CN117478392A - Software-defined boundary implementation method and system using client APP to scan QR codes - Google Patents
- Publication number: CN117478392A (application CN202311465038.1A)
- Authority: CN (China)
- Legal status: Pending
Classifications
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/0435—Confidential data exchange where the payload is protected and the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
- H04L63/0807—Authentication of entities using tickets, e.g. Kerberos
- H04L63/101—Access control lists [ACL]
- H04L63/1408—Detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/306—Lawful interception, monitoring or retaining of communications, intercepting packet switched data communications, e.g. Web, Internet or IMS communications
- H04L9/40—Network security protocols
Description
Technical field
The present invention relates to the technical field of secure data transmission, and specifically to a software-defined perimeter implementation method and system in which a client APP scans a QR code.
Background
A software-defined perimeter (SDP) is a network security architecture for providing secure access and connectivity for cloud environments and mobile devices. Its main goal is to protect network resources and applications from external attacks while offering more flexible, scalable and customizable security.
SDP implements a "zero trust" security model that allows only authenticated users and devices to connect to network resources. In an SDP architecture, network resources and applications are invisible; only authorized users and devices can reach them. SDP also provides further security functions such as dynamic access control, encrypted communication and threat detection.
SDP is an innovative network security solution proposed by the Cloud Security Alliance (CSA). It controls a user's access to resources according to the user's identity, protecting targets by hiding them rather than by defending them. The core idea is to create an identity- and context-based logical access boundary around an application or a group of applications: applications protected by SDP are hidden and cannot be discovered or accessed directly, and access is restricted to a designated set of entities through a trust broker or device. Every entity must pass single packet authentication (SPA) before it is allowed to connect. Because the application resources are hidden, an attacker cannot see the target in cyberspace and therefore cannot attack it; the broker or device verifies the designated visitor's identity, context and policy compliance to protect the application resources, which significantly reduces the attack surface.
The architecture of a traditional SDP is shown in Figure 1:
(1) The SDP controller establishes and maintains the access rules between clients and the protected application services and pushes policies to authorized clients and services. The access rules contain keys and policies; they are generated dynamically and are valid for a single use only;
(2) The SDP gateway controls and maintains network access between clients and the protected application services;
(3) The SDP client initiates SPA authentication; once authenticated, it establishes a connection with the SDP gateway and communicates normally with the protected application service.
With this form of access control, an unauthorized user's network access is blocked and rejected already at the TCP three-way handshake stage, so no network connection can be established. Through a single access-control mechanism, the traditional SDP architecture shields the protected application services completely from unauthorized users; it can withstand DDoS denial-of-service attacks, APT attacks, vulnerability exploitation, scanning and probing, and so on, effectively reducing the network's exposed surface.
However, the SDP client is available only as an executable client program: a user must install the corresponding client program on a computer before the SDP service can be used. Second, the SDP gateway is deployed in-line at a single point in the network as the unified traffic entrance for the protected application services and forwards all network traffic, which puts it under considerable performance pressure; if it goes down, none of the application services it protects can be reached. Further, the SDP controller acts as the SPA control center, and both the clients and the protected application services need a network connection to it, so the controller must be exposed to the Internet and is vulnerable to attack; once compromised it can authorize arbitrary users, threatening the security of the protected application services, and if it is maliciously shut down the protected application services can no longer be accessed normally. Moreover, because of its in-line deployment, the SDP gateway can only defend against attacks from external networks and cannot effectively defend against attacks originating from the internal network.
Summary of the invention
In view of the shortcomings of the prior art, the present invention aims to provide a software-defined perimeter implementation method and system in which a client APP scans a QR code.
To achieve the above object, the present invention adopts the following technical solution:
A software-defined perimeter implementation method using a client APP to scan a QR code comprises the following steps:
(1) In the SDP system, generate dedicated registration information for each protected application service; the dedicated registration information includes the service IP, service port, SPA authentication port, service binding verification code, validity period of a single authentication, a public/private key pair and a symmetric encryption key;
(2) The user accesses the protected target application service through a browser;
(3) The SDP system detects the unauthenticated user browser's access traffic, intercepts the access, and returns to the user's browser a QR code generated for the accessed service;
(4) The user installs the client APP on a mobile device; the client APP obtains the service authentication information, including the SPA authentication port, the service binding verification code and the public key;
(5) The user scans the QR code loaded in the browser in step (3) with the client APP;
(6) The client APP parses the information in the QR code, constructs an authentication token using the service binding verification code obtained in step (4), and sends an SPA single-packet authentication packet containing the authentication token to the target application service;
(7) The SDP system monitors traffic in real time; when it detects an SPA single-packet authentication packet, SPA authentication is passed if the packet can be parsed successfully and the authentication token passes verification;
(8) After SPA single-packet authentication is passed, the SDP system binds the accessing user's IP to the service IP and service port of the target application service, adds the pair (user IP, target application service) to the whitelist, completes the SPA authentication process and authorizes the user; in subsequent network traffic monitoring, when it detects that the IP of a currently authorized user is accessing the protected application service, it lets the access packets through to the target application service.
Further, in the above method, for browser access traffic from a user who has not passed SPA single-packet authentication: when the SDP system detects that such a browser attempts to establish a connection with the target application service by performing a TCP three-way handshake, it sends reset packets simultaneously to both the unauthenticated user's browser and the target application service, breaking the network connection.
Further, in step (1), the process of generating the dedicated registration information for a protected application service in the SDP system is:
1) Create the protected application service in the SDP system and enter the service name, service IP, service port, SPA authentication port, service binding verification code and single-authentication validity period;
2) Generate an asymmetric public/private key pair and a symmetric encryption key for the protected application service. The public key is passed to the client APP for storage and is used by the client APP to generate authentication tokens; the private key is kept by the SDP system and used to decrypt received authentication tokens to obtain their plaintext. Both the SDP system and the client APP store the symmetric encryption key: the SDP system generates unique verification data and encrypts it with the symmetric algorithm, and the client APP decrypts it with the symmetric algorithm to obtain the verification data and confirm that the QR code is genuine;
3) Once the protected application service's information has been entered, the SDP system begins listening for all SPA single-packet authentication packets sent to the protected application service's service IP and SPA authentication port.
Further, in step (4), the user obtains the service IP, service port, public key, service binding verification code and SPA authentication port from the SDP system administrator, either offline or online; the client APP cannot be used until it has obtained this information.
Further, in step (6), after the client APP has computed the authentication token with its built-in token algorithm, it assembles the token into an SPA single-packet authentication packet and sends that packet to the protected application service's service IP and SPA authentication port.
Further, the authentication token is ciphertext encrypted by the client APP with the public key; its content comprises a timestamp, the service binding verification code and the verification data.
Further, in step (7), the specific process by which the SDP system verifies the authentication token is:
When the SDP system observes an SPA single-packet authentication packet in the network traffic, it filters the packet by matching it against the service IPs and corresponding SPA authentication ports in its configuration list, extracts the authentication token from the matched packet, and determines which public/private key pair was used;
The SDP system then decrypts the authentication token with the private key. If decryption fails, the current SPA packet is discarded. If it succeeds, the token plaintext is obtained and the verification data, service binding verification code and timestamp in the token are checked further: if the verification data is incorrect, or the service binding verification code is incorrect, or the difference between the token timestamp and the system's current timestamp is greater than or equal to a preset threshold, the check fails; otherwise it passes.
Further, in step (8), after successful authentication the user's browser can access the protected application service normally; the SDP system keeps monitoring the traffic, lets through requests from that browser's IP to the protected application service, and data is exchanged normally. Once the single-authentication validity period has elapsed, the whitelist pair of the user's browser and the target application service expires, the SDP system blocks access from the browser's IP, and the user must scan the code again with the client APP and repeat SPA single-packet authentication.
The present invention also provides a system implementing the above method, comprising an SDP system, a switch, an application service, a user browser and a client APP; the SDP system, application service, user browser and client APP interact through the switch;
The SDP system generates dedicated registration information for the protected application services, monitors access requests from unauthenticated user browsers to the protected application services, authenticates and authorizes unauthenticated user browsers according to steps (3), (7) and (8) of the above method, allows access by authorized user browsers to the protected application services, and blocks access by unauthorized user browsers;
The client APP is installed on the user's mobile device and performs steps (4) to (6) of the above method, completing the authentication of the user's browser through interaction with the SDP system.
The beneficial effects of the present invention are that only the SDP system needs to be deployed, and the SPA single-packet authentication business logic is realized through a specific authentication flow, which has the following advantages:
(1) By scanning a code with the dedicated client APP, the user quickly completes SPA authentication and can then conveniently access the protected application service through the browser, without installing any client program on the computer;
(2) The SDP system is deployed out-of-band (bypass), receiving mirrored switch traffic without forwarding any data, which gives strong performance; it monitors only the mirrored traffic that concerns protected application services and blocks unauthenticated traffic. This effectively resolves the performance problem of single-point deployment and the problem of legitimate access being intercepted by mistake, and avoids a single point of failure making every application service protected by the SDP system unreachable;
(3) In the present invention, the control end of the SDP system need not establish a pre-connection with clients and therefore need not be exposed to the Internet, which avoids it being compromised and then authorizing arbitrary users;
(4) The SDP system can mirror not only traffic from the external network to the internal network, defending the internal network against external access, but also traffic from the internal network to the internal network, providing the SDP function when internal users access internal applications; this protects internal services and effectively resists internal attacks;
(5) The SDP system only needs to be attached in parallel to the switch and receive mirrored traffic to provide its protection; it does not change the user's network structure or require modification of the protected application services, enabling transparent deployment.
Description of the drawings
Figure 1 is the architecture diagram of a traditional SDP;
Figure 2 is a flow chart of the method of Embodiment 1 of the present invention;
Figure 3 is a flow chart of the method of Embodiment 2 of the present invention;
Figure 4 is an architecture diagram of the method of Embodiment 3 of the present invention;
Figure 5 is a flow chart of the method of Embodiment 3 of the present invention.
Detailed description
The present invention is further described below with reference to the accompanying drawings. It should be noted that the embodiments take the technical solution as their premise and give detailed implementations and specific operating processes, but the protection scope of the present invention is not limited to these embodiments.
Embodiment 1
This embodiment provides a software-defined perimeter implementation method using a client APP to scan a QR code. The SDP system protects applications and services and makes them invisible; the user performs authorization and authentication, and after the SDP system has confirmed the requester's legitimate identity it authorizes access to the applications and services. As shown in Figure 2, the method comprises the following steps:
(1) In the SDP system, generate dedicated registration information for each protected application service; the dedicated registration information includes the service IP, service port, SPA authentication port, service binding verification code, validity period of a single authentication, a public/private key pair and a symmetric encryption key. In this embodiment, the SDP system is an integrated hardware appliance attached in parallel (bypass) to the switch and receives mirrored traffic.
(2) The user accesses the protected target application service through a browser.
(3) The SDP system detects the unauthenticated user browser's access traffic, intercepts the access, and returns to the user's browser a QR code generated for the accessed service.
(4) The user installs the client APP on a mobile device; the client APP obtains the service authentication information, including the SPA authentication port, the service binding verification code and the public key.
(5) The user scans the QR code loaded in the browser in step (3) with the client APP.
(6) The client APP parses the information in the QR code, constructs an authentication token using the service binding verification code obtained in step (4), and sends an SPA single-packet authentication packet containing the authentication token to the target application service.
(7) The SDP system monitors traffic in real time; when it detects an SPA single-packet authentication packet, SPA authentication is passed if the packet can be parsed successfully and the authentication token passes verification.
(8) After SPA single-packet authentication is passed, the SDP system binds the accessing user's IP to the service IP and service port of the target application service, adds the pair (user IP, target application service) to the whitelist, completes the SPA authentication process and authorizes the user; in subsequent network traffic monitoring, when it detects that the IP of a currently authorized user is accessing the protected application service, it lets the access packets through to the target application service.
For browser access traffic from a user who has not passed SPA single-packet authentication: when the SDP system detects that such a browser attempts to establish a connection with the target application service by performing a TCP three-way handshake, it sends reset packets simultaneously to both the unauthenticated user's browser and the target application service, breaking the network connection.
Any unauthorized user browser access is blocked directly.
在本实施例中,步骤(1)中,在SDP系统为受保护的应用服务的专用注册信息生成过程为:In this embodiment, in step (1), the process of generating special registration information for protected application services in the SDP system is:
1)在SDP系统中新建受保护的应用服务,录入服务名称、服务IP、服务端口、互联网映射IP、互联网映射端口、SPA认证端口、界面跳转URL、服务绑定验证码、单次认证有效时长、创建时间、备注和状态。1) Create a new protected application service in the SDP system, enter the service name, service IP, service port, Internet mapping IP, Internet mapping port, SPA authentication port, interface jump URL, service binding verification code, single authentication is valid Duration, creation time, notes and status.
2) Generate an asymmetric key pair and a symmetric key for the protected application service. The public key is handed to the client APP, which stores it and uses it to generate authentication tokens; the private key is kept by the SDP system and used to decrypt received authentication tokens and recover their plaintext. Both the SDP system and the client APP store the symmetric key: the SDP system generates unique verification data and encrypts it with the symmetric algorithm, and the client APP decrypts it with the same algorithm to recover the verification data and confirm that the QR code is authentic.
3) Once the protected application service has been registered, the SDP system starts listening for all UDP packets sent to the service IP and SPA authentication port of that service.
More specifically, the client APP is a mobile application that runs on the user's mobile phone, tablet or other mobile device.
In this embodiment, in step (4), the user obtains the service IP, service port, public key, service binding verification code, SPA authentication port and related information from the SDP system administrator, either offline (for example by copying from a USB drive) or online (for example by e-mail, messaging software or a cloud drive). The client APP cannot be used until it holds this information.
Further, in step (6), after the client APP computes the authentication token with its built-in token algorithm, it assembles the token into an SPA single-packet authentication packet, specifically a UDP authentication packet, and sends it to the service IP and SPA authentication port of the protected application service.
The client APP is protected by source-code obfuscation, packing and similar measures, which resist reverse engineering, reduce the risk of source-code leakage and protect the client side of the authentication flow. Such measures raise the cost of extracting the stored public key and symmetric key from the APP but do not make them secret, so the scheme's strength should rest on the per-challenge verification data and the service binding code rather than on the APP's code being unreadable.
In this embodiment, in step (3), the data carried by the QR code is ciphertext produced with the SM4 symmetric algorithm; once decrypted it has the structure: IP version|verification data|authentication IP|authentication port|service port.
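The QR payload of step (3), built on the SDP side and checked on the client APP side, as an added example rather than code from the patent. The patent names SM4; AES-256-GCM from the Go standard library stands in so the code runs offline, and the choice of an authenticated mode is deliberate: the APP is meant to confirm authenticity by decrypting, which only works if a forged or altered code fails to decrypt instead of decrypting to garbage. The addresses, ports, key and check data are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// QRPayload is the decrypted QR structure of step (3):
// IP version|verification data|authentication IP|authentication port|service port.
type QRPayload struct {
	IPVersion, CheckData, AuthIP, AuthPort, SvcPort string
}

// NewQRKey generates the symmetric key of step (2), held by both the SDP system and the client APP.
func NewQRKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// gcm wraps the key in an authenticated mode. The patent names SM4; AES-256-GCM stands in here.
// With GCM a forged or altered code fails to open, which is what lets "decrypt" double as
// "confirm authenticity". An unauthenticated block mode would decrypt anything to garbage.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encode is the SDP side: join the five fields and encrypt. No field may contain '|', so the
// composite check data of embodiment 2 (source IP, destination IP, port) needs another separator.
func (p QRPayload) Encode(key []byte) ([]byte, error) {
	fields := []string{p.IPVersion, p.CheckData, p.AuthIP, p.AuthPort, p.SvcPort}
	for _, f := range fields {
		if strings.Contains(f, "|") {
			return nil, fmt.Errorf("field %q contains the separator", f)
		}
	}
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh per QR code, prefixed to the ciphertext
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, []byte(strings.Join(fields, "|")), nil), nil
}

// Decode is the client APP side: a failed open means the code was not produced by a holder of
// the shared key (forged, tampered with, or issued for a different service).
func Decode(key, ct []byte) (QRPayload, error) {
	g, err := gcm(key)
	if err != nil {
		return QRPayload{}, err
	}
	ns := g.NonceSize()
	if len(ct) < ns {
		return QRPayload{}, errors.New("QR payload too short")
	}
	pt, err := g.Open(nil, ct[:ns], ct[ns:], nil)
	if err != nil {
		return QRPayload{}, fmt.Errorf("QR code not authentic: %w", err)
	}
	f := strings.Split(string(pt), "|")
	if len(f) != 5 {
		return QRPayload{}, fmt.Errorf("expected 5 fields, got %d", len(f))
	}
	return QRPayload{f[0], f[1], f[2], f[3], f[4]}, nil
}

func main() {
	key, _ := NewQRKey()
	// Constructed values: the SDP system issues this code for a browser at 198.51.100.7.
	issued := QRPayload{"4", "198.51.100.7/203.0.113.10:443", "203.0.113.10", "62201", "443"}
	ct, err := issued.Encode(key)
	if err != nil {
		panic(err)
	}
	got, err := Decode(key, ct)
	fmt.Printf("scan: %+v err=%v\n", got, err)
	ct[len(ct)-1] ^= 0x01 // one flipped bit: the APP must refuse the code
	_, err = Decode(key, ct)
	fmt.Println("tampered:", err)
}
```

The separator check matters because embodiment 2 places a composite value (source IP, destination IP and port) in the verification data field; that value has to use a separator other than '|' or the five-field split breaks. With the national algorithms the same property comes from SM4-GCM, or SM4 in a block mode together with an SM3-based MAC over the ciphertext; decryption alone cannot confirm authenticity.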
In this embodiment, the authentication token (Token) is ciphertext that the client APP produces by encrypting with the public key. Its contents are a timestamp (the client APP's local system time when it initiates the SPA authentication request), the service binding verification code and the verification data, encrypted asymmetrically with the SM2 algorithm.
Specifically, the authentication token is computed as: Token = PublicKeyEncrypt(timestamp-service binding verification code-verification data).
In this embodiment, in step (7), the SDP system verifies the authentication token as follows:
After observing an SPA single-packet authentication packet in the network traffic, the SDP system filters the packets that match a service IP and corresponding SPA authentication port in its configuration list, extracts the authentication token from the matching packet, and determines which public/private key pair applies;
The SDP system then decrypts the token with the private key. If decryption fails, the current SPA packet is discarded. If it succeeds, the plaintext of the token is available and the SDP system checks the verification data it contains; if that is incorrect, the packet is discarded. If the verification data is correct, the SDP system takes the timestamp from the token and computes its difference from the system's current time; if the difference is less than 10 minutes the token is considered valid and the service binding verification code is checked next, otherwise the packet is discarded. To check the service binding verification code, the SDP system compares the code it holds locally for the protected application service with the code in the token sent by the client APP; if they are identical, verification passes.
Note that the order in which the verification data, the timestamp and the service binding verification code are checked can be changed; this embodiment gives only one possible order.
Further, in this embodiment, in step (8), after successful authentication the user's browser can access the protected application service normally. The SDP system keeps monitoring the traffic and passes requests from that browser IP to the protected application service, so data is exchanged normally. Once the validity period of a single authentication has elapsed, the paired whitelist entry for the user's browser and the target application service expires, the SDP system blocks access from the browser IP, and the user must scan the QR code with the client APP again and repeat the SPA single-packet authentication.
Embodiment 2
This embodiment gives a concrete application of the method of Embodiment 1, as shown in Figure 3, comprising the following steps:
Step 1: With no verification performed, the Browser initiates a connection to the Server. After the connection is established and a request is received, the SDP system blocks the connection by sending a blocking packet to the Server.
Step 2: While blocking the Server side, if the detected protocol is HTTP, the SDP system generates a QR code image from the request's source IP, destination IP, destination port, authentication IP, authentication port and service port (when the system is deployed on a core switch, the destination IP and port are the intranet IP and port), constructs a response packet containing the image and returns it to the Browser.
Step 3: The Browser receives the data returned by the SDP device (K01) and begins polling the Server at regular intervals; since it is not yet whitelisted, these requests fail.
Step 4: Meanwhile the Browser page displays the QR code. The user scans it with the mobile client APP, which decrypts it to obtain the verification data (containing the source IP, destination IP and port), the authentication IP, the authentication port and the service port.
Step 5: The phone constructs a UDP authentication packet and sends it to the authentication port at the authentication IP. The K01 device verifies it and, if verification succeeds, whitelists the source IP.
Step 6: The Browser sends another request, this time carrying the marker that identifies it as a QR-code request. If the request hits the whitelist, carries that marker, and the policy is configured with a jump URL, a response containing a redirect URL is returned to the Browser.
Step 7: If a redirect URL was returned, the Browser follows it.
Embodiment 3
This embodiment takes database and VPN access through the SDP system as its scenario and gives an application example of the SDP system performing SPA single-packet authentication and access control, as shown in Figures 4 and 5.
Step 1: The SDP system continuously monitors network traffic and decides the user's network access rights against its access control list: 1) if the user's traffic matches an allow rule, the SDP system lets the access through; 2) if it matches a deny rule, the SDP system blocks the access directly; 3) if it matches no rule in the access control list, proceed to Step 2.
Step 2: While continuously monitoring the mirrored network traffic, when the SDP system sees a UDP packet it checks whether the packet's destination port matches an SPA authentication port: if so, proceed to Step 3; if not, discard the UDP packet.
Step 3: The SDP system selects the private key corresponding to the UDP packet's destination address and authentication port and decrypts the packet's data portion with it: if decryption succeeds, the plaintext authentication token is obtained and Step 4 follows; if it fails, the UDP packet is discarded.
Step 4: The SDP system reads the authentication timestamp, service binding verification code and verification data from the plaintext token and checks the verification code: if the check passes, proceed to Step 5; otherwise discard the UDP packet.
Step 5: The SDP system checks the verification data: if the check passes, proceed to Step 6; otherwise discard the UDP packet.
Step 6: The SDP system checks whether the authentication timestamp in the UDP packet is within the valid authentication window: if the packet is valid, single-packet authentication is complete and an access control rule is added for the UDP packet's source IP, destination IP and destination port, pairing the client with the service on the whitelist; if the timestamp has expired, the UDP packet is discarded.
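The decision pipeline of Embodiment 3 together with the paired-whitelist expiry of step (8) in Embodiment 1, as an added example rather than the patent's code. The cryptographic token check is passed in as a function so that the access-control logic is the subject; the stand-in verifier in main only compares the payload with the binding code. Addresses, ports and the 30-minute validity period are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// Verdict is the SDP system's decision for one observed packet.
type Verdict string

const (
	Pass        Verdict = "pass"        // matched an allow rule: static, or a live SPA pair
	Block       Verdict = "block"       // matched a deny rule, or TCP with no rule at all
	Drop        Verdict = "drop"        // UDP that is not a valid SPA packet for a known service
	Whitelisted Verdict = "whitelisted" // SPA succeeded, a paired rule was added
)

type Packet struct {
	Proto   string // "tcp" or "udp"
	Src     netip.Addr
	Dst     netip.AddrPort
	Payload []byte // the SPA token, for UDP
}

// Rule is one access-control entry; Expires.IsZero() marks an administrator's static rule,
// rules added by SPA carry the single-authentication validity period of step (8).
type Rule struct {
	Src     netip.Addr
	Dst     netip.AddrPort
	Action  Verdict // Pass or Block
	Expires time.Time
}

// Service is a protected application registered under its SPA authentication endpoint.
// Verify stands for steps 3 to 5 (private-key decryption, binding code, check data, timestamp)
// and returns the address to whitelist: the UDP source for a direct client as in embodiment 3,
// or the browser IP carried in the check data when a phone scanned the QR code (embodiment 2).
type Service struct {
	SvcPort uint16
	Verify  func(p Packet, now time.Time) (netip.Addr, bool)
}

type Gateway struct {
	Rules    []Rule // evaluated in order; expired SPA rules are skipped
	Services map[netip.AddrPort]*Service
	Validity time.Duration
}

func NewGateway(validity time.Duration) *Gateway {
	return &Gateway{Services: map[netip.AddrPort]*Service{}, Validity: validity}
}

// match is step 1: the first live rule for exactly this source and destination.
func (g *Gateway) match(src netip.Addr, dst netip.AddrPort, now time.Time) (Rule, bool) {
	for _, r := range g.Rules {
		if r.Src == src && r.Dst == dst && (r.Expires.IsZero() || now.Before(r.Expires)) {
			return r, true
		}
	}
	return Rule{}, false
}

// Handle runs steps 1 to 6 of embodiment 3 for one packet.
func (g *Gateway) Handle(p Packet, now time.Time) Verdict {
	if r, ok := g.match(p.Src, p.Dst, now); ok {
		return r.Action
	}
	if p.Proto != "udp" {
		return Block // unauthenticated TCP; for HTTP, embodiment 2 also returns the QR page here
	}
	svc, ok := g.Services[p.Dst] // step 2: only UDP to a registered SPA authentication port goes on
	if !ok {
		return Drop
	}
	client, ok := svc.Verify(p, now) // steps 3 to 5
	if !ok {
		return Drop
	}
	// Step 6: pair this client with this one service endpoint for the validity period.
	g.Rules = append(g.Rules, Rule{Src: client, Dst: netip.AddrPortFrom(p.Dst.Addr(), svc.SvcPort),
		Action: Pass, Expires: now.Add(g.Validity)})
	return Whitelisted
}

func main() {
	g := NewGateway(30 * time.Minute)
	svcIP := netip.MustParseAddr("203.0.113.20")
	authEP, db := netip.AddrPortFrom(svcIP, 62201), netip.AddrPortFrom(svcIP, 3306)
	g.Services[authEP] = &Service{SvcPort: 3306, Verify: func(p Packet, _ time.Time) (netip.Addr, bool) {
		return p.Src, string(p.Payload) == "bind-7f3a" // stand-in for the real token check
	}}
	client, t0 := netip.MustParseAddr("198.51.100.7"), time.Now()
	fmt.Println(g.Handle(Packet{"tcp", client, db, nil}, t0))                     // block: no rule yet
	fmt.Println(g.Handle(Packet{"udp", client, authEP, []byte("wrong")}, t0))     // drop: token rejected
	fmt.Println(g.Handle(Packet{"udp", client, authEP, []byte("bind-7f3a")}, t0)) // whitelisted
	fmt.Println(g.Handle(Packet{"tcp", client, db, nil}, t0.Add(time.Minute)))    // pass
	fmt.Println(g.Handle(Packet{"tcp", client, db, nil}, t0.Add(31*time.Minute))) // block: pair expired
}
```

The rule added after a successful SPA packet is scoped to one source and one service endpoint, which is the paired whitelisting the patent describes: another host, or the same host towards another port on the same server, still has to authenticate. Deny rules are consulted before SPA processing, so an administrator can refuse a source outright even when it holds a valid token. Step 6 of the embodiment names the UDP packet's destination port in the rule; this example whitelists the registered service port instead, since the UDP destination is the SPA authentication port rather than the application being protected.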
Those skilled in the art can make various changes and modifications based on the technical solutions and ideas above, and all such changes and modifications fall within the scope of protection of the claims of this invention.
Claims (9)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311465038.1A CN117478392A (en) | 2023-11-06 | 2023-11-06 | Software-defined boundary implementation method and system using client APP to scan QR codes |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117478392A true CN117478392A (en) | 2024-01-30 |
Family
ID=89636010
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311465038.1A Pending CN117478392A (en) | 2023-11-06 | 2023-11-06 | Software-defined boundary implementation method and system using client APP to scan QR codes |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117478392A (en) |
- 2023-11-06 CN CN202311465038.1A patent/CN117478392A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||