CN118157967A - Remote access system and method - Google Patents


Info

Publication number: CN118157967A
Authority: CN (China)
Prior art keywords: client, access, intranet, authentication, information
Legal status: Pending
Application number: CN202410322627.2A
Other languages: Chinese (zh)
Inventors: 黄英盾, 牛碧诺
Current Assignee: Industrial and Commercial Bank of China Ltd ICBC
Original Assignee: Industrial and Commercial Bank of China Ltd ICBC
Priority application: CN202410322627.2A

Abstract

The application provides a remote access system and a remote access method, and relates to the field of information security. The remote access system includes a proxy gateway, a virtual private network gateway and a honeypot system; the virtual private network gateway is connected to the proxy gateway and to the intranet respectively; the proxy gateway is used for verifying the legitimacy of a client requesting access to the intranet, opening access to the virtual private network gateway for a client that passes verification, and opening access to the honeypot system for a client that fails legitimacy verification; the virtual private network gateway is used for performing user identity authentication and terminal authentication of the client that passes validity verification, and for performing intranet access authority authorization on the client that passes intranet access authority authentication; and the honeypot system is used for identifying the network attack method adopted by the client that fails validity verification. The remote access system and method reduce the risk of intranet resources being attacked and improve the security protection capability of intranet resources.

Description

Remote access system and method
Technical Field
The application relates to the field of information security, and in particular to a remote access system and method.
Background
With the rapid development of the internet and the acceleration of global informatization, remote work is growing in scale and its scenarios are becoming more complex, and network security problems are becoming increasingly prominent. At present, a network is divided into an external network and an internal network by a network boundary, and core services and core data are deployed in the internal network. A user remotely accesses the services and data in the intranet by static authentication, entering an account and password at a client in the external network; this authentication method is a single one, and the account and password are easy to crack. Intranet resources therefore face a security protection problem.
Disclosure of Invention
The application provides a remote access system and a remote access method, which are used for solving the problem of safety protection of intranet resources.
In a first aspect, the present application provides a remote access system comprising: a proxy gateway, a virtual private network gateway and a honeypot system; the virtual private network gateway is connected to the proxy gateway and to the intranet respectively, and the proxy gateway is also connected to the honeypot system;
the proxy gateway is used for verifying the legitimacy of a client requesting access to the intranet in a single-packet authorization mode, opening access to the virtual private network gateway for a client that passes verification, and opening access to the honeypot system for a client that fails legitimacy verification;
the virtual private network gateway is used for performing user identity authentication and terminal authentication of the client that passes validity verification, and for performing intranet access authority authorization on the client that passes intranet access authority authentication;
the honeypot system is used for identifying the network attack method adopted by the client that fails validity verification.
Optionally, the virtual private network gateway is specifically configured to:
acquire the client's static identity authentication information, dynamic identity authentication information, identity information of the terminal device and running environment information of the terminal device;
interact with a unified identity authentication system to acquire a first authentication result of the unified identity authentication system based on the static identity authentication information;
interact with a dynamic password authentication system to acquire a second authentication result of the dynamic password authentication system based on the dynamic identity authentication information;
interact with an asset management platform to acquire a third authentication result of the asset management platform based on the identity information of the terminal device;
authenticate the running environment of the terminal device based on its running environment information to obtain a fourth authentication result;
if all four authentication results indicate that authentication passes, determine that the client's intranet access authority authentication passes;
if any authentication result indicates authentication failure, determine that the client's intranet access authority authentication fails.
Optionally, the virtual private network gateway is further configured to:
construct a service proxy between the client that passes intranet access authority authentication and the intranet resources it is allowed to access remotely; the service proxy forwards the interaction information between the client and the corresponding intranet resources.
Optionally, the system further comprises a security access control center, which is used for:
monitoring the intranet access data of clients accessing the intranet;
carrying out trust evaluation on a client according to the monitored intranet access data;
and performing intranet access authorization control on a client whose trust evaluation fails.
Optionally, the security access control center is specifically configured to:
acquire the intranet access behavior of a client accessing the intranet from the intranet access data;
if the intranet access behavior of the client is inconsistent with the client's access behavior profile, judge that the client has abnormal access behavior;
and carry out trust evaluation on the client with abnormal access behavior.
Optionally, the intranet access behavior includes at least one of:
access frequency, online and offline times, and traffic trend.
Optionally, the security access control center is specifically configured to:
acquire network security information related to the client from a security operation center and/or a network abnormal behavior threat sensing system;
and carry out trust evaluation on the client according to the acquired network security information related to the client and the client's abnormal access behavior.
Optionally, the security access control center is specifically configured to:
acquire the risk level of a client whose trust evaluation fails;
and perform intranet access authorization control on that client using the intranet access authorization control operation corresponding to the risk level; the intranet access authorization control operation is any one of: re-authentication, termination of access, disconnection of the network connection, or reclamation of rights.
Optionally, the security access control center is further configured to:
add the mapping between the client whose trust evaluation fails and the corresponding intranet access authorization control operation to a monitoring list.
Optionally, the security access control center is further configured to:
when a client in the monitoring list is identified as connecting to the network again, apply to that client the intranet access authorization control operation recorded in the monitoring list.
Optionally, the security access control center is further configured to:
receive appeal information from a client whose trust evaluation fails;
update the trust evaluation result of the client according to the appeal information, and update the client's access behavior profile according to the client's intranet access data;
and/or remove the client from the monitoring list.
Optionally, the security access control center is further configured to synchronize the identification of a client whose trust evaluation fails to the honeypot system;
and the honeypot system is further used for identifying the network attack method adopted by the client whose trust evaluation fails.
In a second aspect, the present application provides a remote access method applied to a remote access system, the remote access system comprising: a proxy gateway, a virtual private network gateway and a honeypot system; the virtual private network gateway is connected to the proxy gateway and to the intranet respectively;
the proxy gateway performs validity verification on the client requesting access to the intranet in a single-packet authorization mode, opens access to the virtual private network gateway for the client that passes verification, and opens access to the honeypot system for the client that fails validity verification;
the virtual private network gateway performs user identity authentication and terminal authentication of the client that passes validity verification, and performs intranet access authority authorization on the client that passes intranet access authority authentication;
and the honeypot system identifies the network attack method adopted by the client that fails validity verification.
According to the remote access system and method, by hiding the port and obfuscating the remote access entrance, an attacker cannot identify the remote access entrance by port scanning or similar means, and multi-dimensional subject authentication strengthens the authorization control of intranet access rights and improves the security protection capability of intranet resources.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic structural diagram of a remote access system according to an embodiment of the present application;
fig. 2 is a schematic flow chart of a remote access method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of another remote access system according to an embodiment of the present application;
Fig. 4 is a schematic flow chart of security access control according to an embodiment of the present application.
Specific embodiments of the present application have been shown by way of the above drawings and will be described in more detail below. The drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but rather to illustrate the inventive concepts to those skilled in the art by reference to the specific embodiments.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
It should be noted that the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data used for analysis, stored data, displayed data, etc.) involved in the present application are information and data authorized by the user or fully authorized by each party; the collection, use, processing, transmission, provision, disclosure and application of the related data comply with the relevant laws, regulations and standards of the relevant country and region, necessary security measures are taken, public order and good customs are not violated, and a corresponding operation entry is provided for the user to grant or refuse authorization.
It should be noted that the remote access system and method of the present application may be used in the field of information security, and may also be used in any field other than information security.
Networks are typically divided into extranets and intranets. An intranet, also called a local area network (Local Area Network, LAN), is a network composed of multiple computers and network devices within a certain area, such as a campus network or an enterprise network, and generally covers a range of several kilometers. The external network, also known as a wide area network (Wide Area Network, WAN), covers a range from tens to thousands of kilometers and provides long-range communication.
Core services and core data are generally deployed in the intranet, and a user located in the external network can remotely access intranet resources through a virtual private network (Virtual Private Network, VPN).
If a network attacker in the external network intrudes into the intranet remotely through attack methods such as phishing and vulnerability exploitation, malicious software such as Trojans and ransomware can be implanted into intranet resources. Malware may spread rapidly within an intranet. Through the malware, the attacker can obtain important data from intranet resources and encrypt or even destroy intranet resources such as databases and servers.
Currently, a user remotely accesses intranet resources through static authentication, entering an account and password at a client in the external network. However, this authentication method is a single one, the account and password are easy to crack, and the security of intranet resources is therefore at risk.
In view of this, the application provides a remote access system and method in which, by hiding the port and obfuscating the remote access entrance, an attacker cannot identify the remote access entrance by port scanning or similar means, and in which multi-dimensional subject authentication strengthens the authorization control of intranet access rights, reduces the risk of intranet resources being attacked, and improves the security protection capability of intranet resources.
Fig. 1 is a schematic structural diagram of a remote access system according to an embodiment of the present application. As shown in fig. 1, the remote access system may include, for example, a proxy gateway, a virtual private network gateway and a honeypot system. The virtual private network gateway is connected to the proxy gateway and to the intranet respectively, and the proxy gateway is also connected to the honeypot system.
A client in the external network may request access to intranet resources, for example by sending an intranet access request to the proxy gateway. The client may be of any type, for example a web page client, an applet client, or a mobile application (APP) client. A configuration server in the intranet may, for example, generate a built-in private key for each authorized client that characterizes the client's identity information. The private key may be stored in a secure medium, which may be, for example, any of: a user credential, an electronic key, a password card, and the like.
The proxy gateway is a gateway exposed on the public network and positioned in front of the virtual private network gateway; it authenticates the client in the external network in a single-packet authorization mode. This prevents an attacker from identifying the entrance of the virtual private network gateway by port scanning, domain name brute forcing and other sniffing methods, so that the virtual private network gateway remains hidden.
The virtual private network establishes a temporary, secure virtual private network connection over the public network: the client connects to the virtual private network through the external network and then to the intranet through the virtual private network. Communication between the virtual private network and the client is encrypted, so that data is transmitted securely between the client and the intranet resources.
The honeypot system is linked with the proxy gateway and responds to malicious knock packets constructed by an attacker, thereby trapping the attack.
It should be noted that the honeypot system may be deployed on one electronic device in any environment (e.g., on one edge server in an edge environment), may be deployed in a cloud environment, or may be deployed in a distributed manner across different environments.
For example, a honeypot system may be logically divided into multiple parts, each with a different function. The parts of the honeypot system may be deployed in any two or three of the electronic device (located on the user side), the edge environment, and the cloud environment. An edge environment is an environment that includes a collection of edge electronic devices located close to the electronic device; edge electronic devices include edge servers, edge devices with computing power, and the like. The parts of the honeypot system deployed in different environments or devices cooperate to perform the functions of the honeypot system.
It should be understood that the application does not restrict which part of the honeypot system is deployed in which environment; in practical applications, deployment can be adapted according to the computing capacity of the electronic device, the resource usage of the edge environment and the cloud environment, or the specific application requirements.
The following describes the technical scheme of the present application and how the technical scheme of the present application solves the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 2 is a schematic flow chart of a remote access method according to an embodiment of the present application. As shown in fig. 2, the method may for example comprise the steps of:
s201, the client sends an intranet access request to the proxy gateway.
Accordingly, the proxy gateway receives the intranet access request.
Illustratively, the client is located in the external network and may hold a private key. When the client needs to access intranet resources, it sends the intranet access request to the proxy gateway through the external network; the request may be, for example, a single knock data packet, which may be a transmission control protocol (Transmission Control Protocol, TCP) packet or a user datagram protocol (User Datagram Protocol, UDP) packet. The data packet may contain the client's private key and an identification of the client, which may include, for example, one or more of the client's internet protocol (Internet Protocol, IP) address, its media access control (Media Access Control, MAC) address, and the like.
S202, the proxy gateway performs validity verification on the client requesting access to the intranet in a single-packet authorization mode, opens access to the virtual private network gateway for the client that passes verification, and opens access to the honeypot system for the client that fails validity verification.
The proxy gateway can perform validity verification on the client according to the received knock data packet: if the proxy gateway verifies that the data packet contains the exclusive key and that the mapping between the exclusive key and the client is correct, the client is one authorized to access intranet resources, and its validity verification can be considered passed. For such clients, access to the virtual private network gateway can be opened, so that the client and the virtual private network gateway can perform the further authentication operations for intranet access.
If the proxy gateway finds that the data packet does not contain the exclusive key, or that the mapping between the exclusive key and the client is wrong, the client is not authorized to access intranet resources, and its validity verification can be considered failed. For such clients, access to the honeypot system may be opened, so that the client mistakes the honeypot system for the virtual private network gateway and accesses the honeypot system instead. The proxy gateway may also send an identification of such a client, such as its IP address, to the honeypot system, so that the honeypot system can recognize the client by that identification and proactively respond to its accesses and its various attack behaviors.
The proxy gateway verifies the legitimacy of the client before allowing it to access the virtual private network gateway; only after successful authentication by single-packet knocking is the client authorized to establish a secure connection with the proxy gateway. Otherwise, the proxy gateway discards all unverified data packets by default and does not respond to those connection requests, so that an unauthorized client cannot perceive the existence of the valid IP address and port of the virtual private network gateway. The single-packet authorization mode simplifies the client's knocking flow and blocks a client that fails validity verification before any connection is made, so that the port of the virtual private network gateway is hidden and an attacker cannot discover its service address and port.
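The knock check of S201/S202 as an added example (not code from the patent): the knock packet is a constructed dict, and the per-client built-in key is assumed to be used as an HMAC key that binds the client identification (IP, MAC) to the knock rather than being sent in the clear; the gateway routes a source to the VPN gateway or to the honeypot and never answers the knock itself.

```python
"""Single-packet authorization (SPA) at the proxy gateway.

Added example, not code from the patent. The registry, keys, addresses and
the HMAC-over-identification construction are assumptions for illustration.
"""
import hashlib
import hmac
import time

# Constructed registry issued by the intranet configuration server:
# client id -> built-in key and the identification that key is bound to.
CLIENT_REGISTRY = {
    "client-A": {"key": b"key-A-constructed", "ip": "203.0.113.10", "mac": "02:00:00:00:00:0a"},
    "client-B": {"key": b"key-B-constructed", "ip": "203.0.113.11", "mac": "02:00:00:00:00:0b"},
}
KNOCK_WINDOW_SECONDS = 30  # assumption: tolerated age of a knock, limits replay


def knock_message(client_id, ip, mac, ts):
    """Canonical bytes that the knock tag covers."""
    return f"{client_id}|{ip}|{mac}|{ts:.0f}".encode()


def build_knock(client_id, key, ip, mac, ts):
    """Client side: produce the single knock packet (the TCP or UDP payload)."""
    tag = hmac.new(key, knock_message(client_id, ip, mac, ts), hashlib.sha256).hexdigest()
    return {"client_id": client_id, "ip": ip, "mac": mac, "ts": ts, "tag": tag}


class ProxyGateway:
    """Gateway exposed on the public network in front of the VPN gateway."""

    def __init__(self, registry, now=time.time):
        self.registry = registry
        self.now = now
        self.vpn_allowed = set()       # source IPs admitted to the VPN gateway
        self.honeypot_allowed = set()  # source IPs steered to the honeypot
        self.honeypot_notices = []     # identifications handed to the honeypot

    def verify(self, pkt):
        """Validity check: key mapping exists, matches this identification, tag fresh."""
        entry = self.registry.get(pkt.get("client_id"))
        if entry is None:
            return False  # no exclusive key mapped to this client
        if entry["ip"] != pkt.get("ip") or entry["mac"] != pkt.get("mac"):
            return False  # key exists but is mapped to a different client
        ts = pkt.get("ts")
        if not isinstance(ts, (int, float)) or abs(self.now() - ts) > KNOCK_WINDOW_SECONDS:
            return False  # stale or malformed timestamp counts as unverified
        expected = hmac.new(entry["key"],
                            knock_message(pkt["client_id"], pkt["ip"], pkt["mac"], ts),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, str(pkt.get("tag", "")))

    def handle_knock(self, pkt):
        """Open the right path for the source; the knock itself gets no reply."""
        src_ip = str(pkt.get("ip", "unknown"))
        if self.verify(pkt):
            self.vpn_allowed.add(src_ip)
            return "vpn_gateway"
        # Failed validity check: steer the source to the honeypot and tell the
        # honeypot who is coming, so it can recognise and respond to the client.
        self.honeypot_allowed.add(src_ip)
        self.honeypot_notices.append({"ip": src_ip, "mac": str(pkt.get("mac", "unknown"))})
        return "honeypot"
```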
S203, the virtual private network gateway performs user identity authentication and terminal authentication of the client that passes validity verification, and performs intranet access authority authorization on the client that passes intranet access authority authentication.
The virtual private network gateway may authenticate the client by user identity authentication, for example by at least one of the following methods: static password verification, dynamic password verification, face recognition, and the like.
The virtual private network gateway may also authenticate the client by authenticating the terminal to which the client belongs, for example by at least one of the following methods: checking the terminal's MAC address, checking the terminal's IP address, and the like.
The virtual private network gateway can also authenticate the client by combining user identity authentication and terminal authentication. This confirms the trustworthiness of both the user operating the client and the client's terminal device, improves the accuracy of the client's authentication result, and further assures the security of remote access.
By authenticating the client, the virtual private network gateway can obtain the intranet access rights corresponding to the client. Different clients may have different intranet access rights: for example, client A may only have the data query right for intranet resource S, while client B may have both the data query right and the data modification right for intranet resource S.
After the client's intranet access authority authentication passes, the virtual private network gateway authorizes the client according to its intranet access rights, opens the authorized ports of the intranet resources and keeps the unauthorized ports closed, thereby implementing the principle of least-privilege access. The client can only access the authorized intranet resources and obtain the corresponding intranet data; it cannot access unauthorized intranet resources or their data.
If the client's intranet access authority authentication fails, the virtual private network gateway does not grant the client any intranet access rights.
In this way, the virtual private network gateway authenticates the client and confirms the trustworthiness of the user and the terminal device, and then authorizes the client according to its intranet access rights. Malicious attacks can be blocked in time, the client can only perform the operations and obtain the data within its authorized range, the ports opened on intranet resources are minimized, and the risk of intranet resources being attacked is reduced.
S204, the honeypot system identifies the network attack method adopted by the client that fails validity verification.
The honeypot system can lure a client that fails validity verification into attacking by deploying hosts, network services or information as bait, and actively responds to the client's accesses and various attack behaviors, so that the attack behaviors can be captured and analyzed, the tools and methods used by the attacker can be learned, and the attacker's intention and motivation can be inferred.
By identifying the network attack method adopted by the client that fails validity verification, network administrators can clearly understand the security threat the client poses to intranet resources and strengthen the security protection of intranet resources by technical and management means, thereby improving the ability of intranet resources to cope with network attacks.
According to the method provided by this embodiment of the application, by hiding the port and obfuscating the remote access entrance, an attacker cannot identify the remote access entrance, and multi-dimensional subject authentication strengthens the authorization control of intranet access rights and improves the security protection capability of intranet resources.
Fig. 3 is a schematic structural diagram of another remote access system according to an embodiment of the present application. As shown in fig. 3, the virtual private network gateway may also be connected to a unified identity authentication system, a dynamic password authentication system and an asset management platform respectively, in order to authenticate a client requesting access to intranet resources.
The unified identity authentication system, the dynamic password authentication system and the asset management platform are located in the intranet, and may be part of the remote access system or independent systems outside the remote access system.
The following describes how the virtual private network gateway performs user identity authentication on a client that passes validity verification, and terminal authentication of the terminal to which the client belongs.
First, the client's static identity authentication information, dynamic identity authentication information, identity information of the terminal device and running environment information of the terminal device are obtained.
The static identity authentication information may be, for example, the client's user name and password.
The dynamic identity authentication information may be, for example, a dynamic password, which may be any of: a hardware-based dynamic password, a software-based dynamic password, or an SMS-based dynamic password. Hardware-based dynamic password: a dedicated hardware device, such as a dynamic password token or a universal serial bus (Universal Serial Bus, USB) token, may be used to generate the dynamic password. Software-based dynamic password: a mobile phone APP, computer software, etc. may be used to generate the dynamic password. SMS-based dynamic password: the dynamic password can be sent to the user's mobile phone by short message.
The identity information of the terminal device may be, for example, a hardware code of the terminal device, such as its MAC address.
The running environment information of the terminal device may be, for example, the running state of the security software on the terminal device, and may include any of: the running state of the client management software, the running state of the patch management software, the running state of the antivirus software, and the like.
For example, the client that passes validity verification may send an authentication request packet to the virtual private network gateway to perform the authentication operation for intranet access. The authentication request packet may include, for example, the client identifier and the four types of information above. The virtual private network gateway obtains the four types of information by extracting them from the authentication request packet.
Then, the virtual private network gateway obtains four authentication results from the four types of information respectively, as follows:
(1) Interacting with the unified identity authentication system to obtain a first authentication result of the unified identity authentication system based on the static identity authentication information.
For example, the unified identity authentication system may store all static identity information in a database.
The virtual private network gateway sends the obtained static identity authentication information to the unified identity authentication system.
The unified identity authentication system compares the static identity authentication information with the static identity information stored in the database.
If the verification passes, a first authentication result representing authentication success is output.
If the verification fails, a first authentication result representing authentication failure is output.
(2) Interacting with the dynamic password authentication system to obtain a second authentication result of the dynamic password authentication system based on the dynamic identity authentication information.
For example, the dynamic password authentication system may store in a database the dynamic password information it has sent and the mapping between that dynamic password information and the client that requested dynamic password authentication.
The virtual private network gateway sends the obtained dynamic password authentication information and the client's identification to the dynamic password authentication system. The dynamic password authentication system compares the dynamic password authentication information and its mapping to the client with the information stored in the database. If the verification passes, a second authentication result representing authentication success is output; if the verification fails, a second authentication result representing authentication failure is output.
(3) Interacting with the asset management platform to obtain a third authentication result of the asset management platform based on the identity information of the terminal device.
For example, the asset management platform may store in a database the identity information of terminal devices that are allowed remote access to the intranet, and the mapping between each terminal device and its client.
The virtual private network gateway sends the obtained terminal device identity information and the client's identification to the asset management platform. The asset management platform compares the terminal device identity information and its mapping to the client with the information stored in the database. If the verification passes, the terminal device is an asset of the entity to which the intranet belongs, and a third authentication result representing authentication success is output. If the verification fails, the terminal device is not an asset of that entity, and a third authentication result representing authentication failure is output.
(4) And authenticating the operation environment of the terminal equipment based on the operation environment information of the terminal equipment to obtain a fourth authentication result.
For example, the virtual private network gateway analyzes whether the operating environment of the terminal device is safe or not according to the acquired operating environment information of the terminal device. The analysis may be performed, for example, by network operating environment analysis software.
And if the analysis result shows that the running environment of the terminal equipment is safe, outputting a fourth authentication result which represents that the authentication passes.
And if the analysis result shows that the running environment of the terminal equipment has risks, outputting a fourth authentication result representing authentication failure.
Finally, according to the authentication result, determining the authentication result of the client, as follows:
And if the authentication results indicate that the authentication passes, determining that the intranet access authority authentication of the client passes. If any authentication result represents authentication failure, determining that the intranet access authority of the client fails to authenticate.
Through the steps, the virtual special network gateway can determine whether the intranet access authority of the client passing the validity verification passes the authentication, and the intranet access authority is authorized for the client passing the authentication of the intranet access authority. By using the authentication method combining multiple authentication modes, the virtual private network gateway reduces the risk of misjudgment on the authentication result of the client side, which is possibly caused by attack of authentication information in a single authentication mode, and strengthens the authorization control of the access authority of the intranet.
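The four-result decision described in steps (1) to (4), written out as an added example that is not code from the patent. The unified identity authentication system, the dynamic password authentication system and the asset management platform are replaced by constructed in-memory tables; the packet layout (`AuthRequest`), the set of security software required to be running, and the single-use handling of the dynamic password are assumptions made for the example.

```python
"""Combining four authentication results at the virtual private network
gateway, as in steps (1)-(4) above.  Added illustrative code, not from the
patent; the unified identity authentication system, dynamic password system
and asset management platform are replaced by constructed in-memory tables."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# --- Constructed stand-ins for the back-end systems -------------------------
_SALT = b"constructed-demo-salt"  # one fixed salt keeps the demo short


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Unified identity authentication system: username -> hashed static password.
STATIC_DB: Dict[str, bytes] = {"alice": _hash_pw("correct horse battery staple")}
# Dynamic password authentication system: client id -> code it was sent.
DYNAMIC_DB: Dict[str, str] = {}
# Asset management platform: client id -> MAC addresses of its registered terminals.
ASSET_DB: Dict[str, Set[str]] = {"client-01": {"02:00:5e:10:00:01"}}
# Security software that the running-environment check requires to be running.
REQUIRED_RUNNING = ("client_management", "patch_management", "antivirus")


@dataclass
class AuthRequest:
    """Contents of the authentication request packet (constructed layout)."""
    client_id: str
    username: str
    static_password: str
    dynamic_password: str
    terminal_mac: str
    environment: Dict[str, str] = field(default_factory=dict)


def issue_dynamic_password(client_id: str) -> str:
    """Dynamic password system sends a 6-digit one-time code and records the mapping."""
    code = f"{secrets.randbelow(10**6):06d}"
    DYNAMIC_DB[client_id] = code
    return code


def auth_static(req: AuthRequest) -> bool:
    stored = STATIC_DB.get(req.username)
    return stored is not None and hmac.compare_digest(stored, _hash_pw(req.static_password))


def auth_dynamic(req: AuthRequest) -> bool:
    """Code must match the one issued to this very client, and is consumed on success."""
    issued = DYNAMIC_DB.get(req.client_id)
    if issued is None or not hmac.compare_digest(issued, req.dynamic_password):
        return False
    del DYNAMIC_DB[req.client_id]
    return True


def auth_terminal(req: AuthRequest) -> bool:
    """Terminal is a registered asset of the intranet owner and belongs to this client."""
    return req.terminal_mac.lower() in ASSET_DB.get(req.client_id, set())


def auth_environment(req: AuthRequest) -> bool:
    return all(req.environment.get(sw) == "running" for sw in REQUIRED_RUNNING)


def authenticate(req: AuthRequest) -> Tuple[bool, Dict[str, bool]]:
    """All four results are evaluated (for the gateway's own log); intranet
    access authority is granted only when every one of them passes."""
    results = {
        "static_identity": auth_static(req),
        "dynamic_password": auth_dynamic(req),
        "terminal_identity": auth_terminal(req),
        "running_environment": auth_environment(req),
    }
    return all(results.values()), results
```

All four checks are evaluated rather than short-circuited so the gateway log records which factor failed, while the client only learns the overall verdict; the per-factor results are returned for that log, not for the client.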
Further, for a client that passes the intranet access authority authentication, the virtual private network gateway may directly open to the client the access authority of the intranet resources that may be accessed remotely. The client then exchanges information directly with the intranet resources.
The virtual private network gateway may also construct a service proxy gateway between the client and the remotely accessible intranet resources. The client does not access the intranet resources directly; it sends information to the service proxy gateway, which forwards the interaction information between the client and the corresponding intranet resource. By constructing the service proxy gateway, a virtual tunnel is built between the client and the intranet resources and the data stream is carried through that tunnel, so the real IP addresses of the intranet resources are hidden and the IP address of the virtual private network gateway is used to provide the data service to the client.
For example, when the client needs to remotely access an intranet resource, it first sends a resource access request to the service proxy gateway, which then forwards the resource access request to the intranet resource. Similarly, data from the intranet resource destined for the client is first sent to the service proxy gateway, which forwards it to the client.
By constructing the service proxy gateway, the client is isolated from the IP address and port of the intranet resource. The client cannot connect directly to the IP address and port of the intranet resource, and the intranet resource sees only access requests from the service proxy gateway, never from the client. The intranet resources are no longer directly exposed on the network, so a malicious attacker cannot scan or sniff them, and an attacker who has compromised the client cannot use it to scan for and obtain the IP addresses of intranet resources, which improves the security protection of the intranet resources.
With continued reference to fig. 3, the system may further include a security access control center. The security access control center may be located in the intranet, for example. An exemplary description of how the security access control center implements the above-described security access control function follows.
Fig. 4 is a schematic flow chart of security access control according to an embodiment of the present application. As shown in fig. 4, the method may comprise, for example, the steps of:
S401, monitoring intranet access data of a client accessing an intranet.
For example, information in the intranet access data may be identified and recorded, including at least one of: packets, protocols, IP addresses, etc. A big data analysis model is built from the information in the intranet access data to obtain the monitored intranet access data, which may include any of: login time, accessed website, application program, file transfer, etc.
S402, carrying out trust evaluation on the client according to the monitored intranet access data.
Once a client is authorized to access the intranet, the security access control center performs trust evaluation on the client's operations, to ensure the credibility of the identity and the compliance of the business behavior of the client accessing the intranet. For example, the trust evaluation may be performed on the client by analyzing the intranet access data, or by forming an intranet access behavior portrait of the client.
The following illustrates trust evaluation of a client by forming an intranet access behavior portrait of the client.
The security access control center obtains the intranet access behavior of the client accessing the intranet from the intranet access data. The intranet access behavior may include, for example, at least one of: access frequency, online and offline times, traffic trend. The access frequency is the number of intranet access requests sent by the client within a certain period of time, and may be obtained from the accumulated number of such requests in that period. The online and offline times are the times at which the client logs in to and out of the intranet, and may be obtained from those login and logout times. The traffic trend is the change in the traffic of intranet access over a certain period of time, and may be obtained by clustering the intranet access data of that period. The clustering may be performed by a model or by a traffic analysis tool, etc., without limitation.
The security access control center then judges whether the intranet access behavior of the client is consistent with the client's access behavior portrait, and if not, judges that the client has abnormal access behavior. For example, the security access control center may use a big data algorithm to compare the client's intranet access behavior with its access behavior portrait. The big data algorithm may be, for example, any of: naive Bayes, nearest neighbor algorithms, etc.
Taking the access frequency of the client as an example, the judgment logic may be: if a client normally performs remote access 10 times within one week, but at some moment its remote access frequency over the last week is found to be as high as 100 times, an attacker is suspected of using an automated tool to perform remote access frequently, and the client's intranet access behavior can be preliminarily determined to be abnormal.
Taking the online and offline times of the client as an example, the judgment logic may be: if the client's logins over one month are mostly distributed in non-working hours such as 21:00-23:00, but on a certain day the client suddenly logs in at 12:00, this can be judged to be abnormal behavior that deviates from the normal access time.
Taking the traffic trend of the client as an example, the judgment logic may be: if a client normally accesses only a mailbox, an office platform and the like for daily business, with an average access traffic of about 500M, but on a certain day its upload and download traffic reaches 10G, this can be judged to be abnormal behavior such as triggering a large amount of data upload and download.
The access behavior portrait describes the network behavior of the client when accessing the intranet under normal circumstances, and may include any of: the user's browsing habits, access duration, frequency of use, access records, preferences, behavior tracks, etc. The access behavior portrait may be a portrait of the individual client or a portrait of the clients that share the same access authority. Taking the portrait of an individual client as an example, a big data analysis model may be built from the client's intranet access behavior over a period of time, analyzing that behavior to form the client's access behavior portrait. The big data analysis model may be, for example, any of: association rule mining, cluster analysis, etc.
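The three judgments above (access frequency, online time, traffic trend) as an added example that is not code from the patent. A simple statistical portrait (weekly login count, usual login hours, median bytes per session) stands in for the big data analysis model, the deviation thresholds are constructed, and the sample sessions are constructed to mirror the 10-to-100 logins, 21:00-23:00 versus 12:00 and 500M versus 10G cases in the text.

```python
"""Access behavior portrait and anomaly checks for the three behaviors
discussed above (access frequency, online time, traffic).  Added illustrative
code, not from the patent; the portrait statistics, the thresholds and the
sample sessions are all constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Any, Dict, List


@dataclass
class Session:
    login: datetime
    bytes_transferred: int


def build_portrait(history: List[Session], weeks: int) -> Dict[str, Any]:
    """Summarise several weeks of normal activity into a portrait."""
    hour_counts = Counter(s.login.hour for s in history)
    return {
        "weekly_frequency": len(history) / weeks,
        # an hour is 'usual' if at least 10 % of logins fall in it (constructed threshold)
        "usual_hours": {h for h, n in hour_counts.items() if n / len(history) >= 0.10},
        "typical_bytes": median(s.bytes_transferred for s in history),
    }


def detect_anomalies(portrait: Dict[str, Any], recent_week: List[Session]) -> List[str]:
    """Compare one recent week with the portrait; return the deviating dimensions."""
    findings = []
    # Access frequency: the text's example is 10 logins/week becoming 100.
    if len(recent_week) > 5 * portrait["weekly_frequency"]:
        findings.append("access_frequency")
    # Online time: a login at an hour the client never normally uses.
    if any(s.login.hour not in portrait["usual_hours"] for s in recent_week):
        findings.append("login_time")
    # Traffic trend: the text's example is ~500M average becoming 10G in a day.
    if any(s.bytes_transferred > 10 * portrait["typical_bytes"] for s in recent_week):
        findings.append("traffic")
    return findings


def sample_history() -> List[Session]:
    """Constructed baseline: 4 weeks, 10 evening logins a week, ~500 MB each."""
    sessions = []
    for week in range(4):
        for i in range(10):
            day = 1 + week * 7 + (i % 7)
            sessions.append(Session(datetime(2024, 1, day, 21 + i % 3),
                                    500_000_000 + (i % 5) * 1_000_000))
    return sessions


def evening(n: int, hour: int = 22, nbytes: int = 500_000_000) -> List[Session]:
    """Constructed recent-week sessions, evening logins unless told otherwise."""
    return [Session(datetime(2024, 2, 1 + i % 7, hour), nbytes) for i in range(n)]


def demo() -> Dict[str, List[str]]:
    """Run the three scenarios from the text plus a normal week."""
    portrait = build_portrait(sample_history(), weeks=4)
    return {
        "normal": detect_anomalies(portrait, evening(10)),
        "automated_tool": detect_anomalies(portrait, evening(100)),
        "odd_hour": detect_anomalies(portrait, evening(9) + evening(1, hour=12)),
        "bulk_transfer": detect_anomalies(portrait, evening(9) + evening(1, nbytes=10_000_000_000)),
    }
```

Each finding names the dimension that deviated, so the later trust evaluation can weigh a single odd login hour differently from a tenfold jump in transfer volume rather than receiving a bare "abnormal" flag.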
After clients with abnormal access behavior are identified, trust evaluation is performed on them. For example, a client with abnormal access behavior may be evaluated on the basis of the abnormal behavior alone, or additionally in combination with network security information obtained from a security operation center and/or a network abnormal behavior threat sensing system.
The security operation center and the network abnormal behavior threat sensing system are located in the intranet, and may be part of the remote access system or systems independent of it.
The security operation center monitors and manages the running state of the intranet in real time, collects the security information of intranet resources, analyzes, counts and correlates various security events, and generates network security information. The security operation center may store the network security information and its mapping to clients in a database, for example.
The network abnormal behavior threat sensing system collects and stores security-related data such as intranet running state, vulnerabilities, security configuration, logs and traffic, and generates network security information. It may likewise store the network security information and its mapping to clients in a database, for example.
The security access control center obtains the network security information related to the client from the security operation center and/or the network abnormal behavior threat sensing system. This may include, for example, at least one of: network threat intelligence, network security events, etc. The network threat intelligence may include, for example, at least one of: malware intelligence, vulnerability intelligence, attack intelligence, malicious domain name and/or IP address intelligence, etc. The network security events may include, for example, at least one of: network attack events, network virus events, malware events, data leakage events, etc. Information on network security events may be obtained, for example, from network attack logs, network virus logs, malicious program logs, data leakage logs, and the like.
Trust evaluation of the client is then performed according to the obtained network security information related to the client and the client's abnormal access behavior. For example, qualitative analysis, quantitative analysis, comprehensive analysis, a dedicated network behavior analysis tool, etc. may be used to analyze the network security information and the abnormal access behavior of the client, and to judge whether the abnormal access behavior affects the intranet and to what degree.
If the analysis shows that the abnormal access behavior of the client does not affect the intranet, the client passes trust evaluation.
If the analysis shows that the abnormal access behavior of the client may affect the intranet, the client fails trust evaluation. The risk level of a client that fails trust evaluation may be divided into: low risk, medium risk, high risk.
Trust evaluation of the client allows risky clients to be accurately identified, and information sharing with the security operation center and/or the network abnormal behavior threat sensing system improves the security protection capability of intranet resources, realizing joint prevention and control with the existing protection systems.
S403, performing intranet access authorization control on the client that fails trust evaluation.
For clients that fail trust evaluation, intranet access authorization control is performed so that the security of intranet resources is ensured while those clients access the intranet.
For example, a preset intranet access authorization control may be applied to the client that fails trust evaluation. Alternatively, the intranet access authorization control may be chosen according to the reason for the trust evaluation failure, or according to the risk level of the client that fails trust evaluation.
The following description takes intranet access authorization control according to the risk level of the client that fails trust evaluation as an example.
The security access control center obtains the risk level of the client that fails trust evaluation. For example, the risk level may be obtained from the result of the trust evaluation performed on the client, and may be any of: low risk, medium risk, high risk.
The security access control center then performs intranet access authorization control on the client that fails trust evaluation, according to the intranet access authorization control operation corresponding to the risk level.
For example, the security access control center may store the client security control policy in its internal memory. The security control policy may include intranet access authorization control operations, with different risk levels corresponding to different operations, which may be, for example, any of: reauthentication, termination of access, disconnection of the network connection, rights reclamation, etc. The security access control center implements the security control policy corresponding to the client's risk level, and performs intranet access authorization control on the client that fails trust evaluation according to the intranet access authorization control operation for that risk level.
Performing intranet access authorization control according to risk level allows the client that fails trust evaluation to be granted the maximum authority compatible with ensuring the security of intranet resources.
Further, the security access control center may add the mapping between the client that fails trust evaluation and the corresponding intranet access authorization control operation to a monitoring list. Such a client then no longer needs to be monitored by way of trust evaluation; it can be monitored through the monitoring list instead, which improves monitoring efficiency. For example, a monitoring list for clients that fail trust evaluation is set up in the internal memory of the security access control center. The monitoring list may be a database or another file capable of storing data. It stores the mapping between each client and the corresponding intranet access authorization control operation, for example as the client identifier together with the corresponding intranet access authorization control operation.
Further, when a client in the monitoring list is identified as accessing the network again, intranet access authorization control can be applied to it directly according to the intranet access authorization control operation recorded in the monitoring list. For example, by reading the monitoring list, the intranet access authorization control operation for the client can be looked up quickly by client identifier and applied. The trust evaluation process does not need to be repeated, which improves the efficiency of intranet access authorization control.
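Steps S402 and S403 end to end, as an added example that is not code from the patent: trust evaluation of a client already flagged for abnormal behavior, combined with network security information, a risk level, the control operation for that level, the monitoring list, the short-cut on re-access, and clearing the list after a complaint is reviewed. The scoring rule, the level-to-operation policy and the sample security information are constructed for the example.

```python
"""Trust evaluation of a client flagged for abnormal access behavior, its risk
level, the control operation for that level, and the monitoring-list short-cut
on re-access (steps S402 and S403 above).  Added illustrative code, not from
the patent; scoring rule, level-to-operation policy and sample security
information are constructed."""
from enum import Enum
from typing import Dict, List, Optional


class Risk(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# Control operations named in the text; which level gets which is a constructed policy.
CONTROL_POLICY: Dict[Risk, str] = {
    Risk.LOW: "reauthentication",
    Risk.MEDIUM: "terminate_access",
    Risk.HIGH: "disconnect_network_and_reclaim_rights",
}

# Constructed network security information per client, as the security operation
# center and the network abnormal behavior threat sensing system would supply it.
SECURITY_INFO: Dict[str, Dict[str, List[str]]] = {
    "client-07": {"threat_intel": ["malicious_ip"], "security_events": ["malware_event"]},
    "client-08": {"threat_intel": [], "security_events": []},
}

# Monitoring list: client id -> control operation already decided for it.
MONITORING_LIST: Dict[str, str] = {}


def evaluate_trust(client_id: str, anomalies: List[str]) -> Optional[Risk]:
    """None means trust evaluation passed; otherwise the risk level.
    Constructed rule: each abnormal behavior counts 1, each corroborating
    intelligence item or security event counts 2."""
    if not anomalies:
        return None  # nothing abnormal observed, so nothing to evaluate
    info = SECURITY_INFO.get(client_id, {"threat_intel": [], "security_events": []})
    score = len(anomalies) + 2 * (len(info["threat_intel"]) + len(info["security_events"]))
    if score >= 4:
        return Risk.HIGH
    if score >= 2:
        return Risk.MEDIUM
    return Risk.LOW


def control_access(client_id: str, anomalies: List[str]) -> Dict[str, str]:
    """Decide the intranet access authorization control for one access."""
    if client_id in MONITORING_LIST:
        # Re-access by a listed client: apply the recorded operation directly,
        # without repeating trust evaluation.
        return {"action": MONITORING_LIST[client_id], "source": "monitoring_list"}
    risk = evaluate_trust(client_id, anomalies)
    if risk is None:
        return {"action": "allow", "source": "trust_evaluation"}
    action = CONTROL_POLICY[risk]
    MONITORING_LIST[client_id] = action  # record the client -> operation mapping
    return {"action": action, "source": "trust_evaluation", "risk": risk.value}


def resolve_complaint(client_id: str, found_harmless: bool) -> bool:
    """After manual or log-based review finds the behavior harmless, clear the
    client from the monitoring list so it is no longer controlled by mistake."""
    if found_harmless and client_id in MONITORING_LIST:
        del MONITORING_LIST[client_id]
        return True
    return False
```

Because the monitoring list is consulted before any evaluation, a listed client is handled in one dictionary lookup on every re-access; the review step is the only path that removes an entry, which keeps a control decision from silently expiring.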
Further, the security access control center may also receive complaint information from clients that fail trust evaluation. For example, when a client encounters any situation such as being required to reauthenticate, having its access terminated, having its network connection disconnected, or having no authority, it may submit complaint information to the security access control center to request restoration of normal operation and opening of the corresponding authority. The complaint information may include, for example, the client identifier and at least one of: reauthentication information, request information, the access log at the time trust evaluation failed, etc. The request information may be, for example, any of: opening of rights, network connection, etc.
The security access control center updates the trust evaluation result of the client according to the complaint information. After receiving the complaint information, the security access control center may submit the client's complaint to the network administrator for manual handling to determine whether to reopen the intranet access right. Alternatively, if the complaint information carries an access log, the security access control center may determine from that log whether the abnormal access behavior that caused the client to fail trust evaluation was harmless to the intranet, and update the client's trust evaluation result if it is found to be harmless.
The security access control center may also update the client's access behavior portrait according to the client's intranet access data, so that the portrait reflects the client's actual access behavior more faithfully. Updating the access behavior portrait from intranet access data follows the way the portrait is generated, and is not described again here.
And/or the security access control center may remove the client from the monitoring list, to avoid mistakenly controlling the client. Further, the security access control center may synchronize the identifier of the client that fails trust evaluation to the honeypot system. For example, the client identifier may be any of: IP address, MAC address, etc. The honeypot system identifies the corresponding client by its identifier and interacts with it in order to locate the network attack mode adopted by the client. By locating the network attack mode adopted by the client that fails trust evaluation, network administrators can clearly understand the security threat the client poses to intranet resources and strengthen the security protection of intranet resources by technical and management means, improving the ability of intranet resources to cope with network attacks.
According to the method provided by the embodiments of the application: the validity of a client requesting access to the intranet is verified, so that a client that fails validity verification is blocked before connection; multiple authentication modes are combined to perform user identity authentication and terminal authentication on a client that passes validity verification, intranet access authority is authorized only after all authentication results represent authentication success, and the open ports of intranet resources are minimized; the intranet access data of clients accessing the intranet is monitored and trust evaluation is performed, confirming the continued credibility of authorized clients accessing the intranet; a service proxy gateway is constructed between a client that passes intranet access authority authentication and the remotely accessible intranet resources, so that the intranet resources are not directly exposed on the network and are invisible to an attacker, and attacker information is actively identified by locating the network attack mode of a client that fails validity verification and/or trust evaluation; and information is shared with the security operation center and/or the network abnormal behavior threat sensing system, realizing joint prevention and control with the existing protection systems. The risk of intranet resources being attacked is reduced, and the security protection capability of intranet resources is improved.
Other embodiments of the application will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It is to be understood that the application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (13)

1. A remote access system, comprising: a proxy gateway, a virtual private network gateway, a honey pot system; the virtual private network gateway is respectively connected with the proxy gateway and the intranet, and the proxy gateway is also connected with the honey pot system;
The proxy gateway is used for verifying the legitimacy of the client side requesting to access the intranet in a single-packet authorization mode, opening the access right of the virtual private network gateway for the verified client side, and opening the access right of the honey pot system for the client side failing in the legitimacy verification;
the virtual private network gateway is used for carrying out user identity authentication and terminal authentication of the client side passing the validity verification and carrying out intranet access authority authorization on the client side passing the intranet access authority authentication;
the honey pot system is used for locating a network attack mode adopted by the client which fails to verify the validity.
2. The system according to claim 1, wherein the virtual private network gateway is specifically configured to:
Acquiring static identity authentication information, dynamic identity authentication information, identity information of terminal equipment and running environment information of the terminal equipment of the client;
Interacting with a unified identity authentication system to acquire a first authentication result of the unified identity authentication system based on the static identity authentication information;
interacting with a dynamic password authentication system to acquire a second authentication result of the dynamic password authentication system based on the dynamic identity authentication information;
Interacting with an asset management platform to acquire a third authentication result of the asset management platform for authentication based on the identity information of the terminal equipment;
based on the running environment information of the terminal equipment, authenticating the running environment of the terminal equipment to obtain a fourth authentication result;
if the authentication results indicate that the authentication passes, determining that the intranet access authority authentication of the client passes;
If any authentication result represents authentication failure, determining that the intranet access authority of the client fails to authenticate.
3. The system of claim 1, wherein the virtual private network gateway is further configured to:
constructing a service proxy gateway between a client that passes the intranet access authority authentication and the intranet resources that can be accessed remotely; the service proxy gateway is used for forwarding the interaction information between the client and the corresponding intranet resources.
4. A system according to any one of claims 1-3, wherein the system further comprises: a security access control center; the security access control center is used for:
Monitoring intranet access data of a client accessing an intranet;
Carrying out trust evaluation on the client according to the monitored intranet access data;
And performing intranet access authorization control on the client with the trust evaluation failure.
5. The system according to claim 4, wherein the security access control center is specifically configured to:
Acquiring intranet access behaviors of clients accessing the intranet according to the intranet access data;
If the intranet access behavior of the client accessing the intranet is inconsistent with the access behavior portrait of the client, judging that the client has abnormal access behavior;
and carrying out trust evaluation on the client with abnormal access behaviors.
6. The system of claim 5, wherein the intranet access behavior comprises at least one of:
access frequency, time on-line and off-line, traffic trend.
7. The system according to claim 4, wherein the security access control center is specifically configured to:
acquiring network security information related to the client from a security operation center and/or a network abnormal behavior threat sensing system;
And carrying out trust evaluation on the client according to the acquired network security information related to the client and the abnormal access behavior of the client.
8. The system according to claim 4, wherein the security access control center is specifically configured to:
acquiring the risk level of a client with failed trust evaluation;
Performing intranet access authorization control on the client with trust evaluation failure according to intranet access authorization control operation corresponding to the risk level; the intranet access authorization control operation comprises any one of the following steps: reauthentication, termination of access, disconnection of network connection, rights reclamation.
9. The system of claim 8, wherein the secure access control center is further configured to:
and adding the mapping relation of the client with the trust evaluation failure and the corresponding intranet access authorization control operation to a monitoring list.
10. The system of claim 9, wherein the secure access control center is further configured to:
When the client in the monitoring list is identified to be accessed to the network again, the client is subjected to intranet access authorization control according to intranet access authorization control operation recorded in the monitoring list.
11. The system of claim 9, wherein the secure access control center is further configured to:
receive complaint information from a client that failed the trust evaluation;
update the trust evaluation result of the client according to the complaint information, and update the access behavior portrait of the client according to the intranet access data of the client;
and/or remove the client from the monitoring list.
12. The system according to claim 4, wherein:
the secure access control center is further configured to synchronize the identifier of a client that failed the trust evaluation to the honeypot system; and
the honeypot system is further configured to locate the network attack mode adopted by the client that failed the trust evaluation.
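The following is an added illustration of the secure access control center behaviour claimed in claims 7 to 12, not code from the patent or its applicant. The trust score formula, the risk-level thresholds and which risk level maps to which of the four control operations are assumptions of this example; the honeypot synchronization is modelled as a plain callback.

```python
from enum import Enum

class RiskLevel(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4

# Risk level -> authorization control operation. The four operations are the ones
# claim 8 lists; which level maps to which operation is an assumption of this example.
CONTROL_OPERATIONS = {
    RiskLevel.LOW: "reauthentication",
    RiskLevel.MEDIUM: "termination of access",
    RiskLevel.HIGH: "disconnection of network connection",
    RiskLevel.CRITICAL: "rights reclamation",
}

def risk_level(score):
    """Map a trust score to a risk level (thresholds are constructed for the example)."""
    for threshold, level in ((90, RiskLevel.CRITICAL), (70, RiskLevel.HIGH), (50, RiskLevel.MEDIUM)):
        if score >= threshold:
            return level
    return RiskLevel.LOW

class SecureAccessControlCenter:
    def __init__(self, honeypot_sync):
        self.monitoring_list = {}           # client_id -> control operation (claim 9)
        self.honeypot_sync = honeypot_sync  # callback receiving ids of failed clients (claim 12)

    def evaluate_trust(self, client_id, security_info, abnormal_behaviours):
        """Claims 7/8: score SOC threat data plus observed abnormal behaviours, then apply the
        control operation for the resulting risk level. Returns the operation, or None if trusted."""
        score = security_info.get("threat_score", 0) + 15 * len(abnormal_behaviours)
        if score < 30:
            return None
        operation = CONTROL_OPERATIONS[risk_level(score)]
        self.monitoring_list[client_id] = operation      # claim 9: record client -> operation
        self.honeypot_sync(client_id)                    # claim 12: hand the id to the honeypot
        return operation

    def on_reconnect(self, client_id):
        """Claim 10: a listed client that connects again gets the recorded operation applied."""
        return self.monitoring_list.get(client_id)

    def handle_complaint(self, client_id, upheld):
        """Claim 11: an upheld complaint removes the client from the list. Returns True if unlisted."""
        if upheld:
            self.monitoring_list.pop(client_id, None)
        return client_id not in self.monitoring_list
```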
13. A remote access method, the method being applied to a remote access system comprising a proxy gateway, a virtual private network gateway and a honeypot system, the virtual private network gateway being connected to the proxy gateway and to the intranet respectively, the method comprising:
the proxy gateway performing validity verification, in single-packet authorization mode, on a client requesting access to the intranet, opening access to the virtual private network gateway for a client that passes the verification, and opening access to the honeypot system for a client that fails the validity verification;
the virtual private network gateway performing user identity authentication and terminal authentication for the client that passed the validity verification, and performing intranet access authority authorization on the client that passed the intranet access authority authentication; and
the honeypot system locating the network attack mode adopted by the client that failed the validity verification.
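As an added example (not the patent's or applicant's code), a minimal single-packet authorization check at the proxy gateway of claim 13: a valid packet opens the path to the VPN gateway, anything else is routed to the honeypot. The JSON packet layout, the HMAC-SHA256 scheme over id, timestamp and nonce, the 30-second freshness window and the pre-shared keys are all assumptions of this example.

```python
import hashlib
import hmac
import json
import time

WINDOW_SECONDS = 30  # assumed freshness window for a packet's timestamp

def spa_mac(key, client_id, ts, nonce):
    """Tag over the packet fields; the field order is part of the assumed format."""
    return hmac.new(key, f"{client_id}|{ts}|{nonce}".encode(), hashlib.sha256).hexdigest()

def build_packet(key, client_id, ts, nonce):
    """Client side: the single packet a legitimate client sends (constructed format)."""
    return json.dumps({"id": client_id, "ts": ts, "nonce": nonce, "mac": spa_mac(key, client_id, ts, nonce)})

class ProxyGateway:
    def __init__(self, client_keys, now=time.time):
        self.client_keys = client_keys  # client_id -> pre-shared key (constructed table)
        self.seen_nonces = set()        # replay protection within the freshness window
        self.now = now                  # injectable clock so the check is testable

    def authorize(self, packet):
        """Return ("vpn", client_id) for a valid packet, else ("honeypot", reason).
        The reason is for the gateway's own log; nothing is sent back to the sender."""
        try:
            fields = json.loads(packet)
            client_id, ts = fields["id"], int(fields["ts"])
            nonce, tag = fields["nonce"], fields["mac"]
        except (ValueError, KeyError, TypeError):
            return "honeypot", "malformed"
        key = self.client_keys.get(client_id)
        if key is None:
            return "honeypot", "unknown client"
        if not hmac.compare_digest(spa_mac(key, client_id, ts, nonce), tag):
            return "honeypot", "bad mac"
        if abs(self.now() - ts) > WINDOW_SECONDS:
            return "honeypot", "stale"
        if nonce in self.seen_nonces:
            return "honeypot", "replay"
        self.seen_nonces.add(nonce)
        return "vpn", client_id
```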
CN202410322627.2A 2024-03-20 2024-03-20 Remote access system and method Pending CN118157967A (en)

Publications (1)

Publication Number Publication Date
CN118157967A true CN118157967A (en) 2024-06-07

Family

ID=91292434

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination