CN116938486A - Access control method, device, system, equipment and storage medium - Google Patents

Access control method, device, system, equipment and storage medium

Info

Publication number: CN116938486A
Application number: CN202210339664.5A
Authority: CN (China)
Prior art keywords: target application, network request, access control, edge node, local
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 胡金涌, 刘贺
Current assignee: Shanghai Yundun Information Technology Co ltd
Original assignee: Shanghai Yundun Information Technology Co ltd
Priority date, filing date, publication date: (not given in the extracted page)
Application filed by Shanghai Yundun Information Technology Co ltd; priority to CN202210339664.5A; published as CN116938486A; legal status pending.

Classifications

    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security)
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 > H04L63/08 Network architectures or network communication protocols for network security for authentication of entities)

Abstract

This application provides a method, a device, a system, equipment and a storage medium for access control. The terminal device obtains the attribute information of a protected target application. When a network request for the target application is initiated, the DNS resolution request corresponding to that network request is detected locally, DNS resolution is performed so that a local IP address is allocated to the target application, the network request is directed to a local proxy, which establishes a TCP connection for the network request, and the network request is sent to an edge node through a secure channel. The edge node receives the network request for the target application, determines the attribute information of the corresponding target application and, together with the access control policy, applies zero-trust access control to the network request. In this way zero-trust access control can be applied to any TCP-based network application, Web applications included, and access security is ensured, which greatly expands the scenarios in which zero-trust access control can be used.

Description

Access control method, device, system, equipment and storage medium
Technical Field
The application relates to the technical field of computer network security, in particular to an access control technology.
Background
Traditional network security architectures are built around a network boundary in order to protect network resources. With the growth of the mobile internet and the internet of things, however, that boundary is becoming blurred, and the number of applications built on TCP (Transmission Control Protocol), such as Web applications, mail services and remote login services, keeps increasing, so a boundary-based architecture can no longer provide adequate protection. Zero-trust network resource access control has therefore become increasingly popular and valued.
Zero-trust access control extends security controls to every user, every device and every connection that accesses a network resource: each user is given a unique identity, and dynamic authorization decisions are made for the user on the basis of that identity.
In the related art, zero-trust access control is mainly provided for Web applications; for other, native (non-browser) applications that run over TCP, zero-trust access control is difficult to achieve.
Disclosure of Invention
The application aims to provide a technical solution for access control that solves the problem of zero-trust access control for TCP-based applications.
Embodiment 1 of the present application provides an access control method applied to a terminal device, where the method includes:
acquiring attribute information of a target application, and constructing a secure channel with an edge node;
initiating a network request for the target application, and allocating a local IP address to the target application when the DNS resolution request corresponding to the network request is detected locally;
directing the network request to a local proxy on the basis of the local IP address and the attribute information of the target application, so as to establish a TCP connection for the network request;
and receiving the network request over the TCP connection, and sending the network request to the edge node through the secure channel, so that access control is applied to the network request.
Optionally, the attribute information of the target application includes at least:
the identifier, domain name and port of the target application.
Optionally, allocating a local IP address to the target application when the DNS resolution request corresponding to the network request is detected locally includes:
when the DNS resolution request corresponding to the network request is intercepted (hijacked) locally, performing DNS resolution so that a local IP address is allocated to the target application according to the domain name of the target application.
Optionally, after the local IP address is allocated to the target application according to its domain name, the method further includes:
establishing a mapping between the identifier of the target application and the local IP address.
Optionally, directing the network request to a local proxy on the basis of the local IP address and the attribute information of the target application so as to establish a TCP connection for the network request includes:
sending the network request to the local proxy at the local IP address and the port of the target application, and establishing the TCP connection for the network request.
Optionally, receiving the network request over the TCP connection and sending it to the edge node through the secure channel so that access control is applied to the network request includes:
obtaining, through the local proxy, the local IP address of the TCP connection;
obtaining, from the mapping, the identifier of the target application that corresponds to that local IP address;
and encapsulating the identifier of the target application into the data packet corresponding to the network request, then sending the data packet to the edge node through the secure channel, so that access control is applied to the network request according to the identifier of the target application.
Optionally, constructing a secure channel with the edge node includes:
sending a request to establish a secure channel to the edge node and, if authentication passes, establishing the secure channel with the edge node and sending the user identity and/or the device security information of the user side to the edge node for use in access control of the network request.
Optionally, the access control method further includes:
receiving a response corresponding to the network request sent by the edge node, or a security event pushed by the edge node.
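The terminal-side steps of embodiment 1 (intercept the DNS lookup for a protected domain, hand back a per-application local IP, keep the identifier-to-IP mapping, and have the local proxy wrap the identifier into the packet it sends through the secure channel) are shown below as an added example. It is not code from the patent or from the assignee: the 127.64.0.0/16 address pool, the `ZTAC` length-prefixed framing, the `send` callback standing in for the secure channel, and the sample applications are all assumptions. One caveat the patent does not spell out is included: the proxy checks the destination port as well as the address, since any local process can connect to a loopback address.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Frame marker for the data packet sent through the secure channel. The patent
# does not define a wire format; this length-prefixed framing is an assumption.
MAGIC = b"ZTAC"


@dataclass(frozen=True)
class AppAttributes:
    """The three attributes the patent lists for a protected application."""
    app_id: str
    domain: str
    port: int


class LocalResolver:
    """Answers DNS queries for protected domains with a per-application local IP.

    Every address in 127.0.0.0/8 terminates on the host on Linux, so a TCP
    connect to the returned address reaches the local proxy without leaving the
    machine. The pool below is an assumption (macOS only configures 127.0.0.1 by
    default and would need the aliases added); the patent only says a local IP
    address is allocated.
    """

    def __init__(self, apps, pool="127.64.0.0/16"):
        self._by_domain = {a.domain.lower().rstrip("."): a for a in apps}
        self._pool = ipaddress.ip_network(pool).hosts()
        self.app_to_ip = {}   # app identifier -> local IP
        self.ip_to_app = {}   # local IP -> app identifier (the mapping relation)

    def resolve(self, qname):
        """Return the local IP for a protected name, or None to let normal DNS answer."""
        app = self._by_domain.get(qname.lower().rstrip("."))
        if app is None:
            return None
        ip = self.app_to_ip.get(app.app_id)
        if ip is None:
            ip = str(next(self._pool))            # allocate once per application
            self.app_to_ip[app.app_id] = ip
            self.ip_to_app[ip] = app.app_id
        return ip


def encapsulate(app_id, payload):
    """Prepend the application identifier: MAGIC | id_len | payload_len | id | payload."""
    aid = app_id.encode("utf-8")
    return MAGIC + struct.pack("!HI", len(aid), len(payload)) + aid + payload


def decapsulate(frame):
    """Inverse of encapsulate; the edge node runs this before looking up the rule."""
    if len(frame) < 10 or frame[:4] != MAGIC:
        raise ValueError("not a ZTAC frame")
    aid_len, payload_len = struct.unpack("!HI", frame[4:10])
    body = frame[10:]
    if len(body) != aid_len + payload_len:
        raise ValueError("frame length does not match header")
    return body[:aid_len].decode("utf-8"), body[aid_len:]


class LocalProxy:
    """Accepts the application's TCP connection and forwards it through the secure channel.

    `send` stands in for the secure channel's transmit function (assumed); it is
    only ever given frames that already carry the application identifier.
    """

    def __init__(self, resolver, apps, send):
        self._resolver = resolver
        self._apps = {a.app_id: a for a in apps}
        self._send = send
        self.refused = []     # (dst_ip, dst_port, reason) for connections not forwarded

    def on_connection(self, dst_ip, dst_port, request):
        """Map the connection's destination back to an application and forward the request.

        Returns the application identifier on success, None if the connection is refused.
        """
        app_id = self._resolver.ip_to_app.get(dst_ip)
        if app_id is None:
            self.refused.append((dst_ip, dst_port, "no application mapped to address"))
            return None
        app = self._apps[app_id]
        if dst_port != app.port:
            # The address alone is not enough: an arbitrary process can connect to a
            # loopback address, so the configured port is checked as well.
            self.refused.append((dst_ip, dst_port, "port does not match application"))
            return None
        self._send(encapsulate(app_id, request))
        return app_id


if __name__ == "__main__":
    # Constructed sample configuration and traffic; not taken from the patent.
    apps = [AppAttributes("mail-01", "mail.example.test", 993),
            AppAttributes("ssh-01", "bastion.example.test", 22)]
    resolver = LocalResolver(apps)
    channel = []
    proxy = LocalProxy(resolver, apps, channel.append)
    ip = resolver.resolve("mail.example.test")      # what the client's DNS lookup now returns
    proxy.on_connection(ip, 993, b"a001 LOGIN alice secret")
    print(ip, decapsulate(channel[0]))
```

In a real deployment the resolver sits behind the host's DNS path (a local stub resolver or a hosts-file style hook) and the proxy listens on the allocated addresses; here both are driven directly so the mapping and framing can be inspected. Note that the identifier, not the domain name, is what crosses the link, and only inside the secure channel.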
Embodiment 2 of the present application provides an access control method applied to an edge node, where the method includes:
receiving, over a secure channel, a network request for a target application sent by a terminal device, where the network request carries the attribute information of the target application together with the user identity that initiated the network request and/or the device security information of the terminal device;
determining, from an access control policy and on the basis of the attribute information of the target application, the access control rule that corresponds to the target application, where the access control policy is obtained from a security management platform;
and evaluating, against the access control rule, the user identity and/or the device security information of the user side that initiated the network request, and processing the request according to the result of that evaluation, so that access control is applied to the network request.
Optionally, the access control policy is set on the basis of the following information:
the attribute information of the target application;
and the access control rule corresponding to the target application, where the access control rule specifies the user identities and/or the device security information of terminal devices that are authorized to access the target application.
Optionally, processing the request according to the result of the evaluation includes:
if the evaluation allows access, sending a response corresponding to the network request to the terminal device;
and if access is not allowed, pushing a security event to the terminal device.
Embodiment 3 of the present application provides an access control method applied to a security management platform, where the method includes:
acquiring an access control policy, where the access control policy includes the attribute information of a target application and the access control rule corresponding to the target application;
and sending the access control policy to an edge node and sending the attribute information of the target application to a terminal device, so that when the terminal device initiates a network request for the target application, the edge node applies access control to the network request on the basis of the access control policy.
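Embodiments 2 and 3 together describe the policy side: the platform holds application attributes plus per-application rules, pushes the full policy to the edge node and only the attributes to terminals, and the edge node evaluates each request (user identity and/or device posture) against the rule before deciding between a response and a security event. The following added example shows both; it is not code from the patent or the assignee. The rule shape (a set of authorized users and a dictionary of required device-posture values), the default-deny for an identifier with no rule, and the sample policy are assumptions; the request is assumed to arrive with the application identifier already extracted from the packet.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppAttributes:
    """Attribute information of a protected application (identifier, domain, port)."""
    app_id: str
    domain: str
    port: int


@dataclass(frozen=True)
class AccessRule:
    """Who may reach one application, and what the device must report.

    The shape of the rule is an assumption: the patent says a rule carries the
    user identities and/or device security information authorized for the
    application, without fixing a format.
    """
    authorized_users: frozenset
    required_device_state: dict   # e.g. {"disk_encrypted": True, "edr_running": True}


class SecurityManagementPlatform:
    """Holds the policy an administrator creates and splits it for distribution."""

    def __init__(self):
        self._apps = {}
        self._rules = {}

    def register(self, app, rule):
        self._apps[app.app_id] = app
        self._rules[app.app_id] = rule

    def policy_for_edge(self):
        """The edge node gets the full policy: attributes plus rules."""
        return {"apps": dict(self._apps), "rules": dict(self._rules)}

    def attributes_for_terminal(self):
        """The terminal only gets what it needs to recognise and redirect the app; no rules."""
        return list(self._apps.values())


class EdgeNode:
    """Evaluates each forwarded request against the synced policy before anything goes upstream."""

    def __init__(self):
        self._policy = {"apps": {}, "rules": {}}

    def sync_policy(self, policy):
        self._policy = policy

    def handle_request(self, app_id, user_id, device_state, payload):
        """Return an allow decision with the upstream target, or a deny decision with a security event.

        `app_id` is the identifier the terminal encapsulated into the packet;
        `user_id` and `device_state` were sent when the secure channel was set up.
        """
        rule = self._policy["rules"].get(app_id)
        if rule is None:
            # Default deny (an assumption the patent leaves open): an identifier with
            # no rule must not fall through to the origin.
            return self._deny(app_id, user_id, "no rule for application")
        if user_id not in rule.authorized_users:
            return self._deny(app_id, user_id, "user not authorized")
        for key, required in rule.required_device_state.items():
            if device_state.get(key) != required:
                return self._deny(app_id, user_id, f"device posture check failed: {key}")
        app = self._policy["apps"][app_id]
        # Only now is the request handed to the origin; the response travels back
        # through the same secure channel.
        return {"decision": "allow", "upstream": (app.domain, app.port), "payload": payload}

    @staticmethod
    def _deny(app_id, user_id, reason):
        event = {"type": "access_denied", "app_id": app_id, "user_id": user_id, "reason": reason}
        return {"decision": "deny", "security_event": event}


if __name__ == "__main__":
    # Constructed policy and requests; not taken from the patent.
    platform = SecurityManagementPlatform()
    platform.register(AppAttributes("mail-01", "mail.example.test", 993),
                      AccessRule(frozenset({"alice"}), {"disk_encrypted": True, "edr_running": True}))
    edge = EdgeNode()
    edge.sync_policy(platform.policy_for_edge())
    print(edge.handle_request("mail-01", "alice", {"disk_encrypted": True, "edr_running": True}, b"a001 LOGIN"))
    print(edge.handle_request("mail-01", "alice", {"disk_encrypted": False, "edr_running": True}, b"a001 LOGIN"))
```

The split in `policy_for_edge` versus `attributes_for_terminal` is the point worth checking in a real deployment: the terminal never needs the rules, so a compromised endpoint learns which applications are protected but not who is allowed to reach them, and the decision stays on the edge node.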
Embodiment 4 of the present application provides an access control method applied to a terminal device, where the method includes:
acquiring attribute information of a target application, and constructing a secure channel with an edge node;
receiving the DNS resolution request corresponding to a network request for the target application, and allocating a local IP address to the target application;
establishing a TCP connection for the network request on the basis of the local IP address and the attribute information of the target application;
and receiving the network request over the TCP connection, and sending the network request to the edge node through the secure channel, so that access control is applied to the network request.
Optionally, the attribute information of the target application includes at least:
the identifier, domain name and port of the target application.
Optionally, receiving the DNS resolution request corresponding to a network request for the target application and allocating a local IP address to the target application includes:
when the DNS resolution request corresponding to the network request is hijacked, performing DNS resolution so that a local IP address is allocated to the target application according to the domain name of the target application.
Optionally, after the local IP address is allocated to the target application according to its domain name, the method further includes:
establishing a mapping between the identifier of the target application and the local IP address.
Optionally, establishing the TCP connection for the network request on the basis of the local IP address and the attribute information of the target application includes:
establishing the TCP connection for the network request at the local IP address and the port of the target application.
Optionally, receiving the network request over the TCP connection and sending it to the edge node through the secure channel so that access control is applied to the network request includes:
obtaining the local IP address of the TCP connection;
obtaining, from the mapping, the identifier of the target application that corresponds to that local IP address;
and encapsulating the identifier of the target application into the data packet corresponding to the network request, then sending the data packet to the edge node through the secure channel, so that access control is applied to the network request according to the identifier of the target application.
Optionally, constructing a secure channel with the edge node includes:
sending a request to establish a secure channel to the edge node and, if authentication passes, establishing the secure channel with the edge node and sending the user identity and/or the device security information of the user side to the edge node for use in access control of the network request.
Optionally, the access control method further includes:
receiving a response corresponding to the network request sent by the edge node, or a security event pushed by the edge node.
Embodiment 5 of the present application provides an access control apparatus deployed in a terminal device, where the apparatus includes:
an acquisition module, configured to acquire attribute information of the target application and construct a secure channel with the edge node;
a processing module, configured to initiate a network request for the target application and allocate a local IP address to the target application when the DNS resolution request corresponding to the network request is detected locally;
a connection module, configured to direct the network request to a local proxy on the basis of the local IP address and the attribute information of the target application, so as to establish a TCP connection for the network request;
and a sending module, configured to receive the network request over the TCP connection and send it to the edge node through the secure channel, so that access control is applied to the network request.
Optionally, the processing module is further configured to:
establish a mapping between the identifier of the target application and the local IP address;
and the sending module is configured to:
obtain, through the local proxy, the local IP address of the TCP connection;
obtain, from the mapping, the identifier of the target application that corresponds to that local IP address;
and encapsulate the identifier of the target application into the data packet corresponding to the network request, then send the data packet to the edge node through the secure channel, so that access control is applied to the network request according to the identifier of the target application.
Optionally, the access control apparatus further includes:
a receiving module, configured to receive a response corresponding to the network request sent by the edge node, or a security event pushed by the edge node.
Embodiment 6 of the present application provides an access control apparatus deployed at an edge node, where the apparatus includes:
a receiving module, configured to receive, over a secure channel, a network request for a target application sent by a terminal device, where the network request carries the attribute information of the target application together with the user identity that initiated the network request and/or the device security information of the terminal device;
an acquisition module, configured to determine, from an access control policy and on the basis of the attribute information of the target application, the access control rule corresponding to the target application, where the access control policy is obtained from a security management platform;
and an access control module, configured to evaluate, against the access control rule, the user identity and/or the device security information of the user side that initiated the network request, and to process the request according to the result of that evaluation, so that access control is applied to the network request.
Embodiment 7 of the present application provides an access control apparatus deployed on a security management platform, where the apparatus includes:
an access control module, configured to acquire an access control policy, where the access control policy includes the attribute information of a target application and the access control rule corresponding to the target application;
and a sending module, configured to send the access control policy to an edge node and the attribute information of the target application to a terminal device, so that when the terminal device initiates a network request for the target application, the edge node applies access control to the network request on the basis of the access control policy.
Embodiment 8 of the present application provides an access control apparatus deployed in a terminal device, where the apparatus includes:
an acquisition module, configured to acquire attribute information of the target application and construct a secure channel with the edge node;
a processing module, configured to receive the DNS resolution request corresponding to a network request for the target application and allocate a local IP address to the target application;
a connection module, configured to establish a TCP connection for the network request on the basis of the local IP address and the attribute information of the target application;
and a sending module, configured to receive the network request over the TCP connection and send it to the edge node through the secure channel, so that access control is applied to the network request.
Embodiment 9 of the present application provides an access control system, where the system includes:
a security management platform, configured to acquire an access control policy, where the access control policy includes the attribute information of a target application and the access control rule corresponding to the target application, to synchronize the access control policy to an edge node, and to send the attribute information of the target application to a terminal device, so that when the terminal device initiates a network request for the target application, the edge node applies access control to the network request on the basis of the access control policy;
a terminal device, on which a client of the target application and a local proxy are deployed, configured to acquire the attribute information of the target application, construct a secure channel with the edge node, allocate a local IP address to the target application when a network request for the target application is detected through the local proxy, direct the network request to the local proxy on the basis of the local IP address and the attribute information of the target application, establish a TCP connection for the network request, receive the network request over the TCP connection, and send it to the edge node through the secure channel;
and an edge node, configured to receive, over the secure channel, the network request for the target application sent by the terminal device, where the network request carries the attribute information of the target application together with the user identity that initiated the network request and/or the device security information of the user side, to determine the attribute information of the target application from the network request, to determine, from an access control policy obtained from the security management platform and on the basis of that attribute information, the access control rule corresponding to the target application, to evaluate the user identity and/or the device security information of the user side that initiated the network request against the access control rule, and to process the request according to the result of that evaluation.
Compared with the prior art, the application provides the following access control scheme. First, on the security management platform side, the attribute information created for a target application and an access control policy that includes at least the access control rule corresponding to that target application are acquired; the access control policy is synchronized to an edge node and the attribute information of the target application is sent to the terminal device. Second, on the terminal device side, a client of the target application and a local proxy are deployed and the attribute information of the target application sent by the security management platform is obtained; the terminal device constructs a secure channel with the edge node through the local proxy; when the target application client initiates a network request for the target application and the corresponding DNS resolution request is detected locally, DNS resolution is performed so that a local IP address is allocated to the target application; the network request is directed to the local proxy on the basis of the local IP address and the attribute information of the target application, a TCP connection is established for the network request, the network request is received over that TCP connection, and it is sent to the edge node through the secure channel. Finally, on the edge node side, the network request for the target application is received from the terminal device over the secure channel between them; the network request carries the relevant information of the target application and the user identity and/or the device security information of the terminal device that initiated it; the edge node determines the relevant information of the target application from the network request, determines the access control rule corresponding to the target application from the access control policy on the basis of that information, evaluates the user identity and/or the device security information of the terminal device that initiated the network request against that rule, and processes the request according to the result, so that access control is applied to the network request. Optionally, on the terminal device side, before the network request is sent to the edge node through the secure channel, the identifier of the target application is encapsulated into the data packet of the network request, and the packet is then sent to the edge node through the secure channel, so that access control is applied to the network request according to the identifier of the target application.
The access control scheme provided by the application has the following technical effects:
a local TCP connection is constructed on the terminal device side and a secure channel is constructed between the terminal device and the edge node; by authenticating the user identity and/or the device security information behind each network request, access control is applied to all TCP-based network applications, Web applications included, and access security is ensured, which greatly expands the scenarios in which zero-trust access control can be used. Further, because the identifier of the target application is encapsulated into the data packet of the network request and carried inside the secure channel rather than being exposed as a plaintext DNS lookup or destination address on the network path, the risk of sniffing and hijacking on the network link is reduced and network access is made safer.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the accompanying drawings in which:
Fig. 1 is a flowchart of an access control method applied to a terminal device according to embodiment 1 of the present application;
Fig. 2 is a flowchart of an access control method applied to an edge node according to embodiment 2 of the present application;
Fig. 3 is a flowchart of an access control method applied to a security management platform according to embodiment 3 of the present application;
Fig. 4 is a flowchart of an access control method applied to a terminal device according to embodiment 4 of the present application;
Fig. 5 is a schematic diagram of an access control apparatus deployed in a terminal device according to embodiment 5 of the present application;
Fig. 6 is a schematic diagram of an access control apparatus deployed at an edge node according to embodiment 6 of the present application;
Fig. 7 is a schematic diagram of an access control apparatus deployed on a security management platform according to embodiment 7 of the present application;
Fig. 8 is a schematic diagram of an access control apparatus deployed in a terminal device according to embodiment 8 of the present application;
Fig. 9 is a system diagram of access control according to embodiment 9 of the present application;
Fig. 10 is a schematic diagram of the structure of a terminal device according to an alternative embodiment of embodiment 1 of the present application;
Fig. 11 is a schematic diagram of the structure of a terminal device according to an alternative embodiment of embodiment 4 of the present application;
the same or similar reference numbers in the drawings refer to the same or similar parts.
Detailed Description
The application is described in further detail below with reference to the accompanying drawings.
In one exemplary configuration of the application, each module of the system and of the trusted party includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, both permanent and non-permanent, removable and non-removable, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. Computer-readable media, as defined herein, do not include transitory media (transmission media) such as modulated data signals and carrier waves.
In order to further illustrate the technical means and the effects adopted by the present application, the technical solution of the present application will be clearly and completely described below with reference to the accompanying drawings and preferred embodiments.
An exemplary system for providing the access control of the present application includes a terminal device, an edge node, and a security management platform.
The terminal device is provided with at least a client of the protected target application, which supports the TCP protocol, and a local proxy. The protected target application may be a browser application or a native, non-browser network application such as Outlook or an SSH (Secure Shell protocol) remote login client. The application client and the local proxy may be two independent clients or may be integrated into one client. The terminal device may be any computer device or intelligent terminal device, whether an enterprise asset or a personal BYOD (Bring Your Own Device) device. Computer devices include, but are not limited to, personal computers and notebook computers; intelligent terminal devices include, but are not limited to, smartphones and tablet computers. These devices are only examples; other devices and/or resources that exist now or appear in the future are also within the scope of the present application where applicable, and are incorporated herein by reference.
The edge node may be, but is not limited to, a logical functional unit of a CDN (Content Delivery Network) acting as the main entity that provides CDN services. It authenticates the secure channel construction request initiated by a terminal device, establishes a secure channel with the terminal device once authentication passes, receives over that secure channel the network request initiated by the user for the protected target application together with the user identity and/or the device security information of the terminal device, evaluates the request against the access control policy and, if the evaluation passes, sends the response corresponding to the network request to the terminal device; if it does not pass, it pushes a corresponding security event to the terminal device. It should be emphasized that the edge node may also be an edge node of an SD-WAN (Software Defined Wide Area Network), of a zero-trust network or of an edge cloud network, including but not limited to an edge server, an edge gateway or an edge controller; any other form of edge node that exists now or appears in the future is within the scope of the present application where applicable.
The security management platform acquires an access control policy created by an enterprise security administrator or other authorized personnel, where the access control policy includes at least the protected target application with its attribute information and the access control rule corresponding to the protected target application; it synchronizes the access control policy to the edge node and sends the attribute information of the target application to a terminal device on that terminal device's request.
Fig. 1 shows a flowchart of a method for access control applied to a terminal device according to embodiment 1 of the present application, where the method includes:
S101, acquiring attribute information of a target application, and constructing a secure channel with an edge node;
S102, initiating a network request for the target application, and allocating a local IP address to the target application when a DNS resolution request corresponding to the network request is detected locally;
S103, based on the local IP address and the attribute information of the target application, diverting the network request to a local proxy to establish a TCP connection for the network request;
S104, receiving the network request based on the TCP connection, and sending the network request to the edge node through the secure channel so as to implement access control on the network request.
In this embodiment, a client 110 is deployed on the terminal device 100, where the client 110 integrates a protected target application client 111 and a local proxy 112, as shown in Fig. 10.
In this embodiment, in step S101, the user starts the client 110 on the terminal device 100, enters account and identity information through the local proxy 112 integrated therein, and initiates a login and identity authentication request to the security management platform 300. When authentication passes, the client 110 receives the attribute information of the protected target application from the security management platform 300, constructs the configuration parameters of a secure channel, and establishes a secure channel for data communication with the edge node 200 according to those parameters. The secure channel may be built on existing technologies such as an encrypted TCP connection, a tunnel or a VPN, which are not described further herein.
In an alternative embodiment, the user starts the client 110 on the terminal device 100, and the local proxy 112 integrated therein displays a login page asking the user to log in. After the user enters an account, a password and/or an organization identifier, the login page is submitted to the security management platform 300. The security management platform 300 checks whether the entered information is correct and, if so, sends the identity authentication mode of the organization to the client 110. On receiving it, the user enters identity information in the client 110 and selects an identity authentication mode, and the client 110 submits an identity authentication request to the security management platform 300. If identity authentication passes, the security management platform 300 sends a corresponding configuration file to the client 110 according to the organization identifier entered by the user and the user's identity information, where the configuration file includes at least the configuration parameters of the secure channel and the attribute information of the protected target application. According to the configuration parameters of the secure channel, the client 110 establishes a secure channel for data communication with the edge node 200, ensuring that traffic of the protected target application can be diverted into the secure channel, and stores the attribute information of the protected target application locally so that different protected target applications can be handled.
If the terminal device 100 receives m protected target applications, each with n items of attribute information, the attribute information may be stored in the manner of Table 1 below.
TABLE 1
Continuing in this embodiment, in step S102, a network request for a protected target application is initiated by the protected target application client 111 integrated in the client 110, and when the local proxy 112 detects a DNS resolution request corresponding to the network request, a local IP address is assigned to the target application.
For any network request initiated on the terminal device 100 by an application supporting the TCP protocol, the local proxy 112 hijacks the DNS resolution request corresponding to the network request, performs DNS resolution, obtains the attribute information of the application corresponding to the network request, such as its domain name, and compares it with the stored attribute information of the protected target applications. If the request is for a protected target application, a local IP address is allocated to the target application; if not, resolution continues by requesting the upper-level DNS to acquire the corresponding IP address. In an optional application scenario, the local DNS of the terminal device 100 is set by the local proxy 112 to a local address, for example 127.0.0.1. When an application client supporting the TCP protocol on the terminal device 100 initiates a network request, the corresponding DNS resolution request is captured by the local DNS and judged first: if the attribute information of the application matches the stored attribute information of a protected target application, a local IP address is allocated to the target application after DNS resolution, for example any address in 127.10.0.0-127.255.0.0. The local IP addresses allocated to the different protected target applications are recorded so that no address is allocated twice and a separate TCP connection can be established for each protected target application.
If the attribute information of the application does not match the stored attribute information of the protected target applications, the application is not a protected application; in that case, if the local DNS has no cached IP address for the attribute information, the DNS resolution request is forwarded to the upper-level DNS, which handles it. The processing of the upper-level DNS is prior art and is not described herein.
Continuing in this embodiment, in step S103, based on the local IP address allocated for the target application and the received attribute information of the target application, the network request for the target application is streamed to the local proxy to establish a TCP connection for the network request.
Wherein, according to the local IP address and the attribute information of the target application, the protected target application client 111 initiates a TCP connection request to the local IP address, and after the request is streamed to the local proxy 112, establishes a TCP connection for the network request.
Continuing in this embodiment, in step S104, the local proxy 112 receives the network request for the target application over the TCP connection and sends it to the edge node 200 over the constructed secure channel to implement access control on the network request. The network request includes the domain name of the target application.
In an alternative embodiment, in step S101, the constructing a secure channel with an edge node includes:
and sending a request for establishing a secure channel to an edge node, if the authentication is passed, establishing the secure channel with the edge node, and sending user identity and/or equipment security information of a user side to the edge node for controlling the access to the network request.
After acquiring the target application information, the terminal device 100 sends a request for establishing a secure channel to the edge node 200. The request may be sent when a network request for the target application is initiated, or after the attribute information of the target application sent by the security management platform 300 is received; this may be determined according to the specific product form or application scenario and is not limited herein. After receiving the request, the edge node 200 performs identity authentication and, if authentication passes, a secure channel for data communication is established between the terminal device 100 and the edge node 200, and the user identity and/or device security information of the terminal device 100 is sent to the edge node 200 for access control of the network request by the edge node 200.
In an alternative embodiment, in step S101, the attribute information of the protected target application received by the terminal device 100 includes at least:
identification, domain name and port of the target application.
The identifier of the protected target application may be a number allocated sequentially when the protected target application is created; for example, the first protected target application created is numbered 1, the second is numbered 2, and so on. The attribute information of the protected target application received by the terminal device may further include other attributes such as the application name of the target application, for example an OA (Office Automation) system or a CRM (Customer Relationship Management) system. An application mode of the protected target application, such as a TCP proxy mode, may also be included. The attribute information of the protected target application is not limited here; any attribute information of the protected target application is included in the scope of the present application where applicable.
In an alternative embodiment, when the attribute information of the protected target application includes at least an identifier, a domain name and a port of the protected target application, in step S102 the local DNS hijacks the DNS resolution request corresponding to any network request of an application supporting the TCP protocol initiated on the terminal device 100, performs DNS resolution, obtains the domain name of the corresponding application, and compares it with the stored domain names of the protected target applications. If the domain name is the same as that of a protected target application, a local IP address is allocated to the target application; otherwise, resolution continues by requesting the upper-level DNS to acquire the corresponding IP address.
In an alternative embodiment, when the attribute information of the protected target application includes at least an identifier, a domain name, and a port of the protected target application, in step S103, a network request based on the TCP connection is sent to the local proxy 112 according to the local IP address allocated for the target application and the port of the target application, and a TCP connection for the network request is established.
To further eliminate the risk of sniffing and hijacking on the network link and make network access more secure, in an alternative embodiment, when the attribute information of the protected target application includes at least the identifier, domain name and port of the protected target application, the method further comprises, after step S102:
S1021 (not shown) establishes a mapping relationship between the identification of the target application and the local IP address.
In the above optional application scenario, if the attribute information of the 3 protected target applications received by the terminal device 100 includes the identifier (number), domain name and port of each target application, and the local IP addresses allocated after each protected target application initiates a network request are 127.10.0.1, 127.10.0.2 and 127.10.0.3 respectively, the mapping relationship between the attribute information of the target applications and the local IP addresses established in the terminal device 100 may be as shown in Table 2 below.
TABLE 2
Local IP address    Application identifier    Application domain name              Application port
127.10.0.1          1                         Domain name of target application 1  Port of target application 1
127.10.0.2          2                         Domain name of target application 2  Port of target application 2
127.10.0.3          3                         Domain name of target application 3  Port of target application 3
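The local DNS interception of steps S102/S103 and the Table 2 mapping, as an added simulation that is not part of the patent text: a protected domain name receives a unique loopback address from the 127.10.0.0-127.255.0.0 pool, any other name is forwarded to the upper-level DNS (stubbed here with a constructed dictionary), and an accepted TCP connection is mapped back to its application identifier by local IP and port. The application records, domain names and upstream answer are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Loopback pool named in the patent text: 127.10.0.0 - 127.255.0.0.
# Allocation starts at 127.10.0.1 so the demo reproduces Table 2.
POOL_FIRST = int(ipaddress.IPv4Address("127.10.0.1"))
POOL_LAST = int(ipaddress.IPv4Address("127.255.0.0"))


@dataclass(frozen=True)
class ProtectedApp:
    """Attribute information of a protected target application: identifier, domain name, port."""
    app_id: int
    domain: str
    port: int


@dataclass
class LocalProxyResolver:
    """Stand-in for the local proxy's DNS interception and local IP allocation (steps S102/S103)."""
    protected: dict                                   # domain name -> ProtectedApp
    upstream: dict                                    # constructed stand-in for the upper-level DNS
    allocated: dict = field(default_factory=dict)     # app_id -> local IP
    by_ip: dict = field(default_factory=dict)         # local IP -> app_id (the Table 2 mapping)
    next_free: int = POOL_FIRST

    def resolve(self, qname: str):
        """Return (ip, is_protected) for a DNS query captured by the local DNS.

        A protected domain gets a loopback address from the pool; every other
        name is forwarded to the upstream resolver (stubbed here with a dict).
        """
        name = qname.rstrip(".").lower()
        app = self.protected.get(name)
        if app is None:
            ip = self.upstream.get(name)
            if ip is None:
                raise LookupError(f"NXDOMAIN: {qname}")
            return ip, False
        return self._allocate(app), True

    def _allocate(self, app: ProtectedApp) -> str:
        """Hand out one local IP per protected application, never the same address twice."""
        if app.app_id in self.allocated:
            return self.allocated[app.app_id]
        if self.next_free > POOL_LAST:
            raise RuntimeError("local IP pool exhausted")
        ip = str(ipaddress.IPv4Address(self.next_free))
        self.next_free += 1
        self.allocated[app.app_id] = ip
        self.by_ip[ip] = app.app_id
        return ip

    def app_for_connection(self, local_ip: str, dst_port: int):
        """Step S104: map an accepted TCP connection (local IP, port) back to the
        application identifier that is sent on to the edge node. Returns None
        when the address is unknown or the port is not the application's port."""
        app_id = self.by_ip.get(local_ip)
        if app_id is None:
            return None
        app = next(a for a in self.protected.values() if a.app_id == app_id)
        return app_id if dst_port == app.port else None


def build_demo() -> LocalProxyResolver:
    """Constructed sample data: three protected applications and one upstream answer."""
    apps = [
        ProtectedApp(1, "oa.corp.example", 443),
        ProtectedApp(2, "crm.corp.example", 443),
        ProtectedApp(3, "bastion.corp.example", 22),
    ]
    upstream = {"www.example.com": "203.0.113.10"}   # constructed, not a real DNS answer
    return LocalProxyResolver({a.domain: a for a in apps}, upstream)


if __name__ == "__main__":
    r = build_demo()
    for q in ["oa.corp.example", "crm.corp.example", "oa.corp.example", "www.example.com"]:
        print(q, "->", r.resolve(q))
    print("127.10.0.2:443 belongs to application", r.app_for_connection("127.10.0.2", 443))
```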
In an alternative embodiment, step S104 includes:
acquiring a corresponding local IP address of the TCP connection through a local proxy;
acquiring an identification of the target application corresponding to the local IP address based on the mapping relation;
and encapsulating the identifier of the target application into the data packet corresponding to the network request, and then sending the data packet to the edge node through the secure channel, so as to implement access control on the network request according to the identifier of the target application.
The identification of the target application is encapsulated into the data packet corresponding to the network request, and the transmission data is encrypted again, so that the security of data transmission can be further improved. And then the encapsulated data packet is sent to the edge node 200 through a secure channel to realize access control to the network request according to the identification of the target application.
In an optional embodiment, in step S104, a header may be prepended to the first TCP payload of the data packet corresponding to the network request for the target application, for encryption and verification, where the header includes at least the identifier of the target application, for example its application number. When the edge node 200 receives the data packet of the network request for the protected target application sent by the terminal device 100, it decapsulates and verifies the packet, parses the application identifier from the header at the start of the first TCP payload, thereby determines the target application, and further determines the access control rule corresponding to the target application from the access control policy.
In an alternative embodiment, after step S104, the method further includes:
s105 (not shown) receives a response sent by the edge node corresponding to the network request, or a security event pushed by the edge node.
When the edge node 200 receives, over the secure channel, a network request for a target application sent by the terminal device 100 through the target application client 111 integrated in the client 110, it authenticates the identity information of the user and/or the device security information of the terminal device against the access control rule corresponding to the target application in the access control policy. If authentication passes, the terminal device 100 receives a response corresponding to the network request from the edge node 200. If the response data is not stored in the edge node 200, the edge node determines the corresponding source station, requests the response data from it and then sends it to the terminal device 100; if there are several source stations, the response data may be obtained through a load balancer, and if the application is an intranet application, the response data may be obtained from the intranet through a bound connector. Requesting response data from a source station or an intranet is prior art and is not expanded on here. If authentication fails, the terminal device 100 receives a corresponding security event pushed by the edge node 200 informing the user why the access did not succeed; for example, the security event may be a notification such as "Your access to the OA application has been blocked: unauthorized", which presents the reason for blocking to the user. The security event may be pushed to the terminal device 100 via a third-party push platform instead of directly by the edge node 200. The specific pushing manner is not limited here; any manner in which the edge node 200 pushes the security event to the terminal device 100 falls within the protection scope of the present application where applicable.
Fig. 2 shows a flowchart of a method for access control applied to an edge node according to embodiment 2 of the present application, wherein the method includes:
S201, receiving, over a secure channel, a network request for a target application sent by a terminal device, where the network request includes attribute information of the target application and the user identity initiating the network request and/or device security information of the terminal device;
S202, determining an access control rule corresponding to the target application from an access control policy based on the attribute information of the target application, where the access control policy is acquired from a security management platform;
S203, based on the access control rule, judging the user identity initiating the network request and/or the device security information of the user side, and performing corresponding processing according to the judging result so as to implement access control on the network request.
In this embodiment, in step S201, the edge node 200 receives a network request for a protected target application sent by the terminal device 100 based on a secure channel constructed with the terminal device 100, where the network request includes attribute information of the target application, and a user identity of the network request for the protected target application and/or device security information of the terminal device 100 initiated from the terminal device 100.
In an alternative embodiment, if the terminal device 100 sends the user identity and/or the device security information of the terminal device 100 to the edge node 200 after initiating the establishment of the secure channel with the edge node 200, the network request for the protected target application initiated by the terminal device 100 may not carry the user identity and/or the device security information of the terminal device 100, so as to avoid repeated transmission, and improve the network communication and data processing efficiency.
Continuing with this embodiment, in step S202, the edge node 200 obtains attribute information of the target application from the received network request, and determines, according to the attribute information of the target application, an access control rule corresponding to the target application from an access control policy, where the access control policy is obtained from the security management platform 300.
In this embodiment, in step S203, the edge node 200 determines, according to the access control rule, the identity of the user that initiates the network request and/or the device security information of the user side, and performs corresponding processing according to the determination result, so as to implement access control on the network request.
In an alternative embodiment, the access control policy acquired by the edge node 200 from the security management platform 300 is set based on the following information:
Attribute information of the protected target application;
and the access control rule corresponds to the target application, wherein the access control rule is provided with user identity and/or equipment security information of the terminal equipment, which are authorized to access the target application.
The attribute information of the protected target application at least comprises an application identifier, a domain name, a port, a proxy mode and source station information of the application, wherein the source station information comprises an IP address and a port of a source station, and if the same target application comprises a plurality of source stations, the source station information can also comprise load balancer information for balancing loads of the plurality of source stations so that a user with authority can access the source stations. If the protected target application belongs to the enterprise internal application, the attribute information of the protected target application should also include connector information bound to the target application, so that the internal application can be accessed by the authorized user.
The access control rule corresponding to the protected target application is provided with user identity and/or equipment security information of the terminal equipment, wherein the user identity and/or the equipment security information of the terminal equipment are/is authorized to access the protected target application.
In an alternative embodiment, the performing the corresponding processing according to the determination result in step S203 includes:
Based on the judging result, if access is allowed, sending a response corresponding to the network request to the terminal equipment;
and if the access is not allowed, pushing the security event to the terminal equipment.
When the edge node 200 receives, over the secure channel, a network request for a target application sent by the terminal device 100, it obtains the attribute information of the application from the network request, determines the target application from that attribute information, further determines the access control rule corresponding to the target application from the access control policy, and authenticates the identity information of the user and/or the device security information of the terminal device. If authentication passes, it sends a response corresponding to the network request to the terminal device 100. If the response data is not stored in the edge node 200, the edge node determines the corresponding source station, requests the response data from it and then sends it to the terminal device 100; if there are several source stations, the response data may be obtained through a load balancer, and if the application is an intranet application, the response data may be obtained from the intranet through a bound connector. Requesting response data from a source station or an intranet is prior art and is not expanded on here. If authentication fails, a corresponding security event is pushed to the terminal device 100 to inform the user why the access did not succeed. The security event may be pushed to the terminal device 100 via a third-party push platform instead of directly by the edge node 200. The specific pushing manner is not limited here; any manner in which the edge node 200 pushes the security event to the terminal device 100 falls within the protection scope of the present application where applicable.
In an alternative embodiment, if the data packet of the network request for the protected target application received by the edge node 200 from the terminal device 100 includes an application identifier, the edge node obtains the application identifier, determines the target application from it, and further determines the access control rule corresponding to the target application from the access control policy.
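The application-identifier header of step S104 and the edge-side rule lookup and judgment of steps S202/S203, as an added example that is not the patent's or the assignee's own code. The wire layout is hypothetical (the patent fixes none): an 8-byte header of magic, version, application identifier and flags prepended to the first TCP payload, with an HMAC-SHA256 tag standing in for the "verify" step; the secure channel is assumed to encrypt the whole packet in transit. The key, policy, user names and device posture labels are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Hypothetical wire layout: magic | version | app_id | flags (8 bytes, network byte order),
# then the original TCP payload, then a 32-byte HMAC-SHA256 tag over header + payload.
MAGIC = b"ZT"
VERSION = 1
HDR = struct.Struct("!2sBIB")
TAG_LEN = 32


def encapsulate(app_id: int, payload: bytes, key: bytes) -> bytes:
    """Terminal side (S104): prepend the application-identifier header to the first
    TCP payload and bind header and payload together with an integrity tag."""
    hdr = HDR.pack(MAGIC, VERSION, app_id, 0)
    tag = hmac.new(key, hdr + payload, hashlib.sha256).digest()
    return hdr + payload + tag


def decapsulate(packet: bytes, key: bytes):
    """Edge side: verify the tag, then return (app_id, payload).
    Raises ValueError when the packet is short, tampered with, or not ours."""
    if len(packet) < HDR.size + TAG_LEN:
        raise ValueError("short packet")
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    magic, version, app_id, _flags = HDR.unpack_from(body)
    if magic != MAGIC or version != VERSION:
        raise ValueError("unrecognised header")
    return app_id, body[HDR.size:]


@dataclass(frozen=True)
class Rule:
    """Access control rule for one application: the user identities authorized to
    access it and the device security information the terminal must report."""
    allowed_users: frozenset
    required_posture: frozenset


@dataclass(frozen=True)
class Decision:
    allowed: bool
    response: bytes = b""
    security_event: str = ""


def edge_handle(packet, key, policy, origin, user, device_posture) -> Decision:
    """S202/S203: select the rule by application identifier, judge the user identity
    and device security information, then return either the source-station
    response or the security event to push back to the terminal."""
    try:
        app_id, payload = decapsulate(packet, key)
    except ValueError as exc:
        return Decision(False, security_event=f"request rejected: {exc}")
    rule = policy.get(app_id)
    if rule is None:
        return Decision(False, security_event=f"application {app_id} is not in the access control policy")
    if user not in rule.allowed_users:
        return Decision(False, security_event=f"access to application {app_id} blocked: unauthorized user")
    missing = rule.required_posture - frozenset(device_posture)
    if missing:
        return Decision(False, security_event=f"access to application {app_id} blocked: device posture {sorted(missing)} not met")
    return Decision(True, response=origin(app_id, payload))


# Constructed demo inputs (not from the patent)
DEMO_KEY = b"constructed-demo-key-not-for-production"
DEMO_POLICY = {
    1: Rule(frozenset({"alice"}), frozenset({"disk_encrypted", "edr_running"})),
    2: Rule(frozenset({"alice", "bob"}), frozenset()),
}


def demo_origin(app_id: int, payload: bytes) -> bytes:
    """Stand-in for the source station behind the edge node."""
    return b"HTTP/1.1 200 OK\r\n\r\napp=%d bytes=%d" % (app_id, len(payload))


if __name__ == "__main__":
    pkt = encapsulate(1, b"GET / HTTP/1.1\r\nHost: oa.corp.example\r\n\r\n", DEMO_KEY)
    print(edge_handle(pkt, DEMO_KEY, DEMO_POLICY, demo_origin, "alice", {"disk_encrypted", "edr_running"}))
    print(edge_handle(pkt, DEMO_KEY, DEMO_POLICY, demo_origin, "bob", {"disk_encrypted", "edr_running"}))
```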
Fig. 3 is a flowchart of a method for access control applied to a security management platform according to embodiment 3 of the present application, where the method includes:
S301, acquiring an access control policy, where the access control policy includes attribute information of a target application and an access control rule corresponding to the target application;
S302, sending the access control policy to an edge node, and sending the attribute information of the target application in the access control policy to a terminal device, so that when the terminal device initiates a network request for the target application, the edge node implements access control on the network request based on the access control policy.
In this embodiment, in step S301, the security management platform 300 obtains an access control policy created by an enterprise security administrator or other authorized person, where the access control policy includes at least attribute information of at least one protected target application and an access control rule corresponding to each target application.
Continuing in this embodiment, in step S302, the security management platform 300 sends the access control policy to the edge node 200, and sends attribute information of a corresponding target application therein to the authenticated terminal device 100, so that when the terminal device 100 initiates a network request for the target application, access control to the network request can be implemented on the edge node 200 based on the access control rule corresponding to the target application in the access control policy.
Fig. 4 shows a flowchart of a method for access control applied to a terminal device according to embodiment 4 of the present application, where the method includes:
S401, acquiring attribute information of a target application, and constructing a secure channel with an edge node;
S402, receiving a DNS resolution request corresponding to a network request for the target application, and allocating a local IP address to the target application;
S403, establishing a TCP connection for the network request based on the local IP address and the attribute information of the target application;
S404, receiving the network request based on the TCP connection, and sending the network request to the edge node through the secure channel so as to implement access control on the network request.
In this embodiment, a protected target application client 111 and a local proxy 112 are deployed on the terminal device 100, as shown in Fig. 11.
In this embodiment, in step S401, the user starts the local proxy 112 on the terminal device 100, enters account and identity information, and initiates a login and identity authentication request to the security management platform 300. When authentication passes, the local proxy 112 receives the attribute information of the protected target application and the configuration parameters of the secure channel, and then establishes a secure channel for data communication with the edge node 200 according to those parameters.
In an alternative embodiment, the local agent 112 in the terminal device 100 is started to display a login page, and after the user is required to login and input an account number, a password and/or an organization identifier, the login page is submitted to the security management platform 300; the security management platform 300 detects whether the input information is correct, and if so, sends an identity authentication mode of the organization to the local agent; the local agent 112 provides identity information and submits an identity authentication request to the security management platform 300 after selecting an identity authentication mode after receiving the identity information; if the identity authentication is passed, the security management platform 300 sends a corresponding configuration file to the local agent 112 according to the organization number and the identity information of the user, wherein the configuration file at least comprises configuration parameters of the security channel, attribute information of the protected target application and the like; configuration parameters of the secure channel are entered and a secure channel for data communication is established with the edge node 200 to ensure that traffic of the protected target application can be drained into the secure channel and attribute information of the protected target application is stored locally for processing for different protected target applications.
Continuing in this embodiment, in step S402, when the user initiates a network request through the protected target application client 111 on the terminal device 100, the local proxy receives the DNS resolution request corresponding to the network request for the target application and allocates a local IP address to the target application.
For any network request initiated on the terminal device 100 by an application supporting the TCP protocol, the local proxy hijacks the DNS resolution request corresponding to the network request, performs DNS resolution, obtains the attribute information of the application corresponding to the network request, such as its domain name, and compares it with the stored attribute information of the protected target applications. If the target application is protected, a local IP address is allocated to it; if not, resolution continues by requesting the upper-level DNS to acquire the corresponding IP address. In an optional application scenario, the local DNS of the terminal device 100 is set by the local proxy to a local address, for example 127.0.0.1. When an application client supporting the TCP protocol on the terminal device initiates a network request, the corresponding DNS resolution request is captured by the local DNS and judged first: if the attribute information of the application matches the stored attribute information of a protected target application, a local IP address is allocated to the target application after DNS resolution, for example any address in 127.10.0.0-127.255.0.0. The local IP addresses allocated to the different protected target applications are recorded so that no address is allocated twice and a separate TCP connection can be established for each protected target application.
If the attribute information of the application does not match the stored attribute information of the protected target applications, the application is not a protected application; in that case, if the local DNS has no cached IP address for the attribute information, the DNS resolution request is forwarded to the upper-level DNS, which handles it. The processing of the upper-level DNS is prior art and is not described herein.
Continuing in this embodiment, in step S403, a TCP connection for the network request is established based on the local IP address assigned for the target application and the received attribute information of the target application.
The protected target application client 111 that initiates the network request receives the local IP address resolved by the local DNS and the attribute information of the target application, initiates a TCP connection request to the local IP address, and after receiving the TCP connection request, the local proxy 112 establishes a TCP connection for the network request.
Continuing in this embodiment, in step S404, the local proxy 112 receives the network request for the target application over the TCP connection and sends it to the edge node 200 over the constructed secure channel to implement access control on the network request. The network request includes the domain name of the target application.
In an alternative embodiment, in step S401, the constructing a secure channel with an edge node includes:
and sending a request for establishing a secure channel to an edge node, if the authentication is passed, establishing the secure channel with the edge node, and sending user identity and/or equipment security information of a user side to the edge node for controlling the access to the network request.
After acquiring the target application information, the terminal device 100 sends a request for establishing a secure channel to the edge node 200. The request may be sent when a network request for the target application is initiated, or after the attribute information of the target application sent by the security management platform 300 is received; this may be determined according to the specific product form or application scenario and is not limited herein. After receiving the request, the edge node 200 performs identity authentication and, if authentication passes, a secure channel for data communication is established between the terminal device 100 and the edge node 200, and the user identity and/or device security information of the terminal device 100 is sent to the edge node 200 for access control of the network request by the edge node 200.
In an alternative embodiment, in step S401 of the above embodiment, the attribute information of the protected target application received by the terminal device 100 includes at least:
identification, domain name and port of the target application.
The identifier of the protected target application may be a number allocated sequentially when the protected target application is created; for example, the first protected target application created is allocated the number 1, the second is allocated the number 2, and so on. The attribute information of the protected target application received by the terminal device 100 may further include other attributes such as the application name of the target application, for example an OA (Office Automation) system or a CRM (Customer Relationship Management) system. It may also include the application mode of the protected target application, such as a TCP proxy mode. The attribute information of the protected target application is not limited here; any attribute information of the protected target application falls within the scope of the present application if applicable to it.
In an alternative embodiment, when the attribute information of the protected target application includes at least an identifier, a domain name and a port of the protected target application, in step S402, for any network request initiated on the terminal device 100 by an application that uses the TCP protocol, the local proxy hijacks the DNS resolution request corresponding to the network request, performs DNS resolution to obtain the domain name of the requested application, and compares it with the stored domain name of the protected target application. If the domain name is the same as that of the protected target application, a local IP address is allocated to the target application; if it is not the same, resolution is passed on to the upper-level DNS server to obtain the corresponding IP address.
In an alternative embodiment, when the attribute information of the protected target application includes at least an identifier, a domain name, and a port of the protected target application, in step S403, a TCP connection for the network request is established according to the local IP address allocated for the target application and the port of the target application.
To further eliminate the risk of sniffing and hijacking on the network link, making network access more secure, in an alternative embodiment, when the attribute information of the protected target application comprises at least the identity, domain name and port of the protected target application, the method further comprises, after step S402:
S4021 (not shown) establishes a mapping relationship between the identification of the target application and the local IP address.
In an alternative embodiment, step S404 includes:
acquiring a corresponding local IP address of the TCP connection;
acquiring an identification of the target application corresponding to the local IP address based on the mapping relation;
and encapsulating the identifier of the target application into the data packet corresponding to the network request, and then sending the data packet to an edge node through the secure channel so as to implement access control of the network request according to the identifier of the target application.
The identification of the target application is encapsulated into the data packet corresponding to the network request, and the transmission data is encrypted again, so that the security of data transmission can be further improved. And then the encapsulated data packet is sent to the edge node 200 through a secure channel to realize access control to the network request according to the identification of the target application.
In an optional embodiment, in step S404, a header may be prepended to the first TCP payload of the data packet corresponding to the network request for the target application, and the packet is then encrypted and integrity-checked; the header contains at least the identifier of the target application, for example its application number. When the edge node 200 receives the data packet of the network request for the protected target application sent by the terminal device 100, it decrypts and verifies the packet, parses the application identifier from the header taken from the start of the first TCP payload, determines the target application from that identifier, and then looks up the access control rule corresponding to the target application in the access control policy.
In an alternative embodiment, after step S404, the protected target application client 111 of the terminal device 100 also receives a response sent by the edge node 200 corresponding to the network request, or a security event pushed by the edge node 200.
When the edge node 200 receives, through the secure channel, a network request for a target application sent by the terminal device 100, it authenticates the user identity information and/or the device security information of the terminal device against the access control rule corresponding to the target application in the access control policy. If the authentication passes, the terminal device 100 receives the response corresponding to the network request from the edge node 200. If the response data is not stored on the edge node 200, the edge node determines the corresponding source station, requests the response data from it and then sends the data to the terminal device 100; where several source stations are available the response data may be obtained through a load balancer, and for an intranet source it may be obtained through a bound connector back to the intranet. Requesting response data from a source station or an intranet is prior art and is not elaborated here. If the authentication fails, the terminal device 100 receives a corresponding security event pushed by the edge node 200, informing the user why the access did not succeed. The security event may also be pushed to the terminal device 100 via a third-party push platform rather than directly by the edge node 200. The specific pushing manner is not limited here; any manner in which the edge node 200 pushes the security event to the terminal device 100 falls within the protection scope of the present application if applicable to it.
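Steps S402 to S404 on the terminal and the rule check on the edge node described above, as an added Python walk-through that is not part of the patent: the local proxy answers DNS queries for protected domains with a loopback address, records the identifier-to-address mapping, prepends an application-identifier header to the first TCP payload, and the edge node parses that header, looks up the rule and judges the user identity and device security information bound to the secure channel. The loopback pool, the header layout, the sample applications, users and policy are all constructed assumptions.

```python
import ipaddress
import struct

# Header prepended to the first TCP payload (assumed layout, not the patent's):
# 2-byte magic, 4-byte application identifier, 2-byte payload length.
HEADER = struct.Struct("!HIH")
MAGIC = 0x5A54  # constructed marker value

# Constructed attribute information as pushed by the security management
# platform: identifier, domain name and port, plus an application name.
PROTECTED_APPS = [
    {"id": 1, "domain": "oa.example.internal", "port": 443, "name": "OA"},
    {"id": 2, "domain": "crm.example.internal", "port": 8443, "name": "CRM"},
]

# Constructed access control policy as synchronised to the edge node: per
# application, the identities and device properties authorised to reach it.
POLICY = {
    1: {"users": {"alice", "bob"}, "device": {"disk_encrypted": True}},
    2: {"users": {"alice"}, "device": {"disk_encrypted": True, "edr_running": True}},
}


class LocalProxy:
    """Terminal-side local proxy: answers DNS for protected domains with a
    loopback address, keeps the identifier <-> local IP mapping (S4021) and
    encapsulates the identifier into the first payload (S404)."""

    def __init__(self, apps, pool="127.0.0.0/8"):
        self.by_domain = {a["domain"].lower().rstrip("."): a for a in apps}
        self.by_id = {a["id"]: a for a in apps}
        # Assumed pool: loopback addresses other than 127.0.0.1, so each
        # protected application gets its own local destination address.
        self._pool = ipaddress.ip_network(pool).hosts()
        next(self._pool)  # skip 127.0.0.1, which is normally in use already
        self.ip_to_id = {}
        self.id_to_ip = {}

    def resolve(self, qname):
        """S402: local IP for a protected domain, or None so the query is
        forwarded to the upper-level DNS server unchanged."""
        app = self.by_domain.get(qname.lower().rstrip("."))
        if app is None:
            return None
        if app["id"] not in self.id_to_ip:
            ip = str(next(self._pool))
            self.id_to_ip[app["id"]] = ip
            self.ip_to_id[ip] = app["id"]  # S4021: identifier <-> local IP
        return self.id_to_ip[app["id"]]

    def accept(self, local_ip, local_port):
        """S403: a connection to local_ip:local_port belongs to a protected
        application only if resolve() handed out the address and the port
        matches the application's attribute information."""
        app_id = self.ip_to_id.get(local_ip)
        if app_id is None or self.by_id[app_id]["port"] != local_port:
            return None
        return app_id

    @staticmethod
    def encapsulate(app_id, first_payload):
        """S404: prepend the identifier header to the first TCP payload."""
        if len(first_payload) > 0xFFFF:
            raise ValueError("first payload too large for the 2-byte length")
        return HEADER.pack(MAGIC, app_id, len(first_payload)) + first_payload


def edge_decide(packet, user, device, policy=POLICY):
    """Edge node: parse the header, find the rule for the identifier, judge the
    user identity and device security information sent when the secure channel
    was set up. Fails closed: anything unparseable or unknown is denied.
    Returns ("allow", payload) or ("deny", security_event)."""
    if len(packet) < HEADER.size:
        return "deny", {"reason": "malformed header"}
    magic, app_id, length = HEADER.unpack_from(packet)
    payload = packet[HEADER.size:]
    if magic != MAGIC or len(payload) != length:
        return "deny", {"reason": "malformed header"}
    rule = policy.get(app_id)
    if rule is None:
        return "deny", {"app_id": app_id, "reason": "unknown application"}
    if user not in rule["users"]:
        return "deny", {"app_id": app_id, "user": user, "reason": "identity not authorised"}
    for key, wanted in rule["device"].items():
        if device.get(key) != wanted:
            return "deny", {"app_id": app_id, "user": user, "reason": "device check failed: " + key}
    return "allow", payload


def run_flow(qname, dest_port, first_payload, user, device):
    """One request end to end: DNS interception, local TCP accept, header
    encapsulation, edge-node decision."""
    proxy = LocalProxy(PROTECTED_APPS)
    local_ip = proxy.resolve(qname)
    if local_ip is None:
        return "passthrough", None  # not protected: normal DNS and routing
    app_id = proxy.accept(local_ip, dest_port)
    if app_id is None:
        return "refused", None  # wrong port: the local proxy does not carry it
    return edge_decide(LocalProxy.encapsulate(app_id, first_payload), user, device)
```

A real deployment would bind the user identity and device state to the channel at authentication time rather than pass them per call; the flow and the deny-by-default decision are unchanged.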
Fig. 5 is a schematic diagram of an apparatus for access control deployed in a terminal device according to embodiment 5 of the present application, where the apparatus includes:
the obtaining module 510 is configured to obtain attribute information of a target application, and construct a secure channel with an edge node;
a processing module 520, configured to initiate a network request for the target application, and allocate a local IP address to the target application when a DNS resolution request corresponding to the network request is detected locally;
a connection module 530, configured to direct the network request to the local proxy based on the local IP address and the attribute information of the target application, so as to establish a TCP connection for the network request;
and a sending module 540, configured to receive the network request based on the TCP connection, and send the network request to the edge node through the secure channel, so as to implement access control on the network request.
In an alternative embodiment, the processing module 520 is further configured to establish a mapping relationship between the identifier of the target application and the local IP address, where the sending module 540 is configured to obtain, by using a local proxy, a corresponding local IP address of the TCP connection, obtain, based on the mapping relationship, the identifier of the target application corresponding to the local IP address, encapsulate the identifier of the target application into a data packet corresponding to the network request, and send the data packet to the edge node 200 through the secure channel, so as to implement access control on the network request according to the identifier of the target application.
In an alternative embodiment, the apparatus further comprises a receiving module 550 (not shown) configured to receive a response sent by the edge node and corresponding to the network request, or a security event pushed by the edge node.
In this embodiment and the optional embodiments thereof, the apparatus is disposed in the terminal device 100, where the terminal device 100 has the same software and hardware environment as the related devices in the foregoing method embodiment 1, and each module is configured to execute the corresponding steps of the foregoing method embodiment 1 or the optional embodiments thereof, and will not be described herein.
Fig. 6 is a schematic diagram of an apparatus for access control deployed at an edge node according to embodiment 6 of the present application, where the apparatus includes:
a receiving module 610, configured to receive, based on a secure channel, a network request for a target application sent by a terminal device, where the network request includes attribute information of the target application and user identity initiating the network request and/or device security information of the terminal device;
an obtaining module 620, configured to determine, based on attribute information of the target application, an access control rule corresponding to the target application from an access control policy, where the access control policy is obtained from a security management platform;
and an access control module 630, configured to judge, based on the access control rule, the user identity and/or device security information of the user side that initiated the network request, and to perform corresponding processing according to the judgment result, so as to implement access control on the network request.
In this embodiment, the apparatus is disposed in the edge node 200, where the edge node 200 is the same as the software and hardware environments of the related devices in the foregoing method embodiment 2, and each module is configured to execute the corresponding steps in the foregoing method embodiment 2, which is not described herein again.
Fig. 7 is a schematic diagram of an apparatus for access control deployed on a security management platform according to embodiment 7 of the present application, where the apparatus includes:
an obtaining module 710, configured to obtain an access control policy, where the access control policy includes attribute information of a target application and an access control rule corresponding to the target application;
and a sending module 720, configured to send the access control policy to an edge node, and send attribute information of the target application therein to a terminal device, so as to implement, at the edge node, access control on a network request based on the access control policy when the terminal device initiates the network request for the target application.
In this embodiment, the device is disposed in the security management platform 300, where the security management platform 300 is the same as the software and hardware environments of the related devices in the foregoing method embodiment 3, and each module is configured to execute the corresponding steps in the foregoing method embodiment 3, which is not described herein again.
Fig. 8 is a schematic diagram of an apparatus for access control deployed in a terminal device according to embodiment 8 of the present application, where the apparatus includes:
an obtaining module 810, configured to obtain attribute information of a target application, and construct a secure channel with an edge node;
a processing module 820, configured to receive a DNS resolution request corresponding to a network request for a target application, and allocate a local IP address to the target application;
a connection module 830, configured to establish a TCP connection for the network request based on the local IP address and attribute information of the target application;
and a sending module 840, configured to receive the network request based on the TCP connection, and send the network request to the edge node through the secure channel, so as to implement access control for the network request.
In an alternative embodiment, the processing module 820 is further configured to establish a mapping relationship between the identifier of the target application and the local IP address, where the sending module 840 is configured to obtain, by using a local proxy, a corresponding local IP address of the TCP connection, obtain, based on the mapping relationship, the identifier of the target application corresponding to the local IP address, encapsulate the identifier of the target application into a data packet corresponding to the network request, and send the data packet to the edge node 200 through the secure channel, so as to implement access control on the network request according to the identifier of the target application.
In an alternative embodiment, the apparatus further comprises a receiving module 850 (not shown) configured to receive a response sent by the edge node corresponding to the network request, or a security event pushed by the edge node.
In this embodiment and the optional embodiments thereof, the apparatus is disposed in the terminal device 100, where the software and hardware environments of the terminal device 100 are the same as those of the related devices in the foregoing method embodiment 4, and each module is configured to execute the corresponding steps of the foregoing method embodiment 4 or the optional embodiments thereof, and will not be described herein again.
Fig. 9 is a schematic diagram of a system for access control according to embodiment 9 of the present application, wherein the system includes:
the security management platform 300 is configured to obtain an access control policy, where the access control policy includes attribute information of a target application and an access control rule corresponding to the target application, synchronize the access control policy to an edge node, and send the attribute information of the target application to a terminal device, so as to implement access control on a network request based on the access control policy at the edge node when the terminal device initiates the network request for the target application;
the terminal device 100, on which a client of the target application and a local proxy are deployed, configured to obtain attribute information of the target application and construct a secure channel with an edge node, allocate a local IP address to the target application through the local proxy when a network request for the target application is detected, direct the network request to the local proxy based on the local IP address and the attribute information of the target application so as to establish a TCP connection for the network request, receive the network request based on the TCP connection, and send the network request to the edge node through the secure channel;
the edge node 200 is configured to obtain, based on a security channel, a network request for a target application sent by a terminal device, where the network request includes attribute information of the target application and user identity and/or device security information of the user terminal that initiates the network request, determine, based on the network request, attribute information of the target application, and determine, based on the attribute information of the target application, an access control rule corresponding to the target application from an access control policy, where the access control policy is obtained from a security management platform, determine, based on the access control rule, user identity and/or device security information of the user terminal that initiates the network request, and perform corresponding processing according to a determination result.
In this embodiment, the security management platform 300, the terminal device 100, and the edge node 200 are the same as the software and hardware environments of the related devices in the foregoing method embodiments, so as to execute the foregoing method embodiments.
According to yet another aspect of the present application, there is also provided a computer readable medium storing computer readable instructions executable by a processor to implement the foregoing method.
It should be noted that the present application may be implemented in software and/or a combination of software and hardware, for example, using Application Specific Integrated Circuits (ASIC), a general purpose computer, a cache computer, and/or any other similar hardware device. In one embodiment, the software program referred to in the present application may be executed by a processor to implement the steps or functions as described above. Likewise, the software program of the present application (including the related data structures) may be stored in a computer-readable recording medium. In addition, some steps or functions of the present application may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.
Furthermore, portions of the present application may be implemented as a computer program product, such as computer program instructions, which when executed by a computer, may invoke or provide methods and/or techniques in accordance with the present application by way of operation of the computer. Program instructions for invoking the inventive methods may be stored in fixed or removable recording media and/or transmitted via a data stream in a broadcast or other signal bearing medium and/or stored within a working memory of a computer device operating according to the program instructions. An embodiment according to the application here comprises an apparatus comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein the computer program instructions, when executed by the processor, trigger the apparatus to run a method and/or a solution according to the embodiments of the application as described above.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is evident that the word "comprising" does not exclude other elements or steps, and that the singular does not exclude a plurality. The units or means recited in the apparatus claims may also be implemented by means of software and/or hardware. The terms first, second, etc. are used to denote a name, but not any particular order.

Claims (27)

1. A method of access control, applied to a terminal device, the method comprising:
acquiring attribute information of a target application, and constructing a secure channel with an edge node;
Initiating a network request aiming at the target application, and distributing a local IP address for the target application when a DNS resolution request corresponding to the network request is locally detected;
based on the local IP address and the attribute information of the target application, streaming the network request to a local agent to establish a TCP connection for the network request;
and receiving the network request based on the TCP connection, and sending the network request to the edge node through the secure channel so as to realize access control of the network request.
2. The method according to claim 1, wherein the attribute information of the target application includes at least:
the identity, domain name and port of the target application.
3. The method of claim 2, wherein the assigning a local IP address to the target application when the DNS resolution request corresponding to the network request is locally detected comprises:
and when the DNS resolution request corresponding to the network request is hijacked locally, performing DNS resolution to allocate a local IP address to the target application according to the domain name of the target application.
4. A method according to claim 3, wherein after assigning a local IP address to the target application according to the domain name of the target application, the method further comprises:
And establishing a mapping relation between the identification of the target application and the local IP address.
5. The method of claim 4, wherein the directing the network request to a local proxy to establish a TCP connection for the network request based on the local IP address and attribute information of the target application comprises:
and sending a network request based on the TCP connection to the local proxy based on the local IP address and the port of the target application, and establishing the TCP connection aiming at the network request.
6. The method of claim 5, wherein the receiving the network request based on the TCP connection and sending the network request to the edge node over the secure channel to implement access control for the network request comprises:
acquiring a corresponding local IP address of the TCP connection through the local proxy;
acquiring the identification of the target application corresponding to the local IP address based on the mapping relation;
and encapsulating the identifier of the target application into a data packet corresponding to the network request, and then sending the data packet to the edge node through the secure channel so as to realize access control of the network request according to the identifier of the target application.
7. The method of claim 1, wherein said constructing a secure channel with an edge node comprises:
and sending a request for establishing a secure channel to an edge node, if the authentication is passed, establishing the secure channel with the edge node, and sending user identity and/or equipment security information of a user side to the edge node for controlling the access to the network request.
8. The method according to claim 1, wherein the method further comprises:
and receiving a response which corresponds to the network request and is sent by the edge node, or a security event which is pushed by the edge node.
9. A method of access control, applied to an edge node, the method comprising:
based on a security channel, receiving a network request for a target application sent by a terminal device, wherein the network request comprises attribute information of the target application and user identity initiating the network request and/or device security information of the terminal device;
determining an access control rule corresponding to the target application from an access control policy based on the attribute information of the target application, wherein the access control policy is acquired from a security management platform;
Based on the access control rule, judging the user identity and/or the equipment security information of the user side which initiate the network request, and performing corresponding processing according to the judging result so as to realize the access control of the network request.
10. The method of claim 9, wherein the access control policy is set based on the following information:
attribute information of the target application;
and the access control rule corresponds to the target application, wherein the access control rule is provided with user identity and/or equipment security information of the terminal equipment, which are authorized to access the target application.
11. The method according to claim 9, wherein the performing the corresponding processing according to the determination result includes:
based on the judging result, if access is allowed, sending a response corresponding to the network request to the terminal equipment;
and if the access is not allowed, pushing the security event to the terminal equipment.
12. A method of access control, for use with a security management platform, the method comprising:
acquiring an access control policy, wherein the access control policy comprises attribute information of a target application and an access control rule corresponding to the target application;
And sending the access control policy to an edge node, and sending attribute information of the target application to terminal equipment, so that when the terminal equipment initiates a network request aiming at the target application, the edge node realizes access control on the network request based on the access control policy.
13. A method of access control, applied to a terminal device, the method comprising:
acquiring attribute information of a target application, and constructing a secure channel with an edge node;
receiving a DNS resolution request corresponding to a network request of a target application, and distributing a local IP address for the target application;
establishing a TCP connection for the network request based on the local IP address and the attribute information of the target application;
and receiving the network request based on the TCP connection, and sending the network request to the edge node through the secure channel so as to realize access control of the network request.
14. The method according to claim 13, wherein the attribute information of the target application includes at least:
the identity, domain name and port of the target application.
15. The method of claim 14, wherein receiving a DNS resolution request corresponding to a network request for a target application, and wherein assigning a local IP address to the target application comprises:
and when the DNS resolution request corresponding to the network request is hijacked, performing DNS resolution to allocate a local IP address to the target application according to the domain name of the target application.
16. The method of claim 15, wherein after assigning a local IP address to the target application based on the domain name of the target application, the method further comprises:
and establishing a mapping relation between the identification of the target application and the local IP address.
17. The method of claim 16, wherein establishing a TCP connection for the network request based on the local IP address and attribute information of the target application comprises:
and establishing TCP connection for the network request based on the local IP address and the port of the target application.
18. The method of claim 17, wherein said receiving said network request based on said TCP connection and sending said network request to said edge node over said secure channel to effect access control to said network request comprises:
acquiring a corresponding local IP address of the TCP connection;
acquiring the identification of the target application corresponding to the local IP address based on the mapping relation;
and encapsulating the identifier of the target application into a data packet corresponding to the network request, and then sending the data packet to the edge node through the secure channel so as to realize access control of the network request according to the identifier of the target application.
19. The method of claim 13, wherein said constructing a secure channel with an edge node comprises:
and sending a request for establishing a secure channel to an edge node, if the authentication is passed, establishing the secure channel with the edge node, and sending user identity and/or equipment security information of a user side to the edge node for controlling the access to the network request.
20. The method of claim 13, wherein the method further comprises:
and receiving a response which corresponds to the network request and is sent by the edge node, or a security event which is pushed by the edge node.
21. An apparatus for access control, deployed at a terminal device, the apparatus comprising:
the acquisition module is used for acquiring attribute information of the target application and constructing a secure channel with the edge node;
the processing module is used for initiating a network request aiming at the target application, and distributing a local IP address for the target application when a DNS resolution request corresponding to the network request is locally detected;
The connection module is used for guiding the network request to a local agent based on the local IP address and the attribute information of the target application so as to establish TCP connection for the network request;
and the sending module is used for receiving the network request based on the TCP connection and sending the network request to the edge node through the secure channel so as to realize access control of the network request.
22. An apparatus for access control, deployed at an edge node, the apparatus comprising:
the receiving module is used for receiving a network request aiming at a target application sent by a terminal device based on a security channel, wherein the network request comprises attribute information of the target application, user identity initiating the network request and/or device security information of the terminal device;
the acquisition module is used for determining an access control rule corresponding to the target application from an access control policy based on the attribute information of the target application, wherein the access control policy is acquired from a security management platform;
and the access control module is used for judging the user identity and/or the equipment security information of the user side which initiate the network request based on the access control rule, and carrying out corresponding processing according to the judgment result so as to realize the access control of the network request.
23. An apparatus for access control, deployed on a security management platform, the apparatus comprising:
the access control module is used for acquiring an access control policy, wherein the access control policy comprises attribute information of a target application and an access control rule corresponding to the target application;
and the sending module is used for sending the access control policy to an edge node and sending the attribute information of the target application to terminal equipment, so as to realize access control on the network request based on the access control policy at the edge node when the terminal equipment initiates the network request aiming at the target application.
24. An apparatus for access control, deployed at a terminal device, the apparatus comprising:
the acquisition module is used for acquiring attribute information of the target application and constructing a secure channel with the edge node;
the processing module is used for receiving a DNS resolution request corresponding to a network request of a target application and distributing a local IP address for the target application;
the connection module is used for establishing TCP connection aiming at the network request based on the local IP address and the attribute information of the target application;
And the sending module is used for receiving the network request based on the TCP connection and sending the network request to the edge node through the secure channel so as to realize access control of the network request.
25. A system for access control, the system comprising:
the security management platform is used for acquiring an access control policy, wherein the access control policy comprises attribute information of a target application and an access control rule corresponding to the target application, synchronizing the access control policy to an edge node, and sending the attribute information of the target application to a terminal device, so that when the terminal device initiates a network request for the target application, access control of the network request is performed at the edge node based on the access control policy;
the terminal device is provided with a client of the target application and a local proxy, and is used for acquiring the attribute information of the target application, establishing a secure channel with the edge node, allocating a local IP address to the target application when the local proxy detects a network request for the target application, directing the network request to the local proxy based on the local IP address and the attribute information of the target application, establishing a TCP connection for the network request, receiving the network request over the TCP connection, and sending the network request to the edge node through the secure channel;
and the edge node is used for acquiring, over the secure channel, the network request for the target application sent by the terminal device, wherein the network request comprises the attribute information of the target application, the identity of the user initiating the network request and/or device security information of the terminal device; determining the attribute information of the target application based on the network request; determining an access control rule corresponding to the target application from the access control policy based on the attribute information of the target application, wherein the access control policy is acquired from the security management platform; judging the identity of the user initiating the network request and/or the device security information of the terminal device based on the access control rule; and performing corresponding processing according to the judgment result.
26. A computer-readable medium having stored thereon computer-readable instructions which, when executed by a processor, implement the method of any one of claims 1 to 20.
27. An apparatus for access control, the apparatus comprising:
one or more processors; and
a memory storing computer-readable instructions that, when executed, cause the one or more processors to perform the operations of the method of any one of claims 1 to 20.
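The flow claimed above (terminal-side local proxy that answers DNS for a target application with a local IP, attaches the application's attribute information, user identity and device security information, and an edge node that selects the rule from a policy synced by the security management platform) can be modelled end to end. The following is an added illustration, not code from the patent or its assignee; the policy contents, hostnames, the 127.10.0.0 local address range, and the `disk_encrypted` device attribute are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# Constructed policy as the security management platform would sync it to an
# edge node: application attribute information (here, its hostname) -> rule.
POLICY = {
    "crm.internal.example": {"users": {"alice", "bob"}, "disk_encryption": True},
    "wiki.internal.example": {"users": {"alice", "bob", "carol"}, "disk_encryption": False},
}
TARGET_APPS = set(POLICY)  # only the attribute information reaches the terminal

@dataclass
class LocalProxy:
    """Terminal-side local proxy: DNS for a target app yields a local IP so the
    TCP connection lands here; the request then goes to the edge node."""
    apps: set
    pool_start: IPv4Address = IPv4Address("127.10.0.1")  # assumed local range
    ip_by_app: dict = field(default_factory=dict)
    app_by_ip: dict = field(default_factory=dict)

    def resolve(self, hostname):
        """DNS hook: return an allocated local IP, or None for non-target hosts."""
        if hostname not in self.apps:
            return None  # not a target application: resolve normally
        if hostname not in self.ip_by_app:
            ip = str(self.pool_start + len(self.ip_by_app))  # one address per app
            self.ip_by_app[hostname], self.app_by_ip[ip] = ip, hostname
        return self.ip_by_app[hostname]

    def wrap_request(self, dest_ip, user, device):
        """Recover the app from the connection's local IP; attach identity/device data."""
        return {"app": self.app_by_ip[dest_ip], "user": user, "device": device}

def edge_decide(request, policy=POLICY):
    """Edge node: select the rule by attribute information, then judge the request."""
    rule = policy.get(request["app"])
    if rule is None:
        return "deny: no rule for application"
    if request["user"] not in rule["users"]:
        return "deny: user not permitted"
    if rule["disk_encryption"] and not request["device"].get("disk_encrypted"):
        return "deny: device security check failed"
    return "allow"

def demo():
    proxy = LocalProxy(apps=TARGET_APPS)
    ip = proxy.resolve("crm.internal.example")  # DNS -> local IP 127.10.0.1
    ok = edge_decide(proxy.wrap_request(ip, "alice", {"disk_encrypted": True}))
    bad = edge_decide(proxy.wrap_request(ip, "alice", {"disk_encrypted": False}))
    return ok, bad  # ("allow", "deny: device security check failed")
```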

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210339664.5A CN116938486A (en) 2022-04-01 2022-04-01 Access control method, device, system, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116938486A true CN116938486A (en) 2023-10-24

Family

ID=88376002

Country Status (1)

Country Link
CN (1) CN116938486A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117459320A (en) * 2023-12-20 2024-01-26 新华三网络信息安全软件有限公司 Data access control method and device
CN117459320B (en) * 2023-12-20 2024-03-26 新华三网络信息安全软件有限公司 Data access control method and device

Similar Documents

Publication Publication Date Title
CN110191031B (en) Network resource access method and device and electronic equipment
US9722966B2 (en) DNS-based determining whether a device is inside a network
CN106209749B (en) Single sign-on method and device, and related equipment and application processing method and device
CN106375270B (en) Token generation and authentication method and authentication server
CN113949573A (en) Zero-trust service access control system and method
US11303431B2 (en) Method and system for performing SSL handshake
WO2017161706A1 (en) Method of controlling access to network resource in local area network, device, and gateway equipment
WO2022247751A1 (en) Method, system and apparatus for remotely accessing application, device, and storage medium
US9554276B2 (en) System and method for on the fly protocol conversion in obtaining policy enforcement information
US10257171B2 (en) Server public key pinning by URL
US20130151663A1 (en) Data obtaining method and apparatus, and network storage method and device
US8949411B2 (en) Determining whether a device is inside a network
CN101986598B (en) Authentication method, server and system
CN110365701B (en) Client terminal equipment management method and device, computing equipment and storage medium
CN114500120B (en) Public cloud expansion method, device, system and storage medium
CN104662871A (en) Method and device for securely accessing a web service
CN115694960A (en) Application proxy method, device, equipment and readable storage medium
CN113872990B (en) VPN network certificate authentication method and device based on SSL protocol and computer equipment
CN116938486A (en) Access control method, device, system, equipment and storage medium
US20220116359A1 (en) Method, device, and computer-readable storage medium for processing an access request
CN110336793B (en) Intranet access method and related device
CN110266674B (en) Intranet access method and related device
WO2020009129A1 (en) Device and method for mediating configuration of authentication information
CN110324826B (en) Intranet access method and related device
CN110324318B (en) Intranet access method and related device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination