CN117081800A - Proxy method and system for accessing B/S application by zero trust hierarchy - Google Patents

Proxy method and system for accessing B/S application by zero trust hierarchy

Info

Publication number
CN117081800A
Authority
CN
China
Prior art keywords
zero
data
trust
application
zero trust
Prior art date
Legal status
Pending
Application number
CN202311028783.XA
Other languages
Chinese (zh)
Inventor
王浩
黄瑞
吴界壁
朱伟
刘永强
沈智杰
景晓军
Current Assignee
Surfilter Network Technology Co ltd
Original Assignee
Surfilter Network Technology Co ltd
Application filed by Surfilter Network Technology Co ltd
Priority to CN202311028783.XA
Publication of CN117081800A
Legal status: Pending

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a proxy method and a proxy system for accessing B/S (browser/server) applications through a zero trust system. A zero trust management platform performs trust evaluation on a zero trust client in response to the client's request and, from the evaluation result, determines the client's application policy information. The zero trust client establishes a SOCKS connection with the local browser, parses the SOCKS data generated when the browser accesses a target application to recover the original access data, encrypts and encapsulates that data and sends it to the corresponding zero trust gateway; the gateway decrypts it and forwards it to the target application as a proxy. Because proxying is done per data stream, each stream can be assigned a different tunnel, so a single client of the zero trust system can reach different zero trust gateways, and multiple gateway nodes can be networked to manage and control application access in a unified way across regions. This solves the problem of letting branches in different regions access multiple applications with one zero trust client.

Description

Proxy method and system for accessing B/S application by zero trust hierarchy
Technical Field
This application relates to network security technology, in particular to a proxy method and a proxy device for accessing B/S applications through a zero trust system.
Background
With the rise of cloud computing, big data, the Internet of Things and mobile computing, enterprise IT architecture is shifting from bounded to boundaryless, and traditional security perimeters are gradually collapsing. The continued rollout of new infrastructure such as 5G and the industrial Internet further accelerates this move away from the perimeter. At the same time, zero trust security has come into view as a new concept, a new architecture and a new solution for network security in this new era. Zero trust is a network security defence model which holds that an enterprise should treat every user, device and application, inside or outside its network, with suspicion and trust none of them by default, thereby improving security in an environment of growing network threats. Under the zero trust model a user must pass an additional authentication step when accessing an enterprise resource and may use the resource only after that authentication succeeds. Unlike traditional security policies, zero trust concentrates on measures such as network traffic monitoring and access restriction to achieve a better protective effect.
Applications accessed through zero trust fall mainly into two types, B/S (browser/server) and C/S (client/server), and a zero trust system needs to separate the access tunnels for the two. B/S applications forward data traffic through an application-layer proxy tunnel, while C/S applications forward traffic at the network layer through a virtual network card created on the terminal. In existing zero trust products, however, a client supports access to only one zero trust gateway: if B/S application resources belonging to a branch in another region, behind a different gateway, must be reached, a network tunnel has to be established between the gateways, and the client has to log in to a different zero trust system and switch connections. It is therefore difficult for one zero trust client to access several B/S applications at the same time when an enterprise's branches in different regions are connected over the open network rather than over an internal network built with products such as SD-WAN.
Based on this, a new solution is needed.
Disclosure of Invention
The main purpose of this application is to provide a proxy method and a proxy system for accessing B/S applications through a zero trust system.
To achieve this, the application provides a proxy method for accessing B/S applications through a zero trust system, used on a zero trust client, comprising the following steps:
updating the local PAC (proxy auto-configuration) rule file and the gateway connection information based on the obtained application policy information, where the application policy information consists of the set of applications the user may access, determined from the trust evaluation result, together with the zero trust gateway information corresponding to each application;
establishing a SOCKS connection with the local browser at the listening address of the local SOCKS server specified in the PAC rule file;
parsing the SOCKS data arriving at the listening address of the local SOCKS server and extracting the original access data with which the local browser accesses the target application;
encrypting and encapsulating the extracted original access data, and forwarding the resulting tunnel-encrypted data to the corresponding zero trust gateway according to the application policy information; and
decrypting the encrypted data received from the zero trust gateway and sending the decrypted data over the SOCKS connection to the local browser that initiated the request, where the encrypted data from the zero trust gateway is the target server's response data as encrypted by the gateway, the response data is the target server's response to the access request made by the gateway, and that access request carries the original access data the gateway obtained by decrypting the tunnel-encrypted data.
In the method provided by the application, before the step of updating the local PAC rule file and gateway connection information based on the obtained application policy information, the method further comprises:
initiating authentication to the zero trust management platform to obtain the application policy information.
To achieve the same purpose, the application also provides a proxy method for accessing B/S applications through a zero trust system, used on a zero trust gateway, comprising the following steps:
decrypting tunnel-encrypted data from a zero trust client to obtain the original access data, where the tunnel-encrypted data is produced by the client encrypting and encapsulating the original access data it extracted by parsing the SOCKS data arriving at the listening address of its local SOCKS server, and the original access data is generated when the local browser accesses a target application;
initiating an access request to the target application server according to the target application server address contained in the original access data; and
encrypting and encapsulating the response data from the target server and forwarding it to the zero trust client.
In the method provided by the application, in connection with the step of decrypting the tunnel-encrypted data from the zero trust client to obtain the original access data, the method further comprises:
receiving a release notification from the zero trust management platform, where the release notification carries the source IP of a zero trust client that is to be released, that is, allowed through the gateway.
To achieve the same purpose, the application further provides a proxy device for accessing B/S applications through a zero trust system, used on a zero trust client, comprising:
an updating module for updating the local PAC rule file and gateway connection information based on the obtained application policy information, where the application policy information consists of the set of applications the user may access, determined from the trust evaluation result, together with the zero trust gateway information corresponding to each application, and the PAC rule file specifies the listening address of the local SOCKS server;
a SOCKS connection establishment module for establishing a SOCKS connection with the local browser at the listening address of the local SOCKS server;
a SOCKS data parsing module for parsing the SOCKS data arriving at the listening address of the local SOCKS server and extracting the original access data with which the local browser accesses the target application;
a first data encryption module for encrypting and encapsulating the extracted original access data and forwarding the resulting tunnel-encrypted data to the corresponding zero trust gateway according to the application policy information; and
a first data decryption module for decrypting the encrypted data received from the zero trust gateway and sending the decrypted data over the SOCKS connection to the local browser that initiated the request, where the encrypted data from the zero trust gateway is the target server's response data as encrypted by the gateway, the response data is the target server's response to the gateway's access request, and that access request carries the original access data the gateway obtained by decrypting the tunnel-encrypted data.
To achieve the same purpose, the application further provides a proxy device for accessing B/S applications through a zero trust system, used on a zero trust gateway, comprising:
a second data decryption module for decrypting the tunnel-encrypted data from the zero trust client to obtain the original access data, where the tunnel-encrypted data is produced by the client encrypting and encapsulating the original access data it extracted by parsing the SOCKS data from its local SOCKS server, and the original access data is generated when the local browser accesses a target application;
a data forwarding module for initiating an access request to the target application server according to the target application server address in the original access data; and
a second data encryption module for encrypting and encapsulating the response data from the target server and forwarding it to the zero trust client.
To achieve the same purpose, the application also provides a proxy system for accessing B/S applications through a zero trust system, comprising a zero trust client, a zero trust management platform and a zero trust gateway, where:
the zero trust management platform performs trust evaluation on the zero trust client and determines the client's application policy information from the trust evaluation result, the application policy information defining the set of applications the client may access and the zero trust gateway information corresponding to each application, and sends a release notification to the zero trust gateway carrying the source IP of the zero trust client that may be released;
the zero trust client initiates authentication to the zero trust management platform and obtains the application policy information, updates its local PAC rule file and gateway connection information from that information, establishes a SOCKS connection with the local browser at the local SOCKS server listening address specified in the PAC rule file, parses the SOCKS data arriving at that listening address, extracts the original access data with which the local browser accesses the target application, encrypts and encapsulates it, and forwards the resulting tunnel-encrypted data to the corresponding zero trust gateway according to the application policy information;
the zero trust gateway decrypts the tunnel-encrypted data from the zero trust client to obtain the original access data, initiates an access request to the target application server according to the target application server address in that data, and encrypts and encapsulates the response data from the target server before forwarding it to the zero trust client; and
the zero trust client further decrypts the encrypted data from the zero trust gateway and sends the decrypted data over the SOCKS connection to the local browser that initiated the request.
In this application, the zero trust management platform performs trust evaluation on the zero trust client in response to the client's request and determines the client's application policy information from the result, namely the set of application systems the client may access and the zero trust gateway information for each. The zero trust client establishes a SOCKS connection with the local browser, parses the SOCKS data generated when the browser accesses a target application to recover the original access data, encrypts and encapsulates it and sends it to the corresponding zero trust gateway, which decrypts it and forwards it to the target as a proxy. Because proxying is done per data stream, each stream can be assigned a different tunnel, so a single client of the zero trust system can reach different zero trust gateways, and multiple gateway nodes can be networked to manage and control application access in a unified way across regions; this solves the problem of letting branches in different regions access multiple applications with one zero trust client.
Drawings
To describe the embodiments of the application more clearly, the drawings needed for describing the embodiments are briefly introduced below. These drawings show only embodiments of the application; a person skilled in the art could obtain other drawings from them without inventive effort.
FIG. 1 is a flow chart of a proxy method for accessing a B/S application through a zero trust system according to a first embodiment of the application;
FIG. 2 is a data flow diagram of the proxy method for accessing a B/S application through a zero trust system according to the first embodiment;
FIG. 3 is a schematic diagram of a proxy system for accessing a B/S application through a zero trust system according to a second embodiment; and
FIG. 4 is a schematic diagram of an application scenario of the proxy for accessing a B/S application through a zero trust system provided by the application.
Detailed Description
So that the application may be readily understood, it is described more completely below with reference to the appended drawings, which illustrate exemplary embodiments. The application may, however, be embodied in many different forms and should not be construed as limited to the embodiments set out here; these embodiments are provided so that the disclosure is thorough and complete.
Unless defined otherwise, all technical and scientific terms used here have the meaning commonly understood by a person of ordinary skill in the art to which this application belongs. The terminology is used to describe particular embodiments only and is not intended to limit the application.
The general idea of the application is as follows. To address the inability of a zero trust client in the prior art to access different zero trust gateways at the same time, a proxy method and a proxy system for accessing B/S applications through a zero trust system are provided. The zero trust management platform performs trust evaluation on the zero trust client in response to the client's request and determines the client's application policy information from the result, namely the set of application systems the client may access and the zero trust gateway information for each. The zero trust client establishes a SOCKS connection with the local browser, parses the SOCKS data generated when the browser accesses a target application to recover the original access data, encrypts and encapsulates it and sends it to the corresponding zero trust gateway, which decrypts it and forwards it to the target as a proxy. Because proxying is done per data stream, each stream can be assigned a different tunnel, so a single client can reach different zero trust gateways, and multiple gateway nodes can be networked to manage and control application access in a unified way across regions; this solves the problem of letting branches in different regions access multiple applications with one zero trust client.
For a better understanding of the above technical solution, a detailed description follows with reference to the drawings and specific embodiments. The specific features in the embodiments and examples are detailed explanations of the technical solution and do not limit it, and the technical features of the embodiments and examples may be combined with one another where they do not conflict.
Example 1
Referring to FIG. 1, a flow chart of an embodiment of the proxy method for accessing B/S applications through a zero trust system according to the application. In one embodiment the method comprises the following steps:
Step S10: the zero trust client initiates authentication to the zero trust management platform to obtain application policy information.
Specifically, in one embodiment the zero trust client installed on a local PC first sends a UDP packet to the zero trust management platform to initiate SPA (single packet authorization) authentication. This comprises the following:
The zero trust client encapsulates a unique identification message generated from hardware information and sends a UDP authentication message to the zero trust management platform. After the zero trust client is installed on the terminal device, the service address of the zero trust management platform is filled in; the client computes a terminal device ID from information such as the PC's hard disk and BIOS/motherboard, and its built-in SPA program then sends a UDP port-knocking packet to the management platform's server address.
On receiving the client's message, the zero trust management platform identifies the client's source IP, opens its own network access (a "release") for that source IP, and at the same time notifies the zero trust gateway of the client's source IP so that the gateway also opens network access for it. In detail, the management platform listens on a UDP port for the client's UDP message, verifies the legitimacy of the message, releases the source IP of the verified message, and notifies the zero trust gateway to release the same source IP.
Specifically, after passing SPA authentication the zero trust client initiates user identity authentication to obtain the application policy information. The client sends an account authentication request; on receiving it, the management platform verifies the identity information of the zero trust terminal, and from the verified identity determines, according to the trust evaluation result, the set of applications the user may access and the zero trust gateway information corresponding to each application.
Only after the client has sent the UDP SPA authentication message is it able to reach the TCP service port of the zero trust management platform. Through its first authentication module the client initiates an mTLS (mutual TLS) connection; once the mTLS connection with the management platform is established, the client carries its account information in an authentication exchange with the platform, which verifies the user's identity information and performs trust evaluation on the user's identity. After trust evaluation the platform looks up the preconfigured user application policy information and returns it to the client, together with the list of gateways the client may connect to; the client can then select from this list for tunnel connection and data forwarding.
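The SPA exchange of step S10, as an added example that is not code from the patent or from Surfilter's product. The patent states only that one UDP packet carrying a hardware-derived device identifier is sent and that the platform validates it and then releases the client's source IP on itself and on the gateway; the packet layout (a tag, the device ID, a timestamp, a nonce and an HMAC-SHA256 under a pre-shared key), the 30-second freshness window, the in-memory replay cache and the release-notice format are all assumptions made here to make "verifies the legitimacy of the UDP message" concrete. The hardware serials are constructed.

```python
"""Single-packet authorization (SPA) for step S10: client knock, platform check,
source-IP release. Added example; packet format and key handling are assumed."""
from __future__ import annotations
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Assumed: a per-device pre-shared key provisioned at enrolment. A real deployment
# would load it from the enrolment step, not a module constant.
PSK = bytes.fromhex("0f" * 32)
WINDOW_SECONDS = 30            # assumed freshness window for the timestamp
MAGIC = b"SPA1"                # assumed 4-byte packet tag


def device_id(disk_serial: str, board_serial: str) -> bytes:
    """Terminal ID derived from hardware info (the patent names the disk and BIOS/board)."""
    return hashlib.sha256(f"{disk_serial}|{board_serial}".encode()).digest()[:16]


def build_spa_packet(dev_id: bytes, psk: bytes, now: Optional[int] = None,
                     nonce: Optional[bytes] = None) -> bytes:
    """Client side: MAGIC | dev_id(16) | ts(8, big-endian) | nonce(16) | HMAC-SHA256(32)."""
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(16) if nonce is None else nonce
    body = MAGIC + dev_id + struct.pack(">Q", ts) + nonce
    return body + hmac.new(psk, body, hashlib.sha256).digest()


class SpaVerifier:
    """Management-platform side: validate the knock, then release the source IP."""

    def __init__(self, psk: bytes, known_devices: set[bytes]):
        self.psk = psk
        self.known = known_devices
        self.seen_nonces: set[bytes] = set()     # replay cache (assumed in-memory)
        self.released_ips: set[str] = set()      # IPs opened on platform and gateway

    def verify(self, pkt: bytes, src_ip: str, now: Optional[int] = None) -> tuple[bool, str]:
        now = int(time.time()) if now is None else now
        if len(pkt) != 4 + 16 + 8 + 16 + 32 or pkt[:4] != MAGIC:
            return False, "malformed"
        body, tag = pkt[:-32], pkt[-32:]
        # Check the MAC before interpreting any field, so unauthenticated input
        # never reaches the replay cache or the allowlist.
        if not hmac.compare_digest(hmac.new(self.psk, body, hashlib.sha256).digest(), tag):
            return False, "bad mac"
        dev, ts, nonce = body[4:20], struct.unpack(">Q", body[20:28])[0], body[28:44]
        if dev not in self.known:
            return False, "unknown device"
        if abs(now - ts) > WINDOW_SECONDS:
            return False, "stale"
        if nonce in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(nonce)
        self.released_ips.add(src_ip)            # the "network release" for this source IP
        return True, "released"

    def gateway_release_notice(self, src_ip: str) -> dict:
        """The notification the platform sends to the gateway (format assumed)."""
        return {"action": "release", "src_ip": src_ip, "ttl": WINDOW_SECONDS * 10}


def demo() -> list[str]:
    """Run one knock, then replay, tamper and stale variants; return the verdicts."""
    dev = device_id("WD-WCC4N1234567", "MB-SN-0001")      # constructed serials
    verifier = SpaVerifier(PSK, {dev})
    t0 = 1_700_000_000
    pkt = build_spa_packet(dev, PSK, now=t0, nonce=b"\x01" * 16)
    return [
        verifier.verify(pkt, "203.0.113.10", now=t0 + 2)[1],
        verifier.verify(pkt, "203.0.113.10", now=t0 + 3)[1],
        verifier.verify(pkt[:-1] + bytes([pkt[-1] ^ 1]), "203.0.113.10", now=t0 + 2)[1],
        verifier.verify(build_spa_packet(dev, PSK, now=t0 - 600), "203.0.113.11", now=t0)[1],
    ]


if __name__ == "__main__":
    print(demo())
```

Two points are worth noting. The MAC is checked before any other field is interpreted, so a forged knock cannot drive the replay cache or the allowlist. And the nonce cache is what turns a captured knock from a permanent key into a one-shot: without it, anyone who can replay the UDP packet from the same source IP gets the port opened again.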
Step S20: the zero trust client updates the local PAC rule file and gateway connection information based on the obtained application policy information.
Specifically, in one embodiment, after receiving the application policy information from the zero trust management platform, the zero trust client updates its local gateway connection list and at the same time generates a proxy auto-configuration (PAC) rule file from the application address information in the issued policy. The PAC file specifies the listening address of the local SOCKS server; it defines how the browser automatically selects the appropriate proxy server for a given site, so that the browser's access data can be proxied over SOCKS.
Step S30: establishing a SOCKS connection with the local browser at the listening address of the local SOCKS server specified in the PAC rule file.
Specifically, in one embodiment, as shown in FIG. 2, after updating the PAC rule file the zero trust client opens a local port on which the SOCKS service listens and accepts SOCKS connection requests from the local browser. The client thus uses the local SOCKS server listening address specified in the PAC rule file to establish SOCKS connections with the corresponding browser.
Step S40: parsing the SOCKS data arriving at the listening address of the local SOCKS server and extracting the original access data with which the local browser accesses the target application.
Specifically, in one embodiment, as shown in FIG. 2, when the user accesses a target application through the local browser, the browser forwards the access traffic over a SOCKS connection to the listening address of the corresponding local SOCKS server; on Windows the browser finds the SOCKS forwarding address through the automatic configuration script that the client configures in Internet Options by a system call. After receiving SOCKS data over the SOCKS connection, the zero trust client parses it to extract the original access data.
Step S50: encrypting and encapsulating the extracted original access data, and forwarding the resulting tunnel-encrypted data to the corresponding zero trust gateway according to the application policy information.
Specifically, in one embodiment, after the SOCKS proxy packet has been parsed, the original access data of the B/S application is encapsulated locally using the SM4 block cipher. At the same time the local gateway list and application policy information are read, the gateway address corresponding to the target application's server is looked up, and the encrypted application data is forwarded to the tunnel address of that gateway; if several zero trust gateways can reach the target application's server, one of them is selected for forwarding.
Steps S30 to S50 together set up the local SOCKS proxy and steer application data into it: the client's SOCKS connection establishment module establishes the SOCKS connection, and its SOCKS data parsing module parses, encrypts and encapsulates the received SOCKS data and forwards it to the zero trust gateway.
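Steps S20 to S50 as one worked client-side example, added here and not code from the patent or from Surfilter's product. The policy shape (an application host and port with one or more gateway addresses), the 127.0.0.1:1080 listening address, the host names and the gateway addresses are constructed; the SOCKS5 CONNECT layout follows RFC 1928. The SM4 encryption of step S50 is left out, so `route_request` stops at choosing the gateway for the stream.

```python
"""Client side of steps S20-S50: PAC generation from the application policy,
SOCKS5 CONNECT parsing, and per-stream gateway selection. Added example; the
policy shape, addresses and host names are assumptions."""
from __future__ import annotations
import random
import socket
import struct
from typing import Optional

LOCAL_SOCKS = ("127.0.0.1", 1080)   # assumed local SOCKS listening address written into the PAC

# Constructed application policy information, as the management platform might return it.
POLICY = [
    {"app": "oa.example.internal", "port": 443, "gateways": ["198.51.100.21:9443"]},
    {"app": "erp.example.internal", "port": 443,
     "gateways": ["198.51.100.21:9443", "203.0.113.40:9443"]},
]


def build_pac(policy: list, listen=LOCAL_SOCKS) -> str:
    """PAC text: policy hosts go to the local SOCKS5 server, everything else DIRECT.

    Sending unmatched hosts DIRECT keeps unrelated browsing out of the tunnel; the
    gateway must still refuse any host the policy does not grant (see select_gateway).
    """
    hosts = ", ".join(f'"{p["app"]}"' for p in policy)
    return (
        "function FindProxyForURL(url, host) {\n"
        f"  var allowed = [{hosts}];\n"
        "  for (var i = 0; i < allowed.length; i++) {\n"
        "    if (host == allowed[i]) {\n"
        f'      return "SOCKS5 {listen[0]}:{listen[1]}";\n'
        "    }\n"
        "  }\n"
        '  return "DIRECT";\n'
        "}\n"
    )


def parse_socks5_connect(data: bytes) -> tuple[str, int]:
    """Parse a SOCKS5 CONNECT request (RFC 1928 section 4) into (host, port).

    Raises ValueError for anything but CONNECT with an IPv4, domain or IPv6 target.
    """
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    if data[1] != 0x01:                       # CMD: 1=CONNECT, 2=BIND, 3=UDP ASSOCIATE
        raise ValueError("only CONNECT is proxied for B/S applications")
    atyp = data[3]
    if atyp == 0x01:                          # IPv4 address
        host, off = socket.inet_ntop(socket.AF_INET, data[4:8]), 8
    elif atyp == 0x03:                        # domain name, one length byte then the name
        n = data[4]
        host, off = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == 0x04:                        # IPv6 address
        host, off = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError("unknown ATYP")
    if len(data) < off + 2:
        raise ValueError("truncated request")
    return host, struct.unpack(">H", data[off:off + 2])[0]


def select_gateway(policy: list, host: str, port: int,
                   rng: Optional[random.Random] = None) -> str:
    """One gateway per stream, as the patent describes; chosen at random when several
    gateways serve the same application. Hosts outside the policy are refused."""
    rng = rng or random.Random()
    for p in policy:
        if p["app"] == host and p["port"] == port:
            return rng.choice(p["gateways"])
    raise PermissionError(f"{host}:{port} is not in the application policy")


def route_request(socks_request: bytes, policy: list = POLICY, seed: int = 0) -> dict:
    """The client pipeline for one stream: parse the CONNECT, then pick its tunnel."""
    host, port = parse_socks5_connect(socks_request)
    return {"target": f"{host}:{port}",
            "gateway": select_gateway(policy, host, port, random.Random(seed))}


def socks5_connect_request(host: str, port: int) -> bytes:
    """What a browser sends after method negotiation (used to build demo input)."""
    h = host.encode("idna")
    return bytes([0x05, 0x01, 0x00, 0x03, len(h)]) + h + struct.pack(">H", port)


if __name__ == "__main__":
    print(build_pac(POLICY))
    print(route_request(socks5_connect_request("erp.example.internal", 443)))
```

The PAC returns DIRECT for anything not in the policy so that unrelated browsing never enters the tunnel, and the client refuses CONNECTs to hosts outside the policy. Because both the PAC file and the client run on the endpoint, that refusal is a convenience rather than a control: the gateway has to make the same check on its side.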
And step S60, the zero trust gateway decrypts the tunnel encrypted data from the zero trust client to obtain the original access data.
Step S70, according to the address of the target application server in the original access data, an access request is initiated to the target application server.
And step S80, response data from the target server is encrypted and packaged and then forwarded to the zero trust client.
Step S90, the received encrypted data from the zero trust gateway is decrypted and then sent to the local browser initiating the request through the socks connection.
Specifically, in an embodiment of the present application, after receiving an encrypted message of a zero trust client, a second data decryption module of the zero trust gateway decrypts the data message by using an SM4 algorithm to extract an original request, and then sends the request to a target application server address through a data forwarding module. And meanwhile, the second data encryption module of the gateway encrypts the response data of the target application server, and obtains a response original path and sends the response original path to the zero trust client. And the first data decryption module of the zero-trust client decrypts the response data, the response data is returned to the browser application, and the service application completes the proxy access flow.
As shown in fig. 2, after the tunnel second data decryption module of the zero-trust gateway receives the tunnel encrypted data of the zero-trust client, the tunnel second data decryption module decrypts the encrypted data. And obtaining the address of the target application server and the source data after decryption. The zero trust gateway initiates an access request to the target application server by using the local address, the target server generates response data, and the zero trust gateway encrypts and encapsulates the response data through the second data encryption module and sends the response data to the zero trust client. And the first data decryption module of the zero-trust client decrypts the received data and then gives the decrypted data to the browser application program which initiates the request, and the whole application access business flow is completed.
Through steps S60 to S90, the zero trust gateway receives the client's tunnel encrypted data, decrypts it and initiates an access request to the application server, receives the application server's response data, encrypts and encapsulates that response and sends it to the zero trust client, which decrypts it and returns it to the local browser application program that initiated the request.
Steps S10 to S50 and S90 may be implemented as a proxy method on the zero-trust client side, and steps S60 to S80 may be implemented as a proxy method on the zero-trust gateway side.
Example two
The application also provides a proxy system for accessing the B/S application by the zero trust system, as shown in fig. 3, the proxy system for accessing the B/S application by the zero trust system comprises a zero trust client 10, a zero trust management platform 20 and a zero trust gateway 30, wherein the zero trust client 10 comprises a first authentication module 110, an updating module 120, a socks connection establishment module 130, a socks data analysis module 140, a first data encryption module 150 and a first data decryption module 160; the zero trust gateway 30 comprises a second authentication module 310, a second data decryption module 320, a data forwarding module 330, a second data encryption module 340.
Specifically, in an embodiment of the present application, the zero trust management platform 20 is configured to perform trust evaluation on the zero trust client, determine application policy information of the zero trust client according to a trust evaluation result, where the application policy information defines a plurality of application information accessible to the zero trust client and zero trust gateway information corresponding to each application, and is further configured to send a release notification to the zero trust gateway, where the release notification includes a source IP of the zero trust client that can be released. The zero trust management platform performs identity authentication according to the identity information of the user, performs application policy distribution on the user, performs authorization verification on the zero trust client, and simultaneously performs unified management on the zero trust gateway. A trust evaluation engine and an access policy engine are included in the zero trust management platform. The trust evaluation engine is a core component for realizing continuous trust evaluation capability in the zero trust management platform, is linked with the dynamic access policy engine, and provides trust level evaluation for the dynamic access policy engine as an authorization judgment basis. The trust evaluation engine continuously receives log information of the trusted agent and the dynamic access policy engine, combines the identity library and the authority library data, continuously portrays the identity based on a big data intelligent algorithm, continuously analyzes the access behavior, continuously evaluates the trust, finally generates and maintains a trust library, and provides decision basis for the dynamic access policy engine. The access policy engine is used for authenticating and dynamically authorizing all requests and is responsible for policy application control of all users of the whole system.
In actual use, the zero trust management platform may be deployed in an enterprise internal network or an external carrier network. Three configuration ports are configured on the zero trust management platform, namely a UDP port of the SPA authentication server, a TCP port of client authentication policy interaction and a TCP port of gateway policy authentication interaction. The zero trust management platform needs to be configured with identity organization information of enterprise users, accessed application resource information, access application authority of users, policy information of user authentication and the like.
The zero trust gateway is used for decrypting the tunnel encrypted data from the zero trust client to obtain original access data, initiating an access request to a target application server according to the target application server address in the original access data, and encrypting and encapsulating response data from the target server and forwarding it to the zero trust client.
Specifically, in an embodiment of the present application, the zero-trust client 10 is configured to perform identity authentication with the zero-trust management platform, obtain an application policy, and encapsulate and forward the original data packet of a proxied access request to the zero-trust gateway. The first authentication module 110 is configured to initiate authentication to the zero trust management platform to obtain application policy information; the updating module 120 is configured to update the local PAC rule file and gateway connection information based on the obtained application policy information; the socks connection establishment module 130 is configured to establish a socks connection with the local browser corresponding to the local socks connection server listening address included in the PAC rule file; the socks data analysis module 140 is configured to parse the socks data arriving at the local socks connection server listening address and extract the original access data of the local browser's access to the target application; the first data encryption module 150 is configured to encrypt and encapsulate the extracted original access data, and forward the resulting tunnel encrypted data to the corresponding zero trust gateway according to the application policy information; the first data decryption module 160 is configured to decrypt the received encrypted data from the zero trust gateway and send the decrypted data to the local browser that initiated the request via the socks connection.
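The following is an added example, not code from the patent, illustrating the client-side updating module 120 (PAC rule file), socks data analysis module 140 (SOCKS5 CONNECT parsing), gateway selection from the application policy, and the plaintext encapsulation the first data encryption module 150 would encrypt before tunnelling, together with the gateway-side decapsulation of steps S60 and S70. The listening address, policy entries and payload layout are assumptions; SM4 tunnel encryption is left to the encryption modules and not implemented here.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class AppPolicy:
    """One entry of the application policy information issued by the management
    platform: an application the client may reach and the gateway fronting it."""
    host: str      # application host as the browser names it
    port: int
    gateway: str   # zero trust gateway address "host:port" for this application


# Local socks connection server listening address written into the PAC file (assumed value).
SOCKS_LISTEN = ("127.0.0.1", 1080)

# Constructed sample policy for demonstration; not from the patent.
DEMO_POLICIES = (
    AppPolicy("oa.corp.example", 443, "gw-hq.example:8443"),
    AppPolicy("10.0.0.5", 80, "gw-branch.example:8443"),
)


def build_pac(policies: Iterable[AppPolicy], listen=SOCKS_LISTEN) -> str:
    """Updating module: render the PAC rule file from the application policy.
    Only hosts named in the policy are steered to the local SOCKS server; every
    other host goes DIRECT, so unauthorized applications are never tunnelled."""
    lines = ["function FindProxyForURL(url, host) {"]
    for p in policies:
        lines.append(f'  if (host == "{p.host}") return "SOCKS5 {listen[0]}:{listen[1]}";')
    lines.append('  return "DIRECT";')
    lines.append("}")
    return "\n".join(lines)


def parse_socks5_connect(data: bytes) -> Optional[Tuple[str, int]]:
    """Socks data analysis module: extract (host, port) from a SOCKS5 CONNECT
    request (RFC 1928 section 4). Returns None for anything malformed or for
    commands other than CONNECT, which the client should reject locally."""
    if len(data) < 4 or data[0] != 0x05 or data[1] != 0x01 or data[2] != 0x00:
        return None
    atyp = data[3]
    if atyp == 0x01:                       # IPv4 address
        if len(data) < 10:
            return None
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 0x03:                     # domain name, length-prefixed
        if len(data) < 5 or len(data) < 7 + data[4]:
            return None
        try:
            host = data[5:5 + data[4]].decode("ascii")
        except UnicodeDecodeError:
            return None
        end = 5 + data[4]
    elif atyp == 0x04:                     # IPv6 address
        if len(data) < 22:
            return None
        host, end = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    port = struct.unpack("!H", data[end:end + 2])[0]
    return host, port


def select_gateway(policies: Iterable[AppPolicy], host: str, port: int) -> Optional[str]:
    """Pick the gateway for the requested application from the policy. None means
    the policy does not authorize this target, so the connection is refused on
    the client instead of being forwarded to any gateway."""
    for p in policies:
        if p.host == host and p.port == port:
            return p.gateway
    return None


def encapsulate(host: str, port: int, original_request: bytes) -> bytes:
    """Plaintext tunnel payload: target address followed by the original access
    data. The first data encryption module would encrypt this whole payload
    (SM4 in the patent; not implemented here) before sending it to the gateway."""
    h = host.encode("ascii")
    return struct.pack("!B", len(h)) + h + struct.pack("!H", port) + original_request


def decapsulate(payload: bytes) -> Tuple[str, int, bytes]:
    """Gateway side (steps S60 and S70): after decryption, recover the target
    application server address and the original request to forward."""
    n = payload[0]
    host = payload[1:1 + n].decode("ascii")
    port = struct.unpack("!H", payload[1 + n:3 + n])[0]
    return host, port, payload[3 + n:]
```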
In practical use, the zero-trust client is deployed on the user's terminal PC, and after installation the connection address of the zero-trust management platform must be entered on the initialization page. The zero trust client can carry out TCP network communication with the zero trust management platform only after sending the SPA UDP authentication message. The zero-trust client initiates an MTLS connection request to register with the zero-trust management platform, the zero-trust management platform returns the user's application policy information to the zero-trust client, and the zero-trust client proxies the access data flow according to the corresponding application policy.
Specifically, in an embodiment of the present application, the zero trust gateway is configured to receive tunnel encrypted data of the zero trust client, decrypt the encrypted data, and proxy-forward the decrypted network access data. The second authentication module 310 is configured to receive a release notification from the zero trust management platform, where the release notification includes a source IP of a releasable zero trust client; the second data decryption module 320 is configured to decrypt the tunnel encrypted data from the zero trust client to obtain original access data; the data forwarding module 330 is configured to initiate an access request to a target application server according to a target application server address in the original access data; the second data encryption module 340 is configured to encrypt and encapsulate response data from the target server and forward the response data to the zero trust client.
In actual use, the zero-trust gateway is deployed in the enterprise intranet, and the TCP ports for connecting to the platform are configured in the zero-trust gateway. The zero trust gateway can carry out TCP network communication with the zero trust management platform only after sending the SPA UDP authentication message. The zero trust gateway initiates an MTLS connection request to register with the zero trust management platform, the zero trust management platform distributes the zero trust gateway's application access policy after registration, and the zero trust gateway receives the policy and enforces it as application policy control.
Fig. 4 is a schematic view of an application scenario of an agent for accessing a B/S application by using a zero trust system provided by the present application, where, as shown in fig. 4, a zero trust management platform is deployed in a cloud, and each branch office deploys a zero trust gateway in each place, where each zero trust gateway is uniformly registered to the zero trust management platform. The zero trust client can uniformly access the enterprise internal application resources of all branches when logging in all places.
In another application scenario of the application, two zero-trust gateways can be deployed in the same branch office for access, and the zero-trust management platform provides load-balancing scheduling according to three modes: a client source IP (Internet Protocol) sharing method, a user-count sharing method and a gateway polling method. That is, when the zero-trust management platform issues application policy information to a zero-trust client, it assigns the gateway the client connects to according to the actual conditions, so that the two gateways operate normally in a primary-primary arrangement to protect secure access to enterprise application resources.
It will be appreciated by those skilled in the art that the foregoing is an embodiment of a proxy system for accessing a B/S application by using a zero trust system provided by the embodiment of the present application, where the system and apparatus belong to the same inventive concept as the foregoing proxy method for accessing a B/S application by using a zero trust system, and details that are not described in detail in the foregoing embodiment of a proxy system for accessing a B/S application by using a zero trust system may refer to the foregoing embodiment of a proxy method for accessing a B/S application by using a zero trust system.
The embodiment of the application also provides proxy equipment for accessing the B/S application by the zero trust system, which can comprise:
a memory for storing a computer program;
the processor, when executing the computer program stored in the memory, can implement the following steps:
acquiring behavior log data generated by a user logging into the system; detecting whether the user login behavior is abnormal based on the behavior log data and preset conditions, wherein the user login authentication behavior is analyzed by an isolation forest method, and whether the user exhibits brute-force cracking, dormant-account or frequent-login behavior is analyzed by a statistical method; and issuing early-warning information when abnormal login behavior of the user is detected.
The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program, and the computer program can realize the proxy method of accessing the B/S application by the zero trust system when being executed by a processor.
The computer readable storage medium may include: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the application may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the application, various features of the application are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be construed as reflecting the intention that: i.e., the claimed application requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this application.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification, and all processes or units of any method or apparatus so disclosed, may be employed, except that at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the application and form different embodiments. For example, any of the claimed embodiments can be used in any combination.
Various component embodiments of the application may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that some or all of the functions of some or all of the components in accordance with embodiments of the present application may be implemented in practice using a microprocessor or Digital Signal Processor (DSP). The present application can also be implemented as an apparatus or device program (e.g., a computer program and a computer program product) for performing a portion or all of the methods described herein. Such a program embodying the present application may be stored on a computer readable medium, or may have the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form. It should be noted that the above-mentioned embodiments illustrate rather than limit the application, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The application may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. Several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. do not denote any order. These words may be interpreted as names.

Claims (10)

1. A proxy method for accessing B/S application by a zero trust system is used in a zero trust client and is characterized by comprising the following steps:
updating local PAC rule files and gateway connection information based on the obtained application strategy information, wherein the application strategy information is a plurality of application information which is determined according to trust evaluation results and can be accessed by a user and zero trust gateway information corresponding to each application;
establishing a socks connection with a local browser corresponding to a local socks connection server listening address included in the PAC rule file;
analyzing the socks data from the monitoring address of the local socks connection server, and extracting the original access data of the local browser access target application;
encrypting and packaging the extracted original access data, and forwarding the encrypted and packaged tunnel encrypted data to a corresponding zero trust gateway according to the application strategy information;
and decrypting the received encrypted data from the zero trust gateway and then sending the decrypted data to a local browser initiating a request through a socks connection, wherein the encrypted data from the zero trust gateway is data obtained by encrypting response data from a target server by the zero trust gateway, the response data is data obtained by responding an access request of the zero trust gateway by the target server, and the access request comprises original access data obtained by decrypting the tunnel encrypted data by the zero trust gateway.
2. The method of claim 1, further comprising, before the step of updating the local PAC rules file and the gateway connection information based on the acquired application policy information:
and initiating authentication to the zero trust management platform to acquire the application strategy information.
3. A proxy method for accessing B/S application by a zero trust system is used in a zero trust gateway and is characterized by comprising the following steps:
decrypting tunnel encrypted data from a zero-trust client to obtain original access data, wherein the tunnel encrypted data from the zero-trust client is data generated by encrypting and packaging original access data obtained by analyzing the socks data from a monitoring address of a local socks connection server by the zero-trust client, and the original access data is data generated by accessing a target application by a local browser;
according to the address of the target application server in the original access data, an access request is initiated to the target application server; and
and encrypting and packaging response data from the target server and forwarding the response data to the zero-trust client.
4. The method of claim 3, wherein decrypting the tunnel encrypted data from the zero trust client, prior to the step of obtaining the original access data, further comprises:
and receiving a release notice from the zero-trust management platform, wherein the release notice comprises a source IP of a releasable zero-trust client.
5. A proxy device for a zero trust hierarchy to access a B/S application for use in a zero trust client, comprising:
the updating module is used for updating local PAC rule files and gateway connection information based on the acquired application strategy information, wherein the application strategy information is a plurality of application information which is determined according to trust evaluation results and can be accessed by a user and zero trust gateway information corresponding to each application, and the PAC rule files are used for designating monitoring addresses of local socks connection servers;
the socks connection establishment module is used for establishing socks connection with the local browser corresponding to the monitoring address of the local socks connection server;
the socks data analysis module is used for analyzing the socks data from the monitoring address of the local socks connection server and extracting the original access data of the local browser access target application;
the first data encryption module is used for encrypting and packaging the extracted original access data and forwarding the encrypted and packaged tunnel encrypted data to a corresponding zero trust gateway according to the application strategy information;
the first data decryption module is used for decrypting the received encrypted data from the zero trust gateway and then sending the decrypted data to the local browser initiating the request through the socks connection, wherein the encrypted data from the zero trust gateway is data obtained by encrypting response data from the target server by the zero trust gateway, the response data is data obtained by responding an access request of the zero trust gateway by the target server, and the access request comprises original access data obtained by decrypting the tunnel encrypted data by the zero trust gateway.
6. The apparatus as recited in claim 5, further comprising:
and the first authentication module is used for initiating authentication to the zero trust management platform and acquiring the application policy information.
7. A proxy device for accessing B/S applications with a zero trust hierarchy, for use in a zero trust gateway, comprising:
the second data decryption module is used for decrypting the tunnel encrypted data from the zero-trust client to obtain original access data, wherein the tunnel encrypted data from the zero-trust client is data generated by encrypting and packaging original access data obtained by analyzing the socks data from the local socks connection server by the zero-trust client, and the original access data is data generated by accessing a target application by a local browser;
the data forwarding module is used for initiating an access request to a target application server according to the target application server address in the original access data; and
and the second data encryption module is used for encrypting and packaging the response data from the target server and then forwarding the response data to the zero trust client.
8. The apparatus as recited in claim 7, further comprising:
and the second authentication module is used for receiving a release notice from the zero-trust management platform, wherein the release notice comprises the source IP of a releasable zero-trust client.
9. A proxy system for accessing B/S application by zero trust system is characterized by comprising a zero trust client, a zero trust management platform and a zero trust gateway,
the zero trust management platform is used for carrying out trust evaluation on the zero trust client, determining application strategy information of the zero trust client according to a trust evaluation result, wherein the application strategy information defines a plurality of application information which can be accessed by the zero trust client and zero trust gateway information corresponding to each application, and sending a release notification to the zero trust gateway, and the release notification comprises a source IP of the zero trust client which can be released;
the zero trust client is used for initiating authentication to the zero trust management platform, acquiring application policy information, updating a local PAC rule file and gateway connection information based on the acquired application policy information, establishing a socks connection with a local browser corresponding to a local socks connection server monitoring address included in the PAC rule file, analyzing socks data from the local socks connection server monitoring address, extracting original access data of the local browser for accessing a target application, encrypting and packaging the extracted original access data, and forwarding the encrypted and packaged tunnel encryption data to a corresponding zero trust gateway according to the application policy information;
the zero trust gateway is used for decrypting the tunnel encrypted data from the zero trust client to obtain original access data, initiating an access request to a target application server according to a target application server address in the original access data, and forwarding response data from the target server to the zero trust client after being encrypted and packaged;
the zero trust client is also used for decrypting the encrypted data from the zero trust gateway and then sending the decrypted data to the local browser initiating the request through the socks connection.
10. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program which, when executed by a processor, implements the steps of the zero trust hierarchy proxy method of accessing a B/S application according to any one of claims 1 and 2 and the zero trust hierarchy proxy method of accessing a B/S application according to any one of claims 3 and 4.
CN202311028783.XA 2023-08-15 2023-08-15 Proxy method and system for accessing B/S application by zero trust hierarchy Pending CN117081800A (en)

Publications (1)

Publication Number Publication Date
CN117081800A true CN117081800A (en) 2023-11-17

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117614752A (en) * 2024-01-24 2024-02-27 明阳点时科技(沈阳)有限公司 Double-layer zero-trust enterprise production network security ad hoc network method and system
CN117614752B (en) * 2024-01-24 2024-03-22 明阳点时科技(沈阳)有限公司 Double-layer zero-trust enterprise production network security ad hoc network method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination