CN118157864A - System and method for generating authorization list - Google Patents

System and method for generating authorization list

Info

Publication number
CN118157864A
Authority
CN
China
Prior art keywords
public
access
user
data
area networks
Prior art date
Legal status
Pending
Application number
CN202211586609.2A
Other languages
Chinese (zh)
Inventor
郑茂宏
杨则彦
陈禹先
林则宇
Current Assignee
QNAP Systems Inc
Original Assignee
QNAP Systems Inc
Priority date
Filing date
Publication date
Priority claimed from TW111146640A (TWI846184B)
Application filed by QNAP Systems Inc
Publication of CN118157864A
Legal status: Pending


Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention is a system and method for generating an authorization list. The system can be connected to a plurality of Wide Area Networks (WANs) and comprises an access credential (access token) generation module configured to identify the one or more public IP addresses provided to a user device (DUT) by one or more Internet Service Providers (ISPs), using the default gateway Media Access Control (MAC) address held by the DUT as the identifier, and to generate an identification result; to generate an access credential (access token) based on that identification result; and to transmit the access credential to the DUT so that the DUT can access one or more local area networks through any of those public IP addresses, wherein the one or more local area networks have their firewall enabled and only allow access from permitted subnets.

Description

System and method for generating authorization list
Technical Field
The present invention relates to a system and method for generating an authorization list, and more particularly to a system and method for generating an authorization list suited to a user device that is connected to a plurality of Wide Area Networks (WANs).
Background
A network attached storage (NAS) device is a file-level data storage server connected to a computer network that provides data access to users on heterogeneous networks. NAS devices contain one or more storage drives, typically arranged as logical volumes, redundant volumes, or a Redundant Array of Independent Disks (RAID); they act as intelligent storage devices that centrally store photos, movies, music, and files. In daily life, a NAS device connected to a home or office network provides a secure, easily managed shared space in which the data of many devices can be centrally managed, shared, and synchronized, and its contents can be accessed remotely at any time from a computer or through a mobile app. Like public cloud services, NAS devices offer many convenient and interesting applications.
However, existing NAS devices have some problems. Referring to FIG. 1, which is a schematic diagram of a prior-art system for generating an authorization list, the system 100 mainly consists of one or more NAS devices 120, 130; the number of NAS devices located on the Internet 140 can be adjusted to actual requirements. The system 100 further includes an authentication and authorization server 150, a user device (DUT) 112, a personal or corporate network 110, a data association table 122, and a data association table 152. The data association table 122 typically contains data such as user ID, device ID, and IP address, while the data association table 152 is, for example, a device access permission table. The user device (DUT) 112 is deployed in the personal or corporate network 110 and can establish network connectivity.
Generally, the system 100 is placed in a secure environment to protect the devices exposed to the extranet. When a user wants to reach a device in the extranet environment, such as NAS device 120 or NAS device 130, from the user device (DUT) 112, the device to be accessed only needs a permitted source IP configured in its firewall. However, the personal or corporate network 110 is often served by more than one public IP address from its Internet Service Provider(s), because it has several WAN uplinks. As shown in FIG. 1, if the source (the DUT 112) has two public IP addresses, then after public IP1 has been authenticated and authorized by the authentication and authorization server 150 with existing information security techniques, public IP1 is recorded in the data association table 152 of the server 150 and added to the white list in the data association table 122 of the NAS device 120. In practice, though, the DUT 112 may in some cases reach the NAS device 120 from public IP2 instead, and because public IP2 is not on the NAS device's white list the access fails.
Accordingly, there is a need for an improved system and method for generating an authorization list that addresses such issues.
Disclosure of Invention
In view of the foregoing problems, it is an object of the present invention to let a user (or client) reach a protected device from any of the public IP addresses it may be assigned.
According to an object of the present invention, there is provided a system for generating an authorization list, connectable to a plurality of Wide Area Networks (WANs), the system comprising: an access credential (access token) generation module configured to identify one or more public IP addresses provided to a user device (DUT) by one or more Internet Service Providers (ISPs) according to the default gateway Media Access Control (MAC) address held by the DUT, to generate an identification result, to generate an access credential (access token) based on that identification result, and to transmit the access credential to the DUT so that the DUT can access one or more local area networks through any of the public IP addresses, wherein the one or more local area networks have their firewall enabled and only allow access from permitted subnets.
The access credential generation module includes: a zero trust server configured to identify the one or more public IP addresses provided by the one or more ISPs to the DUT according to the DUT's default gateway MAC address and to generate the identification result; and an authentication and authorization server configured to generate the access credential (access token) according to that identification result and to transmit it to the DUT, so that the DUT can access the one or more local area networks through the one or more public IP addresses, wherein the one or more local area networks have their firewall enabled and only allow access from permitted subnets.
The DUT that has acquired the access credential can likewise access one or more network-based IP cameras through the one or more public IP addresses, the cameras also having their firewall enabled and only allowing access from permitted subnets.
The DUT includes an authentication unit for logging into the access credential generation module and obtaining the access credential via the default gateway MAC address, so that the DUT can access the one or more local area networks or the one or more network-based IP cameras through the one or more public IP addresses.
The system may also include a plurality of other DUTs, each having its own default gateway MAC address.
Each DUT has a device ID, and each device ID is a Universally Unique Identifier (UUID).
According to the present invention, there is also provided a method for generating an authorization list, applicable to a system for generating an authorization list connected to a plurality of WANs, wherein one or more network-based IP cameras or one or more local area networks in the system have their firewall enabled and only allow access from permitted subnets. The method comprises: identifying one or more public IP addresses provided by one or more ISPs to each DUT according to the default gateway MAC address of each DUT and generating an identification result; and generating an access credential (access token) according to the identification result and transmitting it to each DUT, so that each DUT can access the one or more network-based IP cameras or the one or more local area networks through any of the one or more public IP addresses.
The one or more network-based IP cameras or local area networks obtain their own access credential before any DUT obtains one, and a first data association table and a second data association table are established. The first data association table represents the mapping by which a device bound to a user's account is authorized for access by other users' accounts; the second data association table represents the mapping by which a user accesses the one or more network-based IP cameras or local area networks from each DUT.
The first data association table holds one or more user IDs and one or more device names, with at least a mapping between user IDs and device names that determines the recipients to which data is sent. The second data association table holds the one or more user IDs, one or more device IDs, the default gateway MAC address, and the one or more public IP addresses, and the access credential is linked to the user IDs.
Before any DUT obtains an access credential, the one or more network-based IP cameras or local area networks send a login-and-bind-device request to an authentication and authorization server; when the server replies that the request succeeded, the first data association table is established and the cameras or local area networks obtain their access credential. They then send a subscription request, whose content includes the access credential and the one or more device names, to a zero trust server; the authentication and authorization server provides data to the zero trust server according to the first data association table, so that the zero trust server can determine the recipients of the data and reply that the request succeeded, and the cameras or local area networks establish the second data association table from that data.
After both tables are established, the user sends a request containing the user ID and password to the authentication and authorization server via the DUT; if authentication succeeds, the server returns a verified access credential to the DUT, the credential corresponding to that user ID.
After the authentication and authorization server has returned the access credential, the user sends a request containing the access credential, the device ID and the default gateway MAC address from the DUT to the zero trust server. When the zero trust server obtains the first data association table from the authentication and authorization server, it transmits the user ID, device ID, default gateway MAC address and public IP address(es) to the specific device names that the mapping says this user ID may access. When the user ID, device ID and default gateway MAC address are the same but the public IP address differs, every distinct public IP address is stored in the second data association table of the camera or local area network, so that the access list in that table is extended rather than the previously stored public IP address being replaced.
When a DUT subsequently establishes network connectivity with the one or more network-based IP cameras or local area networks, it can be admitted from any of the public IP addresses on the extended access list in the second data association table.
As described above, with the system and method for generating an authorization list according to embodiments of the present invention, a DUT that has a plurality of public IP addresses can reach a NAS device protected behind a firewall from any one of them.
Drawings
FIG. 1 is a schematic diagram of a prior art system for generating an authorization list;
Fig. 2 to 5 are schematic diagrams illustrating a system for generating an authorization list and a method for generating an authorization list by using the system according to an embodiment of the invention.
[ Symbolic description ]
100: System for generating authorization list
110: Personal or corporate network
112: User equipment (DUT)
120. 130: NAS device
122: Data association table
140: Internet network
150: Authentication and authorization server
152: Data association table
Public IP 1
Public IP 2
200: System for generating authorization list
210: Personal or corporate network
212: User equipment (DUT)
214: Identity verification unit
220. 230: NAS device
222: Second data correlation table
240: Internet network
250: Authentication and authorization server
252: First data association table
S1A, S1B, S1C1, S1C2, S1D, S1E, S2A, S2B, S3A, S3B, S3C, S4: steps
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
First, the main terms used in the specification of the present application will be described below.
"Wide Area Network (WAN)" refers to a long-distance network that connects computers in local or metropolitan area networks in different areas and is generally regarded as the backbone that links local area networks and other communication devices. A WAN typically spans a wide geographic range, from tens to thousands of kilometres, connecting multiple regions, cities and countries or several continents, and provides long-range communication, forming an international network. In practice, WANs are generally classified as public networks or private networks.
"MAC address (Media Access Control address)" refers to a medium access control address, also called a LAN address, Ethernet address or physical address, which identifies a network device's interface on a link.
"Default gateway" refers to the router through which a TCP/IP host communicates with hosts on other networks; that is, the default gateway is the router designated on the host that links the host's subnet to other networks.
It is further noted that embodiments of the present invention provide a system for generating an authorization list, connectable to a plurality of WANs, which includes an access credential (access token) generation module. The module recognises one or more public IP addresses provided to a DUT by one or more ISPs, generates a recognition result according to the default gateway MAC address held by the DUT, generates an access credential (access token) according to that result, and transmits it to the DUT so that the DUT can access one or more NAS devices through any of the public IP addresses, the NAS devices having their firewall enabled and only allowing access from permitted subnets. In the embodiments of the present invention, the one or more NAS devices are, for example, one or more local area networks or one or more network-based IP cameras.
The embodiments also provide a method for generating an authorization list, suited to a system for generating an authorization list connected to a plurality of WANs, in which one or more network-based IP cameras or one or more local area networks have their firewall enabled and only allow access from permitted subnets. The method comprises: identifying one or more public IP addresses provided by one or more ISPs to each DUT according to the default gateway MAC address of each DUT and generating an identification result; and generating an access credential (access token) according to that identification result and transmitting it to each DUT, so that each DUT can access the one or more network-based IP cameras or local area networks through any of the one or more public IP addresses.
The system for generating the authorization list in the embodiment of the present invention and the method for generating the authorization list by the system are described below with reference to the accompanying drawings. Referring to fig. 2 to 5, fig. 2 to 5 are schematic diagrams illustrating a system for generating an authorization list and a method for generating an authorization list by the system according to an embodiment of the invention.
First, as shown in FIGS. 2 to 5, the access credential (access token) generation module in the authorization list generation system 200 according to one embodiment of the present invention includes a zero trust server 260 and an authentication and authorization server 250 that are independent of each other. In other embodiments, the module may be a single integrated server providing the functions of both the zero trust server 260 and the authentication and authorization server 250. Although FIGS. 2 to 5 show only one DUT 212, this does not limit the invention; in other embodiments the system 200 may include a plurality of other DUTs, each having its own default gateway MAC address.
Next, as shown in FIGS. 2 to 5, the zero trust server 260 is configured to identify the one or more public IP addresses provided to the DUT 212 by one or more ISPs according to the default gateway MAC address of the DUT 212 and to generate an identification result. The authentication and authorization server 250 is configured to generate an access credential (access token) according to the identification result obtained from the zero trust server 260 and to transmit it to the DUT 212, so that the DUT 212 can access one or more network-based IP cameras or local area networks through any of the public IP addresses; these cameras or local area networks have their firewall enabled and only allow access from permitted subnets. The public IP addresses are, for example, public IP1, public IP2, ..., public IPN, where N is the number of public IPs provided by the one or more ISPs.
In this embodiment, the DUT 212 is deployed in a personal or corporate network 210 with network connectivity and has a default gateway MAC address and a device ID. The DUT 212 that has acquired the access credential can access one or more NAS devices 220, 230, such as one or more network-based IP cameras or local area networks, through the one or more public IP addresses, the NAS devices 220, 230 having their firewall enabled and only allowing access from permitted subnets. Each device ID is a Universally Unique Identifier (UUID).
Next, the method of generating an authorization list with this system is described figure by figure.
As shown in FIG. 2, before any DUT 212 obtains an access credential, a login-and-bind-device request is sent by one or more NAS devices 220, 230 (or other NAS devices) to the authentication and authorization server 250; after the server 250 replies that the request succeeded, the first data association table 252 is established and the NAS devices obtain their access credential. The NAS devices then send a subscription request, whose content includes the access credential and one or more device names, to the zero trust server 260; the server 250 provides data to the zero trust server 260 according to the first table 252, so that the zero trust server 260 can determine the recipients of the data and reply that the request succeeded, and the NAS devices build the second data association table 222 from that data. In this embodiment, NAS device 220, NAS device 230 or other NAS devices refer to one or more network-based IP cameras or local area networks, but the invention is not limited thereto; in other embodiments they may be any device providing network services or other hardware with network connectivity, which is not described further below.
Further, as shown in FIG. 2, in step S1A the NAS device 220 (or NAS device 230 or other NAS devices, likewise hereafter) sends a login-and-bind-device request to the authentication and authorization server 250 over the Internet 240; the required information is a user ID, a password, and a device name. In this embodiment the device name is unique.
Then, in step S1B, the authentication and authorization server 250 returns a success or failure message for the login-and-bind-device request, and on success the NAS device 220 obtains an access credential (access token). In this embodiment the access token is time-limited, with a validity ranging from hours to days.
Next, in step S1C1, the NAS device 220 sends a subscription request to the zero trust server 260, the request content including the access token and the device name from step S1A. In step S1C2, the zero trust server 260 forwards the subscription request to the authentication and authorization server 250.
Thereafter, in step S1D, the authentication and authorization server 250 creates the first data association table 252 and responds to the zero trust server 260 with the device names mapped to a specific user ID in that table.
After the subscription request succeeds, in step S1E the NAS device 220 (or NAS device 230 or other NAS devices) waits to receive information from the zero trust server 260. Note that in step S1D the recipient to which the zero trust server 260 will send information has already been determined to be the NAS device 220, NAS device 230 or other NAS device. In this way the NAS device creates the second data association table 222. In one embodiment, the first data association table 252 is the mapping that indicates which other users' accounts are authorized to access a device bound to a user's own account; the second data association table 222 represents the mapping by which a user accesses the NAS device 220 (or 230 or others) from each DUT 212. The NAS devices are, for example, the one or more network-based IP cameras or the one or more local area networks.
In addition, in this embodiment, after authentication by the authentication and authorization server 250, an access token and a so-called refresh token may be obtained according to OAuth, an open authorization standard; the former has a relatively short lifetime and the latter a relatively long one. When the access token expires, the refresh token can be used to call the authentication and authorization server 250 again and obtain a new access token.
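The short-lived access token and long-lived refresh token described above, as an added example that is not part of the patent or of QNAP's implementation. Tokens are HMAC-SHA256-signed JSON rather than any particular OAuth library's format; the signing key, the lifetimes, the claim names and the refresh-token rotation are all assumptions made for the example.

```python
"""Added example, not from the patent: an access token with a short lifetime and
a refresh token with a long lifetime, as the OAuth pattern above describes.
Tokens are HMAC-SHA256-signed JSON rather than any particular OAuth library's
format; the key, the lifetimes and the claim names are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL = 2 * 60 * 60          # assumed: hours for the access token
REFRESH_TTL = 30 * 24 * 60 * 60   # assumed: days for the refresh token


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


class TokenIssuer:
    def __init__(self, key: bytes, now=time.time):
        self._key = key
        self._now = now                 # injectable clock so expiry can be tested
        self._used_refresh = set()      # jti values of refresh tokens already exchanged

    def _sign(self, claims: dict) -> str:
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        mac = hmac.new(self._key, body, hashlib.sha256).digest()
        return (body + b"." + _b64(mac)).decode()

    def _verify(self, token: str, kind: str):
        """Return the claims if the MAC checks, the type matches and it is unexpired."""
        try:
            body, sig = token.encode().split(b".", 1)
        except ValueError:
            return None
        expected = _b64(hmac.new(self._key, body, hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(_unb64(body))
        if claims.get("typ") != kind or claims.get("exp", 0) <= self._now():
            return None
        return claims

    def issue(self, user_id: str):
        """Return (access_token, refresh_token) for user_id."""
        now = int(self._now())
        access = self._sign({"typ": "access", "sub": user_id, "exp": now + ACCESS_TTL})
        refresh = self._sign({"typ": "refresh", "sub": user_id,
                              "exp": now + REFRESH_TTL, "jti": secrets.token_hex(8)})
        return access, refresh

    def user_for_access(self, token: str):
        claims = self._verify(token, "access")
        return claims["sub"] if claims else None

    def refresh(self, refresh_token: str):
        """Exchange a valid, not-yet-used refresh token for a new pair.  The old
        refresh token is retired, so a stolen copy replayed later is rejected."""
        claims = self._verify(refresh_token, "refresh")
        if claims is None or claims["jti"] in self._used_refresh:
            return None
        self._used_refresh.add(claims["jti"])
        return self.issue(claims["sub"])
```

The type claim keeps a refresh token from being accepted where an access token is expected, and the used-jti set makes each refresh token single-use; both checks are cheap and are the usual way the long lifetime of a refresh token is kept from becoming a long-lived bearer credential.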
In addition, in the embodiment of the present invention, the data in the first data-related table 252 includes one or more user IDs and one or more device names, and at least the one or more user IDs and the one or more device names have a mapping relationship therebetween to determine the transmission objects of the data. That is, the first data-association table 252 indicates which accounts are authorized for access by the device to which a certain account is bound. For example, NAS device 220 is bound by user a, and one device (unique) is named device a, user a may share device a to user B and user C.
In addition, the data of the second data-association table 222 includes the one or more user IDs, one or more device IDs, the default gateway Media Access Control (MAC) address, and the one or more public IP (publicIP) addresses, wherein the access credentials (accesstoken) are concatenated with the one or more user IDs. That is, the second data association table 222 indicates that a user accesses the mapping relationship between the devices to be protected from a user device.
That is, in embodiments of the present invention, the NAS device 220, the NAS device 230, or other NAS devices acquire the access credentials before each of the user Devices (DUTs) 212 acquire the access credentials, and create a first data-correlation table 252 and a second data-correlation table 222. The first data-correlation table 252 is a mapping that indicates that each user Device (DUT) 212 to which a user's own account is bound is authorized to access other accounts for other users. In addition, the second data correlation table 222 is used to represent the mapping of users accessing the NAS device 220, the NAS device 230, or other NAS devices from each of the user Devices (DUTs) 212. Similarly, NAS device 220, NAS device 230, or other NAS devices refer to one or more network monitoring cameras (networkbasedIPcamera), or the one or more local area networks, or any device providing network services or other hardware device with network connectivity.
In addition, it is specifically noted that in the embodiment of the present invention, when the user Device (DUT) 212 has network browsing capability, it will have a default gateway (defaultgateway), and the default gateway will have a corresponding default gateway Media Access Control (MAC) address. The default gateway MAC address may be found, for example, by running a route trace (traceroute) towards 8.8.8.8 to discover the default gateway IP address, and then looking up the MAC address corresponding to that IP address via ARP.
Next, as shown in fig. 3, in the embodiment of the present invention, after the first data association table 252 and the second data association table 222 have been established, the user sends a request containing the one or more user IDs and the one or more passwords to the authentication and authorization server 250 through each of the user Devices (DUTs) 212. If authentication succeeds, the authentication and authorization server 250 replies with the access credentials to each of the user Devices (DUTs) 212 and verifies them, where the access credentials correspond to the one or more user IDs.
Further, as shown in fig. 3, in step S2A, a user on a user Device (DUT) 212 sends a request to the authentication and authorization server 250 over the internet 240, the request containing a user ID and a password. In one embodiment of the present invention, the user Device (DUT) 212 further comprises an authentication unit 214, which is configured to log in to the authentication and authorization server 250 and obtain the access credentials (accesstoken) via the default gateway Media Access Control (MAC) address, so that the user Device (DUT) 212 can access the one or more NAS devices 220, 230 through the one or more public IP (public IP) addresses, wherein the one or more NAS devices 220, 230 are one or more local area networks or one or more network monitoring cameras (networkbasedIPcamera). In other embodiments of the present invention, the authentication unit 214 is configured to log in to the access credential (accesstoken) generation module and obtain the access credential (accesstoken) via the default gateway Media Access Control (MAC) address, so that the user Device (DUT) 212 can access the one or more local area networks or the one or more network monitoring cameras (networkbasedIPcamera) through the one or more public IP (public IP) addresses.
As shown in fig. 3, following step S2A, if the authentication succeeds, then in step S2B the authentication and authorization server 250 replies with the access credential (accesstoken) to the user Device (DUT) 212, wherein the access credential (accesstoken) is linked to the corresponding user ID.
As shown in fig. 4, in an embodiment of the present invention, after the authentication and authorization server 250 has replied with the access credentials to each of the user Devices (DUTs) 212 and verified them, the user sends a request containing the access credentials, the one or more device IDs, and the default gateway Media Access Control (MAC) address to the zero trust server 260 via each of the user Devices (DUTs) 212. Then, once the zero trust server 260 successfully obtains the first data association table 252 from the authentication and authorization server 250, it transmits the specific user ID, the one or more device IDs, the default gateway Media Access Control (MAC) address, and the one or more public IP (public IP) addresses to the specific device names, according to the mapping of which specific device names that specific user ID can access. When, for a particular user ID, the user ID, the one or more device IDs and the default gateway Media Access Control (MAC) address are the same but the one or more public IP (public IP) addresses differ, all of the different public IP (public IP) addresses are stored in the second data association table 222 of NAS device 220, NAS device 230, or other NAS devices, thereby extending the access list within the second data association table 222 instead of replacing the one or more public IP (public IP) addresses previously stored.
Further, as shown in fig. 4, after step S2B is completed, in step S3A the user on the user Device (DUT) 212 sends a request to the zero trust server 260, the request containing the access credentials (accesstoken), the device ID, and the default gateway Media Access Control (MAC) address.
As shown in fig. 4, after the zero trust server 260 receives the request, in step S3B it forwards the request from step S3A to the authentication and authorization server 250 and obtains the first data association table 252, which lists the device names that the specific user ID is allowed to access.
As shown in fig. 4, if step S3B succeeds, then in step S3C the zero trust server 260 sends the user ID, the device ID, the default gateway Media Access Control (MAC) address, and the IP address to a specific device name, and this data is entered into the second data association table 222 of one of the one or more NAS devices 220, 230 or other NAS devices. In an embodiment of the present invention, the IP address sent to the NAS device 220 is the public IP address of the user Device (DUT) 212. It is specifically noted here that, by means of the established mapping (i.e., the user ID, the device ID, and the default gateway Media Access Control (MAC) address), the system 200 for generating the authorization list extends the access list for the user Device (DUT) 212 instead of overwriting it when the user ID, the device ID and the default gateway Media Access Control (MAC) address are the same but the public IP (public IP) address differs; that is, in this case, if the user Device (DUT) 212 has an array of public IP (public IP) addresses, all of these public IP (public IP) addresses are added to the second data association table 222, which serves as the access list for the user Device (DUT) 212.
Thereafter, as shown in fig. 5, in step S4, provided the default gateway Media Access Control (MAC) address of the user Device (DUT) 212 has not changed, both public IP1 (publicIP 1) and public IP2 (publicIP 2) are added to the access list of the NAS device 220, that is, to the second data association table 222. In this way, the user Device (DUT) 212 can browse the NAS device 220 normally. Similarly, in other embodiments of the present invention with multiple user Devices (DUTs), any user Device (DUT) having multiple public IP addresses can normally browse the protected NAS device from any one of its public IP environments by means of the system 200 and method for generating an authorization list of the embodiments of the present invention.
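As an added illustration (not code from the patent or from QNAP), the following Python models the first and second data association tables and the extend-rather-than-replace rule of steps S3A to S4; the token values, device name, device ID, gateway MAC and public IP addresses are constructed sample values.

```python
"""Added example, not the patent's or QNAP's code: a toy model of the first
and second data association tables and the extend-rather-than-replace rule."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Key of the second data association table (table 222) held by each
# protected device: (user ID, device ID, normalised default gateway MAC).
Key = Tuple[str, str, str]


def norm_mac(mac: str) -> str:
    """Canonical MAC form so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    return mac.replace("-", ":").lower()


@dataclass
class ProtectedDevice:
    """A NAS or IP camera that keeps its own access list (table 222)."""
    name: str
    acl: Dict[Key, List[str]] = field(default_factory=dict)

    def add_entry(self, user_id: str, device_id: str, gw_mac: str,
                  public_ip: str) -> List[str]:
        """Steps S3C/S4: same key but a new public IP is appended, never replaced."""
        key = (user_id, device_id, norm_mac(gw_mac))
        ips = self.acl.setdefault(key, [])
        if public_ip not in ips:
            ips.append(public_ip)
        return list(ips)

    def allows(self, user_id: str, device_id: str, gw_mac: str,
               source_ip: str) -> bool:
        """Accept a connection only from a public IP listed under the same key."""
        return source_ip in self.acl.get((user_id, device_id, norm_mac(gw_mac)), [])


@dataclass
class ZeroTrustServer:
    """Steps S3A-S3C: resolve the token, consult table 252, push to each device."""
    tokens: Dict[str, str]             # access token -> user ID (issued by auth server)
    first_table: Dict[str, Set[str]]   # table 252: device name -> user IDs allowed
    devices: Dict[str, ProtectedDevice]

    def handle_request(self, token: str, device_id: str, gw_mac: str,
                       public_ip: str) -> List[str]:
        user_id = self.tokens.get(token)
        if user_id is None:            # unknown or revoked token: deliver nothing
            return []
        delivered = []
        for name, users in self.first_table.items():
            if user_id in users and name in self.devices:
                self.devices[name].add_entry(user_id, device_id, gw_mac, public_ip)
                delivered.append(name)
        return delivered


def build_demo() -> Tuple[ZeroTrustServer, ProtectedDevice]:
    """Constructed sample: user_a bound device_a and shared it with user_b, user_c."""
    nas = ProtectedDevice("device_a")
    zts = ZeroTrustServer(
        tokens={"tok-user-a": "user_a", "tok-user-b": "user_b"},
        first_table={"device_a": {"user_a", "user_b", "user_c"}},
        devices={"device_a": nas},
    )
    return zts, nas


if __name__ == "__main__":
    zts, nas = build_demo()
    dut = ("dut-uuid-0001", "AA:BB:CC:DD:EE:FF")              # constructed DUT identity
    zts.handle_request("tok-user-b", *dut, "203.0.113.10")   # reached via ISP 1
    zts.handle_request("tok-user-b", *dut, "198.51.100.20")  # reached via ISP 2
    print(nas.acl)   # both public IPs kept under the one key
```

A request whose gateway MAC differs from the registered one does not match any key, so a changed network behind the client yields no access until it is registered again.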
In comparison with the prior art, the system 200 and method for generating the authorization list according to the embodiments of the present invention add a default gateway Media Access Control (MAC) address to the mapping: so long as the gateway MAC address is unchanged, the network from which the user (or client) accesses the device to be protected is treated as unchanged, even though there is more than one public IP in the network environment behind the user (or client); that is, all of those public IP addresses are included in the authorization permission list. The embodiment of the present invention therefore differs from the prior art in that the user (or client) can access the protected device using any of its public IP addresses, and the situation of the prior art of fig. 1, in which the protected device cannot be accessed using public IP2, does not occur.
To sum up, in the embodiment of the present invention, when each of the user Devices (DUTs) 212 establishes a network connection with the NAS device 220, the NAS device 230, or other NAS devices, those NAS devices may be accessed from any of the one or more public IP (public IP) addresses on the extended access list in the second data association table 222.
In addition, in the embodiment of the present invention, the internet 240 includes a public cloud, a private cloud, a community cloud, and a hybrid cloud.
The foregoing detailed description is directed to embodiments of the present invention and is not intended to limit the scope of the invention, but rather should be construed in view of the appended claims.

Claims (13)

1. A system for generating an authorization list capable of interfacing with a plurality of Wide Area Networks (WANs), the system comprising:
An access credential (accesstoken) generation module configured to identify one or more public IP (public IP) addresses provided to a user Device (DUT) by one or more Internet Service Providers (ISPs) and generate an identification result based on a preset gateway Media Access Control (MAC) address possessed by the DUT, and generate an access credential (accesstoken) based on the identification result of the one or more public IP (public IP) addresses, and then transmit the access credential to the user Device (DUT) to enable the user Device (DUT) to access one or more local area networks through the one or more public IP (public IP) addresses, wherein the one or more local area networks are in a firewall-enabled state and only allow access to subnets.
2. The system for generating an authorization list according to claim 1, wherein the access credential (accesstoken) generation module comprises:
A zero trust server configured to identify the one or more public IP (publicIP) addresses provided by the one or more Internet Service Providers (ISPs) to the user Device (DUT) based on the preset gateway Media Access Control (MAC) address of the user Device (DUT) and to generate the identification result; and
An authentication and authorization server configured to generate the access credentials (accesstoken) based on the identification of the one or more public IP (public IP) addresses and to communicate the access credentials to the user Device (DUT) to enable the user Device (DUT) to access one or more local area networks through the one or more public IP (public IP) addresses, wherein the one or more local area networks are in a firewall on state and only allow access to subnets.
3. The system of claim 1 or 2, wherein the user Device (DUT) that obtains the access credentials also has access to one or more network monitoring cameras (networkbasedIPcamera) via the one or more public IP (public IP) addresses, and wherein the one or more network monitoring cameras (networkbasedIPcamera) are in a firewall on state and only allow subnet access.
4. The system for generating an authorization list according to claim 1 or 2, characterized in that the user Device (DUT) comprises an authentication unit for logging in to the access credential (accesstoken) generation module and obtaining the access credential (accesstoken) via the preset gateway Media Access Control (MAC) address, such that the user Device (DUT) can access the one or more local area networks or one or more network monitoring cameras (networkbasedIPcamera) via the one or more public IP (public IP) addresses.
5. The system for authorization list generation of claim 1 further comprising a plurality of other user Devices (DUTs) each having a predetermined gateway Media Access Control (MAC) address.
6. The system for generating an authorization list according to claim 1, 2 or 5, wherein each of the user Devices (DUTs) has a device ID, each of the device IDs being a universally unique identifier (UUID).
7. A method of generating an authorization list applicable to a system for generating an authorization list connected to a plurality of Wide Area Networks (WANs), wherein one or more network monitoring cameras (networkbasedIPcamera) or one or more local area networks in the system for generating an authorization list are in a firewall on state and only allow access to subnets, the method comprising the steps of:
Identifying one or more public IP (publicIP) addresses provided by one or more Internet Service Providers (ISPs) to each user Device (DUT) according to a preset gateway Media Access Control (MAC) address of each user Device (DUT) and generating an identification result; and
Generating an access credential (accesstoken) based on the identification of the one or more public IP (public IP) addresses, and then transmitting the access credential to each of the user Devices (DUTs) to enable each of the user Devices (DUTs) to access the one or more network monitoring cameras (networkbasedIPcamera) or the one or more local area networks via the one or more public IP (public IP) addresses, wherein the one or more network monitoring cameras (networkbasedIPcamera) or the one or more local area networks are in a firewall on state and only allow access to subnets.
8. The method of claim 7, wherein the one or more network monitoring cameras (networkbasedIPcamera) or the one or more local area networks obtain the access credential before each of the user Devices (DUTs) obtains the access credential, and establish a first data association table and a second data association table; the first data association table represents the mapping by which each user Device (DUT) bound to a user's account is authorized for access by other users' accounts; the second data association table represents the mapping by which the user accesses the one or more network monitoring cameras (networkbasedIPcamera) or the one or more local area networks from each of the user Devices (DUTs).
9. The method of claim 8, wherein the data of the first data association table includes one or more user IDs and one or more device names, and wherein at least the one or more user IDs and the one or more device names have a mapping relationship that determines the recipients of the data; and the data of the second data association table includes the one or more user IDs, one or more device IDs, the default gateway Media Access Control (MAC) address, and the one or more public IP (public IP) addresses, wherein the access credential is linked to the one or more user IDs.
10. The method of claim 9, wherein, before each of the user Devices (DUTs) obtains the access credential, the one or more network monitoring cameras (networkbasedIPcamera) or the one or more local area networks send a login and device-binding request to an authentication and authorization server, establish the first data association table after the authentication and authorization server replies with a request success message, and obtain the access credential; the one or more network monitoring cameras (networkbasedIPcamera) or the one or more local area networks then send a subscription request to a zero trust server, the content of the subscription request including the access credential and the one or more device names, whereupon the authentication and authorization server provides the data to the zero trust server according to the first data association table so that the zero trust server determines the recipients of the data and replies with a request success message, and the one or more network monitoring cameras (networkbasedIPcamera) or the one or more local area networks establish the second data association table according to that data.
11. The method of claim 10, wherein after the first data association table and the second data association table are established, the user sends a request including the one or more user IDs and the one or more passwords to the authentication and authorization server via each of the user Devices (DUTs); if authentication is successful, the authentication and authorization server replies with the access credentials to each of the user Devices (DUTs) and verifies them, wherein the access credentials correspond to the one or more user IDs.
12. The method of claim 11, wherein after the authentication and authorization server replies with the access credentials to each of the user Devices (DUTs) and verifies them, the user sends a request including the access credentials, the one or more device IDs, and the default gateway Media Access Control (MAC) address to the zero trust server via each of the user Devices (DUTs); then, when the zero trust server successfully retrieves the first data association table from the authentication and authorization server, the zero trust server transmits each of the user IDs, the one or more device IDs, the default gateway Media Access Control (MAC) address, and the one or more public IP (publicIP) addresses to each of the device names according to the mapping of which device names each of the user IDs can access; and when, for a given user ID, the user ID, the one or more device IDs and the default gateway Media Access Control (MAC) address are the same but the one or more public IP (public IP) addresses differ, all of the different public IP (public IP) addresses are stored in the second data association table of the one or more network monitoring cameras (networkbasedIPcamera) or the one or more local area networks, thereby extending the access list in the second data association table instead of replacing the one or more public IP (public IP) addresses previously stored.
13. The method of claim 12, wherein when each of the user Devices (DUTs) establishes a network connection with the one or more network monitoring cameras (networkbasedIPcamera) or the one or more local area networks, the one or more network monitoring cameras (networkbasedIPcamera) or the one or more local area networks are accessible via the one or more public IP (public IP) addresses on the extended access list in the second data-correlation table.
CN202211586609.2A 2022-12-05 2022-12-09 System and method for generating authorization list Pending CN118157864A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
TW111146640A TWI846184B (en) 2022-12-05 System and method for generating an authorization list
TW111146640 2022-12-05

Publications (1)

Publication Number Publication Date
CN118157864A true CN118157864A (en) 2024-06-07

Family

ID=91284110

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211586609.2A Pending CN118157864A (en) 2022-12-05 2022-12-09 System and method for generating authorization list

Country Status (1)

Country Link
CN (1) CN118157864A (en)


Legal Events

Date Code Title Description
PB01 Publication