CN117640211A - Trusted security network system, session establishment method and related equipment - Google Patents


Info

Publication number: CN117640211A
Authority: CN (China)
Prior art keywords: session, security, session request, client, secure
Legal status: Pending (an assumption, not a legal conclusion)
Application number: CN202311638731.4A
Other languages: Chinese (zh)
Inventors: 陈文华, 王爱宝, 徐勇, 李澄宇, 王凯平
Current assignee: China Telecom Technology Innovation Center; China Telecom Corp Ltd
Original assignee: China Telecom Technology Innovation Center; China Telecom Corp Ltd

Abstract

The disclosure provides a trusted security network system, a session establishment method and related equipment, and relates to the technical field of network security. The trusted security network system comprises a security client, a security gateway and a zero trust policy control server. The security client initiates a session request, which requests the establishment of a session between the security client and a peer device; the security gateway, connected to the security client, forwards the session request to the zero trust policy control server; the zero trust policy control server performs security verification on the session request; and the security gateway further forwards the session request initiated by the security client to the peer device, so as to establish a session between the security client and the peer device, if the session request passes security verification and/or the peer device allows the requested session to be established. The method and the device can realize peer-to-peer protection across the whole network and ensure that network security protection has no blind spots.

Description

Trusted security network system, session establishment method and related equipment
Technical Field
The disclosure relates to the technical field of network security, and in particular relates to a trusted security network system, a session establishment method and related equipment.
Background
In a traditional IP network, the network layer is responsible only for forwarding IP packets; communication between any two terminals is achieved by running TCP processes on the two terminals' systems, and the network performs no other security-related control. Thus, in theory, any two terminals in an IP network can reach each other, which gives attackers a convenient network path.
Currently, the security scheme provided in the related art is to set up a trust domain and deploy security devices such as firewalls at the domain boundary. However, because the devices inside the domain always trust each other, there is a risk that compromised hosts (zombie or "broiler" machines) are cultivated inside it; IP packets from outside the trust domain are filtered on the basis of information such as their addresses and signatures, but this method can only discard packets whose harm is already known, and cannot detect vulnerabilities that have not yet been found or disclosed (so-called "zero-day vulnerabilities", also written "0day").
It should be noted that the information disclosed in the above background section is only for enhancing understanding of the background of the present disclosure and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The disclosure provides a trusted security network system, a session establishment method and related equipment, which at least to some extent overcome the potential security hazards of the network security schemes in the related art.
Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.
According to one aspect of the present disclosure, there is provided a trusted security network system comprising a security client, a security gateway and a zero trust policy control server. The secure client is used for initiating a session request, which requests the establishment of a session between the secure client and a peer device; the security gateway, connected to the secure client, forwards the session request to the zero trust policy control server; the zero trust policy control server performs security verification on the session request; and the security gateway is further configured to forward the session request initiated by the secure client to the peer device so as to establish a session between them, where the session request passes security verification and/or the peer device allows the requested session to be established.
In some embodiments, the trusted security network system further comprises an application server for providing application services, which is connected to the security gateway either directly through a physical line or through an encrypted channel; the security gateway and the zero trust policy control server are connected through an encrypted channel; the security gateways are connected to one another through encrypted channels; and the connection between the security gateway and the security client is established on the basis of a single-packet authorization (SPA) authentication mechanism.
According to another aspect of the present disclosure, there is also provided a trusted secure session establishment method, including: receiving a session request initiated by a secure client, wherein the session request requests the establishment of a session between the secure client and a peer device; forwarding the session request to a zero-trust policy control server so that it performs security verification on the session request; and, if the session request passes security verification and/or the peer device allows the requested session to be established, forwarding the session request initiated by the secure client to the peer device so as to establish the session between them.
In some embodiments, before forwarding the session request to the zero trust policy control server for security verification, the method further comprises: receiving terminal environment information reported by the secure client, wherein the terminal environment information describes the communication environment of the terminal on which the secure client is installed; and forwarding the terminal environment information to the zero trust policy control server so that it performs security verification on the session request according to that information.
In some embodiments, before receiving the terminal environment information reported by the secure client, the method further includes: receiving an SPA authentication data packet sent by the secure client, which the zero trust policy control server uses to perform SPA authentication on the secure client; if the secure client passes SPA authentication, opening a gateway service port to the secure client and establishing a secure channel with it; receiving user identity authentication information sent by the secure client through the secure channel; forwarding the user identity authentication information to the zero trust policy control server so that it authenticates the secure client's identity; and receiving the identity verification result returned by the zero trust policy control server and forwarding it to the secure client, so that the secure client reports its terminal environment information once the identity verification result indicates success.
In some embodiments, prior to receiving the session request initiated by the secure client, the method further comprises: receiving a domain name resolution request initiated by the secure client; forwarding it to the zero trust policy control server; receiving the domain name resolution result returned by the zero trust policy control server; and forwarding the result to the secure client, which uses it to initiate a session request for establishing a session with the peer device.
In some embodiments, after receiving the session request initiated by the secure client, the method further comprises: determining whether the session request is a new session request; if it is, forwarding it to the zero trust policy control server so that it performs security verification on the request; if the request passes security verification, generating session mapping information and a forwarding item; and forwarding the data packets of the corresponding session according to the session mapping information and the forwarding item.
In some embodiments, after generating the session mapping information and the forwarding item, the method further comprises deleting the session mapping information and the forwarding item when the session between the secure client and the peer device ends.
In some embodiments, the peer device is a server or other secure client that provides application services.
According to another aspect of the present disclosure, there is also provided a security gateway including: a session request receiving module, configured to receive a session request initiated by a secure client, where the session request requests the establishment of a session between the secure client and a peer device; a session request verification module, configured to forward the session request to a zero trust policy control server so that it performs security verification on the session request; and a session request forwarding module, configured to forward the session request initiated by the secure client to the peer device, so as to establish the session between them, if the session request passes security verification and/or the peer device allows the requested session to be established.
According to another aspect of the present disclosure, there is also provided an electronic apparatus including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the trusted security session establishment method of any one of the above via execution of the executable instructions.
According to another aspect of the present disclosure, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the trusted security session establishment method of any one of the above.
According to another aspect of the present disclosure, there is also provided a computer program product comprising a computer program which, when executed by a processor, implements a trusted secure session establishment method of any one of the above.
In the trusted security network system, session establishment method and related equipment provided in the embodiments of the present disclosure, when a security client initiates a session request for establishing a session between itself and a peer device, the security gateway forwards the request to the zero-trust policy control server for security verification; when the request passes security verification and/or the peer device allows the requested session to be established, the security gateway forwards the request to the peer device so that the session is established. The method and the device can thus realize peer-to-peer protection across the whole network and ensure that network security protection has no blind spots.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure. It will be apparent to those of ordinary skill in the art that the drawings in the following description are merely examples of the disclosure and that other drawings may be derived from them without undue effort.
FIG. 1 illustrates a schematic diagram of a trusted security network system architecture in an embodiment of the present disclosure;
FIG. 2 illustrates a flow chart of a trusted secure session establishment method in an embodiment of the present disclosure;
FIG. 3 illustrates an alternative trusted secure session establishment method flow diagram in an embodiment of the present disclosure;
FIG. 4 illustrates a flow chart of a terminal attaching a secure network through a secure client in an embodiment of the present disclosure;
FIG. 5 illustrates a session flow diagram based on a trusted security network in an embodiment of the present disclosure;
FIG. 6 shows a schematic diagram of the constituent modules of a security gateway in an embodiment of the present disclosure;
FIG. 7 shows a block diagram of an electronic device in an embodiment of the disclosure;
FIG. 8 shows a schematic diagram of a computer-readable storage medium in an embodiment of the disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software or in one or more hardware modules or integrated circuits or in different networks and/or processor devices and/or microcontroller devices.
The following detailed description of embodiments of the present disclosure refers to the accompanying drawings.
Fig. 1 shows a schematic diagram of a trusted security network system architecture based on a zero-trust access policy. As shown in fig. 1, the trusted security network system includes: secure client 10, security gateway 20, and zero trust policy control server 30.
The secure client 10 is configured to initiate a session request, which requests the establishment of a session between the secure client and a peer device; the security gateway 20, connected to the secure client, forwards the session request to the zero trust policy control server; the zero trust policy control server 30 performs security verification on session requests; and the security gateway 20 is further configured to forward the session request initiated by the secure client to the peer device, so as to establish a session between the secure client 10 and the peer device, if the session request passes security verification and/or the peer device allows the requested session to be established.
In the embodiment of the disclosure, the opposite terminal device may be a server providing various application services or service resources, or may be another secure client different from the secure client initiating the session request.
It should be noted that the secure client 10 in the embodiment of the present disclosure may be a software client for implementing secure network communication, configured to verify the bootstrap program, operating system program or application programs on a terminal and to report the terminal's various environment or status information; the security gateway 20 is the key network device for implementing the trusted security network, performs session control and maintenance, and is generally located at a terminal's access point and at the egress of a (cloud) server that provides service resources; the zero trust policy control server 30 is the backbone of the trusted security network and is responsible for continuous authentication and authorization checks of users, terminals and applications, for analysis and decision-making on the information it receives, and for issuing related instructions.
The trusted security network system provided in the embodiment of the present disclosure is formed by interconnecting a plurality of security gateways 20, which together with a zero-trust policy control server 30 form a stable security core network; the various service resources (i.e., servers) providing instant messaging, mail, OA or directory services are connected directly to the security gateways, as a single system or as partitioned clusters, and are registered with the zero-trust policy control server. After its real-name identity has been authenticated and evaluated by the zero trust policy control server, a secure client can attach to a security gateway in a dial-in manner, forming the dynamic peripheral access network. At that point the terminal can use only the control and messaging system. The security gateway is network-stealthy: it opens the corresponding service port to a secure client only after that client passes SPA single-packet authentication, which helps resist DDoS attacks.
If a secure client attached to a security gateway wants to access a service resource or another online client, the gateway establishes the corresponding access connection for it only after the policy control server has verified the user's authority or the peer has agreed; only then can the accessing terminal reach the service resource system or the peer. Anonymous connection attacks can therefore be stopped, illegal attacks and terminal penetration of a protected system through zero-day vulnerabilities (also called 0day vulnerabilities) can largely be prevented, and attack sources can be traced more effectively.
In some embodiments, the trusted security network system in embodiments of the present disclosure may further comprise an application server providing various application services, connected to the security gateway 20 either directly through a physical line or through an encrypted channel; the security gateway 20 is connected to the zero trust policy control server 30 through an encrypted channel; the security gateways 20 are connected to one another through encrypted channels; and the connection between the security gateway 20 and the secure client 10 is established on the basis of the single-packet authorization (SPA) authentication mechanism.
In the embodiment of the disclosure, the zero trust policy controller is connected to each security gateway through an encrypted channel, which carries instructions and messages between them; the connections between the security gateways are likewise established through encrypted channels, and the zero trust policy controller together with the security gateways forms the core network of the trusted security network; the application servers are connected to the security gateways either directly through physical lines or through encrypted channels; the terminal connects to a security gateway through the secure client (a software client) using the SPA authentication mechanism, and after multi-factor authentication succeeds the terminal is attached to the security gateway and thereby accesses the trusted security network. Every subsequent access by the terminal to an application server or a peer device is then a complete authentication-controlled secure session.
The trusted security network system provided by the embodiment of the disclosure can be deployed with full compatibility, without changing the service resources or the original application software. In the related art, a security protection scheme that defines a trust domain boundary protects only the service resources and provides no network security protection for the visitor. The trusted security network system provided by the embodiment of the disclosure not only allows security verification and evaluation control by the security control server (namely the zero trust policy control server), but also allows the peer device to evaluate and control whether a verified access is accepted; it can therefore realize peer-to-peer protection across the whole network and ensure that network security protection has no blind spots.
In principle, the secure network communication provided in the embodiments of the present disclosure may be implemented by installing a secure client on any device on the network; it should be noted that, in theory, the device on which the secure client is installed may be a terminal or a server, and since the server side usually has many security protections, the embodiments of the present disclosure are described by taking the installation of the secure client on the terminal as an example.
The network for communication among the secure client 10, the secure gateway 20, the zero trust policy control server 30, and the peer devices in the embodiments of the present disclosure may be a wired network or a wireless network.
Alternatively, the wireless or wired network described above uses standard communication techniques and/or protocols. The network is typically the Internet, but may be any network including, but not limited to, a local area network (LAN), metropolitan area network (MAN), wide area network (WAN), mobile, wired or wireless network, private network, or any combination of virtual private networks. In some embodiments, data exchanged over the network is represented using techniques and/or formats including HyperText Markup Language (HTML), Extensible Markup Language (XML), and the like. All or some of the links may also be encrypted using conventional techniques such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), virtual private networks (VPN), Internet Protocol Security (IPsec), etc. In other embodiments, custom and/or dedicated data communication techniques may be used in place of or in addition to those described above.
In the disclosed embodiments, the terminal may be a variety of electronic devices including, but not limited to, smartphones, tablet computers, laptop portable computers, desktop computers, smart speakers, smart watches, wearable devices, augmented reality devices, virtual reality devices, and the like.
Alternatively, the clients of the applications installed in different terminals are the same or clients of the same type of application based on different operating systems. The specific form of the application client may also be different based on the different terminal platforms, for example, the application client may be a mobile phone client, a PC client, etc.
In the embodiment of the present disclosure, the server may be a server providing various services, such as a background management server providing support for a device operated by a user using a terminal. The background management server can analyze and process the received data such as the request and the like, and feed back the processing result to the terminal equipment. Optionally, the server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs (Content Delivery Network, content delivery networks), basic cloud computing services such as big data and artificial intelligence platforms, and the like.
In some embodiments, in the case that the secure client is installed on the terminal, the secure client is further configured to report terminal environment information of the terminal; the security gateway is also used for forwarding the terminal environment information reported by the security client to the zero trust policy control server; the zero trust policy control server is also used for carrying out security verification on the session request initiated by the security client according to the terminal environment information reported by the security client.
In some embodiments, the secure client is further configured to initiate an SPA authentication data packet to the secure gateway, where the SPA authentication data packet is used by the zero trust policy control server to perform SPA authentication on the secure client; the security gateway is further used for sending the SPA authentication data packet sent by the security client to the zero trust policy control server, and opening a security service port to the security client under the condition that the security client passes the SPA authentication, so that the security gateway establishes a security channel with the security client through the security service port.
In some embodiments, the secure client is further configured to send user identity authentication information of the secure client to the secure gateway through the secure channel, where the user identity authentication information is used for authenticating the secure client by the zero trust policy control server; the security gateway is further configured to send user identity authentication information of the security client to the zero trust policy control server, receive an identity verification result returned by the zero trust policy control server, and forward the identity verification result to the security client, so that the security client reports terminal environment information of the terminal when the identity verification result is verified.
In some embodiments, the security client is further configured to initiate a domain name resolution request to the security gateway; the security gateway is further used for forwarding a domain name resolution request initiated by the security client to the zero trust policy control server, receiving a domain name resolution result returned by the zero trust policy control server and forwarding the domain name resolution result to the security client; the secure client is also used for initiating a session request according to the domain name resolution result.
In some embodiments, the security gateway is further configured to determine whether a session request initiated by the security client is a new session request, and generate session mapping information and a forwarding item when the session request is the new session request and passes security verification, so that the security gateway forwards a data packet of a corresponding session according to the session mapping information and the forwarding item, where the session forwarding item includes mapping relationship information between the security client and the peer device.
In some embodiments, the security gateway is further to: in case the session between the secure client and the peer device ends, the session mapping information and the forwarding item are deleted.
Those skilled in the art will appreciate that the number of secure clients 10, secure gateways 20, zero trust policy control servers 30 shown in fig. 1 is merely illustrative, and that any number of secure clients 10, secure gateways 20, zero trust policy control servers 30 may be provided as desired. The embodiments of the present disclosure are not limited in this regard.
Under the system architecture described above, a trusted secure session establishment method is provided in the embodiments of the present disclosure, and the method may be performed by any electronic device having computing processing capabilities. In some embodiments, the trusted security session establishment method provided in the embodiments of the present disclosure may be performed by the security gateway of the system architecture described above; in other embodiments, the trusted security session establishment method provided in the embodiments of the present disclosure may be implemented by the security gateway in the system architecture and the security client, the zero trust policy control server, the peer device, or the like through interaction.
Fig. 2 shows a flowchart of a trusted secure session establishment method in an embodiment of the present disclosure, and as shown in fig. 2, the trusted secure session establishment method provided in the embodiment of the present disclosure includes the following steps:
S202, receiving a session request initiated by the secure client, wherein the session request is used for requesting to establish a session between the secure client and the peer device.
In some embodiments, before receiving the session request initiated by the secure client, the trusted secure session establishment method provided in the embodiments of the present disclosure may further include the steps of: receiving a domain name resolution request initiated by a secure client; forwarding the domain name resolution request to a zero trust policy control server; receiving a domain name resolution result returned by the zero trust policy control server; and forwarding the domain name resolution result to the secure client so that the secure client initiates a session request to the opposite terminal equipment according to the domain name resolution result.
S204, the session request is forwarded to the zero trust policy control server, so that the zero trust policy control server performs security verification on the session request.
In a specific implementation, when initiating a session request, the secure client may carry relevant information (terminal environment information) about the user, terminal, application and the like that initiate the session request, so that the zero trust policy control server performs security verification on the session request according to this information. For example, the zero trust policy control server may determine whether the user, terminal, or application that initiated the session request is in a preset whitelist (a preconfigured whitelist of users, terminals and applications allowed to establish the related session) to decide whether access is allowed; if access is not allowed, the session establishment procedure of the session request is interrupted, and if access is allowed, the session establishment procedure of the session request continues.
S206, in the case that the session request passes the security verification and/or the peer device allows the session of the session request to be established, forwarding the session request initiated by the secure client to the peer device, so as to establish the session between the secure client and the peer device.
The peer device may be a server providing the application service, or may be another secure client (a secure client different from the secure client that initiates the session request).
As can be seen from the above, when the secure client initiates a session request for establishing a session between the secure client and the peer device, the security gateway forwards the session request to the zero trust policy control server so that the zero trust policy control server performs security verification on the session request; when the session request passes the security verification and/or the peer device allows the session of the session request to be established, the security gateway forwards the session request initiated by the secure client to the peer device, so as to establish the session between the secure client and the peer device. The method and the device can thus realize peer-to-peer protection of the whole network and ensure that network security protection has no blind spots.
It should be noted that a gateway generally forwards according to forwarding items and does not perform any forwarding if there is no corresponding forwarding item. Thus, in some embodiments, after receiving a session request initiated by a secure client, the trusted secure session establishment method provided in embodiments of the present disclosure may further comprise the following steps: judging whether the session request is a new session request; if the session request is a new session request, forwarding the session request to the zero trust policy control server so that the zero trust policy control server performs security verification on the session request; under the condition that the session request passes the security verification, generating session mapping information and forwarding items; and forwarding the data packets of the corresponding session according to the session mapping information and the forwarding items.
In one embodiment, the session mapping information in the embodiments of the present disclosure may be five-tuple session mapping information including a mapping relationship between a secure client initiating a session request, a peer device, a secure gateway, a zero-trust policy control server, and a current session. In the embodiment of the disclosure, the identification information of the secure client, the peer device, the secure gateway and the zero trust policy control server in the session mapping information may be, but is not limited to, IP address information and port information; the port information of the secure client and the opposite terminal device may be a port value or a port range value.
Through the above embodiment, after the security gateway receives the session request initiated by the security client to the peer device, it is determined whether the session request is a new session request, when the session request is a new session request, the new session request is forwarded to the zero trust policy control server for security verification, and if the new session request passes the security verification, corresponding session mapping information and forwarding items are generated, so that data packets of the corresponding session are forwarded according to the generated session mapping information and the forwarding items.
Further, in some embodiments, after generating the session mapping information and the forwarding item, the trusted secure session establishment method provided in the embodiments of the present disclosure may further include the steps of: in case the session between the secure client and the peer device ends, the session mapping information and the forwarding item are deleted.
In some embodiments, before forwarding the session request to the zero trust policy control server to enable the zero trust policy control server to securely verify the session request, the trusted security session establishment method provided in the embodiments of the present disclosure may further include the steps of: receiving terminal environment information reported by a security client, wherein the terminal environment information is communication environment information of a terminal provided with the security client; and forwarding the terminal environment information to the zero trust policy control server so that the zero trust policy control server performs security verification on the session request according to the terminal environment information.
In some embodiments, before receiving the terminal environment information reported by the secure client, as shown in fig. 3, the trusted secure session establishment method provided in the embodiments of the present disclosure may further implement authentication of the secure client by:
S302, receiving an SPA authentication data packet sent by a secure client, wherein the SPA authentication data packet is used for performing SPA authentication on the secure client by a zero trust policy control server;
S304, under the condition that the secure client passes SPA authentication, a gateway service port is opened for the secure client, and a secure channel is established with the secure client;
S306, receiving user identity authentication information sent by the secure client through the secure channel;
S308, forwarding the user identity authentication information of the secure client to the zero trust policy control server so that the zero trust policy control server performs identity authentication on the secure client;
and S310, receiving an authentication result returned by the zero trust policy control server, and forwarding the authentication result to the secure client so that the secure client reports the terminal environment information under the condition that the authentication result is passed.
Fig. 4 shows a flowchart of a terminal attaching to a secure network through a secure client in an embodiment of the disclosure, as shown in fig. 4, specifically including the following steps:
S402, the security gateway receives an SPA authentication data packet sent by the security client on the terminal;
S404, the security gateway requests the zero trust policy control server to perform SPA authentication;
S406, the zero trust policy control server returns an SPA authentication passing result to the security gateway;
S408, the security gateway opens a service port for the security client;
S410, the security client establishes a secure channel with the security gateway;
S412, the security client sends MFA authentication information to the security gateway;
S414, the security gateway forwards the MFA authentication information to the zero trust policy control server;
S416, the zero trust policy control server returns an authentication confirmation result to the security gateway;
S418, the security gateway forwards the authentication confirmation result to the security client;
S420, the security client reports terminal environment information to the security gateway;
S422, the security gateway forwards the terminal environment information to the zero trust policy control server;
S424, the zero trust policy control server records the online information and associated identifiers such as the user, the terminal ID and the network location, and the dynamic access of the terminal is successful.
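The terminal attach procedure of figs. 3 and 4 (S302 to S310 and S402 to S424), as an added example that is not part of the disclosure: a gateway that keeps its service port closed for a client until the policy control server confirms the SPA packet, and accepts each later step (secure channel, MFA, environment report) only in order. The SPA packet layout (an HMAC-SHA256 tag over client ID, terminal ID and timestamp), the MFA code check, and all names and values are assumptions constructed for this example.

```python
import hashlib
import hmac
from enum import Enum, auto
from typing import Dict


class AttachState(Enum):
    CLOSED = auto()         # default deny: no gateway service port open for this client
    PORT_OPEN = auto()      # S408: SPA passed, service port opened
    CHANNEL = auto()        # S410: secure channel established
    AUTHENTICATED = auto()  # S416/S418: identity (MFA) confirmed by the policy server
    ONLINE = auto()         # S424: environment info recorded, terminal attached


class PolicyControlServer:
    """Stand-in for the zero trust policy control server; SPA and MFA formats are assumptions."""
    def __init__(self, spa_key: bytes, mfa_codes: Dict[str, str], window_s: int = 30):
        self.spa_key = spa_key              # shared key for HMAC-SHA256 SPA tags (assumed format)
        self.mfa_codes = mfa_codes          # user -> expected MFA code (constructed)
        self.window_s = window_s            # accepted clock skew for SPA timestamps
        self.online: Dict[str, dict] = {}   # terminal_id -> online record written at S424

    @staticmethod
    def spa_tag(key: bytes, client_id: str, terminal_id: str, ts: int) -> str:
        msg = f"{client_id}|{terminal_id}|{ts}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def spa_auth(self, packet: dict, now: int) -> bool:
        """S404/S406: validate an SPA packet {client_id, terminal_id, ts, tag}."""
        if abs(now - packet["ts"]) > self.window_s:
            return False  # stale timestamp, treated as a replay
        expected = self.spa_tag(self.spa_key, packet["client_id"], packet["terminal_id"], packet["ts"])
        return hmac.compare_digest(expected, packet["tag"])

    def identity_auth(self, user: str, mfa_code: str) -> bool:
        """S414/S416: check the user's MFA code."""
        return hmac.compare_digest(self.mfa_codes.get(user, ""), mfa_code)

    def record_online(self, user: str, env: dict) -> None:
        """S424: record user, terminal ID and network location."""
        self.online[env["terminal_id"]] = {"user": user, "network_location": env["network_location"]}


class SecurityGateway:
    def __init__(self, policy: PolicyControlServer):
        self.policy = policy
        self.states: Dict[str, AttachState] = {}
        self.users: Dict[str, str] = {}

    def state(self, client_id: str) -> AttachState:
        return self.states.get(client_id, AttachState.CLOSED)

    def on_spa_packet(self, packet: dict, now: int) -> bool:
        """S402-S408: the service port opens only after the policy server confirms the SPA packet."""
        if not self.policy.spa_auth(packet, now):
            return False  # dropped silently; the gateway stays closed to this client
        self.states[packet["client_id"]] = AttachState.PORT_OPEN
        return True

    def on_secure_channel(self, client_id: str) -> bool:
        """S410: a secure channel can only be set up through an opened port."""
        if self.state(client_id) is not AttachState.PORT_OPEN:
            return False
        self.states[client_id] = AttachState.CHANNEL
        return True

    def on_mfa(self, client_id: str, user: str, code: str) -> bool:
        """S412-S418: identity information is accepted only over the secure channel."""
        if self.state(client_id) is not AttachState.CHANNEL or not self.policy.identity_auth(user, code):
            return False
        self.states[client_id] = AttachState.AUTHENTICATED
        self.users[client_id] = user
        return True

    def on_env_report(self, client_id: str, env: dict) -> bool:
        """S420-S424: environment info is relayed only from an authenticated client."""
        if self.state(client_id) is not AttachState.AUTHENTICATED:
            return False
        self.policy.record_online(self.users[client_id], env)
        self.states[client_id] = AttachState.ONLINE
        return True


def run_attach_scenario() -> dict:
    """Constructed walk-through: a forged SPA packet, an out-of-order MFA, then one valid attach."""
    key = b"constructed-shared-spa-key"
    policy = PolicyControlServer(key, {"alice": "123456"})
    gw = SecurityGateway(policy)
    now = 1_700_000_000
    good = {"client_id": "c1", "terminal_id": "term-01", "ts": now,
            "tag": PolicyControlServer.spa_tag(key, "c1", "term-01", now)}
    forged = dict(good, client_id="c2", tag="00" * 32)
    out = {"forged_spa": gw.on_spa_packet(forged, now),           # bad tag: port stays closed
           "mfa_before_spa": gw.on_mfa("c3", "alice", "123456")}  # S412 without S402-S410: refused
    out["spa"] = gw.on_spa_packet(good, now)                       # S402-S408
    out["channel"] = gw.on_secure_channel("c1")                    # S410
    out["mfa"] = gw.on_mfa("c1", "alice", "123456")                # S412-S418
    out["env"] = gw.on_env_report("c1", {"terminal_id": "term-01", "network_location": "office-lan"})
    out["final_state"] = gw.state("c1")
    out["online"] = dict(policy.online)
    return out
```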
Fig. 5 shows a session flow chart based on a trusted security network in an embodiment of the disclosure, as shown in fig. 5, specifically including the following steps:
S502, the security gateway receives a DNS resolution request sent by the security client on the terminal;
S504, the security gateway forwards the DNS request to the zero trust policy control server;
S506, the zero trust policy control server performs a preliminary check of whether the application is on the whitelist, whether the application is accessible, and the like; otherwise, the session is blocked;
S508, the zero trust policy control server returns the DNS resolution result to the security gateway;
S510, the security gateway forwards the DNS resolution result to the security client;
S512, the secure client initiates a session (TCP connection) request;
S514, the security gateway confirms and establishes an end-to-end session (TCP connection);
S516, the security gateway judges whether the current session request is a new session request, and if so, the security gateway requests the zero trust policy control server to perform security verification;
S518, the zero trust policy control server judges whether the user, the terminal and the application are on the whitelist, whether they are accessible, and the like; otherwise, the session is blocked;
S520, the zero trust policy control server returns a verification result of passing verification to the security gateway, and the session continues;
S522, the security gateway establishes five-tuple session mapping information and generates a forwarding item;
S524, the session request initiated by the secure client on the terminal is allowed to reach the peer device directly;
S526, the terminal realizes end-to-end data packet transmission between the secure client and the peer device;
S528, the session between the secure client on the terminal and the peer device ends, and the end-to-end TCP connection is released;
S530, the security client on the terminal notifies the security gateway that the current session has ended;
S532, the security gateway deletes the five-tuple session mapping information and the forwarding item.
It should be noted that the five-tuple session mapping information in the embodiment of the present disclosure includes: the session initiator IP address, the session initiator port information, the session receiver IP address, the session receiver port information, and the protocol information employed between the session initiator and the session receiver.
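The new-session check, five-tuple session mapping and forwarding-item lifecycle described in the embodiments above and in the flow of fig. 5 (S502 to S532), as an added example that is not the disclosure's own code: the gateway forwards a packet only when a forwarding item exists for its five-tuple, sends a five-tuple it has not seen to the policy control server for verification first, and deletes the item when the client reports the session end. The whitelist model of (user, terminal ID, application) triples, the DNS records and all addresses are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Five-tuple as defined above: initiator IP, initiator port, receiver IP, receiver port, protocol.
FiveTuple = Tuple[str, int, str, int, str]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def key(self) -> FiveTuple:
        return (self.src, self.sport, self.dst, self.dport, self.proto)


@dataclass
class ForwardingItem:
    """Session mapping: the five-tuple bound to the gateway, the policy server and the verified identity."""
    five_tuple: FiveTuple
    gateway: str
    policy_server: str
    user: str
    terminal_id: str
    app: str
    packets_forwarded: int = 0


class PolicyControlServer:
    """Stand-in for the zero trust policy control server (the whitelist model is an assumption)."""
    def __init__(self, address: str, whitelist, app_records: Dict[str, str]):
        self.address = address
        self.whitelist = set(whitelist)        # allowed (user, terminal_id, app) triples
        self.app_records = dict(app_records)   # app domain name -> peer IP (constructed DNS data)

    def resolve(self, domain: str, user: str, terminal_id: str) -> Optional[str]:
        # S506: preliminary whitelist check at the DNS stage; None means the session is blocked here
        if (user, terminal_id, domain) not in self.whitelist:
            return None
        return self.app_records.get(domain)

    def verify_session(self, user: str, terminal_id: str, app: str) -> bool:
        # S518: security verification of a new session request
        return (user, terminal_id, app) in self.whitelist


class SecurityGateway:
    def __init__(self, address: str, policy: PolicyControlServer):
        self.address = address
        self.policy = policy
        self.flows: Dict[FiveTuple, ForwardingItem] = {}   # forwarding items keyed by five-tuple
        self.peer_app: Dict[str, str] = {}                  # peer IP -> app name learned at S508

    def on_dns_request(self, domain: str, user: str, terminal_id: str) -> Optional[str]:
        """S502-S510: relay the resolution request and remember which app the peer IP belongs to."""
        ip = self.policy.resolve(domain, user, terminal_id)
        if ip is not None:
            self.peer_app[ip] = domain
        return ip

    def on_packet(self, pkt: Packet, user: str, terminal_id: str) -> str:
        """S512-S526: forward only on a matching forwarding item; a new session is verified first."""
        key = pkt.key()
        item = self.flows.get(key)
        if item is None:
            # S516: no forwarding item for this five-tuple, so this is a new session request
            app = self.peer_app.get(pkt.dst)
            if app is None or not self.policy.verify_session(user, terminal_id, app):
                return "blocked"  # S518: nothing is forwarded and no forwarding item is created
            # S520/S522: verification passed, create the session mapping and forwarding item
            item = ForwardingItem(key, self.address, self.policy.address, user, terminal_id, app)
            self.flows[key] = item
        item.packets_forwarded += 1  # S524/S526: packets of a verified session go straight through
        return "forwarded"

    def on_session_end(self, key: FiveTuple) -> bool:
        """S530/S532: the client reports the session end; drop its mapping and forwarding item."""
        return self.flows.pop(key, None) is not None


def run_session_scenario() -> dict:
    """Constructed walk-through: a whitelisted session, a repeat packet, and a non-whitelisted terminal."""
    policy = PolicyControlServer("10.0.0.2",
                                 whitelist={("alice", "term-01", "app.example.internal")},
                                 app_records={"app.example.internal": "10.1.1.10"})
    gw = SecurityGateway("10.0.0.1", policy)
    peer = gw.on_dns_request("app.example.internal", "alice", "term-01")   # S502-S510
    blocked_dns = gw.on_dns_request("app.example.internal", "bob", "term-02")
    key: FiveTuple = ("192.168.1.5", 51000, peer, 443, "tcp")
    results = [
        gw.on_packet(Packet(*key), "alice", "term-01"),   # new session -> verified -> forwarded
        gw.on_packet(Packet(*key), "alice", "term-01"),   # existing forwarding item -> forwarded
        gw.on_packet(Packet("192.168.1.9", 52000, peer, 443), "mallory", "term-09"),  # blocked
    ]
    packets = gw.flows[key].packets_forwarded
    ended = gw.on_session_end(key)                                           # S528-S532
    return {"peer": peer, "blocked_dns": blocked_dns, "results": results,
            "packets": packets, "ended": ended, "flows_left": len(gw.flows)}
```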
Based on the same inventive concept, a security gateway is also provided in the embodiments of the present disclosure, as described in the following embodiments. Since the principle of the security gateway embodiment for solving the problem is similar to that of the method embodiment, the implementation of the security gateway embodiment can be referred to the implementation of the method embodiment, and the repetition is omitted.
Fig. 6 illustrates a schematic diagram of a security gateway in an embodiment of the disclosure, as shown in fig. 6, which may include: a session request receiving module 601, a session request verifying module 602, and a session request forwarding module 603.
The session request receiving module 601 is configured to receive a session request initiated by a secure client, where the session request is used to request to establish a session between the secure client and a peer device; a session request verification module 602, configured to forward the session request to the zero trust policy control server, so that the zero trust policy control server performs security verification on the session request; a session request forwarding module 603, configured to forward, to the peer device, a session request initiated by the secure client to establish a session between the secure client and the peer device, in a case where the session request passes the security verification and/or the peer device allows the session of the session request to be established.
In some embodiments, the security gateway provided in embodiments of the present disclosure may further include: the terminal environment information obtaining module 604 is configured to receive terminal environment information reported by the secure client, where the terminal environment information is communication environment information of a terminal installed with the secure client; and forwarding the terminal environment information to the zero trust policy control server so that the zero trust policy control server performs security verification on the session request according to the terminal environment information.
In some embodiments, the security gateway provided in embodiments of the present disclosure may further include: the secure client identity verification module 605 is configured to receive an SPA authentication data packet sent by the secure client, where the SPA authentication data packet is used for performing SPA authentication on the secure client by the zero trust policy control server; under the condition that the secure client passes SPA authentication, a gateway service port is opened for the secure client, and a secure channel is established with the secure client; receiving user identity authentication information sent by a secure client through a secure channel; forwarding the user identity authentication information of the security client to a zero trust policy control server so that the zero trust policy control server performs identity authentication on the security client; and receiving an authentication result returned by the zero trust policy control server, and forwarding the authentication result to the security client so that the security client reports the terminal environment information under the condition that the authentication result is passing authentication.
In some embodiments, the security gateway provided in embodiments of the present disclosure may further include: a domain name resolution module 606, configured to receive a domain name resolution request initiated by the secure client; forward the domain name resolution request to the zero trust policy control server; receive the domain name resolution result returned by the zero trust policy control server; and forward the domain name resolution result to the secure client, where the domain name resolution result is used by the secure client to initiate a session request for establishing a session with the peer device.
In some embodiments, the security gateway provided in embodiments of the present disclosure may further include: a session forwarding item generating module 607, configured to determine whether the session request is a new session request; if the session request is a new session request, forwarding the session request to the zero trust policy control server so that the zero trust policy control server performs security verification on the session request; under the condition that the session request passes the security verification, generating session mapping information and forwarding items; and forwarding the data packet of the corresponding session according to the session mapping information and the forwarding item.
In some embodiments, the security gateway provided in embodiments of the present disclosure may further include: a session forwarding item deleting module 608, configured to delete the session mapping information and the forwarding item when the session between the secure client and the peer device ends.
It should be noted that the above modules correspond to the steps of the method embodiments and share their examples and application scenarios, but are not limited to what is disclosed in the above method embodiments. The modules described above may be executed as part of an apparatus in a computer system, such as a set of computer-executable instructions.
Those skilled in the art will appreciate that the various aspects of the present disclosure may be implemented as a system, method, or program product. Accordingly, various aspects of the disclosure may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.) or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit," "module" or "system."
An electronic device 700 according to such an embodiment of the present disclosure is described below with reference to fig. 7. The electronic device 700 shown in fig. 7 is merely an example and should not be construed to limit the functionality and scope of use of embodiments of the present disclosure in any way.
As shown in fig. 7, the electronic device 700 is embodied in the form of a general purpose computing device. Components of electronic device 700 may include, but are not limited to: the at least one processing unit 710, the at least one memory unit 720, and a bus 730 connecting the different system components, including the memory unit 720 and the processing unit 710.
Wherein the storage unit stores program code that is executable by the processing unit 710 such that the processing unit 710 performs steps according to various exemplary embodiments of the present disclosure described in the above-described "exemplary methods" section of the present specification. For example, the processing unit 710 may perform the following steps of the method embodiment described above: receiving a session request initiated by a secure client, wherein the session request is used for requesting to establish a session between the secure client and a peer device; forwarding the session request to a zero trust policy control server so that the zero trust policy control server performs security verification on the session request; in the event that the session request passes the security verification and/or the peer device allows a session of the session request to be established, forwarding the session request initiated by the secure client to the peer device to establish the session between the secure client and the peer device.
The memory unit 720 may include readable media in the form of volatile memory units, such as Random Access Memory (RAM) 7201 and/or cache memory 7202, and may further include Read Only Memory (ROM) 7203.
The storage unit 720 may also include a program/utility 7204 having a set (at least one) of program modules 7205, such program modules 7205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Bus 730 may be a bus representing one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 700 may also communicate with one or more external devices 740 (e.g., keyboard, pointing device, Bluetooth device, etc.), one or more devices that enable a user to interact with the electronic device 700, and/or any device (e.g., router, modem, etc.) that enables the electronic device 700 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 750. Also, electronic device 700 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet, through network adapter 760. As shown, network adapter 760 communicates with other modules of electronic device 700 over bus 730. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 700, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a terminal device, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
In particular, according to embodiments of the present disclosure, the process described above with reference to the flowcharts may be implemented as a computer program product comprising: a computer program which, when executed by a processor, implements the trusted secure session establishment method described above.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium, which may be a readable signal medium or a readable storage medium, is also provided. Fig. 8 illustrates a schematic diagram of a computer-readable storage medium in an embodiment of the present disclosure, where a program product capable of implementing the method of the present disclosure is stored on the computer-readable storage medium 800 as illustrated in fig. 8. In some possible implementations, various aspects of the disclosure may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the disclosure as described in the "exemplary methods" section of this specification, when the program product is run on the terminal device.
More specific examples of the computer readable storage medium in the present disclosure may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
In this disclosure, a computer readable storage medium may include a data signal propagated in baseband or as part of a carrier wave, with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Alternatively, the program code embodied on a computer readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
In particular implementations, the program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
Furthermore, although the steps of the methods in the present disclosure are depicted in a particular order in the drawings, this does not require or imply that the steps must be performed in that particular order or that all illustrated steps be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
From the description of the above embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following the general principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (12)

1. A trusted security network system, comprising: the system comprises a security client, a security gateway and a zero trust policy control server;
the secure client is used for initiating a session request, wherein the session request is used for requesting to establish a session between the secure client and the opposite terminal equipment;
the security gateway is connected with the security client and used for forwarding the session request to the zero trust policy control server;
the zero trust policy control server is used for carrying out security verification on the session request;
the security gateway is further configured to forward a session request initiated by the secure client to a peer device to establish a session between the secure client and the peer device, where the session request passes security verification and/or the peer device allows the session of the session request to be established.
2. The trusted security network system of claim 1, wherein said trusted security network system further comprises: the application server is used for providing application services and is directly connected with the security gateway through a physical line or connected with the security gateway through an encryption channel; the security gateway and the zero trust policy control server are connected through an encryption channel; the security gateways are connected through an encryption channel; and establishing connection between the security gateway and the security client based on a single-packet authorization SPA authentication mechanism.
3. A method for establishing a trusted secure session, comprising:
receiving a session request initiated by a secure client, wherein the session request is used for requesting to establish a session between the secure client and a peer device;
forwarding the session request to a zero-trust policy control server so that the zero-trust policy control server performs security verification on the session request;
and forwarding the session request initiated by the secure client to the peer device to establish the session between the secure client and the peer device under the condition that the session request passes the security verification and/or the peer device allows the session of the session request to be established.
4. A trusted security session establishment method as claimed in claim 3, wherein before forwarding the session request to a zero trust policy control server for the zero trust policy control server to securely verify the session request, the method further comprises:
receiving terminal environment information reported by the secure client, wherein the terminal environment information is communication environment information of a terminal for installing the secure client;
and forwarding the terminal environment information to the zero trust policy control server so that the zero trust policy control server performs security verification on the session request according to the terminal environment information.
5. The method for establishing a trusted security session as claimed in claim 4, wherein prior to receiving the terminal environment information reported by the secure client, the method further comprises:
receiving an SPA authentication data packet sent by the secure client, wherein the SPA authentication data packet is used for performing SPA authentication on the secure client by a zero trust policy control server;
under the condition that the secure client passes SPA authentication, a gateway service port is opened for the secure client, and a secure channel is established with the secure client;
receiving user identity authentication information sent by the secure client through the secure channel;
forwarding user identity authentication information of the secure client to the zero trust policy control server so that the zero trust policy control server performs identity authentication on the secure client;
and receiving an identity verification result returned by the zero trust policy control server, and forwarding the identity verification result to the security client so that the security client reports the terminal environment information under the condition that the identity verification result is verified.
6. The trusted security session establishment method of claim 3, wherein before receiving the session request initiated by the secure client, the method further comprises:
receiving a domain name resolution request initiated by the secure client;
forwarding the domain name resolution request to the zero trust policy control server;
receiving a domain name resolution result returned by the zero trust policy control server;
and forwarding the domain name resolution result to the secure client, wherein the domain name resolution result is used by the secure client to initiate the session request for establishing a session with the peer device.
7. The trusted security session establishment method of claim 3, wherein after receiving the session request initiated by the secure client, the method further comprises:
judging whether the session request is a new session request;
under the condition that the session request is a new session request, forwarding the session request to the zero trust policy control server so that the zero trust policy control server performs security verification on the session request;
under the condition that the session request passes the security verification, generating session mapping information and a forwarding item;
and forwarding the data packets of the corresponding session according to the session mapping information and the forwarding item.
8. The trusted security session establishment method of claim 7, wherein after generating the session mapping information and the forwarding item, the method further comprises:
deleting the session mapping information and the forwarding item when the session between the secure client and the peer device ends.
9. The trusted security session establishment method according to any one of claims 3 to 8, wherein the peer device is a server providing application services or another secure client.
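The gateway-side session handling of claims 4 and 7 to 8 (new-session check, verification by the zero trust policy control server against reported terminal environment information, creation of a session mapping and forwarding item, and their deletion when the session ends), as an added illustration that is not code from the patent; the class and field names, the policy rules and the sample packets are constructed assumptions:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SessionKey:
    """5-tuple identifying one session (assumed key for the session mapping)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

class ZeroTrustPolicyServer:
    """Stand-in for the zero trust policy control server (assumed behaviour)."""
    def __init__(self, policy):
        self.policy = policy   # client address -> set of allowed "dst:dport"
        self.env = {}          # terminal environment info reported per client

    def report_env(self, client, env):
        self.env[client] = env

    def verify(self, key):
        """Security verification of a new session request (claim 4 inputs)."""
        env = self.env.get(key.src)
        # Constructed rule: an unreported or untrusted terminal is rejected.
        if env is None or not (env.get("patched") and env.get("edr_running")):
            return False
        return f"{key.dst}:{key.dport}" in self.policy.get(key.src, set())

class SecurityGateway:
    def __init__(self, policy_server):
        self.policy_server = policy_server
        self.session_map = {}  # SessionKey -> forwarding item (claim 7)

    def handle_packet(self, pkt):
        key = SessionKey(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        if key not in self.session_map:
            # New session: forward the request to the policy server for verification.
            if not self.policy_server.verify(key):
                return "drop"
            # Verified: generate session mapping information and a forwarding item.
            self.session_map[key] = {"out_if": "wan0", "next_hop": key.dst}
        fwd = self.session_map[key]
        if pkt.get("fin"):
            # Session ended: delete mapping and forwarding item (claim 8).
            del self.session_map[key]
        return f"forward via {fwd['out_if']} to {fwd['next_hop']}"
```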
10. A security gateway, comprising:
a session request receiving module, configured to receive a session request initiated by a secure client, wherein the session request is used to request establishment of a session between the secure client and a peer device;
a session request verification module, configured to forward the session request to a zero trust policy control server so that the zero trust policy control server performs security verification on the session request;
and a session request forwarding module, configured to forward the session request initiated by the secure client to the peer device so as to establish the session between the secure client and the peer device under the condition that the session request passes the security verification and/or the peer device allows the session of the session request to be established.
11. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the trusted security session establishment method of any one of claims 3 to 8 via execution of the executable instructions.
12. A computer readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the trusted security session establishment method of any one of claims 3 to 8.
CN202311638731.4A 2023-12-01 2023-12-01 Trusted security network system, session establishment method and related equipment Pending CN117640211A (en)


Publications (1)

Publication Number Publication Date
CN117640211A true CN117640211A (en) 2024-03-01

Family

ID=90028403



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination