WO2023116791A1 - Access control method, access control system, terminal and storage medium - Google Patents

Access control method, access control system, terminal and storage medium

Info

Publication number
WO2023116791A1
Authority
WO
WIPO (PCT)
Prior art keywords
access control
terminal
control rule
access
target server
Application number
PCT/CN2022/140814
Other languages
English (en)
French (fr)
Inventor
董路明
竹勇
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F 21/44 Program or device authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L 9/40 Network security protocols

Definitions

  • The present disclosure relates to the technical field of zero trust, and in particular to an access control method, an access control system, a terminal and a storage medium.
  • The Software Defined Perimeter (SDP) security model of Zero Trust differs from the traditional network access control model.
  • Network stealth technology is used so that the connection is made only after authentication, and the service port is not directly exposed to the Internet.
  • SDP has moved from the traditional network-centric model to identity-centric, least-privilege access control. Through network stealth technology it does not distinguish between internal and external networks, ensuring that only legitimate identities, terminals and network environments can gain access.
  • Single Packet Authorization (SPA for short).
  • SPA is the core network security protocol for realizing SDP network stealth. It verifies the identity of the device and user before allowing access to the network where the controller, gateway and other related system components are located, realizing the zero-trust security model concept of "authenticate first, then connect".
  • When a terminal application initiates a network access request, it triggers the construction and sending of an SPA message. After receiving the SPA message, the SDP policy controller performs authentication and authorization and notifies the network firewall to open the corresponding service, that is, to create an access control filter rule that admits the application to the network service.
  • When the corresponding access control filter rules are closed, since neither the SDP policy controller nor the network firewall can grasp the precise status of the subsequent access session connection, they can only defer the closing by a preset timeout threshold, thereby controlling the duration of the service exposure time window.
  • The service exposure time window is difficult to determine: if the window is too short, it times out and closes before a legitimate user can establish a session connection, affecting normal access; if it is too long, it leaves an attacker enough time to probe and attack.
  • The main purpose of the embodiments of the present disclosure is to provide an access control method, an access control system, a terminal and a storage medium that monitor and sense the real status of remote access at the terminal, synchronously adjust the access control of the network firewall according to the access status on the terminal side, and realize strict protection of network access by the network firewall throughout the entire life cycle of remote access.
  • An embodiment of the present disclosure provides an access control method applied to a terminal, including:
  • when initiating access to the target server, sending a single-packet authorization authentication message to the policy controller, so that the policy controller notifies the network firewall to generate a first access control rule according to the verification result of the single-packet authorization authentication message; wherein the first access control rule is used for the target server to expose a service port to the terminal;
  • An embodiment of the present disclosure further provides an access control method applied to an access control system, where the access control system includes a terminal, a policy controller, a network firewall and a target server; the access control method includes:
  • the policy controller notifies the network firewall to generate a first access control rule according to the verification result of the single-packet authorization authentication message; wherein the first access control rule is used for the target server to expose a service port;
  • the terminal establishes a session connection with the target server based on the first access control rule, and sends a connection establishment notification message to the policy controller;
  • the policy controller notifies the network firewall to generate a second access control rule and delete the first access control rule; wherein the second access control rule is used by the target server to perform admission management on the application of the terminal.
  • An embodiment of the present disclosure further provides a terminal, which includes a processor, a memory, a computer program stored in the memory and executable by the processor, and a data bus for realizing connection and communication between the processor and the memory, wherein when the computer program is executed by the processor, the steps of any of the access control methods applied to a terminal provided in this disclosure are realized.
  • An embodiment of the present disclosure further provides an access control system, which includes a terminal, a policy controller, a network firewall and a target server; the terminal, the policy controller, the network firewall and the target server are used to jointly execute the steps of any access control method applied to an access control system as provided in this disclosure.
  • The embodiments of the present disclosure further provide a storage medium for computer-readable storage, wherein the storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to implement the steps of any one of the access control methods provided in this disclosure.
  • FIG. 1 is a schematic block diagram of an access control system provided by an embodiment of the present disclosure;
  • FIG. 2 is a schematic flowchart of an access control method provided by an embodiment of the present disclosure;
  • FIG. 3 is a flow chart of the scenario in which an access control system implements an access control method according to an embodiment of the present disclosure;
  • FIG. 4 is a schematic block diagram of another access control system provided by an embodiment of the present disclosure;
  • FIG. 5 is a schematic flowchart of an access control method applied to a terminal provided by an embodiment of the present disclosure;
  • FIG. 6 is a schematic diagram of the scene in which the access control system of FIG. 4 implements the access control method;
  • FIG. 7 is a schematic diagram of a scene in which a general-purpose terminal applies the access control method in remote secure access according to Embodiment 1;
  • FIG. 8 is a schematic diagram of a scenario in which an embedded terminal applies the access control method in remote secure access according to Embodiment 2;
  • FIG. 9 is a schematic structural block diagram of a terminal provided by an embodiment of the present disclosure.
  • Traditional network access control is to access first and then authenticate. Because the network service port is directly exposed to the Internet, it is easy to suffer security attacks, resulting in various security threats.
  • Network stealth technology is used to realize authentication first and connection second, so that the service port is not directly exposed to the Internet.
  • An SPA packet carries the connection request information, including the requester's IP address, encrypted and authenticated in a single network packet; the protected network service is made invisible to the outside world by configuring a default-discard firewall policy.
  • The purpose of SPA is to let network services be hidden behind firewalls that discard any probe and access packets by default, thus giving a potential attacker no information about whether a service port is being listened on.
  • The terminal application should initiate a connection to the exposed network service and establish a session link. After that, the network firewall should adjust the access rules, close the exposed service port, and admit only the established session connection.
  • The business packets carried by the session connection still have to pass through the network firewall to reach the network service. Based on the concept of zero trust, the firewall should only allow packets belonging to legitimate session connections to pass, and discard other illegal packets.
  • The SDP security framework does not regulate the access control of session connections. How to automatically and accurately realize access control of session connections on the network firewall is a problem to be solved.
  • An existing technical solution proposes monitoring the data packets received on the network service side to determine whether the subsequent session connection has been established, and if so, triggering the network firewall to adjust the access rules and close the exposed service port, so that the network service can quickly return to the stealth state.
  • This solution only addresses the inaccuracy of the service exposure time; it cannot solve the problem of firewall access control for subsequent session connection packets, such as:
  • connection control packets, such as TCP SYN packets;
  • replay packets constructed by external attackers through the network.
  • Embodiments of the present disclosure provide an access control method, an access control system, a terminal, and a storage medium.
  • The access control method can be applied to mobile terminals, which may be electronic devices such as mobile phones, tablet computers, notebook computers, desktop computers, personal digital assistants and wearable devices.
  • The access control system provided by the embodiment of the present disclosure is introduced first.
  • The present disclosure applies to access control processing for terminal applications that remotely access network servers, in the scenario of remote secure access services provided on the basis of the SDP security framework.
  • FIG. 1 is a schematic block diagram of an access control system provided by an embodiment of the present disclosure.
  • The access control system specifically includes: a terminal, a policy controller, a network firewall, and a target server.
  • When the terminal needs to access the target server, it first sends a request to the policy controller. The policy controller issues instructions such as creation and deletion of access control rules to the network firewall according to the authentication result of the terminal's request, triggering the network firewall to adjust its access rules for data packets, and the terminal then establishes a session connection with the target server according to the network firewall's access control rules.
  • FIG. 2 is a schematic flow chart of an access control method applied to the above-mentioned access control system provided by an embodiment of the present disclosure, specifically including steps S101 to S104.
  • FIG. 3 is a schematic diagram of a scene in which an access control system provided by an embodiment of the present disclosure implements an access control method.
  • The terminal sends an SPA message to the SDP policy controller.
  • The policy controller notifies the network firewall to generate a first access control rule according to the verification result of the single-packet authorization authentication message; wherein the first access control rule is used by the target server to expose the service port to the terminal;
  • After receiving the SPA message, the SDP policy controller authenticates it. If authentication passes, it authorizes the request and, based on the authorization result, notifies the network firewall of the target server to create an access control rule (ACL RULE) keyed on the source IP address of the terminal (optional) + the IP address of the target server + the target service port + the protocol type. This rule allows the target server to expose the service port to the terminal, and is called the first access control rule here.
  • ACL RULE: access control rule.
  • The first access control rule is a triplet or a quadruple. In the triplet scenario, only packets that match the IP address of the target server + the target service port + the protocol type are admitted, with no restriction on the source port or the source IP address of the terminal; in the quadruple scenario, only packets that match the source IP address of the terminal + the IP address of the target server + the target service port + the protocol type are admitted, with no restriction on the source port of the terminal.
  • The terminal establishes a session connection with the target server based on the first access control rule, and sends a connection establishment notification message to the policy controller;
  • The application on the terminal can then start the link establishment process between the client and the target server on the network side; if the session connection is successfully established, it further sends a connection establishment notification message to the SDP policy controller.
  • The policy controller notifies the network firewall to generate a second access control rule and delete the first access control rule; wherein the second access control rule is used by the target server to perform admission management on the application of the terminal.
  • When the SDP policy controller receives the notification message that the terminal application has established a connection with the target server, it notifies the network firewall to add an access control rule entry strictly corresponding to the characteristic information of the established connection, so as to adjust the network admission of the terminal application. Specifically, the policy controller notifies the network firewall to generate the second access control rule and to delete the first access control rule that exposes the service port.
  • The second access control rule is the access control rule corresponding to: the source IP address of the terminal + the source port of the terminal + the IP address of the target server + the service port + the protocol type.
  • The protocol type may be TCP, UDP, or another communication protocol determined by the specific application of the terminal.
  • The network firewall will then only allow packets belonging to the established access session connection to pass; at the same time, because admission through the exposed service port is closed, the service port has returned to the hidden state.
  • The second access control rule is a stricter rule that only allows packets of the legitimate terminal application's session connection to pass. Replacing the first access control rule with the second therefore effectively prevents a malicious attacker from exploiting the exposed service port, forging the source IP address, or using the uncertainty of the source port to forge packets that bypass the network firewall and attack the network service; it also makes the service port exposure time exactly equal to the time actually spent establishing the connection, which denies a malicious attacker any redundant time window for probing attacks.
  • The terminal sends a connection termination notification message to the SDP policy controller, which includes the characteristic information of the session connection.
  • When the SDP policy controller receives the connection termination notification message, it performs network admission adjustment again and notifies the network firewall to delete the access control rule (ACL RULE) corresponding to the session connection, that is, to delete the second access control rule.
  • The network firewall synchronously adjusts its access rules and discards any packets matching those access characteristics, thereby avoiding forgery and replay attacks.
  • A timeout deletion mechanism can be set to deal with problems such as abnormal exit of a legitimate terminal or network interruption during access to network services.
  • In such cases the SDP policy controller cannot be notified of the abnormal termination of the access session connection, which leads to the abnormal scenario in which the second access control rule built on the firewall cannot be deleted.
  • The SDP controller and the network firewall can add a protection mechanism for this.
  • An aging timeout window is set for the second access control rule: when the timeout occurs and no matching packet passes through the access control rule within several subsequent statistical periods, the network firewall can delete the second access control rule autonomously.
  • After the network firewall generates an access control rule, if no packet matching the rule is received within a preset period, a timer is started; if the timer expires and still no packet matching the rule has been received, the network firewall automatically deletes the access control rule. The access control rule here includes both the first access control rule and the second access control rule.
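The rule sequence described above (a first, source-port-unrestricted rule installed on SPA verification; its replacement by a strict five-tuple second rule on the connection establishment notification; deletion on the termination notification; and the idle-period aging fallback) can be checked with a small model of a default-discard firewall. The following Python is an added example written for this page, not code from the patent or its applicant: the class names, the tuple layout and the counting of idle "statistical periods" are assumptions of the example, and SPA verification itself is assumed to have succeeded.

```python
# Added example (not code from the patent): a model of the firewall rule
# life cycle. Firewall, PolicyController, Rule and Packet are names assumed
# here, not identifiers from the disclosure.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


@dataclass
class Rule:
    """Access control rule. A None field means 'no restriction': a first rule
    has src_port=None (quadruple) or src_ip=src_port=None (triplet); a second
    rule fills in the full five-tuple of the established session."""
    dst_ip: str
    dst_port: int
    proto: str
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    idle_periods: int = 0  # statistical periods with no matching packet

    def matches(self, p: Packet) -> bool:
        return (p.dst_ip == self.dst_ip and p.dst_port == self.dst_port
                and p.proto == self.proto
                and (self.src_ip is None or p.src_ip == self.src_ip)
                and (self.src_port is None or p.src_port == self.src_port))


class Firewall:
    """Default-discard firewall: a packet passes only if some rule matches."""

    def __init__(self, aging_periods: int = 3):
        self.rules: list[Rule] = []
        self.aging_periods = aging_periods

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)

    def delete(self, rule: Rule) -> None:
        if rule in self.rules:
            self.rules.remove(rule)

    def admit(self, p: Packet) -> bool:
        for r in self.rules:
            if r.matches(p):
                r.idle_periods = 0
                return True
        return False  # default discard

    def tick(self) -> list[Rule]:
        """End of one statistical period: aging deletes every rule that has
        seen no matching packet for aging_periods consecutive periods."""
        for r in self.rules:
            r.idle_periods += 1
        expired = [r for r in self.rules if r.idle_periods >= self.aging_periods]
        self.rules = [r for r in self.rules if r.idle_periods < self.aging_periods]
        return expired


class PolicyController:
    """SDP policy controller: turns terminal notifications into rule changes."""

    def __init__(self, fw: Firewall):
        self.fw = fw
        self.exposures: dict[tuple, Rule] = {}  # first rules by (term_ip, srv_ip, port, proto)
        self.sessions: dict[tuple, Rule] = {}   # second rules by five-tuple

    def on_spa(self, term_ip: str, srv_ip: str, port: int, proto: str,
               restrict_source_ip: bool = True) -> Rule:
        # SPA verification is assumed to have passed; quadruple if the source
        # IP is restricted, triplet otherwise.
        first = Rule(srv_ip, port, proto, src_ip=term_ip if restrict_source_ip else None)
        self.fw.add(first)
        self.exposures[(term_ip, srv_ip, port, proto)] = first
        return first

    def on_connection_established(self, five: tuple) -> Rule:
        src_ip, src_port, dst_ip, dst_port, proto = five
        second = Rule(dst_ip, dst_port, proto, src_ip=src_ip, src_port=src_port)
        self.fw.add(second)                                   # strict five-tuple rule in
        first = self.exposures.pop((src_ip, dst_ip, dst_port, proto), None)
        if first is not None:
            self.fw.delete(first)                             # exposure rule out: port hidden again
        self.sessions[five] = second
        return second

    def on_connection_terminated(self, five: tuple) -> None:
        second = self.sessions.pop(five, None)
        if second is not None:
            self.fw.delete(second)


def demo() -> dict:
    """Walk one session through the life cycle with constructed addresses."""
    fw, term, srv = Firewall(aging_periods=2), "203.0.113.10", "198.51.100.5"
    pc = PolicyController(fw)
    syn = Packet(term, 40000, srv, 443, "tcp")               # the legitimate session
    other_port = Packet(term, 40001, srv, 443, "tcp")        # same host, different source port
    forged = Packet("203.0.113.99", 40000, srv, 443, "tcp")  # spoofed source IP
    r = {"before_spa": fw.admit(syn)}
    pc.on_spa(term, srv, 443, "tcp")
    r["exposed_syn"] = fw.admit(syn)
    r["exposed_other_src_port"] = fw.admit(other_port)        # first rule: source port unrestricted
    pc.on_connection_established((term, 40000, srv, 443, "tcp"))
    r["session_pkt"] = fw.admit(syn)
    r["other_src_port_after"] = fw.admit(other_port)          # second rule: dropped
    r["forged_src_ip"] = fw.admit(forged)
    pc.on_connection_terminated((term, 40000, srv, 443, "tcp"))
    r["after_close"] = fw.admit(syn)
    r["rules_left"] = len(fw.rules)
    return r


def aging_demo() -> int:
    """Terminal vanishes without a termination notice: aging removes the rule."""
    fw = Firewall(aging_periods=2)
    pc = PolicyController(fw)
    pc.on_connection_established(("203.0.113.10", 40000, "198.51.100.5", 443, "tcp"))
    fw.tick()
    fw.tick()
    return len(fw.rules)
```

Running `demo()` shows the practical difference between the two rules: while only the first rule is installed, any packet from the terminal's IP to the service port is admitted regardless of source port, so the exposure window is exploitable by anything that can reach the port from that address; once the second rule replaces it, only the exact five-tuple of the established session passes, and the port is hidden again for everyone else. `aging_demo()` shows the fallback for a terminal that never sends its termination notice.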
  • Integrity and confidentiality protection can be applied to the newly added control messages between the terminal and the SDP policy controller, including the transmission of the connection establishment notification message and the connection termination notification message, so as to ensure the security of the newly added control messages themselves.
  • The specific implementation is not limited in this disclosure.
  • For example, it can be implemented using the security protection mechanism of the existing SPA authentication request message, using the inherent trust credential between the terminal application and the SDP policy controller, including but not limited to digital certificates, user passwords or keys.
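Because the notification messages drive rule creation and deletion on the firewall, an attacker who could forge or replay one could open or close admission for a connection they do not own. The following Python is an added example, not the patent's own mechanism: it shows integrity and replay protection for the two notification messages using an HMAC over the message body with a timestamp and nonce, under the assumption that the terminal and the SDP policy controller share a pre-shared key (standing in for the "inherent trust credential" the text mentions). Confidentiality, which the text also calls for, would additionally require encrypting the body (for example with an AEAD cipher) and is not shown here.

```python
# Added example (not from the patent): HMAC-protected connection notifications
# between terminal and SDP policy controller. NotificationAuth, the message
# layout and the shared-key assumption are all choices of this example.
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple


class NotificationAuth:
    """Builds and verifies integrity-protected control messages.

    key:      pre-shared secret between terminal and controller (assumption)
    window_s: maximum clock skew / delivery delay accepted for the timestamp
    """

    def __init__(self, key: bytes, window_s: int = 30):
        self.key = key
        self.window_s = window_s
        self.seen_nonces: set = set()  # replay cache on the verifying side

    def _mac(self, body: dict) -> str:
        # Canonical JSON of everything except the MAC itself, so both sides
        # authenticate exactly the same bytes regardless of dict ordering.
        canon = json.dumps({k: v for k, v in body.items() if k != "mac"},
                           sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, canon, hashlib.sha256).hexdigest()

    def build(self, msg_type: str, five_tuple: tuple, now: Optional[int] = None) -> dict:
        """Terminal side: msg_type is 'connection_established' or
        'connection_terminated'; five_tuple identifies the session."""
        body = {
            "type": msg_type,
            "conn": list(five_tuple),
            "ts": int(time.time() if now is None else now),
            "nonce": secrets.token_hex(8),
        }
        body["mac"] = self._mac(body)
        return body

    def verify(self, body: dict, now: Optional[int] = None) -> Tuple[bool, str]:
        """Controller side: check MAC first, then freshness, then replay."""
        mac = body.get("mac", "")
        if not isinstance(mac, str) or not hmac.compare_digest(mac, self._mac(body)):
            return False, "bad mac"
        now = int(time.time() if now is None else now)
        if abs(now - int(body["ts"])) > self.window_s:
            return False, "stale"
        if body["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(body["nonce"])
        return True, "ok"


def demo() -> dict:
    """Exercise the checks with a constructed key, session and clock."""
    key = b"constructed-shared-secret-for-demo"
    terminal, controller = NotificationAuth(key), NotificationAuth(key)
    five = ("203.0.113.10", 40000, "198.51.100.5", 443, "tcp")

    msg = terminal.build("connection_established", five, now=1000)
    valid = controller.verify(msg, now=1005)            # genuine, fresh
    replayed = controller.verify(msg, now=1006)         # same message again

    tampered = dict(msg)                                # attacker rewrites the tuple
    tampered["conn"] = ["203.0.113.99", 40000, "198.51.100.5", 443, "tcp"]
    forged = controller.verify(tampered, now=1005)

    late = terminal.build("connection_terminated", five, now=1000)
    stale = controller.verify(late, now=2000)           # delivered far too late
    return {"valid": valid, "replayed": replayed, "forged": forged, "stale": stale}
```

The order of checks in `verify` matters for the replay cache: the nonce is recorded only after the MAC and timestamp pass, so an attacker cannot poison the cache with unauthenticated nonces, and the cache only needs to retain nonces for roughly `window_s` seconds.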
  • The access control method provided in this disclosure improves on the single-packet-authorization-based access control of the existing SDP framework: the remote access status messages actively monitored on the terminal side, exchanged with the SDP policy controller and the network firewall, precisely control the opening and closing of the corresponding access control rules on the network firewall, thereby protecting the entire life cycle of terminal applications' access to network services. Furthermore, in the phases of creating an access connection and maintaining an access session, different types of access control rules are synchronously and dynamically maintained on the network firewall, so that the network firewall realizes full-life-cycle protection of legitimate terminal access traffic, and the protection time window is strictly synchronized with the actual access.
  • The present disclosure also provides a terminal, including a terminal application and a security proxy module.
  • The security proxy module is deployed on the terminal together with the application. Through an internal interface it can perceive and monitor, in real time, the status of the session throughout the whole life cycle of the application's access to the network service; at the same time, according to changes in session status, the security proxy module can construct the expected access control admission and denial rule information and notify the SDP policy controller.
  • The SDP policy controller issues instructions such as creation and deletion of access control rules to the network firewall, and triggers the network firewall to adjust its access rules for data packets.
  • FIG. 4 is a schematic block diagram of an access control system, including a terminal deployed with a security agent, provided by an embodiment of the present disclosure.
  • The access control system specifically includes: a terminal, a policy controller, a network firewall, and a target server, together with the terminal application and security agent deployed on the terminal.
  • FIG. 5 is a schematic flowchart of an access control method applied to a terminal provided by an embodiment of the present disclosure, specifically including steps S201 to S202.
  • FIG. 6 is a schematic diagram of a scene in which the security agent module on the terminal, the application and the other components of the access control system provided by an embodiment of the present disclosure interact.
  • Step S201: when initiating access to the target server, send a single-packet authorization authentication message to the policy controller, so that the policy controller notifies the network firewall to generate the first access control rule; wherein the first access control rule is used for the target server to expose a service port to the terminal;
  • The security agent module starts monitoring the legitimate terminal application and monitors its access behavior toward the target server on the external network.
  • Ways in which the security agent module may monitor the terminal application include, but are not limited to: restoring the state of the session connection by sniffing the packets the terminal application exchanges with the external system at the system kernel or the network card device; or, in some embedded application scenarios, the security agent directly interacts with the application and subscribes to the start and stop information of the connection transactions of the network access it initiates.
  • When a legitimate terminal application initiates access to the network server, it triggers the security agent module to construct and send the SPA authentication message. After receiving the message, the SDP policy controller performs authentication; if authentication passes, it authorizes and, according to the authorization result, notifies the network firewall to create the first access control rule, which allows the network server to be exposed to the terminal. It should be noted that the network firewall needs to enable default discard mode.
  • The first access control rule is a triplet or a quadruple. In the triplet scenario, only packets matching the IP address of the target server + the target service port + the protocol type are admitted, with no restriction on the source port or the source IP address of the terminal; in the quadruple scenario, only packets matching the source IP address of the terminal + the IP address of the target server + the target service port + the protocol type are admitted, with no restriction on the source port of the terminal.
  • Step S202: establish a session connection with the target server based on the first access control rule, and send a connection establishment notification message to the policy controller, so that the policy controller notifies the network firewall to generate a second access control rule and delete the first access control rule; wherein the second access control rule is used for the target server to perform admission management on the application of the terminal.
  • The application on the terminal can start the link establishment process between the client and the target server on the network side. If the session connection is successfully established, the security agent module senses through monitoring that the terminal application has successfully established a session connection with the network service, records the feature information of the session connection, such as the five-tuple of the TCP connection (source IP + source port + target IP + service port + protocol type), and constructs a connection establishment notification message to notify the SDP policy controller.
  • the security proxy module senses that the session connection is terminated by monitoring the connection status of the application accessing the network service in the terminal, and then constructs a connection termination notification message to notify the SDP policy control device, which contains the characteristic information of the session connection.
  • the SDP policy controller receives the connection termination notification message, performs network admission adjustment processing again, and notifies the network firewall to delete the second access control rule corresponding to the session connection. Specifically, when the session connection with the target server is terminated, a connection termination notification message is sent to the policy controller, so that the policy controller notifies the network firewall to delete the second access control rule.
  • the network firewall With the end of a single access to a network service by a legitimate terminal application, the network firewall will synchronously adjust the access rules and discard any packets corresponding to the access characteristics, thereby avoiding forgery and replay attacks.
  • the access control method provided by this disclosure ensures that the access control rules configured on the network firewall correspond to real and legal access messages by using the security agent module built in the terminal as the source of controlling the access of network firewall messages, avoiding the Maliciously forged packets from the network side may open up the firewall through deception.
  • the present disclosure is applied to the access control processing based on single-package authorization in the remote secure access environment of the general terminal, and the access control processing of the dedicated embedded device terminal in the remote secure access environment.
  • Access control processing based on single-package authorization lies only in the technical means for the security agent to perceive and monitor the session state of the application accessing the network.
  • Figure 7 is a schematic diagram of a scenario for implementing the access control method provided in Embodiment 1. As shown in Figure 7, this embodiment demonstrates the access of a general terminal based on single-package authorization in a remote secure access environment. control processing.
  • Step 1: The terminal-side security agent is preconfigured with a whitelist of legitimate applications, which includes the application program name characteristics and the types of communication protocol required to access the network.
  • The application starts and registers with the security agent. After the security agent confirms through whitelist comparison that it is a legitimate application, it starts to monitor its access behavior towards the external network.
  • It can be assumed that the application accesses the network service over TCP and that the terminal runs a general-purpose operating system such as Linux or Windows; the security agent can then obtain the state of the network protocol connections in the current kernel IP stack, and the application each belongs to, by periodically calling the netstat command provided by the operating system.
  • Step 2: When the terminal application initiates access to the network server, it triggers the security agent module to construct and send the SPA authentication message; on receiving the message the SDP policy controller performs authentication, and if authentication passes it authorizes and, according to the authorization result, notifies the network firewall to create the first access control rule: the access control rule for the 4-tuple source IP address + destination IP + target service port + protocol type, that is, allowing the service to be exposed to the terminal.
  • The system can also set a timeout window for the first access control rule; on timeout, the system forcibly ages out and deletes the first access control rule so that the service port returns to the stealth state.
  • Step 3: The terminal application starts a TCP connection establishment procedure between the client and the server on the network side, and successfully establishes a session connection before the first access control rule ages out.
  • Step 4: The security agent module on the terminal side, monitoring in real time through the method described in step 2, perceives that the terminal application has successfully established a TCP session connection with the network service, records the characteristic information of the session connection, that is, the 5-tuple of the TCP connection (source IP + source port + destination IP + service port + protocol type), and constructs a connection establishment notification message to notify the SDP policy controller.
  • the connection establishment notification message can be protected with confidentiality and integrity by the inherent credential between the terminal and the SDP policy controller, and the protection mechanism is the same as that of the SPA authentication message.
  • Step 5: The SDP policy controller receives the connection establishment notification message. If it is a security-protected message, it decrypts it, checks its integrity and recovers the plaintext; it then performs network access adjustment processing according to the message content and notifies the network firewall to add an access control rule entry corresponding strictly to the characteristic information of the established connection, that is, the second access control rule for the 5-tuple (source IP + source port + destination IP + service port + protocol type) of the established TCP connection, and to delete the first access control rule entry that exposed the service port.
  • A protection mechanism can also be added between the SDP controller and the network firewall: an aging timeout window is set for the second access control rule.
  • When the timeout occurs and no packet matching the rule has passed during the subsequent statistics periods, the network firewall can delete the second access control rule on its own.
  • The network firewall will then only allow packets of the established access session connection to pass, and because admission through the exposed service port has been closed, the service port has returned to the hidden state.
  • The second access control rule is a stricter access rule that only allows the legitimate application's connection session packets to pass; therefore replacing the first access control rule with the second one effectively prevents a malicious attacker from exploiting the exposed service port by forging a source IP address or exploiting the uncertainty of the source port to forge packets that bypass the network firewall.
  • Step 6: When the access session between the terminal application and the network service terminates, the security agent, monitoring in real time through the method described in step 2, perceives that the session connection has terminated and constructs a connection termination notification message to notify the SDP policy controller; it contains the characteristic information of the session connection, such as the 5-tuple of the TCP connection (source IP + source port + destination IP + service port + protocol type).
  • The confidentiality and integrity of the connection termination notification message can be protected using the inherent credentials between the terminal and the SDP policy controller, with the same mechanism as the protection of the SPA authentication message.
  • Step 7: The SDP policy controller receives the connection termination notification message. If it is a security-protected message, it decrypts it, checks its integrity and recovers the plaintext; it then performs network access adjustment processing again according to the message content and notifies the network firewall to delete the second access control rule corresponding to the connection.
  • The network firewall synchronously adjusts its access rules and discards any packets matching the characteristics of that access, thereby preventing forgery and replay attacks.
  • FIG. 8 is a schematic diagram of a scenario for implementing the access control method provided in Embodiment 2.
  • the terminal is specifically a dedicated embedded device terminal.
  • In a typical embedded environment the communication protocol is handled by a simplified user-mode protocol stack developed by the manufacturer, the connection state is controlled directly by the application, and the system's computing resources are extremely limited. Therefore, as regards the state of network connections, the security agent needs to subscribe to the network connection state directly from the application.
  • Step 1: The application on the terminal side starts and registers with the security agent; the security agent subscribes to the application for information about its network access connections and starts to monitor its access behavior towards the external network.
  • Step 2: The terminal application initiates access to the network server. Since the security agent has subscribed to the application's connection state, the application notifies the security agent of the access connection establishment request in advance, which triggers the security agent module to construct and send the SPA authentication message; on receiving the message the SDP policy controller performs authentication, and if authentication passes it authorizes and, according to the authorization result, notifies the network firewall to create the first access control rule: the access control rule (ACL RULE) for the 4-tuple source IP address + destination IP address + target service port + protocol type, that is, allowing the service to be exposed to this terminal.
  • The system sets a timeout window for the first access control rule; on timeout, the first access control rule is forcibly aged out and deleted so that the service returns to the stealth state, and processing ends.
  • Step 3: The terminal application, as the client, initiates the establishment of the access session connection with the server on the network side, and successfully establishes the session connection before the first access control rule ages out.
  • Step 4 the security proxy module on the terminal side learns from the terminal application that the access session connection has been successfully established through the subscription notification mechanism of the application, and records the characteristic information of the session connection, such as the five-tuple characteristic of the connection (source IP+source port+target IP+service port + protocol type), and construct a connection establishment notification message to notify the SDP policy controller.
  • the connection establishment notification message can be protected with confidentiality and integrity by the inherent credential between the terminal and the SDP policy controller, and the protection mechanism is the same as that of the SPA authentication message.
  • Step 5: The SDP policy controller receives the connection establishment notification message. If it is a security-protected message, it decrypts it, checks its integrity and recovers the plaintext; it then performs network access adjustment processing according to the message content, that is, notifies the network firewall to add the access control rule entry corresponding strictly to the characteristics of the established session connection, namely the second access control rule for the 5-tuple (source IP + source port + destination IP + service port + protocol type) of the established session connection, and to delete the first access control rule for service port exposure described in step b.
  • A protection mechanism can also be added between the SDP controller and the network firewall: an aging timeout window is set for the second access control rule.
  • When the timeout occurs and no packet matching the rule has passed during the subsequent statistics periods, the network firewall can delete the second access control rule on its own.
  • The network firewall will then only allow packets of the established access session connection to pass, and because admission through the exposed service port has been closed, the service port has returned to the hidden state.
  • The second access control rule is a stricter access rule that only allows the legitimate application's connection session packets to pass; therefore replacing the first access control rule with the second one effectively prevents a malicious attacker from exploiting the exposed service port by forging a source IP address or exploiting the uncertainty of the source port to forge packets that bypass the network firewall.
  • Step 6: When the access session between the terminal application and the network service terminates, the security agent, monitoring in real time through the application's subscription notification mechanism, perceives the termination of the session connection and constructs a connection termination notification message to notify the SDP policy controller; it contains the characteristic information of the session connection, that is, the 5-tuple (source IP + source port + destination IP + service port + protocol type) of the session connection.
  • the confidentiality and integrity protection of the connection termination notification message can be carried out by the inherent credential between the terminal and the SDP policy controller, and the protection mechanism is the same as that of the SPA authentication message.
  • Step 7 The SDP policy controller receives the connection termination notification message. If it is a security-protected message, it needs to decrypt and integrity check and restore the plaintext, and then perform network access adjustment processing again according to the message content, and notify the network firewall Delete the second access control rule corresponding to the connection.
  • the network firewall will synchronously adjust the access rules and discard any packets corresponding to the access characteristics, thereby avoiding forgery and replay attacks.
  • The access control method provided by the embodiments of the present disclosure can achieve at least the following beneficial effects:
  • 1. It improves the access control method based on single-packet authorization in the existing SDP framework: by embedding in the access terminal a security agent module that perceives the state of terminal applications' access to network services, and through its interaction with the SDP policy controller and the network firewall, it precisely controls the opening and closing of the corresponding access control rules on the network firewall, which improves the concealment of network services and leaves a malicious attacker no additional time window for probing and attack.
  • 2. Different types of access control rules are dynamically maintained on the network firewall, so that the network firewall achieves full life cycle protection of legitimate network access traffic, with the protection window strictly synchronized with the actual access. This not only ensures that the network firewall strictly protects each network access over its entire life cycle, improving access security, but also implements the access control policy efficiently and fully automatically, without manual intervention to configure the network firewall.
  • 3. By monitoring state changes of the network access session connection on the terminal side and synchronously adjusting the access control rules of the network firewall, the method truly reflects the scenarios and demands of legitimate terminal applications accessing network services, avoids being deceived by malicious attackers forging network access messages, and improves the credibility of the SDP system.
  • FIG. 9 is a schematic structural block diagram of a terminal provided by an embodiment of the present disclosure.
  • the terminal 300 includes a processor 301 and a memory 302, and the processor 301 and the memory 302 are connected through a bus 303, such as an I2C (Inter-integrated Circuit) bus.
  • the processor 301 is used to provide computing and control capabilities to support the operation of the entire terminal.
  • the processor 301 can be a central processing unit (Central Processing Unit, referred to as CPU), and the processor 301 can also be other general processors, digital signal processors (Digital Signal Processor, referred to as DSP), application specific integrated circuits (Application Specific Integrated Circuit, referred to as ASIC), Field-Programmable Gate Array (Field-Programmable Gate Array, referred to as FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the general-purpose processor may be a microprocessor or the processor may be any conventional processor and the like.
  • the memory 302 may be a Flash chip, a read-only memory (Read-Only Memory, ROM for short) disk, an optical disk, a U disk, or a mobile hard disk.
  • FIG. 9 is only a block diagram of a partial structure related to the solution of the embodiment of the present disclosure, and does not constitute a limitation on the terminal to which the solution of the embodiment of the present disclosure is applied.
  • the server may include more or fewer components than shown in the figures, or combine certain components, or have a different arrangement of components.
  • the processor is configured to run a computer program stored in the memory, and implement any one of the access control methods provided in the embodiments of the present disclosure when the computer program is executed.
  • the processor is configured to run a computer program stored in a memory, and implement the following steps when executing the computer program:
  • When initiating access to the target server, send a single-packet authorization authentication message to the policy controller, so that the policy controller notifies the network firewall to generate the first access control rule according to the verification result of the single-packet authorization authentication message; wherein the first access control rule is used for the target server to expose a service port to the terminal;
  • When implementing the access control method, the processor is configured to: send a connection termination notification message to the policy controller when the session connection with the target server is terminated, so that the policy controller notifies the network firewall to delete the second access control rule.
  • When implementing the access control method, the processor is configured to: monitor the access behavior and access state of the terminal's application towards the target server.
  • the processor when implementing the access control method, is configured to realize that: the first access control rule includes: the IP address of the target server, the service port and the protocol type.
  • the second access control rule includes: the IP address of the terminal, the source port of the terminal, the IP address of the target server, the service port and the protocol type.
  • An embodiment of the present disclosure also provides an access control system.
  • The access control system includes a terminal, a policy controller, a network firewall and a target server; the terminal, policy controller, network firewall and target server are used to jointly execute the access control method.
  • The computer program implements any one of the access control methods provided by the embodiments of the present disclosure.
  • the access control system is used to run a computer program stored in a memory, and implement the following steps when executing the computer program:
  • the policy controller notifies the network firewall to generate a first access control rule according to the verification result of the single-packet authorization authentication message; wherein, the first access control rule is used for the target server to expose service port;
  • the terminal establishes a session connection with the target server based on the first access control rule, and sends a connection establishment notification message to the policy controller;
  • The policy controller notifies the network firewall to generate a second access control rule and delete the first access control rule; wherein the second access control rule is used for the target server to perform admission management on the application of the terminal.
  • the access control system when implementing the access control method, is configured to: send a connection termination notification message to the policy controller when the session connection between the terminal and the target server is terminated; The policy controller notifies the network firewall to delete the second access control rule.
  • the access control system when implementing the access control method, is configured to: perform encryption protection and integrity check on messages between the terminal and the policy controller; wherein, the The message includes: the connection establishment notification message and the connection termination notification message.
  • When implementing the access control method, the access control system is configured to: after the network firewall generates an access control rule, if no packet matching the access control rule is received within a preset period, start a timer, and if no packet matching the access control rule has been received when the timer expires, the network firewall automatically deletes the access control rule; wherein the access control rule includes the first access control rule and the second access control rule.
  • the access control system when implementing the access control method, is configured to implement: the first access control rule includes: the IP address of the target server, the service port and protocol type.
  • the second access control rule includes: the IP address of the terminal, the source port of the terminal, the IP address of the target server, the service port and the protocol type.
  • An embodiment of the present disclosure also provides a storage medium for computer-readable storage; the storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to implement the steps of any access control method provided in the description of the embodiments of the present disclosure.
  • the storage medium may be an internal storage unit of the terminal described in the foregoing embodiments, such as a hard disk or a memory of the terminal.
  • the storage medium may also be an external storage device of the terminal, such as a plug-in hard disk equipped on the terminal, a smart memory card (Smart Media Card, referred to as SMC), a secure digital (Secure Digital, referred to as SD) card, flash card (Flash Card), etc.
  • the functional modules/units in the system, and the device can be implemented as software, firmware, hardware, and an appropriate combination thereof.
  • The division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be executed by several physical components cooperating.
  • Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit.
  • Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media).
  • Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer-readable instructions, data structures, program modules or other data.
  • Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cartridges, tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer.
  • Communication media typically embodies computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.

Abstract

Embodiments of the present disclosure provide an access control method, an access control system, a terminal and a storage medium, belonging to the field of zero trust technology. The method includes: when initiating access to a target server, sending a single-packet authorization authentication message to a policy controller, so that the policy controller, according to the verification result of the single-packet authorization authentication message, notifies a network firewall to generate a first access control rule for exposing a service port to the terminal; establishing a session connection with the target server based on the first access control rule, and sending a connection establishment notification message to the policy controller, so that the policy controller notifies the network firewall to generate a second access control rule for performing admission management on the application of the terminal and to delete the first access control rule.

Description

Access control method, access control system, terminal and storage medium
Cross-reference to related applications
This disclosure is based on, and claims priority to, Chinese patent application CN202111582807.7 filed on December 22, 2021 with the title "Access control method, access control system, terminal and storage medium", the entire disclosed content of which is incorporated into this disclosure by reference.
Technical field
The present disclosure relates to the field of zero trust technology, and in particular to an access control method, an access control system, a terminal and a storage medium.
Background
The Software Defined Perimeter (SDP) security model of Zero Trust differs from the traditional network access control model: through network stealth technology it achieves "authenticate first, then connect", and service ports are not directly exposed to the Internet. SDP shifts from the traditional network-centric model to identity-centric least-privilege access control. Through network stealth technology, with no distinction between internal and external networks, it ensures that only legitimate identities, terminals and network environments can gain access. Single Packet Authorization (SPA) is the core network security protocol for implementing SDP network stealth. Device and user identity are verified before access is permitted to the network where the controller, gateway and other related system components reside, realizing the zero trust "authenticate first, then connect" security model.
In the prior art, when a terminal application initiates a network access request it triggers the construction and sending of an SPA message; after receiving the SPA message, the SDP policy controller performs authentication and authorization and notifies the network firewall to open the corresponding service, that is, to create the corresponding admission access control filtering rule, thereby permitting the application to access the network service. However, as to when the corresponding access control filtering rule should be closed, since neither the SDP policy controller nor the network firewall knows the precise state of the subsequent access session connection, closure can only be deferred via a preset timeout threshold, which controls the length of the service exposure time window. The service exposure window is difficult to determine: if it is too short, the window times out and closes before a legitimate user has had time to establish a session connection, impairing normal access; if it is too long, an attacker is left ample time for probing attacks.
Therefore, how to thoroughly implement the zero trust concept, improve the weaknesses of single-packet-authorization access control in the SDP security architecture, and ensure that the network firewall's protection of each network access strictly spans the entire life cycle of that access is a problem that urgently needs to be solved.
Summary
The main purpose of the embodiments of the present disclosure is to provide an access control method, an access control system, a terminal and a storage medium that, by monitoring and perceiving the real state of remote access on the terminal and synchronously adjusting the admission control of the network firewall according to the access state on the terminal side, make the network firewall's protection of network access strictly span the entire life cycle of the remote access.
In a first aspect, an embodiment of the present disclosure provides an access control method applied to a terminal, including:
when initiating access to a target server, sending a single-packet authorization authentication message to a policy controller, so that the policy controller notifies a network firewall to generate a first access control rule according to the verification result of the single-packet authorization authentication message; wherein the first access control rule is used for the target server to expose a service port to the terminal;
establishing a session connection with the target server based on the first access control rule, and sending a connection establishment notification message to the policy controller, so that the policy controller notifies the network firewall to generate a second access control rule and delete the first access control rule; wherein the second access control rule is used for the target server to perform admission management on the application of the terminal.
In a second aspect, an embodiment of the present disclosure further provides an access control method applied to an access control system, the access control system including a terminal, a policy controller, a network firewall and a target server; the access control method includes:
when the terminal initiates access to the target server, sending a single-packet authorization authentication message to the policy controller;
the policy controller notifying the network firewall to generate a first access control rule according to the verification result of the single-packet authorization authentication message; wherein the first access control rule is used for the target server to expose a service port to the terminal;
the terminal establishing a session connection with the target server based on the first access control rule, and sending a connection establishment notification message to the policy controller;
the policy controller notifying the network firewall to generate a second access control rule and delete the first access control rule; wherein the second access control rule is used for the target server to perform admission management on the application of the terminal.
In a third aspect, to implement the above access control method applied to a terminal, an embodiment of the present disclosure further provides a terminal, the terminal including a processor, a memory, a computer program stored in the memory and executable by the processor, and a data bus for implementing connection and communication between the processor and the memory, wherein the computer program, when executed by the processor, implements the steps of any of the access control methods applied to a terminal provided in the description of the present disclosure.
In a fourth aspect, to implement the above access control method applied to an access control system, an embodiment of the present disclosure further provides an access control system, the access control system including a terminal, a policy controller, a network firewall and a target server; the terminal, policy controller, network firewall and target server are used to jointly execute the steps of any of the access control methods applied to an access control system provided in the description of the present disclosure.
In a fifth aspect, an embodiment of the present disclosure further provides a storage medium for computer-readable storage, wherein the storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to implement the steps of any of the access control methods provided in the description of the present disclosure.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present disclosure more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are some embodiments of the present disclosure, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic block diagram of an access control system provided by an embodiment of the present disclosure;
FIG. 2 is a schematic flowchart of an access control method provided by an embodiment of the present disclosure;
FIG. 3 is a scenario flowchart of an access control system provided by an embodiment of the present disclosure when implementing the access control method;
FIG. 4 is a schematic block diagram of another access control system provided by an embodiment of the present disclosure;
FIG. 5 is a schematic flowchart of an access control method applied to a terminal provided by an embodiment of the present disclosure;
FIG. 6 is a schematic diagram of a scenario in which the access control system provided in FIG. 4 implements the access control method;
FIG. 7 is a schematic diagram of a scenario in which a general-purpose terminal applies the access control method in remote secure access, provided in Embodiment 1;
FIG. 8 is a schematic diagram of a scenario in which an embedded terminal applies the access control method in remote secure access, provided in Embodiment 2;
FIG. 9 is a schematic structural block diagram of a terminal provided by an embodiment of the present disclosure.
Detailed description
The technical solutions in the embodiments of the present disclosure will be described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present disclosure. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present disclosure without creative effort fall within the scope of protection of the present disclosure.
The flowcharts shown in the drawings are only illustrative; they need not include all of the content and operations/steps, nor be executed in the order described. For example, some operations/steps may be decomposed, combined or partially merged, so the actual execution order may change according to the actual situation.
It should be understood that the terminology used in the description of the present disclosure is for the purpose of describing particular embodiments only and is not intended to limit the present disclosure. As used in the description of the present disclosure and the appended claims, the singular forms "a", "an" and "the" are intended to include the plural forms unless the context clearly indicates otherwise.
Traditional network access control is "connect first, then authenticate"; because network service ports are directly exposed on the Internet, they are easily subjected to security attacks, giving rise to various security threats. The Zero Trust SDP security model differs from the traditional network access control model: through network stealth technology it achieves "authenticate first, then connect", and service ports are not directly exposed to the Internet. SDP shifts from the traditional network-centric model to identity-centric least-privilege access control. Through network stealth technology, with no distinction between internal and external networks, it ensures that only legitimate identities, terminals and network environments can gain access.
SPA is the core network security protocol for implementing SDP network stealth. Device and user identity are verified before access is permitted to the network where the controller, gateway and other related system components reside, realizing the zero trust "authenticate first, then connect" security model. SPA carries the connection request information, including the requester's IP address, encrypted and authenticated in a single network packet, and makes the protected network service invisible to the outside by configuring a default-drop firewall policy. The purpose of SPA is to let network services be hidden behind the firewall, with any probe and access packets dropped by default, so that a potential attacker is given no information about whether a service port is being listened on.
After single-packet authorization passes, the terminal application should initiate a connection to the exposed network service and establish a session link; the network firewall should then adjust the admission rules, close the exposed service port and admit the established session connection.
In the prior art, when a terminal application initiates a network access request it triggers the construction and sending of an SPA message; after receiving the SPA message, the SDP policy controller performs authentication and authorization and notifies the network firewall to open the corresponding service, that is, to create the corresponding admission access control filtering rule, thereby permitting the application to access the network service. However, as to when the corresponding access control filtering rule should be closed, since neither the SDP policy controller nor the network firewall knows the precise state of the subsequent access session connection, closure can only be deferred via a preset timeout threshold, which controls the length of the service exposure time window. The service exposure window is difficult to determine: if it is too short, the window times out and closes before a legitimate user has had time to establish a session connection, impairing normal access; if it is too long, an attacker is left ample time for probing attacks.
After the session connection is established, the service packets carried by the session connection still have to pass through the network firewall to reach the network service. Based on the zero trust concept, the firewall should only allow packets related to the legitimate session connection to pass and drop other illegitimate packets. However, the SDP security framework does not standardize admission control for session connections, and how to implement admission control for session connections automatically and precisely on the network firewall is a problem to be solved.
In addition, for the above problem of the accuracy of the service exposure time window, an existing technical solution proposes monitoring the packets received on the network service side to judge whether the subsequent session connection has been established and, if so, triggering the network firewall to adjust the admission rules and close the exposed service port, so that the network service quickly returns to the stealth state. But that solution only addresses the imprecise service exposure duration; it does not address the firewall's admission control of subsequent session connection packets. Moreover, because it analyzes the session connection state by sniffing packets on the network side, it is easily deceived by connection control packets (for example TCP SYN packets) or replayed packets constructed by an external attacker over the network, causing it to wrongly conclude that the session connection has been established and to close the exposed service port prematurely, so that the legitimate terminal application fails to access the network service.
In summary, how to thoroughly implement the zero trust concept, improve the weaknesses of single-packet-authorization access control in the SDP security architecture, and ensure that the network firewall's protection of each network access strictly spans the entire life cycle of that access is a problem that urgently needs to be solved.
Embodiments of the present disclosure provide an access control method, an access control system, a terminal and a storage medium. The access control method can be applied to a mobile terminal, which may be an electronic device such as a mobile phone, a tablet computer, a notebook computer, a desktop computer, a personal digital assistant or a wearable device.
Some embodiments of the present disclosure are described in detail below with reference to the drawings. Where there is no conflict, the embodiments below and the features in the embodiments may be combined with each other.
To better explain the access control method of the present disclosure, the access control system provided by the embodiments of the present disclosure is introduced first.
The present disclosure applies to access control processing for a terminal's application remotely accessing a network server in the scenario of remote secure access services provided on the basis of the SDP security framework.
Referring to FIG. 1, FIG. 1 is a schematic block diagram of an access control system provided by an embodiment of the present disclosure. The access control system specifically includes: a terminal, a policy controller, a network firewall and a target server.
When the terminal needs to access the target server, it first sends a request to the policy controller; the policy controller, according to the authentication result of the terminal's request, issues instructions to the network firewall to create, delete, etc. access control rules, triggering the network firewall to adjust its packet admission rules; the terminal then establishes a session connection with the target server according to the access control rules of the network firewall.
Specifically, referring to FIG. 2, FIG. 2 is a schematic flowchart of an access control method applied to the above access control system provided by an embodiment of the present disclosure, specifically including steps S101 to S104. FIG. 3 is a schematic diagram of a scenario in which the access control system provided by an embodiment of the present disclosure implements the access control method.
S101: when the terminal initiates access to the target server, send a single-packet authorization authentication message to the policy controller;
Specifically, when an application deployed on the terminal needs to initiate access to the target server, the terminal sends an SPA message to the SDP policy controller.
S102: the policy controller notifies the network firewall to generate a first access control rule according to the verification result of the single-packet authorization authentication message; wherein the first access control rule is used for the target server to expose a service port to the terminal;
On receiving the SPA message, the SDP policy controller performs authentication; if authentication passes it performs authorization and, according to the authorization result, notifies the target server's network firewall to create an access control rule (ACL RULE) for the characteristics: source IP address of the terminal (optional) + IP address of the target server + target service port + protocol type, that is, to allow the target server to expose the service port to this terminal; this is referred to here as the first access control rule.
It should be noted that the network firewall needs to have default-drop mode enabled.
Optionally, the first access control rule is a 3-tuple or a 4-tuple. In the 3-tuple case, only packets matching the IP address of the terminal's target server + target service port + protocol type are admitted, with no restriction on the terminal's source port or source IP address; in the 4-tuple case, only packets matching the terminal's source IP address + IP address of the target server + target service port + protocol type are admitted, with no restriction on the terminal's source port.
S103: the terminal establishes a session connection with the target server based on the first access control rule, and sends a connection establishment notification message to the policy controller;
According to the first access rule created by the firewall, the application on the terminal can, as a client, start the connection establishment procedure with the target server on the network side; if the session connection is established successfully, it further sends a connection establishment notification message to the SDP policy controller.
S104: the policy controller notifies the network firewall to generate a second access control rule and delete the first access control rule; wherein the second access control rule is used for the target server to perform admission management on the application of the terminal.
Upon receiving the notification message that the terminal's application has established a connection with the target server, the SDP policy controller notifies the network firewall to add an access control rule entry corresponding strictly to the characteristic information of the established connection, thereby adjusting the network admission of the terminal's application. Specifically, the policy controller notifies the network firewall to generate the second access control rule and delete the first access control rule used to expose the service port.
The second access control rule is the access control rule corresponding to: source IP address of the terminal + source port of the terminal + IP address of the target server + service port + protocol type.
Exemplarily, the protocol type may be TCP, UDP, or another communication protocol determined by the specific application of the terminal.
At this point the network firewall will only allow packets corresponding to the established access session connection to pass, and since admission through the exposed service port has been closed, the service port has returned to the hidden state. Since the second access control rule is a stricter admission rule than the first, allowing only the legitimate terminal application's connection session packets to pass, replacing the first access control rule with the second effectively prevents a malicious attacker from exploiting the service port exposure by forging a source IP address or exploiting the uncertainty of the source port to forge packets that bypass the network firewall and attack the network service; and it makes the duration of the service port exposure coincide exactly with the time actually spent establishing the connection, denying a malicious attacker any surplus time window for probing attacks.
Subsequently, when the access session between the terminal and the target server terminates, the terminal sends a connection termination notification message to the SDP policy controller, which contains the characteristic information of the session connection. After receiving the connection termination notification message, the SDP policy controller performs network admission adjustment processing again and notifies the network firewall to delete the access control rule (ACL RULE) corresponding to that session connection, that is, to delete the second access control rule. Specifically, when the session connection between the terminal and the target server terminates, a connection termination notification message is sent to the policy controller; the policy controller notifies the network firewall to delete the second access control rule.
At this point, as the legitimate terminal application's single access to the network service ends, the network firewall synchronously adjusts the admission rules and drops any packet corresponding to the characteristics of that access, thereby preventing forgery and replay attacks.
Further, a timeout deletion mechanism can be set for both the first and the second access control rule, to cope with problems such as a legitimate terminal exiting abnormally or the network being interrupted while it is accessing the network service.
For example, for the abnormal scenario in which, because of a network interruption or terminal failure, the SDP policy controller cannot be notified that the access session connection has terminated abnormally, so that the second access control rule built by the firewall cannot be deleted, the SDP controller and the network firewall can add a protection mechanism: an aging timeout window is set for the second access control rule, and when the timeout occurs and no packet matching the rule has passed during the subsequent several statistics periods, the network firewall can delete the second access control rule on its own.
Specifically, after the network firewall generates an access control rule, if no packet matching the access control rule is received within a preset period, a timer is started; if no packet matching the access control rule has been received when the timer expires, the network firewall automatically deletes the access control rule; wherein the access control rule includes the first access control rule and the second access control rule.
In addition, the newly added control messages between the terminal and the SDP policy controller, including the delivery of the connection establishment notification message and the connection termination notification message, can be given integrity and confidentiality protection to guarantee the security of the new control messages themselves. The present disclosure does not limit the specific implementation. For example, this can be implemented by reusing the security protection mechanism of the existing SPA authentication request message, with the inherent credentials between the terminal application and the SDP policy controller, including but not limited to: digital certificates, user passwords or keys.
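As an added illustration of steps S101 to S104 together with the aging timer and the message protection just described (example code written for this page, not the patent's own implementation), the following model lets a default-drop firewall move from the 4-tuple first rule to the 5-tuple second rule and back to nothing, driven by HMAC-checked notifications. All class names, the message layout, the shared key and the sample addresses are constructed; confidentiality (encryption of the payload) is omitted and only the integrity check is shown.

```python
"""Added example, not the patent's own code: a model of the SDP policy
controller and default-drop network firewall across steps S101-S104,
including the aging timer and HMAC integrity protection of the terminal's
notification messages. Names, message layout and values are constructed;
confidentiality (encryption of the payload) is left out for brevity."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

SHARED_KEY = b"constructed-terminal-credential"   # credential shared with controller


@dataclass(frozen=True)
class Rule:
    """ACL rule. None means "any": the first rule never pins the source port
    (and in its 3-tuple form not the source IP either)."""
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: str
    dst_port: int
    proto: str

    def matches(self, pkt: dict) -> bool:
        return ((self.src_ip is None or pkt["src_ip"] == self.src_ip)
                and (self.src_port is None or pkt["src_port"] == self.src_port)
                and pkt["dst_ip"] == self.dst_ip
                and pkt["dst_port"] == self.dst_port
                and pkt["proto"] == self.proto)


class Firewall:
    """Default-drop firewall. Each rule counts statistics periods without a
    matching packet; past idle_limit the rule is deleted autonomously."""

    def __init__(self, idle_limit: int = 2):
        self.rules: dict[Rule, int] = {}
        self.idle_limit = idle_limit

    def add(self, rule: Rule) -> None:
        self.rules[rule] = 0

    def delete(self, rule: Rule) -> None:
        self.rules.pop(rule, None)

    def admit(self, pkt: dict) -> bool:
        for rule in self.rules:
            if rule.matches(pkt):
                self.rules[rule] = 0        # matching traffic resets the idle count
                return True
        return False                        # default drop

    def tick(self) -> None:
        """One statistics period elapsed: age out rules that stayed idle."""
        for rule in list(self.rules):
            self.rules[rule] += 1
            if self.rules[rule] > self.idle_limit:
                del self.rules[rule]


def protect(body: dict, key: bytes = SHARED_KEY) -> dict:
    """Terminal side: serialize the message and attach an HMAC-SHA256 tag."""
    payload = json.dumps(body, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class PolicyController:
    def __init__(self, fw: Firewall, key: bytes = SHARED_KEY):
        self.fw, self.key = fw, key
        self.first_rules: dict[str, Rule] = {}   # terminal IP -> open first rule

    def _verify(self, msg: dict) -> dict:
        """Integrity check before any rule change is derived from a message."""
        tag = hmac.new(self.key, msg["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, msg["tag"]):
            raise ValueError("notification failed integrity check")
        return json.loads(msg["payload"])

    def on_spa(self, msg: dict) -> Rule:
        """S101/S102: verified SPA -> first rule (4-tuple, source port free)."""
        m = self._verify(msg)
        rule = Rule(m["src_ip"], None, m["dst_ip"], m["dst_port"], m["proto"])
        self.fw.add(rule)
        self.first_rules[m["src_ip"]] = rule
        return rule

    def on_connection_established(self, msg: dict) -> Rule:
        """S103/S104: second rule (5-tuple) replaces the exposing first rule."""
        m = self._verify(msg)
        rule = Rule(m["src_ip"], m["src_port"], m["dst_ip"], m["dst_port"], m["proto"])
        self.fw.add(rule)
        first = self.first_rules.pop(m["src_ip"], None)
        if first is not None:
            self.fw.delete(first)              # service port back to stealth
        return rule

    def on_connection_terminated(self, msg: dict) -> None:
        """Session ended: drop the second rule so nothing matching it passes."""
        m = self._verify(msg)
        self.fw.delete(Rule(m["src_ip"], m["src_port"], m["dst_ip"],
                            m["dst_port"], m["proto"]))
```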
The access control method provided by the present disclosure improves the access control method based on single-packet authorization in the existing SDP framework: through the interaction between the remote access state messages actively monitored on the terminal side and the SDP policy controller and network firewall, it precisely controls the opening and closing of the corresponding access control rules on the network firewall, thereby guaranteeing protection over the entire life cycle of the terminal application's access to the network service. Further, during the creation of the access connection and the maintenance of the access connection session, by synchronously and dynamically maintaining different types of access control rules on the network firewall, the network firewall achieves full life cycle protection of legitimate terminal access traffic, with the protection window strictly synchronized with the actual access.
To implement the access control method of the present disclosure effectively, the present disclosure also provides a terminal including a terminal application and a security agent module. The security agent module is deployed on the terminal together with the application and can, through an internal interface, perceive and monitor in real time the state of the session in which the application accesses the network service throughout its entire life cycle; at the same time, the security agent module can, according to changes in the state of the session connection, construct the desired access control admission and denial rule information and notify the SDP policy controller. The SDP policy controller, according to the above request from the security agent, issues instructions to the network firewall to create, delete, etc. access control rules, triggering the network firewall to adjust its packet admission rules.
FIG. 4 is a schematic block diagram of an access control system provided by an embodiment of the present disclosure that includes a terminal with a security agent deployed; the access control system specifically includes a terminal, a policy controller, a network firewall and a target server, and multiple terminal applications and a security agent are deployed in the terminal.
Referring to FIG. 5, FIG. 5 is a schematic flowchart of an access control method applied to a terminal provided by an embodiment of the present disclosure, specifically including steps S201 to S202. FIG. 6 is a schematic diagram of a scenario provided by an embodiment of the present disclosure based on the security agent module and application in the terminal and the other components of the access control system.
Step S201: when initiating access to the target server, send a single-packet authorization authentication message to the policy controller, so that the policy controller notifies the network firewall to generate a first access control rule according to the verification result of the single-packet authorization authentication message; wherein the first access control rule is used for the target server to expose a service port to the terminal;
Specifically, after the terminal powers on, the security agent module starts monitoring the legitimate terminal applications, observing their access behavior towards target servers on the external network. There are several optional ways to implement the security agent module's monitoring of terminal applications, including but not limited to: reconstructing the session connection state by sniffing the packets exchanged between the terminal application and external systems in the system kernel or on the network interface device; or, in some embedded application scenarios, having the security agent interact directly with the application and subscribe to the start and stop information of the connection transactions it initiates for network access.
When a legitimate terminal application initiates access to a network server, the security agent module is triggered to construct and send an SPA authentication message; on receiving the message the SDP policy controller performs authentication; if authentication passes it performs authorization and, according to the authorization result, notifies the network firewall to create the first access control rule, that is, to allow the network server to be exposed to this terminal. It should be noted that the network firewall needs to have default-drop mode enabled.
The first access control rule is a 3-tuple or a 4-tuple. In the 3-tuple case, only packets matching the IP address of the terminal's target server + target service port + protocol type are admitted, with no restriction on the terminal's source port or source IP address; in the 4-tuple case, only packets matching the terminal's source IP address + IP address of the target server + target service port + protocol type are admitted, with no restriction on the terminal's source port.
Step S202: establish a session connection with the target server based on the first access control rule, and send a connection establishment notification message to the policy controller, so that the policy controller notifies the network firewall to generate a second access control rule and delete the first access control rule; wherein the second access control rule is used for the target server to perform admission management on the application of the terminal.
According to the first access control rule created by the firewall, the application on the terminal can, as a client, start the connection establishment procedure with the target server on the network side. If the session connection is established successfully, the security agent module perceives through monitoring that the terminal application has successfully established a session connection with the network service, records the characteristic information of the session connection, for example the 5-tuple of the TCP connection (source IP + source port + destination IP + service port + protocol type), and constructs a connection establishment notification message to notify the SDP policy controller.
Upon receiving the notification message that the terminal's application has established a connection with the target server, the SDP policy controller notifies the network firewall to add an access control rule entry corresponding strictly to the characteristic information of the established connection, thereby adjusting the network admission of the terminal's application. Specifically, the policy controller notifies the network firewall to generate the second access control rule and delete the first access control rule used to expose the service port.
The second access control rule is the access control rule corresponding to: source IP address of the terminal + source port of the terminal + IP address of the target server + service port + protocol type. Exemplarily, the protocol type may be TCP, UDP, or another communication protocol determined by the specific application of the terminal.
At this point the network firewall will only allow packets corresponding to the established access session connection to pass, and since admission through the exposed service port has been closed, the service port has returned to the hidden state.
Subsequently, when the access session between the terminal application and the network service terminates, the security agent module perceives the termination of the session connection by monitoring the connection state of the application's access to the network service in this terminal, and constructs a connection termination notification message to notify the SDP policy controller, which contains the characteristic information of the session connection.
Upon receiving the connection termination notification message, the SDP policy controller performs network admission adjustment processing again and notifies the network firewall to delete the second access control rule corresponding to that session connection. Specifically, when the session connection with the target server terminates, a connection termination notification message is sent to the policy controller, so that the policy controller notifies the network firewall to delete the second access control rule.
As the legitimate terminal application's single access to the network service ends, the network firewall synchronously adjusts the admission rules and drops any packet corresponding to the characteristics of that access, thereby preventing forgery and replay attacks.
In the access control method provided by the present disclosure, the security agent module built into the terminal acts as the source controlling packet admission at the network firewall, which guarantees that the access control rules configured on the network firewall correspond to real, legitimate access packets and eliminates the possibility of maliciously forged packets from the network side opening the firewall through deception.
To better explain the access control method of the present disclosure, it is applied respectively to access control processing based on single-packet authorization for a general-purpose terminal in a remote secure access environment, and to access control processing based on single-packet authorization for a dedicated embedded device terminal in a remote secure access environment. The two embodiments differ only in the technical means by which the security agent perceives and monitors the session state of the application's network access.
实施例一
请参照图7,图7为实施本实施例一提供的访问控制方法的一场景示意图,如图7所示,本实施例演示的是通用终端在远程安全接入环境下基于单包授权的访问控制处理。
需要说明的是,网络防火墙需要开启默认丢弃模式。
步骤1、终端侧安全代理预先配置合法应用的白名单,白名单中包括应用程序名称特征、以及访问网络所需要的通信协议类型等。应用程序启动,向安全代理注册,安全代理通过白名单对比确认其为合法的应用后,开始监控其对外部网络的访问行为。在本实施例中,可假定应用访问网络服务是基于TCP协议,并假定终端是基于Linux与Windows等通用操作系统,安全代理可通过周期性调用操作系统提供的netstat命令来获取当前内核IP协议栈中的网络协议连接的状态与归属的应用程序。
步骤2、当终端应用向网络服务器发起访问时,会触发安全代理模块构造并发送SPA认证报文,SDP策略控制器收到报文会进行认证:如果认证通过,再进行授权,并根据授权结果通知网络防火墙创建第一访问控制规则:针对该源IP地址+目标IP+目标服务端口+协议类型的四元组特征的访问控制规则,即允许服务对该终端暴露。可选地,系统还可以针对该第一访问控制规则设置超时窗口,如果超时则强制老化并删除第一访问控制规则,使得服务端口能够重新恢复至隐身状态。
步骤3、该终端应用作为客户端与网络侧服务器之间启动TCP建链流程,并在所述第一访问控制规则老化之前成功建立会话连接。
步骤4,终端侧的安全代理模块通过步骤2所述的方法实时监控并感知到终端应用已与网络服务成功建立会话TCP连接,记录会话连接的特征信息,即TCP连接的五元组特征(源IP+源端口+目标IP+服务端口+协议类型),并构造连接建立通知消息通知SDP策略控制器。可选地,其中连接建立通知消息可用终端与SDP策略控制器之间固有的信任状进行机密性和完整性保护,机制与SPA认证报文的保护相同。
步骤5、SDP策略控制器收到连接建立通知消息,如果是经过安全保护的报文,要进行解密和完整性校验并恢复明文,然后根据消息内容进行网络准入调整处理,通知网络防火墙增加与已建立连接的特征信息严格对应访问控制规则条目,即与所建TCP连接的五元组特征(源IP+源端口+目标IP+服务端口+协议类型)对应的第二访问控制规则,并删除用于服务端口暴露的第一访问控制规则条目。
可选地,针对后续因网络中断或所述终端故障,安全代理因无法通知SDP控制器访问会话连接异常终止而导致所建的第二访问控制规则无法删除的异常场景,SDP控制器与网络防火墙也可增加保护机制,针对所述第二访问控制规则设置老化超时时间窗口,当超时发生,且该访问控制规则在后续若干统计周期内无匹配报文通过,则网络防火墙可自主将所述第二访问控制规则删除。
至此,网络防火墙将仅允许已建立访问会话连接的报文通过,同时由于关闭了服务暴露端口的准入,服务端口又恢复了隐藏状态。由于相对于第一访问控制规则,第二访问控制规则是更加偏严的准入规则,它仅允许合法应用连接会话报文通过;所以用第二访问控制规则取代第一访问控制规则,能有效杜绝恶意攻击者利用服务端口暴露,伪造源IP地址或利用源端口的不确定性来伪造可绕过网络防火墙的报文对网络服务实施攻击;并使服务端口暴露的时长与真正建立连接所花费的时间跨度完全一致,避免了恶意攻击者利用多余的时间窗口进行探测攻击。
步骤6、当所述终端应用与网络服务之间的所述访问会话终结,安全代理通过步骤2所述的方法实时监控并感知到所述会话连接终止,则构造连接终止通知消息通知SDP策略控制器,其中包含了该会话连接的特征信息,例如TCP连接的五元组特征(源IP+源端口+目标IP+ 服务端口+协议类型)。可选地,所述连接终止通知消息可用终端与SDP策略控制器之间固有的信任状进行机密性和完整性保护,机制与SPA认证报文的保护相同。
步骤7、SDP策略控制器收到连接终止通知消息,如果是经过安全保护的报文,要进行解密和完整性校验并恢复明文,然后根据消息内容再次进行网络准入调整处理,通知网络防火墙删除该连接对应的第二访问控制规则。
至此,随着合法终端应用针对网络服务的单次访问结束,网络防火墙将同步调整准入规则并丢弃与该次访问特征对应的任何报文,从而避免了伪造与重放攻击。
Embodiment 2
Referring to Fig. 8, Fig. 8 is a schematic diagram of one scenario implementing the access control method of Embodiment 2. In this embodiment the terminal is specifically a dedicated embedded device terminal.
In a typical embedded environment the communication protocols are handled by a vendor-developed, simplified user-space protocol stack, connection state is controlled directly by the application, and the system's computing resources are extremely limited. For network connection state, therefore, the security agent needs to subscribe to the network connection state directly from the application.
It should be noted that the network firewall must have default-drop mode enabled.
Step 1: The terminal-side application starts and registers with the security agent; the security agent subscribes to the application's network access connection information and thereby begins monitoring its access to the external network.
Step 2: The terminal application initiates access to the network server. Because the security agent has subscribed to the application's connection state, the application notifies the security agent of the access connection set-up request in advance, triggering the security agent module to construct and send an SPA authentication packet. On receiving the packet, the SDP policy controller authenticates it; if authentication passes, it then performs authorization and, according to the authorization result, notifies the network firewall to create the first access control rule: an access control rule (ACL RULE) on the 4-tuple characteristics source IP address + target IP address + target service port + protocol type, i.e. the service is allowed to be exposed to this terminal. At the same time, the system sets a timeout window for the first access control rule; if the timeout expires, the first access control rule is forcibly aged out and deleted, so that the service returns to its hidden state, and processing ends.
Step 3: The terminal application, acting as a client, starts the procedure for establishing the access session connection with the server on the network side and successfully establishes the session connection before the first access control rule ages out.
Step 4: Through the application's subscription notification mechanism, the terminal-side security agent module learns from the terminal application that the access session connection has been established successfully; it records the characteristic information of the session connection, for example the connection's 5-tuple (source IP + source port + target IP + service port + protocol type), and constructs a connection-established notification message to notify the SDP policy controller. Optionally, the connection-established notification message may be protected for confidentiality and integrity with the credentials inherent between the terminal and the SDP policy controller, using the same mechanism as for protecting the SPA authentication packet.
Step 5: On receiving the connection-established notification message, the SDP policy controller, if the packet is security-protected, decrypts it, verifies its integrity and recovers the plaintext; it then performs network admission adjustment according to the message content, i.e. it notifies the network firewall to add an access control rule entry corresponding strictly to the characteristics of the established session connection, that is, the second access control rule corresponding to the 5-tuple of the established session connection (source IP + source port + target IP + service port + protocol type), and to delete the first access control rule used for exposing the service port described in step 2.
Optionally, to handle the abnormal case in which a later network outage or a failure of the terminal leaves the security agent unable to notify the SDP controller that the access session connection has terminated abnormally, so that the second access control rule it created can never be deleted, the SDP controller and the network firewall may add a protection mechanism: an aging timeout window is set for the second access control rule, and when the timeout occurs and no packet matching the rule has passed during the subsequent several statistical periods, the network firewall may delete the second access control rule on its own.
At this point the network firewall allows only the packets of the established access session connection to pass; and since admission through the exposed service port has been closed, the service port returns to its hidden state. Because the second access control rule is a stricter admission rule than the first, allowing only the packets of the legitimate application's connection session through, replacing the first rule with the second effectively prevents a malicious attacker from exploiting the exposed service port to forge source IP addresses, or exploiting the uncertainty of the source port, to forge packets that bypass the network firewall and attack the network service; it also makes the time the service port is exposed coincide exactly with the time actually spent establishing the connection, leaving a malicious attacker no extra time window for probing attacks.
Step 6: When the access session between the terminal application and the network service ends, the security agent, monitoring in real time through the application's subscription notification mechanism, perceives the termination of the session connection and constructs a connection-terminated notification message to notify the SDP policy controller; the message contains the characteristic information of that session connection, namely the 5-tuple of the session connection (source IP + source port + target IP + service port + protocol type). Optionally, the connection-terminated notification message may be protected for confidentiality and integrity with the credentials inherent between the terminal and the SDP policy controller, using the same mechanism as for protecting the SPA authentication packet.
Step 7: On receiving the connection-terminated notification message, the SDP policy controller, if the packet is security-protected, decrypts it, verifies its integrity and recovers the plaintext; it then performs network admission adjustment again according to the message content, notifying the network firewall to delete the second access control rule corresponding to that connection.
At this point, as the legitimate terminal application's single access to the network service ends, the network firewall adjusts its admission rules in step with it and drops any packet matching the characteristics of that access, thereby preventing forgery and replay attacks.
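The rule lifecycle of steps S201 to S202, as walked through in Embodiments 1 and 2, modelled as an added example that is not part of the patent or of ZTE's implementation; it assumes a default-drop firewall, a shared-secret lookup standing in for the SPA verification, and constructed addresses, ports and credentials:

```python
from collections import namedtuple

# Five-tuple of one IP packet (field names are this example's own).
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto")

class Firewall:
    """Default-drop firewall: a packet passes only if some rule matches every field it names."""
    def __init__(self):
        self.rules = {}  # rule_id -> {field: value}; fields a rule omits are unrestricted

    def allows(self, pkt: Packet) -> bool:
        return any(all(getattr(pkt, k) == v for k, v in r.items()) for r in self.rules.values())

class PolicyController:
    def __init__(self, fw: Firewall, credentials: dict):
        self.fw, self.credentials = fw, credentials  # assumed: terminal IP -> shared secret

    def on_spa(self, term_ip, srv_ip, srv_port, proto, credential) -> bool:
        # Step 2: verify the SPA packet, then expose the port with the first (4-tuple)
        # rule; the terminal's source port is deliberately left unrestricted.
        if self.credentials.get(term_ip) != credential:
            return False
        self.fw.rules[("first", term_ip, srv_ip, srv_port, proto)] = dict(
            src_ip=term_ip, dst_ip=srv_ip, dst_port=srv_port, proto=proto)
        return True

    def on_connected(self, conn: Packet) -> None:
        # Step 5: pin the session with a 5-tuple second rule and delete the first rule,
        # so the service port is hidden again as soon as the session exists.
        self.fw.rules[("second", conn)] = conn._asdict()
        self.fw.rules.pop(("first", conn.src_ip, conn.dst_ip, conn.dst_port, conn.proto), None)

    def on_terminated(self, conn: Packet) -> None:
        # Step 7: remove the session rule; packets with this 5-tuple are dropped again.
        self.fw.rules.pop(("second", conn), None)

def run_scenario() -> list:
    """Walk the steps of Embodiment 1 with constructed addresses; returns firewall verdicts."""
    fw = Firewall()
    ctl = PolicyController(fw, {"10.0.0.5": "cred-A"})
    syn = Packet("10.0.0.5", 51234, "203.0.113.10", 443, "TCP")   # legitimate session
    spoof = Packet("10.0.0.9", 51234, "203.0.113.10", 443, "TCP") # forged source IP
    other = Packet("10.0.0.5", 60000, "203.0.113.10", 443, "TCP") # same host, other port
    verdicts = [fw.allows(syn)]                                # default drop: False
    ctl.on_spa("10.0.0.5", "203.0.113.10", 443, "TCP", "cred-A")
    verdicts += [fw.allows(syn), fw.allows(spoof), fw.allows(other)]  # True, False, True
    ctl.on_connected(syn)
    verdicts += [fw.allows(syn), fw.allows(other)]             # True, False
    ctl.on_terminated(syn)
    return verdicts + [fw.allows(syn)]                         # False
```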
The access control method provided by the embodiments of this disclosure achieves at least the following beneficial effects:
1. It improves the single-packet-authorization-based access control method of the existing SDP framework. By embedding in the accessing terminal a security agent module that can sense the state of the terminal application's access to network services, and through that module's interaction with the SDP policy controller and the network firewall, the opening and closing of the corresponding access control rules on the network firewall are controlled precisely, which improves the concealment of network services and leaves a malicious attacker no extra time window for probing and attack.
2. Over the whole life cycle of the terminal application's access to the network service, during both the creation of the access connection and the maintenance of the access connection session, different types of access control rules are dynamically maintained on the network firewall in step with the access, so that the network firewall protects legitimate network access traffic over its full life cycle, with the protection window strictly synchronized with the actual access. This not only ensures that the network firewall's protection of each network access runs strictly through the whole life cycle of that access, improving access security, but also makes the access control policy take effect efficiently and fully automatically, without manual configuration of the network firewall.
3. By monitoring state changes of the network access session connection on the terminal side and adjusting the access control rules on the network firewall in step with them, the method truly reflects the scenarios and needs of legitimate terminal applications accessing network services, avoids being deceived by network access packets forged by a malicious attacker, and improves the trustworthiness of the SDP system.
Referring to Fig. 9, Fig. 9 is a schematic structural block diagram of a terminal according to an embodiment of this disclosure.
As shown in Fig. 9, the terminal 300 includes a processor 301 and a memory 302, which are connected by a bus 303, for example an I2C (Inter-Integrated Circuit) bus.
Specifically, the processor 301 provides computing and control capability and supports the operation of the whole terminal. The processor 301 may be a central processing unit (CPU); it may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
Specifically, the memory 302 may be a flash chip, a read-only memory (ROM) disk, an optical disc, a USB flash drive, a removable hard disk, or the like.
Those skilled in the art will understand that the structure shown in Fig. 9 is merely a block diagram of the parts relevant to the solution of the embodiments of this disclosure and does not limit the terminal to which that solution is applied; a specific server may include more or fewer components than shown, combine certain components, or arrange the components differently.
The processor is configured to run a computer program stored in the memory and, when executing the computer program, to implement any of the access control methods provided by the embodiments of this disclosure.
In one embodiment, the processor is configured to run the computer program stored in the memory and, when executing the computer program, to implement the following steps:
when initiating access to a target server, sending a single-packet authorization authentication packet to the policy controller, so that the policy controller, according to the verification result of the single-packet authorization authentication packet, notifies the network firewall to generate a first access control rule; where the first access control rule is used for the target server to expose a service port to the terminal;
establishing a session connection with the target server based on the first access control rule, and sending a connection-established notification message to the policy controller, so that the policy controller notifies the network firewall to generate a second access control rule and delete the first access control rule; where the second access control rule is used for the target server to perform admission management for the terminal's application.
In one embodiment, when implementing the access control method, the processor is configured to: when the session connection with the target server terminates, send a connection-terminated notification message to the policy controller, so that the policy controller notifies the network firewall to delete the second access control rule.
In one embodiment, when implementing the access control method, the processor is configured to: monitor the access behaviour and access state of the terminal's application towards the target server by making API calls to the terminal's operating system and/or by subscribing to the notification mechanism of the terminal's application.
In one embodiment, when implementing the access control method, the processor is configured such that: the first access control rule includes the target server's IP address, the service port and the protocol type; the second access control rule includes the terminal's IP address, the terminal's source port, the target server's IP address, the service port and the protocol type.
It should be noted that those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working process of the terminal described above can be found in the corresponding process of the foregoing access control method embodiments and is not repeated here.
An embodiment of this disclosure further provides an access control system including a terminal, a policy controller, a network firewall and a target server, which together execute the computer program to implement any of the access control methods provided by the embodiments of this disclosure.
In one embodiment, the access control system is configured to run a computer program stored in memory and, when executing the computer program, to implement the following steps:
when the terminal initiates access to the target server, sending a single-packet authorization authentication packet to the policy controller;
the policy controller, according to the verification result of the single-packet authorization authentication packet, notifying the network firewall to generate a first access control rule; where the first access control rule is used for the target server to expose a service port to the terminal;
the terminal establishing a session connection with the target server based on the first access control rule and sending a connection-established notification message to the policy controller;
the policy controller notifying the network firewall to generate a second access control rule and delete the first access control rule; where the second access control rule is used for the target server to perform admission management for the terminal's application.
In one embodiment, when implementing the access control method, the access control system is configured to: when the session connection between the terminal and the target server terminates, send a connection-terminated notification message to the policy controller; and the policy controller notifies the network firewall to delete the second access control rule.
In one embodiment, when implementing the access control method, the access control system is configured to: apply encryption protection and integrity verification to the messages between the terminal and the policy controller; where the messages include the connection-established notification message and the connection-terminated notification message.
In one embodiment, when implementing the access control method, the access control system is configured to: after the network firewall generates an access control rule, if no packet matching the access control rule is received within a preset period, start a timer; if, after the timer expires, still no packet matching the access control rule has been received, the network firewall automatically deletes the access control rule; where the access control rule includes the first access control rule and the second access control rule.
In one embodiment, when implementing the access control method, the access control system is configured such that: the first access control rule includes the target server's IP address, the service port and the protocol type; the second access control rule includes the terminal's IP address, the terminal's source port, the target server's IP address, the service port and the protocol type.
An embodiment of this disclosure further provides a computer-readable storage medium storing one or more programs, which can be executed by one or more processors to implement the steps of any of the access control methods provided in the description of the embodiments of this disclosure.
The storage medium may be an internal storage unit of the terminal described in the foregoing embodiments, for example the terminal's hard disk or memory. The storage medium may also be an external storage device of the terminal, for example a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card provided on the terminal.
Those of ordinary skill in the art will understand that all or some of the steps of the methods disclosed above, and the functional modules/units of the systems and apparatuses, may be implemented as software, firmware, hardware, or appropriate combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the description above does not necessarily correspond to the division of physical components; for example, one physical component may have several functions, or one function or step may be performed jointly by several physical components. Some or all physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor or microprocessor, or as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules or other data). Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile discs (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
It should be understood that the term "and/or" used in the description and the appended claims of this disclosure refers to any and all possible combinations of one or more of the associated listed items, and includes those combinations. It should be noted that, herein, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or system that comprises that element.
The serial numbers of the embodiments of this disclosure above are for description only and do not indicate the merits of the embodiments. The foregoing are merely specific embodiments of this disclosure, but the scope of protection of this disclosure is not limited to them; any person skilled in the art can readily conceive of various equivalent modifications or substitutions within the technical scope disclosed herein, and all such modifications or substitutions shall fall within the scope of protection of this disclosure. Therefore, the scope of protection of this disclosure shall be defined by the claims.
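The rule-aging protection just described (a preset idle period, then a timer, then automatic deletion), which is also what lets the second rule of Embodiments 1 and 2 disappear when the terminal fails before its agent can send the termination notice, as an added example that is not part of the patent; the rule identifier, the 30 s period, the 60 s timer and the event timeline are constructed:

```python
class AgingRule:
    """One firewall rule with the idle-aging protection: if no packet matched the
    rule within `idle_period` seconds, a timer of `timeout` seconds is started; if
    the timer expires with still no match, the rule deletes itself. A match at
    any time clears the timer, so a rule that carries live traffic never ages out."""

    def __init__(self, rule_id, idle_period: float, timeout: float, created_at: float):
        self.rule_id = rule_id
        self.idle_period, self.timeout = idle_period, timeout
        self.last_match = created_at        # creation starts the idle clock
        self.timer_started_at = None
        self.deleted = False

    def on_match(self, now: float) -> None:
        """A packet matched the rule: record activity and cancel any running timer."""
        if not self.deleted:
            self.last_match, self.timer_started_at = now, None

    def tick(self, now: float) -> str:
        """Periodic check by the firewall; returns 'active', 'timer_running' or 'deleted'."""
        if self.deleted:
            return "deleted"
        if self.timer_started_at is None:
            if now - self.last_match < self.idle_period:
                return "active"
            self.timer_started_at = now     # preset period elapsed without a match
            return "timer_running"
        if now - self.timer_started_at < self.timeout:
            return "timer_running"
        self.deleted = True                 # timer expired and still no match
        return "deleted"

def simulate(events: list) -> list:
    """Drive one second rule (idle period 30 s, timer 60 s) through constructed
    events of the form ('tick', t) or ('match', t); returns (t, state) per tick."""
    rule = AgingRule("second-rule", idle_period=30, timeout=60, created_at=0)
    states = []
    for kind, t in events:
        if kind == "match":
            rule.on_match(t)
        else:
            states.append((t, rule.tick(t)))
    return states

# Constructed scenario: the terminal crashed right after its last packet at t=20,
# so the agent never sent the termination notice; the firewall ages the rule out.
CRASHED_TERMINAL = [("tick", 10), ("match", 20), ("tick", 40), ("tick", 50),
                    ("tick", 100), ("tick", 110), ("tick", 120)]
```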

Claims (12)

  1. An access control method, applied to a terminal, comprising:
    when initiating access to a target server, sending a single-packet authorization authentication packet to a policy controller, so that the policy controller, according to the verification result of the single-packet authorization authentication packet, notifies a network firewall to generate a first access control rule; where the first access control rule is used for the target server to expose a service port to the terminal;
    establishing a session connection with the target server based on the first access control rule, and sending a connection-established notification message to the policy controller, so that the policy controller notifies the network firewall to generate a second access control rule and delete the first access control rule; where the second access control rule is used for the target server to perform admission management for the application of the terminal.
  2. The access control method according to claim 1, wherein, after the step of establishing a session connection with the target server based on the first access control rule, the method further comprises:
    when the session connection with the target server terminates, sending a connection-terminated notification message to the policy controller, so that the policy controller notifies the network firewall to delete the second access control rule.
  3. The access control method according to claim 1, wherein, before initiating access to the target server, the method further comprises:
    monitoring the access behaviour and access state of the application of the terminal towards the target server by making API calls to the operating system of the terminal and/or by subscribing to a notification mechanism of the application of the terminal.
  4. The access control method according to any one of claims 1 to 3, wherein
    the first access control rule comprises: the IP address of the target server, the service port and a protocol type;
    the second access control rule comprises: the IP address of the terminal, the source port of the terminal, the IP address of the target server, the service port and the protocol type.
  5. An access control method, applied to an access control system comprising a terminal, a policy controller, a network firewall and a target server, the method comprising:
    when the terminal initiates access to the target server, sending a single-packet authorization authentication packet to the policy controller;
    the policy controller, according to the verification result of the single-packet authorization authentication packet, notifying the network firewall to generate a first access control rule; where the first access control rule is used for the target server to expose a service port to the terminal;
    the terminal establishing a session connection with the target server based on the first access control rule, and sending a connection-established notification message to the policy controller;
    the policy controller notifying the network firewall to generate a second access control rule and delete the first access control rule; where the second access control rule is used for the target server to perform admission management for the application of the terminal.
  6. The access control method according to claim 5, further comprising:
    when the session connection between the terminal and the target server terminates, sending a connection-terminated notification message to the policy controller;
    the policy controller notifying the network firewall to delete the second access control rule.
  7. The access control method according to claim 6, further comprising:
    applying encryption protection and integrity verification to the messages between the terminal and the policy controller;
    where the messages comprise the connection-established notification message and the connection-terminated notification message.
  8. The access control method according to claim 5, further comprising:
    after the network firewall generates an access control rule, if no packet matching the access control rule is received within a preset period, starting a timer, and if, after the timer expires, still no packet matching the access control rule has been received, the network firewall automatically deleting the access control rule;
    where the access control rule comprises the first access control rule and the second access control rule.
  9. The access control method according to any one of claims 5 to 8, wherein
    the first access control rule comprises: the IP address of the target server, the service port and a protocol type;
    the second access control rule comprises: the IP address of the terminal, the source port of the terminal, the IP address of the target server, the service port and the protocol type.
  10. A terminal, comprising a processor, a memory, a computer program stored on the memory and executable by the processor, and a data bus for connection and communication between the processor and the memory, wherein the computer program, when executed by the processor, implements the steps of the access control method according to any one of claims 1 to 4.
  11. An access control system, comprising a terminal, a policy controller, a network firewall and a target server, which together execute the steps of the access control method according to any one of claims 5 to 9.
  12. A computer-readable storage medium storing one or more programs, which can be executed by one or more processors to implement the steps of the access control method according to any one of claims 1 to 9.
PCT/CN2022/140814 2021-12-22 2022-12-21 Access control method, access control system, terminal and storage medium WO2023116791A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111582807.7 2021-12-22
CN202111582807.7A CN116346375A (zh) 2021-12-22 2021-12-22 Access control method, access control system, terminal and storage medium

Publications (1)

Publication Number Publication Date
WO2023116791A1 true WO2023116791A1 (zh) 2023-06-29

Also Published As

Publication number Publication date
CN116346375A (zh) 2023-06-27

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22910103

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE