CN116827646A - Terminal flow agent and access control method based on eBPF - Google Patents


Info

Publication number: CN116827646A
Authority: CN (China)
Prior art keywords: data packet, ebpf, access control, user, access
Legal status: Pending
Application number: CN202310817603.XA
Other languages: Chinese (zh)
Inventor: 张晓东
Current assignee: Jiangsu Yianlian Network Technology Co ltd
Original assignee: Jiangsu Yianlian Network Technology Co ltd
Events: application filed by Jiangsu Yianlian Network Technology Co ltd; priority to CN202310817603.XA; publication of CN116827646A; legal status pending.


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0245 Filtering by information in the payload
    • H04L63/0263 Rule management
    • H04L63/0281 Proxies
    • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Abstract

The invention discloses an eBPF-based terminal traffic proxy and access control method comprising the following steps: (1) the user requests access to an internal resource: when a user remotely accesses an enterprise's internal resources, the user first initiates a request; if the request is legitimate, the method proceeds to step (2), otherwise access is refused; (2) traffic steering and filtering: eBPF steers and filters the data packets according to the configured rules; (3) the processed service data packets are sent to the security gateway through the client Agent; (4) the user receives the target resource's response: if the data packet passes eBPF processing and is successfully forwarded to the target resource, the user receives the response and can access the required internal resource. The invention applies eBPF technology to terminal traffic steering, transmission, proxying, application identification and fine-grained control, so that terminal steering and filtering are more efficient, the transmission mode is more flexible, application identification is more accurate and fine-grained control is more precise.

Description

Terminal flow agent and access control method based on eBPF
Technical Field
The invention belongs to the technical field of network security, and in particular relates to an eBPF-based terminal traffic proxy and access control method.
Background
With globalization and flexible working arrangements, travelling staff and home-office staff need to work away from the office and want to reach the enterprise's internal resources over the Internet at any time and from any place. At the same time, to keep intranet resources safe, enterprises want to apply several kinds of identity authentication to mobile office users and to control finely which intranet resources those users may access.
The mainstream solutions in today's remote office scenario are access control products from the network security field, such as SSL VPN and zero trust SDP systems. Neither can enforce fine-grained traffic control on the terminal, which leads to poor terminal compatibility, low transmission efficiency and poor user experience; and in large-scale user access scenarios neither can handle large volumes of concurrent service requests efficiently and quickly.
The traditional SSL VPN architecture steers traffic through a virtual network adapter: traffic on the user device is intercepted and forwarded through the virtual adapter, then encrypted and tunnelled over the SSL protocol. The workflow is shown in Fig. 1:
step one: the user device sends a network request to the target server;
step two: the SSL VPN client intercepts the traffic on the user device and sends it to the virtual network adapter;
step three: the virtual network adapter forwards the traffic to the SSL VPN server;
step four: the SSL VPN server decrypts the traffic and forwards the request to the target server;
step five: the target server returns a response to the SSL VPN server;
step six: the SSL VPN server encrypts the response and forwards it to the user device;
step seven: the SSL VPN client on the user device decrypts the response, completing the request/response flow.
From this, the conventional SSL VPN has the following disadvantages:
performance bottlenecks: steering traffic through a virtual network adapter creates a performance bottleneck. The SSL VPN client must intercept and process traffic on the user device and hand it to the virtual adapter, which involves frequent switching between user space and kernel space and ultimately degrades performance.
Device compatibility: conventional SSL VPN clients usually require additional software to be installed on the user device, which can cause device compatibility issues. Different operating systems and devices require different client versions or configurations, which adds complexity to deployment and management.
Limitations: traditional SSL VPN steering usually works only at the network or transport layer, on IP addresses and ports. This is not flexible enough where traffic control at the application layer or above is required.
Security risk: because the traditional SSL VPN client runs on the user device and intercepts and processes traffic, it carries its own security risk. Malware or attackers may exploit vulnerabilities or unsafe configurations of the SSL VPN client, threatening the user device and the network.
Configuration and management complexity: conventional SSL VPNs typically need independent setup for each user device, including installation and configuration of the client and management of user credentials. This is cumbersome and complex for large-scale deployment and management.
Tunnel technology implements security control at the transport level and has three key parts: steering, transmission and proxying. Steering captures the service access traffic precisely, transmission carries the encrypted service access traffic to the tunnel proxy gateway, and proxying completes the service access at the gateway on the client's behalf.
The other mainstream approach, the zero trust SDP architecture, has two terminal steering and control modes. One is the same virtual network adapter mode as the traditional SSL VPN and is not repeated here. The other is a Packet Filtering-based steering scheme, in which a WFP filter driver is used to obtain user traffic and a rule engine is implemented in the filter driver layer. The workflow of the filter driver layer is shown in Fig. 2 and runs as follows:
step one: user initiated connection: the user initiates a connection request through the terminal device, for example to access an enterprise internal resource or a remote office application.
Step two: flow capture: at the end device, the WFP filter driver is located in the appropriate place in the network protocol stack, which is responsible for capturing and processing network traffic. When a user initiates a connection, the WFP filter driver intercepts the traffic.
Step three: security policy checking: the WFP filter driver examines the intercepted traffic according to a predefined security policy. These security policies may include a number of factors including source IP address, destination IP address, port number, application identification, etc.
Step four: authorization verification: after the security policy check passes, the WFP filter driver passes the traffic to the authorization verification module. The module performs identity verification on the user according to the identity authentication information of the user, such as a user name, a password, a certificate and the like.
Step five: access control: once the user passes the authentication, the WFP filter driver will decide whether to allow the traffic to continue to flow into the internal network according to the authorization level and rights of the user. Such access control may be based on a number of factors, such as user group, role, resource type, etc.
Step six: flow drainage: the access-controlled traffic will be directed to the enterprise's internal resources, i.e., the target servers or applications that are allowed access. In this way, the user can remotely access the resources within the enterprise and perform work or use the desired application.
From this, the Packet Filtering-based zero-trust SDP scheme has the following disadvantages:
limited fine-grained control: although Packet Filtering can implement coarse-grained access control based on IP, port and protocol, its fine-grained access control is limited. It cannot carefully control, or define policy for, factors such as specific applications, user identities or data content.
Lack of deep application identification: Packet Filtering filters and controls access mainly on network-layer and transport-layer information, and its ability to recognise and control the application layer is weak. It cannot accurately identify and process application-layer protocols, application features and behaviour, so it cannot meet the security requirements of a particular application.
Flexibility and scalability limitations: Packet Filtering typically relies on a specific filter driver or framework whose rule definition and configuration are relatively fixed, so it is hard to adapt flexibly to complex network environments and security requirements. When rules must be updated or extended dynamically, extra development and configuration work is needed, increasing the complexity of management and maintenance.
Performance overhead: Packet Filtering performs deep inspection and matching while processing and filtering packets, which introduces some performance overhead. In high-traffic, high-concurrency network environments this affects the system's processing capacity and network latency.
Therefore, the current mainstream access control products, SSL VPN, zero trust SDP and systems combining them, suffer from insufficient performance, an inability to achieve fine-grained access control, and insufficient security.
Disclosure of Invention
The invention aims to: address the problems in the prior art by providing an eBPF-based terminal traffic proxy and access control method which not only reduces the size and number of data packets, improves network performance and creates a lightweight, efficient access channel, but also enables more flexible access control and security policies.
The technical scheme is as follows: to solve the technical problems above, the invention provides an eBPF-based terminal traffic proxy and access control method comprising the following steps:
step 1: the user requests access to an internal resource: when a user remotely accesses the internal resources of an enterprise, the user first initiates a request; if the request is legitimate, proceed to step 2, otherwise refuse access;
step 2: traffic steering and filtering: eBPF steers and filters the data packets according to the configured rules;
step 2.1: steering the data packets;
step 2.2: filtering the data packets;
step 3: the processed service data packets are sent to the security gateway through the client Agent: the user's service request packets are filtered in the kernel layer and, once they hit the corresponding security rule, are steered to the security gateway; application-layer identification and fine-grained access control are then performed through eBPF;
step 4: the user receives the target resource's response: if the data packet passes eBPF processing and is successfully forwarded to the target resource, the user receives the response and can access the required internal resource.
Further, the specific sub-steps of the user's request for access to an internal resource in step 1 are:
step 1.1: the client Agent establishes an access tunnel and sends the user's authentication request to the control center;
step 1.2: the control center verifies the user's identity, rights and terminal security state and decides whether the request is legitimate; if so, proceed to step 1.3, otherwise refuse access;
step 1.3: if the control center judges the request legitimate, it reports this back to the zero-trust client, which is then allowed to forward the service traffic.
Further, the specific sub-steps of steering the data packets in step 2.1 are:
step 2.1.1: configuring steering rules: the rules for the steering operation must be defined; they may match on different conditions such as source IP address, destination IP address, port number and protocol;
step 2.1.2: steering match: when a network packet arrives at the system, the eBPF module checks whether the packet matches a steering rule. This is done by a filter defined in the eBPF module; if the packet matches a rule, the eBPF module steers it;
step 2.1.3: capturing the data packet: once a packet is determined to need steering, the eBPF module captures it and forwards it to the user-space program;
step 2.1.4: data packet forwarding: the filtering operation is applied to the steered packet, and packets meeting the filter condition are forwarded.
Further, the specific sub-steps of filtering the data packets in step 2.2 are:
step 2.2.1: defining filtering rules: determine the conditions of the packets to be filtered, such as source IP address, destination IP address, port number and protocol, and the security rules the traffic must satisfy, such as terminal compliance and contextual rules;
step 2.2.2: filtering the data packet: when a packet meets a filtering rule, the eBPF program processes it by dropping, modifying or forwarding it;
step 2.2.3: data packet forwarding: traffic whose packets match the filtering rule is forwarded on to the zero trust security gateway.
Further, in step 3 the processed service data packets are sent to the security gateway through the client Agent: the user's service request packets are filtered in the kernel layer and, once they hit the corresponding security rule, are steered to the security gateway; the specific sub-steps of application-layer identification and fine-grained access control through eBPF are:
step 3.1: the data packet is transmitted to the security gateway, which executes the access control policy to judge whether the user matches it. The policy mainly comprises a terminal security policy, an access behaviour policy, an identity security policy and an application security policy, with checks such as PC software black/white list detection, terminal antivirus software detection, patch detection, abnormal login-time detection and hacking-operation detection; if all security policy checks pass, proceed to step 3.2, otherwise the process ends;
step 3.2: traffic meeting the conditions continues to the security gateway through the access tunnel established by the client Agent;
step 3.3: application-layer identification by eBPF: eBPF identifies the application of the data packet, determining the application or service the user is accessing by analysing the features or protocol information in the packet;
step 3.4: fine-grained access control through eBPF;
step 3.5: data packet forwarding: depending on the eBPF processing result, the data packet is accepted, dropped or redirected to a specific destination.
Further, the specific sub-steps of application-layer identification by eBPF in step 3.3 are:
step 3.3.1: data packet parsing: the eBPF program parses the captured packet and extracts key network protocol header information such as source IP address, destination IP address, protocol type and port number;
step 3.3.2: application-layer filtering: the parsed packet is filtered by the filtering rules in the eBPF module, analysing application-layer features with a focus on protocols such as HTTP, HTTPS, SSH and Telnet;
step 3.3.3: application-layer identification: the filtered packet is further identified at the application layer. This is done by application-layer parsing logic in the eBPF program, which parses the packet payload and extracts key application-layer features such as HTTP headers and TLS handshake data.
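As an added illustration of steps 3.3.1 to 3.3.3 (example code, not from the patent or its assignee), the following C program shows the kind of application-layer classification the eBPF program would perform on a TCP payload: it recognises HTTP by the request-line method, SSH by its version banner, and a TLS ClientHello by the record and handshake headers, and for TLS it extracts the server_name (SNI) so that a policy can key on the host being contacted. It is written as portable user-space C with every byte access bounds-checked, which is the discipline the eBPF verifier imposes on an in-kernel parser; the sample ClientHello, the host name `intranet.example` and all helper names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum app_kind { APP_UNKNOWN = 0, APP_HTTP, APP_SSH, APP_TLS };

/* Every read goes through this check: never touch bytes past the buffer end. */
static int have(size_t off, size_t n, size_t len) { return off + n >= off && off + n <= len; }

static int starts_with(const uint8_t *p, size_t len, const char *tok) {
    size_t n = strlen(tok);
    return have(0, n, len) && memcmp(p, tok, n) == 0;
}

/* Walk a TLS ClientHello and copy its server_name (SNI) into out.
 * Returns 1 on success, 0 if this is not a complete ClientHello with an SNI. */
static int tls_client_hello_sni(const uint8_t *p, size_t len, char *out, size_t cap) {
    if (!have(0, 5, len) || p[0] != 0x16 || p[1] != 0x03) return 0;  /* handshake record, TLS major 3 */
    size_t rec_end = 5 + (((size_t)p[3] << 8) | p[4]);
    if (rec_end < len) len = rec_end;                                   /* never read past the record */
    size_t off = 5;
    if (!have(off, 4, len) || p[off] != 0x01) return 0;                 /* handshake type 1 = ClientHello */
    off += 4;                                                           /* type + 3-byte length */
    if (!have(off, 2 + 32 + 1, len)) return 0;
    off += 2 + 32;                                                      /* legacy_version + random */
    off += 1 + p[off];                                                  /* session_id */
    if (!have(off, 2, len)) return 0;
    off += 2 + ((((size_t)p[off]) << 8) | p[off + 1]);                 /* cipher_suites */
    if (!have(off, 1, len)) return 0;
    off += 1 + p[off];                                                  /* compression_methods */
    if (!have(off, 2, len)) return 0;
    size_t ext_end = off + 2 + ((((size_t)p[off]) << 8) | p[off + 1]);
    if (ext_end > len) return 0;
    off += 2;
    while (have(off, 4, ext_end)) {                                     /* extension: type(2) len(2) data */
        size_t type = ((size_t)p[off] << 8) | p[off + 1];
        size_t elen = ((size_t)p[off + 2] << 8) | p[off + 3];
        off += 4;
        if (!have(off, elen, ext_end)) return 0;
        if (type == 0 && elen >= 5) {                                   /* server_name: list_len(2) type(1) len(2) name */
            size_t nlen = ((size_t)p[off + 3] << 8) | p[off + 4];
            if (p[off + 2] != 0 || !have(off + 5, nlen, off + elen) || nlen + 1 > cap) return 0;
            memcpy(out, p + off + 5, nlen);
            out[nlen] = '\0';
            return 1;
        }
        off += elen;
    }
    return 0;
}

/* Classify the first bytes of a TCP payload; sni receives the TLS host name if present. */
enum app_kind classify_payload(const uint8_t *p, size_t len, char *sni, size_t cap) {
    static const char *methods[] = { "GET ", "POST ", "PUT ", "HEAD ", "DELETE ", "OPTIONS ", "PATCH ", "CONNECT " };
    if (sni && cap) sni[0] = '\0';
    for (size_t i = 0; i < sizeof methods / sizeof *methods; i++)
        if (starts_with(p, len, methods[i])) return APP_HTTP;
    if (starts_with(p, len, "SSH-")) return APP_SSH;
    if (have(0, 6, len) && p[0] == 0x16 && p[1] == 0x03 && p[5] == 0x01) {
        if (sni && cap) tls_client_hello_sni(p, len, sni, cap);
        return APP_TLS;
    }
    return APP_UNKNOWN;
}

/* Constructed sample input: a minimal ClientHello carrying `host` as SNI. Returns bytes written. */
size_t build_sample_client_hello(uint8_t *buf, size_t cap, const char *host) {
    size_t hl = strlen(host);
    size_t ext = 4 + 2 + 3 + hl;                       /* ext header + list len + entry header + name */
    size_t body = 2 + 32 + 1 + 2 + 2 + 1 + 1 + 2 + ext;
    if (5 + 4 + body > cap || hl > 255) return 0;
    uint8_t *q = buf;
    *q++ = 0x16; *q++ = 0x03; *q++ = 0x01; *q++ = (uint8_t)((4 + body) >> 8); *q++ = (uint8_t)(4 + body);
    *q++ = 0x01; *q++ = 0; *q++ = (uint8_t)(body >> 8); *q++ = (uint8_t)body;    /* ClientHello header */
    *q++ = 0x03; *q++ = 0x03;                          /* legacy_version */
    memset(q, 0xAB, 32); q += 32;                      /* random (constructed, not random) */
    *q++ = 0;                                          /* empty session_id */
    *q++ = 0; *q++ = 2; *q++ = 0x13; *q++ = 0x01;      /* one cipher suite */
    *q++ = 1; *q++ = 0;                                /* null compression */
    *q++ = (uint8_t)(ext >> 8); *q++ = (uint8_t)ext;
    *q++ = 0; *q++ = 0; *q++ = (uint8_t)((ext - 4) >> 8); *q++ = (uint8_t)(ext - 4);   /* server_name ext */
    *q++ = (uint8_t)((hl + 3) >> 8); *q++ = (uint8_t)(hl + 3);
    *q++ = 0; *q++ = (uint8_t)(hl >> 8); *q++ = (uint8_t)hl;
    memcpy(q, host, hl); q += hl;
    return (size_t)(q - buf);
}

int main(void) {
    uint8_t pkt[256]; char sni[64];
    size_t n = build_sample_client_hello(pkt, sizeof pkt, "intranet.example");
    printf("kind=%d sni=%s\n", classify_payload(pkt, n, sni, sizeof sni), sni);
    const char http[] = "GET /portal HTTP/1.1\r\nHost: intranet.example\r\n\r\n";
    printf("kind=%d\n", classify_payload((const uint8_t *)http, sizeof http - 1, NULL, 0));
    return 0;
}
```

The classifier reads only what a decision needs. A ClientHello split across TCP segments, or a record shorter than its declared length, still classifies as APP_TLS but yields an empty SNI, so a policy keyed on host name must treat "no SNI" as its own case (for instance, defer until more bytes arrive) rather than as a match.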
Further, the specific sub-steps of fine-grained access control through eBPF in step 3.4 are:
step 3.4.1: eBPF program loading and initialization:
step 3.4.1.1: load and initialize the eBPF program in the operating system; this program is responsible for parsing and processing data packets;
step 3.4.1.2: configure the eBPF program's access control policy, which comprises an IP address range, a port number range and a process identifier;
step 3.4.2: parsing the data packet;
step 3.4.3: matching the access control policy;
step 3.4.4: data packet processing.
Further, the specific sub-steps of data packet parsing in step 3.4.2 are:
step 3.4.2.1: when the data packet reaches the operating system's network layer, the eBPF program intercepts it and parses its header information;
step 3.4.2.2: extract the source IP address, destination IP address, source port number, destination port number and the related process identification from the data packet.
Further, the specific sub-steps of access control policy matching in step 3.4.3 are:
step 3.4.3.1: match the parsed IP address against the IP access control list to decide whether packets for that IP address may pass;
step 3.4.3.2: match the parsed port number against the port access control policy to decide whether packets for that port number may pass;
step 3.4.3.3: match the parsed process identification against the process access control policy to decide whether that process's packets may pass.
Further, the specific sub-steps of data packet processing in step 3.4.4 are:
step 3.4.4.1: if the data packet matches the access control policy, allow it to pass and continue transmitting it to the target address;
step 3.4.4.2: if the data packet fails to match the access control policy, block its transmission and optionally discard it or take other processing actions.
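The steering and filtering match of steps 2.1.2 and 2.2.2 and the parse, match and verdict pipeline of steps 3.4.2 to 3.4.4 are the same rule-engine logic; what follows is an added example of it (not the patent's or the assignee's code), written in portable C so it can be compiled and run in user space. Header parsing is bounds-checked against the packet length, as the eBPF verifier demands of an XDP or TC program; the process identifier is passed in as an argument because in a kernel program it would come from a socket or cgroup hook rather than from the packet bytes; the policy, addresses, port numbers and pid 4242 are constructed values, and the `pid` field of the rule is a hypothetical name.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum verdict { V_DROP = 0, V_PASS = 1, V_REDIRECT = 2 };

struct flow { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };   /* host byte order */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Step 3.4.2: parse Ethernet/IPv4/TCP|UDP headers into a 5-tuple. Returns 0 when the
 * packet is malformed or not IPv4 TCP/UDP; every access is checked against len first. */
int parse_flow(const uint8_t *pkt, size_t len, struct flow *f) {
    if (len < 14 || rd16(pkt + 12) != 0x0800) return 0;           /* not IPv4 */
    const uint8_t *ip = pkt + 14;
    if (len < 14 + 20 || (ip[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || len < 14 + ihl + 4) return 0;                 /* need at least the two ports */
    f->proto = ip[9];
    if (f->proto != 6 && f->proto != 17) return 0;
    f->saddr = rd32(ip + 12);
    f->daddr = rd32(ip + 16);
    f->sport = rd16(ip + ihl);
    f->dport = rd16(ip + ihl + 2);
    return 1;
}

/* Step 3.4.1.2: one policy entry: destination CIDR, destination port range, protocol, process. */
struct rule {
    uint32_t net; uint8_t prefix;      /* destination network, CIDR prefix length */
    uint16_t port_lo, port_hi;         /* inclusive destination port range */
    uint8_t proto;                     /* 0 = any */
    uint32_t pid;                      /* 0 = any process (hypothetical field) */
    enum verdict action;
};

static int cidr_match(uint32_t addr, uint32_t net, uint8_t prefix) {
    uint32_t mask = prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
    return (addr & mask) == (net & mask);
}

/* Steps 3.4.3 and 3.4.4: first matching rule wins; no match means drop (default deny). */
enum verdict evaluate(const struct flow *f, uint32_t pid, const struct rule *rules, size_t n) {
    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if (!cidr_match(f->daddr, r->net, r->prefix)) continue;
        if (f->dport < r->port_lo || f->dport > r->port_hi) continue;
        if (r->proto && r->proto != f->proto) continue;
        if (r->pid && r->pid != pid) continue;
        return r->action;
    }
    return V_DROP;
}

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed sample packet: Ethernet + IPv4 (no options) + TCP SYN header, 54 bytes. */
size_t build_tcp_packet(uint8_t *buf, size_t cap, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport) {
    if (cap < 54) return 0;
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                               /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45; ip[3] = 40; ip[8] = 64; ip[9] = 6;              /* v4, IHL 5, total len 40, TTL 64, TCP */
    for (int i = 0; i < 4; i++) { ip[12 + i] = (uint8_t)(src >> (24 - 8 * i)); ip[16 + i] = (uint8_t)(dst >> (24 - 8 * i)); }
    uint8_t *tcp = ip + 20;
    tcp[0] = (uint8_t)(sport >> 8); tcp[1] = (uint8_t)sport;
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50; tcp[13] = 0x02;                               /* data offset 5, SYN */
    return 54;
}

/* Constructed policy: only the agent process (pid 4242) may steer HTTPS to the intranet
 * range; SSH to one jump host is allowed for any process; everything else is dropped. */
static const struct rule sample_policy[] = {
    { IP4(10, 10, 0, 0), 16, 443, 443, 6, 4242, V_REDIRECT },
    { IP4(10, 10, 0, 5), 32,  22,  22, 6,    0, V_PASS },
};

enum verdict decide(const uint8_t *pkt, size_t len, uint32_t pid) {
    struct flow f;
    if (!parse_flow(pkt, len, &f)) return V_DROP;                /* unparseable: fail closed */
    return evaluate(&f, pid, sample_policy, sizeof sample_policy / sizeof *sample_policy);
}

int main(void) {
    uint8_t pkt[64];
    size_t n = build_tcp_packet(pkt, sizeof pkt, IP4(192, 168, 1, 20), IP4(10, 10, 3, 7), 51000, 443);
    printf("agent -> 10.10.3.7:443 verdict=%d\n", decide(pkt, n, 4242));
    printf("other -> 10.10.3.7:443 verdict=%d\n", decide(pkt, n, 1));
    return 0;
}
```

The policy is first-match with an implicit default deny, and an unparseable packet (too short, not IPv4, not TCP/UDP) also ends in V_DROP, so a malformed packet cannot slip past the rules. In an actual eBPF program the rule array would live in a BPF map populated from user space, and the verdict would map to the hook's return codes (pass, drop or redirect) rather than an enum.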
Compared with the prior art, the invention has the following advantages:
the invention adopts a novel eBPF-based steering, transmission and proxy mode in the zero trust SDP architecture, converting network-level tunnel technology into application-level packet filtering. By filtering and processing the data packets at the application layer, the size and number of packets can be reduced, network performance improved, a lightweight and efficient access channel created, and more flexible access control and security policies realised.
The invention adopts terminal steering and a security proxy: eBPF implements the steering and security proxy functions on the terminal device. It captures and processes network packets at the kernel level and monitors and analyses traffic in real time. By identifying malicious traffic, application-layer protocols and security threats, eBPF provides finer-grained security control and protection.
The invention adopts network transmission and encryption: eBPF is integrated with the network transport-layer protocol to encrypt and decrypt data packets, ensuring the confidentiality and integrity of data in transit. By performing encryption and decryption efficiently at the kernel level, eBPF reduces transmission latency and provides stronger data security.
The invention adopts application-layer identification and access control: eBPF can deeply analyse the application-layer content of packets and identify and classify application-layer protocols. This lets eBPF control and manage access at fine granularity according to application-layer characteristics, including dynamic adjustment of access rights, traffic restrictions and QoS policies for a particular application or service.
The invention adopts fine-grained traffic management and quality control: eBPF implements traffic management and quality control at the kernel level, including bandwidth control, traffic shaping and queue scheduling. By processing packets and making decisions in real time, eBPF provides a more flexible and intelligent traffic management mechanism, ensures priority handling of important services and improves network performance and user experience.
The invention adopts security policy enforcement and audit: eBPF may be used to enforce security policies and to provide audit and logging functions. It monitors and intercepts network activity at the kernel level and records in real time how the security policy is enforced. With rich audit information and log data, eBPF assists security teams in threat detection, security incident response, risk assessment and other tasks.
The invention also has the following advantages over conventional solutions:
optimised performance: eBPF executes packet processing and security policy at the kernel level, avoiding frequent switching between user mode and kernel mode and providing faster, more efficient packet processing. The eBPF-based zero-trust SDP therefore has lower latency and higher throughput when handling network traffic and enforcing security policies.
Powerful application-layer analysis: eBPF can perform deep application-layer analysis, identifying and classifying various application-layer protocols. On this basis, zero trust SDP can tailor access control and traffic management to different applications. By identifying application-layer features, an enterprise can better protect key business and sensitive data and control access rights precisely.
Real-time security monitoring and response: eBPF can monitor network activity in real time and intercept and process malicious traffic and security threats at the kernel level. This lets zero-trust SDP detect and respond to security events quickly, reducing the impact of potential threats on networks and systems. Timely security monitoring and response improve security and reduce the effect of security incidents on services.
Fine-grained network traffic control: eBPF can monitor and analyse network packets in real time and control traffic finely according to predefined rules and policies. An enterprise may define access policies across multiple dimensions such as user, application, protocol and port, implementing restrictions, permissions or denials for particular traffic.
Dynamic access rights adjustment: eBPF allows access rights to be adjusted dynamically according to real-time conditions. By monitoring and analysing traffic in real time, eBPF can automatically identify and respond to security threats or abnormal activity and update access policies on the fly. This dynamic adjustment can quickly prevent unauthorised access and improves the security and flexibility of the system.
Drawings
Fig. 1 is a flowchart of a conventional SSL VPN in the prior art;
Fig. 2 is a flowchart of the WFP-based zero-trust SDP in the prior art;
Fig. 3 is a flowchart of the present invention.
Detailed Description
The invention is further elucidated below in connection with the drawings and the detailed description.
As shown in fig. 3, the present invention provides an eBPF-based terminal flow agent and access control method, which specifically includes the following steps:
step 1: the user requests access to an internal resource: when a user remotely accesses the internal resources of an enterprise, a request is first initiated; if the request is legitimate, proceed to step 2, otherwise access is refused;
step 1.1: the client Agent establishes an access tunnel and sends the user's authentication request to the control center;
step 1.2: the control center verifies the user identity, the user's authority and the terminal security state and confirms whether the request is legitimate; if it is, proceed to step 1.3, otherwise access is refused;
step 1.3: if the control center judges the request legitimate, it feeds the result back to the zero-trust client, and the client is allowed to forward the service traffic.
Step 2: drainage and filtering: the eBPF program drains (steers) and filters data packets according to the configured rules;
step 2.1: performing the drainage operation on the data packet;
step 2.1.1: configuring drainage rules: rules for the drainage operation must be defined; they can match on different conditions such as source IP address, destination IP address, port number, protocol, etc.;
step 2.1.2: drainage matching: when a network packet arrives at the system, the eBPF module checks whether the packet matches a drainage rule. This is implemented by a filter defined in the eBPF module; if the packet matches a rule, the eBPF module drains it;
step 2.1.3: capturing the data packet: once a packet is determined to need draining, the eBPF module captures it and forwards it to the user space program;
step 2.1.4: data packet forwarding: the filtering operation is applied to the drained packet, and a packet meeting the filtering conditions is forwarded.
Step 2.2: filtering the data packet;
step 2.2.1: defining filtering rules: determining the conditions of the specific packets to be filtered, such as source IP address, destination IP address, port number, protocol, etc., and the security rules the traffic must satisfy, such as terminal compliance and context environment rules;
step 2.2.2: filtering the data packet: when a packet meets a filtering rule, the eBPF program processes it, which includes discarding, modifying or forwarding;
step 2.2.3: data packet forwarding: traffic of packets matching the filtering rules is forwarded on to the zero-trust security gateway.
Step 3: the processed service data packet is sent to the security gateway through the client Agent: the user's service request packet is filtered by the kernel layer, and after it hits the corresponding security rule it is led to the security gateway; application layer identification and refined access control are performed through eBPF;
step 3.1: the data packet is transmitted to the security gateway, which executes the access control policy to judge whether the user matches it. The policy mainly comprises a terminal security policy, an access behavior policy, an identity security policy, an application security policy and the like, for example PC terminal software black-and-white list detection, terminal antivirus software detection, patch detection, abnormal-time login detection and hacking attack operation detection. If all security policies pass, proceed to step 3.2; if any does not pass, the process ends;
step 3.2: traffic meeting the conditions continues to be sent to the security gateway through the access tunnel established by the client Agent;
step 3.3: application layer identification by eBPF: the eBPF program performs application identification on the data packet and determines the application or service the user is accessing by analyzing the characteristics or protocol information in the packet;
step 3.3.1: data packet analysis: the eBPF program parses the captured packet and extracts key network protocol header information such as source IP address, destination IP address, protocol type, port number, etc.;
step 3.3.2: application layer filtering: the parsed packet is filtered through the filtering rules in the eBPF module and its application layer characteristics are analyzed, with the focus on protocol analysis, such as HTTP, HTTPS, SSH and Telnet;
step 3.3.3: application layer identification: the application layer of the filtered packet is further identified. This can be achieved by application layer parsing logic in the eBPF program that parses the packet payload and extracts key application layer features such as HTTP headers, TLS handshake data, etc.
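To make steps 3.3.1 to 3.3.3 concrete, the following is an added example (not code from the patent or its applicant) of the application-layer identification an eBPF program would perform on a captured TCP payload, written as portable user-space C so it compiles and runs without a kernel. The protocol checks, the HTTP Host and TLS SNI extraction, and the sample payloads are all this example's own assumptions; the bounds check before every length field is the discipline the eBPF verifier enforces on packet accesses.

```c
/* Added example, not code from the patent: application-layer identification
 * (steps 3.3.1 to 3.3.3) as portable user-space C.  A real eBPF program would
 * apply the same bounds-checked parsing to the packet data pointer; the
 * protocol checks and sample payloads are this example's own assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum app_proto { APP_UNKNOWN = 0, APP_HTTP, APP_TLS };

/* Coarse protocol identification from the first bytes of a TCP payload. */
enum app_proto identify_proto(const uint8_t *p, size_t len)
{
    static const char *methods[] = { "GET ", "POST ", "PUT ", "HEAD ", "DELETE ", NULL };
    /* TLS record type 0x16 (handshake), major version 3, handshake type 1 = ClientHello */
    if (len >= 6 && p[0] == 0x16 && p[1] == 0x03 && p[5] == 0x01)
        return APP_TLS;
    for (int i = 0; methods[i]; i++)
        if (len >= strlen(methods[i]) && memcmp(p, methods[i], strlen(methods[i])) == 0)
            return APP_HTTP;
    return APP_UNKNOWN;
}

/* Copy the HTTP Host header value into out; returns 1 on success. */
int http_host(const uint8_t *p, size_t len, char *out, size_t outsz)
{
    static const char needle[] = "\r\nHost: ";
    size_t nl = sizeof needle - 1;
    for (size_t i = 0; i + nl <= len; i++) {
        if (memcmp(p + i, needle, nl) != 0) continue;
        size_t s = i + nl, e = s;
        while (e < len && p[e] != '\r') e++;          /* value runs to end of line */
        if (e - s >= outsz) return 0;
        memcpy(out, p + s, e - s);
        out[e - s] = '\0';
        return 1;
    }
    return 0;
}

/* Extract the server_name (SNI) from a TLS ClientHello; every length field is
 * checked against the buffer before use, as the eBPF verifier would demand. */
int tls_sni(const uint8_t *p, size_t len, char *out, size_t outsz)
{
    if (len < 9 || p[0] != 0x16 || p[5] != 0x01) return 0;
    size_t i = 5 + 4 + 2 + 32;               /* record hdr, handshake hdr, version, random */
    if (i + 1 > len) return 0;
    i += 1 + p[i];                           /* session id */
    if (i + 2 > len) return 0;
    i += 2 + ((size_t)p[i] << 8 | p[i + 1]); /* cipher suites */
    if (i + 1 > len) return 0;
    i += 1 + p[i];                           /* compression methods */
    if (i + 2 > len) return 0;
    size_t ext_end = i + 2 + ((size_t)p[i] << 8 | p[i + 1]);
    if (ext_end > len) return 0;
    for (i += 2; i + 4 <= ext_end; ) {       /* walk the extension list */
        unsigned type = (unsigned)p[i] << 8 | p[i + 1];
        size_t elen = (size_t)p[i + 2] << 8 | p[i + 3];
        i += 4;
        if (i + elen > ext_end) return 0;
        if (type == 0 && elen >= 5) {        /* server_name: list len(2), type(1), len(2), name */
            size_t nlen = (size_t)p[i + 3] << 8 | p[i + 4];
            if (p[i + 2] != 0 || 5 + nlen > elen || nlen >= outsz) return 0;
            memcpy(out, p + i + 5, nlen);
            out[nlen] = '\0';
            return 1;
        }
        i += elen;
    }
    return 0;
}

/* Protocol plus the application-level identity (Host or SNI) that a refined
 * access-control rule of step 3.4 can then be matched against. */
const char *classify(const uint8_t *p, size_t len)
{
    static char result[160];
    char name[128];
    switch (identify_proto(p, len)) {
    case APP_HTTP:
        snprintf(result, sizeof result, "http host=%s", http_host(p, len, name, sizeof name) ? name : "unknown");
        break;
    case APP_TLS:
        snprintf(result, sizeof result, "tls sni=%s", tls_sni(p, len, name, sizeof name) ? name : "unknown");
        break;
    default:
        return "unknown";
    }
    return result;
}

/* Constructed sample payloads (not captured traffic). */
const char SAMPLE_HTTP[] = "GET /hr/payroll HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: demo\r\n\r\n";
const uint8_t SAMPLE_TLS[] = {
    0x16, 0x03, 0x01, 0x00, 0x48, 0x01, 0x00, 0x00, 0x44,   /* record hdr (len 72), ClientHello (len 68) */
    0x03, 0x03, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* version, random */
    0x00, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00,                /* sid len 0, one suite, one compression */
    0x00, 0x19, 0x00, 0x00, 0x00, 0x15,                      /* ext len 25, server_name ext len 21 */
    0x00, 0x13, 0x00, 0x00, 0x10,                            /* list len 19, host_name, name len 16 */
    'i','n','t','r','a','n','e','t','.','e','x','a','m','p','l','e'
};

int main(void)
{
    printf("%s\n", classify((const uint8_t *)SAMPLE_HTTP, strlen(SAMPLE_HTTP)));
    printf("%s\n", classify(SAMPLE_TLS, sizeof SAMPLE_TLS));
    return 0;
}
```

The host name or SNI that `classify` returns is the application-level identity a step 3.4 rule can match on. A truncated ClientHello (the `classify(SAMPLE_TLS, 20)` case) yields `tls sni=unknown` instead of reading past the buffer, which is the failure mode a kernel-side parser must handle.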
Step 3.4: performing refined access control through eBPF;
step 3.4.1: eBPF program loading and initialization:
step 3.4.1.1: loading and initializing the eBPF program in the operating system; this program is responsible for parsing and processing data packets;
step 3.4.1.2: configuring the access control policy of the eBPF program, which comprises an IP address range, a port number range and a process identifier;
step 3.4.2: parsing the data packet;
step 3.4.2.1: when the packet reaches the network layer of the operating system, the eBPF program intercepts it and parses its header information;
step 3.4.2.2: extracting the source IP address, destination IP address, source port number and destination port number from the packet, together with the associated process identification information;
step 3.4.3: matching the access control policy;
step 3.4.3.1: matching the parsed IP address against the IP access control list to determine whether packets from that IP address are allowed to pass;
step 3.4.3.2: matching the parsed port number against the port access control policy to determine whether packets for that port number are allowed to pass;
step 3.4.3.3: matching the parsed process identifier against the process access control policy to determine whether packets of that process are allowed to pass;
step 3.4.4: data packet processing.
Step 3.4.4.1: if the packet successfully matches the access control policy, it is allowed to pass and continues to be transmitted to the destination address;
step 3.4.4.2: if the packet fails to match the access control policy, its transmission is blocked and it is discarded or other processing actions are taken.
Step 3.5: data packet forwarding: depending on the eBPF processing result, the packet is delivered to a specific destination by accepting, dropping or redirecting.
Step 4: the user receives the target resource response: if the packet passes eBPF processing and is successfully forwarded to the target resource, the user receives the response and accesses the required internal resources.
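As an added example (not from the patent or its applicant), the following portable C program walks through steps 3.4.2 to 3.5 on constructed packets: it parses the IPv4 header and transport ports, matches the 5-tuple and process identifier against an access control list with first-match semantics, and returns accept, drop or redirect, defaulting to drop when nothing matches or the packet is malformed. The drainage rules of step 2.1 match on the same header fields, so the same parser serves that step. In a deployment this logic would sit in an eBPF program at the TC or XDP hook, with the policy in a BPF map and the process identifier taken from the socket context; the addresses, ports, rules and packets here are invented for the demo.

```c
/* Added example, not code from the patent: header parsing and access-control
 * matching of steps 3.4.2 to 3.5 as portable user-space C (the drainage rules of
 * step 2.1 match on the same 5-tuple).  In a deployment the parser would run in an
 * eBPF program at the TC or XDP hook and the policy would sit in a BPF map; here
 * the policy is a static array and the caller supplies the process id.  Addresses,
 * ports, rules and packets are all constructed for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1, VERDICT_REDIRECT = 2 };
struct flow {                    /* fields extracted in step 3.4.2.2 */
    uint32_t src_ip, dst_ip;     /* host byte order */
    uint16_t src_port, dst_port; uint8_t proto;
    uint32_t pid;                /* owning process, 0 if unknown */
};

struct rule {                    /* one policy entry of step 3.4.1.2 */
    uint32_t src_net, src_mask, dst_net, dst_mask;
    uint16_t dport_lo, dport_hi; uint32_t pid;   /* pid 0 = any process */
    enum verdict action;
};

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed policy: agent process 4242 may reach 10.0.0.0/8 on 443; SSH from the
 * office range is diverted to a step-up authentication handler; anything else is denied. */
static const struct rule POLICY[] = {
    { IP4(192,168,1,0), 0xffffff00, IP4(10,0,0,0), 0xff000000, 443, 443, 4242, VERDICT_ACCEPT },
    { IP4(192,168,1,0), 0xffffff00, IP4(10,0,0,0), 0xff000000,  22,  22,    0, VERDICT_REDIRECT },
};

/* Step 3.4.2: parse the IPv4 header and transport ports.  Every access is
 * bounds-checked first, as the eBPF verifier requires.  Returns 0 if malformed. */
int parse_packet(const uint8_t *pkt, size_t len, uint32_t pid, struct flow *f)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return 0;
    memset(f, 0, sizeof *f);
    f->proto = pkt[9];
    f->src_ip = IP4(pkt[12], pkt[13], pkt[14], pkt[15]);
    f->dst_ip = IP4(pkt[16], pkt[17], pkt[18], pkt[19]);
    if (f->proto == 6 || f->proto == 17) {       /* TCP/UDP: ports come first */
        if (len < ihl + 4) return 0;
        f->src_port = (uint16_t)(pkt[ihl] << 8 | pkt[ihl + 1]);
        f->dst_port = (uint16_t)(pkt[ihl + 2] << 8 | pkt[ihl + 3]);
    }
    f->pid = pid;
    return 1;
}

/* Step 3.4.3: first-match evaluation of IP list, port range and process id. */
enum verdict match_policy(const struct flow *f, const struct rule *rules, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if ((f->src_ip & r->src_mask) != r->src_net) continue;
        if ((f->dst_ip & r->dst_mask) != r->dst_net) continue;
        if (f->dst_port < r->dport_lo || f->dst_port > r->dport_hi) continue;
        if (r->pid != 0 && r->pid != f->pid) continue;
        return r->action;
    }
    return VERDICT_DROP;                         /* step 3.4.4.2: default deny */
}

/* Step 3.5 on raw bytes: parse, then match; unparsable packets are dropped. */
enum verdict decide_raw(const uint8_t *pkt, size_t len, uint32_t pid)
{
    struct flow f;
    if (!parse_packet(pkt, len, pid, &f)) return VERDICT_DROP;
    return match_policy(&f, POLICY, sizeof POLICY / sizeof POLICY[0]);
}

/* Minimal IPv4/TCP packet (no checksums) so the path runs without a network. */
size_t build_ipv4_tcp(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = 6; buf[32] = 0x50; /* v4/ihl 5, len, ttl, TCP, doff */
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    buf[20] = sport >> 8; buf[21] = sport & 0xff; buf[22] = dport >> 8; buf[23] = dport & 0xff;
    return 40;
}

/* Round trip: build a packet, parse it, match it. */
enum verdict decide_flow(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport, uint32_t pid)
{
    uint8_t pkt[40];
    return decide_raw(pkt, build_ipv4_tcp(pkt, src, dst, sport, dport), pid);
}

int main(void)
{
    static const char *names[] = { "DROP", "ACCEPT", "REDIRECT" };
    printf("pid 4242 -> 10.0.5.7:443 %s\n", names[decide_flow(IP4(192,168,1,20), IP4(10,0,5,7), 51000, 443, 4242)]);
    printf("pid 1    -> 10.0.5.7:22  %s\n", names[decide_flow(IP4(192,168,1,20), IP4(10,0,5,7), 51000, 22, 1)]);
    return 0;
}
```

The redirect verdict models the "redirect to forced secondary authentication" path the description gives for flows that match the policy but need extra handling; a packet shorter than the IPv4 header, or from a source outside every rule, falls through to drop, so the parser never reads outside the buffer and an unconfigured flow is never allowed by accident.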
In the invention, the eBPF program parses the data packet, matches it against the access control policy, and decides how the packet is processed according to the matching result. If the packet passes the access control policy check, it is accepted and passed on to the destination address. If the packet does not pass the check, it is discarded by the security gateway, i.e. it is not transmitted further. In addition, for specific packets the eBPF program can redirect the packet to a specific destination for further processing as needed. For example, if the current user's terminal environment carries a higher risk, such as a critical patch or the antivirus engine library being too old, the packet is redirected to a patch server or antivirus server to update the version and signatures; or, if the user triggers a security policy such as remote login, abnormal-time login or password brute forcing, the packet is redirected to forced secondary authentication for identity verification. Such processing usually serves to further verify the terminal risk and identity risk, so as to ensure that the account and device initiating the packet are trustworthy. In this way, precise control and directed management of network traffic can be realized through the refined access control and packet forwarding capability of eBPF.
Accept (Accept):
when the packet meets the conditions of the access control policy, the eBPF program may accept it and continue passing it on to the destination address.
An accepted packet continues to be forwarded from the source address to the destination address following the normal network flow.
Drop (Drop):
when the packet does not meet the conditions of the access control policy, the eBPF program may choose to drop it, i.e. not continue delivery.
A dropped packet is discarded directly and is not passed to the destination address, thereby preventing unauthorized data flows through the network.
Redirect (Redirect):
when the packet meets the conditions of the access control policy but requires specific processing, the eBPF program may redirect it to a specific destination.
Redirection is typically used to send packets to a particular handler, application or network device for further analysis, processing or operation.
Specific embodiments of the invention are as follows:
Embodiment one:
Assume that ABC corporation is an enterprise with sensitive services and that, to ensure the security of its data, it employs an eBPF-based refined access control scheme. The following is a case in which a user requests access to an internal resource; it covers a terminal security policy, an access behavior policy and an application security policy.
Step 1: user requests access to internal resources
User A remotely accesses ABC company's internal resources.
User A's request is first checked by the security gateway.
Step 2: drainage and filtering
The eBPF program is loaded and initialized and the access control policy is configured.
The security gateway passes User A's data packet to the eBPF program for drainage and filtering.
Step 2.1: packet drainage operation
Drainage rules are configured, for example to match on source IP address, destination IP address and port number.
The eBPF program checks whether the packet matches a drainage rule.
The packet matches, and the eBPF program captures it and forwards it to the user space program.
Step 2.2: packet filtering operation
Filtering rules are defined, for example matching on conditions such as terminal security, access behavior and application security.
The eBPF program checks, according to the filtering rules, whether the packet meets the security policy requirements.
If the packet matches, the next step continues; if the match fails, the packet is discarded or other processing measures are taken.
Step 3: the processed service data packet is sent to the security gateway through the client Agent
The client Agent sends the packet that conforms to the security policy to the security gateway.
The packet again undergoes application layer identification and refined access control through the eBPF program.
Step 4: the user receives the target resource response
If the packet passes eBPF processing and is successfully forwarded to the target resource, the user receives the response and accesses the required internal resources.
If the packet fails the security policy detection, the user cannot access the target resource, and the security gateway may prevent the packet from being transmitted or take other appropriate action.
In this case the eBPF program plays an important role in the terminal traffic proxy and access control procedures. By loading and initializing the eBPF program and configuring a fine-grained access control policy, a packet is transmitted onward and reaches internal resources only after it has undergone the drainage and filtering operations and conforms to the security policy. At the same time, through the cooperation of the user space program and the client Agent, application layer identification and refined access control are further realized. The scheme ensures the security of resources inside the enterprise and prevents unauthorized access and potential security threats.
Embodiment two:
Assume that ABC hospital is an important medical institution which, in order to protect patient privacy and the security of medical data, employs an eBPF-based refined access control scheme. The following is a case in which a user accesses the hospital system remotely; it covers a terminal security policy, an access behavior policy and an identity security policy.
Step 1: user requests remote access to the hospital system
User A requests access to the hospital system through the remote access platform provided by the hospital.
User A's request is first checked by the security gateway.
Step 2: drainage and filtering
The eBPF program is loaded and initialized and the access control policy is configured.
The security gateway passes User A's data packet to the eBPF program for drainage and filtering.
Step 2.1: packet drainage operation
Drainage rules are configured, for example to match on source IP address, destination IP address and port number.
The eBPF program checks whether the packet matches a drainage rule.
The packet matches, and the eBPF program captures it and forwards it to the user space program.
Step 2.2: packet filtering operation
Filtering rules are defined, for example matching on conditions of terminal security, access behavior and identity security.
The eBPF program checks, according to the filtering rules, whether the packet meets the security policy requirements.
If the packet matches, the next step continues; if the match fails, the packet is discarded or other processing measures are taken.
Step 3: the processed service data packet is sent to the security gateway through the client Agent
The client Agent sends the packet that conforms to the security policy to the security gateway.
The packet again undergoes application layer identification and refined access control through the eBPF program.
Step 4: the user receives the response of the hospital system
If the packet passes eBPF processing and is successfully forwarded to the hospital system, the user receives the response and accesses the required medical services.
If the packet fails the security policy detection, the user cannot access the hospital system, and the security gateway may prevent the packet from being transmitted or take other appropriate action.
In this case the eBPF program plays a key role in the terminal traffic proxy and access control procedures. By loading and initializing the eBPF program and configuring a fine-grained access control policy, user requests can be filtered and controlled precisely. According to the different policy requirements, a packet can be accepted, discarded or redirected, thereby realizing fine-grained access control. The scheme effectively protects the security of the hospital system and patient data and prevents unauthorized access and potential threats.
The foregoing is merely exemplary of the present invention and is not intended to limit the present invention. All equivalents and alternatives falling within the spirit of the invention are intended to be included within the scope of the invention. What is not elaborated on the invention belongs to the prior art which is known to the person skilled in the art.

Claims (10)

1. An eBPF-based terminal flow agent and access control method, characterized by comprising the following steps:
step 1: the user requests access to an internal resource: when a user remotely accesses the internal resources of an enterprise, a request is first initiated; if the request is legitimate, proceed to step 2, otherwise access is refused;
step 2: drainage and filtering: the eBPF program drains (steers) and filters data packets according to the configured rules;
step 2.1: performing the drainage operation on the data packet;
step 2.2: filtering the data packet;
step 3: the processed service data packet is sent to the security gateway through the client Agent: the user's service request packet is filtered by the kernel layer, and after it hits the corresponding security rule it is led to the security gateway; application layer identification and refined access control are performed through eBPF;
step 4: the user receives the target resource response: if the packet passes eBPF processing and is successfully forwarded to the target resource, the user receives the response and accesses the required internal resources.
2. The eBPF-based terminal flow agent and access control method of claim 1, wherein the specific steps of step 1, in which the user requests access to the internal resource, are as follows:
step 1.1: the client Agent establishes an access tunnel and sends the user's authentication request to the control center;
step 1.2: the control center verifies the user identity, the user's authority and the terminal security state and confirms whether the request is legitimate; if it is, proceed to step 1.3, otherwise access is refused;
step 1.3: if the control center judges the request legitimate, it feeds the result back to the zero-trust client, and the client is allowed to forward the service traffic.
3. The eBPF-based terminal flow agent and access control method of claim 1, wherein the specific steps of the drainage operation on the data packet in step 2.1 are as follows:
step 2.1.1: configuring drainage rules;
step 2.1.2: drainage matching: when a network data packet arrives at the system, the eBPF module checks whether the packet matches a drainage rule;
step 2.1.3: capturing the data packet: once a packet is determined to need draining, the eBPF module captures it and forwards it to the user space program;
step 2.1.4: data packet forwarding: the filtering operation is applied to the drained packet, and a packet meeting the filtering conditions is forwarded.
4. The eBPF-based terminal flow agent and access control method of claim 1, wherein the specific steps of filtering the data packet in step 2.2 are as follows:
step 2.2.1: defining filtering rules: determining the conditions of the specific packets to be filtered;
step 2.2.2: filtering the data packet: when a packet meets a filtering rule, the eBPF program processes it, which includes discarding, modifying or forwarding;
step 2.2.3: data packet forwarding: traffic of packets matching the filtering rules is forwarded on to the zero-trust security gateway.
5. The eBPF-based terminal flow agent and access control method of claim 1, wherein in step 3 the processed service data packet is sent to the security gateway through the client Agent: the user's service request packet is filtered by the kernel layer, and after it hits the corresponding security rule it is led to the security gateway; the specific steps of application layer identification and refined access control through eBPF are as follows:
step 3.1: the data packet is transmitted to the security gateway, which executes the access control policy to judge whether the user matches it. The policy mainly comprises a terminal security policy, an access behavior policy, an identity security policy, an application security policy and the like, for example PC terminal software black-and-white list detection, terminal antivirus software detection, patch detection, abnormal-time login detection and hacking attack operation detection. If all security policies pass, proceed to step 3.2; if any does not pass, the process ends;
step 3.2: traffic meeting the conditions continues to be sent to the security gateway through the access tunnel established by the client Agent;
step 3.3: application layer identification by eBPF: the eBPF program performs application identification on the data packet and determines the application or service the user is accessing by analyzing the characteristics or protocol information in the packet;
step 3.4: performing refined access control through eBPF;
step 3.5: data packet forwarding: depending on the eBPF processing result, the packet is delivered to a specific destination by accepting, dropping or redirecting.
6. The eBPF-based terminal flow agent and access control method of claim 1, wherein the specific steps of application layer identification by eBPF in step 3.3 are as follows:
step 3.3.1: data packet analysis: the eBPF program parses the captured packet and extracts key network protocol header information;
step 3.3.2: application layer filtering: the parsed packet is filtered through the filtering rules in the eBPF module and its application layer characteristics are analyzed, with the focus on protocol analysis;
step 3.3.3: application layer identification: the application layer of the filtered packet is further identified.
7. The eBPF-based terminal flow agent and access control method of claim 1, wherein the specific steps of performing refined access control through eBPF in step 3.4 are as follows:
step 3.4.1: eBPF program loading and initialization:
step 3.4.1.1: loading and initializing the eBPF program in the operating system; this program is responsible for parsing and processing data packets;
step 3.4.1.2: configuring the access control policy of the eBPF program, which comprises an IP address range, a port number range and a process identifier;
step 3.4.2: parsing the data packet;
step 3.4.3: matching the access control policy;
step 3.4.4: data packet processing.
8. The eBPF-based terminal flow agent and access control method of claim 1, wherein the specific steps of packet parsing in step 3.4.2 are as follows:
step 3.4.2.1: when the packet reaches the network layer of the operating system, the eBPF program intercepts it and parses its header information;
step 3.4.2.2: the source IP address, destination IP address, source port number and destination port number, together with the associated process identification information, are extracted from the packet.
9. The eBPF-based terminal flow agent and access control method of claim 1, wherein the specific steps of access control policy matching in step 3.4.3 are as follows:
step 3.4.3.1: matching the parsed IP address against the IP access control list to determine whether packets from that IP address are allowed to pass;
step 3.4.3.2: matching the parsed port number against the port access control policy to determine whether packets for that port number are allowed to pass;
step 3.4.3.3: matching the parsed process identifier against the process access control policy to determine whether packets of that process are allowed to pass.
10. The eBPF-based terminal flow agent and access control method of claim 1, wherein the specific steps of packet processing in step 3.4.4 are as follows:
step 3.4.4.1: if the packet successfully matches the access control policy, it is allowed to pass and continues to be transmitted to the destination address;
step 3.4.4.2: if the packet fails to match the access control policy, its transmission is blocked and it is discarded or other processing actions are taken.
CN202310817603.XA 2023-07-05 2023-07-05 Terminal flow agent and access control method based on eBPF Pending CN116827646A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310817603.XA CN116827646A (en) 2023-07-05 2023-07-05 Terminal flow agent and access control method based on eBPF

Publications (1)

Publication Number Publication Date
CN116827646A true CN116827646A (en) 2023-09-29

Family

ID=88123875

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination