the IP address and port of the gateway device.
Alternatively, the client may be, but is not limited to, an authentication client such as the iNode client. The communication connection may be, but is not limited to, a tunnel connection, for example an SSL VPN tunnel.
When the controller authorizes the user to access a plurality of resources, the communication method of this embodiment lets the client on the user side establish a communication connection with the target gateway device corresponding to the target resource the user currently needs, based on the resource list of permitted resources and the address information of the corresponding gateway devices fed back by the controller. The user thus establishes connections with gateway devices dynamically and on demand, instead of with every gateway device, which greatly reduces the resources consumed by client-gateway connections and the communication load. In addition, operation and maintenance personnel do not have to modify the controller configuration by hand for the user to connect to gateway devices on demand.
Based on the same inventive concept, this embodiment also provides a communication method. Referring to the flow chart of the communication method shown in fig. 2, the method may be applied to a client in a network device that communicates with a controller and a gateway device in a zero trust network; the client implements the following steps:
S201, a first authentication request is sent to the controller, wherein the first authentication request comprises authentication information of a user.
In this step, when a user needs to access a resource in the zero-trust network through the network device, the user must first be authenticated by the controller of the zero-trust network. The user therefore initiates a first authentication request to the controller through the client, and, so that the controller can authenticate the user, the first authentication request carries the user's authentication information.
Alternatively, the authentication information may include, but is not limited to, user information of the user, e.g., the user information may be a user name, password, etc.
S202, receiving an authentication result fed back by the controller after the user is authenticated according to the authentication information.
The authentication result comprises a resource list of the resources which are allowed to be accessed by the user and address information of gateway equipment corresponding to the resources which are allowed to be accessed by the user.
In this step, after receiving the first authentication request, the controller may authenticate the user based on the authentication information carried in the request, and after the authentication passes it feeds back the authentication result to the client.
In addition, so that a user can establish a communication connection only with the gateway device corresponding to the resource being accessed, rather than with all gateways, the application proposes that the controller, after confirming which resources the user is allowed to access, obtains from the stored correspondence the gateway device for each of those resources. Therefore, when the controller feeds back the authentication result after the user passes authentication, it can carry in the result both the resource list of the resources the user is allowed to access and the address information of the gateway device corresponding to each of those resources.
S203, when the user needs to access the target resource in the resource list, a second authentication request is sent to the target gateway equipment according to the address information of the target gateway equipment corresponding to the target resource.
In this step, after receiving the authentication result, the client may parse from it the resource list and the address information of the gateway device corresponding to each resource in the list. The user then confirms, based on the resource list, the resource he or she wishes to access, which is recorded as the target resource. Knowing the target resource, the client can determine from the authentication result the address information of the gateway device corresponding to it (denoted the target gateway device). The client then sends an authentication request to the target gateway device using that address information; to distinguish it from the authentication request sent to the controller, this request is called the second authentication request.
S204, after confirming that the user authentication of the target gateway equipment based on the second authentication request is passed, sending a communication connection establishment request to the target gateway equipment so as to establish communication connection with the target gateway equipment.
In this step, after the target gateway device confirms, based on the second authentication request, that the user passes authentication, it may feed back to the client an indication message stating that the user is authenticated. From that message the client can confirm that the target gateway device has authenticated the user, i.e. that the user is allowed to access the target resource through the target gateway device. The client can then establish a communication connection with the target gateway device and access the target resource through it.
With this method, after the user passes authentication, the controller feeds back the address information of the gateway device corresponding to each resource the user is allowed to access together with the resource list itself. The user can then, through the client, establish a communication connection with the gateway device corresponding to whichever resource is actually required, and so access that resource; the client does not have to establish communication connections with all gateway devices, and the network resources those connections would consume are saved.
Optionally, based on any one of the above embodiments, in this embodiment, the authentication result further includes a virtual network card address allocated to the client; on this basis, the step of sending the second authentication request to the target gateway device according to the address information of the target gateway device corresponding to the target resource in step S203 may be performed according to the following procedure: configuring a network card address of a local virtual network card as the virtual network card address; and sending a second authentication request to the target gateway equipment through the virtual network card.
Specifically, to ensure that the client accesses resources in the zero-trust network securely, the client must access them from an address approved by the zero-trust network. For this reason, when the controller feeds back the authentication result, it carries in it the virtual network card address that the controller has allocated to the user, and the client parses that address from the authentication result. After determining the address information of the target gateway device corresponding to the target resource, the client configures the address of its local virtual network card as the virtual network card address fed back by the controller, so that the second authentication request is sent to the target gateway device through the virtual network card. Because the controller also issues the user's IP address to the gateway (see step 5 of the access flow below), the gateway can match the source address of the user's traffic against the address the controller allocated.
Specifically, the client may display to the user the list of resources currently accessible to the user. The user then selects from the list the resource he or she wishes to access, which is recorded as the target resource; the client thus learns which resource the user currently wants, determines from the authentication result the address information of the corresponding target gateway device, and establishes the communication connection with the target gateway device using that address information.
Further, the authentication result further includes resource address information of the resources in the resource list; on the basis, the communication method provided by the embodiment can further comprise the following steps: generating route information for accessing the target resource according to the local virtual network card and the resource address information, so as to configure an output interface in the route information as the local virtual network card; and accessing the target resource through the local virtual network card according to the routing information.
Specifically, when the user accesses the target resource, the access has to follow a definite path, so the network device must generate route information for that path locally. The client therefore takes the resource address information of the target resource from the resource list and the virtual network card address allocated by the controller from the authentication result, and from these two values generates the route information for reaching the target resource according to a set algorithm. After the client has successfully established the communication connection with the target gateway device, the output interface of the route generated on the network device is configured as the virtual network card address, so that traffic to the target resource leaves through that interface according to the generated route and is carried by the target gateway device to the target resource.
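The client-side handling of steps S202 to S204 and the routing paragraph above, as an added example that is not code from the patent or from H3C's iNode client. The JSON layout of the authentication result, the `Client`, `Route` and `fake_open_tunnel` names, the interface name `vnic0` and the sample addresses are assumptions; the page only states that the result carries the resource list, each resource's IP and port, each corresponding gateway's IP and port, and the virtual network card address. The example goes slightly beyond the text in showing that two resources behind the same gateway share a single tunnel:

```python
"""Client side of the flow: parse the authentication result, pick the target
gateway, open tunnels only on demand and add a host route via the virtual NIC.

Added example; not code from the patent or from the iNode client. The JSON
layout, class names and sample addresses are assumptions."""
import ipaddress
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample authentication result (not captured from a real controller).
AUTH_RESULT_JSON = json.dumps({
    "token": "tok-example",
    "vnic_address": "172.16.100.7",
    "resources": [
        {"name": "hr-portal", "ip": "10.1.1.5", "port": 443,
         "gateway": {"ip": "203.0.113.10", "port": 8443}},
        {"name": "hr-db", "ip": "10.1.1.20", "port": 5432,
         "gateway": {"ip": "203.0.113.10", "port": 8443}},
        {"name": "code-server", "ip": "10.2.0.8", "port": 22,
         "gateway": {"ip": "203.0.113.20", "port": 8443}},
    ],
})


@dataclass(frozen=True)
class Resource:
    name: str
    ip: str
    port: int
    gateway: Tuple[str, int]  # (gateway IP, gateway port) from the controller


@dataclass(frozen=True)
class Route:
    destination: str    # host prefix of the resource
    out_interface: str  # local virtual network card (the output interface)
    src_address: str    # virtual NIC address allocated by the controller


@dataclass
class Client:
    vnic_name: str = "vnic0"                       # assumed local interface name
    vnic_address: Optional[str] = None
    resources: Dict[str, Resource] = field(default_factory=dict)
    tunnels: Dict[Tuple[str, int], object] = field(default_factory=dict)  # gateway -> tunnel
    routes: List[Route] = field(default_factory=list)

    def handle_auth_result(self, raw: str) -> None:
        """S202 plus the virtual NIC step: keep only what the controller issued."""
        result = json.loads(raw)
        addr = ipaddress.ip_address(result["vnic_address"])
        if addr.is_multicast or addr.is_unspecified:
            raise ValueError("controller returned an unusable virtual NIC address")
        self.vnic_address = str(addr)          # configure the local virtual NIC
        for r in result["resources"]:
            self.resources[r["name"]] = Resource(
                r["name"], r["ip"], int(r["port"]),
                (r["gateway"]["ip"], int(r["gateway"]["port"])))

    def gateway_for(self, resource_name: str) -> Tuple[str, int]:
        """S203: the target gateway comes from the controller's result, never
        from user input, so the client cannot be steered to an unlisted gateway."""
        return self.resources[resource_name].gateway

    def access(self, resource_name: str,
               open_tunnel: Callable[[Tuple[str, int], str], object]) -> Route:
        """S203/S204 plus route generation: dial the gateway only if no tunnel to
        it exists yet, then add a host route whose output interface is the VNIC."""
        res = self.resources[resource_name]
        gw = res.gateway
        if gw not in self.tunnels:
            # open_tunnel stands for SPA to the gateway followed by the SSL handshake
            self.tunnels[gw] = open_tunnel(gw, self.vnic_address)
        route = Route(f"{res.ip}/32", self.vnic_name, self.vnic_address)
        if route not in self.routes:
            self.routes.append(route)
        return route


def fake_open_tunnel(gateway: Tuple[str, int], src: str) -> dict:
    """Stand-in for the real SPA + SSL tunnel setup; records what was dialled."""
    return {"gateway": gateway, "src": src}


def demo() -> Client:
    c = Client()
    c.handle_auth_result(AUTH_RESULT_JSON)
    c.access("hr-portal", fake_open_tunnel)
    c.access("hr-db", fake_open_tunnel)        # same gateway: tunnel is reused
    c.access("code-server", fake_open_tunnel)  # second gateway: new tunnel
    return c


if __name__ == "__main__":
    client = demo()
    gateways = {r.gateway for r in client.resources.values()}
    print(f"tunnels opened: {len(client.tunnels)} for {len(gateways)} gateways")
    for rt in client.routes:
        print(f"route {rt.destination} dev {rt.out_interface} src {rt.src_address}")
```

The property worth keeping when adapting this is that `gateway_for` resolves the gateway from the controller's signed-off result and never from anything the user typed, so a client cannot be pointed at a gateway that is not in its authorization; the tunnel cache is what realises the "connect only to the gateways actually needed" claim of the method.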
Note that the resource information of each resource in the resource list carried in the authentication result may include, but is not limited to, the IP address and port used to access the resource; the address information of the gateway device corresponding to each resource, also carried in the authentication result, may include, but is not limited to, the IP address and port of the gateway device.
Alternatively, the client may be, but is not limited to, an authentication client such as the iNode client. The communication connection may be, but is not limited to, a tunnel connection, for example an SSL VPN tunnel.
Further, after the client has successfully established the communication connection with the target gateway device, when accessing the target resource through it the client initiates a resource access request, applies SSL encapsulation to the request to obtain a resource access message, and sends the message to the target gateway device. On receiving the message, the target gateway device de-encapsulates it and checks the resource access authority; only after confirming that the user has the authority to access the target resource does it forward the resource access request to the resource server of the target resource. The resource server responds to the request and returns the response to the target gateway device, which encapsulates the response in the same way and forwards the resulting message to the client, completing the user's access to the target resource.
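The gateway's authority check described in the paragraph above, as an added example rather than code from the patent or from an H3C gateway. It assumes the gateway stores the (user name, user IP address, token, resource list) tuple that the controller issues at login (step 5 of the access flow below), that a de-encapsulated request exposes the user token, the inner source address and the destination, and that a revocation or logout simply removes the record; `Gateway`, `UserRecord`, `AccessRequest`, `on_user_logout` and the sample values are constructed for illustration:

```python
"""Gateway-side authority check on a de-encapsulated resource access request.

Added example; not code from the patent or from an H3C gateway. The record the
controller issues at login, the request fields and the sample values are
assumptions."""
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class UserRecord:
    """What the controller pushes to the gateway when a user logs in."""
    username: str
    user_ip: str                           # virtual NIC address issued to the user
    token: str
    allowed: FrozenSet[Tuple[str, int]]    # (resource IP, resource port) pairs


@dataclass(frozen=True)
class AccessRequest:
    """Fields visible after the gateway strips the SSL encapsulation."""
    token: str
    src_ip: str      # inner source address of the request
    dst_ip: str
    dst_port: int


class Gateway:
    def __init__(self) -> None:
        self._users: Dict[str, UserRecord] = {}   # token -> record

    def on_controller_issue(self, rec: UserRecord) -> None:
        self._users[rec.token] = rec

    def on_user_logout(self, token: str) -> None:
        # Assumed revocation path: removing the record makes later requests fail closed.
        self._users.pop(token, None)

    def check(self, req: AccessRequest) -> Tuple[bool, str]:
        """Return (allowed, reason); anything not positively authorized is denied."""
        rec = self._lookup(req.token)
        if rec is None:
            return False, "unknown or revoked token"
        if req.src_ip != rec.user_ip:
            return False, "source address differs from the address issued to the user"
        if (req.dst_ip, req.dst_port) not in rec.allowed:
            return False, "resource not in the user's authorized list"
        return True, f"forward to {req.dst_ip}:{req.dst_port} for {rec.username}"

    def _lookup(self, token: str) -> Optional[UserRecord]:
        # Compare against every stored token in constant time so response timing
        # does not reveal how many leading bytes of a guessed token are correct.
        found = None
        for stored, rec in self._users.items():
            if hmac.compare_digest(stored.encode(), token.encode()):
                found = rec
        return found


def demo() -> Dict[str, Tuple[bool, str]]:
    gw = Gateway()
    # Constructed record for one user, in the shape the controller would issue it.
    gw.on_controller_issue(UserRecord(
        "alice", "172.16.100.7", "tok-alice",
        frozenset({("10.1.1.5", 443), ("10.1.1.20", 5432)})))
    results = {
        "ok": gw.check(AccessRequest("tok-alice", "172.16.100.7", "10.1.1.5", 443)),
        "wrong_resource": gw.check(AccessRequest("tok-alice", "172.16.100.7", "10.2.0.8", 22)),
        "spoofed_source": gw.check(AccessRequest("tok-alice", "172.16.100.9", "10.1.1.5", 443)),
        "bad_token": gw.check(AccessRequest("tok-mallory", "172.16.100.7", "10.1.1.5", 443)),
    }
    gw.on_user_logout("tok-alice")
    results["after_logout"] = gw.check(AccessRequest("tok-alice", "172.16.100.7", "10.1.1.5", 443))
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:15s} {'ALLOW' if allowed else 'DENY':5s} {reason}")
```

The three checks are deliberately ordered so that a request is refused before any per-resource state is consulted: an invalid token says nothing about which resources exist, and a source address other than the one the controller allocated is refused even when the token is valid, which is what makes the virtual network card address an enforceable identity rather than a convenience.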
When the controller authorizes the user to access a plurality of resources, the communication method of this embodiment lets the client on the user side establish a communication connection with the target gateway device corresponding to the target resource the user currently needs, based on the resource list of permitted resources and the address information of the corresponding gateway devices fed back by the controller. The user thus establishes connections with gateway devices dynamically and on demand, instead of with every gateway device, which greatly reduces the resources consumed by client-gateway connections and the communication load.
For a better understanding of this embodiment, the flow in which a user accesses a resource in the zero trust network through the iNode client is roughly as follows:
Step 1: the gateway registers online with the controller and establishes a cloud pipeline and a RESTful sub-connection.
Step 2: the controller sends the gateway the Kafka connection address, the port and the gateway's unique device identifier over the RESTful sub-connection; after the gateway has registered with Kafka successfully, the controller shows the gateway as online.
Step 3: the controller issues to the gateway, via Kafka messages, the resource information of the resources the gateway serves.
Step 4: the iNode client performs SPA (single packet authorization) authentication to the controller.
Step 5: after SPA authentication succeeds, the user logs in; after the user name and password are verified, two operations are carried out: (1) the controller issues the user name, the user IP address, the user token and the list of resources the user may access to the gateway; (2) the controller returns the user token, the list of resources the user may access, the address information of the gateway corresponding to each accessible resource, the virtual network card address allocated to the user by the controller, and so on, to the iNode client. Note that the gateway address information may include the gateway IP address and port, and each entry of the resource list includes the resource IP address and port.
Step 6: the iNode client configures the address of its local virtual network card as the allocated virtual network card address.
Step 9: when the user confirms access to a resource in the resource list, the iNode client initiates SPA authentication to the gateway corresponding to that resource.
Step 10: after confirming that the gateway authentication has passed, the iNode client initiates an SSL handshake with the gateway; once the handshake succeeds, the communication connection with the gateway is established.
Step 11: the iNode client sets the output interface in the routing information for the resource to the virtual network card address.
Step 12: the iNode client applies SSL encapsulation to the resource access request for the resource and sends it to the gateway.
Step 13: the gateway de-encapsulates the resource access request and checks the request's authority; if the check passes, it forwards the request to the resource server.
Step 14: the reply from the resource server is returned to the gateway, which encapsulates it and forwards it to the iNode client, so that the user accesses the desired resource.
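The SPA exchange of steps 4 and 9, as an added example; the patent names SPA but does not define a packet format, so the format used here (version, timestamp, 16-byte nonce, user and target strings, HMAC-SHA256 tag under a key shared between the client and the controller or gateway), the `build_spa` and `SpaVerifier` names, the 30 second window and the constructed key are all assumptions and not the iNode or H3C implementation. Both sides of the exchange are shown, together with the rejections a verifier has to make (replay, stale timestamp, tampered tag, unknown user):

```python
"""Single packet authorization (SPA) exchange: the client builds one authenticated
datagram; the controller or gateway verifies it, rejects replays and stale or
tampered packets, and only then records the source as allowed to connect.

Added example; the patent names SPA but defines no packet format, so this
format, the names and the constructed key are assumptions."""
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, List, Optional, Tuple

VERSION = 1
WINDOW = 30        # seconds of tolerated clock skew (assumed)
TAG_LEN = 32       # HMAC-SHA256
KEY_LEN = 32


def build_spa(key: bytes, user: str, target: str,
              now: Optional[int] = None, nonce: Optional[bytes] = None) -> bytes:
    """Client side: version | timestamp | 16-byte nonce | user NUL | target NUL | tag."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(16) if nonce is None else nonce
    body = (struct.pack(">BQ", VERSION, now) + nonce
            + user.encode() + b"\0" + target.encode() + b"\0")
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaVerifier:
    """Controller or gateway side: accept each packet at most once, within WINDOW."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self.keys = keys                               # user -> shared key
        self.seen: Dict[bytes, int] = {}               # nonce -> last time it is valid
        self.opened: List[Tuple[str, str, str]] = []   # (src_ip, user, target)

    def verify(self, packet: bytes, src_ip: str,
               now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        if len(packet) < 9 + 16 + 2 + TAG_LEN:
            return False, "short packet"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        version, ts = struct.unpack(">BQ", body[:9])
        nonce = body[9:25]
        try:
            user_b, target_b, rest = body[25:].split(b"\0", 2)
        except ValueError:
            return False, "malformed fields"
        if version != VERSION or rest != b"":
            return False, "bad version or trailing data"
        user = user_b.decode(errors="replace")
        key = self.keys.get(user)
        # Always compute a MAC so unknown and known users cost the same time.
        expected = hmac.new(key or b"\0" * KEY_LEN, body, hashlib.sha256).digest()
        if key is None or not hmac.compare_digest(expected, tag):
            return False, "bad MAC"
        if abs(now - ts) > WINDOW:
            return False, "outside time window"
        self._expire(now)
        if nonce in self.seen:
            return False, "replay"
        # Remember the nonce until the packet itself could no longer be valid.
        self.seen[nonce] = ts + WINDOW
        self.opened.append((src_ip, user, target_b.decode()))
        return True, "open"

    def _expire(self, now: int) -> None:
        for n in [n for n, last in self.seen.items() if last < now]:
            del self.seen[n]


def demo() -> dict:
    key = bytes(range(KEY_LEN))                    # constructed shared key for "alice"
    verifier = SpaVerifier({"alice": key})
    t = 1_700_000_000                              # fixed clock for a repeatable run
    pkt = build_spa(key, "alice", "gw:203.0.113.10:8443", now=t, nonce=b"N" * 16)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    return {
        "first": verifier.verify(pkt, "198.51.100.4", now=t + 2),
        "replay": verifier.verify(pkt, "198.51.100.4", now=t + 3),
        "stale": verifier.verify(build_spa(key, "alice", "x", now=t - 300, nonce=b"O" * 16),
                                 "198.51.100.4", now=t),
        "tampered": verifier.verify(tampered, "198.51.100.4", now=t + 4),
        "unknown_user": verifier.verify(build_spa(b"k" * KEY_LEN, "mallory", "x", now=t),
                                        "198.51.100.4", now=t),
        "opened": list(verifier.opened),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13s} {value}")
```

The nonce is retained until `ts + WINDOW`, the last instant at which the same packet could still pass the time check, so a replay can never slip through between the nonce expiring and the timestamp going stale; a replay cache keyed only on arrival time would leave that gap.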
Therefore, when the controller authorizes a user to access resources behind multiple gateways, the user can flexibly and dynamically choose which gateway to connect to, so communication connections with all gateways are unnecessary and the resource overhead of both the gateways and the iNode client is effectively reduced.
Based on the same inventive concept, the application also provides a communication device corresponding to the communication method provided by the controller side. The implementation of the communication device may refer specifically to the description of the communication method by the controller, which is not discussed here.
Referring to fig. 3, fig. 3 is a communication device provided in a controller according to an exemplary embodiment of the present application, the device including:
An authentication module 301, configured to authenticate the user according to the authentication information;
a sending module 302, configured to send an authentication result to the client after the authentication module authenticates, where the authentication result includes a resource list of resources allowed to be accessed by the user and address information of a gateway device corresponding to the resources allowed to be accessed by the user, so that when the client confirms that the user needs to access a target resource in the resource list, the client sends a second authentication request to the target gateway device according to the address information of the target gateway device corresponding to the target resource; and after confirming that the user authentication is passed by the target gateway device based on the second authentication request, sending a communication connection establishment request to the target gateway device to establish a communication connection with the target gateway device.
By providing the communication device at the controller side, the user can establish communication connection with the gateway equipment corresponding to the resource expected to be accessed according to the need, so that the purpose of accessing the corresponding resource is achieved; therefore, the client does not need to establish communication connection with all gateway devices, and network resources required for establishing communication connection with all gateway devices are effectively saved.
Optionally, based on the foregoing embodiment, in this embodiment, the authentication result further includes a virtual network card address allocated to the client, where the virtual network card address is used to instruct the client to configure a network card address of a local virtual network card as the virtual network card address, and send a second authentication request to the target gateway device through the virtual network card.
Optionally, based on the foregoing embodiment, in this embodiment, the authentication result further includes resource address information of a resource in the resource list.
Based on the same conception, the application also provides a communication device corresponding to the communication method provided by the client side. The implementation of the communication device may refer specifically to the description of the communication method by the client, which is not discussed here.
Referring to fig. 4, fig. 4 is a communication apparatus provided in an exemplary embodiment of the present application, which is disposed in a client in a network device and is used to communicate with a controller and a gateway device, respectively, and includes:
a first sending module 401, configured to send a first authentication request to the controller, where the first authentication request includes authentication information of a user;
a receiving module 402, configured to receive an authentication result fed back by the controller after the user is authenticated according to the authentication information, where the authentication result includes a resource list of resources allowed to be accessed by the user and address information of a gateway device corresponding to the resources allowed to be accessed by the user;
A second sending module 403, configured to send a second authentication request to a target gateway device according to address information of the target gateway device corresponding to a target resource when the user needs to access the target resource in the resource list;
the second sending module 403 is further configured to send a communication connection establishment request to the target gateway device after confirming that the target gateway device passes the user authentication based on the second authentication request, so as to establish a communication connection with the target gateway device.
By providing the communication device at the client side, the user can establish communication connection with the gateway equipment corresponding to the resource expected to be accessed according to the need, so that the purpose of accessing the corresponding resource is achieved; therefore, the client does not need to establish communication connection with all gateway devices, and network resources required for establishing communication connection with all gateway devices are effectively saved.
Optionally, based on the foregoing embodiment, the authentication result in this embodiment further includes a virtual network card address allocated to the client;
on this basis, the second sending module 403 is specifically configured to configure a network card address of a local virtual network card as the virtual network card address; and sending a second authentication request to the target gateway equipment through the virtual network card.
Further, the authentication result further includes resource address information of the resources in the resource list; on this basis, the communication device further comprises:
a generating module (not shown in the figure) for generating route information for accessing the target resource according to the local virtual network card and the resource address information, so as to configure an output interface in the route information as the local virtual network card;
and the access module (not shown in the figure) is used for accessing the target resource through the local virtual network card according to the routing information.
Based on the same inventive concept, the embodiments of the present application provide an electronic device, which may be, but is not limited to, the controller described above or a network device provided with a client, implementing the communication method provided in any of the embodiments above. As shown in fig. 5, the electronic device includes a processor 501 and a machine-readable storage medium 502, the machine-readable storage medium 502 storing a computer program executable by the processor 501, the processor 501 being caused by the computer program to perform a communication method provided by any one of the embodiments of the present application. The electronic device further comprises a communication interface 503 and a communication bus 504, wherein the processor 501, the communication interface 503 and the machine readable storage medium 502 communicate with each other via the communication bus 504.
The communication bus mentioned above for the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one bold line is drawn in the figure, which does not mean there is only one bus or one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The machine-readable storage medium 502 may be a memory, which may include random access memory (Random Access Memory, RAM), DDR SDRAM (Double Data Rate Synchronous Dynamic Random Access Memory), or non-volatile memory (Non-Volatile Memory, NVM), for example at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), etc.; but also digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components.
For the electronic device and the machine-readable storage medium embodiments, the description is relatively simple, and reference should be made to the description of the method embodiments for relevant points, since the method content involved is substantially similar to that of the method embodiments described above.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The implementation process of the functions and roles of each unit/module in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be repeated here.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The above described apparatus embodiments are merely illustrative, wherein the units/modules illustrated as separate components may or may not be physically separate, and the components shown as units/modules may or may not be physical units/modules, i.e. may be located in one place, or may be distributed over a plurality of network units/modules. Some or all of the units/modules may be selected according to actual needs to achieve the purposes of the present solution. Those of ordinary skill in the art will understand and implement the present application without undue burden.
The foregoing description of the preferred embodiments of the application is not intended to be limiting, but rather to enable any modification, equivalent replacement, improvement or the like to be made within the spirit and principles of the application.

Claims (13)

1. A method of communication, for use in a controller, the method comprising:
receiving a first authentication request sent by a client in network equipment, wherein the first authentication request comprises authentication information of a user;
authenticating the user according to the authentication information;
after the authentication is passed, an authentication result is sent to the client, wherein the authentication result comprises a resource list of resources which are allowed to be accessed by the user and address information of gateway equipment corresponding to the resources which are allowed to be accessed by the user, so that when the client confirms that the user needs to access target resources in the resource list, a second authentication request is sent to the target gateway equipment according to the address information of the target gateway equipment corresponding to the target resources; and after confirming that the user authentication is passed by the target gateway device based on the second authentication request, sending a communication connection establishment request to the target gateway device to establish a communication connection with the target gateway device.
2. The method of claim 1, wherein the authentication result further includes a virtual network card address allocated to the client, the virtual network card address being used to instruct the client to configure a network card address of a local virtual network card as the virtual network card address, and send a second authentication request to the target gateway device through the virtual network card.
3. The method of claim 1, wherein the authentication result further comprises resource address information for a resource in the resource list.
4. A communication method, applied to a client in a network device for communicating with a controller and a gateway device, respectively, the method comprising:
sending a first authentication request to the controller, wherein the first authentication request comprises authentication information of a user;
receiving an authentication result fed back by the controller after the user is authenticated according to the authentication information, wherein the authentication result comprises a resource list of resources which are allowed to be accessed by the user and address information of gateway equipment corresponding to the resources which are allowed to be accessed by the user;
when the user needs to access the target resource in the resource list, a second authentication request is sent to target gateway equipment according to the address information of the target gateway equipment corresponding to the target resource;
and after confirming that the target gateway equipment passes the authentication of the user based on the second authentication request, sending a communication connection establishment request to the target gateway equipment so as to establish communication connection with the target gateway equipment.
5. The method of claim 4, wherein the authentication result further comprises a virtual network card address assigned for the client;
according to the address information of the target gateway equipment corresponding to the target resource, sending a second authentication request to the target gateway equipment, wherein the second authentication request comprises the following steps:
configuring a network card address of a local virtual network card as the virtual network card address;
and sending a second authentication request to the target gateway equipment through the virtual network card.
6. The method of claim 5, wherein the authentication result further comprises resource address information of a resource in the resource list; the method further comprises the steps of:
generating route information for accessing the target resource according to the local virtual network card and the resource address information, so as to configure an output interface in the route information as the local virtual network card;
and accessing the target resource through the local virtual network card according to the routing information.
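As an added illustration (not code from the patent or from the applicant), the following Python simulation walks through the two-stage flow of claims 4-6 and the controller side of claim 7: first authentication at the controller, an authentication result carrying the resource list, gateway addresses and a virtual network card address, a second authentication at the gateway sent from that virtual address, and only then a connection request. The shared key, the HMAC ticket the gateway verifies, and all names and addresses are assumptions made for the example; the patent does not specify how the gateway authenticates the user.

```python
# Constructed example: in-memory controller, gateway and client. Not the patent's code.
import hmac, hashlib, secrets

SECRET = b"controller-gateway-shared-key"  # assumed: shared by controller and gateways

class Controller:
    def __init__(self, users, policy, gateways):
        self.users, self.policy, self.gateways = users, policy, gateways
    def first_auth(self, user, password):
        """Claim 1/7: authenticate the user and return resource list + gateway addresses."""
        if self.users.get(user) != password:
            return None
        allowed = self.policy.get(user, set())
        token = secrets.token_hex(8)
        tag = hmac.new(SECRET, f"{user}:{token}".encode(), hashlib.sha256).hexdigest()
        return {"resources": set(allowed),
                "gateways": {r: self.gateways[r] for r in allowed},
                "vnic_addr": "10.255.0.2",          # assumed virtual network card address
                "ticket": (user, token, tag)}        # assumed: carried in the second request

class Gateway:
    def __init__(self, resources):
        self.resources, self.authed = resources, set()
    def second_auth(self, user, token, tag, src_addr):
        """Claim 4: the gateway authenticates the user before any connection is accepted."""
        expect = hmac.new(SECRET, f"{user}:{token}".encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expect, tag):
            self.authed.add(src_addr)
        return src_addr in self.authed
    def connect(self, src_addr, resource):
        # Connection requests from sources that never passed second_auth are refused.
        return src_addr in self.authed and resource in self.resources

class Client:
    def __init__(self, controller):
        self.ctl, self.result, self.vnic, self.routes = controller, None, None, {}
    def login(self, user, pw):
        self.result = self.ctl.first_auth(user, pw)
        if self.result:
            self.vnic = self.result["vnic_addr"]                      # claim 5: configure vNIC
            self.routes = {r: self.vnic for r in self.result["resources"]}  # claim 6: routes via vNIC
        return self.result is not None
    def access(self, resource, gateways):
        if not self.result or resource not in self.result["resources"]:
            return False                                              # not in the resource list
        gw = gateways[self.result["gateways"][resource]]
        if not gw.second_auth(*self.result["ticket"], self.vnic):
            return False
        return gw.connect(self.vnic, resource)                        # only after gateway auth

def demo():
    gws = {"10.0.0.1": Gateway({"crm"}), "10.0.0.2": Gateway({"wiki"})}  # constructed
    ctl = Controller({"alice": "pw"}, {"alice": {"crm"}}, {"crm": "10.0.0.1", "wiki": "10.0.0.2"})
    c = Client(ctl)
    return {"login": c.login("alice", "pw"), "crm": c.access("crm", gws),
            "wiki": c.access("wiki", gws),                           # not in alice's list
            "direct": gws["10.0.0.2"].connect("10.255.0.2", "wiki")} # skipped second auth
```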
7. A communication device, disposed in a controller, the device comprising:
the receiving module is used for receiving a first authentication request sent by a client in the network equipment, wherein the first authentication request comprises authentication information of a user;
the authentication module is used for authenticating the user according to the authentication information;
the sending module is used for sending an authentication result to the client after the authentication module has authenticated the user, wherein the authentication result comprises a resource list of resources which are allowed to be accessed by the user and address information of gateway equipment corresponding to the resources which are allowed to be accessed by the user, so that the client sends a second authentication request to the target gateway device according to the address information of the target gateway device corresponding to the target resource when confirming that the user needs to access the target resource in the resource list; and, after confirming that the target gateway device has authenticated the user based on the second authentication request, sends a communication connection establishment request to the target gateway device to establish a communication connection with the target gateway device.
8. The apparatus of claim 7, wherein the authentication result further comprises a virtual network card address allocated for the client, the virtual network card address being used to instruct the client to configure a network card address of a local virtual network card as the virtual network card address, and send a second authentication request to the target gateway device through the virtual network card.
9. A communication apparatus, disposed in a client in a network device for communication with a controller, a gateway device, respectively, the apparatus comprising:
the first sending module is used for sending a first authentication request to the controller, wherein the first authentication request comprises authentication information of a user;
the receiving module is used for receiving an authentication result fed back by the controller after the user is authenticated according to the authentication information, wherein the authentication result comprises a resource list of resources which are allowed to be accessed by the user and address information of gateway equipment corresponding to the resources which are allowed to be accessed by the user;
the second sending module is used for sending a second authentication request to the target gateway equipment according to the address information of the target gateway equipment corresponding to the target resource when the user needs to access the target resource in the resource list;
the second sending module is further configured to send a communication connection establishment request to the target gateway device after confirming that the target gateway device passes the user authentication based on the second authentication request, so as to establish communication connection with the target gateway device.
10. The apparatus of claim 9, wherein the authentication result further comprises a virtual network card address assigned to the client;
the second sending module is specifically configured to configure a network card address of a local virtual network card as the virtual network card address, and to send a second authentication request to the target gateway equipment through the virtual network card.
11. The apparatus of claim 10, wherein the authentication result further comprises resource address information of resources in the resource list; the device further comprises:
the generation module is used for generating route information for accessing the target resource according to the local virtual network card and the resource address information so as to configure an output interface in the route information as the local virtual network card;
and the access module is used for accessing the target resource through the local virtual network card according to the routing information.
12. An electronic device comprising a processor and a machine-readable storage medium storing a computer program executable by the processor, the processor being caused by the computer program to perform the method of any one of claims 1-3 or to perform the method of any one of claims 4-6.
13. A machine-readable storage medium storing a computer program which, when invoked and executed by a processor, causes the processor to perform the method of any one of claims 1-3 or to perform the method of any one of claims 4-6.
CN202310769011.5A 2023-06-26 2023-06-26 Communication method, device, equipment and medium Pending CN116760877A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310769011.5A CN116760877A (en) 2023-06-26 2023-06-26 Communication method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310769011.5A CN116760877A (en) 2023-06-26 2023-06-26 Communication method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN116760877A true CN116760877A (en) 2023-09-15

Family

ID=87949428

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310769011.5A Pending CN116760877A (en) 2023-06-26 2023-06-26 Communication method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN116760877A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118432957A (en) * 2024-07-04 2024-08-02 阿里云计算有限公司 Network communication management and control method, readable storage medium, device and product

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination