CN117938544A - Flow control method, device and equipment - Google Patents
- Publication number
- CN117938544A (application number CN202410319848.4A)
- Authority
- CN
- China
- Prior art keywords
- flow
- equipment
- decrypted
- target
- traffic
- Prior art date
- Legal status (as listed by Google Patents; an assumption, not a legal conclusion)
- Granted
Classifications
- H04L63/0428, H04L63/045: network architectures or protocols for network security providing confidential data exchange over packet networks, with the payload protected by encryption or encapsulation, where the sending and receiving entities apply hybrid encryption (a combination of symmetric and asymmetric encryption)
- H04L12/66: data switching networks; arrangements for connecting between networks having differing types of switching systems, e.g. gateways
- H04L47/10: traffic control in data switching networks; flow control and congestion control
- H04L63/06: network security protocols supporting key management in a packet data network
- H04L63/0823: network security protocols for authentication of entities using certificates
- H04L9/0816, H04L9/0838: cryptographic mechanisms for key distribution or management; key establishment by key agreement, where the shared key is derived as a function of information contributed by or associated with each party
- H04L9/40: network security protocols
Abstract
The application provides a flow control method, a flow control device and flow control equipment. The method comprises the following steps: receiving certificate information sent by an identity authentication device, the certificate information having been encrypted with the public key of a first key pair; verifying the certificate information with the private key of the first key pair and, once verification passes, obtaining from it the public key of a second key pair and the policy identifier of the identity authentication device; negotiating a symmetric key with the identity authentication device based on the public key of the second key pair; when encrypted traffic sent by the identity authentication device is received, obtaining the flow control policy corresponding to the policy identifier; decrypting the encrypted traffic with the symmetric key to obtain decrypted traffic; and performing flow control on the decrypted traffic based on the flow control policy. With this scheme the security of the intranet device and of its data can be ensured, while legitimate devices can still access the intranet device normally.
Description
Technical Field
The present application relates to the field of network security, and in particular, to a flow control method, apparatus and device.
Background
With the rapid development of network technology, network-based applications are growing in number and complexity, and they occupy more and more network resources, so that network traffic rises sharply. In addition, with the widespread use of information networks, the Internet of Things and large local area networks of all kinds, strict control over the devices and traffic that access the network is required. For this reason, flow control must be performed on the traffic in the network.
To perform flow control on traffic in a network, the address information (such as the IP address and/or MAC address) of legitimate devices is generally maintained; on that basis, if the address information of a flow matches the address information of a legitimate device the flow is allowed to pass, and if it does not match the flow is prohibited from passing (i.e. discarded), thereby achieving flow control.
However, in the above manner, if an attacker impersonates the address information of a legitimate device, the attacker's traffic is sent to the intranet device and the security of the intranet device cannot be ensured. Conversely, if the address information of a newly connected device has not yet been recorded as that of a legitimate device, its traffic cannot be sent to the intranet device even though the device is legitimate, so the new device cannot access the intranet device normally.
Disclosure of Invention
In view of the above, the present application provides a flow control method, apparatus and device that can ensure the security of the intranet device and of its data while still allowing legitimate devices to access the intranet device normally.
The application provides a flow control method, which is applied to gateway equipment, and comprises the following steps:
Receiving certificate information sent by an identity authentication device, the certificate information being encrypted with the public key of a first key pair; verifying the certificate information with the private key of the first key pair and, after verification passes, obtaining the public key of a second key pair and the policy identifier of the identity authentication device from the certificate information;
Negotiating a symmetric key with the authentication device based on the public key of the second key pair;
When the encrypted traffic sent by the identity authentication equipment is received, a traffic control policy corresponding to the policy identifier is obtained; the identity authentication equipment is deployed in the service equipment, and after receiving the traffic sent by the service equipment, the traffic is encrypted by adopting the symmetric key to obtain the encrypted traffic;
decrypting the encrypted flow by adopting the symmetric key to obtain decrypted flow;
And controlling the flow of the decrypted flow based on the flow control strategy.
The application provides a flow control device, which is applied to gateway equipment, and comprises:
a receiving module, configured to receive certificate information sent by the identity authentication device, the certificate information being encrypted with the public key of a first key pair, to verify the certificate information with the private key of the first key pair and, after verification passes, to obtain the public key of a second key pair and the policy identifier of the identity authentication device from the certificate information;
A processing module, configured to negotiate a symmetric key with an identity authentication device based on a public key of the second key pair;
The acquisition module is used for acquiring a flow control strategy corresponding to the strategy identifier when receiving the encrypted flow sent by the identity authentication equipment; the identity authentication equipment is deployed in the service equipment, and after receiving the traffic sent by the service equipment, the traffic is encrypted by adopting the symmetric key to obtain encrypted traffic;
and the control module is used for decrypting the encrypted flow by adopting the symmetric key to obtain decrypted flow, and controlling the flow based on the flow control strategy.
The present application provides an electronic device including: a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor; the processor is configured to execute machine-executable instructions to implement the flow control method of the above-described example of the present application.
The present application provides a machine-readable storage medium storing machine-executable instructions executable by a processor; wherein the processor is configured to execute the machine executable instructions to implement the flow control method of the above example of the present application.
The present application provides a computer program, wherein the computer program is stored in a machine-readable storage medium, which when executed by a processor causes the processor to implement the flow control method of the above-described example of the present application.
According to the above technical scheme, the embodiments of the application provide a flow control method based on a gateway device and an identity authentication device. Without modifying the service device, an identity authentication device deployed on the service device encrypts the traffic between the service device and the intranet device, and the gateway forwards that traffic under a custom policy (for example the flow control policy corresponding to the policy identifier). This protects the intranet device and its data, lets legitimate devices access the intranet device normally, establishes an encrypted channel for the traffic between the service device and the intranet device, and so improves both flow control capability and network security.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the following description will briefly describe the drawings required to be used in the embodiments of the present application or the description in the prior art, and it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings may be obtained according to these drawings of the embodiments of the present application for a person having ordinary skill in the art.
FIG. 1 is a flow diagram of a flow control method in one embodiment of the application;
FIG. 2 is a schematic view of an application scenario in an embodiment of the present application;
FIG. 3 is a flow diagram of a flow control method in one embodiment of the application;
FIG. 4 is a schematic view of an application scenario in an embodiment of the present application;
FIG. 5 is a flow diagram of a flow control method in one embodiment of the application;
FIG. 6 is a schematic diagram of a flow control device in one embodiment of the present application;
Fig. 7 is a hardware configuration diagram of an electronic device in an embodiment of the application.
Detailed Description
The terminology used in the embodiments of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to any or all possible combinations including one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in embodiments of the present application to describe various information, such information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly second information may be referred to as first information, without departing from the scope of the application. Furthermore, depending on the context, the word "if" may be interpreted as "when ...", "upon ..." or "in response to determining".
The embodiment of the application provides a flow control method, which can be applied to gateway equipment, and is shown in fig. 1, and is a flow diagram of the flow control method, and the method can include:
Step 101, receiving certificate information sent by the identity authentication device, the certificate information being encrypted with the public key of a first key pair; verifying the certificate information with the private key of the first key pair and, after verification passes, obtaining the public key of a second key pair and the policy identifier of the identity authentication device from the certificate information.
Step 102, negotiating a symmetric key with the identity authentication device based on the public key of the second key pair.
Step 103, when the encrypted traffic sent by the identity authentication equipment is received, a traffic control policy corresponding to the policy identifier is obtained; the identity authentication equipment is deployed in the service equipment, and after receiving the traffic sent by the service equipment, the identity authentication equipment encrypts the traffic by adopting the symmetric key to obtain encrypted traffic.
And 104, decrypting the encrypted traffic by adopting the symmetric key to obtain decrypted traffic.
And 105, performing flow control on the decrypted flow based on the flow control strategy.
Illustratively, the certificate information may further include a first random number, and negotiating the symmetric key with the identity authentication device based on the public key of the second key pair (step 102) may include, but is not limited to: generating key data and a second random number; obtaining the symmetric key from the first random number, the key data and the second random number; encrypting the key data with the public key of the second key pair; and sending the encrypted key data and the second random number to the identity authentication device, so that the identity authentication device decrypts the encrypted key data with the private key of the second key pair to recover the key data and obtains the same symmetric key from the first random number, the key data and the second random number. The translated text describes both sides as "encrypting" the three values with the private key of the second key pair to obtain the symmetric key; since the gateway holds only the public key of that pair, the symmetric key can in practice only be a function of material both sides possess (the two random numbers and the key data), and the private key of the second key pair serves only to unwrap the key data on the device side.
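The following Python models the exchange of steps 101 and 102 with both parties' messages. It is an added example, not code from the patent or its applicant. The page does not name the public-key scheme, the symmetric cipher or the key-derivation function, so these are assumptions: ElGamal over the RFC 3526 2048-bit MODP group stands in for the public-key operations, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the symmetric cipher (a real deployment would use AES-GCM), and HKDF-SHA256 over the first random number, the key data and the second random number is the derivation, chosen because it uses only material both sides hold. The function and field names (`seal`, `open_`, `run_handshake`, `dev_pub`, `policy_id`, `nonce1`) are invented for the example.

```python
import hashlib
import hmac
import json
import secrets

# RFC 3526 group 14 (2048-bit MODP) prime and generator: public, standard constants.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2   # P is a safe prime; private exponents are drawn below Q


def keygen():
    """ElGamal key pair (assumed stand-in for the page's unspecified scheme)."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)


def _keystream(key: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; illustrative stand-in for a real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _subkeys(session: bytes):
    """Separate encryption and MAC keys from one wrapped session key."""
    return (hashlib.sha256(b"enc" + session).digest(),
            hashlib.sha256(b"mac" + session).digest())


def seal(pub: int, plaintext: bytes) -> dict:
    """Hybrid encryption to a public key: ElGamal-wrap a fresh 256-bit session
    key, then encrypt-then-MAC the plaintext under keys derived from it."""
    k = secrets.randbelow(Q - 2) + 2
    session = secrets.token_bytes(32)
    c1 = pow(G, k, P)
    c2 = (int.from_bytes(session, "big") * pow(pub, k, P)) % P
    enc_key, mac_key = _subkeys(session)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return {"c1": c1, "c2": c2, "ct": ct,
            "tag": hmac.new(mac_key, ct, hashlib.sha256).digest()}


def open_(priv: int, env: dict) -> bytes:
    """Inverse of seal(); the tag check is the 'verification' of step 101."""
    shared = pow(env["c1"], priv, P)
    session = ((env["c2"] * pow(shared, -1, P)) % P).to_bytes(32, "big")
    enc_key, mac_key = _subkeys(session)
    expect = hmac.new(mac_key, env["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, env["tag"]):
        raise ValueError("certificate information failed verification")
    return bytes(a ^ b for a, b in zip(env["ct"], _keystream(enc_key, len(env["ct"]))))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:length]


def run_handshake(policy_id: str = "1"):
    """Steps 101-102 with both parties' messages. Returns
    (gateway_symmetric_key, device_symmetric_key, policy_id_seen_by_gateway)."""
    gw_priv, gw_pub = keygen()     # first key pair: private half stays on the gateway
    dev_priv, dev_pub = keygen()   # second key pair: private half stays on the USBKey

    # Device -> gateway: certificate information sealed with the gateway's public key.
    nonce1 = secrets.token_bytes(16)                         # the "first random number"
    cert_info = json.dumps({"dev_pub": dev_pub, "policy_id": policy_id,
                            "nonce1": nonce1.hex()}).encode()
    msg1 = seal(gw_pub, cert_info)

    # Gateway: verify with its private key, then read the device key and policy id.
    cert = json.loads(open_(gw_priv, msg1))
    peer_pub, seen_policy = cert["dev_pub"], cert["policy_id"]
    n1 = bytes.fromhex(cert["nonce1"])

    # Gateway -> device: key data sealed with the device's public key; nonce2 in clear.
    key_data, nonce2 = secrets.token_bytes(32), secrets.token_bytes(16)
    msg2 = {"wrapped": seal(peer_pub, key_data), "nonce2": nonce2}

    # Both sides derive the symmetric key from nonce1 || key_data || nonce2 (assumed KDF).
    gw_key = hkdf_sha256(n1 + key_data + nonce2, b"flow-control", b"session")
    dev_key = hkdf_sha256(nonce1 + open_(dev_priv, msg2["wrapped"]) + msg2["nonce2"],
                          b"flow-control", b"session")
    return gw_key, dev_key, seen_policy


if __name__ == "__main__":
    gk, dk, pid = run_handshake("2")
    print("keys match:", gk == dk, "policy identifier:", pid)
```

The tag check in `open_` is where a forged or tampered certificate is rejected; it also means the gateway learns the policy identifier only from data it has authenticated, which is what lets the identifier safely drive the policy lookup of step 103. A real deployment would additionally bind the device's public key to a trusted issuer, since on this page "verification" with the gateway's private key only proves the sender knew the gateway's public key.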
For each service scenario, the flow control policy corresponding to the service scenario and the policy identifier corresponding to the service scenario may also be obtained, and the mapping relationship between the flow control policy and the policy identifier may be recorded; for the service equipment matched with the service scene, when the service equipment deploys the identity authentication equipment, the certificate information of the identity authentication equipment can comprise a strategy identifier corresponding to the service scene. The flow control strategy may include, but is not limited to, at least one of: target traffic direction, target traffic type, target traffic bandwidth, target file type, target threat detection type, target anomaly detection type.
Illustratively, flow control of decrypted traffic based on a flow control policy may include, but is not limited to: if the flow control strategy comprises a target flow direction, and the flow direction of the decrypted flow is matched with the target flow direction, allowing the decrypted flow to be sent to the intranet equipment; and if the flow direction of the decrypted flow is not matched with the target flow direction, prohibiting the decrypted flow from being sent to the intranet equipment.
If the flow control strategy comprises a target flow type and the flow type of the decrypted flow is matched with the target flow type, allowing the decrypted flow to be sent to the intranet equipment; and if the traffic type of the decrypted traffic is not matched with the target traffic type, prohibiting the decrypted traffic from being sent to the intranet equipment.
If the flow control strategy comprises the target flow bandwidth, when the decrypted flow is sent to the intranet equipment, the actual flow bandwidth of the decrypted flow does not exceed the target flow bandwidth.
If the flow control strategy comprises a target file type, and the file type of the decrypted flow is matched with the target file type, allowing the decrypted flow to be sent to the intranet equipment; and if the file type of the decrypted flow is not matched with the target file type, prohibiting the decrypted flow from being sent to the intranet equipment.
If the flow control strategy comprises a target threat detection type, threat detection is carried out on the decrypted flow based on the target threat detection type; if the detection result shows that the threat does not exist, the decrypted flow is allowed to be sent to the intranet equipment; and if the detection result is that the threat exists, prohibiting the decrypted traffic from being sent to the intranet equipment.
For example, after the flow control policy corresponding to the service scenario and the policy identifier corresponding to the service scenario are obtained, the flow control policy may also be adjusted based on the flow operation condition of the gateway device. If the flow control policy does not include the target flow bandwidth and it is determined that the gateway device occupies a bandwidth greater than the threshold based on the flow operation condition, the target flow bandwidth may be added to the flow control policy. And/or if the flow control policy does not include the target file type, and it is determined that the gateway device transmits the flow corresponding to the specified file type based on the flow running condition, the target file type may be added to the flow control policy, and the target file type is the specified file type. And/or if the flow control policy does not include the target flow type and it is determined that the gateway device transmits the flow corresponding to the suspicious flow protocol type based on the flow operation condition, the target flow type may be added to the flow control policy, and the target flow type is the suspicious flow protocol type.
For an application scenario with a primary gateway and a secondary gateway, the primary gateway is close to the intranet equipment, and the secondary gateway is close to the service equipment; the intranet equipment stores sensitive data, and the business equipment accesses the sensitive data of the intranet equipment, or the business equipment sends the sensitive data to the intranet equipment for storage; the gateway device is a secondary gateway, the secondary gateway establishes a VPN channel with the primary gateway, and performs flow control on the decrypted flow based on a flow control policy, which may include, but is not limited to: and if the decrypted traffic is determined to be allowed to be sent to the intranet equipment based on the traffic control strategy, the decrypted traffic is sent to the main gateway based on the VPN channel, and the main gateway sends the decrypted traffic to the intranet equipment after receiving the decrypted traffic through the VPN channel.
Illustratively, the primary gateway may also collect statistics on traffic information, which may include, but is not limited to, at least one of: the number of secondary gateways connected to the primary gateway, the number of service devices connected to the primary gateway, the overall traffic trend of the primary gateway, the file trend of the primary gateway, the threat trend of the primary gateway, the traffic bandwidth of each secondary gateway, the traffic volume of each secondary gateway, the number of service devices connected to each secondary gateway, the online/offline status of the service devices, the traffic volume trend of the service devices, the file types of the service devices and the protocol types of the service devices. The primary gateway may present the traffic information graphically on a target page.
The flow control method according to the embodiment of the present application is described below with reference to a specific application scenario.
In the embodiment of the present application, a flow control method is provided; referring to fig. 2, an application scenario diagram of the flow control method is shown. The flow control system may include a primary gateway (for example, one primary gateway), one or more secondary gateways (fig. 2 shows one secondary gateway as an example), and a plurality of service devices.
Referring to fig. 2, compared with the secondary gateway, the primary gateway is close to the intranet device, for example, the primary gateway is directly connected with the intranet device, or the primary gateway is connected with the intranet device through network devices (such as a router, a switch, etc.). The secondary gateway is in close proximity to the service device as compared to the primary gateway, e.g., the secondary gateway is directly connected to the service device, or the secondary gateway is connected to the service device through a network device (e.g., router, switch, etc.).
Intranet devices are devices deployed in an intranet (such as an enterprise intranet, etc.), and are devices that need to perform data protection, such as servers, storage devices, etc. The service device is a device needing to access the intranet device, such as a host, an IPC, a smart phone, a notebook computer, etc., which does not limit the service device.
For example, the intranet device stores sensitive data (such as human body information, vehicle information, etc.), and the service device needs to access the sensitive data of the intranet device, for example, the service device sends an access request to the intranet device, and after receiving the access request, the intranet device sends the sensitive data of the intranet device to the service device.
For another example, when the service device is IPC, the service device may collect images of the target scene (such as a human body image, a vehicle image, and the like, which are sensitive data), send the images of the target scene to the intranet device, and store the images of the target scene by the intranet device.
Under the above application scenario, as shown in fig. 2, each service device needs to deploy an identity authentication device, where the identity authentication device may be a USBKey, or may be other devices with an identity authentication function, which is not limited, and is described in the following taking the USBKey as an example. The USBKey is a hardware device of a USB interface, is internally provided with an intelligent module and has a certain storage space, and can be used as login authentication.
In the above application scenario, a flow control method is provided in the embodiment of the present application, and referring to fig. 3, a flow diagram of the flow control method is shown, where the method may include the following steps:
step 301, for each service scenario, the primary gateway obtains a flow control policy corresponding to the service scenario and a policy identifier corresponding to the service scenario, and records a mapping relationship between the flow control policy and the policy identifier.
For example, the service scenario may be differentiated according to a network type, for example, the service scenario may include a service scenario of an information network, a service scenario of an internet of things, and a service scenario of a local area network. Or can distinguish business scenes according to enterprise types, such as business scenes of internet enterprises, business scenes of education enterprises and business scenes of medical enterprises. Of course, the above is only an example of dividing a plurality of service scenes, and the dividing manner of the service scenes is not limited, and the plurality of service scenes may be divided in any manner.
For each service scenario, the flow control policy corresponding to the service scenario and the policy identifier corresponding to the service scenario may be preconfigured. For example, the service scenario of the information network corresponds to the flow control policy a, the service scenario of the information network corresponds to the policy identifier 1, the service scenario of the internet of things corresponds to the flow control policy B, the service scenario of the internet of things corresponds to the policy identifier 2, the service scenario of the local area network corresponds to the flow control policy C, and the service scenario of the local area network corresponds to the policy identifier 3. On the basis, the main gateway can acquire a flow control strategy corresponding to the service scene and a strategy identifier corresponding to the service scene, and record the mapping relation between the flow control strategy and the strategy identifier. See table 1 for an example of this mapping relationship.
TABLE 1
For example, the flow control policies corresponding to different service scenarios may be the same or different. The flow control policy corresponding to each service scenario may include, but is not limited to, at least one of the following: target traffic direction, target traffic type, target traffic bandwidth, target file type, target threat detection type, target anomaly detection type.
For example, a flow control strategy may or may not include a flow direction dimension. If a flow control strategy is included in the flow direction dimension, the flow control strategy is referred to as a target flow direction, i.e., the flow control strategy includes a target flow direction. The target traffic direction may be to allow only upstream (i.e., to allow upstream traffic to pass through), or to allow only downstream (i.e., to allow downstream traffic to pass through), or to allow both upstream and downstream (i.e., to allow upstream traffic and downstream traffic to pass through).
For example, a flow control policy for a flow type dimension may or may not be included. If a flow control policy is included for the flow type dimension, the flow control policy is referred to as a target flow type, i.e., the flow control policy includes a target flow type. The target traffic type indicates a protocol type that allows traffic to pass (or a protocol type that prohibits traffic from passing), such as transport layer control TCP, UDP, ICMP, DNS (i.e., traffic that uses a protocol such as TCP, UDP, ICMP, DNS for which the transport layer allows traffic to pass, whereas traffic that does not use a protocol such as TCP, UDP, ICMP, DNS for which the transport layer does not allow traffic to pass), application layer control HTTP, SIP, GB/T28181, RTP, RTSP, and the like.
For example, a flow control policy for a flow bandwidth dimension may or may not be included. If a flow control policy for a flow bandwidth dimension is included, the flow control policy is referred to as a target flow bandwidth, i.e., the flow control policy includes the target flow bandwidth. The target traffic bandwidth represents the traffic bandwidth size allowed to pass, such as 10Mb/s, 100Mb/s, 1000Mb/s, etc. 10Mb/s means that only 10Mb of traffic is allowed to be transmitted per second, and that excess traffic needs to be queued.
For example, a flow control policy for a file type dimension may or may not be included. If a flow control policy of a file type dimension is included, the flow control policy is referred to as a target file type, i.e., the flow control policy includes a target file type. The target file type indicates the file type allowed in the flow, such as txt, docx, png, avi. When the target file type is txt file type, the content of txt file type in the flow is indicated, and the flow is allowed to pass.
For example, a flow control policy for the threat detection type dimension may or may not be included. If a flow control policy is included in the threat detection type dimension, the flow control policy is referred to as a target threat detection type, i.e., the flow control policy includes a target threat detection type. The target threat detection type indicates what threat detection mode is adopted to carry out threat detection on the traffic, such as DOS attack, SQL injection, worm virus, zombie virus and the like. For example, if the target threat detection type includes a DOS attack, it is necessary to detect whether there is a DOS attack on the traffic.
For example, a flow control policy for an anomaly detection type dimension may or may not be included. If a flow control policy of the anomaly detection type dimension is included, the flow control policy is referred to as a target anomaly detection type, i.e., the flow control policy includes a target anomaly detection type. The target anomaly detection type may be controlled in combination with the time and traffic type or in combination with the time and traffic bandwidth. For example, when RTP traffic at the middle 2o ' clock is likely to be video data leakage, the target anomaly detection type may be the middle 2o ' clock+rtp protocol type, i.e. traffic using the RTP protocol type at the middle 2o ' clock is not allowed to pass. For another example, when the traffic bandwidth at 8 am suddenly increases, the target anomaly detection type may be 8 am+10 Mb/s of traffic bandwidth, i.e. only 10Mb of traffic is allowed to be transmitted per second at 8 am, and the excess traffic needs to be queued.
Of course, the target traffic direction, the target traffic type, the target traffic bandwidth, the target file type, the target threat detection type, and the target anomaly detection type are just a few examples, and the traffic control policy is not limited, and the traffic control policy can be configured in a self-defined manner, i.e. any configuration of the traffic control policy is possible.
Step 302, the primary gateway obtains a first key pair and a second key pair. The first key pair includes a public key and a private key, and the second key pair includes a public key and a private key. For example, a first key pair is denoted as a key pair a, a public key of the first key pair is denoted as a public key A1, a private key of the first key pair is denoted as a private key A2, a second key pair is denoted as a key pair B, a public key of the second key pair is denoted as a public key B1, and a private key of the second key pair is denoted as a private key B2.
The first key pair may be an asymmetric key pair, or may be another type of key pair, without limitation. There may be a single first key pair, i.e., all service scenarios correspond to the same first key pair. The first key pair may be preconfigured in the primary gateway or may be generated by the primary gateway itself.
The second key pair may be an asymmetric key pair, or may be another type of key pair, without limitation. The second key pair may be preconfigured in the primary gateway, or may be generated by the primary gateway itself. There may be multiple second key pairs, in one-to-one correspondence with multiple service scenarios; for example, the service scenario of the information network corresponds to one second key pair, the service scenario of the internet of things corresponds to one second key pair, the service scenario of the local area network corresponds to one second key pair, and so on. The second key pairs corresponding to different service scenarios may be the same or different.
Step 303, the primary gateway synchronizes the mapping relationship between the flow control policy and the policy identifier to the secondary gateway, and synchronizes the first key pair and the second key pair to the secondary gateway. The secondary gateway receives and stores the mapping relationship between the flow control policy and the policy identifier, and receives and stores the first key pair and the second key pair.
By way of example, the secondary gateway and the primary gateway may establish a VPN channel, and data (e.g., the mapping relationship between the flow control policy and the policy identifier, the first key pair, and the second key pair) is transmitted between the primary gateway and the secondary gateway through the VPN channel, so that the data is not exposed to leakage risk in transit.
Step 304, the primary gateway or the secondary gateway synchronizes the policy identifier to the identity authentication device, and synchronizes the public key of the first key pair and the second key pair (i.e., its public key and private key) to the identity authentication device.
For example, for an identity authentication device (USBKey), if the identity authentication device needs to be deployed to a service device accessing a certain service scenario, the primary gateway or the secondary gateway synchronizes the policy identifier corresponding to that service scenario to the identity authentication device. For example, if the identity authentication device needs to be deployed to a service device accessing the information network, the policy identifier 1 corresponding to the service scenario of the information network is synchronized to the identity authentication device. If the identity authentication device needs to be deployed to a service device accessing the internet of things, the policy identifier 2 corresponding to the service scenario of the internet of things is synchronized to the identity authentication device. If the identity authentication device needs to be deployed to a service device accessing the local area network, the policy identifier 3 corresponding to the service scenario of the local area network is synchronized to the identity authentication device.
For example, for an identity authentication device (USBKey), the primary gateway or the secondary gateway may synchronize the public key of the first key pair (e.g., public key A1) to the identity authentication device. If the identity authentication device needs to be deployed to a service device accessing a certain service scenario, the primary gateway or the secondary gateway synchronizes the second key pair (e.g., public key B1 and private key B2) corresponding to that service scenario to the identity authentication device. For example, if the identity authentication device needs to be deployed to a service device accessing the information network, the second key pair corresponding to the service scenario of the information network is synchronized to the identity authentication device. If the identity authentication device needs to be deployed to a service device accessing the internet of things, the second key pair corresponding to the service scenario of the internet of things is synchronized to the identity authentication device. If the identity authentication device needs to be deployed to a service device accessing the local area network, the second key pair corresponding to the service scenario of the local area network is synchronized to the identity authentication device.
The primary gateway may also obtain a first random number R1, which may be preconfigured in the primary gateway or generated by the primary gateway itself. There may be multiple first random numbers R1, in one-to-one correspondence with multiple service scenarios. For example, the service scenario of the information network corresponds to one first random number R1, the service scenario of the internet of things corresponds to one first random number R1, and the service scenario of the local area network corresponds to one first random number R1. The first random numbers R1 corresponding to different service scenarios may be the same or different.
The primary gateway may synchronize the first random number R1 to the secondary gateway, which receives and stores the first random number R1. The primary gateway or the secondary gateway may synchronize the first random number R1 to the authentication device. For example, if the authentication device needs to be deployed to a service device accessing a certain service scenario, the primary gateway or the secondary gateway may synchronize the first random number R1 corresponding to the service scenario to the authentication device.
In summary, the identity authentication device may obtain the policy identifier, the public key of the first key pair (e.g., public key A1), the second key pair (e.g., public key B1 and private key B2), and the first random number R1, and store this information; the identity authentication device may then be deployed to the service device, e.g., by inserting the identity authentication device into the service device.
Illustratively, steps 301-304 are preparation procedures of the flow control method, steps 301-304 are performed once, and after the preparation procedure is finished, an identity authentication procedure may be performed, see the subsequent steps.
Step 305, after the service device deploys the identity authentication device, the identity authentication device encrypts the certificate information by using the public key of the first key pair, and sends the encrypted certificate information to the secondary gateway.
Illustratively, the credential information may include a public key of the second key pair (e.g., public key B1) and a policy identification of the identity authentication device, and optionally, the credential information may also include the first random number R1 (i.e., the credential information may or may not include the first random number R1).
For example, the identity authentication device may store a policy identifier, a public key A1 of the first key pair, a public key B1 and a private key B2 of the second key pair, and a first random number R1, and thus, the public key B1 of the second key pair, the policy identifier (for a service device matching a certain service scenario, the policy identifier is a policy identifier corresponding to the service scenario), and the first random number R1 may be used as certificate information. The certificate information may then be encrypted using the public key A1 of the first key pair and the encrypted certificate information sent to the secondary gateway.
Illustratively, after the identity authentication device (USBKey) is accessed to the service device, an automation policy of the identity authentication device is automatically triggered, and a client Agent is installed in the service device, where the client Agent is used for proxy traffic transceiving of the service device. The client Agent may acquire the certificate information and the public key A1 of the first key pair from the identity authentication device, and encrypt the certificate information using the public key A1 of the first key pair.
For example, the user may input a PIN code at the client Agent, and if the PIN code is correct, the client Agent obtains the certificate information and the public key A1 of the first key pair from the identity authentication device. If the PIN code is wrong or the user does not input a PIN code, the client Agent is prohibited from acquiring the certificate information and the public key A1 of the first key pair from the identity authentication device, and the identity authentication process is not executed. Alternatively, if the client Agent is expected to run fully automatically, the PIN code can be built directly into the client Agent, so that the user does not need to input the PIN code and the client Agent directly acquires the certificate information and the public key A1 of the first key pair from the identity authentication device.
After obtaining the certificate information and the public key A1 of the first key pair, the client Agent may perform an identity authentication process, that is, the client Agent encrypts the certificate information by using the public key A1 of the first key pair, and sends the encrypted certificate information to the secondary gateway, where the secondary gateway performs identity authentication.
Step 306, the secondary gateway receives the certificate information sent by the identity authentication device, verifies the certificate information based on the private key of the first key pair, and obtains the public key of the second key pair and the policy identifier of the identity authentication device from the certificate information after verification. Optionally, if the certificate information further includes the first random number R1, after the verification is passed, the first random number R1 may also be obtained from the certificate information.
Illustratively, the first key pair is used for verifying the validity of the certificate, so the identity authentication device may encrypt the certificate information by using the public key A1 of the first key pair, and the secondary gateway may decrypt the certificate information based on the private key A2 of the first key pair, and after the decryption is completed, perform validity verification on the certificate information, such as verifying the integrity of the certificate information, and the verification process is not limited.
If the verification of the certificate information fails, the identity authentication fails; the secondary gateway can send an identity authentication failure message to the identity authentication device, and the identity authentication device re-initiates the identity authentication. Otherwise, if the verification of the certificate information succeeds, i.e., the certificate information passes verification, the identity authentication succeeds.
After the verification is passed, if the certificate information includes the public key B1 of the second key pair, the policy identifier and the first random number R1, the secondary gateway obtains the public key B1 of the second key pair, the policy identifier and the first random number R1 from the certificate information. Otherwise, if the certificate information includes the public key B1 of the second key pair and the policy identifier, the secondary gateway obtains the public key B1 of the second key pair and the policy identifier from the certificate information.
Step 307, the secondary gateway negotiates a symmetric key with the identity authentication device based on the public key of the second key pair.
For example, after the identity authentication of the identity authentication device succeeds, the secondary gateway and the identity authentication device may establish an encrypted channel, e.g., by negotiating a symmetric key (hereinafter referred to as symmetric key C) and establishing the encrypted channel based on the symmetric key C; that is, all traffic from the service device to the secondary gateway is encrypted with the symmetric key C, and the service device transmits traffic encrypted with the symmetric key C to the secondary gateway.
Illustratively, the second key pair is used for symmetric key negotiations, and therefore the secondary gateway and the identity authentication device may negotiate the symmetric key C based on the second key pair. For example, the symmetric key C may be negotiated by the following steps, which are, of course, only examples herein, and the method of obtaining the symmetric key C is not limited.
Step 3071, the secondary gateway generates key data and a second random number R2.
For example, the secondary gateway may generate a random number, which is referred to as a second random number R2, and generate key data, which is data related to a symmetric key, without limitation.
In step 3072, the secondary gateway encrypts the first random number R1, the key data and the second random number R2 by using the private key B2 of the second key pair, to obtain a symmetric key C. Or the secondary gateway encrypts the key data and the second random number R2 by adopting the private key B2 of the second key pair to obtain a symmetric key C.
For example, the secondary gateway may store multiple sets of second key pairs (i.e., second key pairs corresponding to different service scenarios), and after the secondary gateway obtains the public key B1 of the second key pair from the certificate information, the secondary gateway may query the private key B2 corresponding to the public key B1 (i.e., the private key B2 of the second key pair) from the multiple sets of second key pairs.
On the basis, if the certificate information comprises a first random number R1, the secondary gateway encrypts the first random number R1, the key data and the second random number R2 by adopting a private key B2 of the second key pair to obtain a symmetric key C. Or if the certificate information does not comprise the first random number R1, the secondary gateway encrypts the key data and the second random number R2 by adopting the private key B2 of the second key pair to obtain a symmetric key C.
In step 3073, the secondary gateway may encrypt the key data with the public key B1 of the second key pair, and send the encrypted key data and the second random number R2 to the identity authentication device. Or the secondary gateway may encrypt the key data and the second random number R2 with the public key B1 of the second key pair and send the encrypted key data and the encrypted second random number R2 to the identity authentication device.
In step 3074, the identity authentication device decrypts the encrypted key data with the private key B2 of the second key pair to obtain key data, and obtains the second random number R2. Or the identity authentication equipment adopts the private key B2 of the second key pair to decrypt the encrypted key data to obtain the key data, and adopts the private key B2 of the second key pair to decrypt the encrypted second random number R2 to obtain the second random number R2.
Illustratively, since the identity authentication device holds the private key B2 of the second key pair, the key data (and, in the second variant, the second random number R2) encrypted with the public key B1 of the second key pair may be decrypted directly with the private key B2 of the second key pair to obtain the key data.
In step 3075, the identity authentication device encrypts the first random number R1, the key data and the second random number R2 by using the private key B2 of the second key pair, to obtain a symmetric key C. Or the identity authentication equipment encrypts the key data and the second random number R2 by adopting the private key B2 of the second key pair to obtain a symmetric key C.
For example, if the identity authentication device locally stores the first random number R1, the key data and the second random number R2 may be encrypted by using the private key B2 of the second key pair to obtain the symmetric key C. Or if the identity authentication device does not store the first random number R1 locally, the private key B2 of the second key pair may be used to encrypt the key data and the second random number R2, so as to obtain the symmetric key C.
So far, the symmetric key C can be negotiated between the secondary gateway and the authentication device.
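The negotiation of steps 3071-3075, as an added example written for this page and not code from the patent: both sides hold key pair B (public key B1, private key B2) and the first random number R1, the secondary gateway sends the key data encrypted with B1 together with R2 (the first variant of step 3073), and each side derives symmetric key C from R1, the key data and R2. The page does not specify how "encrypting with private key B2" yields C; this example assumes a deterministic RSA private-key operation (a PKCS#1 v1.5 signature) over SHA-256(R1 || key data || R2), hashed to a 32-byte key, and the names GatewayOffer, GatewayNegotiate, DeviceNegotiate and RunExchange are its own.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GatewayOffer is the message of step 3073 (first variant): the key data
// encrypted with public key B1, and the second random number R2 alongside it.
type GatewayOffer struct {
	EncKeyData []byte
	R2         []byte
}

// deriveSymmetricKeyC models steps 3072 and 3075 ("encrypt R1, key data and R2
// with private key B2 to obtain C"). The model is an assumption, not the
// patent's construction: a deterministic RSA private-key operation (PKCS#1 v1.5
// signature over SHA-256(R1||keyData||R2)) hashed to a 32-byte key. Both sides
// hold B2 (step 304), so they compute the same C from the same inputs.
func deriveSymmetricKeyC(b2 *rsa.PrivateKey, r1, keyData, r2 []byte) ([]byte, error) {
	h := sha256.New()
	h.Write(r1)
	h.Write(keyData)
	h.Write(r2)
	sig, err := rsa.SignPKCS1v15(nil, b2, crypto.SHA256, h.Sum(nil))
	if err != nil {
		return nil, err
	}
	c := sha256.Sum256(sig)
	return c[:], nil
}

// GatewayNegotiate runs steps 3071-3073 on the secondary gateway: generate key
// data and R2, derive C, and encrypt the key data for the device with B1.
func GatewayNegotiate(b *rsa.PrivateKey, r1 []byte) ([]byte, GatewayOffer, error) {
	keyData := make([]byte, 32)
	r2 := make([]byte, 16)
	if _, err := rand.Read(keyData); err != nil {
		return nil, GatewayOffer{}, err
	}
	if _, err := rand.Read(r2); err != nil {
		return nil, GatewayOffer{}, err
	}
	c, err := deriveSymmetricKeyC(b, r1, keyData, r2)
	if err != nil {
		return nil, GatewayOffer{}, err
	}
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &b.PublicKey, keyData, nil)
	if err != nil {
		return nil, GatewayOffer{}, err
	}
	return c, GatewayOffer{EncKeyData: enc, R2: r2}, nil
}

// DeviceNegotiate runs steps 3074-3075 on the identity authentication device:
// recover the key data with private key B2, then derive the same C.
func DeviceNegotiate(b *rsa.PrivateKey, r1 []byte, offer GatewayOffer) ([]byte, error) {
	keyData, err := rsa.DecryptOAEP(sha256.New(), nil, b, offer.EncKeyData, nil)
	if err != nil {
		return nil, err
	}
	return deriveSymmetricKeyC(b, r1, keyData, offer.R2)
}

// RunExchange generates a fresh key pair B and a constructed R1, runs both
// sides, and reports whether they agree on C. It also checks that a device
// holding a different R1 (another service scenario's value) derives a
// different C, which is what including R1 in the derivation buys.
func RunExchange() (agree bool, otherR1Differs bool, err error) {
	b, err := rsa.GenerateKey(rand.Reader, 2048) // key pair B: public B1, private B2
	if err != nil {
		return false, false, err
	}
	r1 := []byte("constructed-R1-for-information-network")
	cGateway, offer, err := GatewayNegotiate(b, r1)
	if err != nil {
		return false, false, err
	}
	cDevice, err := DeviceNegotiate(b, r1, offer)
	if err != nil {
		return false, false, err
	}
	cOther, err := DeviceNegotiate(b, []byte("constructed-R1-for-lan"), offer)
	if err != nil {
		return false, false, err
	}
	return bytes.Equal(cGateway, cDevice), !bytes.Equal(cGateway, cOther), nil
}

func main() {
	agree, differs, err := RunExchange()
	fmt.Println("same C on both sides:", agree, "| other R1 gives other C:", differs, "| err:", err)
}
```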
Illustratively, steps 305-307 are identity authentication procedures of the flow control method, after which the flow control procedure may be performed, see subsequent steps.
Step 308, after receiving the traffic sent by the service device to the intranet device, the identity authentication device encrypts the traffic with the symmetric key to obtain encrypted traffic, and sends the encrypted traffic to the secondary gateway.
For example, in this embodiment the service device is not modified, so the service device sends traffic to the intranet device normally. The traffic sent by the service device to the intranet device is intercepted by the identity authentication device; after obtaining the traffic, the identity authentication device encrypts it with the symmetric key C to obtain encrypted traffic and sends the encrypted traffic to the secondary gateway, so that data security is ensured by sending only encrypted traffic.
Step 309, when receiving the encrypted traffic sent by the identity authentication device, the secondary gateway decrypts the encrypted traffic with the symmetric key to obtain decrypted traffic, and obtains the flow control policy corresponding to the policy identifier.
For example, when the secondary gateway negotiates the symmetric key C with the identity authentication device, a session identifier may be allocated to the identity authentication device, and a mapping relationship between the session identifier and a policy identifier (obtained by the secondary gateway from certificate information) and the symmetric key C (obtained by negotiating the secondary gateway with the identity authentication device) may be recorded.
On the basis, when the identity authentication equipment sends the encrypted traffic to the secondary gateway, the encrypted traffic comprises the session identifier, so that the secondary gateway can inquire the policy identifier and the symmetric key C corresponding to the session identifier. And then, the secondary gateway decrypts the encrypted traffic by adopting the symmetric key C corresponding to the session identifier to obtain decrypted traffic, and obtains a traffic control policy corresponding to the policy identifier corresponding to the session identifier.
For example, the secondary gateway may query the mapping relationship shown in table 1 through the policy identifier corresponding to the session identifier, thereby obtaining the flow control policy corresponding to the policy identifier.
Step 310, the secondary gateway performs flow control on the decrypted flow based on the flow control policy.
Or the secondary gateway can also directly send the decrypted flow to the primary gateway, and the primary gateway performs flow control on the decrypted flow based on the flow control policy (the secondary gateway can send the policy identifier corresponding to the session identifier to the primary gateway, and the primary gateway obtains the flow control policy corresponding to the policy identifier).
Illustratively, the secondary gateway performs flow control on the decrypted traffic based on the flow control policy, where the flow control policy may include, but is not limited to, at least one of the dimensions described in step 301, and the flow control policy is applied to the decrypted traffic as follows.
For example, if the flow control policy includes a target traffic direction and the direction of the decrypted traffic matches the target traffic direction (e.g., the target traffic direction is the uplink direction and the decrypted traffic is uplink traffic), the decrypted traffic is allowed to be sent to the intranet device as far as this dimension is concerned (only the target traffic direction dimension has allowed it; the other dimensions of the flow control policy must still be consulted, and the flow control result is that the decrypted traffic is allowed to be sent to the intranet device only when every dimension allows it, whereas if any dimension does not allow it, the flow control result is that the decrypted traffic is prohibited from being sent to the intranet device). If the direction of the decrypted traffic does not match the target traffic direction (e.g., the target traffic direction is the downlink direction and the decrypted traffic is uplink traffic), the decrypted traffic is prohibited from being sent to the intranet device (i.e., the target traffic direction dimension prohibits it; the other dimensions of the flow control policy need not be consulted, and the flow control result is that the decrypted traffic is prohibited from being sent to the intranet device).
For example, if the flow control policy includes a target traffic type and the traffic type of the decrypted traffic matches the target traffic type (e.g., the target traffic type is HTTP and the traffic type of the decrypted traffic is HTTP), the decrypted traffic is allowed to be sent to the intranet device (the target traffic type dimension allows the decrypted traffic to be sent to the intranet device). If the traffic type of the decrypted traffic does not match the target traffic type (e.g., the target traffic type is HTTP and the traffic type of the decrypted traffic is RTSP), the decrypted traffic is prohibited from being sent to the intranet device (the target traffic type dimension prohibits the decrypted traffic from being sent to the intranet device).
For example, if the flow control policy includes a target flow bandwidth, when the decrypted flow is sent to the intranet device, the actual flow bandwidth of the decrypted flow does not exceed the target flow bandwidth. For example, when the target traffic bandwidth is 10Mb/s, when the decrypted traffic is sent to the intranet device, the decrypted traffic with the size of 10Mb is allowed to be transmitted at most per second, and an excess part of the decrypted traffic needs to be queued.
For example, if the flow control policy includes a target file type and the file type of the decrypted traffic matches the target file type (e.g., the target file type is the txt file type and the file type of the decrypted traffic is the txt file type, that is, the data in the decrypted traffic is of the txt file type), the decrypted traffic is allowed to be sent to the intranet device (the target file type dimension allows the decrypted traffic to be sent to the intranet device). If the file type of the decrypted traffic does not match the target file type (e.g., the target file type is the txt file type and the file type of the decrypted traffic is the docx file type), the decrypted traffic is prohibited from being sent to the intranet device (the target file type dimension prohibits the decrypted traffic from being sent to the intranet device).
For example, if the traffic control policy includes a target threat detection type (including at least one threat detection type), threat detection is performed on the decrypted traffic based on the target threat detection type. For example, if the target threat detection type includes DOS attack, it is detected whether DOS attack exists in the decrypted traffic, if the target threat detection type includes SQL injection, it is detected whether SQL injection exists in the decrypted traffic, and so on. If the detection result is that no threat exists (i.e. all threat detection types do not exist), the decrypted traffic is allowed to be sent to the intranet equipment (the dimension of the target threat detection type allows the decrypted traffic to be sent to the intranet equipment). If the detection result is that a threat exists (i.e., any threat detection type has a threat, for example, DOS attack or SQL injection detection result is that a threat exists), sending the decrypted traffic to the intranet device is prohibited (the dimension of the target threat detection type prohibits sending the decrypted traffic to the intranet device).
Step 311, if it is determined that the decrypted traffic is allowed to be sent to the intranet device based on the traffic control policy, the secondary gateway sends the decrypted traffic to the primary gateway. Or if the decrypted traffic is determined to be forbidden to be sent to the intranet equipment based on the traffic control policy, the secondary gateway discards the decrypted traffic.
For example, if all dimensions of the flow control policy allow the decrypted flow to be sent to the intranet device, that is, if the flow control result is that the decrypted flow is allowed to be sent to the intranet device, the secondary gateway may send the decrypted flow to the primary gateway. Or if any dimension of the flow control policy does not allow the decrypted flow to be sent to the intranet equipment, that is, if the flow control result is that the decrypted flow is forbidden to be sent to the intranet equipment, the secondary gateway does not send the decrypted flow to the primary gateway, but directly discards the decrypted flow.
Illustratively, a VPN channel exists between the secondary gateway and the primary gateway, and the secondary gateway may send the decrypted traffic to the primary gateway based on the VPN channel, and the primary gateway receives the decrypted traffic through the VPN channel.
Step 312, after receiving the decrypted traffic, the primary gateway sends the decrypted traffic to the intranet device. So far, the flow transmission process from the business equipment to the intranet equipment is completed, and the flow is successfully sent to the intranet equipment.
In one possible implementation manner, the intranet device may further send a response flow (response service data) to the service device after receiving the decrypted flow, and the primary gateway may perform flow control on the response flow based on the flow control policy after receiving the response flow, and the flow control process may refer to step 310.
If all dimensions of the flow control policy allow the response traffic to be sent to the service device, i.e., the flow control result is that the response traffic is allowed to be sent to the service device, the primary gateway may send the response traffic to the secondary gateway (e.g., transmit the response traffic over the VPN channel). Or if any dimension of the flow control policy does not allow the response flow to be sent to the service device, that is, if the flow control result is that the response flow is forbidden to be sent to the service device, the main gateway does not send the response flow to the service device, but directly discards the response flow.
After receiving the response flow, the secondary gateway can encrypt the response flow by using the symmetric key C, and send the encrypted response flow to the identity authentication device, and the identity authentication device decrypts the encrypted response flow by using the symmetric key C and sends the decrypted response flow to the service device.
In the flow control process, the flow control policy may include a target traffic direction, a target traffic type, a target traffic bandwidth, a target file type and a target threat detection type. For traffic sent by the service device to the intranet device, flow control may use all five dimensions, or it may use only the target traffic type, the target traffic bandwidth and the target threat detection type, leaving out the target traffic direction and the target file type; that is, a partial-dimension flow control policy is applied. For traffic sent by the intranet device to the service device, flow control may likewise use all five dimensions, or only the target traffic direction, the target traffic bandwidth and the target file type, leaving out the target traffic type and the target threat detection type; again a partial-dimension flow control policy is applied.
In other words, traffic direction and file type need not be limited for traffic sent by the service device to the intranet device, and traffic type and threat detection type need not be limited for traffic sent by the intranet device to the service device.
In one possible implementation, the primary gateway or the secondary gateway may also adaptively adjust the flow control policy, for example to support flow control of threat traffic, abnormal traffic and the like. The flow control policy may be adjusted based on the traffic operating conditions: if it is determined from the traffic operating conditions that threat traffic and/or abnormal traffic exists, the flow control policy is adaptively adjusted.
For example, if the flow control policy does not include a target traffic bandwidth (i.e. bandwidth is not limited by default) and the traffic operating conditions show that the bandwidth occupied by the traffic exceeds a threshold (i.e. the traffic occupies a large amount of bandwidth and is therefore abnormal traffic), a target traffic bandwidth may be added to the flow control policy. The policy is thus adaptively modified and the traffic bandwidth is limited.
For example, if the flow control policy does not include a target file type (i.e. file type is not limited by default) and the traffic operating conditions show that the gateway device (e.g. the primary gateway or the secondary gateway) is transmitting traffic of a specified file type (e.g. the avi or mp4 format), i.e. traffic of an abnormal file type, which is abnormal traffic, a target file type may be added to the flow control policy, the target file type being the specified file type. The policy is thus adaptively modified and the file type is limited.
For example, if the flow control policy does not include a target traffic type (i.e. traffic type/protocol type is not limited by default) and the traffic operating conditions show that the gateway device (e.g. the primary gateway or the secondary gateway) is transmitting traffic of a suspicious traffic protocol type (e.g. a low version of SSL or TLS), i.e. traffic of an abnormal protocol type, which is abnormal traffic, a target traffic type may be added to the flow control policy, the target traffic type being the suspicious traffic protocol type (e.g. the low version of SSL or TLS). The policy is thus adaptively modified and the traffic type is limited.
Of course, the foregoing are only a few examples of adaptive adjustment of the flow control policy, which is not limited to them; adaptive adjustment can assist the user in policy setting and thereby improve the usability of the system. The flow control policy is modified on the basis of its policy identifier, and the modified content must be synchronized between the primary gateway and the secondary gateway.
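As an added example (not code from the patent), the following Python models the flow control dimensions of claim 4, the partial-dimension policies for the two traffic directions described above, and the three adaptive adjustment cases. The names Policy, Flow, BandwidthMeter, control and adapt, the one-second window bandwidth meter and the placeholder threat detector are assumptions of this example. One choice is worth stating: the page says the target file type or target traffic type added adaptively is the abnormal or suspicious type itself, while claim 4 evaluates a target by "matching means allow"; the example therefore populates the added target with the observed types minus the abnormal ones, which is the reading under which the abnormal type actually becomes limited. That is the example's interpretation, not the page's wording.

```python
"""Flow control policy evaluation and adaptive adjustment.

Added example; not code from the patent. The five target dimensions are the
page's; a dimension left as None is "not limited by default" (assumption).
"""
from dataclasses import dataclass
from typing import Callable, Optional

ALLOW, FORBID = "allow", "forbid"
TO_INTRANET, TO_SERVICE = "to_intranet", "to_service"

# Constructed stand-in for the gateway's threat detection engines, keyed by
# target threat detection type; each returns True when a threat is found.
THREAT_DETECTORS: dict[str, Callable[[bytes], bool]] = {
    "signature-scan": lambda payload: b"CONSTRUCTED-THREAT-MARKER" in payload,
}


@dataclass
class Policy:
    """One target dimension per field; set-valued fields are allow-lists (claim 4)."""
    direction: Optional[str] = None
    traffic_type: Optional[set] = None
    bandwidth_bps: Optional[int] = None
    file_type: Optional[set] = None
    threat_detection: Optional[set] = None


@dataclass
class Flow:
    direction: str
    traffic_type: str
    file_type: Optional[str]  # None when the flow carries no file
    payload: bytes


class BandwidthMeter:
    """Fixed one-second window byte counter; an assumed model of the gateway's shaper."""

    def __init__(self) -> None:
        self.window_start, self.used = 0.0, 0

    def admit(self, size: int, limit_bps: int, now: float) -> bool:
        if now - self.window_start >= 1.0:
            self.window_start, self.used = now, 0
        if (self.used + size) * 8 > limit_bps:
            return False
        self.used += size
        return True


def control(policy: Policy, flow: Flow, meter: BandwidthMeter, now: float) -> tuple:
    """Return (result, reason): any configured dimension that fails forbids the flow."""
    if policy.direction is not None and flow.direction != policy.direction:
        return FORBID, "direction"
    if policy.traffic_type is not None and flow.traffic_type not in policy.traffic_type:
        return FORBID, "traffic_type"
    # Assumption: a file-type limit applies only to flows that actually carry a file.
    if policy.file_type is not None and flow.file_type is not None \
            and flow.file_type not in policy.file_type:
        return FORBID, "file_type"
    for kind in policy.threat_detection or ():
        if THREAT_DETECTORS[kind](flow.payload):
            return FORBID, "threat:" + kind
    # Bandwidth is checked last so a flow forbidden elsewhere consumes no budget.
    if policy.bandwidth_bps is not None and not meter.admit(
            len(flow.payload), policy.bandwidth_bps, now):
        return FORBID, "bandwidth"
    return ALLOW, "all dimensions passed"


def adapt(policy: Policy, cond: dict) -> list:
    """Add missing dimensions from observed operating conditions (the page's three cases).

    cond keys (constructed): used_bps, bps_threshold, cap_bps, observed_file_types,
    abnormal_file_types, observed_protocols, suspicious_protocols.
    """
    added = []
    if policy.bandwidth_bps is None and cond["used_bps"] > cond["bps_threshold"]:
        policy.bandwidth_bps = cond["cap_bps"]
        added.append("bandwidth_bps")
    if policy.file_type is None and cond["observed_file_types"] & cond["abnormal_file_types"]:
        # Assumption: the added allow-list is the observed types minus the abnormal ones.
        policy.file_type = cond["observed_file_types"] - cond["abnormal_file_types"]
        added.append("file_type")
    if policy.traffic_type is None and cond["observed_protocols"] & cond["suspicious_protocols"]:
        policy.traffic_type = cond["observed_protocols"] - cond["suspicious_protocols"]
        added.append("traffic_type")
    return added


def demo() -> dict:
    """Both directions with the page's partial-dimension policies (constructed flows)."""
    meter = BandwidthMeter()
    # Service -> intranet: direction and file type are not limited.
    inbound = Policy(traffic_type={"https"}, bandwidth_bps=8_000,
                     threat_detection={"signature-scan"})
    # Intranet -> service: traffic type and threat detection are not limited.
    outbound = Policy(direction=TO_SERVICE, bandwidth_bps=8_000, file_type={"pdf"})
    marker = b"header CONSTRUCTED-THREAT-MARKER trailer"
    return {
        "clean": control(inbound, Flow(TO_INTRANET, "https", None, b"GET / " * 10), meter, 0.0),
        "threat": control(inbound, Flow(TO_INTRANET, "https", "exe", marker), meter, 0.1),
        "over_bw": control(inbound, Flow(TO_INTRANET, "https", None, b"A" * 2000), meter, 0.2),
        "wrong_dir": control(outbound, Flow(TO_INTRANET, "smb", "pdf", b"%PDF-1.4"), meter, 1.5),
        "bad_file": control(outbound, Flow(TO_SERVICE, "smb", "avi", b"RIFF"), meter, 1.6),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The bandwidth dimension is modelled as a hard drop once the one-second budget is exhausted; a shaper that queues instead of dropping would satisfy the same "does not exceed the target bandwidth" requirement, so that part is a design choice of the example.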
In one possible implementation, the primary gateway or the secondary gateway may also perform network state detection and visually display the transmitted traffic data. For example, the primary gateway may collect traffic statistics and present them graphically on a target page.
By way of example, the traffic information may include, but is not limited to, at least one of:
Traffic information counted by the primary gateway: the number of secondary gateways connected to the primary gateway (i.e. the total number of secondary gateways), the number of service devices connected to the primary gateway (i.e. the total number of service devices), the overall traffic trend of the primary gateway (i.e. the trend in traffic size, such as from a large traffic change to a small one), the file trend of the primary gateway (i.e. the trend in file type, such as from type A files to type B files), and the threat trend of the primary gateway (i.e. the trend in threat type, such as from type C threats to another threat type).
Traffic information counted by the secondary gateway (traffic information counted by the secondary gateway needs to be sent to the primary gateway): the traffic bandwidth of the secondary gateway, the traffic size of the secondary gateway and the number of service devices accessed by the secondary gateway.
Traffic information counted by the service device (which needs to be sent to the primary gateway): the offline status of the service device, the traffic size of the service device (real-time traffic size, total traffic size, uplink traffic size, downlink traffic size and the like), the traffic size trend of the service device (i.e. the trend in traffic size), the file types of the service device and the protocol types of the service device.
Of course, the above are just a few examples of traffic information, and there is no limitation on this traffic information.
In an embodiment of the present application, a flow control method is provided; referring to fig. 4, an application scenario diagram of the flow control method is shown. The flow control system may include a gateway device and a plurality of service devices. In contrast to fig. 2, there is no primary gateway and secondary gateway; instead a gateway device is used, and the functions of the primary gateway and the secondary gateway are implemented by that gateway device. Each service device needs to deploy an identity authentication device, which may be a USBKey. In this application scenario, a flow control method is provided in an embodiment of the present application; referring to fig. 5, a flow diagram of the flow control method is shown, and the method may include the following steps:
Step 501, for each service scenario, the gateway device obtains a flow control policy corresponding to the service scenario and a policy identifier corresponding to the service scenario, and records a mapping relationship between the flow control policy and the policy identifier.
Step 502, the gateway device obtains a first key pair and a second key pair.
Step 503, the gateway device synchronizes the policy identifier to the identity authentication device, and synchronizes the public key of the first key pair, the second key pair (e.g. the public key and the private key) to the identity authentication device.
Step 504, after the service device deploys the identity authentication device, the identity authentication device encrypts the certificate information by using the public key of the first key pair, and sends the encrypted certificate information to the gateway device.
Step 505, the gateway device receives the certificate information sent by the identity authentication device, verifies the certificate information based on the private key of the first key pair, and obtains the public key of the second key pair and the policy identifier of the identity authentication device from the certificate information after the verification is passed. Optionally, if the certificate information further includes the first random number R1, after the verification is passed, the first random number R1 may also be obtained from the certificate information.
Step 506, the gateway device negotiates a symmetric key with the identity authentication device based on the public key of the second key pair.
Step 507, after receiving the traffic sent by the service device to the intranet device, the identity authentication device encrypts the traffic using the symmetric key to obtain encrypted traffic, and sends the encrypted traffic to the gateway device.
Step 508, when the gateway device receives the encrypted traffic sent by the identity authentication device, it decrypts the encrypted traffic using the symmetric key to obtain decrypted traffic, and obtains the flow control policy corresponding to the policy identifier.
Step 509, the gateway device performs flow control on the decrypted flow based on the flow control policy.
Step 510, if it is determined that the decrypted traffic is allowed to be sent to the intranet device based on the traffic control policy, the gateway device sends the decrypted traffic to the intranet device. Or if the decrypted traffic is determined to be forbidden to be sent to the intranet equipment based on the traffic control policy, the gateway equipment discards the decrypted traffic.
Illustratively, steps 501-510 are similar to those of fig. 3, except that the functions of the primary gateway and the secondary gateway are integrated into the gateway device; for the other processing, refer to steps 301-312, which are not repeated here.
According to the above technical solution, the embodiment of the present application provides a flow control method based on a gateway device and an identity authentication device. Without modifying the service device, the identity authentication device is deployed on the service device to encrypt the traffic transmitted between the service device and the intranet device, and forwarding control of that traffic based on a custom policy (such as the flow control policy corresponding to the policy identifier) is supported. In this way the security of the intranet device and its data is protected, legitimate devices can access the intranet device normally, the security of the service device's traffic transmission is greatly improved, service security is effectively ensured, an encrypted channel and secure transmission are established for the traffic, and flow control capability and network security are improved.
A flow control method based on a gateway device, a USBKey and a custom policy (flow control policy) is constructed, requiring only small changes to the service device and supporting multi-policy parallel real-time control, multi-scenario flow policy configuration, automatic identity authentication of service devices, secure encryption of traffic transmission and fine-grained control of traffic content, thereby improving flow control capability and network security. The method and device provide proxy forwarding of service device traffic based on the USBKey and Agent scheme, reduce the cost of adapting to encrypted traffic transmission, and complete security authentication and encrypted transmission for the service device. Fine-grained flow control is performed on the basis of the certificate built into the USBKey and the policy identifier, so that parallel control of multiple policies across multiple gateways and multiple service devices can be completed; this breaks through the limitations of policy control based on IP, MAC and asset information, and flow control of service devices can be completed without delay.
Based on the same application concept as the above method, an embodiment of the present application provides a flow control device applied to a gateway apparatus, and referring to fig. 6, a schematic structural diagram of the device is shown, where the device includes:
A receiving module 61, configured to receive credential information sent by an identity authentication device, where the credential information is encrypted using a public key of a first key pair, verify the credential information based on a private key of the first key pair, and obtain, after verification passes, a public key of a second key pair and a policy identifier of the identity authentication device from the credential information; a processing module 62 for negotiating a symmetric key with the identity authentication device based on the public key of the second key pair; an obtaining module 63, configured to obtain a flow control policy corresponding to the policy identifier when receiving the encrypted flow sent by the identity authentication device; the identity authentication equipment is deployed in the service equipment, and after receiving the traffic sent by the service equipment, the traffic is encrypted by adopting the symmetric key to obtain encrypted traffic; the control module 64 is configured to decrypt the encrypted traffic using the symmetric key to obtain decrypted traffic, and perform traffic control on the decrypted traffic based on the traffic control policy.
Illustratively, the certificate information includes a first random number, and the processing module 62 is specifically configured to, when negotiating a symmetric key with the authentication device based on the public key of the second key pair: generating key data and a second random number, and encrypting the first random number, the key data and the second random number by adopting a private key of the second key pair to obtain the symmetric key; and encrypting the key data by adopting the public key of the second key pair, transmitting the encrypted key data and the second random number to the identity authentication equipment, so that the identity authentication equipment decrypts the encrypted key data by adopting the private key of the second key pair to obtain the key data, and encrypting the first random number, the key data and the second random number by adopting the private key of the second key pair to obtain the symmetric key.
The obtaining module 63 is further configured to obtain, for each service scenario, a flow control policy corresponding to the service scenario and a policy identifier corresponding to the service scenario, and record a mapping relationship between the flow control policy and the policy identifier; the method comprises the steps that for business equipment matched with the business scene, when the business equipment deploys identity authentication equipment, certificate information of the identity authentication equipment comprises a strategy identifier corresponding to the business scene; wherein the flow control strategy comprises at least one of: target traffic direction, target traffic type, target traffic bandwidth, target file type, target threat detection type, target anomaly detection type.
Illustratively, the control module 64 is specifically configured to, when performing flow control on the decrypted flow based on the flow control policy: if the flow control strategy comprises a target flow direction, and the flow direction of the decrypted flow is matched with the target flow direction, allowing the decrypted flow to be sent to intranet equipment; if the flow direction of the decrypted flow is not matched with the target flow direction, the decrypted flow is forbidden to be sent to the intranet equipment; if the flow control strategy comprises a target flow type and the flow type of the decrypted flow is matched with the target flow type, allowing the decrypted flow to be sent to intranet equipment; if the traffic type of the decrypted traffic is not matched with the target traffic type, the decrypted traffic is forbidden to be sent to the intranet equipment; if the flow control strategy comprises a target flow bandwidth, when the decrypted flow is sent to the intranet equipment, the actual flow bandwidth of the decrypted flow does not exceed the target flow bandwidth; if the flow control strategy comprises a target file type and the file type of the decrypted flow is matched with the target file type, allowing the decrypted flow to be sent to intranet equipment; if the file type of the decrypted flow is not matched with the target file type, the decrypted flow is forbidden to be sent to the intranet equipment; if the flow control strategy comprises a target threat detection type, threat detection is carried out on the decrypted flow based on the target threat detection type; if the detection result shows that the threat does not exist, the decrypted flow is allowed to be sent to the intranet equipment; and if the detection result is that the threat exists, prohibiting the decrypted traffic from being sent to the intranet equipment.
The obtaining module 63 is further configured to, after obtaining the flow control policy corresponding to the service scenario and the policy identifier corresponding to the service scenario: adjust the flow control policy based on the traffic operating conditions of the gateway device; if the flow control policy does not include a target traffic bandwidth and it is determined from the traffic operating conditions that the bandwidth occupied by the gateway device is greater than a threshold, add a target traffic bandwidth to the flow control policy; if the flow control policy does not include a target file type and it is determined from the traffic operating conditions that the gateway device is transmitting traffic of a specified file type, add a target file type to the flow control policy, the target file type being the specified file type; and if the flow control policy does not include a target traffic type and it is determined from the traffic operating conditions that the gateway device is transmitting traffic of a suspicious traffic protocol type, add a target traffic type to the flow control policy, the target traffic type being the suspicious traffic protocol type.
For an application scenario with a primary gateway and a secondary gateway, the primary gateway is close to an intranet device, and the secondary gateway is close to a business device; the intranet equipment stores sensitive data, and the business equipment accesses the sensitive data of the intranet equipment, or the business equipment sends the sensitive data to the intranet equipment for storage; the gateway device is the secondary gateway, the secondary gateway establishes a VPN channel with the primary gateway, and the control module 64 is specifically configured to, when performing flow control on the decrypted flow based on the flow control policy: and if the decrypted traffic is determined to be allowed to be sent to the intranet equipment based on the traffic control policy, sending the decrypted traffic to a main gateway based on the VPN channel, and sending the decrypted traffic to the intranet equipment by the main gateway after receiving the decrypted traffic through the VPN channel.
Based on the same application concept as the above method, an embodiment of the present application proposes an electronic device (such as a gateway device), and referring to fig. 7, the electronic device may include a processor 71 and a machine-readable storage medium 72, where the machine-readable storage medium 72 stores machine-executable instructions that can be executed by the processor 71; wherein the processor 71 is configured to execute machine-executable instructions to implement the flow control method described above.
Based on the same application concept as the above method, an embodiment of the present application provides a machine-readable storage medium storing a plurality of computer instructions which, when executed by a processor, implement the flow control method of the above examples. The machine-readable storage medium is any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions or data. For example, a machine-readable storage medium may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g. a hard drive), a solid state drive, any type of storage disk (e.g. an optical disk or DVD), or a similar storage medium.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer entity or by an article of manufacture having some functionality. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each element may be implemented in the same piece or pieces of software and/or hardware when implementing the present application.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the application may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Moreover, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.
Claims (10)
1. A method of flow control, for use with a gateway device, the method comprising:
Receiving certificate information sent by an identity authentication device, the certificate information being encrypted using a public key of a first key pair, verifying the certificate information based on a private key of the first key pair, and, after the verification passes, obtaining a public key of a second key pair and a policy identifier of the identity authentication device from the certificate information;
Negotiating a symmetric key with the authentication device based on the public key of the second key pair;
When the encrypted traffic sent by the identity authentication equipment is received, a traffic control policy corresponding to the policy identifier is obtained; the identity authentication equipment is deployed in the service equipment, and after receiving the traffic sent by the service equipment, the traffic is encrypted by adopting the symmetric key to obtain the encrypted traffic;
decrypting the encrypted flow by adopting the symmetric key to obtain decrypted flow;
And controlling the flow of the decrypted flow based on the flow control strategy.
2. The method of claim 1, wherein the credential information comprises a first random number, wherein negotiating a symmetric key with the authentication device based on the public key of the second key pair comprises:
Generating key data and a second random number, and encrypting the first random number, the key data and the second random number by adopting a private key of the second key pair to obtain the symmetric key;
Encrypting the key data by adopting the public key of the second key pair, and transmitting the encrypted key data and the second random number to the identity authentication equipment, so that the identity authentication equipment adopts the private key of the second key pair to decrypt the encrypted key data to obtain the key data, and adopts the private key of the second key pair to encrypt the first random number, the key data and the second random number to obtain the symmetric key.
3. The method according to claim 1, wherein the method further comprises:
for each service scene, acquiring a flow control strategy corresponding to the service scene and a strategy identifier corresponding to the service scene, and recording the mapping relation between the flow control strategy and the strategy identifier;
The method comprises the steps that for business equipment matched with the business scene, when the business equipment deploys identity authentication equipment, certificate information of the identity authentication equipment comprises a strategy identifier corresponding to the business scene;
Wherein the flow control strategy comprises at least one of: target traffic direction, target traffic type, target traffic bandwidth, target file type, target threat detection type, target anomaly detection type.
4. A method according to claim 1 or 3, characterized in that,
The flow control for the decrypted flow based on the flow control policy includes:
if the flow control strategy comprises a target flow direction, and the flow direction of the decrypted flow is matched with the target flow direction, allowing the decrypted flow to be sent to intranet equipment; if the flow direction of the decrypted flow is not matched with the target flow direction, the decrypted flow is forbidden to be sent to the intranet equipment;
if the flow control strategy comprises a target flow type and the flow type of the decrypted flow is matched with the target flow type, allowing the decrypted flow to be sent to intranet equipment; if the flow type of the decrypted flow is not matched with the target flow type, the decrypted flow is forbidden to be sent to the intranet equipment;
if the flow control strategy comprises a target flow bandwidth, when the decrypted flow is sent to the intranet equipment, the actual flow bandwidth of the decrypted flow does not exceed the target flow bandwidth;
If the flow control strategy comprises a target file type and the file type of the decrypted flow is matched with the target file type, allowing the decrypted flow to be sent to intranet equipment; if the file type of the decrypted flow is not matched with the target file type, the decrypted flow is forbidden to be sent to the intranet equipment;
if the flow control strategy comprises a target threat detection type, threat detection is carried out on the decrypted flow based on the target threat detection type; if the detection result shows that the threat does not exist, the decrypted flow is allowed to be sent to the intranet equipment; and if the detection result is that the threat exists, prohibiting the decrypted traffic from being sent to the intranet equipment.
5. The method of claim 3, wherein after the obtaining the flow control policy corresponding to the service scenario and the policy identifier corresponding to the service scenario, the method further comprises:
Adjusting a flow control strategy based on the flow operation condition of the gateway equipment;
If the flow control strategy does not comprise the target flow bandwidth and the occupied bandwidth of the gateway equipment is determined to be larger than a threshold value based on the flow operation condition, adding the target flow bandwidth into the flow control strategy;
If the flow control strategy does not comprise the target file type, and the gateway equipment transmits the flow corresponding to the specified file type based on the flow running condition, adding the target file type into the flow control strategy, wherein the target file type is the specified file type;
If the flow control strategy does not include the target flow type and the gateway device transmits the flow corresponding to the suspicious flow protocol type based on the flow operation condition, adding the target flow type into the flow control strategy and the target flow type is the suspicious flow protocol type.
6. A method according to any one of claims 1-3, characterized in that for an application scenario in which there is a primary gateway and a secondary gateway, the primary gateway is close to an intranet device, the secondary gateway is close to a business device; the intranet equipment stores sensitive data, and the service equipment accesses the sensitive data of the intranet equipment, or the service equipment sends the sensitive data to the intranet equipment for storage;
The gateway device is the secondary gateway, the secondary gateway establishes a VPN channel with the primary gateway, and the flow control is performed on the decrypted flow based on the flow control policy, including:
And if the decrypted traffic is determined to be allowed to be sent to the intranet equipment based on the traffic control policy, sending the decrypted traffic to a main gateway based on the VPN channel, and sending the decrypted traffic to the intranet equipment by the main gateway after receiving the decrypted traffic through the VPN channel.
7. The method of claim 6, wherein the method further comprises:
The primary gateway collects traffic information, the traffic information including at least one of: the number of secondary gateways connected to the primary gateway, the number of service devices connected to the primary gateway, the overall traffic trend of the primary gateway, the file trend of the primary gateway, the threat trend of the primary gateway, the traffic bandwidth of the secondary gateway, the traffic volume of the secondary gateway, the number of service devices connected to the secondary gateway, the online/offline status of the service devices, the traffic volume trend of the service devices, the file types of the service devices and the protocol types of the service devices;
and displaying the traffic information in graph form on a target page.
8. A flow control apparatus for use in a gateway device, the apparatus comprising:
a receiving module, configured to receive certificate information sent by an identity authentication device, wherein the certificate information is encrypted with the public key of a first key pair; to verify the certificate information based on the private key of the first key pair; and, after the verification passes, to obtain the public key of a second key pair and the policy identifier of the identity authentication device from the certificate information;
a processing module, configured to negotiate a symmetric key with the identity authentication device based on the public key of the second key pair;
an acquisition module, configured to acquire the flow control policy corresponding to the policy identifier when encrypted traffic sent by the identity authentication device is received; wherein the identity authentication device is deployed in the service device and, after receiving traffic sent by the service device, encrypts that traffic with the symmetric key to obtain the encrypted traffic;
and a control module, configured to decrypt the encrypted traffic with the symmetric key to obtain decrypted traffic, and to perform flow control on the decrypted traffic based on the flow control policy.
9. The apparatus of claim 8, characterized in that
the certificate information comprises a first random number, and the processing module, when negotiating the symmetric key with the identity authentication device based on the public key of the second key pair, is specifically configured to: generate key data and a second random number, and encrypt the first random number, the key data and the second random number with the private key of the second key pair to obtain the symmetric key; encrypt the key data with the public key of the second key pair, and send the encrypted key data and the second random number to the identity authentication device, so that the identity authentication device decrypts the encrypted key data with the private key of the second key pair to obtain the key data, and encrypts the first random number, the key data and the second random number with the private key of the second key pair to obtain the symmetric key;
the acquisition module is further configured to acquire, for each service scenario, the flow control policy corresponding to the service scenario and the policy identifier corresponding to the service scenario, and to record the mapping relationship between the flow control policy and the policy identifier; wherein, for a service device matching the service scenario, when the service device deploys an identity authentication device, the certificate information of that identity authentication device comprises the policy identifier corresponding to the service scenario; and wherein the flow control policy comprises at least one of: a target traffic direction, a target traffic type, a target traffic bandwidth, a target file type, a target threat detection type and a target anomaly detection type;
the control module, when performing flow control on the decrypted traffic based on the flow control policy, is specifically configured to: if the flow control policy comprises a target traffic direction and the traffic direction of the decrypted traffic matches the target traffic direction, allow the decrypted traffic to be sent to the intranet device, and if the traffic direction of the decrypted traffic does not match the target traffic direction, forbid the decrypted traffic from being sent to the intranet device; if the flow control policy comprises a target traffic type and the traffic type of the decrypted traffic matches the target traffic type, allow the decrypted traffic to be sent to the intranet device, and if the traffic type of the decrypted traffic does not match the target traffic type, forbid the decrypted traffic from being sent to the intranet device; if the flow control policy comprises a target traffic bandwidth, ensure that, when the decrypted traffic is sent to the intranet device, the actual traffic bandwidth of the decrypted traffic does not exceed the target traffic bandwidth; if the flow control policy comprises a target file type and the file type of the decrypted traffic matches the target file type, allow the decrypted traffic to be sent to the intranet device, and if the file type of the decrypted traffic does not match the target file type, forbid the decrypted traffic from being sent to the intranet device; if the flow control policy comprises a target threat detection type, perform threat detection on the decrypted traffic based on the target threat detection type, and if the detection result indicates that no threat exists, allow the decrypted traffic to be sent to the intranet device, whereas if the detection result indicates that a threat exists, forbid the decrypted traffic from being sent to the intranet device;
the acquisition module is further configured, after acquiring the flow control policy corresponding to the service scenario and the policy identifier corresponding to the service scenario, to: adjust the flow control policy based on the flow operation condition of the gateway device; if the flow control policy does not include a target traffic bandwidth, and it is determined based on the flow operation condition that the occupied bandwidth of the gateway device is larger than a threshold value, add a target traffic bandwidth to the flow control policy; if the flow control policy does not include a target file type, and it is determined based on the flow operation condition that the gateway device transmits traffic corresponding to a specified file type, add a target file type to the flow control policy, wherein the target file type is the specified file type; if the flow control policy does not include a target traffic type, and it is determined based on the flow operation condition that the gateway device transmits traffic corresponding to a suspicious traffic protocol type, add a target traffic type to the flow control policy, wherein the target traffic type is the suspicious traffic protocol type;
in an application scenario in which there are a primary gateway and a secondary gateway, the primary gateway is close to the intranet device and the secondary gateway is close to the service device; the intranet device stores sensitive data, and the service device either accesses the sensitive data of the intranet device or sends sensitive data to the intranet device for storage; the gateway device is the secondary gateway, the secondary gateway establishes a VPN channel with the primary gateway, and the control module is specifically configured to: if it is determined based on the flow control policy that the decrypted traffic is allowed to be sent to the intranet device, send the decrypted traffic to the primary gateway over the VPN channel, so that the primary gateway, after receiving the decrypted traffic over the VPN channel, sends the decrypted traffic to the intranet device.
10. An electronic device, comprising: a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor; the processor is configured to execute the machine-executable instructions to implement the method of any one of claims 1-7.
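As an added illustration (not code from the patent or its applicant), the following Python models three pieces of the claims above: the mapping from a policy identifier carried in the certificate to a flow control policy (claim 9), the control module's enforcement rules for target direction, traffic type, file type, threat detection and bandwidth (claim 9), and the adaptive adjustment of a policy from the gateway's flow operation condition (claim 5). The policy table, bandwidth threshold, "specified" file types, "suspicious" protocol types and threat signatures are constructed assumptions; the token-bucket limiter is one way to keep the actual bandwidth under the target, a choice the claims do not specify. The adjustment clauses are implemented as the claims state them (the observed type becomes the target type), and claim 9 then evaluates any target by match-to-allow.

```python
"""Gateway policy lookup, enforcement and adjustment modelled on the claims above.
Added example; every identifier, value and signature below is an assumption."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Flow:
    """One unit of decrypted traffic as the control module sees it (constructed)."""
    direction: str            # e.g. "to_intranet" / "from_intranet"
    protocol: str             # traffic (protocol) type, e.g. "https"
    file_type: Optional[str]  # carried file type, None if no file is carried
    size_bytes: int
    payload: bytes


@dataclass
class FlowControlPolicy:
    """A target left as None is not configured and is skipped, as in claim 9."""
    target_direction: Optional[str] = None
    target_traffic_types: Optional[FrozenSet[str]] = None
    target_bandwidth_bps: Optional[int] = None
    target_file_types: Optional[FrozenSet[str]] = None
    target_threat_types: Optional[FrozenSet[str]] = None


# Constructed signatures for the threat detection types a policy may name.
THREAT_SIGNATURES: Dict[str, List[bytes]] = {
    "sql_injection": [b"' OR 1=1", b"UNION SELECT"],
    "virus": [b"CONSTRUCTED-VIRUS-MARKER"],
}

# Policy identifier -> policy: the mapping the acquisition module records (constructed).
POLICY_TABLE: Dict[str, FlowControlPolicy] = {
    "policy-erp-01": FlowControlPolicy(
        target_direction="to_intranet",
        target_traffic_types=frozenset({"https", "smb"}),
        target_bandwidth_bps=10_000_000,
        target_file_types=frozenset({"pdf", "docx"}),
        target_threat_types=frozenset({"sql_injection", "virus"}),
    ),
}


def lookup_policy(policy_id: str) -> Optional[FlowControlPolicy]:
    """Resolve the policy identifier obtained from the certificate information."""
    return POLICY_TABLE.get(policy_id)


class BandwidthLimiter:
    """Token bucket holding bytes; the refill rate is the target bandwidth."""

    def __init__(self, rate_bps: int, burst_bytes: Optional[int] = None) -> None:
        self.rate_bytes = rate_bps // 8
        self.capacity = burst_bytes if burst_bytes is not None else self.rate_bytes
        self.tokens = float(self.capacity)
        self.last = 0.0

    def allow(self, size_bytes: int, now: float) -> bool:
        """Refill for the elapsed time, then spend tokens if enough are available."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate_bytes)
        self.last = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False


def run_threat_detection(flow: Flow, detection_types: FrozenSet[str]) -> FrozenSet[str]:
    """Return the detection types whose signatures occur in the payload."""
    return frozenset(
        t for t in detection_types
        if any(sig in flow.payload for sig in THREAT_SIGNATURES.get(t, []))
    )


def evaluate(policy: FlowControlPolicy, flow: Flow,
             limiter: Optional[BandwidthLimiter] = None, now: float = 0.0) -> Tuple[str, str]:
    """Apply claim 9's control-module rules; returns ("allow" | "deny", reason)."""
    if policy.target_direction is not None and flow.direction != policy.target_direction:
        return "deny", "traffic direction mismatch"
    if policy.target_traffic_types is not None and flow.protocol not in policy.target_traffic_types:
        return "deny", "traffic type mismatch"
    if policy.target_file_types is not None and flow.file_type not in policy.target_file_types:
        return "deny", "file type mismatch"
    if policy.target_threat_types is not None:
        hits = run_threat_detection(flow, policy.target_threat_types)
        if hits:
            return "deny", "threat detected: " + ", ".join(sorted(hits))
    # Bandwidth is checked last so tokens are spent only on traffic that passed every other gate.
    if policy.target_bandwidth_bps is not None:
        if limiter is None or not limiter.allow(flow.size_bytes, now):
            return "deny", "target bandwidth exceeded"  # a shaping implementation would queue instead
    return "allow", "all configured targets matched"


@dataclass
class OperationCondition:
    """Observed flow operation condition of the gateway (constructed fields)."""
    occupied_bandwidth_bps: int
    transmitted_file_types: FrozenSet[str]
    transmitted_protocols: FrozenSet[str]


BANDWIDTH_THRESHOLD_BPS = 800_000_000        # assumed threshold of claim 5
DEFAULT_TARGET_BANDWIDTH_BPS = 100_000_000   # assumed value added to the policy
SPECIFIED_FILE_TYPES = frozenset({"exe", "dll"})      # assumed "specified file type"
SUSPICIOUS_PROTOCOLS = frozenset({"telnet", "ftp"})   # assumed "suspicious protocol type"


def adjust_policy(policy: FlowControlPolicy, cond: OperationCondition) -> FlowControlPolicy:
    """Claim 5 as written: each absent target is added from the observed condition."""
    if policy.target_bandwidth_bps is None and cond.occupied_bandwidth_bps > BANDWIDTH_THRESHOLD_BPS:
        policy.target_bandwidth_bps = DEFAULT_TARGET_BANDWIDTH_BPS
    seen_files = cond.transmitted_file_types & SPECIFIED_FILE_TYPES
    if policy.target_file_types is None and seen_files:
        policy.target_file_types = frozenset(seen_files)
    seen_protocols = cond.transmitted_protocols & SUSPICIOUS_PROTOCOLS
    if policy.target_traffic_types is None and seen_protocols:
        policy.target_traffic_types = frozenset(seen_protocols)
    return policy
```

The enforcement order follows the claim except that the bandwidth gate runs last, so a flow later refused for its file type or a threat hit never consumes bucket tokens; a flow that carries no file is treated as not matching a configured target file type, which is the literal reading of the claim.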
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410319848.4A CN117938544B (en) | 2024-03-19 | 2024-03-19 | Flow control method, device and equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117938544A true CN117938544A (en) | 2024-04-26 |
CN117938544B CN117938544B (en) | 2024-06-07 |
Family
ID=90754118
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410319848.4A Active CN117938544B (en) | 2024-03-19 | 2024-03-19 | Flow control method, device and equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117938544B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105099930A (en) * | 2014-05-21 | 2015-11-25 | 杭州华三通信技术有限公司 | Method and device for controlling traffic of encrypted data flow |
US20220255909A1 (en) * | 2019-10-25 | 2022-08-11 | Huawei Technologies Co., Ltd. | Secure Communication Method, Apparatus, and System |
CN115801442A (en) * | 2022-12-08 | 2023-03-14 | 北京天融信网络安全技术有限公司 | Encrypted traffic detection method, security system and agent module |
CN116074028A (en) * | 2021-11-02 | 2023-05-05 | 华为技术有限公司 | Access control method, device and system for encrypted traffic |
CN116389372A (en) * | 2023-03-10 | 2023-07-04 | 中国工商银行股份有限公司 | Analysis method and device of network traffic, electronic equipment and storage medium |
CN116887346A (en) * | 2023-08-08 | 2023-10-13 | 成都西加云杉科技有限公司 | Flow control method, device, equipment and storage medium |
CN117375841A (en) * | 2023-10-10 | 2024-01-09 | 北京鼎震科技有限责任公司 | Network access control method, system, electronic equipment and program product |
Non-Patent Citations (1)
Title |
---|
广小明: "P2P流量控制策略分析" (Analysis of P2P traffic control strategies), 电信网技术 (Telecommunications Network Technology), no. 08, 15 August 2004 (2004-08-15) * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |