WO2017161706A1 - Method of controlling access to network resource in local area network, device, and gateway equipment - Google Patents


Info

Publication number
WO2017161706A1
Authority
WO
WIPO (PCT)
Prior art keywords
resource
client
user
level
privilege level
Application number
PCT/CN2016/086270
Other languages
French (fr)
Chinese (zh)
Inventor
陈龙
梁会发
谢铁民
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates

Definitions

  • the present application relates to, but is not limited to, the field of network security technologies, and in particular, to an access control method, apparatus, and gateway device for intranet resources of a local area network.
  • SSL VPN refers to a VPN (Virtual Private Network) technology that establishes a remote secure access channel based on the SSL (Security Socket Layer) protocol.
  • SSL Secure Socket Layer
  • the SSL protocol runs at the transport layer and encrypts only the application channel between the communicating parties, rather than the entire channel from one host to another.
  • each application is a secure independent entity that can operate in a transparent mode on a Network Address Translation (NAT) proxy device.
  • NAT Network Address Translation
  • both parties can perform identity verification and implement digital signatures through an asymmetric key algorithm. Since data encrypted with the private key can only be decrypted with the corresponding public key, the identity of the sender can be judged by whether decryption succeeds, and SSL uses the mechanism provided by the PKI (Public Key Infrastructure) to ensure the authenticity of the public key.
  • the certificate tooling provided by OpenSSL (Open Security Socket Layer) can be used to establish an organization's own certificate system: the private keys and certificates of the server and of multiple clients are created from a root certificate, and when a client initiates an access request, the authenticity and uniqueness of the user are ensured.
  • SSL VPN network extension refers to the use of the SSL protocol to connect users dispersed across the WAN by constructing a virtual LAN.
  • in an SSL VPN network extension, the parties involved are the users, the gateway device, and the internal resources.
  • the user initiates a request to join the local area network to the gateway device through the client.
  • the gateway device, acting as the server side, authenticates the user. If authentication succeeds, an available virtual LAN address is taken from the address pool and assigned to the user; the client program running on the user side configures the assigned address on a local virtual Ethernet device (referred to herein as a TUN device), and the gateway device pushes the routes reachable in the intranet to the user; finally, after the client adds the received routes to its local routing table, the user has successfully joined the virtual LAN.
  • TUN device local virtual Ethernet device
  • the data is sent through the TUN device. After the data reaches the TUN device, the client program encrypts it, encapsulates the encrypted data in a TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) packet addressed to the specified port number, and sends it from the real physical network interface to the gateway device; on receiving the data, the gateway device checks whether the TCP
  • TCP Transmission Control Protocol
  • UDP User Datagram Protocol
  • or UDP port number is 1194; if so, the packet for that port is handed to the VPN module of the gateway device for decryption, and the successfully decrypted data is sent to the Ethernet TUN device of the gateway device.
  • the data leaving the TUN device is already plaintext, and it is passed to the protocol stack as if it had arrived on a normal Ethernet device.
  • the resources of the internal network have different confidentiality levels, so security access control must be performed on users, and specific resources require specific permissions before access is allowed.
  • in the related art, when security access control is performed, the user initiates access to a certain resource, the access permission level is obtained, and whether the user has access is determined according to that level. This method is inefficient in accessing resources, because it requires a connection to the requested resource each time, wasting internal network resources.
  • when the gateway device checks the validity of a user accessing a resource, it needs to perform a complex legality check on the user who initiates the resource request according to the user's packet information; and once the resource connection is established, if the permission level of the resource is changed dynamically, the established connection cannot be updated in time, which leaves a security risk.
  • the object of the embodiments of the present invention is to provide a method, a device, and a gateway device for controlling access to network resources of a local area network, which are used to solve the problems in the related art of low resource access efficiency and of the security risk that arises when resource permissions change dynamically while a user accesses the internal resources of the local area network.
  • An access control method for intranet resources of a local area network includes: acquiring the user privilege level and the resource privilege level of a first client that initiates a resource connection request message to the gateway device; and, if the resource privilege level corresponding to the user privilege level of the first client is found in the preset correspondence table between user privilege levels and resource privilege levels, forwarding the resource connection request message of the first client to the target server.
  • obtaining the user privilege level of the first client that initiates the resource connection request message to the gateway device includes: receiving an access connection request initiated by the first client to the gateway device, and obtaining the user privilege level of the first client from the access connection request.
  • obtaining the user privilege level of the first client from the access connection request includes:
  • the user common name of the first client is obtained by using an authentication mechanism of the Secure Sockets Layer (SSL) protocol, and the first client is authenticated according to the digital certificate corresponding to the common name of the user.
  • SSL Secure Sockets Layer
  • when the identity verification of the first client passes, an intranet IP address is assigned to the first client and the access connection with the first client is completed; the user privilege level of the first client is then obtained by searching the user permission list according to the user common name in the access connection request.
  • obtaining the resource permission level of the first client that initiates the resource connection request message to the gateway device includes: obtaining the resource connection request message sent by the first client through the SSL VPN, and obtaining the resource permission level corresponding to the resource connection request message according to that message.
  • obtaining the resource permission level corresponding to the resource connection request message according to the resource connection request message includes:
  • the content of the packet in the resource connection request message is parsed, and the resource to be connected is obtained as the first resource.
  • the resource permission list is searched to obtain the resource authority level corresponding to the first resource.
  • the method further includes: after the resource connection request message of the first client is forwarded to the target server, when the first client has connected to the target server according to the resource connection request message and has been allocated the first resource, saving the attribute information of the first client in the user access list of the first resource.
  • the method further includes: after the first client disconnects from the first resource, deleting the attribute information of the first client from the user access list of the first resource.
  • the method further includes: updating the user access list according to a change of the resource authority level or of the user authority level.
  • performing the user access list update according to the change of the resource permission level includes:
  • after the resource authority level is changed, the user access list of the resource whose resource authority level has changed is searched, and the attribute information of the clients that are accessing that resource is acquired.
  • if, in the preset correspondence table between user privilege levels and resource privilege levels, the user privilege level of such a client does not correspond to the changed resource privilege level, a first reset message is sent to the client and the attribute information of the client is deleted from the user access list.
  • performing the user access list update according to the change of the user privilege level further includes:
  • after the user privilege level of a client is lowered, if the attribute information of that client is located in the user access list of a resource whose resource privilege level corresponded to the user privilege level before it was lowered, a second reset message is sent to the client and its attribute information is deleted from that user access list.
  • An access control device for intranet resources of a local area network includes an obtaining module and an execution processing module.
  • the obtaining module is configured to acquire the user privilege level and the resource privilege level of the first client that initiates the resource connection request message to the gateway device.
  • the execution processing module is configured to: if, in the preset correspondence table between user privilege levels and resource privilege levels, the resource privilege level corresponding to the user privilege level of the first client is found, forward the resource connection request message of the first client to the target server.
  • the obtaining module includes a first acquiring submodule.
  • obtaining, by the obtaining module, the user privilege level of the first client that initiates the resource connection request message to the gateway device includes:
  • the first obtaining sub-module is configured to receive an access connection request initiated by the first client to the gateway device, and obtain a user permission level of the first client from the access connection request.
  • the first obtaining submodule includes an identity verification unit, an access connection unit, and a user privilege level obtaining unit.
  • obtaining, by the first obtaining submodule, the user privilege level of the first client from the access connection request includes:
  • the authentication unit is configured to obtain the user common name of the first client by using an authentication mechanism of the Secure Sockets Layer (SSL) protocol, and perform identity verification on the first client according to the digital certificate corresponding to the common name of the user.
  • SSL Secure Sockets Layer
  • the access connection unit is configured to, when the authentication of the first client passes, assign an intranet IP address to the first client, and complete an access connection with the first client.
  • the user privilege level obtaining unit is configured to obtain the user privilege level of the first client according to the user common name in the access connection request.
  • the obtaining module further includes a second obtaining submodule and a third acquiring submodule.
  • obtaining, by the obtaining module, the resource permission level of the first client that initiates the resource connection request message to the gateway device includes:
  • the second obtaining submodule is configured to obtain a resource connection request message sent by the first client by using a secure socket protocol virtual private network SSL VPN.
  • the third obtaining sub-module is configured to acquire the resource permission level corresponding to the resource connection request message according to the resource connection request message.
  • the third obtaining submodule includes an analysis processing unit and a resource authority level acquiring unit.
  • obtaining, by the third obtaining submodule, the resource permission level corresponding to the resource connection request message according to the resource connection request message includes:
  • the parsing processing unit is configured to parse the content of the packet in the resource connection request message, and obtain the resource to be connected as the first resource.
  • the resource privilege level obtaining unit is configured to: obtain a resource privilege list, and obtain a resource privilege level corresponding to the first resource.
  • the device further comprises a first processing module.
  • the first processing module is configured to: after the resource connection request message of the first client is forwarded to the target server, when the first client has connected to the target server according to the resource connection request message and has been allocated the first resource, save the attribute information of the first client in the user access list of the first resource.
  • the device further comprises a second processing module.
  • the second processing module is configured to delete attribute information of the first client from a user access list of the first resource after the first client disconnects from the first resource.
  • the device further includes: an access list update module.
  • the access list update module is configured to update the user access list according to a change of the resource authority level or of the user authority level.
  • the access list update module includes: a fourth acquisition submodule and a first update processing submodule.
  • performing, by the access list update module, the user access list update according to the change of the resource permission level includes:
  • the fourth obtaining submodule is configured to: after the resource authority level is changed, search for the user access list of the resource whose resource authority level has changed, and acquire the attribute information of the clients that are accessing that resource.
  • the first update processing submodule is configured to: if, in the preset correspondence table between user privilege levels and resource privilege levels, the user privilege level of such a client does not correspond to the changed resource privilege level, send a first reset message to the client and delete the attribute information of the client from the user access list.
  • the access list update module further includes: a second update processing submodule.
  • performing, by the access list update module, the user access list update according to the change of the user privilege level further includes:
  • the second update processing submodule is configured to: after the user privilege level of a client is lowered, if the attribute information of that client is located in the user access list of a resource whose resource privilege level corresponded to the user privilege level before it was lowered, send a second reset message to the client and delete its attribute information from that user access list.
  • a gateway device includes an access control device for intranet resources of a local area network as described in the foregoing embodiments.
  • a computer readable storage medium stores computer executable instructions which, when executed by a processor, implement the access control method for intranet resources described above.
  • the resource access authority of a client accessing the internal resources of the local area network is determined directly on the gateway device, by the resource authority level corresponding to the user authority level, and only when the client has the resource access right is the resource connection request forwarded to the target server. This improves the resource access efficiency of the user accessing the internal resources of the local area network, reduces the processing load of the target server, and saves internal network resources; and, by immediately resetting the resource connection of a user or resource whose authority has changed, it ensures the data security of the internal network resources of the local area network when resource permissions change dynamically.
  • FIG. 1 is a schematic diagram of the relationships between a user, a gateway device, and internal resources in an SSL VPN network extension according to an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of the basic steps of an access control method for intranet resources of a local area network according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of an access control apparatus for intranet resources of a local area network according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of an access control method for intranet resources of a local area network according to an embodiment of the present invention.
  • the embodiments of the present invention are directed to the problems that, when a user accesses the internal resources of the local area network, the resource access efficiency is low and dynamic changes of resource permissions carry a security risk.
  • an access control method for the intranet resources of the local area network is provided, for use when a user accesses the internal resources of the local area network.
  • the resource access efficiency is improved, the processing load of the target server is reduced, internal network resources are saved, and the data security of the internal network resources of the local area network is ensured when resource permissions change dynamically.
  • an embodiment of the present invention provides a method for controlling access of intranet resources in a local area network, including steps 11-12:
  • Step 11 Acquire a user privilege level and a resource privilege level of the first client that initiates the resource connection request message to the gateway device.
  • the user privilege level is the privilege level of the user who operates the client, and one user corresponds to one client.
  • Step 12 In the correspondence table between the preset user privilege level and the resource privilege level, if the resource privilege level corresponding to the user privilege level of the first client is found, forward the resource connection request message of the first client to the target server.
  • the access control method for the intranet resources of the local area network in the embodiment of the present invention determines the resource access authority of the client accessing the internal resources of the local area network directly on the gateway device, according to the resource permission level corresponding to the user authority level, and only when the client has the resource access authority is the resource connection request forwarded to the target server, which improves the resource access efficiency of the user accessing the internal resources of the local area network, reduces the processing load of the target server, and saves internal network resources.
  • obtaining the user privilege level of the first client that initiates the resource connection request message to the gateway device in step 11 of the embodiment of the present invention includes step 111:
  • Step 111 Receive an access connection request initiated by the first client to the gateway device, and obtain the user privilege level of the first client from the access connection request.
  • the first client may be an SSL VPN network extension client, and the gateway device may be a virtual private network (VPN) gateway device.
  • receiving, in step 111, an access connection request initiated by the first client to the gateway device and acquiring the user permission level of the first client from the access connection request includes steps 1111-1113:
  • Step 1111 Obtain a common name of the user of the first client by using an authentication mechanism of the Secure Sockets Layer SSL protocol, and perform identity verification on the first client according to the digital certificate corresponding to the common name of the user.
  • the user common name is a user identifier that uniquely identifies the client; it is assigned when the user applies for an account from the gateway device administrator.
  • the digital certificate corresponding to the user's common name can be obtained by the method provided by the Open Secure Sockets Layer protocol OpenSSL.
  • OpenSSL Open Secure Sockets Layer protocol
  • the private key corresponding to the user's common name can also be obtained by this method, where the digital certificate includes the personal identity information of the client.
  • Step 1112 When the identity verification of the first client passes, assign an intranet IP address to the first client, and complete an access connection with the first client.
  • the gateway device stores the user common name in the data area.
  • if the identity verification of the first client fails, the gateway device directly rejects the access connection initiated by the first client.
  • the target server is not required to additionally process the authentication of the client to be accessed, which saves internal network resources and reduces the possibility of illegal clients acquiring internal data of the server.
  • Step 1113 Search for a user permission list according to the user common name in the access connection request, and obtain a user permission level of the first client.
  • the user permission list is pre-stored in the gateway device, where the user authority level of different users who can access the intranet resources is stored.
  • obtaining the resource permission level of the first client that initiates the resource connection request message to the gateway device in step 11 of the embodiment of the present invention includes the following steps 112-113:
  • Step 112 Obtain a resource connection request message sent by the first client by using a secure socket protocol virtual private network SSL VPN.
  • the gateway device completes the access connection with the first client before obtaining the resource connection request.
  • Step 113 Acquire, according to the resource connection request message, a resource authority level corresponding to the resource connection request message.
  • if the gateway device cannot obtain a resource permission level corresponding to the resource connection request message, this indicates that the resource the client wants to access is not in the resource permission list; that is, the resource has no resource privilege level and no access right is required, so all authenticated clients can access this resource inside the LAN.
  • the step 113 according to the resource connection request message, acquiring the resource permission level corresponding to the resource connection request message includes steps 1131-1132:
  • Step 1131 Parse the content of the packet in the resource connection request message, and obtain the resource to be connected as the first resource.
  • Step 1132 Find a resource permission list, and obtain a resource permission level corresponding to the first resource.
  • the resource permission list is pre-stored in the gateway device, where different resource permission levels corresponding to different resources are stored.
  • the access control method for the intranet resources of the local area network in the embodiment of the present invention may further include step 13:
  • Step 13 After forwarding the resource connection request message of the first client to the target server, when the first client has connected to the target server according to the resource connection request message and has been allocated the first resource, save the attribute information of the first client in the user access list of the first resource.
  • the user access list of the first resource stores the clients that are currently accessing the first resource.
  • the access control method for the intranet resources of the local area network in the embodiment of the present invention may further include step 14:
  • Step 14 After the first client disconnects from the first resource, delete the attribute information of the first client from the user access list of the first resource.
  • deleting the attribute information of the first client from the user access list of the first resource corresponds to immediately disconnecting the connection between the first client and the target server, thereby preventing intranet data from being leaked when the user privilege level or resource privilege level is subsequently changed, and ensuring the security of the intranet data resources.
  • the access control method for the intranet resources of the local area network in the embodiment of the present invention may further include step 15:
  • Step 15 Perform user access list update according to the resource permission level or the change of the user permission level.
  • step 15 performing user access list update according to the change of the resource authority level includes steps 151-152:
  • Step 151 After the resource authority level is changed, search for a user access list of the resource whose resource authority level has been changed, and obtain attribute information of the client that is accessing the resource of the changed resource permission level.
  • Step 152 In the correspondence table between the preset user privilege level and the resource privilege level, if the user privilege level of the client does not correspond to the changed resource privilege level, send a first reset message to the client and delete the attribute information of the client from the user access list.
  • the correspondence between the preset user privilege level and the resource privilege level may be stored in the gateway device in advance by the gateway device administrator according to the user privilege level.
  • the above two-step process shows that when the resource privilege level is changed, clients with an insufficient user privilege level are deleted from the user access list of the resource, so that the user access list is updated in time to ensure the security of the intranet resource data and effectively prevent the disclosure of resource data.
  • the step of performing the user access list update according to the change of the user privilege level in the step 15 further includes the step 153:
  • Step 153 After the user privilege level of a client is lowered, if the attribute information of that client is located in the user access list of the resource corresponding to the user privilege level before it was lowered, send a second reset message to the client whose privilege level was lowered, and delete its attribute information from the user access list.
  • the client whose privilege level has been lowered no longer has the right to access the resource corresponding to the privilege level it held before the lowering, so its attribute information is deleted from the access list of that resource, and the user access list is updated in time to ensure the security of the intranet resource data and effectively prevent the leakage of resource data.
  • the access control method for the intranet resources of the local area network in the embodiment of the present invention determines the resource access authority of the client accessing the internal resources of the local area network directly on the gateway device, according to the resource permission level corresponding to the user authority level, and only when the client has the resource access authority is the resource connection request forwarded to the target server, which improves the resource access efficiency of the user accessing the internal resources of the local area network, reduces the processing load of the target server, and saves internal network resources; and, by immediately resetting the resource connection of the user or resource whose authority has changed, it ensures the data security of the internal network resources of the local area network when resource permissions change dynamically.
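As an added illustration of steps 11 through 15 above (and of the obtaining, execution processing and access list update modules described below), here is a Python model of the gateway's admission, decision and revocation logic; it is not code from the patent, and the user and resource tables, level values, names and reset-message fields are constructed assumptions. It generalizes step 153 slightly: any change of a user's level re-checks every access list holding that user, and a reset is issued only where the new level no longer corresponds to the resource level.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample tables for this example (not taken from the patent).
# User permission list (step 1113): user common name -> user privilege level.
USER_PERMISSION_LIST: Dict[str, int] = {"alice": 3, "bob": 2, "carol": 1}
# Resource permission list (step 1132): resource name -> resource privilege level.
RESOURCE_PERMISSION_LIST: Dict[str, int] = {"hr-db": 3, "wiki": 2, "git": 2}
# Preset correspondence table (step 12): user level -> resource levels it may reach.
CORRESPONDENCE_TABLE: Dict[int, Set[int]] = {3: {1, 2, 3}, 2: {1, 2}, 1: {1}}


@dataclass
class Client:
    """Attribute information the gateway keeps per access connection (steps 1111-1113)."""
    common_name: str   # CN from the client certificate, unique per user
    intranet_ip: str   # address assigned from the pool at step 1112
    user_level: int    # looked up in the user permission list at step 1113


@dataclass(frozen=True)
class ResetMessage:
    """Reset sent to a client whose connection is no longer authorized (steps 152, 153)."""
    common_name: str
    resource: str
    reason: str


class Gateway:
    def __init__(self, users: Dict[str, int], resources: Dict[str, int],
                 table: Dict[int, Set[int]]) -> None:
        self.users = dict(users)
        self.resources = dict(resources)
        self.table = table
        # User access lists (step 13): resource -> clients currently connected to it.
        self.access_lists: Dict[str, List[Client]] = {}

    def admit(self, common_name: str, intranet_ip: str) -> Optional[Client]:
        """Steps 1112-1113: after the certificate check, map the CN to a user level.
        Returns None (reject the access connection) for a CN not in the user list."""
        level = self.users.get(common_name)
        if level is None:
            return None
        return Client(common_name, intranet_ip, level)

    def _allowed(self, user_level: int, resource_level: int) -> bool:
        return resource_level in self.table.get(user_level, set())

    def request(self, client: Client, resource: str) -> bool:
        """Steps 113 and 12: True if the resource connection request may be forwarded."""
        resource_level = self.resources.get(resource)
        if resource_level is None:
            # Not in the resource permission list: the resource has no level, so every
            # authenticated client may reach it and there is nothing to revoke later.
            return True
        if not self._allowed(client.user_level, resource_level):
            return False
        # Step 13: record the client in the resource's user access list.
        self.access_lists.setdefault(resource, []).append(client)
        return True

    def disconnect(self, client: Client, resource: str) -> None:
        """Step 14: drop the client from the access list when it disconnects."""
        current = self.access_lists.get(resource, [])
        self.access_lists[resource] = [c for c in current if c is not client]

    def _revoke(self, resource: str, reason: str) -> List[ResetMessage]:
        """Reset every client on the resource's list whose level no longer corresponds."""
        resets: List[ResetMessage] = []
        keep: List[Client] = []
        for c in self.access_lists.get(resource, []):
            if self._allowed(c.user_level, self.resources[resource]):
                keep.append(c)
            else:
                resets.append(ResetMessage(c.common_name, resource, reason))
        self.access_lists[resource] = keep
        return resets

    def change_resource_level(self, resource: str, new_level: int) -> List[ResetMessage]:
        """Steps 151-152: re-check the access list of the resource whose level changed."""
        self.resources[resource] = new_level
        return self._revoke(resource, "resource_level_changed")

    def change_user_level(self, common_name: str, new_level: int) -> List[ResetMessage]:
        """Step 153, generalized: re-check every access list holding this user's clients."""
        self.users[common_name] = new_level
        resets: List[ResetMessage] = []
        for resource in list(self.access_lists):
            for c in self.access_lists[resource]:
                if c.common_name == common_name:
                    c.user_level = new_level
            resets.extend(self._revoke(resource, "user_level_changed"))
        return resets
```

The reset messages returned by the two change methods are what the gateway would send to the affected clients; the access lists are already pruned when they are returned.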
  • an embodiment of the present invention further provides an access control device for a network resource of a local area network, including: an obtaining module 21 and an execution processing module 22.
  • the obtaining module 21 is configured to acquire a user privilege level and a resource privilege level of the first client that initiates the resource connection request message to the gateway device.
  • the user privilege level is the privilege level of the user who operates the client, and one user corresponds to one client.
  • the execution processing module 22 is configured to: in the preset correspondence table between user privilege levels and resource privilege levels, if the resource privilege level corresponding to the user privilege level of the first client is found, forward the resource connection request message of the first client to the target server.
  • the obtaining module 21 in the embodiment of the present invention may include:
  • the first obtaining sub-module is configured to receive an access connection request initiated by the first client to the gateway device, and obtain a user permission level of the first client from the access connection request.
  • the first client may be an SSL VPN network extension client, and the gateway device may be a virtual private network (VPN) gateway device.
  • the first obtaining submodule may include:
  • an identity verification unit configured to obtain the user common name of the first client by using the authentication mechanism of the Secure Sockets Layer (SSL) protocol, and to authenticate the first client according to the digital certificate corresponding to the user common name.
  • the user common name is a user identifier that uniquely identifies the client; it is assigned when the client applies for an account from the gateway device administrator.
  • the digital certificate corresponding to the user common name can be generated with the tools provided by OpenSSL (Open Secure Sockets Layer).
  • the private key corresponding to the user common name can also be obtained by this method; the digital certificate includes the personal identity information of the client.
  • the access connection unit is configured to allocate an intranet IP address to the first client when the first client passes authentication, and to complete the access connection with the first client.
  • when authentication passes, the gateway device stores the user common name of the first client in its data area.
  • when authentication fails, the gateway device directly rejects the access connection initiated by the first client.
  • the target server therefore does not need to additionally authenticate the client that wants access, which saves internal network resources and reduces the possibility of illegal clients acquiring internal data of the server.
  • the user privilege level obtaining unit is configured to obtain the user privilege level of the first client according to the user common name in the access connection request.
  • the user permission list is pre-stored in the gateway device, where the user authority level of different users who can access the intranet resources is stored.
  • the obtaining module 21 in the embodiment of the present invention may further include:
  • the second obtaining submodule is configured to obtain a resource connection request message sent by the first client by using a secure socket protocol virtual private network SSL VPN.
  • the gateway device completes the access connection with the first client before obtaining the resource connection request.
  • the third obtaining sub-module is configured to acquire a resource permission level corresponding to the resource connection request message according to the resource connection request message.
  • if the gateway device does not obtain a resource permission level corresponding to the resource connection request message, this indicates that the resource the client wants to access is not in the resource permission list; that is, the resource has no resource permission level, no access right is required, and all authenticated clients can access that resource inside the LAN.
  • the third obtaining submodule may include:
  • the parsing processing unit is configured to parse the content of the packet in the resource connection request message, and obtain the resource to be connected as the first resource.
  • the resource privilege level obtaining unit is configured to obtain a resource privilege list to obtain a resource privilege level corresponding to the first resource.
  • the resource permission list is pre-stored in the gateway device, where different resource permission levels corresponding to different resources are stored.
  • the access control apparatus for the intranet resources of the local area network in the embodiment of the present invention may further include:
  • the first processing module 23 is configured to: after forwarding the resource connection request message of the first client to the target server, when the first client connects, according to the resource connection request message, to the first resource that the target server has allocated for that resource permission level, save the attribute information of the first client in the user access list of the first resource.
  • the user access list of the first resource stores the client that is currently accessing the first resource.
  • the access control apparatus for the intranet resources of the local area network in the embodiment of the present invention may further include:
  • the second processing module 24 is configured to delete the attribute information of the first client from the user access list of the first resource after the first client disconnects the first resource.
  • the attribute information of the first client is deleted from the user access list of the first resource as soon as the connection between the first client and the target server is disconnected, which prevents intranet data from leaking after a later change of the user permission level or resource permission level and guarantees the security of intranet data resources.
  • the access control apparatus for the intranet resources of the local area network may further include:
  • the access list update module 25 is configured to perform a user access list update according to the resource authority level or the change of the user authority level.
  • the access list update module 25 may include:
  • the fourth obtaining submodule is configured to: after the resource authority level is changed, search for a user access list of the resource whose resource authority level has been changed, and acquire attribute information of the client that is accessing the resource of the changed resource authority level.
  • the first update processing sub-module is configured to: in the correspondence table of preset user privilege levels and resource privilege levels, if the user privilege level of a client is found not to correspond to the changed resource privilege level, send a first reset message to that client and delete the client's attribute information from the user access list.
  • the correspondence between the preset user privilege level and the resource privilege level may be stored in the gateway device in advance by the gateway device administrator according to the user privilege level.
  • the processing performed by the fourth obtaining sub-module and the first update processing sub-module means that, when a resource's privilege level is changed, clients whose user privilege level is no longer sufficient are removed from that resource's user access list, so the user access list is updated in time. This ensures the security of intranet resource data and effectively prevents leakage of resource data.
  • the access list update module 25 may further include:
  • a second update processing sub-module configured to: after a user privilege level is lowered, if the attribute information of the client whose privilege level was lowered is present in the user access list of a resource that corresponded to the privilege level held before the lowering, send a second reset message to that client and delete its attribute information from the user access list.
  • the second update processing sub-module thus removes the attribute information of a client whose privilege level was lowered from the user access list of each resource the client was entitled to access before the lowering but is no longer entitled to access.
  • this deletion from the access list of the affected resource updates the user access list in time, ensures the security of intranet resource data and effectively prevents leakage of resource data.
  • the embodiment of the invention further provides a gateway device, which comprises the access control device for the intranet resources of the local area network described in the second embodiment.
  • the access control device for intranet resources of a local area network in the embodiment of the present invention determines the resource access authority of a client accessing internal resources of the local area network according to the resource privilege level corresponding to the user privilege level, directly in the execution processing module of the gateway device, and forwards the resource connection request to the target server when the client has that authority; this improves the resource access efficiency of users accessing internal resources, reduces the processing load of the target server and saves internal network resources.
  • the access list update module of the gateway device ensures the data security of internal network resources when resource authority changes dynamically, by immediately resetting the resource connection of the user or resource whose authority has changed.
  • FIG. 4 is a schematic flowchart of an access control method for intranet resources of a local area network according to an embodiment of the present invention.
  • the following figure illustrates the implementation process of a user accessing intranet resources of a local area network.
  • the client is also the client described in the first embodiment and the second embodiment.
  • Step 301: the gateway device receives an access connection request from a user.
  • the user's access connection request message is sent to the gateway device through an encrypted tunnel established with the SSL protocol.
  • Step 302: the gateway device verifies whether the user identity is legal.
  • if the gateway device verifies that the user identity is legal, step 303 is performed; if the gateway device finds the user identity invalid, the process ends and the access connection is disconnected.
  • to verify the user identity, the gateway device obtains the user common name through the authentication mechanism of the SSL protocol and authenticates the user with the digital certificate corresponding to that common name stored in the gateway device.
  • if verification passes, an intranet IP address is assigned to the user and the access connection is completed, which means that the user can access internal resources of the local area network.
  • Step 303: the user common name is recorded and the user permission level is obtained.
  • the user privilege level of the user can be obtained from the user privilege list in the gateway device by the user common name.
  • Step 304: the gateway device acquires the permission level of the resource the user wants to access.
  • the gateway device first receives the resource connection request sent by the user, obtains the resource to be accessed by the user according to the resource connection request, and obtains the permission level of the resource to be accessed by the user through the resource permission list in the gateway device.
  • Step 305: the gateway device determines whether the user has the right to access the resource.
  • if the gateway device determines that the user has the right to access the resource, step 306 is performed; if not, the process ends.
  • the gateway device checks whether the resource privilege level corresponding to the user's privilege level is higher than or equal to the privilege level of the resource the user wants to access; if it is, the user has the right to access the resource.
  • Step 306: the gateway device forwards the user's resource connection request to the target server.
  • the resource access efficiency of the user accessing the internal resources of the local area network is improved, the processing load of the target server is reduced, and internal network resources are saved.
  • Step 307: the user connects to and obtains the resource to be accessed.
  • Step 308: the gateway device disconnects the user and deletes the user's access record from the user access list of the resource.
  • deleting the user's access record from the user access list of the resource prevents intranet data leakage after the user privilege level or resource privilege level is changed, thereby ensuring the security of intranet data resources. It also allows the user access list to be updated in time when the user privilege level or resource privilege level changes.
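A runnable model of the gateway logic in steps 301 to 308 together with the access list update module described above, written here as an added example (it is not the patent's or the applicant's code). The correspondence table, user permission list, resource permission list, address pool and client names are constructed sample data, and the first and second reset messages are modelled as log entries.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ClientAttrs:
    common_name: str   # user common name from the client certificate
    intranet_ip: str   # address assigned from the gateway's pool


class Gateway:
    """Gateway-side enforcement point (hypothetical model, not the patent's code)."""

    def __init__(self, level_table: Dict[int, int], user_levels: Dict[str, int],
                 resource_levels: Dict[str, int], ip_pool: List[str]) -> None:
        # Preset correspondence table: user level -> highest resource level it may access.
        self.level_table = dict(level_table)
        self.user_levels = dict(user_levels)          # user permission list
        self.resource_levels = dict(resource_levels)  # resource permission list
        self.ip_pool = list(ip_pool)                  # intranet address pool
        self.connected: Dict[str, ClientAttrs] = {}   # common name -> attributes
        self.access_lists: Dict[str, Set[ClientAttrs]] = {}  # resource -> clients
        self.reset_log: List[Tuple[str, str, str]] = []      # (name, resource, kind)

    def access_connection(self, common_name: str, cert_verified: bool) -> Optional[ClientAttrs]:
        """Steps 301-303: admit only a verified certificate whose common name is listed."""
        if not cert_verified or common_name not in self.user_levels or not self.ip_pool:
            return None  # identity invalid (or pool exhausted): connection rejected
        client = ClientAttrs(common_name, self.ip_pool.pop(0))
        self.connected[common_name] = client
        return client

    def authorized(self, common_name: str, resource: str) -> bool:
        """Step 305: the ceiling mapped from the user level must be >= the resource level."""
        if common_name not in self.connected:
            return False  # only clients with a completed access connection
        resource_level = self.resource_levels.get(resource)
        if resource_level is None:
            return True   # resource not in the list: no level required
        ceiling = self.level_table.get(self.user_levels.get(common_name))
        return ceiling is not None and ceiling >= resource_level

    def resource_request(self, common_name: str, resource: str) -> bool:
        """Steps 304-307: forward if authorized and record the client in the access list."""
        if not self.authorized(common_name, resource):
            return False  # dropped at the gateway, never reaches the target server
        self.access_lists.setdefault(resource, set()).add(self.connected[common_name])
        return True

    def disconnect(self, common_name: str, resource: str) -> None:
        """Step 308: remove the client's record when it leaves the resource."""
        client = self.connected.get(common_name)
        if client is not None:
            self.access_lists.get(resource, set()).discard(client)

    def _reset(self, client: ClientAttrs, resource: str, kind: str) -> None:
        """Reset message modelled as a log entry, then drop the access-list entry."""
        self.reset_log.append((client.common_name, resource, kind))
        self.access_lists[resource].discard(client)

    def change_resource_level(self, resource: str, new_level: int) -> None:
        """Access list update: resource level changed -> first reset message."""
        self.resource_levels[resource] = new_level
        for client in list(self.access_lists.get(resource, ())):
            if not self.authorized(client.common_name, resource):
                self._reset(client, resource, "first reset")

    def change_user_level(self, common_name: str, new_level: int) -> None:
        """Access list update: user level lowered -> second reset message."""
        self.user_levels[common_name] = new_level
        for resource, clients in self.access_lists.items():
            for client in list(clients):
                if client.common_name == common_name and not self.authorized(common_name, resource):
                    self._reset(client, resource, "second reset")


def build_demo_gateway() -> Gateway:
    """Constructed sample data (not from the page); "wiki" is deliberately unlisted."""
    return Gateway({1: 1, 2: 2, 3: 3}, {"alice": 3, "bob": 1},
                   {"fileserver": 2, "hr-db": 3}, ["10.8.0.2", "10.8.0.3"])


def demo() -> Dict[str, object]:
    """Walk the flow once and return the decisions and resets for inspection."""
    gw = build_demo_gateway()
    results: Dict[str, object] = {"mallory_rejected": gw.access_connection("mallory", False) is None}
    gw.access_connection("alice", True)
    gw.access_connection("bob", True)
    results["bob_wiki"] = gw.resource_request("bob", "wiki")              # unlisted: allowed
    results["bob_fileserver"] = gw.resource_request("bob", "fileserver")  # level 1 < 2: denied
    results["alice_fileserver"] = gw.resource_request("alice", "fileserver")
    results["alice_hrdb"] = gw.resource_request("alice", "hr-db")
    gw.change_user_level("alice", 2)           # alice loses hr-db (3) but keeps fileserver (2)
    gw.change_resource_level("fileserver", 3)  # now she loses fileserver too
    results["resets"] = list(gw.reset_log)
    results["fileserver_list"] = sorted(c.common_name for c in gw.access_lists["fileserver"])
    return results
```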
  • the access control method for intranet resources of a local area network in the embodiment of the present invention determines, directly on the gateway device, the resource access authority of a client accessing internal resources of the local area network according to the resource permission level corresponding to the user authority level, and forwards the resource connection request to the target server when the client has that authority.
  • this improves the resource access efficiency of users accessing internal resources of the local area network, alleviates the processing load of the target server and saves internal network resources.
  • the data security of internal network resources of the local area network is ensured when resource authority changes dynamically, by immediately resetting the resource connection of the user or resource whose authority has changed.
  • a computer readable storage medium stores computer executable instructions which, when executed by a processor, implement the access control method for intranet resources described above.
  • all or part of the steps of the above embodiments may also be implemented with integrated circuits: the steps may be fabricated separately as individual integrated circuit modules, or several modules or steps may be fabricated together as a single integrated circuit module.
  • the devices/function modules/functional units in the above embodiments may be implemented by a general-purpose computing device, which may be centralized on a single computing device or distributed over a network of multiple computing devices.
  • when a device/function module/functional unit in the above embodiments is implemented in the form of a software function module and sold or used as a stand-alone product, it can be stored in a computer readable storage medium.
  • the above mentioned computer readable storage medium may be a read only memory, a magnetic disk or an optical disk or the like.
  • the resource access authority of a client accessing internal resources of the local area network is determined directly on the gateway device by the resource authority level corresponding to the user authority level, and the resource connection request is forwarded to the target server when the client has that authority.
  • this improves the resource access efficiency of users accessing internal resources of the local area network, reduces the processing load of the target server and saves internal network resources; the immediate reset of the resource connection of a user or resource whose authority is changed ensures the data security of internal network resources when resource authority changes dynamically.

Abstract

The application provides a method of controlling access to a network resource in a local area network, a device, and gateway equipment. The method comprises: acquiring the client permission level and the resource permission level of a first client that initiates a resource connection request message to gateway equipment; and, if a resource permission level corresponding to the client permission level of the first client is found in a preconfigured correspondence table of client permission levels and resource permission levels, forwarding to a target server the resource connection request message initiated by the first client.

Description

Access control method, device and gateway device for intranet resources of a local area network
Technical field
The present application relates to, but is not limited to, the field of network security technologies, and in particular to an access control method, apparatus and gateway device for intranet resources of a local area network.
Background
SSL VPN refers to VPN (Virtual Private Network) technology that establishes a remote secure access channel on the basis of the SSL (Secure Sockets Layer) protocol. The SSL protocol runs at the transport layer and encrypts only the application channel between the two communicating parties, rather than the entire channel from one host to another. In communication that uses the SSL protocol, each application is an independent secure entity and can work in transparent mode on a NAT (Network Address Translation) proxy device.
In a single SSL connection between a server and a client, both parties can authenticate each other, with digital signatures implemented through asymmetric key algorithms. Because data encrypted with a private key can only be decrypted with the corresponding public key, the sender's identity can be judged by whether decryption succeeds; SSL relies on the mechanisms provided by PKI (Public Key Infrastructure) to guarantee the authenticity of the public key. In enterprise network applications, the tools provided by OpenSSL (Open Secure Sockets Layer) can be used to build the organization's own certificate system: the private keys and certificates of the server and of multiple clients are created from a root certificate, which ensures the authenticity and uniqueness of the user when a client initiates an access request.
SSL VPN network extension refers to using the SSL protocol to link together users dispersed across the wide area network by constructing a virtual local area network.
Figure 1 is a schematic diagram of the relationship between SSL VPN network extension users, the gateway device and internal resources. The user sends a request to join the local area network to the gateway device through the client; when the connection is established, the gateway device acts as the server side and authenticates the user, and if authentication succeeds it takes an available virtual LAN intranet address from the address pool and gives it to the user. Next, the running client program on the user side configures the assigned address on a local virtual Ethernet device (referred to here simply as a TUN device), while the gateway device pushes the network routes reachable in the intranet to the user. Finally, the client adds the received routes to the local routing table, at which point the user has successfully joined the virtual LAN.
The matching routing entry is found according to the network the user is accessing. If the user is accessing resources in the virtual LAN or on the gateway device's internal network, the data is sent through the TUN device. After the data is handed to the TUN device, the client encrypts it; once encryption is complete, the client program encapsulates the encrypted data in TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) packets with a specified port number, such as 1194, and sends them from the real physical network interface to the gateway device. On receiving the data, the gateway device checks whether the TCP or UDP port number is 1194; if so, the packets for that port are passed to the gateway device's VPN module for decryption, and successfully decrypted data is then sent to the gateway device's Ethernet TUN device. At this point the data sent to the TUN device is already plaintext, and it is received and passed to the protocol stack just as if it had arrived on an ordinary Ethernet device.
In practical applications it is found that, for an enterprise, internal network resources have different secrecy levels, so secure access control over users is needed, and specific resources require specific permissions before access is allowed. In the related art, when secure access control is performed, the access permission level is obtained only after the user has initiated an access to a particular resource, and whether the user has access is judged according to that level. This method is inefficient in accessing resources, and a connection must be initiated to the requested resource every time, wasting internal network resources.
In addition, when a user requests a resource and the gateway device checks the legitimacy of the user's access to it, the gateway device must perform a complex legitimacy check on the requesting user based on the user's packet information; moreover, once a resource connection has been established and the resource's permission level is dynamically changed, the already established connection cannot have its permission relationship updated in time, which is a security risk.
Summary of the invention
The following is an overview of the subject matter described in detail herein. This overview is not intended to limit the scope of protection of the claims.
The purpose of the embodiments of the present invention is to provide an access control method, device and gateway device for intranet resources of a local area network, to solve the problems in the related art that, when a user accesses internal resources of a local area network, resource access is inefficient and a security risk exists when resource permissions change dynamically.
An access control method for intranet resources of a local area network includes:
obtaining the user privilege level and the resource privilege level of a first client that initiates a resource connection request message to a gateway device; and
in a preset correspondence table of user privilege levels and resource privilege levels, if the resource privilege level corresponding to the user privilege level of the first client is found, forwarding the resource connection request message of the first client to the target server.
Optionally, obtaining the user privilege level of the first client that initiates the resource connection request message to the gateway device includes:
receiving an access connection request initiated by the first client to the gateway device, and obtaining the user privilege level of the first client from the access connection request.
Optionally, obtaining the user privilege level of the first client from the access connection request includes:
obtaining the user common name of the first client through the authentication mechanism of the Secure Sockets Layer (SSL) protocol, and authenticating the first client according to the digital certificate corresponding to the user common name;
when the first client passes authentication, assigning an intranet IP address to the first client and completing the access connection with the first client; and
according to the user common name in the access connection request, looking up the user permission list to obtain the user privilege level of the first client.
Optionally, obtaining the resource privilege level of the first client that initiates the resource connection request message to the gateway device includes:
obtaining the resource connection request message sent by the first client through the Secure Sockets Layer virtual private network (SSL VPN); and
obtaining, according to the resource connection request message, the resource privilege level corresponding to the resource connection request message.
Optionally, obtaining the resource privilege level corresponding to the resource connection request message according to the resource connection request message includes:
parsing the packet content in the resource connection request message and obtaining the resource to be connected as the first resource; and
looking up the resource permission list to obtain the resource privilege level corresponding to the first resource.
Optionally, the method further includes: after forwarding the resource connection request message of the first client to the target server, when the first client connects, according to the resource connection request message, to the first resource that the target server has allocated for that resource privilege level, saving the attribute information of the first client in the user access list of the first resource.
Optionally, the method further includes:
after the first client disconnects from the first resource, deleting the attribute information of the first client from the user access list of the first resource.
Optionally, the method further includes:
updating the user access list according to a change of the resource privilege level or of the user privilege level.
Optionally, updating the user access list according to a change of the resource privilege level includes:
after the resource privilege level is changed, looking up the user access list of the resource whose privilege level was changed, and obtaining the attribute information of the clients that are currently accessing that resource; and
in the preset correspondence table of user privilege levels and resource privilege levels, if it is found that the user privilege level of such a client does not correspond to the changed resource privilege level, sending a first reset message to that client and deleting the client's attribute information from the user access list.
Optionally, updating the user access list according to a change of the user privilege level further includes:
after the user privilege level is lowered, if the attribute information of the client whose user privilege level was lowered is present in the user access list of a resource corresponding to the privilege level held before the lowering, sending a second reset message to that client and deleting its attribute information from the user access list.
An access control device for intranet resources of a local area network includes an obtaining module and an execution processing module.
The obtaining module is configured to obtain the user privilege level and the resource privilege level of a first client that initiates a resource connection request message to a gateway device.
The execution processing module is configured to, in a preset correspondence table of user privilege levels and resource privilege levels, if the resource privilege level corresponding to the user privilege level of the first client is found, forward the resource connection request message of the first client to the target server.
Optionally, the obtaining module includes a first obtaining submodule.
The obtaining module obtaining the user privilege level of the first client that initiates the resource connection request message to the gateway device includes:
the first obtaining submodule being configured to receive an access connection request initiated by the first client to the gateway device, and to obtain the user privilege level of the first client from the access connection request.
Optionally, the first obtaining submodule includes an identity verification unit, an access connection unit and a user privilege level obtaining unit.
The first obtaining submodule obtaining the user privilege level of the first client from the access connection request includes:
the identity verification unit being configured to obtain the user common name of the first client through the authentication mechanism of the SSL protocol, and to authenticate the first client according to the digital certificate corresponding to the user common name;
the access connection unit being configured to, when the first client passes authentication, assign an intranet IP address to the first client and complete the access connection with the first client; and
the user privilege level obtaining unit being configured to look up the user permission list according to the user common name in the access connection request to obtain the user privilege level of the first client.
Optionally, the obtaining module further includes a second obtaining submodule and a third obtaining submodule.
The obtaining module obtaining the resource privilege level of the first client that initiates the resource connection request message to the gateway device includes:
the second obtaining submodule being configured to obtain the resource connection request message sent by the first client through the SSL VPN; and
the third obtaining submodule being configured to obtain, according to the resource connection request message, the resource privilege level corresponding to the resource connection request message.
Optionally, the third obtaining submodule includes a parsing processing unit and a resource privilege level obtaining unit.
The third obtaining submodule obtaining the resource privilege level corresponding to the resource connection request message according to the resource connection request message includes:
the parsing processing unit being configured to parse the packet content in the resource connection request message and obtain the resource to be connected as the first resource; and
the resource privilege level obtaining unit being configured to look up the resource permission list to obtain the resource privilege level corresponding to the first resource.
Optionally, the device further includes a first processing module.
The first processing module is configured to: after forwarding the resource connection request message of the first client to the target server, when the first client connects, according to the resource connection request message, to the first resource that the target server has allocated for that resource privilege level, save the attribute information of the first client in the user access list of the first resource.
可选地,所述装置还包括第二处理模块。Optionally, the device further comprises a second processing module.
所述第二处理模块设置为,在所述第一客户端断开与所述第一资源的连接之后,将所述第一客户端的属性信息从所述第一资源的用户访问列表中删除。The second processing module is configured to delete attribute information of the first client from a user access list of the first resource after the first client disconnects from the first resource.
可选地,所述装置还包括:访问列表更新模块。Optionally, the device further includes: an access list update module.
所述访问列表更新模块,设置为根据所述资源权限等级或所述用户权限级别的变更,进行用户访问列表更新。The access list update module is configured to perform a user access list update according to the resource authority level or the change of the user authority level.
可选地,所述访问列表更新模块包括:第四获取子模块和第一更新处理子模块。Optionally, the access list update module includes: a fourth acquisition submodule and a first update processing submodule.
所述访问列表更新模块根据所述资源权限等级的变更,进行用户访问列表更新包括:The access list update module performs user access list update according to the change of the resource permission level, including:
所述第四获取子模块设置为,在所述资源权限等级变更后,查找已被变更资源权限等级的资源的用户访问列表,获取正在访问所述已被变更资源权限等级的资源的客户端的属性信息。The fourth obtaining submodule is configured to: after the resource authority level is changed, search for a user access list of the resource whose resource authority level has been changed, and acquire an attribute of the client that is accessing the resource of the changed resource permission level. information.
所述第一更新处理子模块设置为,在所述预设的用户权限级别和资源权限等级的对应关系表中,如果查找到所述客户端的用户权限级别与变更后的资源权限等级不对应,则向所述客户端发送第一重置消息,并将所述客户端的属性信息从所述用户访问列表中删除。 The first update processing sub-module is configured to: if the user privilege level of the client does not correspond to the changed resource privilege level in the correspondence relationship table of the preset user privilege level and the resource privilege level, Sending a first reset message to the client, and deleting the attribute information of the client from the user access list.
可选地,所述访问列表更新模块还包括:第二更新处理子模块。Optionally, the access list update module further includes: a second update processing submodule.
所述访问列表更新模块根据所述用户权限级别的变更,进行用户访问列表更新还包括:The access list update module performs the user access list update according to the change of the user privilege level, and further includes:
所述第二更新处理子模块设置为,在所述用户权限级别降低后,如果已被降低用户权限级别的客户端的属性信息位于用户权限级别降低前对应的资源的用户访问列表中,则向所述已被降低用户权限级别的客户端发送第二重置消息,并将所述已被降低用户权限级别客户端的属性信息从所述用户访问列表中删除。The second update processing sub-module is configured to: after the user privilege level is lowered, if the attribute information of the client that has been reduced by the user privilege level is located in the user access list of the resource corresponding to the resource privilege level before the user privilege level is lowered, The client that has been reduced by the user privilege level sends a second reset message, and deletes the attribute information of the reduced user privilege level client from the user access list.
一种网关设备,包括如上述实施例所述的局域网内网资源的访问控制装置。A gateway device includes an access control device for intranet resources of a local area network as described in the foregoing embodiments.
一种计算机可读存储介质,存储有计算机可执行指令,所述计算机可执行指令被处理器执行时实现所述的局域网内网资源的访问控制方法。A computer readable storage medium storing computer executable instructions, the computer executable instructions being implemented by a processor to implement the access control method of the intranet resources.
本发明实施例的上述技术方案的有益效果如下:The beneficial effects of the above technical solutions of the embodiments of the present invention are as follows:
本发明实施例方案中,通过直接在网关设备上根据用户权限级别对应的资源权限等级对访问局域网内部资源的客户端进行资源访问权限的判断,并在该客户端具有资源访问权限时,将资源连接请求转发至目标服务器,提高了用户访问局域网内部资源的资源访问效率,且减轻目标服务器的处理负担,节省了内部网络资源;而且通过对权限变更的用户或资源的资源连接的立即复位,保证了资源动态变更权限时,局域网内部网络资源的数据安全。In the solution of the embodiment of the present invention, the resource access authority of the client accessing the internal resources of the local area network is determined by the resource authority level corresponding to the user authority level directly on the gateway device, and the resource is accessed when the client has the resource access right. The connection request is forwarded to the target server, which improves the resource access efficiency of the user accessing the internal resources of the local area network, reduces the processing load of the target server, and saves internal network resources; and ensures immediate resetting of the resource connection of the user or resource whose authority is changed. When the resource dynamic change permission is granted, the data security of the internal network resources of the local area network.
Brief description of the drawings
FIG. 1 is a schematic diagram of the relationship between SSL VPN network extension users, the gateway device and internal resources according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the basic steps of the access control method for local area network intranet resources according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of the access control device for local area network intranet resources according to an embodiment of the present invention;
FIG. 4 is a detailed flowchart of the access control method for local area network intranet resources according to an embodiment of the present invention.
Embodiments of the invention
Embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that, where there is no conflict, the embodiments in this application and the features in those embodiments may be combined with each other arbitrarily.
The embodiments of the present invention address two problems in the related art: when users access internal local area network resources, resource access is inefficient, and security risks arise when resource privileges are changed dynamically. They provide an access control method for local area network intranet resources that improves the efficiency of user access to internal resources, reduces the processing load on the target server, saves internal network resources, and protects the data of internal network resources when resource privileges are changed dynamically.
First embodiment
As shown in FIG. 2, an embodiment of the present invention provides an access control method for local area network intranet resources, including steps 11 and 12:
Step 11: obtain the user privilege level and the resource privilege level for the first client that initiates a resource connection request message to the gateway device.
It should be noted that the user privilege level is the privilege level of the user operating the client, and one user corresponds to one client.
Step 12: look up, in the preset correspondence table between user privilege levels and resource privilege levels, the resource privilege level corresponding to the user privilege level of the first client; if it is found, forward the resource connection request message of the first client to the target server.
In the access control method of this embodiment, the gateway device itself decides whether a client accessing internal local area network resources may access a resource, based on the resource privilege level corresponding to the client's user privilege level, and forwards the resource connection request to the target server only when the client has that access. This improves the efficiency with which users access internal local area network resources, reduces the processing load on the target server and saves internal network resources.
Optionally, obtaining, in step 11, the user privilege level of the first client that initiates the resource connection request message to the gateway device includes step 111:
Step 111: receive the access connection request initiated by the first client to the gateway device, and obtain the user privilege level of the first client from that access connection request.
It should be noted that the first client may be an SSL VPN network extension client, and the gateway device may be a virtual private network (VPN) gateway device.
Here, step 111 (receiving the access connection request initiated by the first client to the gateway device and obtaining the user privilege level of the first client from it) includes steps 1111 to 1113:
Step 1111: obtain the user common name of the first client through the authentication mechanism of the Secure Sockets Layer (SSL) protocol, and authenticate the first client against the digital certificate corresponding to that user common name.
It should be noted that the user common name is the user identifier that uniquely identifies the client, assigned when the client applies to the gateway device administrator for an account.
The digital certificate corresponding to the user common name can be obtained using the facilities provided by OpenSSL (the open-source Secure Sockets Layer toolkit), and the private key corresponding to the user common name can of course be obtained in the same way. Here the digital certificate includes the personal identity information of the client.
Step 1112: when the first client passes authentication, assign an intranet IP address to the first client, completing the access connection with the first client.
Here, when the first client passes authentication and after the intranet IP address has been assigned to it, the gateway device stores the user common name in its data area.
It should be noted that if the first client fails authentication, the gateway device directly rejects the access connection initiated by that first client. In this way the target server need not separately authenticate the client seeking access, which saves internal network resources and reduces the chance that an illegitimate client obtains data internal to the server.
Step 1113: look up the user privilege list by the user common name carried in the access connection request, and obtain the user privilege level of the first client.
It should be noted that the user privilege list is stored in advance in the gateway device and holds the user privilege levels of the different users who may access intranet resources.
Optionally, obtaining, in step 11, the resource privilege level for the first client that initiates the resource connection request message to the gateway device includes steps 112 and 113:
Step 112: obtain the resource connection request message sent by the first client over the SSL VPN (Secure Sockets Layer virtual private network).
It should be noted that the gateway device has already completed the access connection with the first client before it obtains the resource connection request.
Step 113: obtain, from the resource connection request message, the resource privilege level corresponding to that message.
It should be noted that if the gateway device cannot obtain a resource privilege level corresponding to the resource connection request message, the resource the client wants to access is not in the resource privilege list; that is, no resource privilege level has been set for it and no access privilege is required, so every authenticated client may access that resource inside the local area network.
Here, step 113 (obtaining, from the resource connection request message, the resource privilege level corresponding to it) includes steps 1131 and 1132:
Step 1131: parse the packet content of the resource connection request message and determine the resource to be connected, referred to as the first resource.
Step 1132: look up the resource privilege list and obtain the resource privilege level corresponding to the first resource.
It should be noted that the resource privilege list is stored in advance in the gateway device and holds the resource privilege levels corresponding to the different resources.
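The gateway-side decision described in steps 1111 to 1132 and step 12, written out as a stand-alone simulation. This is an added example, not code from the patent or from ZTE: the level names, the "host:port" keying of the resource privilege list, the `CONNECT host:port` request line used as the packet content of the resource connection request, and the handling of a common name that is absent from the user privilege list (treated as a rejection) are all assumptions made here. The peer certificate is represented in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns after a client-certificate handshake, which is where a real gateway would read the common name from.

```python
"""Gateway-side authorization for an SSL VPN resource connection request.

Added example. Data layouts, level names, the request line format and the
handling of unknown common names are assumptions, not taken from the patent.
"""
from typing import Optional, Tuple

# Assumed: user privilege list keyed by certificate common name (step 1113).
USER_PRIVILEGE_LIST = {"alice": "U3", "bob": "U1"}

# Assumed: resource privilege list keyed by "host:port" (step 1132).
RESOURCE_PRIVILEGE_LIST = {"10.0.0.5:443": "R3", "10.0.0.7:22": "R2"}

# Assumed: preset correspondence table, user level -> resource levels it maps to.
LEVEL_TABLE = {
    "U1": frozenset({"R1"}),
    "U2": frozenset({"R1", "R2"}),
    "U3": frozenset({"R1", "R2", "R3"}),
}


def common_name_from_peercert(peercert: dict) -> Optional[str]:
    """Pull the subject CN out of the dict shape ssl.SSLSocket.getpeercert()
    returns after a CERT_REQUIRED handshake (the SSL authentication of step
    1111). The subject is a tuple of RDNs, each a tuple of (attr, value) pairs."""
    for rdn in peercert.get("subject", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return value
    return None


def user_privilege_level(peercert: dict) -> Optional[str]:
    """Step 1113: look up the user privilege list by common name. A CN absent
    from the list yields None, which authorize() rejects (assumption)."""
    cn = common_name_from_peercert(peercert)
    return USER_PRIVILEGE_LIST.get(cn) if cn else None


def parse_resource_request(message: bytes) -> str:
    """Step 1131: parse the packet content and identify the first resource.
    Assumed message format for this example: b"CONNECT host:port\\r\\n"."""
    line = message.split(b"\r\n", 1)[0].decode("ascii")
    verb, _, target = line.partition(" ")
    host, sep, port = target.rpartition(":")
    if verb != "CONNECT" or not sep or not host or not port.isdigit():
        raise ValueError(f"malformed resource connection request: {line!r}")
    return f"{host}:{int(port)}"


def authorize(user_level: Optional[str], resource: str) -> Tuple[str, str]:
    """Step 12 plus the note after step 113: ("forward" | "reject", reason)."""
    if user_level is None:
        return "reject", "client has no user privilege level"
    resource_level = RESOURCE_PRIVILEGE_LIST.get(resource)
    if resource_level is None:
        # Not in the resource privilege list: no level set, so every
        # authenticated client may access it.
        return "forward", f"{resource} has no resource privilege level"
    if resource_level in LEVEL_TABLE.get(user_level, frozenset()):
        return "forward", f"user level {user_level} maps to resource level {resource_level}"
    return "reject", f"user level {user_level} does not map to resource level {resource_level}"


def handle_request(peercert: dict, message: bytes) -> Tuple[str, str, str]:
    """Whole path for one request: (resource, decision, reason)."""
    resource = parse_resource_request(message)
    decision, reason = authorize(user_privilege_level(peercert), resource)
    return resource, decision, reason


if __name__ == "__main__":
    # Constructed peer certificate dict and request line, for demonstration only.
    cert = {"subject": ((("countryName", "CN"),), (("commonName", "bob"),))}
    print(handle_request(cert, b"CONNECT 10.0.0.5:443\r\n"))
```

The check runs entirely on the gateway, before any packet reaches the target server, which is the point of steps 11 and 12; the target server only ever sees requests that have already passed both the certificate check and the level mapping.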
Optionally, the access control method for local area network intranet resources of this embodiment may further include step 13:
Step 13: after the resource connection request message of the first client has been forwarded to the target server, when the first client connects, according to that message, to the first resource that the target server provides for that resource privilege level, save the attribute information of the first client in the user access list of the first resource.
It should be noted that the user access list of the first resource records the clients currently accessing the first resource.
Optionally, the access control method for local area network intranet resources of this embodiment may further include step 14:
Step 14: after the first client disconnects from the first resource, delete the attribute information of the first client from the user access list of the first resource.
It should be noted that deleting the attribute information of the first client from the user access list of the first resource, that is, immediately ending the first client's connection to the target server, prevents intranet data from leaking if the user privilege level or the resource privilege level is later changed, and so protects intranet data resources.
Optionally, the access control method for local area network intranet resources of this embodiment may further include step 15:
Step 15: update the user access lists upon a change of a resource privilege level or of a user privilege level.
Here, updating the user access lists in step 15 upon a change of a resource privilege level includes steps 151 and 152:
Step 151: after a resource privilege level has changed, look up the user access list of the resource whose privilege level changed, and obtain the attribute information of each client currently accessing that resource.
Step 152: for each such client, look up the preset correspondence table between user privilege levels and resource privilege levels; if the client's user privilege level does not correspond to the changed resource privilege level, send a first reset message to the client and delete the client's attribute information from the user access list.
It should be noted that the preset correspondence table between user privilege levels and resource privilege levels may be stored in the gateway device in advance by the gateway device administrator, who assigns to each user privilege level the resource privilege levels it may access.
The two steps above show that, when a resource privilege level changes, clients whose user privilege level is no longer sufficient are deleted from the resource's user access list, so the user access list is updated promptly, intranet resource data is protected and leakage of resource data is effectively prevented.
Here, updating the user access lists in step 15 upon a change of a user privilege level further includes step 153:
Step 153: after a user privilege level has been lowered, if the attribute information of the client whose user privilege level was lowered is present in the user access list of a resource that corresponded to the level before it was lowered, send a second reset message to that client and delete the client's attribute information from that user access list.
It should be noted that in step 153, once the user privilege level has been lowered, the client whose level was lowered no longer has the privilege to access the resources that corresponded to its previous level. Deleting that client's attribute information from the access lists of those resources updates the user access lists promptly, protects intranet resource data and effectively prevents leakage of resource data.
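The bookkeeping of steps 13, 14, 151, 152 and 153, as a stand-alone simulation of per-resource user access lists with immediate revocation when a resource level or a user level changes. This is an added example, not code from the patent or from ZTE: the attribute fields kept per client (`common_name`, `intranet_ip`), the level names and the `ResetMessage` record are assumptions. It goes slightly beyond the text in one respect: for a lowered user level it recomputes each of the user's sessions against the correspondence table, so sessions on resources the new level still maps to survive, and sessions on resources with no level survive, while the patent text only describes resetting sessions on the resources tied to the previous level.

```python
"""User access lists and immediate revocation on privilege changes.

Added example. The client attribute fields, level names and reset record are
assumptions, not taken from the patent.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed preset correspondence table: user level -> resource levels it maps to.
LEVEL_TABLE = {
    "U1": frozenset({"R1"}),
    "U2": frozenset({"R1", "R2"}),
    "U3": frozenset({"R1", "R2", "R3"}),
}


@dataclass(frozen=True)
class ClientAttrs:
    """Attribute information saved in a user access list (fields assumed)."""
    common_name: str
    intranet_ip: str


@dataclass(frozen=True)
class ResetMessage:
    """A reset the gateway must deliver; in a real gateway this is where the
    forwarded connection is torn down (for example with a TCP RST)."""
    kind: str            # "first_reset" (step 152) or "second_reset" (step 153)
    client: ClientAttrs
    resource: str


class AccessListManager:
    def __init__(self, user_levels: Dict[str, str], resource_levels: Dict[str, str],
                 table: Dict[str, frozenset] = LEVEL_TABLE) -> None:
        self.user_levels = dict(user_levels)          # user privilege list
        self.resource_levels = dict(resource_levels)  # resource privilege list
        self.table = table
        # One user access list per resource, kept in connection order.
        self.access_lists: Dict[str, List[ClientAttrs]] = {}

    def _allowed(self, user_level: Optional[str], resource: str) -> bool:
        """Same rule as step 12: unlisted resources are open to any
        authenticated client, listed ones need a matching table entry."""
        level = self.resource_levels.get(resource)
        return level is None or level in self.table.get(user_level, frozenset())

    def on_connected(self, client: ClientAttrs, resource: str) -> None:
        """Step 13: the client reached the resource; record its attributes."""
        clients = self.access_lists.setdefault(resource, [])
        if client not in clients:
            clients.append(client)

    def on_disconnected(self, client: ClientAttrs, resource: str) -> None:
        """Step 14: the client disconnected; drop it from the list."""
        clients = self.access_lists.get(resource, [])
        if client in clients:
            clients.remove(client)

    def change_resource_level(self, resource: str, new_level: str) -> List[ResetMessage]:
        """Steps 151 and 152: after a resource level changes, reset every client
        on that resource whose user level no longer maps to the new level."""
        self.resource_levels[resource] = new_level
        resets: List[ResetMessage] = []
        for client in list(self.access_lists.get(resource, [])):
            if not self._allowed(self.user_levels.get(client.common_name), resource):
                resets.append(ResetMessage("first_reset", client, resource))
                self.access_lists[resource].remove(client)
        return resets

    def lower_user_level(self, common_name: str, new_level: str) -> List[ResetMessage]:
        """Step 153: after a user level is lowered, reset that user's sessions
        on every resource the new level no longer maps to."""
        self.user_levels[common_name] = new_level
        resets: List[ResetMessage] = []
        for resource, clients in self.access_lists.items():
            for client in list(clients):
                if client.common_name == common_name and not self._allowed(new_level, resource):
                    resets.append(ResetMessage("second_reset", client, resource))
                    clients.remove(client)
        return resets


if __name__ == "__main__":
    # Constructed users, resources and sessions, for demonstration only.
    mgr = AccessListManager({"alice": "U3", "bob": "U2"},
                            {"10.0.0.5:443": "R3", "10.0.0.7:22": "R2"})
    mgr.on_connected(ClientAttrs("alice", "10.8.0.2"), "10.0.0.7:22")
    mgr.on_connected(ClientAttrs("bob", "10.8.0.3"), "10.0.0.7:22")
    print(mgr.change_resource_level("10.0.0.7:22", "R3"))   # resets bob only
    print(mgr.lower_user_level("alice", "U1"))              # resets alice
```

The access lists are what make revocation immediate: without them the gateway would have to either re-check every forwarded packet or wait for the session to end, and a client whose privilege was withdrawn would keep an already established connection open.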
In the access control method of this embodiment, the gateway device itself decides whether a client accessing internal local area network resources may access a resource, based on the resource privilege level corresponding to the client's user privilege level, and forwards the resource connection request to the target server only when the client has that access. This improves the efficiency with which users access internal local area network resources, reduces the processing load on the target server and saves internal network resources. In addition, by immediately resetting the resource connections of users or resources whose privileges have changed, it protects the data of internal network resources when privileges are changed dynamically.
Second embodiment
As shown in FIG. 3, an embodiment of the present invention further provides an access control device for local area network intranet resources, including an obtaining module 21 and an execution processing module 22.
The obtaining module 21 is configured to obtain the user privilege level and the resource privilege level for the first client that initiates the resource connection request message to the gateway device.
It should be noted that the user privilege level is the privilege level of the user operating the client, and one user corresponds to one client.
The execution processing module 22 is configured to look up, in the preset correspondence table between user privilege levels and resource privilege levels, the resource privilege level corresponding to the user privilege level of the first client and, if it is found, forward the resource connection request message of the first client to the target server.
Optionally, the obtaining module 21 of this embodiment may include:
a first obtaining submodule, configured to receive the access connection request initiated by the first client to the gateway device, and to obtain the user privilege level of the first client from that access connection request.
It should be noted that the first client may be an SSL VPN network extension client, and the gateway device may be a virtual private network (VPN) gateway device.
The first obtaining submodule may include:
an identity verification unit, configured to obtain the user common name of the first client through the authentication mechanism of the Secure Sockets Layer (SSL) protocol, and to authenticate the first client against the digital certificate corresponding to that user common name;
It should be noted that the user common name is the user identifier that uniquely identifies the client, assigned when the client applies to the gateway device administrator for an account.
The digital certificate corresponding to the user common name can be obtained using the facilities provided by OpenSSL (the open-source Secure Sockets Layer toolkit), and the private key corresponding to the user common name can of course be obtained in the same way. Here the digital certificate includes the personal identity information of the client.
an access connection unit, configured to assign an intranet IP address to the first client when the first client passes authentication, completing the access connection with the first client.
Here, when the first client passes authentication and after the intranet IP address has been assigned to it, the gateway device stores the user common name in its data area.
It should be noted that if the first client fails authentication, the gateway device directly rejects the access connection initiated by that first client. In this way the target server need not separately authenticate the client seeking access, which saves internal network resources and reduces the chance that an illegitimate client obtains data internal to the server.
a user privilege level obtaining unit, configured to look up the user privilege list by the user common name carried in the access connection request and so obtain the user privilege level of the first client.
It should be noted that the user privilege list is stored in advance in the gateway device and holds the user privilege levels of the different users who may access intranet resources.
Here, the obtaining module 21 of this embodiment may further include:
a second obtaining submodule, configured to obtain the resource connection request message sent by the first client over the SSL VPN (Secure Sockets Layer virtual private network).
It should be noted that the gateway device has already completed the access connection with the first client before it obtains the resource connection request.
a third obtaining submodule, configured to obtain, from the resource connection request message, the resource privilege level corresponding to that message.
It should be noted that if the gateway device cannot obtain a resource privilege level corresponding to the resource connection request message, the resource the client wants to access is not in the resource privilege list; that is, no resource privilege level has been set for it and no access privilege is required, so every authenticated client may access that resource inside the local area network.
Here, the third obtaining submodule may include:
a parsing processing unit, configured to parse the packet content of the resource connection request message and determine the resource to be connected, referred to as the first resource.
a resource privilege level obtaining unit, configured to look up the resource privilege list and obtain the resource privilege level corresponding to the first resource.
It should be noted that the resource privilege list is stored in advance in the gateway device and holds the resource privilege levels corresponding to the different resources.
Optionally, the access control device for local area network intranet resources of this embodiment may further include:
a first processing module 23, configured to, after the resource connection request message of the first client has been forwarded to the target server and the first client has connected, according to that message, to the first resource that the target server provides for that resource privilege level, save the attribute information of the first client in the user access list of the first resource.
It should be noted that the user access list of the first resource records the clients currently accessing the first resource.
Optionally, the access control device for local area network intranet resources of this embodiment may further include:
a second processing module 24, configured to delete the attribute information of the first client from the user access list of the first resource after the first client disconnects from the first resource.
It should be noted that deleting the attribute information of the first client from the user access list of the first resource, that is, immediately ending the first client's connection to the target server, prevents intranet data from leaking if the user privilege level or the resource privilege level is later changed, and so protects intranet data resources.
Optionally, the access control device for local area network intranet resources of this embodiment may further include:
an access list update module 25, configured to update the user access lists upon a change of a resource privilege level or of a user privilege level.
Here, the access list update module 25 may include:
a fourth obtaining submodule, configured to, after a resource privilege level has changed, look up the user access list of the resource whose privilege level changed and obtain the attribute information of each client currently accessing that resource.
a first update processing submodule, configured to look up, for each such client, the preset correspondence table between user privilege levels and resource privilege levels; if the client's user privilege level does not correspond to the changed resource privilege level, it sends a first reset message to the client and deletes the client's attribute information from the user access list.
It should be noted that the preset correspondence table between user privilege levels and resource privilege levels may be stored in the gateway device in advance by the gateway device administrator, who assigns to each user privilege level the resource privilege levels it may access.
Here, the processing performed by the fourth obtaining submodule and the first update processing submodule shows that, when a resource privilege level changes, clients whose user privilege level is no longer sufficient are deleted from the resource's user access list, so the user access list is updated promptly, intranet resource data is protected and leakage of resource data is effectively prevented.
这里,所述访问列表更新模块25还可包括:Here, the access list update module 25 may further include:
第二更新处理子模块,设置为在所述用户权限级别降低后,如果所述已被降低用户权限级别的客户端的属性信息位于用户权限级别降低前对应的资源的用户访问列表中,则向所述已被降低用户权限级别的客户端发送第二重置消息,并将所述已被降低用户权限级别客户端的属性信息从所述用户访问列表中删除。a second update processing sub-module, configured to: after the user privilege level is lowered, if the attribute information of the client that has been reduced by the privilege level is located in a user access list of a resource corresponding to the privilege level before the user privilege level is lowered, The client that has been reduced by the user privilege level sends a second reset message, and deletes the attribute information of the reduced user privilege level client from the user access list.
需说明的是,所述第二更新处理子模块在所述用户权限级别降低后,已被降低用户权限级别客户端则不再具有访问用户权限级别降低前对应的资源的权限,通过将已被降低用户权限级别客户端的属性信息从用户权限级别降 低前对应的资源的访问列表中删除,实现了用户访问列表的及时更新,保证了内网资源数据的安全,有效防止资源数据的泄露。It should be noted that, after the user privilege level is lowered, the second update processing sub-module does not have the privilege of accessing the corresponding resource before the user privilege level is lowered, and the Reduce the user privilege level of the client's attribute information from the user privilege level The deletion of the access list of the corresponding resource in the lower part realizes the timely update of the user access list, ensures the security of the intranet resource data, and effectively prevents the leakage of resource data.
本发明实施例还提供一种网关设备,包括第二实施例中所述的局域网内网资源的访问控制装置。The embodiment of the invention further provides a gateway device, which comprises the access control device for the intranet resources of the local area network described in the second embodiment.
本发明实施例的局域网内网资源的访问控制装置,通过直接在网关设备中的执行处理模块上根据用户权限级别对应的资源权限等级对访问局域网内部资源的客户端进行资源访问权限的判断,并在该客户端具有资源访问权限时,将资源连接请求转发至目标服务器,提高了用户访问局域网内部资源的资源访问效率,且减轻目标服务器的处理负担,节省了内部网络资源;而且网关设备中的访问列表更新模块通过对权限变更的用户或资源的资源连接的立即复位,保证了资源动态变更权限时,局域网内部网络资源的数据安全。The access control device for the intranet resources of the local area network in the embodiment of the present invention determines the resource access authority of the client accessing the internal resources of the local area network according to the resource authority level corresponding to the user authority level directly on the execution processing module in the gateway device, and When the client has the resource access right, the resource connection request is forwarded to the target server, which improves the resource access efficiency of the user accessing the internal resources of the local area network, reduces the processing load of the target server, and saves internal network resources; and the gateway device The access list update module ensures the data security of the internal network resources of the local area network when the resources are dynamically changed by the immediate reset of the resource connection of the user or resource whose authority is changed.
Third embodiment
FIG. 4 is a schematic flowchart of the access control method for LAN intranet resources according to an embodiment of the invention; the process by which a user terminal accesses LAN intranet resources is described below with reference to that figure.
Here, the user terminal is the client described in the first and second embodiments.
Step 301: the gateway device receives an access connection request from a user.
Here, the user's access connection request message is sent to the gateway device over an encrypted tunnel established with the SSL protocol.
Step 302: the gateway device verifies whether the user identity is legitimate.
If the gateway device verifies that the user identity is legitimate, step 303 is executed; if the user identity is not legitimate, the process ends and the access connection is dropped.
Note that the legitimacy of the user identity can be verified by obtaining the user's common name through the authentication mechanism of the SSL protocol and authenticating the user against the digital certificate that the gateway device holds for that common name.
Once verification passes, an intranet IP address is assigned to the user and the access connection request is completed, which means the user can now reach the LAN's internal resources.
Step 303: record the user common name and obtain the user privilege level.
Here, the user's privilege level can be looked up by common name in the user privilege list held in the gateway device.
Step 304: the gateway device obtains the resource permission level of the resource the user wants to access.
Here, the gateway device first receives the resource connection request sent by the user, determines from that request which resource the user wants to access, and looks up the permission level of that resource in the resource permission list held in the gateway device.
Step 305: the gateway device determines whether the user is authorized to access the resource.
If the gateway device determines that the user is authorized to access the resource, step 306 is executed; if the user is not authorized, the process ends.
Note that in this step the gateway device checks whether the resource permission level corresponding to the user's privilege level is higher than or equal to the permission level of the requested resource; if it is, the user is authorized to access the resource.
Step 306: the gateway device forwards the user's resource connection request to the target server.
Here, because the user's resource access authorization is decided directly on the gateway device, users reach LAN internal resources more efficiently, the target server's processing burden is reduced, and internal network resources are conserved.
Step 307: the user connects to and obtains the requested resource.
Step 308: the gateway device disconnects and deletes the user's access record from the resource's user access list.
Note that deleting the user's access record from the resource's user access list prevents intranet data from leaking if the user privilege level or the resource permission level is changed later, which secures the intranet data resources; it also makes it straightforward to update the user access list promptly when a user privilege level or resource permission level changes.
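The admission check of steps 303 to 306 and the two revocation paths of the access list update module described in the second embodiment (the first update processing submodule for a changed resource permission level, the second for a lowered user privilege level) together form one small policy engine. The following is an added example written for this page, not code from the patent or from its assignee; it models that engine in memory in Python. The level names, resource names, intranet IP addresses, the numeric ordering of levels in the correspondence table, and the result strings FORWARD and DENY are assumptions, and reset messages are recorded in a list instead of being sent to the client.

```python
"""In-memory model of the gateway-side access control flow described above.

Constructed example, not code from the patent. Level names, resource names,
IP addresses and the numeric ordering of levels are assumed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ClientAttrs:
    """Attribute information recorded in a resource's user access list."""
    common_name: str   # CN taken from the client certificate (steps 302/303)
    intranet_ip: str   # intranet IP assigned after authentication (assumed format)


@dataclass
class Gateway:
    # Preset correspondence table kept by the administrator:
    # user privilege level -> resource permission level it may reach (assumed numeric).
    level_map: dict
    # Resource permission list: resource -> resource permission level.
    resource_levels: dict
    # User privilege list: certificate common name -> user privilege level.
    user_levels: dict
    # User access list per resource: resource -> set of ClientAttrs currently connected.
    access_lists: dict = field(default_factory=dict)
    # Reset messages the gateway would send; recorded here instead of transmitted.
    reset_log: list = field(default_factory=list)

    def _allowed(self, user_level, resource_level):
        # Step 305: the level mapped to the user's privilege level must be >= the
        # resource's level. Unknown levels map to -1 so the check fails closed.
        return self.level_map.get(user_level, -1) >= resource_level

    def authorize(self, cn, resource):
        """Steps 303-305: look up both levels and decide whether to forward (step 306)."""
        if cn not in self.user_levels or resource not in self.resource_levels:
            return False
        return self._allowed(self.user_levels[cn], self.resource_levels[resource])

    def connect(self, cn, intranet_ip, resource):
        """Steps 305-307: decide, then record the client in the resource's access list."""
        if not self.authorize(cn, resource):
            return "DENY"
        self.access_lists.setdefault(resource, set()).add(ClientAttrs(cn, intranet_ip))
        return "FORWARD"

    def disconnect(self, cn, resource):
        """Step 308: drop the client's entry once its connection is torn down."""
        entries = self.access_lists.get(resource, set())
        self.access_lists[resource] = {a for a in entries if a.common_name != cn}

    def _reset(self, kind, attrs, resource):
        # Reset message first, then removal from the list. A real gateway must also
        # tear down the forwarded connection, otherwise the list is only bookkeeping.
        self.reset_log.append((kind, attrs.common_name, resource))
        self.access_lists[resource].discard(attrs)

    def change_resource_level(self, resource, new_level):
        """Fourth acquisition and first update processing submodules: re-check every
        client on the changed resource and evict those whose level no longer suffices."""
        self.resource_levels[resource] = new_level
        for attrs in list(self.access_lists.get(resource, ())):
            if not self._allowed(self.user_levels.get(attrs.common_name), new_level):
                self._reset("first_reset", attrs, resource)

    def lower_user_level(self, cn, new_level):
        """Second update processing submodule: evict the user from every resource
        its previous level could reach but its new level cannot."""
        self.user_levels[cn] = new_level
        for resource, entries in self.access_lists.items():
            for attrs in list(entries):
                if attrs.common_name == cn and not self._allowed(new_level, self.resource_levels[resource]):
                    self._reset("second_reset", attrs, resource)


def scenario():
    """Walk the flow of FIG. 4 plus both revocation paths; returns the gateway state."""
    gw = Gateway(
        level_map={"guest": 1, "staff": 2, "admin": 3},
        resource_levels={"wiki": 1, "hr-db": 2, "pki-ca": 3},
        user_levels={"alice": "admin", "bob": "staff"},
    )
    gw.connect("bob", "10.8.0.2", "hr-db")      # FORWARD: staff (2) >= hr-db (2)
    gw.connect("bob", "10.8.0.2", "pki-ca")     # DENY: staff (2) < pki-ca (3)
    gw.connect("alice", "10.8.0.3", "hr-db")    # FORWARD: admin (3) >= hr-db (2)
    gw.connect("mallory", "10.8.0.9", "wiki")   # DENY: not in the user privilege list
    gw.change_resource_level("hr-db", 3)        # bob is reset, alice stays
    gw.lower_user_level("alice", "guest")       # alice is now reset from hr-db as well
    return gw


if __name__ == "__main__":
    state = scenario()
    print(state.reset_log)
    print({r: sorted(a.common_name for a in e) for r, e in state.access_lists.items()})
```

The check fails closed for a common name that is missing from the user privilege list or a resource that is missing from the resource permission list. Deleting an entry from the user access list is only bookkeeping: as the description requires, the gateway has to tear down the forwarded connection when it sends the reset message, or the stale session keeps flowing after the permission change.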
The access control method for LAN intranet resources in this embodiment decides, directly on the gateway device, whether a client accessing LAN internal resources is authorized, based on the resource permission level that corresponds to the client's user privilege level, and forwards the resource connection request to the target server only when the client is authorized. This improves the efficiency with which users access LAN internal resources, relieves the target server of the processing burden, and conserves internal network resources. Furthermore, immediately resetting the resource connections of users or resources whose permissions have changed keeps the data of the LAN's internal network resources secure when permissions change dynamically.
A computer-readable storage medium stores computer-executable instructions which, when executed by a processor, implement the access control method for LAN intranet resources described above.
A person of ordinary skill in the art will understand that all or some of the steps of the above embodiments can be implemented as a computer program flow. The computer program may be stored in a computer-readable storage medium and executed on a corresponding hardware platform (such as a system, device, apparatus or component), and when executed includes one of the steps of the method embodiments or a combination of them.
Optionally, all or some of the steps of the above embodiments may also be implemented with integrated circuits; these steps may each be fabricated as a separate integrated circuit module, or several of the modules or steps may be fabricated as a single integrated circuit module.
The apparatus, functional modules and functional units in the above embodiments may be implemented with general-purpose computing devices, either concentrated on a single computing device or distributed over a network formed by multiple computing devices.
When the apparatus, functional modules or functional units in the above embodiments are implemented as software functional modules and sold or used as an independent product, they may be stored in a computer-readable storage medium. The computer-readable storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like.
Industrial applicability
In the solution of the embodiments of the invention, whether a client accessing LAN internal resources is authorized is decided directly on the gateway device, based on the resource permission level that corresponds to the client's user privilege level, and the resource connection request is forwarded to the target server only when the client is authorized. This improves the efficiency with which users access LAN internal resources, relieves the target server of the processing burden, and conserves internal network resources. Furthermore, immediately resetting the resource connections of users or resources whose permissions have changed keeps the data of the LAN's internal network resources secure when permissions change dynamically.

Claims (22)

  1. An access control method for LAN intranet resources, comprising:
    obtaining the user privilege level and the resource permission level of a first client that sends a resource connection request message to a gateway device; and
    if, in a preset correspondence table between user privilege levels and resource permission levels, a resource permission level corresponding to the user privilege level of the first client is found, forwarding the resource connection request message of the first client to a target server.
  2. The access control method for LAN intranet resources according to claim 1, wherein obtaining the user privilege level of the first client that sends the resource connection request message to the gateway device comprises:
    receiving an access connection request sent by the first client to the gateway device, and obtaining the user privilege level of the first client from the access connection request.
  3. The access control method for LAN intranet resources according to claim 2, wherein obtaining the user privilege level of the first client from the access connection request comprises:
    obtaining the user common name of the first client through the authentication mechanism of the Secure Sockets Layer (SSL) protocol, and authenticating the first client against the digital certificate corresponding to that user common name;
    when the first client passes authentication, assigning an intranet IP address to the first client and completing the access connection with the first client; and
    looking up a user privilege list by the user common name in the access connection request to obtain the user privilege level of the first client.
  4. The access control method for LAN intranet resources according to claim 1, wherein obtaining the resource permission level of the first client that sends the resource connection request message to the gateway device comprises:
    obtaining the resource connection request message sent by the first client over a Secure Sockets Layer virtual private network (SSL VPN); and
    obtaining, from the resource connection request message, the resource permission level corresponding to that message.
  5. The access control method for LAN intranet resources according to claim 4, wherein obtaining, from the resource connection request message, the resource permission level corresponding to that message comprises:
    parsing the packet content of the resource connection request message to identify the resource to be connected to as a first resource; and
    looking up a resource permission list to obtain the resource permission level corresponding to the first resource.
  6. The access control method for LAN intranet resources according to claim 1, further comprising: after forwarding the resource connection request message of the first client to the target server, when the first client, in accordance with the resource connection request message, connects to a first resource that the target server has allocated for the resource permission level, saving attribute information of the first client into a user access list of the first resource.
  7. The access control method for LAN intranet resources according to claim 6, further comprising:
    after the first client disconnects from the first resource, deleting the attribute information of the first client from the user access list of the first resource.
  8. The access control method for LAN intranet resources according to claim 6 or 7, further comprising:
    updating the user access list in response to a change of the resource permission level or of the user privilege level.
  9. The access control method for LAN intranet resources according to claim 8, wherein updating the user access list in response to a change of the resource permission level comprises:
    after the resource permission level changes, looking up the user access list of the resource whose resource permission level was changed, and obtaining attribute information of the clients accessing that resource; and
    if, in the preset correspondence table between user privilege levels and resource permission levels, the user privilege level of such a client is found not to correspond to the changed resource permission level, sending a first reset message to that client and deleting the client's attribute information from the user access list.
  10. The access control method for LAN intranet resources according to claim 8, wherein updating the user access list in response to a change of the user privilege level further comprises:
    after the user privilege level is lowered, if the attribute information of the client whose user privilege level was lowered is present in the user access list of a resource that corresponded to its user privilege level before the reduction, sending a second reset message to that client and deleting its attribute information from that user access list.
  11. An access control apparatus for LAN intranet resources, comprising an acquisition module and an execution processing module, wherein:
    the acquisition module is configured to obtain the user privilege level and the resource permission level of a first client that sends a resource connection request message to a gateway device; and
    the execution processing module is configured to, if a resource permission level corresponding to the user privilege level of the first client is found in a preset correspondence table between user privilege levels and resource permission levels, forward the resource connection request message of the first client to a target server.
  12. The access control apparatus for LAN intranet resources according to claim 11, wherein the acquisition module comprises a first acquisition submodule, and
    the acquisition module obtaining the user privilege level of the first client that sends the resource connection request message to the gateway device comprises:
    the first acquisition submodule being configured to receive an access connection request sent by the first client to the gateway device and to obtain the user privilege level of the first client from the access connection request.
  13. The access control apparatus for LAN intranet resources according to claim 12, wherein the first acquisition submodule comprises an authentication unit, an access connection unit and a user privilege level acquisition unit, and
    the first acquisition submodule obtaining the user privilege level of the first client from the access connection request comprises:
    the authentication unit being configured to obtain the user common name of the first client through the authentication mechanism of the Secure Sockets Layer (SSL) protocol, and to authenticate the first client against the digital certificate corresponding to that user common name;
    the access connection unit being configured to, when the first client passes authentication, assign an intranet IP address to the first client and complete the access connection with the first client; and
    the user privilege level acquisition unit being configured to look up a user privilege list by the user common name in the access connection request to obtain the user privilege level of the first client.
  14. The access control apparatus for LAN intranet resources according to claim 11, wherein the acquisition module further comprises a second acquisition submodule and a third acquisition submodule, and
    the acquisition module obtaining the resource permission level of the first client that sends the resource connection request message to the gateway device comprises:
    the second acquisition submodule being configured to obtain the resource connection request message sent by the first client over a Secure Sockets Layer virtual private network (SSL VPN); and
    the third acquisition submodule being configured to obtain, from the resource connection request message, the resource permission level corresponding to that message.
  15. The access control apparatus for LAN intranet resources according to claim 14, wherein the third acquisition submodule comprises a parsing processing unit and a resource permission level acquisition unit, and
    the third acquisition submodule obtaining, from the resource connection request message, the resource permission level corresponding to that message comprises:
    the parsing processing unit being configured to parse the packet content of the resource connection request message to identify the resource to be connected to as a first resource; and
    the resource permission level acquisition unit being configured to look up a resource permission list to obtain the resource permission level corresponding to the first resource.
  16. The access control apparatus for LAN intranet resources according to claim 11, further comprising a first processing module,
    the first processing module being configured to: after the resource connection request message of the first client is forwarded to the target server, when the first client, in accordance with the resource connection request message, connects to a first resource that the target server has allocated for the resource permission level, save attribute information of the first client into a user access list of the first resource.
  17. The access control apparatus for LAN intranet resources according to claim 16, further comprising a second processing module,
    the second processing module being configured to delete the attribute information of the first client from the user access list of the first resource after the first client disconnects from the first resource.
  18. The access control apparatus for LAN intranet resources according to claim 16 or 17, further comprising an access list update module,
    the access list update module being configured to update the user access list in response to a change of the resource permission level or of the user privilege level.
  19. The access control apparatus for LAN intranet resources according to claim 18, wherein the access list update module comprises a fourth acquisition submodule and a first update processing submodule, and
    the access list update module updating the user access list in response to a change of the resource permission level comprises:
    the fourth acquisition submodule being configured to, after the resource permission level changes, look up the user access list of the resource whose resource permission level was changed and obtain attribute information of the clients accessing that resource; and
    the first update processing submodule being configured to, if, in the preset correspondence table between user privilege levels and resource permission levels, the user privilege level of such a client is found not to correspond to the changed resource permission level, send a first reset message to that client and delete the client's attribute information from the user access list.
  20. The access control apparatus for LAN intranet resources according to claim 18, wherein the access list update module further comprises a second update processing submodule, and
    the access list update module updating the user access list in response to a change of the user privilege level further comprises:
    the second update processing submodule being configured to, after the user privilege level is lowered, if the attribute information of the client whose user privilege level was lowered is present in the user access list of a resource that corresponded to its user privilege level before the reduction, send a second reset message to that client and delete its attribute information from that user access list.
  21. A gateway device comprising the access control apparatus for LAN intranet resources according to any one of claims 11 to 20.
  22. A computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the access control method for LAN intranet resources according to any one of claims 1 to 10.
PCT/CN2016/086270 2016-03-25 2016-06-17 Method of controlling access to network resource in local area network, device, and gateway equipment WO2017161706A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610176642.6 2016-03-25
CN201610176642.6A CN107231336A (en) 2016-03-25 2016-03-25 A kind of access control method, device and the gateway device of LAN Intranet resource

Publications (1)

Publication Number Publication Date
WO2017161706A1 true WO2017161706A1 (en) 2017-09-28

Family

ID=59899366

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/086270 WO2017161706A1 (en) 2016-03-25 2016-06-17 Method of controlling access to network resource in local area network, device, and gateway equipment

Country Status (2)

Country Link
CN (1) CN107231336A (en)
WO (1) WO2017161706A1 (en)

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110233814B (en) * 2018-03-05 2022-05-17 上海可鲁系统软件有限公司 Intelligent virtual private network system for industrial Internet of things
CN109379383B (en) * 2018-12-10 2021-01-26 杭州迪普科技股份有限公司 Virtual private network VPN client and implementation method
CN109995792B (en) * 2019-04-11 2021-08-31 苏州浪潮智能科技有限公司 Safety management system of storage equipment
CN112115503A (en) * 2019-06-20 2020-12-22 北京金奔腾汽车科技有限公司 User authority access control method for automobile diagnosis system
CN110866228A (en) * 2019-10-17 2020-03-06 北京旷视科技有限公司 Data information authority management method, device and system for data issue
CN111431928A (en) * 2020-04-07 2020-07-17 国电南瑞科技股份有限公司 VPN-based intelligent substation network security management method and system
CN114338060A (en) * 2020-09-28 2022-04-12 北京金山云网络技术有限公司 Authority verification method, device, system, equipment and storage medium
CN112182788B (en) * 2020-11-03 2023-05-02 智慧航海(青岛)科技有限公司 Resource allocation method based on virtual simulation test platform
CN112910906B (en) * 2021-02-08 2022-10-14 北京小米移动软件有限公司 Data access method and device, mobile terminal and storage medium
CN113162985B (en) * 2021-03-25 2022-11-25 北京赛博云睿智能科技有限公司 Edge resource lightweight containerization integration and hierarchical domain sharing method and system
CN113225409A (en) * 2021-05-27 2021-08-06 北京天融信网络安全技术有限公司 NAT load balancing access method, device and storage medium
CN113347072B (en) * 2021-06-23 2022-12-13 北京天融信网络安全技术有限公司 VPN resource access method, device, electronic equipment and medium
CN114006739A (en) * 2021-10-25 2022-02-01 恒安嘉新(北京)科技股份公司 Resource request processing method, device, equipment and storage medium
CN114244569B (en) * 2021-11-18 2024-04-09 广东电网有限责任公司 SSL VPN remote access method, system and computer equipment
CN116827586A (en) * 2023-03-07 2023-09-29 北京火山引擎科技有限公司 Network authentication method, device, storage medium and electronic equipment
CN116545978A (en) * 2023-05-16 2023-08-04 深圳市石犀科技有限公司 Data processing method, device and system, readable storage medium and import network card

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1719813A (en) * 2004-07-09 2006-01-11 威达电股份有限公司 Safety gateway with SSL protection function and method
CN101072108A (en) * 2007-07-17 2007-11-14 杭州华三通信技术有限公司 SSL VPN client end safety inspection method, system and device
CN101989974A (en) * 2009-08-04 2011-03-23 西安交大捷普网络科技有限公司 Safety control method for intranet WEB access of security socket layer virtual private network (SSL VPN)
WO2014059604A1 (en) * 2012-10-16 2014-04-24 华为技术有限公司 Method and device for secure access to resource

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080034420A1 (en) * 2006-08-01 2008-02-07 Array Networks, Inc. System and method of portal customization for a virtual private network device
CN101415009A (en) * 2008-11-21 2009-04-22 中兴通讯股份有限公司 Management method and system for multi-user authority of communication system
CN101964800B (en) * 2010-10-21 2015-04-22 神州数码网络(北京)有限公司 Method for authenticating digital certificate user in SSL VPN
CN103200196B (en) * 2013-04-01 2016-08-03 天脉聚源(北京)传媒科技有限公司 A kind of access method, system and device between subscriber equipment and access target
CN103427995B (en) * 2013-08-02 2017-01-25 北京星网锐捷网络技术有限公司 User authentication method, SSL (security socket layer) VPN (virtual private network) server and SSL VPN system
CN104333553A (en) * 2014-11-11 2015-02-04 安徽四创电子股份有限公司 Mass data authority control strategy based on combination of blacklist and whitelist

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108492868A (en) * 2018-03-06 2018-09-04 上海京颐科技股份有限公司 Medical mobile terminal and its function module control method, device, storage medium
CN110365778A (en) * 2019-07-17 2019-10-22 腾讯科技(深圳)有限公司 A kind of method, apparatus of communication control, electronic equipment and storage medium
CN110365778B (en) * 2019-07-17 2021-09-07 腾讯科技(深圳)有限公司 Communication control method and device, electronic equipment and storage medium
CN111079104A (en) * 2019-11-21 2020-04-28 腾讯科技(深圳)有限公司 Authority control method, device, equipment and storage medium
CN111459769A (en) * 2020-03-31 2020-07-28 贵州电网有限责任公司 Data display method and system for network resources
CN113364800A (en) * 2021-06-23 2021-09-07 北京天融信网络安全技术有限公司 Resource access control method, device, electronic equipment and medium

Also Published As

Publication number Publication date
CN107231336A (en) 2017-10-03

Similar Documents

Publication Publication Date Title
WO2017161706A1 (en) Method of controlling access to network resource in local area network, device, and gateway equipment
US11399044B2 (en) System and method for connecting a communication to a client
US9356928B2 (en) Mechanisms to use network session identifiers for software-as-a-service authentication
US8549300B1 (en) Virtual single sign-on for certificate-protected resources
US9525666B2 (en) Methods and systems for managing concurrent unsecured and cryptographically secure communications across unsecured networks
US10776489B2 (en) Methods and systems for providing and controlling cryptographic secure communications terminal operable to provide a plurality of desktop environments
US20080022392A1 (en) Resolution of attribute overlap on authentication, authorization, and accounting servers
US20060174120A1 (en) System and method for providing peer-to-peer communication
US8402511B2 (en) LDAPI communication across OS instances
US20210144015A1 (en) Accessing hosts in a computer network
JP7109909B2 (en) Authentication of users in computer networks
US9942200B1 (en) End user authentication using a virtual private network
US20180375648A1 (en) Systems and methods for data encryption for cloud services
JP2022533890A (en) Computing system and method for providing session access based on authentication tokens with different authentication credentials
JP2009163546A (en) Gateway, repeating method and program
US20150249639A1 (en) Method and devices for registering a client to a server
US10218704B2 (en) Resource access control using named capabilities
US10079812B1 (en) Secure content storage by customer-premises equipment
WO2016082363A1 (en) User data management method and apparatus
JP4878043B2 (en) Access control system, connection control device, and connection control method

Legal Events

Date Code Title Description
NENP Non-entry into the national phase. Ref country code: DE
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 16895058; Country of ref document: EP; Kind code of ref document: A1
122 Ep: pct application non-entry in european phase. Ref document number: 16895058; Country of ref document: EP; Kind code of ref document: A1