CN117097573B - Firewall dynamic access control method and device under zero-trust security system - Google Patents


Info

Publication number: CN117097573B
Application number: CN202311354996.1A
Authority: CN (China)
Prior art keywords: server, load balancing, terminal, firewall, application
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN117097573A (en)
Inventors: 蔺鑫蕊, 何涛, 张立杰, 谢坚, 曾明
Current assignee: Shenzhen Zhuyun Technology Co ltd
Original assignee: Shenzhen Zhuyun Technology Co ltd
Events: application filed by Shenzhen Zhuyun Technology Co ltd; priority to CN202311354996.1A; publication of CN117097573A; application granted; publication of CN117097573B; legal status active; anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Network architectures or network communication protocols for separating internal from external traffic, e.g. firewalls > H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/10 Protocols in which an application is distributed across nodes in the network > H04L67/1001 Protocols for accessing one among a plurality of replicated servers > H04L67/1004 Server selection for load balancing

Abstract

The invention relates to the technical field of network information security and discloses a firewall dynamic access control method and device under a zero-trust security system. The management control platform server and the control server complete the registration of the terminal; after registration, the terminal's access request is used to determine a load balancing address, and preset service data is sent to the application server through the control server, the load balancing server and the gateway server in turn according to that address. This improves the security of the servers in the firewall dynamic access control system under the zero-trust security system, reduces manual operation, and reduces the risk that manual operation carries.

Description

Firewall dynamic access control method and device under zero-trust security system
Technical Field
The invention relates to the technical field of network information security, in particular to a firewall dynamic access control method and device under a zero trust security system.
Background
Second-generation firewalls, also called next-generation firewalls (NGFWs), offer stronger security inspection, finer-grained policy management, more efficient security management, better transparency and more comprehensive security services than traditional firewalls.
Each security vendor keeps improving its second-generation firewall from a different emphasis, driven by its own business and background. For traffic analysis, the second-generation firewall concentrates on deep packet inspection: it looks not only at the protocol, source and destination, but also at whether a packet carries malicious content.
No second-generation firewall product on the market today is long proven and widely deployed; each vendor refines firewall functions for its own business background. For a firewall under a software-defined perimeter (SDP) architecture, policy must be applied flexibly and dynamically: on one hand, manual maintenance cost, operational complexity and the risk of manual operation should be reduced as far as possible; on the other hand, such a firewall has high performance requirements on top of light maintenance, and is generally not deployed as a separately provided hardware server project. The existing firewall control methods therefore do not meet these service requirements for second-generation firewall products, and a new firewall control method is needed.
Disclosure of Invention
In view of this, the invention provides a firewall dynamic access control method, a firewall dynamic access control device, a computer device and a computer-readable storage medium under a zero-trust security system, so as to solve the problems that existing firewall control methods cannot do without a separately provided hardware server deployment project, carry high manual maintenance cost, are complex to operate and carry high operational risk.
In a first aspect, the invention provides a firewall dynamic access control method under a zero trust security system, which is used for a firewall dynamic access control system under the zero trust security system, wherein the system comprises a terminal, a control server, a load balancing server, a gateway server, a management control platform server and an application server, and each server is loaded with a firewall; the firewall dynamic access control method under the zero trust security system comprises the following steps:
when the firewall dynamic access control system under the zero-trust security system is started, the control server, the load balancing server and the gateway server are each directed to initialize and enable an initial firewall policy based on preset service data; once the initial firewall policy is enabled, the terminal is registered using the management control platform server and the control server; after registration is completed, the control server receives an access request sent by the terminal, determines a load balancing address based on the access request, and sends the load balancing address to the terminal; and the terminal sends the preset service data to the application server through the control server, the load balancing server and the gateway server based on the load balancing address.
In the firewall dynamic access control method under the zero-trust security system, the management control platform server and the control server complete the registration of the terminal; after registration, the terminal's access request is used to determine the load balancing address, and the preset service data is sent to the application server through the control server, the load balancing server and the gateway server in turn according to that address. This improves the security of the servers in the system, reduces manual operation and reduces the risk of manual operation. At the same time, no hardware server needs to be separately requested for deployment and maintenance, which lowers the cost of use.
In an alternative embodiment, when the initial firewall policy is turned on, registering the terminal with the management control platform server and the control server includes:
when the initial firewall policy is enabled, the management control platform server configures a terminal registration policy and sends it to the control server; on receiving the terminal registration policy, the firewall in the control server opens the terminal registration port; with the terminal registration port open, the control server receives a terminal registration request sent by the terminal and forwards it to the management control platform server; and the management control platform server determines an approval policy based on the terminal registration policy, and approves and registers the terminal registration request according to that approval policy.
In the invention, the management control platform server configures the terminal registration policy, which causes the firewall in the control server to open the terminal registration port; the terminal is thereby registered with less manual operation, lower risk of manual operation and better security of terminal registration. Note that the registration port is only opened after the policy is configured, and a registration request is only honored after the approval policy passes it.
In an alternative embodiment, after registration is completed, the control server receives an access request sent by the terminal, determines a load balancing address based on the access request, and sends the load balancing address to the terminal, including:
after registration is completed, the terminal sends a first single-packet knock request (a single-packet authorization, SPA, packet) to the control server; the control server decides, based on the first single-packet knock request, whether to open the general-purpose port in its firewall; when the general-purpose port is opened, the terminal sends a connection request to the control server; on receiving a connection-success instruction from the control server, the terminal sends a single-packet authentication request to the control server; the control server performs single-packet authentication on that request, determines the load balancing address according to the authentication result, and sends the load balancing address to the terminal.
In the invention, the firewall ports of each server in the system are adjusted according to the terminal's access request, so the ports can be adjusted dynamically and adaptively across multiple links with more flexibility and higher security; the upstream and downstream links are guaranteed to be fully opened, manual operation is reduced, an upstream-downstream multi-link firewall system is formed, and boundary security is ensured.
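The single-packet exchange above (the first knock that opens the general-purpose port, then the single-packet authentication that yields a load balancing address) can be modeled as follows. This is an added example, not code from the patent or from Shenzhen Zhuyun Technology. The packet layout (header, terminal id, nonce, HMAC-SHA256 tag), the per-terminal key provisioned at registration, the 30-second time window, the per-source TTL of the general-purpose port and the nonce replay cache are all assumptions, chosen as the checks a practitioner would expect any SPA scheme to perform. The control server answers nothing on failure, so an unregistered or replaying sender cannot tell a closed port from a dropped packet.

```python
"""SPA-style single-packet knock and single-packet authentication at the control server.

Added example (not from the patent). Packet layout, key provisioning, time
window, general-port TTL and replay cache are assumptions.
"""
import hashlib
import hmac
import os
import struct
import time

KNOCK = 1              # first single-packet knock: asks the control server to open its general port
AUTH = 2               # single-packet authentication: asks for a load balancing address
WINDOW = 30            # seconds of clock skew a packet may carry (assumed)
GENERAL_PORT_TTL = 60  # seconds the general port stays open for one source address (assumed)
HDR = struct.Struct("!BBQ")   # len(terminal_id), kind, unix timestamp
NONCE_LEN, MAC_LEN = 16, 32


def build_packet(kind, terminal_id, key, ts=None, nonce=None):
    """Terminal side: header | terminal_id | nonce | HMAC-SHA256(key, everything before it)."""
    ts = int(time.time()) if ts is None else ts
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    tid = terminal_id.encode()
    body = HDR.pack(len(tid), kind, ts) + tid + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ControlServer:
    def __init__(self, terminal_keys, lb_addresses, now=time.time):
        self.terminal_keys = dict(terminal_keys)  # per-terminal keys handed out at registration (assumed)
        self.lb_addresses = list(lb_addresses)
        self.now = now
        self.seen = {}          # nonce -> expiry: replay cache
        self.general_open = {}  # source address -> expiry: who may reach the general port
        self._rr = 0

    def _expire(self, now):
        self.seen = {n: e for n, e in self.seen.items() if e > now}
        self.general_open = {s: e for s, e in self.general_open.items() if e > now}

    def _verify(self, pkt):
        """Return (kind, terminal_id) if MAC, time window and nonce all check out, else None.
        Every failure is a silent drop: an unauthenticated sender learns nothing."""
        if len(pkt) < HDR.size + NONCE_LEN + MAC_LEN:
            return None
        tid_len, kind, ts = HDR.unpack_from(pkt)
        body_len = HDR.size + tid_len + NONCE_LEN
        if len(pkt) != body_len + MAC_LEN:
            return None
        body, mac = pkt[:body_len], pkt[body_len:]
        tid = body[HDR.size:HDR.size + tid_len].decode("utf-8", "replace")
        key = self.terminal_keys.get(tid)
        if key is None:
            return None                                   # not a registered terminal
        if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()):
            return None                                   # forged or corrupted packet
        now = int(self.now())
        if abs(now - ts) > WINDOW:
            return None                                   # stale packet (or a bad clock)
        self._expire(now)
        nonce = body[-NONCE_LEN:]
        if nonce in self.seen:
            return None                                   # replayed packet
        self.seen[nonce] = now + WINDOW
        return kind, tid

    def receive_knock(self, pkt, src):
        """First single-packet knock on the SPA port, which the initial policy leaves open."""
        verified = self._verify(pkt)
        if verified is None or verified[0] != KNOCK:
            return False
        self.general_open[src] = int(self.now()) + GENERAL_PORT_TTL
        return True

    def general_port_open_for(self, src):
        self._expire(int(self.now()))
        return src in self.general_open

    def receive_auth(self, pkt, src):
        """Single-packet authentication over the general port; returns a load balancing address or None."""
        if not self.general_port_open_for(src):
            return None                                   # the firewall dropped it before it reached us
        verified = self._verify(pkt)
        if verified is None or verified[0] != AUTH:
            return None
        addr = self.lb_addresses[self._rr % len(self.lb_addresses)]
        self._rr += 1
        return addr


if __name__ == "__main__":
    key = os.urandom(32)                                  # constructed demo key
    cs = ControlServer({"term-01": key}, ["10.0.1.1:443", "10.0.1.2:443"])
    print("knock accepted:", cs.receive_knock(build_packet(KNOCK, "term-01", key), "198.51.100.7"))
    print("lb address:", cs.receive_auth(build_packet(AUTH, "term-01", key), "198.51.100.7"))
```

The general-purpose port is opened per source address and expires after GENERAL_PORT_TTL, so a successful knock from one host does not expose the port to others; the same logic covers the first knock in the detailed embodiment (step S4031), where the knock is accepted only because the initial policy already opened the single-packet authorization port.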
In an optional implementation manner, the terminal sends the preset service data to the application server through the control server, the load balancing server and the gateway server based on the load balancing address, and the method includes:
the terminal sends a second single-packet knock request to the load balancing server at the load balancing address; the load balancing server forwards the second single-packet knock request to a gateway server selected by a preset load balancing strategy; on receiving the second single-packet knock request, the gateway server sends a single-packet verification request to the control server; the control server performs single-packet verification for that request and, when verification passes, sends an application-port-open instruction to the load balancing server, which opens a first application port; with the first application port open, the load balancing server sends the application-port-open instruction to the gateway server, which opens a second application port; with the second application port open, the gateway server sends the application-port-open instruction to the application server, which opens a third application port; and with the third application port open, the terminal sends the preset service data to the application server through the load balancing server and the gateway server.
In this way the application ports of the load balancing server, the gateway server and the application server are opened in order, and only after the control server's single-packet verification passes, so the upstream and downstream links form a multi-link firewall system that is opened dynamically and adaptively, with the same reduction of manual operation and the same boundary security described above.
In an optional implementation manner, when the third application port is opened, the terminal sends the preset service data to the application server through the load balancing server and the gateway server, and the method includes:
with the third application port open, the terminal sends the preset service data to the gateway server via the load balancing server; the gateway server processes the preset service data to obtain target service data and sends the target service data to the application server.
By processing the preset service data in the gateway server, the invention ensures that the target service data sent to the application server is secure and trustworthy.
In an alternative embodiment, the method further comprises: and inquiring the firewall state of each server in the firewall dynamic access control system under the zero trust security system by using the management control platform server.
According to the invention, the management control platform server can be utilized to timely inquire the current state of the firewall of each server in the firewall dynamic access control system under the zero trust security system, so that the convenience of firewall security management is improved.
In an alternative embodiment, the method further comprises:
when the control server receives an access disconnection request sent by the terminal, it closes the general-purpose port in its firewall; once the general-purpose port is closed, the control server sends a port-close instruction to the load balancing server, which closes the first application port in its firewall; once the first application port is closed, the load balancing server sends the port-close instruction to the gateway server, which closes the second application port in its firewall; once the second application port is closed, the gateway server sends the port-close instruction to the application server, which closes the third application port in its firewall.
In the invention, after the terminal disconnects, the other servers in the firewall dynamic access control system under the zero-trust security system close the corresponding firewall ports in turn, so the firewall is adjusted dynamically and adaptively across multiple links and each server in the system is protected to the greatest extent.
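The port-open chain (load balancing server, then gateway server, then application server) and the mirror-image port-close chain of the two embodiments above, as an added simulation that is not the patent's or the assignee's code. The port numbers, the round-robin load balancing strategy, the "X-Gateway-Verified" header that stands in for the gateway's processing step, and the approved-token set that stands in for the control server's single-packet verification are all assumptions. The simulation adds one thing the text does not state: the rules opened on the gateway server and the application server are shared by every terminal served through that gateway, so they are reference-counted and one terminal's disconnect does not tear down another terminal's path.

```python
"""Multi-link open/close of application ports across LB, gateway and application server.

Added example (not from the patent). Port numbers, the token check that stands in
for single-packet verification, the round-robin strategy and the gateway's
processing header are assumptions.
"""
SPA_PORT = ("udp", 62201)    # knock port, in the initial policy of LB and gateway (assumed number)
LB_APP_PORT = ("tcp", 443)   # "first application port" on the load balancing server (assumed)
GW_APP_PORT = ("tcp", 8443)  # "second application port" on the gateway server (assumed)
APP_PORT = ("tcp", 9000)     # "third application port" on the application server (assumed)


class Firewall:
    """Per-server allow list: (proto, port) -> {source: refcount}; '*' means any source."""

    def __init__(self, initial=()):
        self.allowed = {port: {"*": 1} for port in initial}   # initial policy; all else closed

    def open(self, port, src):
        srcs = self.allowed.setdefault(port, {})
        srcs[src] = srcs.get(src, 0) + 1

    def close(self, port, src):
        srcs = self.allowed.get(port)
        if srcs is None or src not in srcs:
            return
        srcs[src] -= 1
        if srcs[src] == 0:
            del srcs[src]
        if not srcs:
            del self.allowed[port]

    def permits(self, port, src):
        srcs = self.allowed.get(port, {})
        return "*" in srcs or src in srcs


class ControlServer:
    """A knock passes single-packet verification iff its token was approved (assumption)."""

    def __init__(self, approved_tokens):
        self.approved = set(approved_tokens)

    def verify(self, token):
        return token in self.approved


class ApplicationServer:
    def __init__(self, addr):
        self.addr, self.fw, self.received = addr, Firewall(), []

    def receive(self, src, data):
        if not self.fw.permits(APP_PORT, src):
            raise PermissionError(f"application server: third application port closed for {src}")
        self.received.append(data)
        return len(self.received)


class GatewayServer:
    def __init__(self, addr, control, app):
        self.addr, self.control, self.app = addr, control, app
        self.fw = Firewall(initial=[SPA_PORT])

    def handle_knock(self, token):
        """Forwarded second knock: ask the control server to verify it."""
        return self.control.verify(token)

    def open_ports(self, lb_addr):
        """Open instruction from the LB: open the second port, then tell the app server to open the third."""
        self.fw.open(GW_APP_PORT, lb_addr)
        self.app.fw.open(APP_PORT, self.addr)

    def close_ports(self, lb_addr):
        self.fw.close(GW_APP_PORT, lb_addr)
        self.app.fw.close(APP_PORT, self.addr)

    def relay(self, src, data):
        if not self.fw.permits(GW_APP_PORT, src):
            raise PermissionError(f"gateway server: second application port closed for {src}")
        target = b"X-Gateway-Verified: 1\r\n" + data   # gateway processing; header form is assumed
        return self.app.receive(self.addr, target)


class LoadBalancingServer:
    def __init__(self, addr, gateways):
        self.addr, self.gateways, self._rr = addr, list(gateways), 0
        self.fw = Firewall(initial=[SPA_PORT])
        self.sessions = {}   # terminal source -> gateway serving it

    def knock(self, src, token):
        """Second single-packet knock from the terminal: opens the whole chain or nothing."""
        if not self.fw.permits(SPA_PORT, src):
            return False
        gw = self.gateways[self._rr % len(self.gateways)]   # preset strategy: round robin (assumed)
        self._rr += 1
        if not gw.handle_knock(token):
            return False                                    # verification failed: no port opened anywhere
        self.fw.open(LB_APP_PORT, src)                      # first application port
        gw.open_ports(self.addr)                            # second, then third
        self.sessions[src] = gw
        return True

    def relay(self, src, data):
        if not self.fw.permits(LB_APP_PORT, src):
            raise PermissionError(f"load balancing server: first application port closed for {src}")
        return self.sessions[src].relay(self.addr, data)

    def disconnect(self, src):
        """Port-close chain: first port here, then second and third downstream."""
        gw = self.sessions.pop(src, None)
        self.fw.close(LB_APP_PORT, src)
        if gw is not None:
            gw.close_ports(self.addr)


def build_system(approved=("tok-term-01",)):
    """Constructed topology: one LB, two gateways sharing one application server."""
    control = ControlServer(approved)
    app = ApplicationServer("10.0.3.1")
    gateways = [GatewayServer("10.0.2.1", control, app), GatewayServer("10.0.2.2", control, app)]
    return LoadBalancingServer("10.0.1.1", gateways), gateways, app
```

Run it by calling build_system(), then knock(), relay() and disconnect() on the returned load balancing server; a knock whose token the control server rejects leaves every firewall exactly as the initial policy left it, which is the fail-closed property the chain is meant to have.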
In a second aspect, the invention provides a firewall dynamic access control device under a zero-trust security system, used in a firewall dynamic access control system under the zero-trust security system, where the system comprises a terminal, a control server, a load balancing server, a gateway server, a management control platform server and an application server, and each server is loaded with a firewall; the firewall dynamic access control device under the zero-trust security system comprises:
the initialization module is used for respectively controlling the control server, the load balancing server and the gateway server to initialize and start an initial firewall strategy based on preset service data when the firewall dynamic access control system under the zero trust security system is started; the registration module is used for registering the terminal by using the management control platform server and the control server when the initial firewall policy is started; the receiving and determining module is used for controlling the server to receive the access request sent by the terminal after the registration is completed, determining a load balancing address based on the access request and sending the load balancing address to the terminal; the sending module is used for sending the preset service data to the application server through the control server, the load balancing server and the gateway server based on the load balancing address.
In a third aspect, the invention provides a computer device comprising a memory and a processor communicatively connected to each other, where the memory stores computer instructions and the processor executes those computer instructions so as to perform the firewall dynamic access control method under the zero-trust security system of the first aspect or any of its corresponding embodiments.
In a fourth aspect, the invention provides a computer-readable storage medium storing computer instructions, the computer instructions being configured to cause a computer to perform the firewall dynamic access control method under the zero-trust security system of the first aspect or any of its corresponding embodiments.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the following description will briefly explain the drawings needed in the embodiments or the prior art, and it is obvious that the drawings in the following description are some embodiments of the present invention and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a block diagram of a firewall dynamic access control system under a zero trust security architecture in accordance with an embodiment of the invention;
FIG. 2 is a flow diagram of a firewall dynamic access control method under a zero trust security architecture according to an embodiment of the invention;
FIG. 3 is a flow diagram of a firewall dynamic access control method under another zero trust security architecture according to an embodiment of the invention;
FIG. 4 is a flow diagram of a firewall dynamic access control method under yet another zero trust security architecture according to an embodiment of the invention;
FIG. 5 is a flow diagram of a firewall dynamic access control method under yet another zero trust security architecture in accordance with an embodiment of the invention;
FIG. 6 is a flow diagram of a firewall dynamic access control method under yet another zero trust security architecture in accordance with an embodiment of the invention;
FIG. 7 is a flow diagram of a multi-link dynamically opening firewall according to an embodiment of the invention;
FIG. 8 is a flow diagram of dynamically closing firewall access rights for multiple links according to an embodiment of the invention;
FIG. 9 is a block diagram of a firewall dynamic access control device under a zero trust security architecture in accordance with an embodiment of the invention;
FIG. 10 is a schematic diagram of the hardware structure of a computer device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The embodiment of the invention provides a firewall dynamic access control method under a zero trust security system, which utilizes the access request of a terminal to dynamically and adaptively adjust the firewall port in each server in the firewall dynamic access control system under the zero trust security system so as to achieve the effects of higher security, more flexible port adjustment, no need of independently applying for a hardware server for deployment maintenance and reduced use cost.
According to an embodiment of the present invention, there is provided an embodiment of a firewall dynamic access control method under a zero trust security architecture, it being noted that the steps illustrated in the flowchart of the figures may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different from that illustrated herein.
In this embodiment, a firewall dynamic access control method under a zero trust security system is provided, which can be used in a firewall dynamic access control system under a zero trust security system, as shown in fig. 1, where the firewall dynamic access control system 1 under the zero trust security system includes a terminal 11, a control server 12, a load balancing server 13, a gateway server 14, a management control platform server 15 and an application server 16. Each server is loaded with a firewall; fig. 2 is a flowchart of a firewall dynamic access control method under a zero trust security system according to an embodiment of the invention, and as shown in fig. 2, the flowchart includes the following steps:
step S201, when the firewall dynamic access control system under the zero trust security system is started, the control server, the load balancing server and the gateway server are respectively controlled to initialize and start an initial firewall strategy based on preset service data.
The initial firewall policy may include opening access to ports such as the single-packet authorization port, a UDP port, the default ICMP protocol and an assigned intranet port; all other ports stay closed until they are opened dynamically by the steps below.
Specifically, when the firewall dynamic access control system 1 under the zero-trust security system is started, the control server 12 and the gateway server 14 are controlled to perform an operation of initializing firewall policies based on preset service data, i.e., the initial firewall policies are respectively loaded to the control server 12 and the gateway server 14.
At the same time, the gateway server 14 notifies the load balancing server 13 to start its firewall policy.
Further, the administrator may view, add, modify, and delete the initial firewall policy.
Step S202, when the initial firewall policy is started, the management control platform server and the control server are utilized to register the terminal.
Specifically, when the initial firewall policy is turned on, the firewall dynamic access control system 1 under the zero trust security system can be accessed. At this time, the terminal 11 needs to be registered first.
Specifically, registration of the terminal 11 may be completed by the management control platform server 15 and the control server 12.
In step S203, when the registration is completed, the control server receives the access request sent by the terminal, determines a load balancing address based on the access request, and sends the load balancing address to the terminal.
Specifically, when the registration of the terminal 11 is completed, the terminal 11 transmits an access request to the control server 12.
After receiving the access request, the control server 12 may determine an accessible load balancing address based on the access request, and send the load balancing address to the terminal.
Step S204, the terminal sends the preset service data to the application server through the control server, the load balancing server and the gateway server based on the load balancing address.
Specifically, after receiving the load balancing address sent by the control server 12, the terminal 11 can reach the corresponding load balancing server and gateway server according to that address, and send the preset service data to the corresponding application server 16.
According to the firewall dynamic access control method under the zero-trust security system, the management control platform server and the control server are utilized to finish the registration of the terminal, after the terminal is registered, the access request of the terminal is utilized to determine the load balancing address, and preset service data are sequentially sent to the application server through the control server, the load balancing server and the gateway server according to the load balancing address, so that the security of the server in the firewall dynamic access control system under the zero-trust security system is improved, manual operation is reduced, and the risk of manual operation is reduced. Meanwhile, a hardware server does not need to be independently applied for deployment and maintenance, and the use cost is reduced.
In this embodiment, a firewall dynamic access control method under a zero trust security system is provided, which can be used in a firewall dynamic access control system under a zero trust security system, as shown in fig. 1, where the firewall dynamic access control system 1 under the zero trust security system includes a terminal 11, a control server 12, a load balancing server 13, a gateway server 14, a management control platform server 15 and an application server 16. Each server is loaded with a firewall; fig. 3 is a flowchart of a firewall dynamic access control method under a zero trust security system according to an embodiment of the invention, and as shown in fig. 3, the flowchart includes the following steps:
Step S301, when the firewall dynamic access control system under the zero trust security system is started, the control server, the load balancing server and the gateway server are respectively controlled to initialize and start an initial firewall strategy based on preset service data. Please refer to step S201 in the embodiment shown in fig. 2 in detail, which is not described herein.
Step S302, when the initial firewall policy is started, the management control platform server and the control server are utilized to register the terminal.
Specifically, the step S302 includes:
in step S3021, when the initial firewall policy is turned on, the management control platform server configures and sends the terminal registration policy to the control server.
Specifically, after initialization is completed, that is, once the initial firewall policy is enabled, the administrator can log in to the Web interface of the management control platform server 15 and configure whether to enable the terminal registration function.
If the terminal registration function is enabled, the management control platform server 15 notifies the control server 12 that it has been enabled, that is, the management control platform server 15 sends the terminal registration policy to the control server.
In step S3022, when the terminal registration policy is received, the firewall in the control server opens the terminal registration port.
Specifically, after the control server 12 receives the terminal registration policy issued by the management control platform server 15, the access right of the terminal registration port may be opened, that is, the corresponding terminal registration port is opened in the firewall in the control server 12.
In step S3023, when the terminal registration port is turned on, the control server receives the terminal registration request sent by the terminal, and sends the terminal registration request to the management control platform server.
The terminal 11 is a zero-trust terminal (client) installed by the user.
Specifically, when installation is completed, the external access address and the registration port of the control server 12 are entered in the terminal 11 and registration is requested, that is, the terminal 11 sends a terminal registration request to the control server 12.
Because the terminal registration port in the control server 12 is already open, the control server 12 can receive the terminal registration request sent by the terminal 11 and forward it to the corresponding management control platform server 15.
In step S3024, the management control platform server determines an approval policy based on the terminal registration policy, and approves and registers the terminal registration request based on the approval policy.
Specifically, the management control platform server 15 may decide, according to the pre-configured terminal registration policy, whether approval is manual or automatic, and whether the approval finally passes.
Further, if the approval passes, the registration is indicated to be successful, and if the approval does not pass, the registration is indicated to be failed.
Further, the management control platform server 15 may also return the registration result to the control server 12 in synchronization.
In step S303, when the registration is completed, the control server receives the access request sent by the terminal, determines a load balancing address based on the access request, and sends the load balancing address to the terminal. Please refer to step S203 in the embodiment shown in fig. 2 in detail, which is not described herein.
And step S304, the terminal sends the preset service data to the application server through the control server, the load balancing server and the gateway server based on the load balancing address. Please refer to step S204 in the embodiment shown in fig. 2 in detail, which is not described herein.
According to the firewall dynamic access control method under the zero trust security system, the terminal registration strategy is configured by the management control platform server to control the opening of the terminal registration port of the firewall in the server, so that the registration of the terminal is completed, the risk of manual operation is reduced, and the security of terminal registration is improved. Further, the access request of the terminal is utilized to determine the load balancing address, and preset service data is sequentially sent to the application server through the control server, the load balancing server and the gateway server according to the load balancing address, so that the security of the server in the firewall dynamic access control system under the zero trust security system is improved.
In this embodiment, a firewall dynamic access control method under a zero trust security system is provided, which can be used in a firewall dynamic access control system under a zero trust security system, as shown in fig. 1, where the firewall dynamic access control system 1 under the zero trust security system includes a terminal 11, a control server 12, a load balancing server 13, a gateway server 14, a management control platform server 15 and an application server 16. Each server is loaded with a firewall; fig. 4 is a flowchart of a firewall dynamic access control method under a zero trust security system according to an embodiment of the invention, and as shown in fig. 4, the flowchart includes the following steps:
step S401, when the firewall dynamic access control system under the zero trust security system is started, the control server, the load balancing server and the gateway server are respectively controlled to initialize and start an initial firewall strategy based on preset service data. Please refer to step S201 in the embodiment shown in fig. 2 in detail, which is not described herein.
Step S402, when the initial firewall policy is started, the terminal is registered by using the management control platform server and the control server. Please refer to step S302 in the embodiment shown in fig. 3 in detail, which is not described herein.
Step S403, when the registration is completed, the control server receives the access request sent by the terminal, determines a load balancing address based on the access request, and sends the load balancing address to the terminal.
Specifically, the step S403 includes:
in step S4031, after the registration is completed, the terminal sends a first single-packet knock request to the control server.
Specifically, after the registration of the terminal 11 is completed, a first one-pack knock request is transmitted to the control server 12.
In this case, since the control server has opened the initial firewall policy, i.e., has opened the access right of the single-packet authorized port in step S401, a single-packet request may be sent to the control server 12.
In step S4032, the control server determines whether to open the universal port in the protection wall based on the first single-packet knock request.
Specifically, after receiving the first single packet knock request, the control server 12 may determine whether the single packet is allowed to pass through based on the service. If allowed, the access rights of the universal port may be opened for the terminal 11, i.e. the universal port is opened in a protection wall in the control server 12.
Further, if the passage is not allowed, the access authority of the general port is not opened, and the control server 12 does not respond the single packet processing result to the terminal 11.
In step S4033, when the universal port is opened, the terminal sends a connection request to the control server.
Specifically, after the universal port is opened in the protection wall in the control server 12, the terminal 11 may send a connection request to the control server 12 to request the universal port opened in the control server 12.
In step S4034, when receiving the connection success instruction sent by the control server, the terminal sends a ticket Bao Jianquan request to the control server.
Specifically, after receiving the connection request sent by the terminal 11, the control server 12 processes the connection request, and sends a connection success instruction to the terminal 11 when the processing is completed, that is, the connection is successful.
Further, after receiving the connection success instruction, the terminal 11 continues to send a ticket Bao Jianquan request to the control server 12.
In step S4035, the control server requests single packet authentication based on the single Bao Jianquan, determines a load balancing address according to the single packet authentication result, and sends the load balancing address to the terminal.
Specifically, after receiving the request of the single Bao Jianquan, the control server 12 performs single packet authentication service processing, and returns the single packet authentication service processing to the load balancing service address that can be forwarded by the terminal 11.
Step S404, the terminal sends the preset service data to the application server through the control server, the load balancing server and the gateway server based on the load balancing address. Please refer to step S204 in the embodiment shown in fig. 2 in detail, which is not described herein.
According to the firewall dynamic access control method under the zero trust security system, the firewall ports in each server in the firewall dynamic access control system under the zero trust security system are adjusted by using the access request of the terminal, so that the firewall ports can be flexibly and dynamically adjusted in a self-adaptive mode in multiple links, the security is higher, all upstream and downstream links can be ensured to be opened, manual operation is reduced, an upstream and downstream multiple link firewall system is formed, and boundary security is ensured.
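The knock, connect and authenticate exchange of steps S4031 to S4035 leaves the single-packet format and the checks behind "judges according to the service" unspecified. The following Python is an added example, not code from the patent or its assignee, of one way a control server can implement that exchange: an HMAC-authenticated single packet with a timestamp window and a nonce cache for replay rejection, a per-terminal key assumed to be issued at registration, a policy table of the protected applications each terminal may name, and a silent drop on any failure. The terminal ids, application ids, key and load balancing address are constructed for the demo.

```python
"""Single-packet knock and authentication on the control server (added example).

Assumed wire format (the patent does not specify one):
  payload = JSON {v, cid, app, ts, nonce};  packet = payload || HMAC-SHA256(key, payload)
The key is a per-terminal secret assumed to be issued at registration; the
terminal ids, application ids and load-balancer address are constructed.
"""
import hashlib
import hmac
import json
import os
import time

VERSION = 1
WINDOW_SECONDS = 30
TAG_LEN = 32
FIELDS = ("cid", "app", "ts", "nonce")

REGISTERED_KEYS = {"term-0001": b"\x11" * 32}   # constructed registration state
POLICY = {"term-0001": {"app-crm"}}               # protected apps each terminal may name
LB_FOR_APP = {"app-crm": "10.0.2.10:7443"}        # hypothetical load-balancer address


def build_spa(client_id, app_id, key, now=None, nonce=None):
    """Terminal side: one authenticated datagram naming the protected application."""
    body = {"v": VERSION, "cid": client_id, "app": app_id,
            "ts": int(time.time() if now is None else now),
            "nonce": (nonce or os.urandom(8)).hex()}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


class ControlServer:
    def __init__(self, keys, policy, lb_for_app):
        self.keys, self.policy, self.lb_for_app = keys, policy, lb_for_app
        self.seen_nonces = {}             # nonce -> expiry, for replay rejection
        self.universal_port_open = set()  # terminals granted the universal port

    def verify_spa(self, packet, now=None):
        now = time.time() if now is None else now
        if len(packet) <= TAG_LEN:
            return None, "short"
        payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        try:
            body = json.loads(payload)
        except ValueError:
            return None, "malformed"
        if not isinstance(body, dict) or body.get("v") != VERSION \
                or not all(k in body for k in FIELDS):
            return None, "malformed"
        key = self.keys.get(body["cid"])
        if key is None:
            return None, "unregistered"   # registration (S302) must precede the knock
        if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
            return None, "bad-mac"
        if abs(now - body["ts"]) > WINDOW_SECONDS:
            return None, "stale"
        self.seen_nonces = {n: e for n, e in self.seen_nonces.items() if e > now}
        if body["nonce"] in self.seen_nonces:
            return None, "replay"
        self.seen_nonces[body["nonce"]] = now + 2 * WINDOW_SECONDS
        if body["app"] not in self.policy.get(body["cid"], set()):
            return None, "policy-denied"  # the "judged according to the service" check
        return body, "ok"

    def knock(self, packet, now=None):
        """S4031/S4032: open the universal port for the sender, or drop silently."""
        body, _ = self.verify_spa(packet, now)
        if body is None:
            return None                   # no response at all to a failed knock
        self.universal_port_open.add(body["cid"])
        return "universal-port-opened"

    def authenticate(self, packet, now=None):
        """S4035: only a terminal already on the universal port gets the LB address."""
        body, _ = self.verify_spa(packet, now)
        if body is None or body["cid"] not in self.universal_port_open:
            return None
        return self.lb_for_app.get(body["app"])


def demo(now=1_700_000_000):
    ctrl = ControlServer(REGISTERED_KEYS, POLICY, LB_FOR_APP)
    key = REGISTERED_KEYS["term-0001"]
    knock = build_spa("term-0001", "app-crm", key, now, b"\x01" * 8)
    out = {"knock": ctrl.knock(knock, now)}
    out["replay"] = ctrl.knock(knock, now)                   # same nonce again
    out["tampered"] = ctrl.knock(knock[:-1] + b"\x00", now)   # altered MAC byte
    out["stale"] = ctrl.knock(build_spa("term-0001", "app-crm", key, now - 120, b"\x02" * 8), now)
    out["denied"] = ctrl.knock(build_spa("term-0001", "app-hr", key, now, b"\x03" * 8), now)
    out["unknown"] = ctrl.knock(build_spa("term-0002", "app-crm", key, now, b"\x04" * 8), now)
    out["lb"] = ctrl.authenticate(build_spa("term-0001", "app-crm", key, now, b"\x05" * 8), now)
    return out
```

The MAC is checked before any field is trusted, the nonce is recorded only after the MAC and time window pass, and every failure path returns nothing to the sender; in a real deployment the nonce cache would be shared across control server instances and the per-terminal key would be rotated with the registration record.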
In this embodiment, a firewall dynamic access control method under a zero trust security system is provided, which can be used in a firewall dynamic access control system under a zero trust security system, as shown in fig. 1, where the firewall dynamic access control system 1 under the zero trust security system includes a terminal 11, a control server 12, a load balancing server 13, a gateway server 14, a management control platform server 15 and an application server 16. Each server is loaded with a firewall; fig. 5 is a flowchart of a firewall dynamic access control method under a zero trust security system according to an embodiment of the invention, and as shown in fig. 5, the flowchart includes the following steps:
Step S501, when the firewall dynamic access control system under the zero trust security system is started, the control server, the load balancing server and the gateway server are respectively controlled to initialize and start an initial firewall strategy based on preset service data. Please refer to step S201 in the embodiment shown in fig. 2 in detail, which is not described herein.
Step S502, when the initial firewall policy is started, the management control platform server and the control server are used for registering the terminal. Please refer to step S302 in the embodiment shown in fig. 3 in detail, which is not described herein.
In step S503, after the registration is completed, the control server receives the access request sent by the terminal, determines a load balancing address based on the access request, and sends the load balancing address to the terminal. Please refer to step S403 in the embodiment shown in fig. 4 in detail, which is not described herein.
Step S504, the terminal sends the preset service data to the application server through the control server, the load balancing server and the gateway server based on the load balancing address.
Specifically, the step S504 includes:
In step S5041, the terminal sends a second single-packet knock request to the load balancing server based on the load balancing address.
Specifically, after receiving the forwardable load balancing address sent by the control server 12, the terminal 11 may send a second single-packet knock request to the corresponding load balancing server 13 based on that address.
This request is reachable because in step S501 the load balancing server already started the initial firewall policy, that is, it already opened access to the single-packet authorization port, so a single-packet request can be delivered to the load balancing server 13.
In step S5042, the load balancing server sends a second single-packet knock request to the gateway server based on a preset load balancing policy.
Specifically, the load balancing server 13 may forward the second single-packet knock request sent by the terminal 11 to the gateway server 14 based on a preset load balancing policy.
In step S5043, when receiving the second single-packet knock request, the gateway server sends a single-packet check request to the control server.
Specifically, after receiving the second single-packet knocking request forwarded by the load balancing server 13, the gateway server 14 continues to send a corresponding single-packet check request to the control server 12.
In step S5044, the control server performs single-packet verification based on the single-packet verification request and, after the verification passes, sends an application port opening instruction to the load balancing server, so that the load balancing server opens the first application port based on that instruction.
Specifically, after receiving the single-packet verification request, the control server 12 performs single-packet verification. Because the single-packet data of the request carries the information of the protected application, when the verification passes the control server 12 sends an application port opening instruction for that application to the load balancing server 13.
After receiving the application port opening instruction, the load balancing server 13 opens access to the corresponding protected application port, that is, it opens the first application port in the firewall of the load balancing server 13.
In step S5045, when the first application port is opened, the load balancing server sends an application port opening instruction to the gateway server, so that the gateway server opens the second application port based on the application port opening instruction.
Specifically, after the first application port is opened in the firewall of the load balancing server 13, the load balancing server 13 forwards the received application port opening instruction to the corresponding gateway server 14.
Further, after receiving the application port opening instruction, the gateway server 14 opens the corresponding access right of the protected application port, that is, opens the second application port in the firewall of the gateway server 14.
In step S5046, when the second application port is opened, the gateway server sends an application port opening instruction to the application server, so that the application server opens the third application port based on the application port opening instruction.
Specifically, after opening the second application port in the firewall of the gateway server 14, the gateway server 14 continues to send the application port opening instruction to the corresponding application server 16.
Further, after receiving the application port opening instruction, the application server 16 opens the corresponding access right of the protected application port, that is, opens the third application port in the firewall of the application server 16.
In step S5047, when the third application port is opened, the terminal sends the preset service data to the application server through the load balancing server and the gateway server.
Specifically, after the third application port in the firewall of the application server 16 is opened, the terminal 11 may send the preset service data to the corresponding protected application service, i.e. the application server 16 through the load balancing server 13 and the gateway server 14.
In some alternative embodiments, step S5047 includes:
Step a1, when the third application port is opened, the terminal sends the preset service data to the gateway server through the load balancing server.
Step a2, the gateway server processes the preset service data to obtain target service data, and sends the target service data to the application server.
Specifically, after the third application port in the firewall of the application server 16 is opened, the terminal 11 may send the preset service data to the gateway server 14 through the load balancing server 13.
Further, after receiving the preset service data, the gateway server 14 runs a service processing flow, which may include policies such as a Web application firewall, risk policy evaluation and intelligent IP blocking; through this processing the security and credibility of the preset service data can be ensured.
Further, the gateway server 14 sends the processed target service data to the corresponding application server 16.
According to the firewall dynamic access control method under the zero trust security system, the firewall ports in each server in the firewall dynamic access control system under the zero trust security system are adjusted by using the access request of the terminal, so that the firewall ports can be flexibly and dynamically adjusted in a self-adaptive mode in multiple links, the security is higher, all upstream and downstream links can be ensured to be opened, manual operation is reduced, an upstream and downstream multiple link firewall system is formed, and boundary security is ensured.
In this embodiment, a firewall dynamic access control method under a zero trust security system is provided, which can be used in a firewall dynamic access control system under a zero trust security system, as shown in fig. 1, where the firewall dynamic access control system 1 under the zero trust security system includes a terminal 11, a control server 12, a load balancing server 13, a gateway server 14, a management control platform server 15 and an application server 16. Each server is loaded with a firewall; fig. 6 is a flowchart of a firewall dynamic access control method under a zero trust security architecture according to an embodiment of the invention, as shown in fig. 6, the flowchart includes the following steps:
step S601, when the firewall dynamic access control system under the zero trust security system is started, the control server, the load balancing server and the gateway server are respectively controlled to initialize and start an initial firewall strategy based on preset service data. Please refer to step S201 in the embodiment shown in fig. 2 in detail, which is not described herein.
Step S602, when the initial firewall policy is started, the management control platform server and the control server are used for registering the terminal. Please refer to step S302 in the embodiment shown in fig. 3 in detail, which is not described herein.
In step S603, after the registration is completed, the control server receives the access request sent by the terminal, determines a load balancing address based on the access request, and sends the load balancing address to the terminal. Please refer to step S403 in the embodiment shown in fig. 4 in detail, which is not described herein.
In step S604, the terminal sends the preset service data to the application server through the control server, the load balancing server and the gateway server based on the load balancing address. Please refer to step S504 in the embodiment shown in fig. 5 in detail, which is not described herein.
Step S605, the management control platform server is utilized to inquire the firewall state of each server in the firewall dynamic access control system under the zero trust security system.
Specifically, the opening and closing conditions of the firewall of each server in the firewall dynamic access control system 1 under the current zero-trust security system can be checked in the Web management interface of the management control platform server 15.
In step S606, when the control server receives the access disconnection request sent by the terminal, it closes the universal port in its firewall.
Specifically, after the terminal 11 sends the access disconnection request to the control server 12, the control server 12 may, according to that request, close the terminal 11's access to the universal port of the control server 12, that is, close the universal port in the firewall of the control server 12.
Further, once the universal port is closed, the connection request and the single-packet authentication request sent by the terminal 11 can no longer reach the control server 12 through that port; to regain access the terminal 11 has to send a new first single-packet knock request to the single-packet authorization port.
In step S607, when the universal port is closed, the control server sends a port closing instruction to the load balancing server, so that the load balancing server closes the first application port in its firewall based on that instruction.
Specifically, after the universal port is closed, the control server 12 sends a port closing instruction to the load balancing server 13; after receiving it, the load balancing server 13 closes the first application port in its firewall.
In step S608, when the first application port is closed, the load balancing server sends the port closing instruction to the gateway server, so that the gateway server closes the second application port in its firewall based on that instruction.
Specifically, after closing the first application port in its firewall, the load balancing server 13 continues by forwarding the port closing instruction to the corresponding gateway server 14.
Further, after receiving the port closing instruction, the gateway server 14 closes the second application port in its firewall.
In step S609, when the second application port is closed, the gateway server sends the port closing instruction to the application server, so that the application server closes the third application port in its firewall based on that instruction.
Specifically, after the second application port is closed, the gateway server 14 continues by forwarding the received port closing instruction to the corresponding application server 16.
Further, after receiving the port closing instruction, the application server 16 closes the third application port in its firewall; at this point the terminal 11 can no longer access the corresponding application server 16, that is, it can no longer send the preset service data to the application server 16.
According to the firewall dynamic access control method under the zero-trust security system, the management control platform server and the control server complete the registration of the terminal; after registration, the access request of the terminal is used to determine the load balancing address, and the preset service data is sent in sequence to the application server through the control server, the load balancing server and the gateway server according to that address, so that the security of the servers in the firewall dynamic access control system under the zero-trust security system is improved and manual operation, with its attendant risk, is reduced. At the same time, no hardware server has to be separately applied for, deployed and maintained, which lowers the cost of use. Furthermore, the management control platform server can be used to query the current firewall state of each server in the system at any time, which makes firewall security management more convenient. Finally, after the terminal disconnects, the other servers in the system close the corresponding firewall ports, realizing multi-link dynamic self-adaptive adjustment of the firewalls and protecting every server in the system to the greatest possible extent.
In an example, a dynamic adaptive firewall admission control method based on user behavior under a zero trust security system is provided.
Specifically, for all software firewall rules executed in the method, the processing mode is divided into an initialization firewall policy and a dynamic firewall policy. The realization of the method consists of four parts of services, namely terminal service, controller service, gateway service and management and control console service.
The method realizes the effect of the dynamic self-adaptive firewall through the scheduling of a plurality of steps and a plurality of services. Specifically, as shown in fig. 7, the multi-link dynamic opening firewall flow includes:
1. Initializing and opening the firewall: based on the business background, the controller service and the gateway service initialize their firewall policies at start-up. At the same time, the controller service notifies the gateway cluster load balancing service, which initializes its firewall policy as well. Each service opens access to the single-packet authorization port, the udp 7101 port, the icmp 22 port and the intranet port, which prepares for the subsequent single-packet knock requests, for communication among the intranet services and for the management control platform server service.
2. Issuing the registration policy: after each service has started, an administrator logs in to the Web interface of the management console service and configures whether the registration policy of the management control platform server is enabled. If the registration function of the management control platform server is enabled, the management console service sends a request to the controller service to notify it that registration is enabled; after the controller service finishes processing, it opens access to the registration port of the management control platform server.
3. The management control platform server applies for registration: after the management control platform server user installs the management control platform server service, the external access address and the registration port of the controller service are entered and registration is requested. Because in step 2 the management console service has notified the controller service to open registration access, the registration request sent by the management control platform server service can reach the controller service. After the controller service reports the registration information to the management console service, the management console service decides, according to the registration policy of the management control platform server, whether to run a manual or an automatic approval process and whether the final approval passes.
4. Single-packet knock: after the management control platform server service has completed registration, it sends a single-packet knock request to the controller service; because the initial firewall policy has opened access to the single-packet authorization port, the single-packet request is reachable. The controller judges according to the service whether the single packet is allowed to pass. If the single packet passes verification, access to the universal port is opened for the management control platform server; if verification fails, access to the universal port is not opened and no single-packet processing result is returned to the management control platform server service. This step prepares for the subsequent connection request.
5. Management control platform server connection: the management control platform server service initiates a connection request to the universal interface of the controller service, access to which was opened in step 4. The controller service processes the service data of the connection request and responds that processing succeeded.
6. Single-packet authentication: after the management control platform server takes over the traffic and recognizes that the application is protected, it sends a single-packet authentication request to the controller, again through the universal interface opened in step 4. The controller service processes the single-packet authentication and returns the address of a gateway cluster load balancing service to which the management control platform server service can forward.
7. Single-packet knock request forwarding: after receiving the controller service's response, the management control platform server service sends a single-packet knock request to the recommended gateway cluster load balancing service; because the gateway cluster load balancing service opened access to the single-packet authorization port when initializing its firewall policy, the single-packet request is reachable. The gateway cluster forwards the request according to its own configured load balancing policy.
8. Gateway single-packet knock: the gateway service opened single-packet access when initializing. After receiving the request forwarded by the gateway cluster, the gateway service sends a single-packet verification request to the controller service; because the single-packet data carries the protected application information, once the verification passes the gateway service opens access to the protected application port.
9. The protected application host opens the application port: after the gateway service has opened access to the protected application port, it notifies the protected application host service, which opens access to the corresponding port.
10. Accessing the application: the management control platform server service forwards the protected traffic to the gateway service; since application access was opened in step 8, the request is reachable. After the gateway service receives the traffic, it runs its business processing flow, which mainly includes the Web application firewall, risk policy evaluation and intelligent IP blocking policies, ensuring that the traffic is secure and trustworthy.
11. Forwarding traffic: after the gateway service has finished processing, the traffic is forwarded to the protected application host service; since the protected application host service opened application access in step 9, the traffic is reachable.
12. Viewing and management: in this scheme, the firewall policy results generated in each step are stored in the data storage service in real time, and an administrator can log in to the management console service and check, from the Web management interface, the current firewall open/closed state of each service.
Further, an administrator can view, add, modify and delete the initialized firewall policies, but has no permission to add, modify or delete the dynamic firewall policies, because dynamic firewall rules are generated from user behaviour and do not allow human intervention; the administrator may only view dynamic firewall policies.
Further, as shown in fig. 8, the multilink dynamic closing access authority flow includes:
1. The management control platform server disconnects: the management control platform server accesses the universal firewall port and submits a disconnection request. After the controller service finishes processing, it closes the management control platform server service's access to the universal port of the controller service, completing the disconnection of the management control platform server service.
2. The gateway cluster load balancing service closes its rights: after the management control platform server service has disconnected, the controller service notifies the gateway cluster load balancing service that had opened application access for the management control platform server service to close the corresponding application access rights, and the gateway cluster load balancing service closes the application access port corresponding to the management control platform server service.
3. The gateway service closes its rights: after the gateway cluster load balancing service has closed its rights, it notifies the gateway service, which closes the corresponding application access rights.
4. Connection failure and single-packet authentication failure: because the controller closed access to the universal port in step 1, the connection and single-packet authentication requests of the management control platform server service fail.
5. Application access failure: because the gateway cluster load balancing service closed application port access in step 2, the management control platform server service fails if it tries to keep accessing the application on the previously recommended gateway service.
Further, after the management control platform server service disconnects, the controller service, the gateway cluster load balancing service, the gateway service and the protected application host service all close the corresponding access rights, achieving the multi-link dynamic self-adaptive firewall.
Further, after the management control platform server service has disconnected from the controller service, the original connection and access do not need to be kept, because the multi-link dynamic self-adaptive firewall is permission control triggered by user behaviour. When the management control platform server service and the controller service are already disconnected, the scheme adaptively closes every access right of the management control platform server service, which satisfies least-privilege control in the zero-trust service. If the management control platform server service wants to regain the rights, it must send the single-packet knock request again.
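The open chain of steps 7 to 11 above (and of steps S5041 to S5047 earlier) and the close chain of fig. 8 (and of steps S606 to S609) move the same per-client port rule across four firewalls in order. The following Python is an added example, not the patent's or the assignee's code, modelling those rule tables so that the chain order, the separation of initial from dynamic rules, the silent refusal when the client has no universal port, and the administrator restriction of step 12 can be checked. Apart from udp 7101, which the page names, every port number, identifier and the "audit" list standing in for the data storage service are assumptions.

```python
"""Multi-link dynamic firewall chain (added example, not the patent's code).

Models the four firewalls of the page's chain: control server -> load
balancer -> gateway -> application server.  Rules are tagged "init"
(opened at start-up from the initial policy) or "dynamic" (opened per
client by the knock flow).  Port numbers other than udp 7101, and the
client/application identifiers, are assumptions for the demo.
"""

SPA_PORT = ("udp", 7101)        # single-packet authorization port (page lists udp 7101)
INTRANET_PORT = ("tcp", 8001)   # assumed intranet control channel between services
UNIVERSAL_PORT = ("tcp", 443)   # assumed universal port on the control server


class Firewall:
    """One server's rule table: (proto, port, client) -> 'init' | 'dynamic'."""

    def __init__(self, name):
        self.name = name
        self.rules = {}

    def allow(self, proto, port, client="*", kind="dynamic"):
        self.rules[(proto, port, client)] = kind

    def revoke(self, proto, port, client="*"):
        self.rules.pop((proto, port, client), None)

    def permits(self, proto, port, client):
        return (proto, port, client) in self.rules or (proto, port, "*") in self.rules


class Chain:
    def __init__(self, permitted):
        self.ctrl, self.lb, self.gw, self.app = (
            Firewall(n) for n in ("control", "load-balancer", "gateway", "application"))
        self.permitted = permitted   # client -> set of application ports it may reach
        self.audit = []              # what the data storage service keeps for the console

    def initialize(self):
        """Step 1 / S501: control, LB and gateway open the SPA and intranet ports."""
        for fw in (self.ctrl, self.lb, self.gw):
            fw.allow(*SPA_PORT, kind="init")
            fw.allow(*INTRANET_PORT, kind="init")
            self.audit.append(("init", fw.name))

    def first_knock(self, client):
        """Step 4 / S4032: a verified knock opens the universal port for that client."""
        self.ctrl.allow(*UNIVERSAL_PORT, client)
        self.audit.append(("open", self.ctrl.name, UNIVERSAL_PORT[1], client))

    def gateway_check(self, client, app_port):
        """Steps 7-9 / S5043-S5046: the gateway asks the controller to verify the
        forwarded knock; on success LB, gateway and app each open their own port."""
        if not self.ctrl.permits(*UNIVERSAL_PORT, client):
            self.audit.append(("deny", "not-connected", client))
            return False
        if app_port not in self.permitted.get(client, set()):
            self.audit.append(("deny", "policy", client, app_port))
            return False
        for fw in (self.lb, self.gw, self.app):          # order of the open chain
            fw.allow("tcp", app_port, client)
            self.audit.append(("open", fw.name, app_port, client))
        return True

    def reachable(self, client, app_port):
        return all(fw.permits("tcp", app_port, client) for fw in (self.lb, self.gw, self.app))

    def disconnect(self, client):
        """Fig. 8 / S606-S609: close the universal port, then every dynamic rule
        downstream that was opened for this client, in chain order."""
        self.ctrl.revoke(*UNIVERSAL_PORT, client)
        self.audit.append(("close", self.ctrl.name, UNIVERSAL_PORT[1], client))
        for fw in (self.lb, self.gw, self.app):
            for key in [k for k, v in fw.rules.items() if k[2] == client and v == "dynamic"]:
                fw.revoke(*key)
                self.audit.append(("close", fw.name, key[1], client))


def admin_remove(fw, proto, port, client="*"):
    """Step 12: administrators may edit init rules but only view dynamic ones."""
    if fw.rules.get((proto, port, client)) == "dynamic":
        raise PermissionError("dynamic rules come from user behaviour; view only")
    fw.revoke(proto, port, client)


def demo():
    chain = Chain(permitted={"term-0001": {8443}})    # constructed policy
    chain.initialize()
    out = {"before": chain.reachable("term-0001", 8443)}
    out["unconnected"] = chain.gateway_check("term-0001", 8443)  # no universal port yet
    chain.first_knock("term-0001")
    out["other_app"] = chain.gateway_check("term-0001", 9443)    # not in policy
    out["opened"] = chain.gateway_check("term-0001", 8443)
    out["after_open"] = chain.reachable("term-0001", 8443)
    try:
        admin_remove(chain.gw, "tcp", 8443, "term-0001")
        out["admin_dynamic"] = "allowed"
    except PermissionError:
        out["admin_dynamic"] = "refused"
    chain.disconnect("term-0001")
    out["after_close"] = chain.reachable("term-0001", 8443)
    out["leftover_dynamic"] = sum(v == "dynamic" for fw in (chain.ctrl, chain.lb, chain.gw, chain.app)
                                  for v in fw.rules.values())
    admin_remove(chain.lb, *INTRANET_PORT)   # init rule: editable by the administrator
    out["lb_rules"] = len(chain.lb.rules)
    return out
```

The per-client tag on every dynamic rule is what makes the close chain safe: revoking by client removes only the rules the knock flow opened for that client, and `leftover_dynamic` in the demo confirms that no dynamic rule survives a disconnect on any of the four firewalls, while the initial SPA and intranet rules stay in place for the next knock.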
The dynamic self-adaptive firewall access control method based on user behavior under the zero trust security system provided by the embodiment has the following advantages:
1. The method can be tightly combined with the zero-trust service, flexibly and dynamically control the access authority of the user with minimum granularity, has high adaptation degree with the zero-trust service, and meets the service scene requirement.
2. Under the service based on SDP architecture, the service end dynamically and adaptively adjusts firewall rules of self and gateway services according to the request sent by the management control platform server, so that the security is higher, and the rule adjustment is more flexible.
3. The method supports the multi-link dynamic self-adaptive firewall rules, ensures that all the upstream and downstream links are opened, reduces manual operation, forms an upstream and downstream multi-link firewall system, and ensures boundary safety.
4. The firewall policy is controlled by the program, so that the manual maintenance cost is reduced, and a visual interface is provided, so that an administrator can conveniently check and manage firewall rules of each service component, and the rules take effect in real time after the operation is completed. The authority control is performed on the operable range of the administrator, so that the complexity of manual maintenance can be reduced, and the risk brought by manual operation is reduced.
5. The management control platform server service does not perceive the firewall changes: for the user, in the whole service flow from registration to connection and from access to disconnection, no extra attention has to be paid to whether a port is opened; the server side adjusts dynamically according to user behaviour and service processing, so that operations at the finest granularity provide the widest possible security.
6. The deployment maintenance is not required to be applied for a hardware server independently, and the use cost is reduced.
This embodiment also provides a firewall dynamic access control device under a zero-trust security system, which is used to implement the above embodiment and its preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
This embodiment provides a firewall dynamic access control device under a zero-trust security system, which can be used in a firewall dynamic access control system under the zero-trust security system. As shown in fig. 1, the firewall dynamic access control system 1 under the zero-trust security system comprises a terminal 11, a control server 12, a load balancing server 13, a gateway server 14, a management control platform server 15 and an application server 16. Each server runs a firewall. As shown in fig. 9, the firewall dynamic access control device under the zero-trust security system includes:
The initialization module 901 is configured, when the firewall dynamic access control system under the zero-trust security system is started, to control the control server, the load balancing server and the gateway server respectively to initialize and start an initial firewall policy based on preset service data.
The registration module 902 is configured to register the terminal using the management control platform server and the control server when the initial firewall policy is started.
The receiving and determining module 903 is configured, when registration is completed, to have the control server receive an access request sent by the terminal, determine a load balancing address based on the access request, and send the load balancing address to the terminal.
The sending module 904 is configured to have the terminal send the preset service data to the application server through the control server, the load balancing server and the gateway server based on the load balancing address.
In some alternative embodiments, registration module 902 includes:
The configuration and sending unit is used for the management control platform server to configure and send a terminal registration policy to the control server when the initial firewall policy is started.
The first opening unit is used for the firewall in the control server to open the terminal registration port when the terminal registration policy is received.
The transmission unit is used for the control server to receive the terminal registration request sent by the terminal and forward it to the management control platform server when the terminal registration port is open.
The determining and approving unit is used for the management control platform server to determine an approval policy based on the terminal registration policy, and to approve and register the terminal registration request based on that approval policy.
In some alternative embodiments, the receiving and determining module 903 includes:
The first sending unit is used for the terminal to send a first single-packet knock request to the control server after registration is completed.
The judging unit is used for the control server to decide, based on the first single-packet knock request, whether to open the general port in its firewall.
The second sending unit is used for the terminal to send a connection request to the control server when the general port is open.
The third sending unit is used for the terminal to send a single-packet authentication request to the control server when it receives a connection success instruction from the control server.
The first processing unit is used for the control server to perform single-packet authentication based on the single-packet authentication request, determine a load balancing address according to the single-packet authentication result, and send the load balancing address to the terminal.
In some alternative embodiments, the transmitting module 904 includes:
The fourth sending unit is used for the terminal to send a second single-packet knock request to the load balancing server based on the load balancing address.
The fifth sending unit is used for the load balancing server to forward the second single-packet knock request to the gateway server based on a preset load balancing policy.
The sixth sending unit is used for the gateway server to send a single-packet verification request to the control server when it receives the second single-packet knock request.
The second processing unit is used for the control server to perform single-packet verification based on the single-packet verification request and, after the verification passes, to send an application port opening instruction to the load balancing server, so that the load balancing server opens the first application port based on that instruction.
The first sending and opening unit is used for the load balancing server to send the application port opening instruction to the gateway server when the first application port is open, so that the gateway server opens the second application port based on that instruction.
The second sending and opening unit is used for the gateway server to send the application port opening instruction to the application server when the second application port is open, so that the application server opens the third application port based on that instruction.
The seventh sending unit is used for the terminal to send the preset service data to the application server through the load balancing server and the gateway server when the third application port is open.
In some alternative embodiments, the seventh transmitting unit includes:
The sending subunit is used for the terminal to send the preset service data to the gateway server through the load balancing server when the third application port is open.
The processing and transmitting subunit is used for processing the preset service data by the gateway server to obtain target service data and transmitting the target service data to the application server.
In some optional embodiments, the firewall dynamic access control device under the zero trust security system further includes:
The query module is used for the management control platform server to query the firewall state of each server in the firewall dynamic access control system under the zero-trust security system.
In some optional embodiments, the firewall dynamic access control device under the zero trust security system further includes:
The first closing module is used for the control server to close the general port in its firewall when it receives an access disconnection request sent by the terminal.
The first processing module is used for the control server to send a port closing instruction to the load balancing server when the general port is closed, so that the load balancing server closes the first application port in its firewall based on the port closing instruction.
The second processing module is used for the load balancing server to send the port closing instruction to the gateway server when the first application port is closed, so that the gateway server closes the second application port in its firewall based on the port closing instruction.
The third processing module is used for the gateway server to send the port closing instruction to the application server when the second application port is closed, so that the application server closes the third application port in its firewall based on the port closing instruction.
Further functional descriptions of the above respective modules and units are the same as those of the above corresponding embodiments, and are not repeated here.
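The modules above (and claims 1 and 5 below) describe one protocol: a single-packet knock opens the control server's general port, single-packet authentication over that port yields the load balancing address, a second knock is forwarded by the load balancing server to the gateway and verified by the control server, an open instruction then cascades through the load balancing, gateway and application server firewalls, and a disconnection closes the same ports in the same order. The following Python simulation is an added example and is not code from the patent or its applicant. It models each server's firewall as a default-deny set of (port, terminal) entries and walks one terminal through the whole life cycle. The knock packet layout (a JSON body with terminal id, timestamp and nonce, authenticated with HMAC-SHA256 under a per-terminal key handed out at registration), the port numbers, the 30-second freshness window, the replay cache and the collapse of the load balancing policy to a single gateway are all assumptions of this example; the patent does not specify them. The replay, stale-packet, forged-key and unregistered-terminal rejections are what "single-packet verification" must enforce for the cascaded opens to be worth anything.

```python
# Added example, not the patent's own code.  Packet layout, HMAC-SHA256 scheme,
# port numbers and the freshness window are assumptions of this example.
import hashlib, hmac, json, os
from dataclasses import dataclass, field

SPA_WINDOW_S = 30     # assumed: a knock older than this is rejected
GENERAL_PORT = 443    # assumed: the control server's "general port"
APP_PORT = 8443       # assumed: application port on LB, gateway and app server

@dataclass
class Firewall:  # default-deny per-server firewall; an open entry is (port, terminal_id)
    entries: set = field(default_factory=set)

    def open(self, port, tid): self.entries.add((port, tid))
    def close(self, port, tid): self.entries.discard((port, tid))
    def allows(self, port, tid): return (port, tid) in self.entries

def build_spa(key: bytes, tid: str, now: int) -> dict:
    """Terminal side: one self-contained knock datagram (assumed JSON layout)."""
    body = {"tid": tid, "ts": now, "nonce": os.urandom(8).hex()}
    mac = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}

class ControlServer:  # registers terminals, verifies knocks, owns the general port
    def __init__(self, lb_address: str):
        self.fw, self.lb_address = Firewall(), lb_address
        self.keys: dict = {}    # terminal id -> key, filled at registration
        self.seen: set = set()  # replay cache of nonces already accepted

    def register(self, tid, key, approve):  # the management platform's approval policy decides
        if approve(tid):
            self.keys[tid] = key

    def verify_spa(self, pkt: dict, now: int) -> bool:
        """Single-packet verification: registered sender, fresh, unreplayed, valid MAC."""
        key = self.keys.get(pkt.get("tid"))
        if key is None or abs(now - pkt["ts"]) > SPA_WINDOW_S or pkt["nonce"] in self.seen:
            return False
        body = {k: pkt[k] for k in ("tid", "ts", "nonce")}
        expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, pkt["mac"]):
            return False
        self.seen.add(pkt["nonce"])  # only a valid packet burns its nonce
        return True

    def first_knock(self, pkt, now):  # judging unit: open the general port for a verified knock
        if self.verify_spa(pkt, now):
            self.fw.open(GENERAL_PORT, pkt["tid"])

    def authenticate(self, pkt, now):  # first processing unit: SPA over the open port -> LB address
        ok = self.fw.allows(GENERAL_PORT, pkt["tid"]) and self.verify_spa(pkt, now)
        return self.lb_address if ok else None

class DataPath:  # load balancing, gateway and application servers, each behind its own firewall
    def __init__(self, ctrl: ControlServer):
        self.ctrl = ctrl
        self.lb, self.gw, self.app = Firewall(), Firewall(), Firewall()

    def second_knock(self, pkt, now) -> bool:
        # LB forwards the knock to the (single) gateway, the gateway asks the control
        # server to verify it, and the open instruction cascades LB -> gateway -> app.
        if not self.ctrl.verify_spa(pkt, now):
            return False
        for fw in (self.lb, self.gw, self.app):
            fw.open(APP_PORT, pkt["tid"])
        return True

    def send_data(self, tid, data):  # data reaches the app server only if all three ports are open
        if all(fw.allows(APP_PORT, tid) for fw in (self.lb, self.gw, self.app)):
            return f"{tid}|{data}"  # assumed stand-in for the gateway's processing step
        return None

    def disconnect(self, tid):  # closing modules: general port first, then LB -> gateway -> app
        self.ctrl.fw.close(GENERAL_PORT, tid)
        for fw in (self.lb, self.gw, self.app):
            fw.close(APP_PORT, tid)

def run_session(now: int = 1_700_000_000) -> dict:
    """One terminal's life cycle at a constructed clock value; returns each step's outcome."""
    ctrl, key = ControlServer("10.0.0.5:9000"), os.urandom(32)
    path, approve = DataPath(ctrl), (lambda tid: tid.startswith("term-"))
    ctrl.register("term-1", key, approve); ctrl.register("rogue", key, approve)  # "rogue" is refused
    out = {"blind_connect": ctrl.fw.allows(GENERAL_PORT, "term-1")}  # nothing open before the knock
    ctrl.first_knock(build_spa(key, "term-1", now), now)
    out["connect"] = ctrl.fw.allows(GENERAL_PORT, "term-1")
    out["lb_address"] = ctrl.authenticate(build_spa(key, "term-1", now), now)
    knock = build_spa(key, "term-1", now)
    out["chain_open"] = path.second_knock(knock, now)
    out["replay"] = path.second_knock(knock, now)  # same nonce presented again
    out["stale"] = ctrl.verify_spa(build_spa(key, "term-1", now - 120), now)
    out["forged"] = ctrl.verify_spa(build_spa(b"wrong-key", "term-1", now), now)
    out["unregistered"] = ctrl.verify_spa(build_spa(key, "rogue", now), now)
    out["data"] = path.send_data("term-1", "hello")
    path.disconnect("term-1")
    out["after_disconnect"] = path.send_data("term-1", "hello")
    return out
```

Calling run_session() returns a dict in which only connect, chain_open and data succeed, and blind_connect, replay, stale, forged, unregistered and after_disconnect all fail. Two design points carry over to a real deployment: the nonce is recorded only after the MAC check, so an attacker who spoofs packets cannot fill the replay cache and lock out a legitimate terminal, and the firewall entries are keyed by terminal identity rather than by port alone, so opening the application port for one terminal does not expose it to everyone.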
The firewall dynamic access control device under the zero-trust security system in this embodiment takes the form of functional units, where a unit refers to an ASIC (Application Specific Integrated Circuit), a processor and memory executing one or more software or fixed programs, and/or other devices that can provide the above functions.
The embodiment of the invention also provides computer equipment, which is provided with the firewall dynamic access control device under the zero trust security system shown in the figure 9.
Referring to fig. 10, which is a schematic structural diagram of a computer device according to an alternative embodiment of the present invention, the computer device includes one or more processors 10, a memory 20, and interfaces for connecting the various components, including high-speed and low-speed interfaces. The components are communicatively coupled to each other by different buses and may be mounted on a common motherboard or in other ways as desired. The processor may process instructions executing within the computer device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output device, such as a display device coupled to an interface. In some alternative embodiments, multiple processors and/or multiple buses may be used, if desired, together with multiple memories. Also, multiple computer devices may be connected, each providing a portion of the necessary operations (for example, as a server array, a set of blade servers, or a multiprocessor system). One processor 10 is illustrated in fig. 10.
The processor 10 may be a central processor, a network processor, or a combination thereof. The processor 10 may further include a hardware chip, among others. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
Wherein the memory 20 stores instructions executable by the at least one processor 10 to cause the at least one processor 10 to perform a method for implementing the embodiments described above.
The memory 20 may include a storage program area that may store an operating system, at least one application program required for functions, and a storage data area; the storage data area may store data created according to the use of the computer device, etc. In addition, the memory 20 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, memory 20 may optionally include memory located remotely from processor 10, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Memory 20 may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as flash memory, hard disk, or solid state disk; the memory 20 may also comprise a combination of the above types of memories.
The computer device also includes a communication interface 30 for the computer device to communicate with other devices or communication networks.
The embodiments of the present invention also provide a computer-readable storage medium. The method according to the embodiments described above may be implemented in hardware, in firmware, or as computer code that is recorded on a storage medium, or that is originally stored on a remote storage medium or a non-transitory machine-readable storage medium, downloaded through a network and stored on a local storage medium, so that the method described here can be executed from such a storage medium by a general-purpose computer, a special-purpose processor, or programmable or special-purpose hardware. The storage medium may be a magnetic disk, an optical disk, a read-only memory, a random access memory, a flash memory, a hard disk, a solid-state disk or the like, or a combination of these. It will be appreciated that a computer, processor, microprocessor controller or programmable hardware includes a storage element that can store or receive software or computer code which, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope of the invention as defined by the appended claims.

Claims (8)

1. The firewall dynamic access control method under the zero trust security system is characterized by being used for a firewall dynamic access control system under the zero trust security system, wherein the system comprises a terminal, a control server, a load balancing server, a gateway server, a management control platform server and an application server, and each server is loaded with a firewall; the method comprises the following steps:
when a firewall dynamic access control system under the zero trust security system is started, respectively controlling the control server, the load balancing server and the gateway server to initialize and start an initial firewall strategy based on preset service data;
when the initial firewall policy is started, registering the terminal by using the management control platform server and the control server;
when registration is completed, the control server receives an access request sent by the terminal, determines a load balancing address based on the access request, and sends the load balancing address to the terminal, which comprises:
after registration is completed, the terminal sends a first single-packet knock request to the control server;
the control server decides, based on the first single-packet knock request, whether to open a general port in its firewall;
when the general port is opened, the terminal sends a connection request to the control server;
when receiving a connection success instruction sent by the control server, the terminal sends a single-packet authentication request to the control server;
the control server performs single-packet authentication based on the single-packet authentication request, determines the load balancing address according to the single-packet authentication result, and sends the load balancing address to the terminal;
the terminal sends the preset service data to the application server through the control server, the load balancing server and the gateway server based on the load balancing address, which comprises:
the terminal sends a second single-packet knock request to the load balancing server based on the load balancing address;
the load balancing server forwards the second single-packet knock request to the gateway server based on a preset load balancing policy;
when the second single-packet knock request is received, the gateway server sends a single-packet verification request to the control server;
the control server performs single-packet verification based on the single-packet verification request and, after the verification passes, sends an application port opening instruction to the load balancing server, so that the load balancing server opens a first application port based on the application port opening instruction;
when the first application port is opened, the load balancing server sends the application port opening instruction to the gateway server, so that the gateway server opens a second application port based on the application port opening instruction;
when the second application port is opened, the gateway server sends the application port opening instruction to the application server, so that the application server opens a third application port based on the application port opening instruction;
and when the third application port is opened, the terminal sends the preset service data to the application server through the load balancing server and the gateway server.
2. The method of claim 1, wherein registering the terminal with the management control platform server and the control server when the initial firewall policy is on, comprises:
When the initial firewall policy is started, the management control platform server configures and sends a terminal registration policy to the control server;
when the terminal registration strategy is received, a firewall in the control server opens a terminal registration port;
when the terminal registration port is opened, the control server receives a terminal registration request sent by the terminal and sends the terminal registration request to the management control platform server;
and the management control platform server determines an approval strategy based on the terminal registration strategy, and approves and registers the terminal registration request based on the approval strategy.
3. The method of claim 1, wherein when the third application port is opened, the terminal sends the preset service data to the application server through the load balancing server and the gateway server, including:
when the third application port is opened, the terminal sends the preset service data to the gateway server through the load balancing server;
and the gateway server processes the preset service data to obtain target service data and sends the target service data to the application server.
4. The method according to claim 1, wherein the method further comprises:
and inquiring the firewall state of each server in the firewall dynamic access control system under the zero trust security system by using the management control platform server.
5. The method according to claim 1, wherein the method further comprises:
when the control server receives an access disconnection request sent by the terminal, it closes the general port in its firewall;
when the general port is closed, the control server sends a port closing instruction to the load balancing server, so that the load balancing server closes the first application port in its firewall based on the port closing instruction;
when the first application port is closed, the load balancing server sends the port closing instruction to the gateway server, so that the gateway server closes the second application port in its firewall based on the port closing instruction;
and when the second application port is closed, the gateway server sends the port closing instruction to the application server, so that the application server closes the third application port in its firewall based on the port closing instruction.
6. The firewall dynamic access control device under the zero trust security system is characterized by being used for a firewall dynamic access control system under the zero trust security system, wherein the system comprises a terminal, a control server, a load balancing server, a gateway server, a management control platform server and an application server, and each server is loaded with a firewall; the device comprises:
the initialization module is used for respectively controlling the control server, the load balancing server and the gateway server to initialize and start an initial firewall strategy based on preset service data when the firewall dynamic access control system under the zero trust security system is started;
the registration module is used for registering the terminal by using the management control platform server and the control server when the initial firewall policy is started;
the receiving and determining module is used for the control server to receive an access request sent by the terminal after registration is completed, determine a load balancing address based on the access request and send the load balancing address to the terminal;
the sending module is used for sending the preset service data to the application server through the control server, the load balancing server and the gateway server based on the load balancing address by the terminal;
The receiving and determining module includes:
the first sending unit is used for sending a first single-packet knocking request to the control server by the terminal after the registration is completed;
the judging unit is used for the control server to decide, based on the first single-packet knock request, whether to open the general port in its firewall;
the second sending unit is used for the terminal to send a connection request to the control server when the general port is opened;
the third sending unit is used for the terminal to send a single-packet authentication request to the control server when it receives a connection success instruction sent by the control server;
the first processing unit is used for the control server to perform single-packet authentication based on the single-packet authentication request, determine the load balancing address according to the single-packet authentication result and send the load balancing address to the terminal;
the sending module comprises:
the fourth sending unit is used for sending a second single-packet knocking request to the load balancing server by the terminal based on the load balancing address;
the fifth sending unit is used for the load balancing server to forward the second single-packet knock request to the gateway server based on a preset load balancing policy;
the sixth sending unit is used for the gateway server to send a single-packet verification request to the control server when it receives the second single-packet knock request;
the second processing unit is used for the control server to perform single-packet verification based on the single-packet verification request and, after the verification passes, send an application port opening instruction to the load balancing server, so that the load balancing server opens the first application port based on the application port opening instruction;
the first sending and opening unit is used for sending an application port opening instruction to the gateway server by the load balancing server when the first application port is opened, so that the gateway server opens the second application port based on the application port opening instruction;
the second sending and opening unit is used for sending an application port opening instruction to the application server by the gateway server when the second application port is opened, so that the application server opens a third application port based on the application port opening instruction;
and the seventh sending unit is used for sending the preset service data to the application server through the load balancing server and the gateway server when the third application port is opened.
7. A computer device, comprising:
a memory and a processor, the memory and the processor are in communication connection, the memory stores computer instructions, and the processor executes the computer instructions, so as to execute the firewall dynamic access control method under the zero trust security system of any one of claims 1 to 5.
8. A computer-readable storage medium having stored thereon computer instructions for causing a computer to perform the firewall dynamic access control method under the zero trust security architecture of any one of claims 1 to 5.
CN202311354996.1A 2023-10-19 2023-10-19 Firewall dynamic access control method and device under zero-trust security system Active CN117097573B (en)

Publications (2)

Publication Number Publication Date
CN117097573A CN117097573A (en) 2023-11-21
CN117097573B true CN117097573B (en) 2024-01-30

Family

ID=88783222

Country Status (1)

Country Link
CN (1) CN117097573B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004220120A (en) * 2003-01-09 2004-08-05 Nippon Telegr & Teleph Corp <Ntt> Network security system, access control method, authentication mechanism, firewall mechanism, authentication mechanism program, firewall mechanism program, and recording medium
JP2004302538A (en) * 2003-03-28 2004-10-28 Meiji Univ Network security system and network security management method
WO2011020363A1 (en) * 2009-08-19 2011-02-24 中兴通讯股份有限公司 Method and system for realizing load balance and diameter client
CN104767715A (en) * 2014-01-03 2015-07-08 华为技术有限公司 Network access control method and equipment
CN107135203A (en) * 2017-04-05 2017-09-05 北京明朝万达科技股份有限公司 A kind of method and system of terminal access control strategy optimization
CN112702372A (en) * 2019-10-22 2021-04-23 中兴通讯股份有限公司 Cloud service management method, cloud service management device and readable storage medium
CN113572738A (en) * 2021-06-29 2021-10-29 中孚安全技术有限公司 Zero trust network architecture and construction method
CN114598489A (en) * 2020-11-20 2022-06-07 华为技术有限公司 Method for determining trust terminal and related device
CN115913583A (en) * 2021-08-09 2023-04-04 腾讯科技(深圳)有限公司 Business data access method, device and equipment and computer storage medium
CN116346375A (en) * 2021-12-22 2023-06-27 中兴通讯股份有限公司 Access control method, access control system, terminal and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant