CN117834246A - Traffic identity identification method, traffic identity identification device, zero-trust control center and storage medium - Google Patents


Info

Publication number
CN117834246A
Authority
CN
China
Prior art keywords
zero trust
identity
zero
client
control center
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311855020.2A
Other languages
Chinese (zh)
Inventor
王燃
郭炳梁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Shenxinfu Information Security Co ltd
Original Assignee
Shenzhen Shenxinfu Information Security Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Shenxinfu Information Security Co ltd
Priority to CN202311855020.2A
Publication of CN117834246A


Abstract

Embodiments of the invention belong to the field of computer technology and provide a traffic identity identification method and device, a zero trust control center and a storage medium. The method is applied to the zero trust control center and comprises: receiving an online authentication request sent by a zero trust client; after the zero trust client passes authentication, generating an identity identifier for the zero trust client; and returning an online success message to the zero trust client, the online success message comprising the identity identifier of the zero trust client and instructing the zero trust client to carry the identity identifier in access requests sent to the zero trust proxy gateway.

Description

Traffic identity identification method, traffic identity identification device, zero-trust control center and storage medium
Technical Field
The present invention relates to the field of computer technology, and in particular to a traffic identity identification method and apparatus, a zero trust control center, and a storage medium.
Background
The related art identifies network traffic by the network five-tuple: source Internet Protocol (IP) address, source port, destination IP address, destination port and protocol. Over the full life cycle of a user session, however, the IP address and port may change; an identity based on them then fails, and the identity of the traffic cannot be unified across the full link.
Disclosure of Invention
To solve the above problems, embodiments of the present invention provide a traffic identity identification method, apparatus, device and storage medium that can unify the identity of full-link network traffic.
The technical scheme of the invention is realised as follows:
In one aspect, an embodiment of the present invention provides a traffic identity identification method applied to a zero trust control center, the method comprising:
receiving an online authentication request sent by a zero trust client;
after the zero trust client passes authentication, generating an identity identifier for the zero trust client;
returning an online success message to the zero trust client, the online success message comprising the identity identifier of the zero trust client; the online success message instructs the zero trust client to carry the identity identifier in access requests sent to the zero trust proxy gateway.
In the above scheme, the method further comprises:
receiving a verification request sent by the zero trust proxy gateway, the verification request comprising the identity identifier from an access request; the zero trust proxy gateway sends the verification request to the zero trust control center after receiving an access request from the zero trust client to the application server;
performing a validity check on the identity identifier in the verification request;
if the identity identifier in the verification request passes the validity check, sending a verification success message to the zero trust proxy gateway, the verification success message comprising the identity identifier.
In the above scheme, performing the validity check on the identity identifier in the verification request comprises:
determining whether the identity identifier in the verification request is consistent with the pre-stored identity identifier of the zero trust client;
if they are consistent, the identity identifier in the verification request passes the validity check.
In the above scheme, the method further comprises:
if the identity identifier in the verification request fails the validity check, sending a verification failure message to the zero trust proxy gateway, the verification failure message instructing the zero trust proxy gateway to refuse to forward the access request to the application server.
In another aspect, an embodiment of the invention provides a traffic identity identification method applied to the zero trust client, the method comprising:
sending an online authentication request to a zero trust control center;
receiving an online success message sent by the zero trust control center, the online success message comprising the identity identifier of the zero trust client generated by the zero trust control center;
storing the identity identifier so that it is added to subsequently sent access requests.
In another aspect, an embodiment of the invention provides a traffic identity identification method applied to the zero trust proxy gateway, the method comprising:
receiving an access request sent by a zero trust client for accessing an application server, the access request comprising the identity identifier of the zero trust client;
sending a verification request to a zero trust control center, the verification request comprising the identity identifier from the access request;
if a verification success message sent by the zero trust control center is received, forwarding the access request to the application server.
In the above scheme, the method further comprises:
if a verification failure message sent by the zero trust control center is received, refusing to forward the access request to the application server.
In the above scheme, the method further comprises:
receiving response data sent by the application server;
adding the identity identifier of the zero trust client to the response data;
sending the response data comprising the identity identifier to the zero trust client.
In another aspect, an embodiment of the present invention provides a traffic identity identification device, comprising:
a first receiving module, configured to receive an online authentication request sent by the zero trust client;
a generation module, configured to generate the identity identifier of the zero trust client after the zero trust client passes authentication;
a return module, configured to return an online success message to the zero trust client, the online success message comprising the identity identifier of the zero trust client; the online success message instructs the zero trust client to carry the identity identifier in access requests sent to the zero trust proxy gateway.
In another aspect, an embodiment of the invention provides a traffic identity identification device, comprising:
a first sending module, configured to send an online authentication request to the zero trust control center;
a second receiving module, configured to receive an online success message sent by the zero trust control center, the online success message comprising the identity identifier of the zero trust client generated by the zero trust control center;
a storage module, configured to store the identity identifier so that it is added to subsequently sent access requests.
In another aspect, an embodiment of the invention provides a traffic identity identification device, comprising:
a third receiving module, configured to receive an access request sent by the zero trust client for accessing the application server, the access request comprising the identity identifier of the zero trust client;
a second sending module, configured to send a verification request to the zero trust control center, the verification request comprising the identity identifier from the access request;
a forwarding module, configured to forward the access request to the application server if a verification success message sent by the zero trust control center is received.
In another aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program; when the computer program is executed by a processor, the steps of the traffic identity identification method provided by the embodiments of the invention are realised.
In the embodiments provided by this application, the zero trust control center receives an online authentication request sent by the zero trust client and, after the zero trust client passes authentication, generates the identity identifier of the zero trust client. It returns an online success message to the zero trust client; the message comprises the identity identifier and instructs the zero trust client to carry the identifier in access requests sent to the zero trust proxy gateway. Thus when the zero trust client comes online, the zero trust control center generates its identity identifier, and the zero trust client carries that identifier in subsequent access requests to mark the identity of the access traffic. In this way the embodiments unify the identity of full-link traffic in the zero trust system: when the system fails, for example, the failure can be rapidly checked and traced by the identifier in the traffic, and the unified traffic identity helps the enterprise understand user behaviour and system operation.
Drawings
FIG. 1 is a schematic diagram of a zero trust system architecture according to an embodiment of the present invention;
FIG. 2 is a schematic implementation flow chart of a traffic identity identification method according to an embodiment of the present invention;
FIG. 3 is a schematic flow chart of another implementation of a traffic identity identification method according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart of another implementation of a traffic identity identification method according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a full-link identity identifier transfer procedure according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the flow of transferring a full-link identity identifier between zero trust internal services according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a traffic identity identification device according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of another traffic identity identification device according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of another traffic identity identification device according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of a zero trust control center according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of a zero trust client according to an embodiment of the present invention;
FIG. 12 is a schematic diagram of a zero trust proxy gateway according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Zero trust is a network architecture whose core idea is "never trust, always verify": the enterprise should not trust any person, device or system inside or outside its network, and should verify every person, device or system attempting to access the enterprise system before granting authorisation.
The zero trust system comprises a zero trust client, a zero trust control center and a zero trust proxy gateway.
Zero trust client: provides terminal security detection capability, collecting the current environment of the accessing terminal (for example operating system, firewall, antivirus software and application processes) and reporting it to the zero trust control center for policy management and trust evaluation. When the end user comes online, the zero trust client establishes a virtual tunnel with the zero trust proxy gateway and forwards the user's service access requests to the zero trust proxy gateway to realise service access.
Zero trust control center: responsible for user authentication, authorisation, and policy management and issuance; it is the overall scheduling and management center, and controls the establishment and teardown of the communication connection between the subject (user) and the object (application) by sending control commands to the gateway.
Zero trust proxy gateway: responsible for establishing, monitoring and cutting off the connection between the accessing subject (user) and the object (application). It communicates with the zero trust control center, from which it receives policies and instructions.
In the zero trust system architecture, the system offers the zero trust client several access protocol types, for example: single packet authorization (SPA) protocols (over User Datagram Protocol (UDP) and Transmission Control Protocol (TCP)), tunneling protocols, Hypertext Transfer Protocol Secure (HTTPS) interface protocols, internal Remote Procedure Call (RPC) interfaces, and the like. These protocol flows are initiated by the client, transmitted over the network into the zero trust system, and then forwarded to component facilities, upstream systems and so on within the system; this covers both north-south link traffic within a device and east-west link traffic between devices (for example, proxy gateway to control center, or proxy gateway to upstream service system).
FIG. 1 is a schematic architecture diagram of a zero trust system according to an embodiment of the present invention. As shown in FIG. 1, the zero trust system comprises a zero trust client, a zero trust control center and a zero trust proxy gateway.
By traffic scenario, the protocol traffic includes:
1) Traffic on the authentication link (for example the SPA protocol and the HTTPS interface authentication protocol), which is processed by the zero trust control center and answered to the zero trust client.
2) Traffic on the resource access link (for example the tunnel protocol and the HTTPS interface reporting protocol), which the zero trust proxy gateway proxies to the upstream system (for example an application server); the upstream system's response traffic then returns to the zero trust client through the zero trust proxy gateway.
Traffic between the internal services of the zero trust system, namely RPC calls, likewise belongs to the link traffic of 1) and 2) above.
In flexible zero trust deployment scenarios (such as multi-active deployments and multiple data centers in different locations) and full-service traffic proxying, many complex and unordered protocol flows naturally exist. This causes the following problems:
1) Troubleshooting is difficult after a zero trust system fault.
2) Tracing is difficult after a security event occurs.
3) The overall attack defence effect of the zero trust system is poorly visualised.
The related art identifies network traffic by the source IP address, source port, destination IP address, destination port and protocol of the network five-tuple. This identity depends on the IP address, the port and the protocol, and the IP address and port may change over the full life cycle of the user; the IP and port identity is lost once the traffic has been relayed across the network and passed through network address translation; and once the zero trust proxy gateway has proxied the traffic, an identity based on IP and port is meaningless to the upstream server.
The related art also uses a log traceID (tracking number) to identify network traffic: the zero trust device assigns a traceID to each request from the client, passes the traceID between services, and chains the traffic contexts together through the logs. The log traceID has the following drawbacks:
1. It lacks an identity at the traffic level, so third-party devices cannot perform correlation analysis.
2. The zero trust system comprises a zero trust client, a zero trust control center and a zero trust proxy gateway, and the traceID cannot unify the identity across all links.
3. It is harder to support transferring the identity of east-west traffic; for example, the identity may be lost from the control center to the proxy gateway, and from the proxy gateway to the upstream system.
Addressing the defects of the related art, embodiments of the invention provide a traffic identity identification method that can unify the identity of full-link traffic. The technical scheme of the invention is described below by way of specific examples.
FIG. 2 is a schematic implementation flow chart of a traffic identity identification method according to an embodiment of the present invention; the method is applied to a zero trust control center, which may be a server. Referring to FIG. 2, the traffic identity identification method comprises:
S201, receiving an online authentication request sent by a zero trust client.
In practice, when a user logs in at a zero trust client, the zero trust client first performs SPA knocking with the zero trust control center; the knock packet it sends contains a temporary random id generated by the zero trust client, and after the knock succeeds the zero trust control center returns an SPA knock success message to the zero trust client. The zero trust client can then send an online authentication request to the zero trust control center.
The online authentication request sent by the zero trust client also comprises the random id, and may comprise terminal information and user information (such as an account and a password) of the zero trust client. The zero trust control center authenticates the online authentication request, for example by verifying whether the account and password are correct and whether they match the user identity.
S202, after the zero trust client passes authentication, generating the identity identifier of the zero trust client.
If the zero trust client passes authentication, the zero trust control center generates a unique identity identifier for it; for example, the control center may use the terminal's unique identifier as a key input to the identifier generation algorithm and store the identifier in association with the user session of the zero trust client.
S203, returning an online success message to the zero trust client, the online success message comprising the identity identifier of the zero trust client; the online success message instructs the zero trust client to carry the identity identifier in access requests sent to the zero trust proxy gateway.
The zero trust control center returns an online success message to the zero trust client, which informs the client to replace the initial random id; the zero trust client stores the identifier locally in encrypted form and uses it in its requests for the duration of the online period.
For example, when the user accesses an application through the zero trust client, the application access request it sends must carry the identity identifier. The zero trust proxy gateway receives the application access request sent by the zero trust client, extracts the identity identifier from it, and sends the identifier to the zero trust control center for verification, thereby checking its validity. Once verification passes, the zero trust proxy gateway can forward the application service request to the application server.
The scheme marks the identity identifier (ID) onto the protocol, realises identity identification of full-link traffic, accords with the zero trust concept of identity, and can further increase the competitiveness of the product.
In the embodiments provided by this application, the zero trust control center receives an online authentication request sent by the zero trust client and, after the zero trust client passes authentication, generates the identity identifier of the zero trust client. It returns an online success message to the zero trust client; the message comprises the identity identifier and instructs the zero trust client to carry the identifier in access requests sent to the zero trust proxy gateway. When the zero trust client comes online, the zero trust control center generates its identity identifier, and the zero trust client carries that identifier in subsequent access requests to mark the identity of the access traffic. In this way the embodiments unify the identity of full-link traffic in the zero trust system: when the system fails, the failure can be rapidly traced by the identifier in the traffic, and identifying the traffic helps the enterprise understand user behaviour and system operation.
In an embodiment, the method further comprises:
receiving a verification request sent by the zero trust proxy gateway, the verification request comprising the identity identifier from an access request; the zero trust proxy gateway sends the verification request to the zero trust control center after receiving an access request from the zero trust client to the application server;
performing a validity check on the identity identifier in the verification request;
if the identity identifier in the verification request passes the validity check, sending a verification success message to the zero trust proxy gateway, the verification success message comprising the identity identifier.
Here, the zero trust proxy gateway receives an access request from the zero trust client for accessing the application server; the access request carries the identity identifier of the zero trust client, and the gateway sends a verification request to the zero trust control center based on that identifier. The zero trust control center performs a validity check on the identifier in the verification request, because the identifier in an access request is not necessarily legitimate and carries the risk of forgery or tampering; the data sent to the zero trust control center therefore has to be checked for validity. If the identifier passes the validity check, a verification success message is sent to the zero trust proxy gateway, informing it to forward the access request to the application server.
In an embodiment, if the identity identifier in the verification request fails the validity check, a verification failure message is sent to the zero trust proxy gateway; the verification failure message instructs the zero trust proxy gateway to refuse to forward the access request to the application server.
In this embodiment, the zero trust control center checks the identity identifier in the access request, so malicious attack behaviour can be identified and system security is enhanced.
In an embodiment, performing the validity check on the identity identifier in the verification request comprises:
determining whether the identity identifier in the verification request is consistent with the pre-stored identity identifier of the zero trust client;
if they are consistent, the identity identifier in the verification request passes the validity check.
FIG. 3 is a schematic implementation flow chart of a traffic identity identification method according to an embodiment of the present invention; the method is applied to a zero trust client. Referring to FIG. 3, the traffic identity identification method comprises:
S301, sending an online authentication request to a zero trust control center.
Here, the online authentication request may comprise a temporary identity id.
S302, receiving an online success message sent by the zero trust control center, the online success message comprising the identity identifier of the zero trust client generated by the zero trust control center.
S303, storing the identity identifier so that it is added to subsequently sent access requests.
The online success message sent by the zero trust control center comprises the identity identifier of the zero trust client generated by the zero trust control center; the zero trust client stores the identifier locally in encrypted form and uses it in its requests for the duration of the online period.
FIG. 4 is a schematic implementation flow chart of a traffic identity identification method according to an embodiment of the present invention; the method is applied to a zero trust proxy gateway. Referring to FIG. 4, the traffic identity identification method comprises:
S401, receiving an access request sent by a zero trust client for accessing an application server, the access request comprising the identity identifier of the zero trust client;
S402, sending a verification request to a zero trust control center, the verification request comprising the identity identifier from the access request;
S403, if a verification success message sent by the zero trust control center is received, forwarding the access request to the application server.
Before sending an access request, the user must perform SPA knocking to the zero trust proxy gateway; the knock packet carries the identity identifier of the zero trust client. After receiving the knock success message from the zero trust proxy gateway, the client can send the access request.
The zero trust proxy gateway receives the access request from the zero trust client for accessing the application server; the access request carries the identity identifier of the zero trust client, and the gateway sends a verification request to the zero trust control center based on that identifier. The zero trust control center performs a validity check on the identifier in the verification request, because the identifier in an access request is not necessarily legitimate and carries the risk of forgery or tampering; the data sent to the zero trust control center therefore has to be checked for validity. If the identifier passes the validity check, a verification success message is sent to the zero trust proxy gateway, informing it to forward the access request to the application server.
In an embodiment, the method further comprises:
if a verification failure message sent by the zero trust control center is received, refusing to forward the access request to the application server.
By having the zero trust control center check the identity identifier in the access request, malicious attack behaviour can be identified and system security is enhanced.
In an embodiment, the method further comprises:
receiving response data sent by the application server;
adding the identity identifier of the zero trust client to the response data;
sending the response data comprising the identity identifier to the zero trust client.
Response data sent by the application server does not carry the identity identifier of the zero trust client. To unify the identity id across the full link, the proxy gateway adds the identifier of the zero trust client to the application server's response data and then sends the response data to the zero trust client.
In one embodiment, after the end user logs off (goes offline), the zero trust control center clears the end user session and the full-link identity identifier, and the end user's client clears the locally stored full-link identity identifier.
Marking the identity ID onto the protocol realises identity identification of full-link traffic and accords with the zero trust concept of identity; it can further increase the competitiveness of the product and solves the following problems under the zero trust architecture:
1) When the system fails, the full-link identity marking helps a developer analyse the complete path of a request and quickly locate the cause of the failure and the specific module.
2) Through identification and visualisation of the traffic, the enterprise is helped to analyse the data and understand user behaviour and system operation.
3) If a security event occurs, auditing and tracing in the upstream system and in the zero trust devices are also facilitated.
To add the identity identifier to traffic: for the TCP protocol, the Option field of the TCP header, which carries optional information, can be used to transfer the link identity identifier; for the HTTP/HTTPS protocols, the identifier is inserted as a field of the HTTP protocol header.
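As an added illustration of the two carriers named above (not code from the patent or its assignee), the following Python encodes and parses the identifier as a TCP option and as an HTTP header field. It assumes a TCP experimental option (kind 254, RFC 6994 shared-option format) with a constructed ExID and an assumed header name `X-ZT-Link-Id`; the patent names neither the option kind nor the header. The example also shows the check a gateway needs before inserting: the identifier must be header-safe, and any copy already present in the message is replaced so exactly one value reaches the upstream.

```python
import re
import struct
from typing import Dict, Optional

# Assumptions, not from the patent: the link id rides in a TCP experimental option
# (kind 254, RFC 6994 shared-option format) with a constructed ExID, and in an HTTP
# header named X-ZT-Link-Id.
LINK_ID_OPTION_KIND = 254
LINK_ID_EXID = 0x5A54                # constructed placeholder ExID
LINK_ID_HEADER = b"x-zt-link-id"     # constructed header name (compared case-insensitively)
MAX_TCP_OPTIONS = 40                 # a TCP header allows at most 40 bytes of options
LINK_ID_RE = re.compile(rb"[A-Za-z0-9_-]{1,64}")


def check_link_id(link_id: bytes) -> bytes:
    """Only accept ids that cannot carry CR/LF or separators into a header or option."""
    if not LINK_ID_RE.fullmatch(link_id):
        raise ValueError("link id contains characters unsafe for header insertion")
    return link_id


def encode_link_id_option(link_id: bytes) -> bytes:
    """kind(1) length(1) ExID(2) data: the option a client or gateway appends."""
    check_link_id(link_id)
    length = 4 + len(link_id)
    if length > MAX_TCP_OPTIONS:
        raise ValueError("link id does not fit in the TCP options area")
    return struct.pack("!BBH", LINK_ID_OPTION_KIND, length, LINK_ID_EXID) + link_id


def parse_tcp_options(options: bytes) -> Dict[object, bytes]:
    """Walk a TCP options area. Standard options key by kind; experimental by (kind, ExID)."""
    found: Dict[object, bytes] = {}
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                         # EOL: nothing further
            break
        if kind == 1:                         # NOP: single byte, no length
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        data = options[i + 2:i + length]
        if kind in (253, 254):
            if len(data) < 2:
                raise ValueError("experimental option without ExID")
            found[(kind, struct.unpack("!H", data[:2])[0])] = data[2:]
        else:
            found[kind] = data
        i += length
    return found


def link_id_from_tcp_options(options: bytes) -> Optional[bytes]:
    """The gateway-side lookup: None when the option is absent."""
    return parse_tcp_options(options).get((LINK_ID_OPTION_KIND, LINK_ID_EXID))


def insert_link_id_header(raw_http: bytes, link_id: bytes) -> bytes:
    """Set the id header on a raw HTTP message, replacing any copy already present."""
    check_link_id(link_id)
    head, sep, body = raw_http.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    kept = [h for h in lines[1:] if h.split(b":", 1)[0].strip().lower() != LINK_ID_HEADER]
    kept.append(b"X-ZT-Link-Id: " + link_id)
    return b"\r\n".join([lines[0]] + kept) + b"\r\n\r\n" + body


def link_id_from_http(raw_http: bytes) -> Optional[bytes]:
    """Read the id header back from a raw HTTP request or response."""
    head = raw_http.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == LINK_ID_HEADER:
            return value.strip()
    return None
```

The same insertion routine serves both directions in the flow: the gateway stamps the identifier onto the forwarded request and, because the upstream response carries no identifier of its own, onto the response before it goes back to the client.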
Embodiments of this application may be applied to various types of products, including but not limited to zero trust access control (Software Defined Perimeter, SDP) products, Zero Trust Network Access (ZTNA) products and Virtual Private Network (VPN) products.
FIG. 5 is a schematic diagram of a full-link identity identifier transfer procedure according to an embodiment of the present invention. As shown in FIG. 5, the procedure comprises two phases: the user logging in at the client, and the user accessing an application.
The user login phase comprises the following steps:
1. The zero trust client performs SPA knocking to the zero trust control center (the protocol carries terminal random id 1);
2. The zero trust control center returns an SPA knock success message;
3. The zero trust client sends a user authentication online request to the zero trust control center (the protocol carries terminal random id 1);
4. After the user passes authentication, the zero trust control center generates end user link id 2 and locally maintains the relation between the user session and link id 2;
5. The zero trust control center returns a user online success message to the zero trust client (the protocol carries end user link id 2).
The user access application phase comprises the following steps:
1. The zero trust client performs SPA knocking to the zero trust proxy gateway (the protocol carries end user link id 2);
2. The zero trust proxy gateway returns an SPA knock success message;
3. The user accesses application A (the protocol carries end user link id 2);
4. The zero trust proxy gateway requests authentication of the user for application A from the zero trust control center (the protocol carries end user link id 2);
5. The zero trust control center sends an authentication-passed message for the user and application A to the zero trust proxy gateway (the protocol carries end user link id 2);
here, this authentication is the validity check of end user link id 2 described in the embodiments above.
6. The zero trust proxy gateway forwards the user's traffic for application A to application server A (the protocol carries end user link id 2);
7. Application server A responds with data;
8. The zero trust proxy gateway obtains end user link id 2;
9. The zero trust proxy gateway forwards the response data of application server A to the zero trust client (the protocol carries end user link id 2).
Fig. 6 is a schematic diagram of a transfer flow of the full-link identity between zero trust internal services according to an embodiment of the present invention. As shown in Fig. 6, the transfer flow includes:
service process A sends an RPC call (the protocol contains end user link id2) to service process B;
service process B returns the RPC call response result to service process A.
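The two-phase procedure of Fig. 5, the internal RPC transfer of Fig. 6 and the logoff clearing described earlier, as an added Python simulation that is not code from the patent or the applicant: the control center issues end user link id2 when the user comes online, keeps the session-to-id2 relation, and checks the id2 presented by the gateway against the prestored value; the gateway forwards only after the check passes and re-attaches id2 to the response; service A passes id2 through its RPC to service B; on logoff the control center and the client both drop id2. All class and message names are constructed for the example, SPA knocking is reduced to a request/acknowledgement pair and credential checking to a boolean, because the patent specifies neither.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Message:
    """Constructed protocol message; link_id is the identity the protocol carries
    (terminal random id1 during login, end user link id2 afterwards)."""
    kind: str
    link_id: Optional[str] = None
    payload: dict = field(default_factory=dict)


class ControlCenter:
    """Zero trust control center: issues id2, keeps session <-> id2, verifies ids."""
    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}                  # end user link id2 -> session
        self.audit: List[Tuple[str, Optional[str]]] = []    # (event, identity) trail

    def spa_knock(self, msg: Message) -> Message:
        self.audit.append(("spa", msg.link_id))              # knock carries terminal random id1
        return Message("spa_ok")

    def online(self, msg: Message, credentials_ok: bool) -> Message:
        if not credentials_ok:
            return Message("online_fail")                     # no identity issued on failure
        link_id2 = secrets.token_hex(16)                      # unguessable id bound to the session
        self.sessions[link_id2] = {"user": msg.payload["user"], "terminal_id": msg.link_id}
        self.audit.append(("online", link_id2))
        return Message("online_ok", link_id=link_id2)

    def verify(self, msg: Message) -> Message:
        presented = msg.link_id or ""
        # Validity check: is the presented id consistent with a prestored id2? The
        # constant-time compare keeps response time from revealing how much of a guess matched.
        ok = presented.isascii() and any(hmac.compare_digest(s, presented) for s in self.sessions)
        self.audit.append(("verify_ok" if ok else "verify_fail", presented))
        return Message("verify_ok" if ok else "verify_fail", link_id=presented)

    def logoff(self, link_id2: Optional[str]) -> None:
        self.sessions.pop(link_id2, None)                     # session and its id2 cleared together
        self.audit.append(("logoff", link_id2))


class ServiceB:
    def rpc(self, call: Message) -> Message:                  # RPC response echoes the caller's id2
        return Message("rpc_resp", link_id=call.link_id, payload={"upper": call.payload["text"].upper()})


class ServiceA:
    """Internal service A: handles application traffic and calls B over RPC, passing id2 on."""
    def __init__(self, b: ServiceB) -> None:
        self.b, self.seen = b, []                              # seen: id2 of every handled request

    def handle(self, req: Message) -> Message:
        self.seen.append(req.link_id)
        resp = self.b.rpc(Message("rpc_call", link_id=req.link_id, payload=req.payload))
        return Message("app_resp", link_id=resp.link_id, payload=resp.payload)


class Gateway:
    """Zero trust proxy gateway: checks id2 with the control center before forwarding."""
    def __init__(self, cc: ControlCenter, apps: Dict[str, ServiceA]) -> None:
        self.cc, self.apps = cc, apps

    def spa_knock(self, msg: Message) -> Message:
        return Message("spa_ok")

    def handle(self, req: Message) -> Message:
        verdict = self.cc.verify(Message("verify_req", link_id=req.link_id))
        if verdict.kind != "verify_ok":                       # verification failed: refuse to forward
            return Message("denied", payload={"reason": "identity check failed"})
        resp = self.apps[req.payload["app"]].handle(req)     # forwarded traffic carries id2
        resp.link_id = req.link_id                            # gateway adds id2 to the response data
        return resp


class Client:
    """Zero trust client: knocks, goes online, stores id2 and adds it to every request."""
    def __init__(self, user: str, cc: ControlCenter, gw: Gateway) -> None:
        self.user, self.cc, self.gw = user, cc, gw
        self.terminal_id = secrets.token_hex(8)               # terminal random id1
        self.link_id: Optional[str] = None                    # end user link id2, set when online

    def login(self, credentials_ok: bool = True) -> bool:
        self.cc.spa_knock(Message("spa", link_id=self.terminal_id))
        req = Message("online_req", link_id=self.terminal_id, payload={"user": self.user})
        resp = self.cc.online(req, credentials_ok)
        self.link_id = resp.link_id if resp.kind == "online_ok" else None
        return self.link_id is not None

    def access(self, app: str, text: str) -> Message:
        self.gw.spa_knock(Message("spa", link_id=self.link_id))
        return self.gw.handle(Message("access", link_id=self.link_id, payload={"app": app, "text": text}))

    def logoff(self) -> None:
        self.cc.logoff(self.link_id)                          # control center clears session + id2
        self.link_id = None                                   # client clears its local copy


def build_demo() -> Tuple[ControlCenter, Gateway, Client]:
    """Wire one control center, one gateway fronting application A, and one client."""
    cc = ControlCenter()
    gw = Gateway(cc, {"A": ServiceA(ServiceB())})
    return cc, gw, Client("alice", cc, gw)
```

The audit list on the control center is what the marking buys operationally: every knock, online, verify and logoff event is recorded with the identity, so a request can be followed from terminal to application server and back, including the internal hop from service A to service B. A forged or stale id2 fails at verify and is refused before any traffic reaches the application, which is the case the patent's verification failure message covers.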
Therefore, the scheme marks the identity id on the protocol, realizes the identification of full-link traffic, conforms to the zero trust concept of identity, and can further increase the competitiveness of the product.
It should be understood that the sequence numbers of the steps in the foregoing embodiments do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not limit the implementation process of the embodiments of the present invention.
It should be understood that the terms "comprises" and "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The technical schemes described in the embodiments of the present invention may be arbitrarily combined without any collision.
In addition, in the embodiments of the present invention, "first", "second", etc. are used to distinguish similar objects and are not necessarily used to describe a particular order or precedence.
Fig. 7 is a schematic diagram of a traffic identity identifier device according to an embodiment of the present invention, where the device includes:
the first receiving module is used for receiving an online authentication request sent by the zero trust client;
the generation module is used for generating the identity of the zero trust client after the authentication of the zero trust client is passed;
the return module is used for returning an online success message to the zero trust client, wherein the online success message comprises the identity of the zero trust client; the online success message is used for indicating that the zero trust client carries the identity in an access request sent to the zero trust proxy gateway.
In an embodiment, the device further comprises:
the verification request receiving module is used for receiving a verification request sent by the zero trust proxy gateway, wherein the verification request comprises an identity identifier in an access request; the zero trust proxy gateway sends the verification request to the zero trust control center after receiving the access request of the zero trust client to the application server;
the validity checking module is used for performing a validity check on the identity in the verification request;
the verification message sending module is used for sending a verification success message to the zero trust proxy gateway if the identity in the verification request passes the validity check; the verification success message comprises the identity.
In an embodiment, the validity checking module is specifically configured to: determine whether the identity in the verification request is consistent with the prestored identity of the zero trust client; if they are consistent, the identity in the verification request passes the validity check.
In an embodiment, the verification message sending module is further configured to send a verification failure message to the zero trust proxy gateway if the identity in the verification request fails to pass the validity verification, where the verification failure message is used to instruct the zero trust proxy gateway to refuse to forward the access request to the application server.
Fig. 8 is a schematic diagram of another traffic identity device according to an embodiment of the present invention, where the device includes:
the first sending module is used for sending an online authentication request to the zero trust control center;
the second receiving module is used for receiving an online success message sent by the zero trust control center, wherein the online success message comprises the identity of the zero trust client generated by the zero trust control center;
and the storage module is used for storing the identity so as to add the identity to subsequently sent access requests.
Fig. 9 is a schematic diagram of another traffic identity device according to an embodiment of the present invention, where the device includes:
the third receiving module is used for receiving an access request which is sent by the zero trust client and is used for accessing the application server; the access request comprises the identity of the zero trust client;
the second sending module is used for sending a verification request to the zero trust control center, wherein the verification request comprises an identity identifier in the access request;
and the forwarding module is used for forwarding the access request to the application server if the verification success message sent by the zero trust control center is received.
In an embodiment, the device further comprises:
and the rejecting module is used for rejecting forwarding the access request to the application server if the check failure message sent by the zero trust control center is received.
In an embodiment, the device further comprises:
the response data receiving module is used for receiving response data sent by the application server;
the identification adding module is used for adding the identification of the zero trust client in the response data;
and the response data sending module is used for sending the response data comprising the identity to the zero trust client.
In practice, the first receiving module, the generating module and the accessing module may be implemented by a processor in the zero trust control center, such as a central processing unit (CPU, Central Processing Unit), a digital signal processor (DSP, Digital Signal Processor), a micro control unit (MCU, Microcontroller Unit) or a programmable gate array (FPGA, Field-Programmable Gate Array). The first sending module, the second sending module, the first receiving module, the second receiving module and the third receiving module may likewise be implemented by a processor in a zero trust control center.
It should be noted that when the traffic identification device provided in the above embodiment performs traffic identification, the division into the above modules is only used for illustration; in practical application, the processing may be distributed among different modules as needed, that is, the internal structure of the device may be divided into different modules so as to complete all or part of the processing described above. In addition, the traffic identification device provided in the above embodiment and the traffic identification method embodiment belong to the same concept; the specific implementation process is detailed in the method embodiment and is not repeated here.
The traffic identification device may take the form of an image file, which, once executed, can run as a container or a virtual machine so as to realize the traffic identification method. Of course, the device is not limited to the image file form; any software form capable of implementing the traffic identification method described in this application is within the protection scope of this application.
Based on the hardware implementation of the program modules, and in order to implement the method of the embodiment of the application, the embodiment of the application also provides a zero trust control center. Fig. 10 is a schematic diagram of a hardware composition structure of a zero trust control center according to an embodiment of the present application, where, as shown in fig. 10, the zero trust control center includes:
A communication interface capable of information interaction with other devices such as a zero trust client;
and the processor is connected with the communication interface to realize information interaction with other equipment and is used for executing the method provided by one or more technical schemes on the zero trust control center side when running the computer program. And the computer program is stored on the memory.
The memory in the embodiments of the present application is used to store various types of data to support the operation of a zero trust control center. Examples of such data include: any computer program for operating on a zero trust control center.
Of course, in practice, the various components in the zero trust control center are coupled together by a bus system. It will be appreciated that a bus system is used to enable connected communications between these components. The bus system includes a power bus, a control bus, and a status signal bus in addition to the data bus. But for clarity of illustration the various buses are labeled as bus systems in fig. 10.
The embodiment of the application further provides a zero-trust client, fig. 11 is a schematic diagram of a hardware composition structure of the zero-trust client in the embodiment of the application, and as shown in fig. 11, the zero-trust client includes:
A communication interface capable of information interaction with other devices such as a zero trust control center;
and the processor is connected with the communication interface to realize information interaction with other equipment and is used for executing the method provided by one or more technical schemes on the zero trust client side when the computer program is run. And the computer program is stored on the memory.
Of course, in actual practice, the components in the zero trust client are coupled together by a bus system. It will be appreciated that a bus system is used to enable connected communications between these components. The bus system includes a power bus, a control bus, and a status signal bus in addition to the data bus. But for clarity of illustration the various buses are labeled as bus systems in fig. 11.
The embodiment of the present application further provides a zero trust proxy gateway, and fig. 12 is a schematic diagram of the zero trust proxy gateway provided by an embodiment of the present invention, as shown in fig. 12, where the zero trust proxy gateway includes:
a communication interface capable of information interaction with other devices such as a zero trust control center;
and the processor is connected with the communication interface to realize information interaction with other equipment and is used for executing the method provided by one or more technical schemes on the zero trust proxy gateway side when running the computer program. And the computer program is stored on the memory.
Of course, in practical application, the components in the zero trust proxy gateway are coupled together by a bus system. It will be appreciated that a bus system is used to enable connected communications between these components. The bus system includes a power bus, a control bus, and a status signal bus in addition to the data bus. But for clarity of illustration the various buses are labeled as bus systems in fig. 12.
The zero trust control center can take a cluster form, for example a cloud computing platform. A cloud computing platform is a service form that organizes the physical hardware resources of a plurality of independent servers into pooled resources using computing, network and storage virtualization technologies; built on the development of virtualization technology, it defines resources in software and can provide resource capacity in the form of virtual machines, containers and the like. It has the characteristics of flexibility, elasticity, distribution, multi-tenancy and on-demand provisioning, and, by eliminating the fixed relation between hardware and operating system, relying on network-based unified resource scheduling, and then providing the required virtual resources and services, it constitutes a new IT (information technology) and software delivery mode.
Current cloud computing platforms support several service modes:
SaaS (Software as a Service): the cloud computing platform user does not purchase the software but rents software deployed on the cloud computing platform; the user does not need to maintain the software, and the software service provider has full authority to manage and maintain it;
PaaS (Platform as a Service): a cloud computing platform user (typically a software developer in this case) may build new applications on the architecture provided by the cloud computing platform, or extend existing applications, without having to purchase development, quality control or production servers;
IaaS (Infrastructure as a Service): the cloud computing platform provides data centers, infrastructure hardware and software resources through the internet; a cloud computing platform in the IaaS mode can provide servers, operating systems, disk storage, databases and/or information resources.
It will be appreciated that the memory can be either volatile memory or nonvolatile memory, and can include both volatile and nonvolatile memory. The nonvolatile memory may be a read only memory (ROM, Read Only Memory), a programmable read only memory (PROM, Programmable Read-Only Memory), an erasable programmable read only memory (EPROM, Erasable Programmable Read-Only Memory), an electrically erasable programmable read only memory (EEPROM, Electrically Erasable Programmable Read-Only Memory), a magnetic random access memory (FRAM, ferromagnetic random access memory), a flash memory (Flash Memory), a magnetic surface memory, an optical disk, or a compact disc read-only memory (CD-ROM, Compact Disc Read-Only Memory); the magnetic surface memory may be a disk memory or a tape memory. The volatile memory may be a random access memory (RAM, Random Access Memory) that acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as static random access memory (SRAM, Static Random Access Memory), synchronous static random access memory (SSRAM, Synchronous Static Random Access Memory), dynamic random access memory (DRAM, Dynamic Random Access Memory), synchronous dynamic random access memory (SDRAM, Synchronous Dynamic Random Access Memory), double data rate synchronous dynamic random access memory (DDR SDRAM, Double Data Rate Synchronous Dynamic Random Access Memory), enhanced synchronous dynamic random access memory (ESDRAM, Enhanced Synchronous Dynamic Random Access Memory), synchronous link dynamic random access memory (SLDRAM, SyncLink Dynamic Random Access Memory), and direct memory bus random access memory (DRRAM, Direct Rambus Random Access Memory). The memory described in the embodiments of the present application is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the embodiments of the present application may be applied to a processor or implemented by a processor. The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The processor may be a general purpose processor, DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly embodied in a hardware decoding processor or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium having a memory, and the processor reads the program in the memory and performs the steps of the method in combination with its hardware.
Optionally, when the processor executes the program, a corresponding flow implemented by the zero trust control center in each method of the embodiments of the present application is implemented, and for brevity, a description is omitted herein.
In an exemplary embodiment, a storage medium, i.e. a computer storage medium, in particular a computer readable storage medium, is provided, for example, including a first memory storing a computer program, where the computer program is executable by a processor to perform the steps of the foregoing traffic identification method.
The embodiment of the application also provides a computer storage medium, which comprises a second memory for storing a computer program, wherein the computer program can be executed by a processor to complete the steps of the flow identification method.
The computer readable storage medium may be FRAM, ROM, PROM, EPROM, EEPROM, flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus, device and method may be implemented in other manners. The device embodiments described above are only illustrative; for example, the division of the units is only one logical function division, and there may be other divisions in practice, such as: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling, direct coupling or communicative connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communicative connection between devices or units may be electrical, mechanical or in other forms.
The units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware associated with program instructions, where the foregoing program may be stored in a computer readable storage medium, and when executed, the program performs steps including the above method embodiments; and the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.
Alternatively, the integrated units described above may be stored in a computer readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially or partially contributing to the related art, and the computer software product may be stored in a storage medium, and include several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.
The technical solutions described in the embodiments of the present application may be arbitrarily combined without any conflict.
In addition, in the examples of this application, "first," "second," etc. are used to distinguish similar objects and not necessarily to describe a particular order or sequence.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (15)

1. The traffic identification method is applied to a zero trust control center and is characterized by comprising the following steps:
receiving an online authentication request sent by a zero trust client;
after the authentication of the zero trust client passes, generating an identity of the zero trust client;
returning an online success message to the zero trust client, wherein the online success message comprises an identity of the zero trust client; the online success message is used for indicating that the zero trust client carries the identity in an access request sent to the zero trust proxy gateway.
2. The method of claim 1, wherein the method further comprises:
receiving a verification request sent by the zero trust proxy gateway, wherein the verification request comprises an identity in an access request; the zero trust proxy gateway sends the verification request to the zero trust control center after receiving the access request of the zero trust client to the application server;
performing a validity check on the identity in the verification request;
if the identity in the verification request passes the validity verification, sending a verification success message to the zero trust proxy gateway; the verification success message comprises the identity.
3. The method of claim 2, wherein performing the validity check on the identity in the verification request comprises:
determining whether the identity in the verification request is consistent with the prestored identity of the zero-trust client;
if they are consistent, the identity in the verification request passes the validity check.
4. The method of claim 2, wherein the method further comprises:
and if the identity in the verification request fails to pass the validity verification, sending a verification failure message to the zero trust proxy gateway, wherein the verification failure message is used for indicating the zero trust proxy gateway to refuse to forward the access request to the application server.
5. A traffic identification method applied to a zero-trust client, comprising:
sending an online authentication request to a zero trust control center;
receiving an online success message sent by the zero trust control center, wherein the online success message comprises an identity of the zero trust client generated by the zero trust control center;
and storing the identity so as to add the identity to subsequently sent access requests.
6. A traffic identification method applied to a zero trust proxy gateway, comprising:
receiving an access request sent by a zero trust client for accessing an application server; the access request comprises the identity of the zero trust client;
sending a verification request to a zero trust control center, wherein the verification request comprises an identity in the access request;
and if the verification success message sent by the zero trust control center is received, forwarding the access request to the application server.
7. The method of claim 6, wherein the method further comprises:
and if the verification failure message sent by the zero trust control center is received, refusing to forward the access request to the application server.
8. The method of claim 6, wherein the method further comprises:
receiving response data sent by the application server;
adding the identity of the zero trust client in the response data;
and sending the response data comprising the identity mark to the zero trust client.
9. A traffic identification device, comprising:
the first receiving module is used for receiving an online authentication request sent by the zero trust client;
The generation module is used for generating the identity of the zero trust client after the authentication of the zero trust client is passed;
the return module is used for returning an online success message to the zero trust client, wherein the online success message comprises the identity of the zero trust client; the online success message is used for indicating that the zero trust client carries the identity in an access request sent to the zero trust proxy gateway.
10. A traffic identification device, comprising:
the first sending module is used for sending an online authentication request to the zero trust control center;
the second receiving module is used for receiving an online success message sent by the zero trust control center, wherein the online success message comprises the identity of the zero trust client generated by the zero trust control center;
and the storage module is used for storing the identity so as to add the identity to subsequently sent access requests.
11. A traffic identification device, comprising:
the third receiving module is used for receiving an access request which is sent by the zero trust client and is used for accessing the application server; the access request comprises the identity of the zero trust client;
The second sending module is used for sending a verification request to the zero trust control center, wherein the verification request comprises an identity identifier in the access request;
and the forwarding module is used for forwarding the access request to the application server if the verification success message sent by the zero trust control center is received.
12. A zero trust control center comprising a memory, a processor, a communication interface, and a computer program stored in the memory and executable on the processor, wherein the processor implements the traffic identification method of any one of claims 1 to 4 when the computer program is executed by the processor.
13. A zero trust client comprising a memory, a processor, a communication interface, and a computer program stored in the memory and executable on the processor, wherein the processor implements the traffic identification method of claim 5 when the computer program is executed by the processor.
14. A zero trust proxy gateway comprising a memory, a processor, a communication interface and a computer program stored in the memory and executable on the processor, wherein the processor implements the traffic identification method of any one of claims 6 to 8 when the computer program is executed by the processor.
15. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the traffic identification method according to any of claims 1 to 8.
CN202311855020.2A 2023-12-29 2023-12-29 Traffic identity identification method, traffic identity identification device, zero-trust control center and storage medium Pending CN117834246A (en)

Publications (1)

Publication Number Publication Date
CN117834246A true CN117834246A (en) 2024-04-05

Family

ID=90516785

Country Status (1)

Country Link
CN (1) CN117834246A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination