CN117336269A - Resource access method, device, electronic equipment and storage medium - Google Patents


Publication number: CN117336269A
Authority: CN (China)
Prior art keywords: address, request, packet, address packet, network
Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202311346295.3A
Other languages: Chinese (zh)
Inventors: 成少波, 王伟
Current assignee: Beijing Zhizhangyi Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Zhizhangyi Technology Co ltd
Events: application filed by Beijing Zhizhangyi Technology Co ltd; priority to CN202311346295.3A; publication of CN117336269A; legal status pending


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming > H04L 61/09 Mapping addresses > H04L 61/25 Mapping addresses of the same type > H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 12/00 Data switching networks > H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L 12/46 Interconnection of networks > H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 12/00 Data switching networks > H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming > H04L 61/45 Network directories; Name-to-address mapping > H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols > H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies > H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L 9/40 Network security protocols

Abstract

The invention discloses a resource access method, a resource access device, an electronic device and a storage medium. The method comprises the following steps: acquiring a resource access request through a network layer filtering module and parsing the request address packet contained in it to obtain a source address and a destination address; obtaining an encryption drainage list (the list of destination addresses whose traffic must be steered into encrypted transmission) through the network layer filtering module; when the destination address of the request address packet exists in the encryption drainage list, intercepting the packet through the network layer filtering module and forwarding it to the network address conversion module; modifying the source address contained in the request address packet into a virtual address through the network address conversion module; and sending the modified request address packet to a first follow-up module through the network address conversion module, so that the application server responds to the resource access request. The technical scheme of the embodiment of the invention reduces development difficulty, avoids the risk of routing information being tampered with and the risk of attack by network sniffing tools, and realizes access to the resource.

Description

Resource access method, device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network information security technologies, and in particular, to a method and apparatus for accessing resources, an electronic device, and a storage medium.
Background
Currently, Layer 3 Virtual Private Networks (L3VPN), which operate at the network layer, are widely used for remote office work and remote access. An L3VPN mainly relies on tunnelling, encryption, key management, and user and device identity authentication, and its use can greatly improve the security of Internet access.
The L3VPN works at the third layer of the network stack. At present it is mainly implemented by combining a virtual network card (virtual network adapter) with system routing: the destination route corresponding to the resource is directed to the virtual network card, so that access to the resource in the application server is realized. The L3VPN workflow generally consists of reading the data of a request address packet from the virtual network card, encapsulating it with a custom protocol and sending it to the application server; the returned request address packet data received from the application server is then written back into the virtual network card, so that it is returned to the operating system.
However, the resource access mode that combines a virtual network card with system routing is difficult to develop, and it also carries the risk that the routing information is easily tampered with and that the traffic is easily captured by a network sniffing tool.
Disclosure of Invention
The invention provides a resource access method, a resource access device, an electronic device and a storage medium, which reduce development difficulty, avoid the risk of tampering with routing information and the risk of attack by a network sniffing tool, and realize access to resources.
According to an aspect of the present invention, there is provided a resource access method applied to a security gateway, including:
acquiring a resource access request through a network layer filtering module, and parsing a request address packet contained in the resource access request to obtain a source address and a destination address contained in the request address packet;
obtaining an encryption drainage list through the network layer filtering module, and detecting whether the destination address of the request address packet exists in the encryption drainage list;
when the destination address of the request address packet exists in the encryption drainage list, intercepting the request address packet through the network layer filtering module and forwarding it to a network address conversion module;
modifying the source address contained in the request address packet into a virtual address through the network address conversion module;
and sending the modified request address packet to a first follow-up module through the network address conversion module, so that the application server responds to the resource access request.
According to another aspect of the present invention, there is provided a resource access device applied to a security gateway, including:
the network layer filtering module is used for acquiring a resource access request, analyzing a request address packet contained in the resource access request, and obtaining a source address and a destination address contained in the request address packet;
the network layer filtering module is used for acquiring a drainage list and detecting whether a destination address of the request address packet exists in the drainage list;
the network layer filtering module is used for intercepting the request address packet when the destination address of the request address packet exists in the drainage list and forwarding the request address packet to the network address conversion module;
the network address conversion module is used for modifying the source address contained in the request address packet into a virtual address;
and the network address conversion module is used for sending the modified request address packet to the first follow-up module so as to realize the response of the application server to the resource access request.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the resource access method of any one of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to perform the resource access method of any of the embodiments of the present invention.
In the technical scheme, the network layer filtering module acquires the resource access request and parses the request address packet contained in it to obtain the source address and destination address; it then acquires the encryption drainage list and detects whether the destination address of the request address packet exists in that list; when it does, the network layer filtering module intercepts the request address packet and forwards it to the network address conversion module, which modifies the source address contained in the packet into a virtual address and sends the modified packet to the first follow-up module, so that the application server responds to the resource access request. This solves the problem of high development difficulty, avoids the risk that the routing information is tampered with and the risk of attack by a network sniffing tool, and realizes resource access based on a security gateway.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a resource access method according to a first embodiment of the present invention;
FIG. 2 is a flow chart of a resource access method according to a second embodiment of the present invention;
FIG. 3 is a block diagram of a system to which the resource access method according to a third embodiment of the present invention is applicable;
FIG. 4 is a flow chart of a resource access method according to a third embodiment of the present invention;
FIG. 5 is a flow chart of a resource access method according to a third embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a resource access device according to a fourth embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an electronic device implementing a resource access method according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
FIG. 1 is a flow chart of a resource access method according to a first embodiment of the present invention. The embodiment is applicable to the situation in which a resource is accessed; the method can be executed by a resource access device, which can be implemented in hardware and/or software and configured in an electronic device that carries the resource access function.
Referring to the resource access method shown in fig. 1, the resource access method is applied to a security gateway and comprises the following steps:
S110, acquiring a resource access request through a network layer filtering module, and parsing a request address packet contained in the resource access request to obtain a source address and a destination address contained in the request address packet.
The network layer filtering module may be configured to intercept and forward the request address packet included in the resource access request. It may be configured at the internet layer of the kernel-mode WFP (Windows Filtering Platform) framework. The kernel mode may include, among other things, the kernel network protocol stack and the WFP framework. The WFP framework is the network filtering framework provided by the Windows operating system, and it hooks into every layer of the kernel network protocol stack. Illustratively, the kernel network protocol stack may be the TCP/IP (Transmission Control Protocol/Internet Protocol) stack, which includes an application layer, a transport layer, an internet layer and a data link layer. Accordingly, the WFP framework is divided into four fixed filtering layers that mirror the TCP/IP stack: an application layer, a transport layer, an internet layer and a link layer, each inserted into the corresponding layer of the TCP/IP stack. The application layer of the TCP/IP stack corresponds to the upper layers of the OSI (Open Systems Interconnection) reference model and provides the services required by the user, for example HTTP (Hypertext Transfer Protocol), HTTPS (Hypertext Transfer Protocol over Secure Socket Layer), FTP (File Transfer Protocol), Telnet (Teletype Network), DNS (Domain Name System) and SMTP (Simple Mail Transfer Protocol).
The transport layer of the TCP/IP stack corresponds to the transport layer of the OSI reference model and provides end-to-end communication for application-layer entities, ensuring in-order delivery and integrity of the data. It defines two main protocols, TCP and UDP: TCP provides a reliable, connection-oriented data transfer service established by a three-way handshake, while UDP provides a connectionless service with no reliability guarantee. The internet layer of the TCP/IP stack corresponds to the network layer of the OSI reference model and mainly solves host-to-host communication: the protocols it contains carry data packets logically across the whole network, assign IP (Internet Protocol) addresses to hosts to complete host addressing, and route data packets across the various networks. The internet layer includes three main protocols: the Internet Protocol (IP), the Internet Group Management Protocol (IGMP) and the Internet Control Message Protocol (ICMP). The data link layer of the TCP/IP stack corresponds to the physical layer and the data link layer of the OSI reference model; it is responsible for the exchange of data between the host and the network and connects to the network access layer of TCP/IP. The Address Resolution Protocol (ARP) works at this layer, the data link layer of the OSI reference model. Accordingly, the application layer of the WFP framework may include an Application Layer Enforcement (ALE) layer and a stream data layer. The ALE layer may cover at least one of the bind, connect, accept and listen operations, and the stream data layer receives the original data of the application layer.
The original data here has had the various TCP/IP headers removed. The transport layer of the WFP framework may be used to receive and send TCP or UDP packets, which already carry the TCP or UDP header. The internet layer of the WFP framework may be used to receive and send IP packets; the network layer filtering module is located at this layer. The link layer of the WFP framework may carry link-layer frames with the Ethernet card's MAC (Media Access Control) addresses.
The resource access request may be a request to access a resource in the application server. Optionally, the resource in the application server is one that requires encrypted access. Optionally, the resource access request is sent by the resource requester through the application end, for example by an application or browser running there. The request address packet is the address packet contained in the resource access request; it is a data packet carried by the third layer of the kernel network protocol stack, i.e. the internet layer, and may for example be an IP packet. The request address packet may include, but is not limited to, the five-tuple: source address (Source IP), source port (Source Port), destination address (Dest IP), destination port (Dest Port) and communication protocol (Protocol). The source address is the address from which the resource access request is issued, i.e. the address of the application (or browser) at the application end, and the source port is the port corresponding to it. The destination address is the address where the resource corresponding to the request is located, i.e. the address of the application server holding the resource, and the destination port is the port corresponding to it. The communication protocol is a protocol of the kernel network protocol stack, for example TCP/IP. The security gateway may be a gateway for encrypted transmission.
Specifically, the network layer filtering module acquires the resource access request sent by the resource requester through the application (or browser) at the application end, and parses the request address packet contained in it to obtain the source address and destination address.
S120, acquiring an encryption drainage list through a network layer filtering module, and detecting whether a destination address of a request address packet exists in the encryption drainage list.
The encryption drainage list records the destination addresses for which encrypted transmission is required. Optionally, the L3VPN application obtains the encryption drainage list in advance and sets it in the WFP driver module. If the destination address of the request address packet exists in the encryption drainage list, traffic to that destination needs to be encrypted in transit; if it does not, encrypted transmission to that destination is not required.
Specifically, the network layer filtering module obtains the encryption drainage list set in the WFP driver module and detects whether the destination address of the request address packet exists in it.
S130, when the destination address of the request address packet exists in the encryption drainage list, intercepting the request address packet through the network layer filtering module and forwarding it to the network address conversion module.
Intercepting the request address packet essentially means steering (draining) it: the packet is diverted into the channel that requires encrypted transmission, so that encrypted transmission of the request address packet is realized. The network address conversion module is used to translate addresses into other addresses; it modifies the source address contained in the request address packet into a virtual address, which strengthens security while the request address packet is in transit. The network address conversion module may be configured in kernel mode and may, for example, be a NAT (Network Address Translation) module.
Specifically, when the destination address of the request address packet exists in the encryption drainage list, that is, when the destination requires encrypted transmission, the network layer filtering module intercepts the request address packet and forwards it to the network address conversion module.
S140, modifying the source address contained in the request address packet into a virtual address through the network address conversion module.
The virtual address is used to access the application server, and the virtual address corresponding to a given source address is unique. Optionally, the virtual address is one allocated by the server and obtained in advance by the L3VPN application, which sets it in the WFP driver module.
Specifically, the network address conversion module modifies the source address contained in the request address packet into the virtual address preset in the WFP driver module.
S150, sending the modified request address packet to a first follow-up module through the network address conversion module, so that the application server responds to the resource access request.
The first follow-up module is used to transmit the modified request address packet. Optionally, it includes a kernel mode data communication module, a user mode data communication module, a user mode L3VPN data interaction module, the L3VPN application, and the like. The kernel mode data communication module is configured in kernel mode; it interacts with the user mode data communication module and transmits the request address packet. Specifically, it writes the received request address packet into the network address conversion module and forwards the request address packet read from the network address conversion module to user mode. The user mode data communication module is configured in user mode; it interacts with kernel mode and transmits the request address packet: it writes the request address packet received from the user mode L3VPN data interaction module into kernel mode, and forwards the request address packet read from kernel mode to the user mode L3VPN data interaction module. The user mode L3VPN data interaction module is also configured in user mode; it exchanges data with the L3VPN application and reads and writes request address packet data, i.e. it includes request address packet reading and request address packet writing. The L3VPN application receives and transmits the request address packet data and encapsulates it in the secure tunnel.
Specifically, the network address conversion module sends the modified request address packet to the first follow-up module, and the first follow-up module sends the request address packet, encapsulated in the secure tunnel, to the application server, so that the application server responds to the resource access request. The application server may be an L3VPN server.
For example, the network address conversion module sends the modified request address packet to the kernel mode data communication module; the kernel mode data communication module sends it to the user mode data communication module; the user mode data communication module sends it to the user mode L3VPN data interaction module; the user mode L3VPN data interaction module sends it to the L3VPN application; and the L3VPN application encapsulates it in the secure tunnel and sends it to the L3VPN server, so that the application server responds to the resource access request.
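Steps S110 to S150 above describe one pass of a request address packet through the gateway. The following Python model is an added example, not code from the patent or from Beijing Zhizhangyi Technology: the patent runs this logic in a kernel-mode WFP callout at the internet layer, whereas here the same decisions are made over raw IPv4 bytes so they can be run and checked offline. The sample addresses (192.168.1.10 as the application end, 10.20.30.40 as the application server, 10.255.0.0/24 as the virtual address pool), the ports, the packet contents and all class and function names are this example's own assumptions.

```python
# Added example (not the patent's code): a Python model of steps S110 to S150. The
# patent runs this logic in a kernel-mode WFP callout; here the same decisions are made
# over raw IPv4 bytes offline. Addresses, ports, payloads and the virtual pool are constructed.
import ipaddress
import struct

TCP, UDP = 6, 17
CSUM_OFFSET = {TCP: 16, UDP: 6}  # offset of the checksum field inside the L4 header

def ones_sum(data: bytes) -> int:
    """Folded 16-bit one's-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def incremental_csum(old_csum: int, old: bytes, new: bytes) -> int:
    """RFC 1624: HC' = ~(~HC + ~m + m') when the covered bytes `old` become `new`."""
    return ~ones_sum(struct.pack("!H", ~old_csum & 0xFFFF) + bytes(b ^ 0xFF for b in old) + new) & 0xFFFF

def build_packet(src, dst, proto, sport, dport, payload=b"") -> bytes:
    """Constructed sample: 20-byte IPv4 header plus a minimal TCP SYN or UDP header."""
    src_b, dst_b = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, proto, len(l4))
    off = CSUM_OFFSET[proto]
    l4 = l4[:off] + struct.pack("!H", (~ones_sum(pseudo + l4) & 0xFFFF) or 0xFFFF) + l4[off + 2:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ~ones_sum(hdr) & 0xFFFF) + hdr[12:] + l4

def parse_five_tuple(pkt: bytes) -> dict:
    """S110: source/destination address, ports and protocol of an IPv4 packet."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    sport = dport = None
    if proto in CSUM_OFFSET:  # TCP and UDP headers both begin with the two port fields
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])), "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "sport": sport, "dport": dport, "proto": proto, "ihl": ihl}

class NatModule:
    """S140: one fixed virtual address per real source, so the mapping is unique and reversible."""

    def __init__(self, virtual_pool: str):
        self.free = [str(a) for a in ipaddress.IPv4Network(virtual_pool).hosts()]
        self.src_to_virtual, self.virtual_to_src = {}, {}

    def virtual_for(self, src: str) -> str:
        if src not in self.src_to_virtual:
            if not self.free:
                raise RuntimeError("virtual address pool exhausted")
            v = self.free.pop(0)
            self.src_to_virtual[src], self.virtual_to_src[v] = v, src
        return self.src_to_virtual[src]

    def rewrite_source(self, pkt: bytes) -> bytes:
        info = parse_five_tuple(pkt)
        old = ipaddress.IPv4Address(info["src"]).packed
        new = ipaddress.IPv4Address(self.virtual_for(info["src"])).packed
        out = bytearray(pkt)
        out[12:16] = new
        out[10:12] = struct.pack("!H", incremental_csum(struct.unpack("!H", pkt[10:12])[0], old, new))
        # The TCP/UDP checksum covers a pseudo-header holding both IP addresses, so a
        # source rewrite must patch it too or the server will drop the segment.
        if info["proto"] in CSUM_OFFSET:
            off = info["ihl"] + CSUM_OFFSET[info["proto"]]
            l4_csum = struct.unpack("!H", pkt[off:off + 2])[0]
            if not (info["proto"] == UDP and l4_csum == 0):  # UDP 0 means "no checksum"
                out[off:off + 2] = struct.pack("!H", incremental_csum(l4_csum, old, new) or 0xFFFF)
        return bytes(out)

class NetworkLayerFilter:
    """S120/S130/S150: steer listed destinations into the tunnel path; pass the rest untouched."""

    def __init__(self, drainage_list, nat: NatModule):
        self.drainage = {str(ipaddress.IPv4Address(a)) for a in drainage_list}
        self.nat = nat

    def classify(self, pkt: bytes):
        if parse_five_tuple(pkt)["dst"] not in self.drainage:
            return "permit", pkt  # ordinary stack path, bytes unchanged
        return "tunnel", self.nat.rewrite_source(pkt)  # on to the first follow-up module

def checksums_ok(pkt: bytes) -> bool:
    """Full recomputation: valid IPv4 header and L4 checksums both fold to 0xFFFF."""
    info = parse_five_tuple(pkt)
    ihl, l4 = info["ihl"], pkt[info["ihl"]:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, info["proto"], len(l4))
    return ones_sum(pkt[:ihl]) == 0xFFFF and ones_sum(pseudo + l4) == 0xFFFF
```

Two points the text leaves implicit are made explicit here. The virtual address mapping is kept in both directions, so the reply path can restore the real source address before the response is written back to the requesting application. And rewriting the source address invalidates not only the IPv4 header checksum but also the TCP or UDP checksum, because the transport pseudo-header covers both IP addresses; the example patches both incrementally per RFC 1624, which any NAT that modifies packets in a WFP callout must do as well, or the application server silently discards the segment.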
In the prior art, the L3VPN works at the third layer of the network layer, mainly adopts a mode of combining the virtual network card and the system route, directs the destination route corresponding to the resource to the virtual network card, and then filters the acquired request address packet by the virtual network card to intercept or release, thereby realizing access to the resource in the application server. Third party software may modify system routing through system interfaces or commands, resulting in virtual network card drainage failure. Meanwhile, because the virtual network card is developed based on NDIS (Network Driver Interface Specification ) driver, the development difficulty is high, and the problem is difficult to modify. Moreover, the network sniffing tool can grab the virtual network card of the local operating system, namely sniffing the request address packet responded by the original resource access request, so that subsequent analysis and attack are performed, and the risk of being easily attacked by the sniffing tool exists. The NDIS is a specification of a Windows virtual network card interface, forms a part of a logic link control sublayer in a kernel network protocol stack, is used as a connection layer between an operating system and a network card, is downward connected with a Medium Access Control (MAC) sublayer, and is upward connected with a network layer. NDIS drivers mainly include NDIS micro-port drivers, NDIS middle layer drivers, NDIS filter drivers, and NDIS protocol drivers. The NDIS micro-port driver works at the lowest layer and directly processes data received by the network card; the virtual network card is generally developed based on NDSI micro-port drivers.
At present, when the Windows operating system does not use a virtual network card, network data is generally drained through the following schemes. Scheme (1) uses a layered service provider (LSP/NSP) to intercept or forward packets, achieving the effect of steering specific network traffic. For example, the Socks (SOCKS: Protocol for sessions traversal across firewall securely) operation functions are hooked, and packets are forwarded and connected using the layered services of the LSP (Layered Service Provider). Scheme (2) uses a system proxy (HTTP, SOCKS5, etc.): the address of the proxy server to be connected is set in the system proxy configuration through the operating system, and once enabled, network drainage of common software such as browsers can be realized. However, the drawbacks of these common alternatives are as follows. In scheme (1), because it is implemented in the application layer, protocol compatibility is poor, the effective operation of mechanisms such as the application's own asynchronous communication or Input/Output Completion Ports (IOCP) cannot be ensured, and blocking and similar phenomena may occur while the application is running; in addition, the scheme processes Socket (network operation) data at the fourth layer of the network hierarchy and cannot meet the drainage requirement for request address packets of the L3VPN.
In scheme (2), after the system proxy is set, it does not take effect for all applications in the operating system, so the system proxy cannot provide comprehensive coverage; meanwhile, the system proxy configuration is easily tampered with, rendering the system proxy invalid or abnormal; in addition, this scheme also processes Socket (network operation) data at the fourth layer of the network hierarchy and cannot meet the drainage requirement for request address packets of the L3VPN.
According to the technical scheme of this embodiment, the network layer filtering module acquires the resource access request and parses the request address packet contained in it to obtain the source address and destination address contained in the request address packet; the network layer filtering module acquires the encryption drainage list and detects whether the destination address of the request address packet exists in the encryption drainage list, intercepts the request address packet when its destination address exists in the encryption drainage list, and forwards the request address packet to the network address conversion module; the network address conversion module modifies the source address contained in the request address packet to a virtual address and sends the modified request address packet to the first subsequent module, so that the application server responds to the resource access request. In this way, the resource access mode combining a virtual network card with system routing is replaced.
Meanwhile, since the network layer filtering module is configured in the kernel mode of the operating system, its routing information configuration is correspondingly also kept in kernel mode, and kernel-mode routing information cannot be modified by third-party software, so the risk of tampering with routing information is avoided and the stability of resource access based on the security gateway is improved. In addition, the technical scheme of the embodiment of the invention does not construct a virtual network card, so a network sniffing tool is fundamentally prevented from capturing packets on a virtual network card of the local operating system; the sniffing tool cannot carry out subsequent analysis and attack, the attack risk from network sniffing tools is avoided, and the security of the resource access process based on the security gateway is improved.
In an alternative embodiment of the present invention, after sending the modified request address packet to the first subsequent module, the method further includes: receiving, through the network address conversion module, a response address packet fed back by the first subsequent module, and parsing the response address packet to obtain the source address and destination address contained in it; modifying, through the network address conversion module, the destination address contained in the response address packet to the real destination address, and sending the modified response address packet to the network layer filtering module; and sending the modified response address packet to a second subsequent module through the network layer filtering module, so that the application end can access the resources of the application server.
The response address packet may be an address packet that responds to a resource access request. The response address packet may be a data packet transmitted by a third layer of the kernel network protocol stack, i.e. an internet layer of the kernel network protocol stack. Illustratively, the response address packet may be an IP packet. The response address packet may include, but is not limited to, five-tuple information, i.e., the response address packet may include, but is not limited to, a source address, a source port, a destination address, a destination port, and a communication protocol. Wherein the source address in the response address packet may be the destination address in the request address packet. The source port in the response address packet may be the destination port in the request address packet. The destination address in the response address packet may be the source address, i.e. the virtual address, in the modified request address packet. The destination port of the response address packet may be the source port in the modified request address packet. The communication protocol in the response address packet may be the same as the communication protocol in the request address packet. The real destination address may be the source address in the request address packet, i.e. the address of the local device to which the request address packet actually corresponds.
The first subsequent module may be configured to transmit the request address packet from the network address translation module to the application server. The second subsequent module may be configured to transmit the response address packet. Optionally, the second subsequent module may include a WFP driver layer and the kernel network protocol stack, where the WFP driver layer transmits the response address packet and the kernel network protocol stack processes the response address packet and sends the processed response address packet to an application program (or browser) of the application end, so that the application end can access resources of the application server. Optionally, the application end may display the content of the resource or perform subsequent operations on it.
Specifically, after the modified request address packet is sent to the first subsequent module, the response address packet fed back by the first subsequent module can be received through the network address conversion module, and the response address packet is parsed to obtain the source address and destination address contained in it. The destination address contained in the response address packet is then modified to the real destination address by the network address conversion module, and the modified response address packet is sent to the network layer filtering module, which sends it on to the second subsequent module. The second subsequent module processes the modified response address packet and sends it to the application end. After the application receives the modified response address packet, it can display the content of the resource or perform subsequent operations on it.
By way of example, the response address packet fed back by the L3VPN server may be obtained by the L3VPN application using the private encryption protocol of the secure tunnel, and forwarded to the L3VPN data interaction module. The L3VPN data interaction module sends the received response address packet to the user mode data communication module, which sends it to the kernel mode data communication module, which in turn sends it to the kernel-mode network address translation module. The kernel-mode network address conversion module receives the response address packet and parses it to obtain the five-tuple information it contains. The destination address contained in the response address packet is modified to the real destination address by the network address conversion module, and the modified response address packet is sent to the network layer filtering module, which injects it into the WFP driver layer. The WFP driver layer returns the modified response address packet to the kernel network protocol stack of the operating system, which processes it and sends it to the application end. The application program (or browser) of the application end can then display the content of the received response address packet and perform subsequent operations on it, so that the application end's access to the resources of the application server is realized.
This scheme modifies the destination address contained in the response address packet, sends the modified response address packet to the second subsequent module, and processes it there, thereby realizing the application end's access to the resources of the application server. It reduces development difficulty, improves development efficiency, avoids tampering with routing information and the attack risk from network sniffing tools, and improves the security and stability of resource access. It only slightly changes the original L3VPN system: a network layer filtering module, a first subsequent module and a second subsequent module are newly added under the WFP framework, which completely replaces the resource access mode combining a virtual network card with system routing while taking into account both the security and the development efficiency of the resource access process.
In an alternative embodiment of the invention, the security gateway comprises a VPN gateway or an SDP gateway.
The VPN gateway is a Virtual Private Network gateway. When the security gateway is a VPN gateway, the drainage mode combining the original virtual network card of the L3VPN with system routing can be replaced by adding a network layer driving module under the WFP framework. The SDP gateway is a Software Defined Perimeter gateway. When the security gateway is an SDP gateway, the drainage mode combining the original virtual network card of the L3SDP with system routing can be replaced by adding a network layer driving module under the WFP framework. For the specific replacement, reference may be made to the description of the above technical solutions, which is not repeated here.
According to this scheme, the security gateway is embodied as a VPN gateway or an SDP gateway, which enlarges the application range of the resource access method and perfects the functions of the VPN gateway or SDP gateway. A scheme for replacing the virtual network card based on a WFP driver (namely, a network layer driving module under the WFP framework) is provided, which greatly reduces the development difficulty and workload of the virtual network card, effectively prevents the tampering risk of routing information and the attack risk of network sniffing tools, and further improves the security and stability of the resource access process based on the VPN gateway or SDP gateway.
Example two
Fig. 2 is a flowchart of a resource access method according to a second embodiment of the present invention. On the basis of the first embodiment, this embodiment further adds, after acquiring the encryption drainage list and detecting whether the destination address of the request address packet exists in the encryption drainage list, the following steps: detecting the type of the request address packet through the network layer filtering module when the destination address does not exist in the encryption drainage list; intercepting the request address packet through the network layer filtering module when its type is a domain name server address packet, and forwarding it to the network address conversion module; modifying, through the network address conversion module, the source address contained in the request address packet to a virtual address and the destination address contained in it to a domain name server address; and sending the modified request address packet to the first subsequent module through the network address conversion module, so that the application server responds to the resource access request. Interception and drainage of domain name server address packets are thus taken into account, and the comprehensiveness, accuracy and security of resource access based on the security gateway are improved. For parts of this embodiment not described in detail, reference may be made to the descriptions of the other embodiments.
Referring to the resource access method shown in fig. 2, the method includes:
S210, acquiring a resource access request through a network layer filtering module, and parsing a request address packet contained in the resource access request to obtain a source address and a destination address contained in the request address packet.
S220, acquiring an encryption drainage list through a network layer filtering module, and detecting whether a destination address of a request address packet exists in the encryption drainage list.
S230, detecting the type of the request address packet when the destination address does not exist in the encryption drainage list through the network layer filtering module.
Besides the drainage mode of the encryption drainage list, whether encryption drainage is performed or not can also be determined according to the type of the request address packet. The types of request address packets may include a type that requires encryption drainage and a type that does not. Further, the type requiring encryption drainage may be a domain name server address packet, and the type not requiring encryption drainage may be a non-domain name server address packet, so as to realize encryption drainage of domain name server addresses. A domain name server address packet is a request address packet whose destination address corresponds to a domain name server. A non-domain name server address packet is a request address packet whose destination address does not correspond to a domain name server. Alternatively, the type of the request address packet may be determined by detecting the communication protocol and destination port in the request address packet. Illustratively, if the communication protocol in the request address packet is detected to be UDP and the destination port is 53, the type of the request address packet is a domain name server address packet. Optionally, the communication protocol and destination port corresponding to domain name server address packets may be stored in the WFP driving module in advance.
Specifically, when the destination address does not exist in the encryption drainage list, the network layer filtering module can detect whether the communication protocol and destination port contained in the request address packet exist in the WFP driving module; if yes, the type of the request address packet is a domain name server address packet, and if not, the type of the request address packet is a non-domain name server address packet.
S240, intercepting the request address packet and forwarding the request address packet to the network address conversion module when the type of the request address packet is a domain name server address packet through the network layer filtering module.
Specifically, when the type of the request address packet is a domain name server address packet, that is, the request address packet needs to be encrypted and transmitted, the request address packet can be intercepted by the network layer filtering module, and the request address packet is forwarded to the network address conversion module.
S250, modifying a source address contained in the request address packet into a virtual address and modifying a destination address contained in the request address packet into a domain name server address through a network address conversion module.
The domain name server address may be used to access the corresponding domain name server. The domain name server address may be, for example, a DNS (Domain Name System) server address. Access to domain name server addresses requires internet quarantine. Optionally, the L3VPN application may obtain the domain name server address in advance and set it in the WFP driving module. Modifying the source address contained in the request address packet to a virtual address can be understood as encrypting the source address contained in the request address packet, which can avoid an attack on the local device corresponding to the source address. Modifying the destination address contained in the request address packet to the domain name server address realizes access to the domain name server address.
Specifically, the source address contained in the request address packet can be modified into a virtual address through the network address conversion module, and the destination address contained in the request address packet can be modified into a domain name server address.
S260, sending the modified request address packet to a first subsequent module through the network address conversion module, so that the application server responds to the resource access request.
Specifically, the modified request address packet may be sent to the first subsequent module by the network address translation module. And the request address packet packaged by the secure tunnel can be sent to the application server through the first subsequent module so as to realize the response of the application server to the resource access request.
According to the technical scheme of this embodiment, after the encryption drainage list is obtained and whether the destination address exists in it is detected, the network layer filtering module detects the type of the request address packet when the destination address does not exist in the encryption drainage list and intercepts the request address packet when its type is a domain name server address packet; the network address conversion module modifies the source address contained in the request address packet to a virtual address and the destination address contained in it to a domain name server address, and sends the modified request address packet to the first subsequent module, so that the application server responds to the resource access request. Interception and drainage of domain name server address packets are thus taken into account, and the comprehensiveness, accuracy and security of resource access based on the security gateway are improved.
In an alternative embodiment of the present invention, after sending the modified request address packet to the first subsequent module, the method further includes: receiving a response address packet fed back by the first follow-up module through the network address conversion module, and analyzing the response address packet to obtain a source address and a destination address contained in the response address packet; modifying a destination address contained in the response address packet into a real destination address through a network address conversion module, modifying a source address into an original source address, and transmitting the modified response address packet to a network layer filtering module; and the modified response address packet is sent to a second subsequent module through the network layer filtering module, so that the resource access of the application server by the application terminal is realized.
The response address packet may be an address packet that responds to a resource access request. The response address packet may include, but is not limited to, five-tuple information, i.e., the response address packet may include, but is not limited to, a source address, a source port, a destination address, a destination port, and a communication protocol. The source address in the response address packet may be a modified domain name server address in the request address packet. The destination address in the response address packet may be the source address, i.e. the virtual address, in the modified request address packet. The destination port of the response address packet may be the source port in the modified request address packet. The communication protocol in the response address packet may be the same as the communication protocol in the request address packet. The real destination address may be the source address in the request address packet, i.e. the address of the local device to which the request address packet actually corresponds. The original source address may be a destination address in the request address packet, i.e. an unmodified destination address in the request address packet.
The first subsequent module may be configured to transmit the request address packet from the network address translation module to the application server. The second subsequent module may be configured to transmit the response address packet. Optionally, the second subsequent module may include a WFP driver layer and the kernel network protocol stack, where the WFP driver layer transmits the response address packet and the kernel network protocol stack processes the response address packet and sends the processed response address packet to an application (or browser) of the application end, so that the application end can access resources of the application server. Optionally, the application end may display the content of the resource or perform subsequent operations on it.
Specifically, after the modified request address packet is sent to the first subsequent module, the response address packet fed back by the first subsequent module can be received through the network address conversion module, and the response address packet is parsed to obtain the source address and destination address contained in it. The destination address contained in the response address packet is modified to the real destination address and the source address to the original source address by the network address conversion module, and the modified response address packet is sent to the network layer filtering module, which sends it on to the second subsequent module. The second subsequent module processes the modified response address packet and sends it to the application end. After the application receives the modified response address packet, it can display the content of the resource or perform subsequent operations on it.
This scheme modifies the destination address and the source address contained in the response address packet and sends the modified response address packet to the second subsequent module, so that the response to a domain name server address packet is also drained and the application end's access to the resources of the application server is realized. It reduces development difficulty, improves development efficiency, avoids tampering with routing information and the attack risk from network sniffing tools, and improves the comprehensiveness, accuracy and security of resource access based on the security gateway.
In an alternative embodiment of the present invention, parsing the request address packet contained in the resource access request to obtain the source address and destination address contained in it includes: parsing the request address packet contained in the resource access request to obtain the source port, source address, destination address and communication protocol contained in it. Before the modified response address packet is sent to the network layer filtering module, the method further includes: storing, through the network address conversion module, a key-value pair into a key-value pair set, using the source port as the key, the source address and destination address as the value, and the communication protocol as a distinguishing identifier. Parsing the response address packet to obtain the source address and destination address contained in it includes: parsing the response address packet to obtain the source address, destination port, destination address and communication protocol contained in it. Before the destination address contained in the response address packet is modified to the real destination address and the source address to the original source address by the network address conversion module, the method further includes: querying the key-value pair set through the network address conversion module, using the destination port contained in the response address packet as the key and the communication protocol as the distinguishing identifier, to obtain the real destination address and the original source address.
The distinguishing identifier serves as an auxiliary mark for telling key-value pairs apart. It will be appreciated that where both the key and the value of two key-value pairs are the same but the communication protocols differ, the communication protocol distinguishes them within the set. The key-value pair set is used to store the source address and destination address of the request address packet before modification. The key of each key-value pair is the source port of the request address packet, and the value is the source address and destination address of the request address packet. The source port of the request address packet is the destination port of the response address packet; the source address of the request address packet is the real destination address restored in the response address packet; and the destination address of the request address packet is the original source address restored in the response address packet. Therefore, the source address and destination address of the request address packet before modification can be queried by the source port, and network address conversion is realized.
Specifically, in the process of sending the request address packet, the request address packet contained in the resource access request may be parsed to obtain the source port, source address, destination address and communication protocol contained in it. The network address conversion module stores a key-value pair in the key-value pair set with the source port as the key, the source address and destination address as the value, and the communication protocol as the distinguishing identifier. In the process of receiving the response address packet, the response address packet may be parsed to obtain the source address, destination port, destination address and communication protocol contained in it. The network address conversion module then queries the key-value pair set with the destination port contained in the response address packet as the key and the communication protocol as the distinguishing identifier, to obtain the real destination address and the original source address.
Optionally, in the resource access scheme that intercepts request addresses through the encryption drainage list, in the process of sending the request address packet, the request address packet contained in the resource access request may be parsed to obtain the source port, source address and communication protocol contained in it. The network address conversion module stores a key-value pair in the key-value pair set with the source port as the key, the source address as the value, and the communication protocol as the distinguishing identifier. In the process of receiving the response address packet, the response address packet may be parsed to obtain the destination port, destination address and communication protocol contained in it. The network address conversion module then queries the key-value pair set with the destination port contained in the response address packet as the key and the communication protocol as the distinguishing identifier, to obtain the real destination address.
According to the scheme, the source port is used as a key, the source address and the destination address are used as values, the communication protocol is used as a distinguishing identifier, the key value pairs are stored in the key value pair set, network address conversion is facilitated, the conversion efficiency and the conversion accuracy of the network address are further improved, and the efficiency and the accuracy of resource access based on the security gateway are further improved.
In an alternative embodiment of the present invention, after detecting the type of the request address packet, the method further includes: when the type of the request address packet is a non-domain name server address packet, the request address packet is released, and the request address packet is sent to the physical gateway, so that the physical gateway processes the request address packet and sends the request address packet to the application server, and the application server responds to the resource access request.
The non-domain name server address packet may be a request address packet for which the server corresponding to the destination address is not a domain name server. The destination address does not exist in the encryption drainage list, and the type of the request address packet is a non-domain name server address packet, which can be understood that the request address packet can be released without encryption transmission of the destination address. The physical gateway may be a gateway that performs normal transmission, i.e., a gateway that does not need to perform encrypted transmission. The physical gateway may transmit and process the request address packet.
Specifically, after the type of the request address packet is detected, when the type of the request address packet is a non-domain name server address packet, the request address packet can be released through the network layer filtering module, and the request address packet is sent to the physical gateway. The request address packet can be processed through the physical gateway and sent to the application server, so that the response of the application server to the resource access request is realized.
The scheme realizes the determination of the transmission mode of the request address packet based on the type of the request address packet and the encryption drainage list, can realize the normal transmission of the request address packet, and improves the flexibility of resource access.
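The request path of steps S210 to S260, the release of non-domain-name-server packets to the physical gateway, the response path, and the key-value pair set keyed by source port with the communication protocol as distinguishing identifier, as an added example in C that is not part of the patent and not the applicant's driver code. It simulates in user space the decisions the network layer filtering module and the network address conversion module make on a five-tuple: encryption drainage list match first, then UDP destination port 53 detection; source address replaced by the virtual address; destination replaced by the domain name server address for DNS packets; everything else released. The structure and function names, the 64-entry table capacity and all IP addresses are assumptions constructed for the example; a real implementation runs inside a WFP callout driver on the kernel's own packet structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IANA protocol numbers from the five-tuple; UDP/53 marks a DNS address packet. */
#define PROTO_TCP 6
#define PROTO_UDP 17
#define DNS_PORT 53
#define NAT_TABLE_SIZE 64 /* assumed capacity of the key-value pair set */

/* A request or response address packet reduced to its five-tuple (IPv4 as host-order ints). */
typedef struct {
    uint32_t src_addr, dst_addr;
    uint16_t src_port, dst_port;
    uint8_t proto;
} packet_t;

typedef enum { VERDICT_RELEASE = 0, VERDICT_TUNNEL = 1 } verdict_t;

/* One key-value pair: key = request source port, protocol = distinguishing identifier,
 * value = pre-modification addresses (restored into the response later). */
typedef struct {
    int used;
    uint16_t key_port;
    uint8_t proto;
    int dst_rewritten;  /* 1 when the destination was replaced by the DNS server address */
    uint32_t real_src;  /* becomes the real destination address of the response */
    uint32_t orig_dst;  /* becomes the original source address of the response */
} nat_entry_t;

/* State of the hypothetical network address conversion module. */
typedef struct {
    uint32_t virtual_addr;      /* virtual address allocated by the server */
    uint32_t dns_server_addr;   /* domain name server address set by the L3VPN application */
    const uint32_t *drain_list; /* encryption drainage list */
    size_t drain_count;
    nat_entry_t table[NAT_TABLE_SIZE];
} nat_module_t;

static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

static int in_drain_list(const nat_module_t *m, uint32_t dst) {
    for (size_t i = 0; i < m->drain_count; i++)
        if (m->drain_list[i] == dst) return 1;
    return 0;
}

static int is_dns_packet(const packet_t *p) {
    return p->proto == PROTO_UDP && p->dst_port == DNS_PORT;
}

/* Network layer filtering module (S220 to S240): drainage list first, then packet
 * type; anything else is released unchanged to the physical gateway. */
verdict_t filter_request(const nat_module_t *m, const packet_t *p) {
    if (in_drain_list(m, p->dst_addr)) return VERDICT_TUNNEL;
    if (is_dns_packet(p)) return VERDICT_TUNNEL;
    return VERDICT_RELEASE;
}

static nat_entry_t *find_entry(nat_module_t *m, uint16_t port, uint8_t proto) {
    for (size_t i = 0; i < NAT_TABLE_SIZE; i++)
        if (m->table[i].used && m->table[i].key_port == port && m->table[i].proto == proto)
            return &m->table[i];
    return NULL;
}

/* Request path (S250): record the pre-modification addresses under (source port, protocol),
 * rewrite source -> virtual address and, for a DNS packet not matched by the drainage
 * list, destination -> domain name server address. Returns 0, or -1 if the set is full. */
int nat_translate_request(nat_module_t *m, packet_t *p) {
    nat_entry_t *e = find_entry(m, p->src_port, p->proto);
    for (size_t i = 0; e == NULL && i < NAT_TABLE_SIZE; i++)
        if (!m->table[i].used) e = &m->table[i];
    if (e == NULL) return -1;
    e->used = 1;
    e->key_port = p->src_port;
    e->proto = p->proto;
    e->real_src = p->src_addr;
    e->orig_dst = p->dst_addr;
    e->dst_rewritten = !in_drain_list(m, p->dst_addr) && is_dns_packet(p);
    p->src_addr = m->virtual_addr;
    if (e->dst_rewritten) p->dst_addr = m->dns_server_addr;
    return 0;
}

/* Response path: the response's destination port is the request's source port, so it is
 * the lookup key (with the protocol as discriminator). Restores the real destination
 * address and, for DNS packets, the original source address. Returns -1 if no mapping. */
int nat_translate_response(nat_module_t *m, packet_t *p) {
    nat_entry_t *e = find_entry(m, p->dst_port, p->proto);
    if (e == NULL || p->dst_addr != m->virtual_addr) return -1;
    p->dst_addr = e->real_src;
    if (e->dst_rewritten) p->src_addr = e->orig_dst;
    return 0;
}

int main(void) {
    uint32_t drain[] = { ip4(10, 0, 0, 5) }; /* constructed encryption drainage list */
    nat_module_t m;
    memset(&m, 0, sizeof m);
    m.virtual_addr = ip4(172, 16, 0, 2); m.dns_server_addr = ip4(10, 0, 0, 53);
    m.drain_list = drain; m.drain_count = 1;
    packet_t dns = { ip4(192, 168, 1, 10), ip4(8, 8, 8, 8), 50000, DNS_PORT, PROTO_UDP };
    if (filter_request(&m, &dns) == VERDICT_TUNNEL && nat_translate_request(&m, &dns) == 0)
        printf("DNS request rewritten: src 0x%08x dst 0x%08x\n", dns.src_addr, dns.dst_addr);
    return 0;
}
```

Two details matter for a defender reading this: the protocol discriminator is what lets a TCP flow and a UDP flow that happen to share a source port coexist in the set without one overwriting the other, and a response that carries no mapping (or is not addressed to the virtual address) is reported with -1 so the filtering module can release it untouched rather than rewriting a packet that never went through the tunnel.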
Example III
Fig. 3 is a schematic diagram of a resource access method according to a third embodiment of the present invention. As shown in fig. 3, the architecture of the resource access method may include a kernel mode and a user mode. The user mode may be a user mode program, whose file format is ".dll". The kernel mode may be a kernel mode driver, namely the kernel network driver layer, whose file format is ".sys". The user mode connects upward to the upper layer application and downward to the kernel mode, and the kernel mode connects downward to the WFP framework of the Windows operating system.
Optionally, the user mode may include an L3VPN control module, an L3VPN data interaction module, a policy setting module, and a data communication module. The L3VPN control module is configured in the user mode program dll and is used to exchange control information or configuration information with the L3VPN application. Specifically, the functions of the L3VPN control module may include starting, closing, setting the encryption drainage list, setting the DNS server address (i.e., domain name server address) required by the L3VPN, setting the virtual address allocated by the server, and the like. The L3VPN data interaction module is configured in the user mode program dll and is used to exchange address packet (namely IP packet) data with the L3VPN application; specifically, its functions may include address packet reading, address packet writing, and the like. The policy setting module is configured in the user mode program dll and is used to exchange control information or configuration information with the kernel mode driver: it sets the configuration information transmitted by the L3VPN control module in the kernel mode driver and returns the result. The data communication module is configured in the user mode program dll and is used to exchange address packet data with the kernel mode driver; specifically, its functions may include writing the address packets received by the L3VPN data interaction module into the kernel mode driver, forwarding the address packets read from the kernel mode driver to the L3VPN data interaction module, and so on.
Optionally, the kernel mode may include a policy receiving module, a data communication module, a network layer data filtering module, and a NAT conversion module (i.e., a network address translation module). The policy receiving module is configured in the kernel network driver layer sys; it receives the L3VPN-related configuration policy transmitted by the user mode program and returns a processing result. Its functions may include starting, closing, setting the encryption drainage list, setting the list of DNS server addresses required by the L3VPN, setting the virtual IP assigned by the server, and so on. The data communication module is configured in the kernel network driver layer and exchanges data packet information with the user mode data communication module. Its functions may include writing received address packets into the NAT conversion module and forwarding address packets read from the NAT conversion module to the user mode.
The network layer filtering module is configured in the kernel network driver layer sys. In the process of sending a request address packet, the network layer filtering module processes the request address packet as follows:
a. Monitor the request address packet in the resource access request sent by the upper layer application and obtain its five-tuple information. Match the destination address contained in the request address packet against the encryption drainage list; if it matches, intercept the request address packet and forward it to the kernel mode NAT conversion module; if it does not match, release it normally.
b. Monitor DNS-type request address packets sent by the operating system, detecting the communication protocol and the destination port; if the communication protocol is UDP and the destination port is 53, intercept the request address packet and forward it to the NAT conversion module; otherwise, release it normally.
In the process of receiving a response address packet, the network layer filtering module processes the response address packet as follows:
Acquire the response address packet received by the L3VPN application and passed on by the NAT conversion module, and inject it into the WFP driver layer, so that the response address packet is returned to the kernel network protocol stack of the operating system for processing.
The NAT conversion module is configured in the kernel network driver layer. In the process of sending a request address packet, the NAT conversion module processes the request address packet as follows:
Receive the request address packet transmitted by the network layer filtering module and modify its source address to the virtual address. If the received request address packet is of DNS type (i.e., a domain name server address packet), also modify its destination address to the DNS server address (i.e., domain name server address) required by the L3VPN. Then, taking the source port as the key and the source address and destination address as the value, and distinguishing the TCP protocol from the UDP protocol (i.e., the communication protocol), store the entry in the Map (i.e., the set of key-value pairs). Finally, send the modified request address packet to the data communication module.
In the process of receiving a response address packet, the NAT conversion module processes the response address packet as follows: parse the received response address packet to obtain its five-tuple information. Taking the destination port as the key and distinguishing the TCP protocol from the UDP protocol (i.e., the communication protocol), query the Map (i.e., the set of key-value pairs) to obtain the real destination address, and modify the destination address to the real destination address. If the received response address packet is of DNS type (i.e., a domain name server address packet), also modify the source address to the original source address. Then send the modified response address packet to the network layer filtering module.
The network layer filtering module is developed on the WFP framework, which provides an alternative to the scheme combining a virtual network card with system routing. Specifically:
As a precondition, the L3VPN application obtains the encryption drainage list and sets it into the WFP driver module; the L3VPN application obtains the DNS server IP required by the L3VPN and sets it into the WFP driver module; and the L3VPN application obtains the virtual address allocated by the server and sets it into the WFP driver module.
When the upper layer application sends data, the kernel mode WFP network layer filtering module intercepts the packet and obtains its five-tuple information; an IP packet whose destination address matches the drainage address list is intercepted and forwarded to the kernel mode NAT conversion module, and other request address packets are released normally. The kernel mode NAT conversion module modifies the source address of the request address packet to the virtual address, takes the source port as the key and the source address as the value, distinguishes the communication protocol, and stores the entry in the key-value pair set. The packet is then sent to the user interface of the drainage module and further forwarded to the L3VPN application for subsequent secure tunnel encapsulation and transmission.
When the upper layer application receives data, the L3VPN application obtains the response address packet returned through the secure tunnel and writes it into the user interface of the drainage module, which forwards it to the kernel mode NAT conversion module. The NAT module parses the response address packet to obtain its five-tuple information, takes the destination port as the key, distinguishes the communication protocol, and queries the key-value pair set to obtain the real destination address. It modifies the destination address to the real destination address and sends the modified response address packet to the kernel mode WFP network layer filtering module. The kernel mode WFP network layer filtering module re-injects the response address packet into the kernel network protocol stack of the operating system; the upper layer application receives the data and executes its own processing flow.
In this scheme, the original L3VPN system is changed only slightly: the network layer filtering module, the first subsequent module and the second subsequent module are newly added under the WFP framework, which completes the replacement of the resource access scheme combining a virtual network card with system routing and balances the security and the development efficiency of the resource access process.
Fig. 4 is a flowchart of a resource access method according to a third embodiment of the present invention. Referring to fig. 4, the resource access method is applied to a VPN gateway, and includes:
S401, an application end (such as a browser) sends a resource access request, and the kernel mode network layer filtering module parses the request address packet contained in the resource access request to obtain the five-tuple information of the request address packet.
The port range of the operating system is 0-65535. IP address rules may include IPv4 and IPv6. Illustratively, an IPv4 rule may be "192.168.1.1" or "192.168.1.0/24", and an IPv6 rule may be "2001:DB8:0:0:8:800:200C:417A", "2001:DB8:8:200C:417A" (compressed), or "234e:0:4567:3d/64". The kernel mode network layer filtering module can monitor request address packets through the FWPM_LAYER_OUTBOUND_TRANSPORT_V4 / FWPM_LAYER_OUTBOUND_TRANSPORT_V6 layers of the WFP framework and thereby obtain the five-tuple information of the request address packet.
S402, the kernel mode network layer filtering module matches the destination address of the request address packet against the encryption drainage list to detect whether the destination address exists in the L3VPN encryption drainage list; if so, it intercepts the request address packet and forwards it to the kernel mode NAT conversion module; if not, it releases the packet normally.
S403, the kernel mode network layer filtering module monitors and detects the type of the request address packet; if the request address packet is a domain name server address packet, it intercepts the request address packet and forwards it to the kernel mode NAT conversion module; if not, it releases the packet normally.
Here, a domain name server address packet is one whose communication protocol is UDP and whose destination port is 53.
S404, the kernel mode NAT conversion module receives the request address packet transmitted by the kernel mode network layer filtering module and modifies the source address of the request address packet to the allocated virtual address; if the received request address packet is a domain name server address packet, it also modifies the destination address of the request address packet to the DNS server address required by the L3VPN. It then stores an entry in the key-value pair set, taking the source port as the key, the source address and destination address as the value, and the communication protocol as the distinguishing identifier, and sends the modified request address packet to the kernel mode data communication module.
S405, the kernel mode data communication module transmits the received request address packet to the user mode data communication module.
S406, the user mode data communication module transmits the received request address packet data to the user mode L3VPN data interaction module.
S407, the user mode L3VPN data interaction module acquires the request address packet data and transmits it to the L3VPN application.
S408, after the L3VPN application performs the subsequent secure tunnel encapsulation, the request address packet is sent to the L3VPN server and the normal L3VPN sending flow is executed.
Fig. 5 is a flowchart of a resource access method according to a third embodiment of the present invention. Referring to fig. 5, the resource access method is applied to a VPN gateway, and includes:
S501, after the L3VPN application obtains a response address packet fed back by the L3VPN server through the private encryption protocol, it forwards the response address packet to the L3VPN data interaction module.
S502, the L3VPN data interaction module transmits the received response address packet data to the user mode data communication module.
S503, the user mode data communication module transmits the received response address packet data to the kernel mode data communication module.
S504, the kernel mode data communication module transmits the received response address packet data to the kernel mode NAT conversion module.
S505, the kernel mode NAT conversion module parses the received response address packet to obtain its five-tuple information, takes the destination port as the key, distinguishes the communication protocol, queries the key-value pair set to obtain the real destination address, and modifies the destination address to the real destination address. If the received response address packet is a domain name server address packet, the source address also needs to be modified to the original source address. The modified response address packet is then sent to the kernel mode network layer filtering module.
S506, the kernel mode network layer filtering module injects the received response address packet into the WFP driver layer, so that it is returned to the kernel network protocol stack of the operating system for processing.
S507, the application end (such as a browser) displays the content of the received response address packet and performs subsequent operations.
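The filter decision and the NAT key-value pair set described for Fig. 3 and walked through in S401-S408 and S501-S507, as an added user-space Python model that is not the patent's driver code. It assumes a packet is represented by its five-tuple only, uses a constructed policy (the IPv6 host entry is the example address quoted under S401), and assumes the reading that the stored request source address becomes the response's real destination address while, for a DNS reply, the stored request destination address becomes the restored original source address.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

DNS_PORT = 53  # S403: a domain name server address packet is UDP to port 53


@dataclass(frozen=True)
class Packet:
    """Constructed five-tuple view of an IP packet; the payload is omitted."""
    proto: str  # "TCP" or "UDP"
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int


@dataclass
class Policy:
    """Configuration the L3VPN application sets into the driver (premise of Fig. 3)."""
    drainage_list: List[str]  # IPv4/IPv6 hosts or CIDR prefixes, as in S401
    l3vpn_dns: str            # DNS server address required by the L3VPN
    virtual_addr: str         # virtual address allocated by the L3VPN server


def in_drainage_list(addr: str, drainage_list: List[str]) -> bool:
    """Match a destination against host entries and prefixes of either IP version."""
    ip = ipaddress.ip_address(addr)
    for entry in drainage_list:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


def is_dns_request(pkt: Packet) -> bool:
    return pkt.proto == "UDP" and pkt.dst_port == DNS_PORT


def filter_outbound(pkt: Packet, policy: Policy) -> str:
    """Network layer filtering module decision for a request packet (S402, S403)."""
    if in_drainage_list(pkt.dst_addr, policy.drainage_list) or is_dns_request(pkt):
        return "divert"  # intercept and forward to the NAT conversion module
    return "pass"        # release normally towards the physical gateway


class NatTranslator:
    """NAT conversion module holding the key-value pair set of S404 and S505.
    Key: (communication protocol, port); value: (source address, destination
    address) of the request, so TCP and UDP flows on one port number never collide."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.table: Dict[Tuple[str, int], Tuple[str, str]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """S404: record the flow, then rewrite the source (and the DNS destination)."""
        self.table[(pkt.proto, pkt.src_port)] = (pkt.src_addr, pkt.dst_addr)
        dst = self.policy.l3vpn_dns if is_dns_request(pkt) else pkt.dst_addr
        return replace(pkt, src_addr=self.policy.virtual_addr, dst_addr=dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """S505: look up by destination port and protocol; drop unknown responses."""
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # nothing recorded for this flow: do not guess a destination
        orig_src, orig_dst = entry
        # Interpretation assumed here: the "real destination address" of a response
        # is the request's source address, and for a DNS reply the "original source
        # address" is the DNS server the application first queried.
        new_src = orig_dst if (pkt.proto == "UDP" and pkt.src_port == DNS_PORT) else pkt.src_addr
        return replace(pkt, dst_addr=orig_src, src_addr=new_src)


def round_trip(policy: Policy, request: Packet):
    """Filter one request, NAT it, and translate the mirrored reply from the tunnel.
    Returns (decision, packet handed to the tunnel, packet re-injected into the
    protocol stack); the last two are None when the request is passed through."""
    decision = filter_outbound(request, policy)
    if decision == "pass":
        return decision, None, None
    nat = NatTranslator(policy)
    sent = nat.outbound(request)
    # Constructed reply from the far end: addresses and ports mirrored.
    reply = Packet(sent.proto, sent.dst_addr, sent.dst_port, sent.src_addr, sent.src_port)
    return decision, sent, nat.inbound(reply)


# Constructed policy; the IPv6 host entry is the example address quoted under S401.
POLICY = Policy(
    drainage_list=["10.10.0.0/16", "2001:DB8:0:0:8:800:200C:417A"],
    l3vpn_dns="10.10.0.53",
    virtual_addr="172.31.255.2",
)
```

A response whose (protocol, destination port) has no entry in the set is dropped rather than forwarded, which is the check a driver needs so that unsolicited tunnel traffic cannot be injected into the local protocol stack.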
This scheme replaces the resource access mode that combines a virtual network card with system routing. It uses a WFP driver, which is less difficult to develop than an NDIS driver and easier to fix, thereby improving the development efficiency and practicality of the security gateway based resource access method. At the same time, because the network layer filtering module is configured in the kernel mode of the operating system, its routing information configuration is also kept in kernel mode, where it cannot be modified by third-party software; the risk of the routing information being tampered with is thus avoided, and the stability of security gateway based resource access is improved. In addition, the technical scheme of this embodiment does not construct a virtual network card, so a network sniffing tool has no virtual network card of the local operating system to capture packets from and cannot perform subsequent analysis and attacks; the attack risk from network sniffing tools is avoided, and the security of the security gateway based resource access process is improved. Only a slight change to the original L3VPN system is needed: the network layer filtering module, the first subsequent module and the second subsequent module are newly added under the WFP framework, completing the replacement of the resource access scheme combining a virtual network card with system routing while balancing security and development efficiency.
Example IV
Fig. 6 is a schematic structural diagram of a resource access device according to a fourth embodiment of the present invention. The embodiment of the invention is applicable to the condition of accessing the resource, the device can execute the resource access method, the device can be realized in the form of hardware and/or software, and the device can be configured in the electronic equipment carrying the resource access function.
The resource access device shown in fig. 6 comprises a network layer filtering module 610 and a network address translation module 620. The network layer filtering module 610 is configured to obtain a resource access request and parse the request address packet included in the resource access request to obtain the source address and destination address included in the request address packet; to obtain a drainage list and detect whether the destination address of the request address packet exists in the drainage list; and to intercept the request address packet and forward it to the network address translation module when the destination address of the request address packet exists in the drainage list. The network address translation module 620 is configured to modify the source address included in the request address packet into a virtual address, and to send the modified request address packet to the first subsequent module, so that the application server responds to the resource access request.
In this technical scheme, the network layer filtering module obtains a resource access request and parses the request address packet contained in it to obtain the source address and destination address contained in the request address packet. The network layer filtering module obtains the encryption drainage list, detects whether the destination address of the request address packet exists in the encryption drainage list, and, when it does, intercepts the request address packet and forwards it to the network address translation module. The network address translation module modifies the source address contained in the request address packet into a virtual address and sends the modified request address packet to the first subsequent module, so that the application server responds to the resource access request. This replaces the resource access mode combining a virtual network card with system routing.
At the same time, because the network layer filtering module is configured in the kernel mode of the operating system, its routing information configuration is also kept in kernel mode, where it cannot be modified by third-party software; the risk of the routing information being tampered with is thus avoided, and the stability of security gateway based resource access is improved. In addition, the technical scheme of this embodiment does not construct a virtual network card, so a network sniffing tool fundamentally cannot capture packets from a virtual network card of the local operating system and cannot perform subsequent analysis and attacks; the attack risk from network sniffing tools is avoided, and the security of the security gateway based resource access process is improved.
In an alternative embodiment of the invention, the apparatus further comprises: the network layer filtering module 610 is configured to detect a type of a request address packet when the destination address does not exist in the encrypted drainage list after acquiring the encrypted drainage list and detecting whether the destination address of the request address packet exists in the encrypted drainage list; the network layer filtering module 610 is configured to intercept the request address packet and forward the request address packet to the network address conversion module when the type of the request address packet is a domain name server address packet; a network address conversion module 620, configured to modify a source address included in the request address packet into a virtual address, and modify a destination address included in the request address packet into a domain name server address; the network address conversion module 620 is configured to send the modified request address packet to the first subsequent module, so as to implement the response of the application server to the resource access request.
In an alternative embodiment of the invention, the apparatus further comprises: the network address conversion module 620 is configured to receive a response address packet fed back by the first subsequent module after sending the modified request address packet to the first subsequent module, and parse the response address packet to obtain a source address and a destination address included in the response address packet; the network address conversion module 620 is configured to modify a destination address included in the response address packet into a real destination address, modify a source address into an original source address, and send the modified response address packet to the network layer filtering module; the network layer filtering module 610 is configured to send the modified response address packet to the second subsequent module, so as to implement resource access of the application server by the application end.
In an alternative embodiment of the present invention, the network layer filtering module 610 is specifically configured to parse the request address packet contained in the resource access request to obtain the source port, source address, destination address and communication protocol contained in the request address packet; the network address translation module 620 is further configured to store, when the modified request address packet is sent onward, an entry in a key-value pair set taking the source port as the key, the source address and destination address as the value, and the communication protocol as the distinguishing identifier; the network layer filtering module 610 is specifically configured to parse the response address packet to obtain the source address, destination port, destination address and communication protocol contained in the response address packet; and the network address translation module 620 is further configured to, before modifying the destination address contained in the response address packet into the real destination address and the source address into the original source address, query the key-value pair set with the destination port contained in the response address packet as the key and the communication protocol as the distinguishing identifier, so as to obtain the real destination address and the original source address.
In an alternative embodiment of the present invention, the network layer filtering module 610 is further configured to: after the type of the request address packet is detected, when the type of the request address packet is a non-domain name server address packet, the request address packet is released, and the request address packet is sent to the physical gateway, so that the physical gateway processes the request address packet and sends the request address packet to the application server, and the application server responds to the resource access request.
In an alternative embodiment of the invention, the apparatus further comprises: the network address conversion module 620 is configured to receive a response address packet fed back by the first subsequent module after sending the modified request address packet to the first subsequent module, and parse the response address packet to obtain a source address and a destination address included in the response address packet; the network address conversion module 620 is configured to modify a destination address included in the response address packet into a real destination address, and send the modified response address packet to the network layer filtering module; the network layer filtering module 610 is configured to send the modified response address packet to the second subsequent module, so as to implement resource access of the application server by the application end.
In an alternative embodiment of the invention, the security gateway comprises a VPN gateway or an SDP gateway.
The resource access device provided by the embodiment of the invention can execute the resource access method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
In the technical scheme of the embodiment of the invention, the acquisition, storage and application of the resource access request, the encryption drainage list and the like all comply with the relevant laws and regulations and do not violate public order and good customs.
Example V
Fig. 7 shows a schematic diagram of an electronic device 700 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic equipment may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 7, the electronic device 700 includes at least one processor 701, and a memory, such as a Read Only Memory (ROM) 702, a Random Access Memory (RAM) 703, etc., communicatively connected to the at least one processor 701, in which the memory stores a computer program executable by the at least one processor, and the processor 701 may perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM) 702 or the computer program loaded from the storage unit 708 into the Random Access Memory (RAM) 703. In the RAM 703, various programs and data required for the operation of the electronic device 700 may also be stored. The processor 701, the ROM 702, and the RAM 703 are connected to each other through a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
Various components in the electronic device 700 are connected to the I/O interface 705, including: an input unit 706 such as a keyboard, a mouse, etc.; an output unit 707 such as various types of displays, speakers, and the like; a storage unit 708 such as a magnetic disk, an optical disk, or the like; and a communication unit 709 such as a network card, modem, wireless communication transceiver, etc. The communication unit 709 allows the electronic device 700 to exchange information/data with other devices through a computer network, such as the internet, and/or various telecommunication networks.
The processor 701 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 701 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, Digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 701 performs the various methods and processes described above, such as the resource access method.
In some embodiments, the resource access method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as storage unit 708. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 700 via the ROM 702 and/or the communication unit 709. When a computer program is loaded into RAM 703 and executed by processor 701, one or more steps of the resource access method described above may be performed. Alternatively, in other embodiments, processor 701 may be configured to perform the resource access method by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described above can be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. A client and a server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, which is a host product in a cloud computing service system and overcomes the defects of high management difficulty and weak service scalability in traditional physical hosts and VPS (Virtual Private Server) services.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (10)

1. A method for accessing resources, applied to a security gateway, comprising:
acquiring a resource access request through a network layer filtering module, and analyzing a request address packet contained in the resource access request to obtain a source address and a destination address contained in the request address packet;
acquiring an encryption drainage list through the network layer filtering module, and detecting whether a destination address of the request address packet exists in the encryption drainage list;
intercepting the request address packet and forwarding the request address packet to a network address conversion module when the destination address of the request address packet exists in the encryption drainage list through the network layer filtering module;
modifying a source address contained in the request address packet into a virtual address through the network address conversion module;
and sending the modified request address packet to a first subsequent module through the network address conversion module, so as to realize that the application server responds to the resource access request.
2. The method of claim 1, further comprising, after said obtaining, by said network layer filtering module, an encryption drainage list and detecting whether a destination address of said request address packet exists in said encryption drainage list:
detecting the type of the request address packet when the destination address does not exist in the encryption drainage list through the network layer filtering module;
intercepting the request address packet when the type of the request address packet is a domain name server address packet through the network layer filtering module, and forwarding the request address packet to the network address conversion module;
modifying a source address contained in the request address packet into a virtual address and modifying a destination address contained in the request address packet into a domain name server address through the network address conversion module;
and sending the modified request address packet to a first subsequent module through the network address conversion module, so as to realize that the application server responds to the resource access request.
3. The method of claim 2, further comprising, after said sending the modified request address packet to the first subsequent module:
receiving a response address packet fed back by the first subsequent module through the network address conversion module, and analyzing the response address packet to obtain a source address and a destination address contained in the response address packet;
modifying a destination address contained in the response address packet into a real destination address through the network address conversion module, modifying the source address into an original source address, and sending the modified response address packet to the network layer filtering module;
and sending the modified response address packet to a second subsequent module through the network layer filtering module, so as to realize the resource access of the application end to the application server.
4. A method according to claim 3, wherein said analyzing a request address packet contained in the resource access request to obtain a source address and a destination address contained in the request address packet comprises:
resolving a request address packet contained in the resource access request to obtain a source port, a source address, a destination address and a communication protocol contained in the request address packet;
and, at the same time as said sending the modified response address packet to the network layer filtering module, the method further comprises:
the network address conversion module takes the source port as a key, takes the source address and the destination address as values, uses the communication protocol as a distinguishing identifier, and stores the key, the values and the distinguishing identifier into a key-value pair set;
the step of resolving the response address packet to obtain a source address and a destination address contained in the response address packet includes:
analyzing the response address packet to obtain a source address, a destination port, a destination address and a communication protocol contained in the response address packet;
before the network address conversion module modifies the destination address contained in the response address packet into a real destination address and modifies the source address into an original source address, the method further comprises:
the network address conversion module queries the key-value pair set, taking the destination port contained in the response address packet as a key and the communication protocol as a distinguishing identifier, to obtain the real destination address and the original source address.
5. The method of claim 2, further comprising, after said detecting the type of the request address packet:
and when the type of the request address packet is a non-domain name server address packet, releasing the request address packet, and sending the request address packet to a physical gateway so that the physical gateway processes the request address packet and sends the request address packet to an application server to realize that the application server responds to the resource access request.
6. The method of claim 1, further comprising, after said sending the modified request address packet to the first subsequent module:
receiving a response address packet fed back by the first subsequent module through the network address conversion module, and analyzing the response address packet to obtain a source address and a destination address contained in the response address packet;
modifying a destination address contained in the response address packet into a real destination address through the network address conversion module, and sending the modified response address packet to the network layer filtering module;
and sending the modified response address packet to a second subsequent module through the network layer filtering module, so as to realize the resource access of the application end to the application server.
7. The method of claim 1, wherein the security gateway comprises a VPN gateway or an SDP gateway.
8. A resource access device, for use in a security gateway, comprising:
the network layer filtering module is used for acquiring a resource access request, and resolving a request address packet contained in the resource access request to obtain a source address and a destination address contained in the request address packet;
the network layer filtering module is used for acquiring a drainage list and detecting whether a destination address of the request address packet exists in the drainage list;
the network layer filtering module is used for intercepting the request address packet and forwarding the request address packet to the network address conversion module when the destination address of the request address packet exists in the drainage list;
the network address conversion module is used for modifying the source address contained in the request address packet into a virtual address;
the network address conversion module is used for sending the modified request address packet to the first subsequent module, so that the application server can respond to the resource access request.
9. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the resource access method of any one of claims 1-7.
10. A computer readable storage medium storing computer instructions for causing a processor to implement the resource access method of any one of claims 1-7 when executed.
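The packet flow of claims 1 to 6 can be modelled end to end: the network layer filtering module decides, from the encryption drainage list and the packet type, whether a request is steered into the tunnel (first subsequent module) or released to the physical gateway; the network address conversion module rewrites the source address to a virtual address (and, for DNS packets, the destination to the gateway's DNS server), records the flow in a key-value set keyed by source port and protocol (claim 4), and restores the original addresses on the response before it goes to the second subsequent module. The following Python model is an added example written for this page; it is not code from the patent or its assignee. The class and method names, the addresses (all from documentation ranges), the `kind` field used to mark DNS packets, and the decision to drop a response with no matching table entry are assumptions made for the demonstration.

```python
"""Model of the security-gateway request/response flow described in claims 1-6.

Added example, not the patent's own code. Addresses, module names and the
packet representation are constructed for the demo.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

VIRTUAL_ADDRESS = "10.8.0.1"       # assumed virtual (tunnel-side) source address
GATEWAY_DNS_ADDRESS = "10.8.0.53"  # assumed DNS server the gateway redirects to


@dataclass(frozen=True)
class Packet:
    """Minimal address packet: the fields claim 4 says the modules parse."""
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    proto: str          # communication protocol, e.g. "tcp" / "udp"
    kind: str = "data"  # "dns" marks a domain-name-server address packet


class NetworkAddressConversionModule:
    """Rewrites addresses and keeps the key-value set of claim 4."""

    def __init__(self) -> None:
        # key: (protocol, source port) -> (original source, real destination, was_dns)
        self.table: Dict[Tuple[str, int], Tuple[str, str, bool]] = {}

    def outbound(self, pkt: Packet, dns: bool = False) -> Packet:
        # Claim 4: record the flow before rewriting so the response can be restored.
        # Keyed only by (protocol, source port); a colliding entry is overwritten.
        self.table[(pkt.proto, pkt.src_port)] = (pkt.src_addr, pkt.dst_addr, dns)
        new = replace(pkt, src_addr=VIRTUAL_ADDRESS)           # claim 1
        if dns:                                                # claim 2
            new = replace(new, dst_addr=GATEWAY_DNS_ADDRESS)
        return new

    def inbound(self, resp: Packet) -> Optional[Packet]:
        # Claim 4: look up by destination port + protocol of the response.
        entry = self.table.get((resp.proto, resp.dst_port))
        if entry is None:
            return None  # assumption: unmatched responses are not forwarded
        orig_src, real_dst, was_dns = entry
        new = replace(resp, dst_addr=orig_src)                 # claims 3 and 6
        if was_dns:                                            # claim 3 only
            new = replace(new, src_addr=real_dst)
        return new


class NetworkLayerFilteringModule:
    """Decides steering from the encryption drainage list and packet type."""

    def __init__(self, drainage_list, nat: NetworkAddressConversionModule) -> None:
        self.drainage = set(drainage_list)
        self.nat = nat

    def handle_request(self, pkt: Packet) -> Tuple[str, Packet]:
        """Returns ('tunnel', packet) for the first subsequent module or
        ('physical', packet) when released to the physical gateway."""
        if pkt.dst_addr in self.drainage:          # claim 1: destination is listed
            return "tunnel", self.nat.outbound(pkt)
        if pkt.kind == "dns":                      # claim 2: DNS packet, not listed
            return "tunnel", self.nat.outbound(pkt, dns=True)
        return "physical", pkt                     # claim 5: release unchanged

    def handle_response(self, resp: Packet) -> Optional[Packet]:
        """Restores addresses and hands the packet to the second subsequent module."""
        return self.nat.inbound(resp)


def demo() -> dict:
    """Runs the three request paths and two responses on constructed packets."""
    nat = NetworkAddressConversionModule()
    flt = NetworkLayerFilteringModule(["203.0.113.10"], nat)
    client = "192.168.1.5"
    out = {}
    out["steered"] = flt.handle_request(Packet(client, 40000, "203.0.113.10", 443, "tcp"))
    out["dns"] = flt.handle_request(Packet(client, 40001, "198.51.100.53", 53, "udp", kind="dns"))
    out["released"] = flt.handle_request(Packet(client, 40002, "198.51.100.7", 80, "tcp"))
    out["steered_resp"] = flt.handle_response(Packet("203.0.113.10", 443, VIRTUAL_ADDRESS, 40000, "tcp"))
    out["dns_resp"] = flt.handle_response(Packet(GATEWAY_DNS_ADDRESS, 53, VIRTUAL_ADDRESS, 40001, "udp", kind="dns"))
    out["unknown_resp"] = flt.handle_response(Packet("203.0.113.10", 443, VIRTUAL_ADDRESS, 50000, "tcp"))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two design points follow from the claims as modelled here. The DNS path (claims 2 and 3) rewrites both addresses on the way out and so must restore both on the way back, whereas the listed-destination path (claims 1 and 6) only rewrites the source and only restores the destination. And because the key-value set of claim 4 is keyed by protocol and source port alone, the model assumes source ports are unique among the flows the gateway sees; an operator deploying such a gateway in front of many clients would want a richer key, which the claims do not specify.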
CN202311346295.3A 2023-10-17 2023-10-17 Resource access method, device, electronic equipment and storage medium Pending CN117336269A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311346295.3A CN117336269A (en) 2023-10-17 2023-10-17 Resource access method, device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117336269A true CN117336269A (en) 2024-01-02

Family

ID=89295129

Country Status (1)

Country Link
CN (1) CN117336269A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination