CN117294698A - Remote access method, device, system, equipment and storage medium for application - Google Patents


Info

Publication number: CN117294698A
Authority: CN (China)
Prior art keywords: client, application, security, edge node, access
Legal status: Pending
Application number: CN202210681197.4A
Other languages: Chinese (zh)
Inventors: 胡金涌, 王琪琛
Current Assignee: Shanghai Yundun Information Technology Co ltd
Original Assignee: Shanghai Yundun Information Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a remote access method, device, system, equipment and storage medium for an application. The method, as performed by the drainage client (the traffic-steering client installed on the user's terminal), comprises: receiving security configuration information sent by a management platform, the security configuration information comprising connection configuration information, a security drainage policy and address information of a target edge node; establishing an association relationship with the target edge node according to the connection configuration information and the address information of the target edge node; receiving an access request from an application client for a target application and determining, according to the security drainage policy, whether to steer the access request; and, if so, steering the access request to the target edge node through the association relationship so that the target edge node responds to the access request. The method meets the user's need to access the target application securely and provides a good user experience.

Description

Remote access method, device, system, equipment and storage medium for application
Technical Field
The present disclosure relates to the field of information technologies, and in particular, to a method, an apparatus, a system, a device, and a storage medium for remote access of an application.
Background
In recent years, with the development of the Internet, enterprise IT infrastructure has changed significantly. The migration of business systems to the cloud has blurred the traditional security perimeter, so that key data is difficult to manage and control and management blind spots exist. At the same time, the rise of remote work and BYOD (Bring Your Own Device) has greatly changed how people work: employees may use any terminal (PC, mobile phone, tablet and so on) on any network to access any type of application system at any time.
However, employees connecting from untrusted terminals over insecure networks carry a greater security risk. In the prior art, employees usually have to log in to a VPN (Virtual Private Network) before accessing a business system, and this scheme is difficult to maintain and gives a poor user experience.
Disclosure of Invention
An object of the present application is to provide a remote access method, apparatus, system, device and storage medium for an application, so as to solve the security problem of application access.
According to one aspect of the present application, there is provided a remote access method for an application, performed by a drainage client (the traffic-steering client on the user's terminal), the method comprising:
receiving security configuration information sent by a management platform, the security configuration information comprising connection configuration information, a security drainage policy and address information of a target edge node;
establishing an association relationship with the target edge node according to the connection configuration information and the address information of the target edge node;
receiving an access request from an application client for a target application and determining, according to the security drainage policy, whether to steer the access request; and
if so, steering the access request to the target edge node through the association relationship, so that the target edge node responds to the access request.
Optionally, receiving the security configuration information sent by the management platform comprises:
sending a login request to the management platform, the login request comprising organization identification information corresponding to the drainage client;
receiving an identity authentication interface sent by the management platform, the interface being determined by the management platform according to the organization identification information and comprising at least one identity authentication option;
acquiring the corresponding user identity information according to the option the user selects and sending the user identity information to the management platform; and
receiving the security configuration information sent by the management platform after the user identity information passes security verification.
Optionally, receiving an access request from the application client for the target application and determining whether to steer it according to the security drainage policy comprises:
receiving a domain name resolution request from the application client for the target application and forwarding it to the target edge node;
receiving the response message that the target edge node returns according to the security drainage policy and returning the response message to the application client; and
receiving the access request from the application client for the target application and determining, based on the response message, whether to steer the access request.
Optionally, receiving an access request from the application client for the target application and determining whether to steer it according to the security drainage policy comprises:
directly receiving an access request for the target application and determining whether to steer it according to the security drainage policy.
Optionally, the security drainage policy is either an application protection policy or an application exclusion policy, and determining whether to steer the access request according to the security drainage policy comprises:
if the security drainage policy is an application protection policy, steering the access request when the target application is determined to belong to the protected applications listed in the application protection policy; and
if the security drainage policy is an application exclusion policy, not steering the access request when the target application is determined to belong to the unprotected applications listed in the application exclusion policy.
Optionally, after determining whether to steer the access request according to the security drainage policy, the method further comprises:
if the target application is determined to be a protected application, adding the response to its domain name resolution request to a local route, and steering subsequent access requests for the same target application according to that local route.
Optionally, the connection configuration information is tunnel configuration information, and establishing an association relationship with the target edge node according to the connection configuration information and the address information of the target edge node comprises:
establishing a drainage tunnel with the target edge node according to the tunnel configuration information and the address information of the target edge node.
Optionally, establishing the drainage tunnel with the target edge node according to the tunnel configuration information and the address information of the target edge node comprises:
acquiring equipment identification information of the current client, the equipment identification information comprising at least one of client system type, system version, client software version, device unique identifier or client certificate;
generating a tunnel establishment request from the equipment identification information and the tunnel configuration information; and
sending the tunnel establishment request to the target edge node according to its address information, so that the target edge node verifies the equipment identification information in the request and establishes the drainage tunnel with the current client after the verification passes.
According to another aspect of the present application, there is also provided a remote access method for an application, performed by an edge node, the method comprising:
receiving an association relationship establishment request sent by a client, the request comprising equipment identification information of the client;
verifying the equipment identification information and establishing an association relationship with the client after the verification passes;
receiving an access request for a target application sent by the client through the association relationship between the client and the current edge node;
executing a security access control policy on the access request to determine whether it has the right to access the target application; and
performing access control on the access request according to the determination, the access control being either refusal or permission of access.
Optionally, the association relationship establishment request is a tunnel establishment request and the equipment identification information comprises at least one of client system type, system version, client software version, device unique identifier or client certificate;
verifying the equipment identification information and establishing an association relationship with the client after the verification passes comprises:
verifying the equipment identification information and establishing a drainage tunnel with the client after the verification passes.
Optionally, the security access control policy comprises an identity authentication policy and/or a rights authentication policy;
before executing the security access control policy on the access request, the method further comprises:
receiving and storing the security access control policy sent by the management platform.
According to still another aspect of the present application, there is also provided a remote access method for an application, performed by a management platform, the method comprising:
receiving a login request sent by a client, the login request comprising organization identification information corresponding to the client;
verifying the organization identification information and, if the verification passes, returning to the client the identity authentication interface that corresponds to the organization identification information;
receiving user identity information that the client acquired through the identity authentication interface;
verifying the user identity information and, after the verification passes, sending to the client the security configuration information corresponding to the organization identification information, the security configuration information comprising tunnel configuration information, a security drainage policy and address information of a target edge node; and
sending the security access control policy corresponding to the organization identification information to the target edge node, so that the target edge node responds to the client's access requests for the target application according to that policy.
Optionally, the method further comprises:
displaying a configuration editing interface in response to a configuration request for the security configuration information or the security access control policy, the configuration editing interface comprising at least one configuration editing option; and
generating and storing the corresponding security configuration information or security access control policy from the edits received through the at least one configuration editing option.
According to still another aspect of the present application, there is further provided a remote access device for an application, deployed on a drainage client, the device comprising:
a module 1-1 for receiving security configuration information sent by the management platform, the security configuration information comprising connection configuration information, a security drainage policy and address information of a target edge node;
a module 1-2 for establishing an association relationship with the target edge node according to the connection configuration information and the address information of the target edge node;
a module 1-3 for receiving an access request from an application client for a target application and determining, according to the security drainage policy, whether to steer the access request; and
a module 1-4 for steering the access request, if so, to the target edge node through the association relationship, so that the target edge node responds to the access request.
According to still another aspect of the present application, there is also provided a remote access device for an application, deployed at an edge node, the device comprising:
a module 2-1 for receiving an association relationship establishment request sent by a client, the request comprising equipment identification information of the client;
a module 2-2 for verifying the equipment identification information and establishing an association relationship with the client after the verification passes;
a module 2-3 for receiving an access request for a target application sent by the client through the association relationship between the client and the current edge node;
a module 2-4 for executing a security access control policy on the access request to determine whether it has the right to access the target application; and
a module 2-5 for performing access control on the access request according to the determination, the access control being either refusal or permission of access.
According to still another aspect of the present application, there is further provided a remote access device for an application, deployed on a management platform, the device comprising:
a module 3-1 for receiving a login request sent by a client, the login request comprising organization identification information corresponding to the client;
a module 3-2 for verifying the organization identification information and, if the verification passes, returning to the client the identity authentication interface corresponding to the organization identification information;
a module 3-3 for receiving user identity information that the client acquired through the identity authentication interface;
a module 3-4 for verifying the user identity information and, after the verification passes, sending to the client the security configuration information corresponding to the organization identification information, the security configuration information comprising tunnel configuration information, a security drainage policy and address information of a target edge node; and
a module 3-5 for sending the security access control policy corresponding to the organization identification information to the target edge node, so that the target edge node responds to the client's access requests for the target application according to that policy.
According to yet another aspect of the present application, there is also provided an electronic device, wherein the device comprises a memory for storing computer program instructions and a processor for executing the computer program instructions, wherein the computer program instructions, when executed by the processor, trigger the device to execute the remote access method of the application.
According to yet another aspect of the present application, there is also provided a computer readable storage medium having stored thereon computer program instructions executable by a processor to implement the remote access method of the application.
In an embodiment of the application, a remote access method for an application is provided. It is performed by a drainage client and comprises: receiving security configuration information sent by a management platform, the security configuration information comprising connection configuration information, a security drainage policy and address information of a target edge node; establishing an association relationship with the target edge node according to the connection configuration information and the address information of the target edge node; receiving an access request from an application client for a target application and determining, according to the security drainage policy, whether to steer the access request; and, if so, steering the access request to the target edge node through the association relationship so that the target edge node responds to it. By establishing the association relationship with the target edge node and steering only the access requests that need steering to it, the method meets the user's need for secure access to the target application, avoids the insecurity and network lag of a traditional VPN scheme, and can provide a good user experience. The embodiment also allows unified security control on the management platform, which reduces the cost of security management.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the following drawings, in which:
FIG. 1 is a flow chart of a remote access method for an application, performed by a drainage client, according to an embodiment of the present application;
FIG. 2 is a flow chart of a method of remote access of an application for an edge node according to an embodiment of the present application;
FIG. 3 is a flow chart of a method of remote access of an application for a management platform according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a remote access device for an application deployed on a drainage client according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a remote access device of an application deployed at an edge node according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a remote access device for an application deployed on a management platform according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a remote access system for an application according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a remote access system for an application according to an embodiment of the present application;
FIG. 9 is a traffic-steering flow diagram of a drainage client according to an embodiment of the present application;
FIG. 10 is a traffic-steering flow diagram of a drainage client according to an embodiment of the present application.
The same or similar reference numbers in the drawings refer to the same or similar parts.
Detailed Description
The present application is described in further detail below with reference to the accompanying drawings.
In one typical configuration of the present application, the terminal, the device of the service network, and the trusted party each include one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or non-volatile memory such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and information storage may be implemented by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, Phase-change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
Fig. 1 is a flowchart of a remote access method for an application, performed by a drainage client, according to an embodiment of the present application; the method may include step S101, step S102, step S103 and step S104.
Step S101: receive security configuration information sent by a management platform, the security configuration information comprising connection configuration information, a security drainage policy and address information of a target edge node.
For example, as shown in Fig. 7, a user terminal device may run a drainage client (APP). After the user starts the drainage client and logs in, the drainage client obtains the security configuration information from the management platform (the cloud security management platform in the figure) in order to establish an association relationship with a target edge node. The management platform is where a security administrator configures the security configuration information, which may comprise connection configuration information, a security drainage policy and address information of a target edge node.
Optionally, the security configuration information may further include information such as the identity authentication mode, the configuration data necessary for establishing an association relationship with the target edge node, and the parameters of the drainage tunnel, which the management platform sends to the drainage client after interacting with it. For example, a drainage client runs on the user terminal device; after it starts, it sends a login request to the management platform and performs identity authentication, and if authentication passes it can obtain from the management platform the configuration data necessary for establishing an association relationship with the target edge node. The edge node then establishes the association relationship with the drainage client running on the user terminal device, receives the access requests transmitted through that relationship, and processes them.
Optionally, the user terminal device in this embodiment may be a terminal device running Windows, macOS, Linux, Android, iOS or a similar system, which is not particularly limited here.
In some embodiments, receiving the security configuration information sent by the management platform may include: sending a login request to the management platform, the login request comprising organization identification information corresponding to the drainage client; receiving an identity authentication interface sent by the management platform, which the management platform determines according to the organization identification information and which comprises at least one identity authentication option; acquiring the corresponding user identity information according to the option the user selects and sending the user identity information to the management platform; and receiving the security configuration information sent by the management platform after the user identity information passes security verification. This embodiment secures user login.
For example, after the user starts the drainage client it displays a login interface that asks for organization identification information; once the user enters it, the drainage client forwards the organization identification information to the management platform. The management platform can serve multiple tenants, each with its own organization identification information; each tenant's administrator, or other authorized personnel, can use the general configuration or tailor the security configuration information of this embodiment to the tenant's actual needs, and the users may be the tenant's employees or other staff. The management platform then checks the received organization identification information to determine whether a corresponding tenant exists. If not, it returns an error and the drainage client reports a login failure; if so, it returns a first profile (configuration file) that can include the identity authentication mode information of the tenant, so that the user is asked to provide identity information through the drainage client for identity authentication. The identity authentication mode information may list several modes, so that the user can choose one of them to authenticate with. Optionally, different tenants can use different identity authentication modes, for example tenant A uses WeCom (enterprise WeChat) and tenant B uses DingTalk.
Further, after the user provides identity information through the drainage client, the drainage client sends it to the management platform for identity authentication. Once authentication passes, the management platform returns a second profile to the drainage client, selected according to the organization identification information and the identity information the drainage client submitted; the second profile can include the security configuration information and the configuration data necessary for establishing the association relationship. For example, if the association relationship is a drainage tunnel, the necessary configuration data may include a negotiation key, a tunnel private IP, a heartbeat interval and the like.
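The login and configuration exchange just described, together with the management-platform and edge-node aspects in the Disclosure, worked through as an added example in Python; this is not code from the patent or from the applicant's product. It models the three parties in memory: the drainage client sends the organization identifier, the management platform answers with the tenant's identity authentication options (the first profile), the client submits user identity for one of those options, and on success the platform returns the second profile (tunnel configuration, security drainage policy, edge node address) and pushes the tenant's security access control policy to that edge node, which then allows or denies access requests. The tenant record, the option names "wecom" and "password", the shared-secret check standing in for a real identity provider, and all class and function names are assumptions of the example.

```python
import hmac
from dataclasses import dataclass


@dataclass
class Tenant:
    """One tenant of the multi-tenant management platform (record constructed for the example)."""
    org_id: str
    auth_options: tuple      # identity-authentication modes offered on the login interface
    users: dict              # username -> (option the user is enrolled in, shared secret)
    security_config: dict    # tunnel configuration, drainage policy, edge-node address (second profile)
    access_control: dict     # username -> set of target applications the user may reach


class EdgeNode:
    """Edge node: stores the per-tenant security access control policy and enforces it per request."""

    def __init__(self):
        self._policies = {}  # org_id -> {username: set(apps)}

    def install_policy(self, org_id, policy):
        self._policies[org_id] = policy

    def access_control(self, org_id, username, target_app):
        """Rights check on a request that arrived through the tunnel; default is deny."""
        allowed = self._policies.get(org_id, {}).get(username, set())
        return "allow" if target_app in allowed else "deny"


class ManagementPlatform:
    def __init__(self, tenants, edge_nodes):
        self._tenants = {t.org_id: t for t in tenants}
        self._edges = edge_nodes  # edge-node address -> EdgeNode

    def handle_login(self, org_id):
        """Login request carrying the organization identifier -> first profile (auth interface)."""
        tenant = self._tenants.get(org_id)
        if tenant is None:
            return {"error": "unknown organization"}  # the client reports login failure
        return {"org_id": org_id, "auth_options": list(tenant.auth_options)}

    def authenticate(self, org_id, option, username, secret):
        """User identity -> second profile, plus policy push to the tenant's edge node."""
        tenant = self._tenants.get(org_id)
        if tenant is None or option not in tenant.auth_options:
            return {"error": "authentication rejected"}
        enrolled = tenant.users.get(username)
        # The user must authenticate with the option they are enrolled in; the secret comparison
        # is constant-time. A real platform would delegate this step to the tenant's IdP (assumption).
        if enrolled is None or enrolled[0] != option or not hmac.compare_digest(enrolled[1], secret):
            return {"error": "authentication rejected"}
        self._edges[tenant.security_config["edge_node"]].install_policy(org_id, tenant.access_control)
        return {"user": username, **tenant.security_config}


def client_session(platform, org_id, option, username, secret):
    """Drainage-client side: log in, choose an offered option, submit identity, receive config."""
    first = platform.handle_login(org_id)
    if "error" in first:
        return first
    if option not in first["auth_options"]:
        return {"error": "authentication option not offered by this organization"}
    return platform.authenticate(org_id, option, username, secret)


# Constructed sample tenant; the tunnel parameters follow the fields the text names.
EDGE_A = EdgeNode()
PLATFORM = ManagementPlatform(
    tenants=[Tenant(
        org_id="acme",
        auth_options=("wecom", "password"),
        users={"alice": ("password", "correct-horse")},
        security_config={
            "edge_node": "edge-a.example:443",
            "tunnel": {"negotiation_key": "base64-key", "tunnel_ip": "100.64.0.2", "heartbeat_s": 30},
            "drainage_policy": {"mode": "protect", "domains": ["crm.corp.example"]},
        },
        access_control={"alice": {"crm.corp.example"}},
    )],
    edge_nodes={"edge-a.example:443": EDGE_A},
)

if __name__ == "__main__":
    print(client_session(PLATFORM, "acme", "password", "alice", "correct-horse"))
    print(EDGE_A.access_control("acme", "alice", "crm.corp.example"))
```

The policy reaches the edge node only after a successful authentication, and the edge node denies by default, so a request for a user or tenant the platform has not authenticated is refused even if it arrives through a tunnel; choosing an option the tenant offers but the user is not enrolled in is rejected the same way as a wrong secret, so the error reveals nothing about which check failed.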
Step S102, establishing an association relationship with the target edge node according to the connection configuration information and the address information of the target edge node.
In some embodiments, the connection configuration information is tunnel configuration information, and step S102 comprises establishing a drainage tunnel with the target edge node according to the tunnel configuration information and the address information of the target edge node. This embodiment establishes a drainage tunnel between the drainage client and the target edge node, which provides a secure and efficient connection.
For example, the drainage client establishes the drainage tunnel with the target edge node according to the tunnel configuration information, and once the tunnel has been created a virtual network card is created on the drainage client. The virtual network card is created on the principle of a VPN tunnel: it emulates a network interface on the host, and through it the tunnel provides the function of a VPN.
Optionally, as shown in Fig. 7, the edge nodes may include a primary edge node and a standby edge node. When the primary tunnel between the drainage client and the primary edge node is interrupted, the drainage client can attempt to establish a standby tunnel with the standby edge node, which ensures high availability of the network path from the client to the edge nodes.
In some embodiments, establishing the drainage tunnel with the target edge node according to the tunnel configuration information and the address information of the target edge node may include: acquiring equipment identification information of the current client, the equipment identification information comprising at least one of client system type, system version, client software version, device unique identifier or client certificate; generating a tunnel establishment request from the equipment identification information and the tunnel configuration information; and sending the tunnel establishment request to the target edge node according to its address information, so that the target edge node verifies the equipment identification information in the request and establishes the drainage tunnel with the current client after the verification passes. This embodiment further secures the drainage tunnel connection between the drainage client and the target edge node.
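An added example in Python (not the patent's or the applicant's code) of the tunnel establishment request and its verification at the edge node, covering the client-side steps just described and the edge-node verification in the Disclosure. The client packs its equipment identification information with a nonce and timestamp and authenticates the request; the edge node checks the authenticator before it looks at any other field, then applies the checks a practitioner would expect: allowed system type, minimum client software version, client certificate fingerprint provisioned by the management platform, and device revocation. The patent does not say how the request is authenticated: using the negotiation key from the second profile as an HMAC key and the nonce/timestamp replay protection are assumptions of the example, as are all names and the constructed sample values.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, field


@dataclass(frozen=True)
class DeviceIdentification:
    """Equipment identification information the client places in its tunnel establishment request."""
    system_type: str      # e.g. "Windows", "macOS", "Linux", "Android", "iOS"
    system_version: str
    client_version: str   # drainage-client software version
    device_id: str        # device unique identifier
    client_cert_fp: str   # SHA-256 fingerprint (hex) of the client certificate


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_tunnel_request(dev: DeviceIdentification, negotiation_key: bytes, nonce: str, now: int) -> dict:
    """Client side: device identification plus freshness, authenticated with the negotiation key.

    Assumption of the example: the negotiation key from the second profile is shared with the
    edge node and used as an HMAC key over the request.
    """
    body = {"device": asdict(dev), "nonce": nonce, "ts": now}
    body["mac"] = hmac.new(negotiation_key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def _version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


@dataclass
class EdgeVerifier:
    """Edge-node side: checks run on a tunnel establishment request before the tunnel is created."""
    negotiation_key: bytes
    allowed_systems: frozenset
    min_client_version: tuple
    trusted_cert_fps: frozenset     # fingerprints provisioned by the management platform
    revoked_devices: frozenset
    max_skew_s: int = 60
    _seen_nonces: set = field(default_factory=set)   # bounded by max_skew_s in a real node

    def verify(self, request: dict, now: int) -> tuple:
        req = dict(request)
        mac = req.pop("mac", None)
        expected = hmac.new(self.negotiation_key, _canonical(req), hashlib.sha256).hexdigest()
        # Authenticate first, so nothing below is evaluated on fields an attacker could forge.
        if not isinstance(mac, str) or not hmac.compare_digest(mac.encode(), expected.encode()):
            return False, "bad mac"
        if abs(now - req["ts"]) > self.max_skew_s:
            return False, "stale request"
        if req["nonce"] in self._seen_nonces:
            return False, "replayed request"
        dev = req["device"]
        if dev["system_type"] not in self.allowed_systems:
            return False, "system type not allowed"
        if _version(dev["client_version"]) < self.min_client_version:
            return False, "client software too old"
        if dev["client_cert_fp"] not in self.trusted_cert_fps:
            return False, "unknown client certificate"
        if dev["device_id"] in self.revoked_devices:
            return False, "device revoked"
        self._seen_nonces.add(req["nonce"])   # only an accepted request consumes its nonce
        return True, "tunnel established"


# Constructed sample values (not from the patent).
NEGOTIATION_KEY = b"negotiation-key-from-second-profile"
LAPTOP = DeviceIdentification("macOS", "14.4", "2.3.1", "dev-0001", "ab" * 32)
EDGE = EdgeVerifier(
    negotiation_key=NEGOTIATION_KEY,
    allowed_systems=frozenset({"Windows", "macOS", "Linux"}),
    min_client_version=(2, 3, 0),
    trusted_cert_fps=frozenset({"ab" * 32}),
    revoked_devices=frozenset({"dev-0099"}),
)

if __name__ == "__main__":
    req = build_tunnel_request(LAPTOP, NEGOTIATION_KEY, "nonce-1", 1_700_000_000)
    print(EDGE.verify(req, 1_700_000_005))
```

The order of the checks matters: a forged request is rejected on the MAC before any policy field is read, a captured request fails on its nonce or timestamp rather than being re-admitted, and only then are the equipment fields compared with what the management platform provisioned for the tenant.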
For example, as shown in fig. 8, after establishing a drainage tunnel between the drainage client and the target edge node, operations performed by the drainage client may include:
(1) A local DNS proxy is started to receive and process DNS requests.
(2) DNS requests are routed to the local DNS proxy and from there into the drainage tunnel, so that DNS behaviour is under the client's control; the DNS requests are carried to the edge node through the encrypted drainage tunnel, which avoids possible hijacking and poisoning and protects DNS resolution. The DNS proxy may also forward DNS requests to the local DNS and/or a public DNS.
(3) The IPs of protected applications are added to the system routing table so that access traffic to them enters the drainage tunnel; the IPs of unprotected applications are added to the system routing table so that access traffic to them does not enter the drainage tunnel.
(4) The user identity information and the client information are transmitted to the edge node through the drainage tunnel. The client information may include, but is not limited to, the client tunnel private IP, the device fingerprint, the security baseline and the like.
Step S103, an access request of an application client for a target application is received, and whether the access request is subjected to drainage is determined according to the security drainage policy.
For example, as shown in fig. 9 and fig. 10, when a user accesses a protected application, the application initiates a DNS resolution request; the request is routed to the virtual network card corresponding to the drainage tunnel, and the DNS packet is parsed to check whether the domain name is in the protected domain name list. If it is, the domain name is a protected domain name: before the resolution result is returned to the application, the resolved IP is added to the system routing table, so that the access request for the protected domain name is sent out through the virtual network card corresponding to the drainage tunnel and on to the edge node. If the domain name is not in the protected domain name list, the resolution result is returned directly, so that the unprotected access request traffic is sent out through the default network card of the client.
In some embodiments, step S103 includes: receiving a domain name resolution request of an application client for a target application, and sending the domain name resolution request to the target edge node; receiving a response message returned by the target edge node according to the security drainage policy, and returning the response message to the application client; and receiving an access request of the application client for the target application, and determining whether to drain the access request based on the response message. In this embodiment the decision whether a received access request needs to be drained is delegated to the edge node's response, which further improves the efficiency and effect of drainage.
In some embodiments, step S103 includes: directly receiving an access request for a target application, and determining whether to drain the access request according to the security drainage policy. In this embodiment the decision whether a received access request needs to be drained is made locally from the security drainage policy, which further improves the efficiency and effect of drainage.
For example, as shown in fig. 10, in the specific implementation of step S103, the flow scheduling procedure on the draining client may include:
(1) The access request is sent from an application on the client (such as a browser, or a client application in client/server mode); the data packet enters the routing processing module through the kernel protocol stack, and the system routing table on the client determines whether the packet is sent to the virtual network card or to the physical network card;
(2) When the access request needs protection, the packet is sent to the virtual network card;
(3) The drainage client receives the traffic from the virtual network card and determines how the packet is sent based on the configured policy (such as IP, port, protocol and the like);
(4) The traffic of the protected application is encapsulated in the drainage tunnel and sent from the physical network card to the edge node;
(5) When the access request does not need protection, the packet is sent directly from the physical network card to the target application source station on the Internet.
In some embodiments, the security drainage policy is either an application protection policy or an application exclusion protection policy, and determining whether to drain the access request according to the security drainage policy includes: if the security drainage policy is an application protection policy, the access request is drained when the target application is determined to belong to the protected applications in the application protection policy; and if the security drainage policy is an application exclusion protection policy, the access request is not drained when the target application is determined to belong to the unprotected applications in the application exclusion protection policy. In this embodiment drainage can be controlled precisely according to whether the security drainage policy is an application protection policy or an application exclusion protection policy.
For example, there may be many service applications on a user terminal device; sometimes only specific applications need to be protected, and at other times every application except specific ones needs to be protected. Here, the application protection policy describes the service request traffic that is to be protected, and the application exclusion protection policy describes the service request traffic that is not to be protected.
Optionally, the security administrator may configure the security drainage policy on the management platform. The configured security drainage policy may be an application protection policy, i.e. a protected domain name list or a protected IP list; alternatively, it may be an application exclusion protection policy, i.e. an unprotected domain name list or an unprotected IP list. As shown in fig. 9, if the security drainage policy is an application protection policy, an access request is sent from the user terminal device to an edge node, the various security access controls are performed on the edge node, and only access requests allowed by the security access control policy are forwarded from the edge node to the target application server; if the security drainage policy is an application exclusion protection policy, the unprotected access request is sent directly to the target application server.
In some embodiments, after determining whether to drain the access request according to the secure drain policy, the method further comprises: and if the target application is determined to be the protected application, adding response information corresponding to the domain name resolution request into a local route, and draining according to the local route when the access request aiming at the same target application is subsequently received. The embodiment can further improve the speed and efficiency of drainage.
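The DNS-driven steering described above (local DNS proxy, route installation before the resolution result is returned, protect versus exclude policies, and the route cache used for later requests to the same application), as an added simulation that is not part of the patent and not the applicant's code; it also serves the identical description of the third module 403 below. The interface names, the policy object layout and the resolver stubs are assumptions; real deployments manipulate the operating system's routing table and intercept real DNS packets, which this simulation replaces with in-memory tables.

```python
import ipaddress
from dataclasses import dataclass, field

# Interface names are assumptions; the page only speaks of a "virtual network card"
# bound to the drainage tunnel and a "default/physical network card".
TUNNEL_IF = "tun-drainage"
PHYSICAL_IF = "eth0"


@dataclass
class SecurityDrainagePolicy:
    """mode == "protect": listed domains/IPs go into the tunnel, everything else bypasses it.
    mode == "exclude": listed domains/IPs bypass the tunnel, everything else goes into it."""
    mode: str
    domains: set = field(default_factory=set)
    networks: list = field(default_factory=list)   # ipaddress.ip_network objects

    def _domain_listed(self, name: str) -> bool:
        name = name.rstrip(".").lower()
        # Match on label boundaries only: "evilcrm.corp.example" must not match "crm.corp.example".
        return any(name == d or name.endswith("." + d) for d in self.domains)

    def _ip_listed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def protects_domain(self, name: str) -> bool:
        listed = self._domain_listed(name)
        return listed if self.mode == "protect" else not listed

    def protects_ip(self, ip: str) -> bool:
        listed = self._ip_listed(ip)
        return listed if self.mode == "protect" else not listed


class DrainageClient:
    """Local DNS proxy plus the route decisions of the flow scheduling procedure (simulated)."""

    def __init__(self, policy, edge_resolver, public_resolver):
        self.policy = policy
        self.edge_resolver = edge_resolver        # DNS carried through the tunnel to the edge node
        self.public_resolver = public_resolver    # local or public DNS for unprotected names
        self.routes = {}                          # stands in for the system routing table: ip -> interface
        self.dns_log = []                         # (name, resolver used), kept for inspection

    def resolve(self, name: str) -> list:
        """What the local DNS proxy does for every DNS request coming from an application."""
        if self.policy.protects_domain(name):
            ips = list(self.edge_resolver(name))
            iface = TUNNEL_IF
            self.dns_log.append((name, "edge"))
        else:
            ips = list(self.public_resolver(name))
            iface = PHYSICAL_IF
            self.dns_log.append((name, "public"))
        # Install the routes before the answer reaches the application, so that the very
        # first connection to the resolved address already takes the intended path.
        for ip in ips:
            self.routes[ip] = iface
        return ips

    def route_packet(self, dst_ip: str) -> str:
        """Routing-table lookup for an outgoing packet: tunnel interface or physical interface."""
        iface = self.routes.get(dst_ip)
        if iface is None:
            # No DNS-derived route (e.g. the application connected by IP): fall back to the
            # IP lists of the policy and cache the decision like the DNS path does.
            iface = TUNNEL_IF if self.policy.protects_ip(dst_ip) else PHYSICAL_IF
            self.routes[dst_ip] = iface
        return iface


if __name__ == "__main__":
    # Constructed sample: one protected intranet name, one public name.
    policy = SecurityDrainagePolicy("protect", {"crm.corp.example"}, [ipaddress.ip_network("10.10.0.0/16")])
    client = DrainageClient(policy, {"crm.corp.example": ["10.10.5.20"]}.__getitem__,
                            {"www.example.org": ["93.184.216.34"]}.__getitem__)
    for name in ("crm.corp.example", "www.example.org"):
        for ip in client.resolve(name):
            print(name, ip, "->", client.route_packet(ip))
```

The label-boundary check in `_domain_listed` is the detail worth copying: a naive `endswith("crm.corp.example")` would steer `evilcrm.corp.example` into the tunnel, and the converse mistake in exclude mode would let an attacker-chosen name escape the tunnel.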
And step S104, if yes, the access request is guided to the target edge node through the association relation so as to respond to the access request based on the target edge node.
For example, the access request may be drained to the target edge node through the association relationship, and whether the access request has access authority is determined; and receiving a response of the target application server to the access request when the access right is provided.
Fig. 2 is a flowchart of a remote access method applied to an application of an edge node according to an embodiment of the present application, and the method may include step S201, step S202, step S203, step S204, and step S205.
The edge node in this embodiment may be understood as a cloud node, which refers to a resource that provides capabilities of storage, calculation, network, security, and the like in a service platform constructed near the network edge side of the user, and sinks a part of key service applications from the cloud to the edge of the access network, so as to reduce bandwidth and delay loss caused by network transmission and multistage forwarding.
Step S201, receiving an association relation establishment request sent by a client, wherein the association relation establishment request comprises equipment identification information of the client;
step S202, verifying according to the equipment identification information, and establishing an association relation with the client after the verification is passed;
step S203, receiving an access request for a target application sent by the client, wherein the access request is sent through an association relationship between the client and a current edge node;
step S204, executing a security access control strategy on the access request to determine whether the access request has access rights for accessing the target application;
step S205, according to the determined result, performing access control on the access request, wherein the access control comprises access refusal or access permission.
In some embodiments, the association relation establishment request is a tunnel establishment request, and the device identification information includes at least one of a client system type, a system version, a client software version, a device unique identifier, or a client certificate; the step S202 may include: and verifying according to the equipment identification information, and establishing a drainage tunnel with the client after the verification is passed. The embodiment further ensures the connection safety of the drainage tunnel between the drainage client and the target edge node.
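The tunnel establishment exchange of step S102 on the client side and steps S201/S202 on the edge node side, as an added example that is not part of the patent and not the applicant's code. The page says only that the request carries equipment identification information and that the edge node "verifies" it; the binding of that information to a shared key by an HMAC, the freshness and replay checks, and the acceptance rules (allowed system types, minimum client version, revoked device identifiers) are assumptions chosen to show what such verification has to cover. The negotiation key stands in for the one the management platform hands to the client in its profile.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo value. On the page the management platform hands the client a
# "negotiation key" in its profile; here it stands in for that shared secret.
NEGOTIATION_KEY = b"constructed-negotiation-key"

# Equipment identification information as listed on the page (constructed values;
# the certificate fingerprint field is a hypothetical representation of the client certificate).
DEVICE_INFO = {
    "system_type": "Windows",
    "system_version": "10.0.19045",
    "client_version": "1.4.2",
    "device_id": "7f3a9c1e-demo",
    "client_cert_fingerprint": "sha256:deadbeef",
}

# Edge-node acceptance policy (assumed; the page only says "verification").
EDGE_POLICY = {
    "allowed_system_types": {"Windows", "macOS", "Linux", "Android", "iOS"},
    "min_client_version": (1, 4, 0),
    "revoked_device_ids": {"0000-revoked"},
    "max_clock_skew": 120,
}


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so both sides MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def build_tunnel_request(device_info, tunnel_config, key=NEGOTIATION_KEY, now=None):
    """Client side: bind the equipment identification info and tunnel config under an HMAC."""
    body = {
        "device": dict(device_info),
        "tunnel": dict(tunnel_config),
        "ts": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(8),
    }
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_tunnel_request(request, seen_nonces, key=NEGOTIATION_KEY, policy=EDGE_POLICY, now=None):
    """Edge-node side: returns (accepted, reason). The tunnel is set up only when accepted is True."""
    body = request.get("body", {})
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, request.get("mac", "")):
        return False, "bad mac"                       # tampered or not from a key holder
    now = int(now if now is not None else time.time())
    if abs(now - body.get("ts", 0)) > policy["max_clock_skew"]:
        return False, "stale request"
    nonce = body.get("nonce")
    if nonce in seen_nonces:
        return False, "replayed nonce"
    dev = body.get("device", {})
    if dev.get("system_type") not in policy["allowed_system_types"]:
        return False, "system type not allowed"
    if dev.get("device_id") in policy["revoked_device_ids"]:
        return False, "device revoked"
    try:
        if _version_tuple(dev.get("client_version", "0")) < policy["min_client_version"]:
            return False, "client software too old"
    except ValueError:
        return False, "malformed client version"
    seen_nonces.add(nonce)                            # record only once every check has passed
    return True, "ok"


if __name__ == "__main__":
    seen = set()
    req = build_tunnel_request(DEVICE_INFO, {"tunnel_ip": "10.200.0.7", "heartbeat": 30})
    print(verify_tunnel_request(req, seen))           # accepted
    print(verify_tunnel_request(req, seen))           # same request again: replay
```

Without the MAC, the equipment identification information is just self-reported data that any client can forge; with it, forging still requires the negotiation key, which the management platform releases only after identity authentication. The replay and clock-skew checks are what stop a captured request from being reused to open a tunnel later.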
In some embodiments, the secure access control policy includes an identity authentication policy and/or a rights authentication policy; before executing the security access control policy on the access request, it may further include: and receiving and storing the security access control policy sent by the management platform. The embodiment is beneficial to the security manager to realize the security management of the access request through the management platform.
For example, the edge node receives data reported by the client, which may include the client virtual tunnel IP, the client identity authentication identifier and client terminal information (such as the system version, the security baseline and the version of the drainage client software), and stores the reported information keyed by the client virtual tunnel IP. The edge node receives the access request data sent by the client through the established drainage tunnel, strips the tunnel protocol header and forwards the service data to the application layer (firewall, HTTP, HTTPS, DNS and the like). As shown in fig. 8, the application layer obtains the access control rules of the application from configuration management and performs layer-3 to layer-7 access control on the access request based on those rules. If the access control rules also contain identity-related configuration, access control is performed on the identity information: the identity-related information is looked up (because the mapping between the client tunnel virtual IP and the reported information was stored earlier, the user's identity information can be obtained from the client tunnel virtual IP), matched against the access control rules, and it is judged whether the current user is authorized to access the current application. If so, the application layer forwards the data packet to the target application, which may be located on a PaaS platform, in an intranet data center (whose network connectivity to the edge node is opened through a drainage client) or on the Internet.
The access control rules may include, but are not limited to, an identity authentication policy and/or a rights authentication policy, which decide whether the access traffic passes or is denied according to the identity or the corresponding rights. For example, access control may be performed on the basis of user terminal device information, with the decision to allow access depending on that information; typical control rules may include, but are not limited to: (1) system version: if the system version is too low, the user terminal device is considered unsafe and access to the application is forbidden; (2) whether security updates are installed: if an important security patch is not installed, the user terminal device is considered unsafe and access to the application is forbidden; (3) whether the firewall is enabled: if the firewall is not enabled, the user terminal device is considered unsafe and access to the application is forbidden.
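The edge-node access control of steps S203 to S205, as an added example that is not part of the patent and not the applicant's code: the reported client information is stored keyed by tunnel IP, then each decapsulated request is matched against layer-3/4 fields (application, port, protocol), the identity rule and the three device posture checks named above. The rule format, the group-based identity rule and the field names of the terminal report are assumptions; the page lists the checks but not a schema. Deny is the default for an unknown tunnel IP and for a request no rule matches.

```python
# Access-control rules as the edge node would receive them from the management platform.
# Field names are assumptions; the page lists the checks (identity, system version,
# security updates, firewall) but not a rule format.
ACCESS_RULES = [
    {
        "app": "crm.corp.example",
        "ports": {443},
        "protocols": {"tcp"},
        "allowed_groups": {"sales", "it"},
        "posture": {
            "min_system_version": {"Windows": (10, 0, 19044), "macOS": (12, 6, 0)},
            "require_security_update": True,
            "require_firewall": True,
        },
    },
]


def _version_tuple(v):
    return tuple(int(p) for p in v.split("."))


class EdgeNode:
    def __init__(self, rules):
        self.rules = rules
        self.reports = {}   # client tunnel private IP -> reported identity + terminal information

    def register_client(self, tunnel_ip, identity, terminal):
        """Stores what the drainage client reports after the tunnel is up, keyed by tunnel IP."""
        self.reports[tunnel_ip] = {"identity": identity, "terminal": terminal}

    def _posture_ok(self, terminal, posture):
        """The three terminal checks named on the page, in order; first failure wins."""
        min_versions = posture.get("min_system_version", {})
        required = min_versions.get(terminal.get("system_type"))
        if required is None:
            return False, "system type not permitted"
        if _version_tuple(terminal.get("system_version", "0")) < required:
            return False, "system version too low"
        if posture.get("require_security_update") and not terminal.get("security_update_installed"):
            return False, "security update missing"
        if posture.get("require_firewall") and not terminal.get("firewall_enabled"):
            return False, "firewall disabled"
        return True, "ok"

    def authorize(self, src_tunnel_ip, app, port, protocol):
        """Returns (allowed, reason) for a decapsulated request that arrived over the tunnel."""
        report = self.reports.get(src_tunnel_ip)
        if report is None:
            return False, "unknown tunnel ip"          # no stored identity: nothing to authorize
        for rule in self.rules:
            if rule["app"] != app or port not in rule["ports"] or protocol not in rule["protocols"]:
                continue                                # layer-3/4 part of the rule does not match
            if not report["identity"]["groups"] & rule["allowed_groups"]:
                return False, "identity not permitted"
            ok, reason = self._posture_ok(report["terminal"], rule["posture"])
            return (True, "ok") if ok else (False, reason)
        return False, "no matching rule"                # default deny


if __name__ == "__main__":
    # Constructed sample report from one client, as the drainage client would send over the tunnel.
    edge = EdgeNode(ACCESS_RULES)
    edge.register_client("10.200.0.7", {"user": "alice", "groups": {"sales"}},
                         {"system_type": "Windows", "system_version": "10.0.19045",
                          "security_update_installed": True, "firewall_enabled": True})
    print(edge.authorize("10.200.0.7", "crm.corp.example", 443, "tcp"))
    print(edge.authorize("10.200.0.7", "crm.corp.example", 22, "tcp"))
```

Because the identity and posture data are looked up by tunnel IP rather than read from the request, a client cannot upgrade its own authorization by editing packet contents; the weak point becomes the honesty of the initial report, which is why the tunnel establishment check and the edge-side posture rules belong together.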
It should be noted that, the present embodiment may be implemented in conjunction with any embodiment of a remote access method applied to an application of a client.
Fig. 3 is a flowchart of a remote access method applied to an application of a management platform according to an embodiment of the present application, and the method may include step S301, step S302, step S303, step S304, and step S305.
Step S301, receiving a login request sent by a client, wherein the login request comprises organization identification information corresponding to the client;
step S302, verifying the organization identification information, and if the verification is passed, returning a corresponding identity authentication interface to the client based on the organization identification information;
step S303, receiving user identity information which is sent by the client and obtained through the identity authentication interface;
step S304, verifying based on the user identity information, and after the verification is passed, sending security configuration information corresponding to the organization identification information to the client, wherein the security configuration information comprises tunnel configuration information, a security drainage policy and address information of a target edge node;
step S305, sending a security access control policy corresponding to the organization identification information to the target edge node, so that the target edge node responds to the access request for the target application sent by the client according to the security access control policy.
In some embodiments, the method may further comprise: displaying a configuration editing interface according to a received configuration request aiming at the security configuration information or the security access control strategy, wherein the configuration editing interface comprises at least one configuration editing option; and generating and storing corresponding security configuration information or security access control strategies according to the editing information received by the at least one configuration editing option. The embodiment can provide good use experience for a security administrator of the management platform.
For example, after the user starts the drainage client, the drainage client displays a login interface, asks the user to input organization identification information and forwards it to the management platform. The management platform may serve a plurality of tenants, each having its own organization identification information. The management platform checks whether the submitted organization identification information exists; if not, an error is returned and the login of the drainage client fails; if so, a first profile (configuration structure file) is returned, which contains the identity authentication mode information of the corresponding tenant. Different tenants may use different identity authentication modes, for example tenant A uses Enterprise WeChat (WeCom) and tenant B uses DingTalk. After the drainage client receives the profile, the user is asked to authenticate according to the identity authentication mode in the profile and to provide identity information; the drainage client submits an identity authentication request to the management platform and the identity authentication is completed. The management platform then returns a profile to the drainage client according to the submitted organization identification information and identity information; this profile contains the configuration parameters required to establish the tunnel (such as the negotiation key, the tunnel private IP and the heartbeat interval) together with the security configuration information.
It should be noted that, the present embodiment may be implemented in conjunction with any embodiment of a remote access method applied to an application of a client and a remote access method applied to an edge node.
Fig. 4 is a schematic diagram of a remote access device for an application according to an embodiment of the present application; the device is deployed on the drainage client and may include a first module 401, a second module 402, a third module 403 and a fourth module 404.
The first module 401 receives security configuration information sent by the management platform, where the security configuration information includes connection configuration information, a security drainage policy, and address information of a target edge node.
For example, as shown in fig. 7, a user terminal device may be provided with a drainage client (APP), and after a user starts the drainage client and logs in, the drainage client obtains the security configuration information from the management platform (i.e., the cloud security management platform in the drawing) so as to establish an association relationship with a target edge node. The management platform can be used for a security administrator to configure security configuration information, and the security configuration information can comprise connection configuration information, a security drainage policy and address information of a target edge node.
Optionally, the security configuration information may further include information such as identity authentication mode information, configuration data necessary for establishing an association relationship with the target edge node, and parameters of a drainage tunnel that are sent to the drainage client after the management platform interacts with the drainage client. For example, a drainage client is operated on the user terminal equipment, after the drainage client is started, a login request is initiated to the management platform and identity authentication is performed, and if the identity authentication passes, configuration data necessary for establishing an association relationship with a target edge node can be obtained from the management platform; and the edge node establishes an association relation with a drainage client running on the user terminal equipment, receives an access request transmitted through the association relation, and processes the access request.
Alternatively, the user terminal device in the present embodiment may be a terminal device based on a system of Windows, macOS, linux, android, iOS or the like, which is not particularly limited herein.
In some embodiments, receiving security configuration information sent by the management platform may include: sending a login request to a management platform, wherein the login request comprises organization identification information corresponding to the drainage client; receiving an identity authentication interface sent by the management platform, wherein the identity authentication interface is determined by the management platform according to the organization identification information, and the identity authentication interface comprises at least one identity authentication option; acquiring corresponding user identity information according to the selection information of the at least one identity authentication option, and transmitting the user identity information to the management platform; and receiving the security configuration information sent by the management platform after the user identity information passes the security verification. The embodiment can ensure the safety of user login.
For example, after the user starts the drainage client, the drainage client displays a login interface and asks the user to input organization identification information; once the user has entered it on the login interface, the drainage client forwards it to the management platform. The management platform may serve a plurality of tenants, each having its own organization identification information; the administrator of each tenant, or other personnel with the necessary authority, may use the general configuration of the tenant or may personalize the security configuration information of this embodiment according to actual requirements, and the users may be employees of the tenant or other personnel it admits. The management platform then checks the received organization identification information and judges whether the corresponding tenant exists; if not, an error is returned and the login of the drainage client fails; if so, a first profile (configuration structure file) is returned, which may contain the identity authentication mode information of the corresponding tenant, so that the user is asked to provide identity information through the drainage client for identity authentication. Here, the identity authentication mode information may list several modes, so that the user can choose one of them for authentication. Alternatively, different tenants may use different identity authentication modes, for example tenant A uses Enterprise WeChat (WeCom) and tenant B uses DingTalk.
Further, after the user provides the identity information through the drainage client, the drainage client sends it to the management platform for identity authentication, and once the identity authentication has passed the management platform may return a second profile to the drainage client according to the submitted organization identification information and identity information; the second profile may contain the configuration data necessary for establishing the association relationship together with the security configuration information. For example, if the association relationship is a drainage tunnel, the necessary configuration data may include the negotiation key, the tunnel private IP, the heartbeat interval and the like.
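The two-stage login of steps S301 to S305 as described here and in the method embodiment above (organization identifier first, identity authentication second, tunnel profile only afterwards), as an added simulation that is not part of the patent and not the applicant's code. The tenant directory, the identity-provider stand-in (a password table in place of Enterprise WeChat or DingTalk), the session token and the tunnel-IP pool are assumptions; the page names the profile contents (negotiation key, tunnel private IP, heartbeat interval, security configuration) but not how they are produced.

```python
import hmac
import ipaddress
import secrets

# Constructed tenant directory. The page says each tenant has its own organization
# identification information and its own identity authentication mode(s).
TENANTS = {
    "org-acme": {
        "auth_modes": ["wecom", "dingtalk"],
        "tunnel_pool": ipaddress.ip_network("10.200.1.0/24"),
        "heartbeat_seconds": 30,
        "edge_nodes": ["edge-primary.example", "edge-standby.example"],   # assumed names
        "drainage_policy": {"mode": "protect", "domains": ["crm.corp.example"]},
        "access_control": {"crm.corp.example": {"allowed_groups": ["sales"]}},
    },
}

# Stand-in for the per-tenant identity provider: (org, mode) -> user -> secret (constructed).
IDENTITY_PROVIDERS = {
    ("org-acme", "wecom"): {"alice": "correct horse battery staple"},
}


class ManagementPlatform:
    def __init__(self, tenants=TENANTS, idps=IDENTITY_PROVIDERS):
        self.tenants = tenants
        self.idps = idps
        self.sessions = {}        # token -> (org_id, user)
        self.allocated = {}       # org_id -> tunnel IPs already handed out

    def login(self, org_id):
        """Steps S301/S302: client sends its organization identifier; platform answers with the
        first profile (identity authentication modes) or an error."""
        tenant = self.tenants.get(org_id)
        if tenant is None:
            return {"error": "unknown organization"}
        return {"profile": {"auth_modes": list(tenant["auth_modes"])}}

    def authenticate(self, org_id, mode, user, secret):
        """Steps S303/S304: verify the identity obtained through the chosen mode; return a session token."""
        tenant = self.tenants.get(org_id)
        if tenant is None or mode not in tenant["auth_modes"]:
            return None
        expected = self.idps.get((org_id, mode), {}).get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (org_id, user)
        return token

    def _allocate_tunnel_ip(self, org_id):
        # Tunnel IPs are per tenant and never reused while allocated: the edge node keys the
        # reported identity by this address, so two clients must never share one.
        pool = self.tenants[org_id]["tunnel_pool"]
        used = self.allocated.setdefault(org_id, set())
        for host in pool.hosts():
            if str(host) not in used:
                used.add(str(host))
                return str(host)
        raise RuntimeError("tunnel address pool exhausted")

    def fetch_profile(self, token):
        """Step S304: the second profile, issued only for an authenticated session. It carries the
        tunnel parameters (negotiation key, tunnel private IP, heartbeat interval) and the
        security configuration (drainage policy, edge node addresses)."""
        session = self.sessions.get(token)
        if session is None:
            return None
        org_id, user = session
        tenant = self.tenants[org_id]
        return {
            "user": user,
            "tunnel": {
                "negotiation_key": secrets.token_hex(32),   # fresh per session
                "tunnel_ip": self._allocate_tunnel_ip(org_id),
                "heartbeat_seconds": tenant["heartbeat_seconds"],
            },
            "drainage_policy": tenant["drainage_policy"],
            "edge_nodes": list(tenant["edge_nodes"]),
        }

    def edge_policy(self, org_id):
        """Step S305: the security access control policy the platform pushes to the tenant's edge nodes."""
        tenant = self.tenants.get(org_id)
        return None if tenant is None else tenant["access_control"]


if __name__ == "__main__":
    mp = ManagementPlatform()
    print(mp.login("org-acme"))
    token = mp.authenticate("org-acme", "wecom", "alice", "correct horse battery staple")
    print(mp.fetch_profile(token))
```

The order matters: nothing that lets a client reach an edge node (key, tunnel IP, edge addresses) is released before `authenticate` has succeeded, and the first profile reveals only which authentication modes the tenant uses.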
The second module 402 establishes an association relationship with the target edge node according to the connection configuration information and the address information of the target edge node.
In some embodiments, the connection configuration information is tunnel configuration information, and the second module 402 is configured to establish a drainage tunnel with the target edge node according to the tunnel configuration information and the address information of the target edge node. In this embodiment the drainage tunnel is established between the drainage client and the target edge node, which provides a secure and efficient connection.
For example, the drainage client establishes a drainage tunnel with the target edge node according to the tunnel configuration information, and a virtual network card (virtual network interface) is created on the drainage client once the tunnel has been established. The virtual network card works on the same principle as a VPN tunnel interface: it emulates a network adapter, so that traffic routed to it is encapsulated into the tunnel, which realizes the VPN function.
Alternatively, as shown in fig. 7, the edge nodes may include a primary edge node and a backup edge node. When the primary tunnel between the drainage client and the primary edge node is interrupted, the drainage client can also attempt to establish a standby tunnel with the standby edge node, so that high availability of the network from the client to the edge node can be ensured.
In some embodiments, establishing a drainage tunnel with the target edge node according to the tunnel configuration information and the address information of the target edge node may include: acquiring equipment identification information of the current client, wherein the equipment identification information comprises at least one of a client system type, a system version, a client software version, a device unique identifier or a client certificate; generating a tunnel establishment request from the equipment identification information and the tunnel configuration information; and sending the tunnel establishment request to the target edge node according to the address information of the target edge node, so that the target edge node verifies the equipment identification information in the tunnel establishment request and establishes the drainage tunnel with the current client only after the verification passes. This embodiment further ensures the connection security of the drainage tunnel between the drainage client and the target edge node.
For example, as shown in fig. 8, after establishing a drainage tunnel between the drainage client and the target edge node, operations performed by the drainage client may include:
(1) A local DNS proxy is started to receive and process DNS requests.
(2) DNS requests are routed to the local DNS proxy and from there into the drainage tunnel, so that DNS behaviour is under the client's control; the DNS requests are carried to the edge node through the encrypted drainage tunnel, which avoids possible hijacking and poisoning and protects DNS resolution. The DNS proxy may also forward DNS requests to the local DNS and/or a public DNS.
(3) The IPs of protected applications are added to the system routing table so that access traffic to them enters the drainage tunnel; the IPs of unprotected applications are added to the system routing table so that access traffic to them does not enter the drainage tunnel.
(4) The user identity information and the client information are transmitted to the edge node through the drainage tunnel. The client information may include, but is not limited to, the client tunnel private IP, the device fingerprint, the security baseline and the like.
The third module 403 receives an access request of an application client for a target application and determines, according to the security drainage policy, whether to drain the access request.
For example, as shown in fig. 9 and fig. 10, when a user accesses a protected application, the application initiates a DNS resolution request; the request is routed to the virtual network card corresponding to the drainage tunnel, and the DNS packet is parsed to check whether the domain name is in the protected domain name list. If it is, the domain name is a protected domain name: before the resolution result is returned to the application, the resolved IP is added to the system routing table, so that the access request for the protected domain name is sent out through the virtual network card corresponding to the drainage tunnel and on to the edge node. If the domain name is not in the protected domain name list, the resolution result is returned directly, so that the unprotected access request traffic is sent out through the default network card of the client.
In some embodiments, the third module 403 is configured to: receive a domain name resolution request of an application client for a target application, and send the domain name resolution request to the target edge node; receive a response message returned by the target edge node according to the security drainage policy, and return the response message to the application client; and receive an access request of the application client for the target application, and determine whether to drain the access request based on the response message. In this embodiment the decision whether a received access request needs to be drained is delegated to the edge node's response, which further improves the efficiency and effect of drainage.
In some embodiments, the third module 403 is configured to: directly receive an access request for a target application, and determine whether to drain the access request according to the security drainage policy. In this embodiment the decision whether a received access request needs to be drained is made locally from the security drainage policy, which further improves the efficiency and effect of drainage.
For example, as shown in fig. 10, when the third module 403 executes, the flow scheduling procedure on the drainage client may include:
(1) The access request is sent from an application on the client (such as a browser, or a client application in client/server mode); the data packet enters the routing processing module through the kernel protocol stack, and the system routing table on the client determines whether the packet is sent to the virtual network card or to the physical network card;
(2) When the access request needs protection, the packet is sent to the virtual network card;
(3) The drainage client receives the traffic from the virtual network card and determines how the packet is sent based on the configured policy (such as IP, port, protocol and the like);
(4) The traffic of the protected application is encapsulated in the drainage tunnel and sent from the physical network card to the edge node;
(5) When the access request does not need protection, the packet is sent directly from the physical network card to the target application source station on the Internet.
In some embodiments, the security drainage policy includes applying a protection policy or applying an exclusion protection policy; determining whether to drain the access request according to the security drainage policy, including: if the security drainage policy is an application protection policy, when the target application is determined to belong to a protected application in the application protection policy, the access request is drained; and if the security application policy is an application exclusion protection policy, not draining the access request when the target application is determined to belong to the unprotected application in the application exclusion protection policy. According to the embodiment, the precise control of drainage can be realized according to whether the safety drainage policy is an application protection policy or an application exclusion protection policy.
For example, there may be many service applications on a ue, and only specific applications need to be protected at some times, and applications other than specific applications need to be protected at other times; here, the application protection policy may represent a policy of service request traffic to be protected, and the application exclusion protection policy may represent a policy of service request traffic not to be protected.
Optionally, the security administrator may configure the security drainage policy on the management platform, where the configured security drainage policy is either an application protection policy, that is, a list of protected domain names or a list of protected IPs, or an application exclusion protection policy, that is, a list of unprotected domain names or a list of unprotected IPs. As shown in fig. 9, if the security drainage policy is an application protection policy, the access request is sent from the user terminal device to the edge node, the various security access controls are performed on the edge node, and the access requests allowed by the security access control policy are forwarded from the edge node to the target application server; if the security drainage policy is an application exclusion protection policy, the unprotected access request is sent directly to the target application server.
In some embodiments, after determining whether to drain the access request according to the security drainage policy, the apparatus is further configured to: if the target application is determined to be a protected application, add the response information corresponding to the domain name resolution request to a local route, and drain according to the local route when an access request for the same target application is subsequently received. This embodiment further improves the speed and efficiency of drainage.
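The client-side decision described in steps (1) to (5) above and in the two policy kinds (protect list versus exclusion list, plus the local route pinned after a DNS answer) can be written out as a small policy evaluator. The following is an added example and not code from the patent or from the applicant; the policy layout, the CIDR handling and the sample domains and addresses are assumptions constructed for illustration.

```python
"""Client-side drainage (traffic steering) decision: application protection policy
versus application exclusion protection policy, plus the local route learned from a
DNS answer for a protected application. Added example; policy shape is assumed."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

VIRTUAL_NIC = "virtual_nic"    # packet enters the drainage tunnel towards the edge node
PHYSICAL_NIC = "physical_nic"  # packet goes straight to the origin on the Internet


class DrainagePolicy:
    """mode='protect': only listed domains/networks are steered (application
    protection policy). mode='exclude': listed domains/networks are NOT steered and
    everything else is (application exclusion protection policy)."""

    def __init__(self, mode: str, domains: Iterable[str] = (), networks: Iterable[str] = ()):
        if mode not in ("protect", "exclude"):
            raise ValueError(f"unknown policy mode {mode!r}")
        self.mode = mode
        self.domains = {d.rstrip(".").lower() for d in domains}
        # CIDR strings from the management platform are parsed once, at load time
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]

    def listed(self, domain: Optional[str], ip: Optional[str]) -> bool:
        """True when the target is on the list by name (a listed 'corp.example' also
        covers 'app.corp.example', but not 'corp.example.evil') or by address."""
        if domain:
            labels = domain.rstrip(".").lower().split(".")
            if any(".".join(labels[i:]) in self.domains for i in range(len(labels))):
                return True
        if ip:
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in self.networks):
                return True
        return False

    def should_drain(self, domain: Optional[str], ip: Optional[str]) -> bool:
        hit = self.listed(domain, ip)
        return hit if self.mode == "protect" else not hit


class DrainageClient:
    """Routing-side view of the drainage client: chooses the network card for a
    packet and learns local routes from DNS answers for protected applications."""

    def __init__(self, policy: DrainagePolicy):
        self.policy = policy
        self.local_routes: Dict[str, str] = {}  # resolved IP -> protected domain

    def on_dns_response(self, domain: str, answers: Iterable[str]) -> None:
        """After the edge node's DNS answer: if the name is protected, pin every
        answer in the local route so later packets are steered by IP alone."""
        if self.policy.should_drain(domain, None):
            for ip in answers:
                self.local_routes[ip] = domain

    def route(self, dst_ip: str, domain: Optional[str] = None) -> Tuple[str, str]:
        """Return (network card, reason) for one outgoing packet."""
        if dst_ip in self.local_routes:
            return VIRTUAL_NIC, f"local route for {self.local_routes[dst_ip]}"
        if self.policy.should_drain(domain, dst_ip):
            return VIRTUAL_NIC, "matched security drainage policy"
        return PHYSICAL_NIC, "not protected, direct to origin"


def demo() -> List[str]:
    """Constructed sample traffic run through both policy kinds."""
    protect = DrainageClient(DrainagePolicy("protect", domains=["corp.example"],
                                            networks=["10.0.0.0/8"]))
    protect.on_dns_response("app.corp.example", ["203.0.113.10"])  # constructed answer
    exclude = DrainageClient(DrainagePolicy("exclude", domains=["public.example"]))
    return [
        protect.route("10.1.2.3")[0],                              # intranet CIDR
        protect.route("203.0.113.10")[0],                          # pinned local route
        protect.route("93.184.216.34", "www.example.com")[0],      # unlisted name
        exclude.route("93.184.216.34", "www.public.example")[0],   # excluded name
        exclude.route("198.51.100.5")[0],                          # everything else
    ]


if __name__ == "__main__":
    for card in demo():
        print(card)
```

The suffix match in `listed` is deliberate: a list entry such as `corp.example` should cover its subdomains, but a lookalike like `corp.example.evil` must not be treated as protected, and the local route is only pinned when the resolved name itself passes the policy.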
A first-fourth module 404, configured to, if so, drain the access request to the target edge node through the association relationship, so that the access request is responded to based on the target edge node.
For example, the access request may be drained to the target edge node through the association relationship, where it is determined whether the access request has access rights; when it does, the response of the target application server to the access request is received.
Fig. 5 is a schematic diagram of a remote access device for an application according to an embodiment of the present application, where the device is deployed at an edge node and may include a second-first module 501, a second-second module 502, a second-third module 503, a second-fourth module 504 and a second-fifth module 505.
The edge node in this embodiment may be understood as a cloud node, that is, a resource providing storage, computing, network, security and similar capabilities in a service platform built near the network edge on the user side; it sinks part of the key service applications from the cloud to the edge of the access network, so as to reduce the bandwidth and latency losses caused by network transmission and multistage forwarding.
A second-first module 501, configured to receive an association relationship establishment request sent by a client, where the association relationship establishment request includes device identification information of the client;
a second-second module 502, configured to perform verification according to the device identification information, and establish an association relationship with the client after the verification is passed;
a second-third module 503, configured to receive an access request for a target application sent by the client, where the access request is sent through the association relationship between the client and the current edge node;
a second-fourth module 504, configured to execute a security access control policy on the access request to determine whether the access request has the right to access the target application;
and a second-fifth module 505, configured to perform access control on the access request according to the determination result, where the access control is either access rejection or access permission.
In some embodiments, the association relationship establishment request is a tunnel establishment request, and the device identification information includes at least one of a client system type, a system version, a client software version, a device unique identifier or a client certificate; the second-second module 502 may be configured to perform verification according to the device identification information and establish a drainage tunnel with the client after the verification is passed. This embodiment further ensures the connection security of the drainage tunnel between the drainage client and the target edge node.
In some embodiments, the security access control policy includes an identity authentication policy and/or a rights authentication policy; before the security access control policy is executed on the access request, the device may further receive and store the security access control policy sent by the management platform. This embodiment helps the security administrator manage access requests centrally through the management platform.
For example, the edge node receives the data reported by the client, which may include the client's virtual tunnel IP, the client's identity authentication identifier and client terminal information (such as the system version, the security baseline and the version of the drainage client software), and stores the reported information using the client's virtual tunnel IP as the key. The edge node then receives the access request data sent by the client through the established drainage tunnel, strips the tunnel protocol header and forwards the service data to the application layer (firewall, HTTP, HTTPS, DNS and the like). As shown in fig. 8, the application layer obtains the access control rules of the application from configuration management and performs layer-3 to layer-7 access control on the access request based on those rules. If the access control rules also contain identity-related configuration, access control is performed on the basis of identity information: the identity-related information is obtained (because the mapping between the client's tunnel virtual IP and the reported information was stored earlier, the user's identity information can be looked up by the client's tunnel virtual IP), matched against the access control rules, and it is judged whether the current user has the right to access the current application. If so, the application layer forwards the data packet to the target application, which may be located on a PaaS, in an intranet data center (whose network connectivity to the edge node is opened through the drainage client) or on the Internet.
The access control rules may include, but are not limited to, an identity authentication policy and/or a rights authentication policy, which decide whether the access traffic is passed or denied according to the identity or the corresponding rights. For example, access control may be based on user terminal device information, with the decision on whether to allow access taken from that information; typical control rules may include, but are not limited to: (1) based on the system version: if the system version is too low, the user terminal device is considered unsafe and access to the application is forbidden; (2) whether security updates are installed: if an important security patch is not installed, the user terminal device is considered unsafe and access to the application is forbidden; (3) whether the firewall is enabled: if the firewall is not enabled, the user terminal device is considered unsafe and access to the application is forbidden.
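The edge-node behaviour described in the two paragraphs above (verifying the device identification in the tunnel establishment request, storing the reported client information keyed by tunnel virtual IP, and then evaluating identity and device-posture rules) is shown below as an added example. It is not the patent's or the applicant's code; the enrollment record, the rule fields, the posture fields and the tunnel address range are assumptions constructed for illustration.

```python
"""Edge-node side: verify a tunnel establishment request, keep reported client
information keyed by tunnel virtual IP, and evaluate the access control rules
pushed by the management platform. Added example; field names are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'10.0.19045' -> (10, 0, 19045); compare versions as tuples, never as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class TunnelRequest:
    """Device identification information carried by the tunnel establishment request."""
    device_id: str
    system_type: str
    system_version: str
    client_version: str
    cert_fingerprint: str   # fingerprint of the presented client certificate (constructed)


class EdgeNode:
    def __init__(self, enrolled: Dict[str, str], min_client_version: str):
        self.enrolled = enrolled                    # device_id -> expected cert fingerprint (assumed)
        self.min_client_version = parse_version(min_client_version)
        self.sessions: Dict[str, dict] = {}         # tunnel virtual IP -> reported client info
        self.rules: List[dict] = []                 # access control rules from the management platform
        self._next_host = 1

    def establish_tunnel(self, req: TunnelRequest) -> Optional[str]:
        """Return the tunnel virtual IP on success, None when verification fails."""
        if self.enrolled.get(req.device_id) != req.cert_fingerprint:
            return None                             # unknown device or certificate mismatch
        if parse_version(req.client_version) < self.min_client_version:
            return None                             # outdated drainage client software
        tunnel_ip = f"10.255.0.{self._next_host}"    # constructed tunnel private range
        self._next_host += 1
        return tunnel_ip

    def report(self, tunnel_ip: str, user: str, groups: List[str], posture: dict) -> None:
        """Store what the client reports, keyed by its tunnel virtual IP."""
        self.sessions[tunnel_ip] = {"user": user, "groups": set(groups), "posture": posture}

    def load_rules(self, rules: List[dict]) -> None:
        """Rules arrive from the management platform; each names one app and its ports."""
        self.rules = rules

    def decide(self, tunnel_ip: str, app: str, port: int) -> Tuple[bool, str]:
        """Layer 3-7 rule match plus identity and device-posture checks for one request."""
        sess = self.sessions.get(tunnel_ip)
        if sess is None:
            return False, "no reported information for tunnel IP"
        for rule in self.rules:
            if rule["app"] != app or port not in rule["ports"]:
                continue
            if not sess["groups"] & set(rule["allowed_groups"]):
                return False, f"{sess['user']} has no right to access {app}"
            posture = sess["posture"]
            if parse_version(posture["system_version"]) < parse_version(rule["min_system_version"]):
                return False, "system version too low"
            if rule["require_security_updates"] and not posture["security_updates_installed"]:
                return False, "security updates missing"
            if rule["require_firewall"] and not posture["firewall_enabled"]:
                return False, "firewall not enabled"
            return True, f"allow {sess['user']} -> {app}:{port}"
        return False, "no rule for application/port"   # default deny
```

Two design points worth noting: a request over a tunnel whose reported information was never stored is denied rather than treated as anonymous, and the rule walk ends in a default deny, so an application or port the management platform never configured is unreachable through the edge node.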
Fig. 6 is a schematic diagram of a remote access device for an application according to an embodiment of the present application, where the device is deployed on a management platform and may include a third-first module 601, a third-second module 602, a third-third module 603, a third-fourth module 604 and a third-fifth module 605.
A third-first module 601, configured to receive a login request sent by a client, where the login request includes organization identification information corresponding to the client;
a third-second module 602, configured to verify the organization identification information and, if the verification is passed, return a corresponding identity authentication interface to the client based on the organization identification information;
a third-third module 603, configured to receive user identity information sent by the client and acquired through the identity authentication interface;
a third-fourth module 604, configured to perform verification based on the user identity information and, after the verification is passed, send security configuration information corresponding to the organization identification information to the client, where the security configuration information includes tunnel configuration information, a security drainage policy and address information of a target edge node;
and a third-fifth module 605, configured to send a security access control policy corresponding to the organization identification information to the target edge node, so that the target edge node responds to an access request for a target application sent by the client according to the security access control policy.
In some embodiments, the apparatus may further be configured to: display a configuration editing interface in response to a received configuration request for the security configuration information or the security access control policy, where the configuration editing interface includes at least one configuration editing option; and generate and store the corresponding security configuration information or security access control policy according to the editing information received through the at least one configuration editing option. This embodiment gives the security administrator of the management platform a convenient way to manage configuration.
For example, after the user starts the drainage client, the drainage client displays a login interface, asks the user to enter organization identification information, and forwards it to the management platform. The management platform can serve multiple tenants, each with its own organization identification information. The management platform checks whether the organization identification information entered by the user exists; if not, an error is returned and the drainage client login fails; if so, a first profile (configuration structure file) is returned, containing the identity authentication mode information of the corresponding tenant. Different tenants may use different identity authentication modes; for example, tenant A uses enterprise WeChat and tenant B uses DingTalk. After the drainage client receives the profile, the user is asked to authenticate according to the identity authentication mode in the profile and provide identity information; the drainage client submits an identity authentication request to the management platform and passes identity authentication. The management platform then returns a profile to the drainage client according to the organization identification information and identity information it submitted, containing the configuration parameters required to establish the tunnel (such as the negotiation key, the tunnel private network IP and the heartbeat interval) and the security configuration information.
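The management-platform login sequence just described (organization check, tenant-specific identity authentication, and only then the profile with tunnel parameters and security configuration) is shown below with both sides of the exchange, as an added example that is not the patent's or the applicant's code. The tenant registry, the identity-verification hook standing in for the enterprise WeChat or DingTalk check, the session token handling and the profile keys are all assumptions constructed for illustration.

```python
"""Management-platform login flow for a multi-tenant drainage client.
Added example; tenant records, the identity check hook and profile keys are assumed."""
import secrets
from typing import Dict, Optional

# Constructed tenant registry: organization id -> authentication mode, identity
# verifier (stand-in for the real identity provider call) and per-tenant configuration.
TENANTS: Dict[str, dict] = {
    "org-a": {
        "auth_mode": "enterprise_wechat",
        "verify": lambda ident: ident.get("code") == "wx-ok-token",
        "edge_node": "edge-1.example.net:443",
        "drainage_policy": {"mode": "protect", "domains": ["corp-a.example"]},
        "access_policy": [{"app": "crm.corp-a.example", "allowed_groups": ["sales"]}],
    },
    "org-b": {
        "auth_mode": "dingtalk",
        "verify": lambda ident: ident.get("code") == "dt-ok-token",
        "edge_node": "edge-2.example.net:443",
        "drainage_policy": {"mode": "exclude", "domains": ["public.corp-b.example"]},
        "access_policy": [],
    },
}


class ManagementPlatform:
    def __init__(self, tenants: Dict[str, dict]):
        self.tenants = tenants
        self.sessions: Dict[str, dict] = {}   # session token -> {org, authenticated, user}

    def login(self, org_id: str) -> dict:
        """Step 1: check the organization identification; answer with the first
        profile, which only says how this tenant's users authenticate."""
        tenant = self.tenants.get(org_id)
        if tenant is None:
            return {"error": "unknown organization identification"}
        token = secrets.token_hex(16)
        self.sessions[token] = {"org": org_id, "authenticated": False, "user": None}
        return {"session": token, "profile": {"auth_mode": tenant["auth_mode"]}}

    def authenticate(self, token: str, identity: dict) -> dict:
        """Step 2: verify the identity information; only then release the second
        profile with the tunnel parameters and the security configuration."""
        sess = self.sessions.get(token)
        if sess is None:
            return {"error": "no such session"}
        tenant = self.tenants[sess["org"]]
        if not tenant["verify"](identity):
            return {"error": "identity verification failed"}
        sess["authenticated"] = True
        sess["user"] = identity.get("user")
        return {"profile": {
            "negotiation_key": secrets.token_hex(32),   # fresh per login
            "tunnel_private_ip": "10.255.0.2",          # constructed value
            "heartbeat_interval_s": 30,
            "drainage_policy": tenant["drainage_policy"],
            "edge_node": tenant["edge_node"],
        }}

    def access_policy_for_edge(self, org_id: str) -> list:
        """What the platform pushes to the tenant's target edge node."""
        return self.tenants[org_id]["access_policy"]


def client_login(platform: ManagementPlatform, org_id: str, identity: dict) -> Optional[dict]:
    """Drainage client side: run both steps, return the security configuration or None."""
    first = platform.login(org_id)
    if "error" in first:
        return None                      # login fails on an unknown organization
    # here the client would show the auth_mode-specific login and collect identity
    second = platform.authenticate(first["session"], identity)
    return second.get("profile")


if __name__ == "__main__":
    pf = ManagementPlatform(TENANTS)
    print(client_login(pf, "org-a", {"user": "alice", "code": "wx-ok-token"}))
```

The point the sequence enforces is that nothing in the first profile lets a client reach the tunnel: the negotiation key, the tunnel address and the edge node location exist only in the profile issued after the tenant's identity check has passed, and a session that never passed it cannot obtain them.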
In summary, the embodiments of the present application meet the user's need to access the target application securely, solve the insecurity and the poor user experience under network congestion caused by traditional VPN schemes, and can provide a good user experience. The embodiments of the present application also allow unified security control on the management platform, so that the cost of security management is reduced.
Furthermore, portions of the present application may be implemented as a computer program product, such as computer program instructions, which when executed by a computer, may invoke or provide methods and/or techniques in accordance with the present application by way of operation of the computer. Program instructions for invoking the methods of the present application may be stored in fixed or removable recording media and/or transmitted via a data stream in a broadcast or other signal bearing medium and/or stored within a working memory of a computer device operating according to the program instructions. Some embodiments of the present application provide an electronic device comprising a memory for storing computer program instructions and a processor for executing the computer program instructions, wherein the computer program instructions, when executed by the processor, trigger the device to perform the methods and/or aspects of the various embodiments of the present application described previously.
Furthermore, some embodiments of the present application provide a computer readable storage medium having stored thereon computer program instructions executable by a processor to implement the methods and/or aspects of the various embodiments of the present application described above.
It should be noted that the present application may be implemented in software and/or a combination of software and hardware, for example, using Application Specific Integrated Circuits (ASIC), a general purpose computer or any other similar hardware device. In some embodiments, the software programs of the present application may be executed by a processor to implement the steps or functions described above. Likewise, the software programs of the present application (including associated data structures) may be stored on a computer readable recording medium, such as RAM memory, magnetic or optical drive or diskette and the like. In addition, some steps or functions of the present application may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is evident that the word "comprising" does not exclude other elements or steps, and that the singular does not exclude a plurality. A plurality of units or means recited in the apparatus claims can also be implemented by means of one unit or means in software or hardware. The terms first, second, etc. are used to denote a name, but not any particular order.

Claims (18)

1. A remote access method for an application, the method being applied to a drainage client, the method comprising:
receiving security configuration information sent by a management platform, wherein the security configuration information comprises connection configuration information, a security drainage policy and address information of a target edge node;
establishing an association relation with the target edge node according to the connection configuration information and the address information of the target edge node;
receiving an access request of an application client for a target application, and determining whether to drain the access request according to the security drainage policy;
and if so, the access request is guided to the target edge node through the association relation so as to respond to the access request based on the target edge node.
2. The method of claim 1, wherein receiving security configuration information sent by the management platform comprises:
sending a login request to a management platform, wherein the login request comprises organization identification information corresponding to the drainage client;
receiving an identity authentication interface sent by the management platform, wherein the identity authentication interface is determined by the management platform according to the organization identification information, and the identity authentication interface comprises at least one identity authentication option;
Acquiring corresponding user identity information according to the selection information of the at least one identity authentication option, and transmitting the user identity information to the management platform;
and receiving the security configuration information sent by the management platform after the user identity information passes the security verification.
3. The method of claim 1, wherein receiving an access request of an application client for a target application, and determining whether to drain the access request according to the security drainage policy comprises:
receiving a domain name resolution request of an application client side aiming at a target application, and sending the domain name resolution request to the target edge node;
receiving a response message returned by the target edge node according to the security drainage policy, and returning the response message to the application client;
and receiving an access request of the application client for the target application, and determining whether to drain the access request based on the response message.
4. The method of claim 1, wherein receiving an access request of an application client for a target application, and determining whether to drain the access request according to the security drainage policy comprises:
directly receiving an access request for a target application, and determining whether to drain the access request according to the security drainage policy.
5. The method of claim 1, wherein the secure drainage policy comprises applying a protection policy or applying an exclusion protection policy;
determining whether to drain the access request according to the security drainage policy, including:
if the security drainage policy is an application protection policy, when the target application is determined to belong to a protected application in the application protection policy, the access request is drained;
and if the security drainage policy is an application exclusion protection policy, not draining the access request when the target application is determined to belong to the unprotected applications in the application exclusion protection policy.
6. The method of claim 5, wherein after determining whether to drain the access request according to the security drainage policy, the method further comprises:
and if the target application is determined to be the protected application, adding response information corresponding to the domain name resolution request into a local route, and draining according to the local route when the access request aiming at the same target application is subsequently received.
7. The method according to any one of claims 1 to 6, wherein the connection configuration information is tunnel configuration information;
establishing an association relationship with the target edge node according to the connection configuration information and the address information of the target edge node, including:
and establishing a drainage tunnel with the target edge node according to the tunnel configuration information and the address information of the target edge node.
8. The method of claim 7, wherein establishing a drainage tunnel with the target edge node based on the tunnel configuration information and the address information of the target edge node comprises:
acquiring equipment identification information of a current client, wherein the equipment identification information comprises at least one of a client system type, a system version, a client software version, an equipment unique identifier or a client certificate;
generating a tunnel establishment request according to the equipment identification information and the tunnel configuration information;
and sending the tunnel establishment request to the target edge node according to the address information of the target edge node, so that the target edge node performs verification according to the equipment identification information in the tunnel establishment request, and establishes a drainage tunnel with the current client after the verification is passed.
9. A method for remote access of an application, applied to an edge node, the method comprising:
receiving an association relation establishment request sent by a client, wherein the association relation establishment request comprises equipment identification information of the client;
verifying according to the equipment identification information, and establishing an association relationship with the client after the verification is passed;
receiving an access request for a target application sent by the client, wherein the access request is sent through an association relationship between the client and a current edge node;
executing a security access control policy on the access request to determine whether the access request has access rights to access the target application;
and performing access control on the access request according to the determination result, wherein the access control comprises access refusal or access permission.
10. The method of claim 9, wherein the association request is a tunnel establishment request, and the device identification information includes at least one of a client system type, a system version, a client software version, a device unique identifier, or a client certificate;
verifying according to the equipment identification information, and establishing an association relationship with the client after the verification is passed, wherein the method comprises the following steps:
And verifying according to the equipment identification information, and establishing a drainage tunnel with the client after the verification is passed.
11. The method according to claim 9, wherein the secure access control policy comprises an identity authentication policy and/or a rights authentication policy;
before executing the security access control policy on the access request, further comprising:
and receiving and storing the security access control policy sent by the management platform.
12. A method for remote access of an application, the method comprising:
receiving a login request sent by a client, wherein the login request comprises organization identification information corresponding to the client;
verifying the organization identification information, and if the verification is passed, returning a corresponding identity authentication interface to the client based on the organization identification information;
receiving user identity information sent by the client and acquired through the identity authentication interface;
verifying based on the user identity information, and after the verification is passed, sending security configuration information corresponding to the organization identification information to the client, wherein the security configuration information comprises tunnel configuration information, a security drainage strategy and address information of a target edge node;
And sending a security access control strategy corresponding to the organization identification information to the target edge node so that the target edge node responds to the access request for the target application sent by the client according to the security access control strategy.
13. The method according to claim 12, wherein the method further comprises:
displaying a configuration editing interface according to a received configuration request aiming at the security configuration information or the security access control strategy, wherein the configuration editing interface comprises at least one configuration editing option;
and generating and storing corresponding security configuration information or security access control strategies according to the editing information received by the at least one configuration editing option.
14. A remote access device for an application, the device deployed at a drainage client, the device comprising:
a first-first module, configured to receive security configuration information sent by the management platform, wherein the security configuration information comprises connection configuration information, a security drainage policy and address information of a target edge node;
a first-second module, configured to establish an association relationship with the target edge node according to the connection configuration information and the address information of the target edge node;
a first-third module, configured to receive an access request of an application client for a target application, and determine whether to drain the access request according to the security drainage policy;
and a first-fourth module, configured to, if so, drain the access request to the target edge node through the association relationship, so that the target edge node responds to the access request.
15. A remote access device for an application, deployed at an edge node, the device comprising:
a second-first module, configured to receive an association relationship establishment request sent by a client, wherein the association relationship establishment request comprises device identification information of the client;
a second-second module, configured to perform verification according to the device identification information, and establish an association relationship with the client after the verification is passed;
a second-third module, configured to receive an access request for a target application sent by the client, wherein the access request is sent through the association relationship between the client and the current edge node;
a second-fourth module, configured to execute a security access control policy on the access request to determine whether the access request has the right to access the target application;
and a second-fifth module, configured to perform access control on the access request according to the determination result, wherein the access control comprises access rejection or access permission.
16. A remote access device for an application, the device deployed on a management platform, the device comprising:
a third-first module, configured to receive a login request sent by a client, wherein the login request comprises organization identification information corresponding to the client;
a third-second module, configured to verify the organization identification information and, if the verification is passed, return a corresponding identity authentication interface to the client based on the organization identification information;
a third-third module, configured to receive user identity information sent by the client and acquired through the identity authentication interface;
a third-fourth module, configured to perform verification based on the user identity information and, after the verification is passed, send security configuration information corresponding to the organization identification information to the client, wherein the security configuration information comprises tunnel configuration information, a security drainage policy and address information of a target edge node;
and a third-fifth module, configured to send a security access control policy corresponding to the organization identification information to the target edge node, so that the target edge node responds to an access request for a target application sent by the client according to the security access control policy.
17. An electronic device, wherein the device comprises a memory for storing computer program instructions and a processor for executing the computer program instructions, wherein the computer program instructions, when executed by the processor, trigger the device to perform the method of any one of claims 1 to 13.
18. A computer readable storage medium having stored thereon computer program instructions executable by a processor to implement the method of any of claims 1 to 13.
CN202210681197.4A 2022-06-16 2022-06-16 Remote access method, device, system, equipment and storage medium for application Pending CN117294698A (en)

Publications (1)

Publication Number Publication Date
CN117294698A true CN117294698A (en) 2023-12-26

Family

ID=89252232


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination