CN118802149A - Access processing method and device based on zero-trust network, electronic device, and medium - Google Patents
- Publication number: CN118802149A (application CN202310425078.7A)
- Authority: CN (China)
- Prior art keywords: zero, trust, login, ticket, pseudo
- Prior art date
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
Abstract
Embodiments of the present application disclose an access processing method and device based on a zero-trust network, an electronic device, and a medium. The method, applied to a zero-trust terminal, includes: obtaining login configuration information from a zero-trust server, where the login configuration information is generated after an abnormality in the login service of the zero-trust network is detected and includes pseudo-login execution condition information; determining, based on the login configuration information, whether the zero-trust terminal satisfies the conditions for a pseudo-login; and, when the zero-trust terminal satisfies the conditions for executing a pseudo-login, generating a local access ticket and sending the access session traffic together with the local access ticket to a zero-trust gateway, so that the zero-trust gateway forwards the access session traffic to the business server after independently verifying the local access ticket. The present application keeps user network access working when the login service is abnormal, and thereby improves the availability of the zero-trust network architecture.
Description
Technical Field
The present application relates to the field of network security technology, and specifically to an access processing method and device based on a zero-trust network, an electronic device, and a computer-readable storage medium.
Background Art
With the continuous rise of emerging technologies such as cloud computing, big data and the Internet of Things, enterprise Internet architecture is shifting from "bounded" to "borderless", and the traditional firewall-based security perimeter is gradually dissolving. At the same time, zero-trust security has come into view as a new concept and a new architecture for addressing the network security problems of this new era. In a zero-trust network, every request for a network resource must come from an authenticated and authorized user.
In the existing zero-trust network access architecture, when a user's network access is interrupted because of the actual environment or because a dependent service or component fails, it is assumed that the login service between the zero-trust terminal and the zero-trust server is working and that the zero-trust gateway cluster is healthy. Methods such as generating a virtual ticket on the zero-trust terminal side, having the zero-trust server automatically pass traffic through, or having the security terminal generate a ticket then deliver traffic securely to the zero-trust gateway in the abnormal scenario, and the zero-trust gateway forwards the traffic to the business server as usual, so that enterprise network access remains usable. However, in the scenario where the login service between the zero-trust terminal and the zero-trust server is itself abnormal, the user's network access is directly affected, and the availability of the zero-trust network access architecture is low.
Summary of the Invention
To solve the above technical problems, embodiments of the present application respectively provide an access processing method based on a zero-trust network, an access processing device based on a zero-trust network, an electronic device, a computer-readable storage medium, and a computer program product.
In a first aspect, an embodiment of the present application provides an access processing method based on a zero-trust network, applied to a zero-trust terminal. The method includes: obtaining login configuration information from a zero-trust server, where the login configuration information is generated after an abnormality in the login service of the zero-trust network is detected and includes pseudo-login execution condition information; determining, based on the login configuration information, whether the zero-trust terminal satisfies the conditions for a pseudo-login; and, when the zero-trust terminal satisfies the conditions for executing a pseudo-login, generating a local access ticket and sending the access session traffic together with the local access ticket to a zero-trust gateway, so that the zero-trust gateway forwards the access session traffic to a business server after independently verifying the local access ticket.
In a second aspect, an embodiment of the present application provides an access processing device based on a zero-trust network, configured on a zero-trust terminal. The device includes: an acquisition module, configured to obtain login configuration information from a zero-trust server, where the login configuration information is generated after an abnormality in the login service of the zero-trust network is detected and includes pseudo-login execution condition information; a determination module, configured to determine, based on the login configuration information, whether the zero-trust terminal satisfies the conditions for executing a pseudo-login; and a first processing module, configured to generate a local access ticket if the zero-trust terminal satisfies the conditions for executing a pseudo-login, and to send the access session traffic together with the local access ticket to a zero-trust gateway, so that the zero-trust gateway forwards the access session traffic to a business server after independently verifying the local access ticket.
In a third aspect, an embodiment of the present application provides another access processing method based on a zero-trust network, applied to a zero-trust server. The method includes: receiving indication information sent by a zero-trust management end, the indication information indicating that an abnormality has occurred in the login service of the zero-trust network; in response to the indication information, notifying a zero-trust gateway to enter an independent ticket verification state; and, after receiving the response information returned by the zero-trust gateway, sending login configuration information to a zero-trust terminal, the login configuration information including pseudo-login execution condition information, so that the zero-trust terminal sends the access session traffic and a local access ticket to the zero-trust gateway based on the login configuration information, and the zero-trust gateway forwards the access session traffic to a business server after independently verifying the local access ticket.
In a fourth aspect, an embodiment of the present application provides another access processing device based on a zero-trust network, configured on a zero-trust server. The device includes: a first receiving module, configured to receive indication information sent by a zero-trust management end, the indication information indicating that an abnormality has occurred in the login service of the zero-trust network; a notification module, configured to notify a zero-trust gateway to enter an independent ticket verification state in response to the indication information; and a second processing module, configured to send login configuration information to a zero-trust terminal after receiving the response information returned by the zero-trust gateway, the login configuration information including pseudo-login execution condition information, so that the zero-trust terminal sends the access session traffic and a local access ticket to the zero-trust gateway based on the login configuration information, and the zero-trust gateway forwards the access session traffic to a business server after independently verifying the local access ticket.
In a fifth aspect, an embodiment of the present application provides another access processing method based on a zero-trust network, applied to a zero-trust gateway. The method includes: in response to first notification information sent by a zero-trust server, entering an independent ticket verification state and sending response information to the zero-trust server; receiving access session traffic and a local access ticket sent by a zero-trust terminal, where the local access ticket is generated after the zero-trust terminal determines, based on login configuration information sent by the zero-trust server, that it satisfies the conditions for executing a pseudo-login, and the login configuration information includes pseudo-login execution condition information; and independently verifying the local access ticket and forwarding the access session traffic to a business server after the verification passes.
In a sixth aspect, an embodiment of the present application provides another access processing device based on a zero-trust network, configured on a zero-trust gateway. The device includes: a response module, configured to enter an independent ticket verification state in response to first notification information sent by a zero-trust server and to send response information to the zero-trust server; a second receiving module, configured to receive access session traffic and a local access ticket sent by a zero-trust terminal, where the local access ticket is generated after the zero-trust terminal determines, based on login configuration information sent by the zero-trust server, that it satisfies the conditions for executing a pseudo-login, and the login configuration information includes pseudo-login execution condition information; and a third processing module, configured to independently verify the local access ticket and to forward the access session traffic to a business server after the verification passes.
In a seventh aspect, an embodiment of the present application provides an electronic device, including: one or more processors; and a memory for storing one or more programs which, when executed by the one or more processors, cause the electronic device to implement the steps of the access processing method based on a zero-trust network according to any of the preceding aspects.
In an eighth aspect, an embodiment of the present application provides a computer-readable storage medium having computer-readable instructions stored thereon which, when executed by a processor of a computer, cause the computer to perform the steps of the access processing method based on a zero-trust network according to any of the above aspects.
In a ninth aspect, an embodiment of the present application provides a computer program product including a computer program which, when executed by a processor, implements the steps of the access processing method based on a zero-trust network according to any of the above aspects.
In the technical solution provided by the embodiments of the present application, when the login service is abnormal, the zero-trust server sends the zero-trust terminal login configuration information containing pseudo-login execution condition information. The zero-trust terminal uses the login configuration information to determine whether it satisfies the conditions for executing a pseudo-login required by the zero-trust server and, if so, sends the access session traffic and the locally generated access ticket to the zero-trust gateway, which forwards the access session traffic to the business server after independently verifying the local access ticket. This amounts to sending a special switch to the zero-trust terminal and the zero-trust gateway over a special channel: the zero-trust terminal enters a pseudo-login state and, in coordination, the zero-trust gateway enters an independent ticket verification state, so that the zero-trust terminal can still deliver access session traffic to the zero-trust gateway and the zero-trust gateway can still deliver it to the business server. Normal user network access is thereby preserved, and the availability of the zero-trust network architecture is improved.
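The exchange summarised in the aspects above involves four parties (management end, server, gateway, terminal) whose message order matters: the gateway must acknowledge the independent-verification state before the server hands the terminal any login configuration, the terminal only mints a local ticket when it meets the server's conditions, and the gateway only honours local tickets while in that state. The following simulation is an added example and is not code from the patent or its applicant; the shape of the condition information (a maximum age of the last successful login and a minimum client version), the ticket fields, and the use of a per-device secret provisioned at enrollment and mirrored at the gateway so it can verify tickets without the ticket centre are all assumptions made here.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed device-key registry (assumption): each terminal holds a device
# secret provisioned at enrollment, and the gateway holds the same registry, so
# it can verify a locally generated ticket without reaching the ticket centre.
DEVICE_KEYS = {"dev-01": b"constructed-device-secret-01",
               "dev-02": b"constructed-device-secret-02"}


def ticket_mac(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over canonical JSON so terminal and gateway MAC identical bytes."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


@dataclass
class ZeroTrustGateway:
    device_keys: dict
    independent_verification: bool = False
    forwarded: list = field(default_factory=list)

    def notify(self, notification: dict) -> dict:
        # First notification from the server: enter independent ticket verification and acknowledge.
        if notification.get("type") == "enter_independent_verification":
            self.independent_verification = True
            return {"ok": True, "state": "independent_verification"}
        return {"ok": False}

    def verify_local_ticket(self, ticket: dict, now: float) -> bool:
        if not self.independent_verification:
            return False  # outside the fallback state a local ticket is never accepted
        body = {k: v for k, v in ticket.items() if k != "mac"}
        key = self.device_keys.get(body.get("device_id"))
        if key is None:
            return False
        if not hmac.compare_digest(ticket_mac(key, body), str(ticket.get("mac", ""))):
            return False
        return body["issued_at"] <= now < body["expires_at"]

    def handle(self, traffic: bytes, ticket: dict, now: float) -> str:
        if self.verify_local_ticket(ticket, now):
            self.forwarded.append(traffic)  # stands in for forwarding to the business server
            return "forwarded"
        return "rejected"


@dataclass
class ZeroTrustServer:
    gateway: ZeroTrustGateway

    def on_indication(self, indication: dict, now: float) -> Optional[dict]:
        """Indication from the management end that the login service is abnormal."""
        if indication.get("login_service") != "abnormal":
            return None
        ack = self.gateway.notify({"type": "enter_independent_verification"})
        if not ack.get("ok"):
            return None  # no login configuration is issued until the gateway has acknowledged
        # Assumed shape of the pseudo-login execution condition information.
        return {"pseudo_login_conditions": {"max_login_age_s": 8 * 3600, "min_client_version": 3},
                "ticket_ttl_s": 900, "issued_at": now}


@dataclass
class ZeroTrustTerminal:
    user: str
    device_id: str
    client_version: int
    last_login_at: float

    def meets_conditions(self, cfg: dict, now: float) -> bool:
        c = cfg["pseudo_login_conditions"]
        return (now - self.last_login_at <= c["max_login_age_s"]
                and self.client_version >= c["min_client_version"])

    def make_local_ticket(self, cfg: dict, now: float) -> Optional[dict]:
        if not self.meets_conditions(cfg, now):
            return None  # terminal does not qualify for a pseudo-login
        body = {"user": self.user, "device_id": self.device_id, "pseudo_login": True,
                "issued_at": now, "expires_at": now + cfg["ticket_ttl_s"]}
        return {**body, "mac": ticket_mac(DEVICE_KEYS[self.device_id], body)}


def run_scenario(now: float = 1_700_000_000.0) -> dict:
    """Walk the exchange end to end and return each outcome for inspection."""
    gateway = ZeroTrustGateway(DEVICE_KEYS)
    server = ZeroTrustServer(gateway)
    cfg = server.on_indication({"login_service": "abnormal"}, now)
    fresh = ZeroTrustTerminal("alice", "dev-01", 3, now - 3600)     # logged in an hour ago
    stale = ZeroTrustTerminal("bob", "dev-02", 3, now - 2 * 86400)  # last login two days ago
    ticket = fresh.make_local_ticket(cfg, now)
    tampered = {**ticket, "user": "admin"}                          # body edited after MACing
    cold_gateway = ZeroTrustGateway(DEVICE_KEYS)                    # never told to enter fallback
    return {
        "gateway_state": gateway.independent_verification,
        "fresh_result": gateway.handle(b"GET /app HTTP/1.1", ticket, now),
        "stale_ticket": stale.make_local_ticket(cfg, now),
        "tampered_result": gateway.handle(b"GET /admin HTTP/1.1", tampered, now),
        "expired_result": gateway.handle(b"GET /app HTTP/1.1", ticket, now + 1000),
        "cold_gateway_result": cold_gateway.handle(b"GET /app HTTP/1.1", ticket, now),
    }


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

The scenario exercises the failure modes a reviewer of such a design would ask about: a terminal whose last login is older than the configured window gets no ticket at all, a ticket whose body is altered after the MAC is computed is rejected, a ticket presented after its TTL is rejected, and a gateway that was never switched into the independent-verification state rejects even a valid local ticket, so the fallback path cannot be used while the login service is healthy.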
It should be understood that the foregoing general description and the following detailed description are exemplary and explanatory only and do not limit the present application.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram of an exemplary application scenario based on a zero-trust network;
FIG. 2 is a schematic diagram of an exemplary zero-trust network architecture;
FIG. 3 is a schematic diagram of an exemplary zero-trust gateway configuration interface;
FIG. 4 is a schematic diagram of an exemplary policy management configuration interface;
FIG. 5 is a schematic diagram of an exemplary accessible business system configuration interface;
FIG. 6 is a schematic diagram of an exemplary configuration interface for trusted applications in a zero-trust network;
FIG. 7 is a schematic diagram of an exemplary zero-trust client login interface;
FIG. 8 is a flowchart of an access processing method based on a zero-trust network according to an exemplary embodiment of the present application;
FIG. 9 is a flowchart of an access processing method based on a zero-trust network further proposed on the basis of the embodiment shown in FIG. 8;
FIG. 10 is a flowchart of an access processing method based on a zero-trust network further proposed on the basis of the embodiment shown in FIG. 8;
FIG. 11 is a flowchart of an access processing method based on a zero-trust network according to another exemplary embodiment of the present application;
FIG. 12 is a flowchart of an access processing method based on a zero-trust network according to another exemplary embodiment of the present application;
FIG. 13 is an interaction flowchart of access processing based on a zero-trust network;
FIG. 14 is a schematic flowchart of a zero-trust terminal initiating zero-trust network access;
FIG. 15 is a block diagram of an access processing device based on a zero-trust network according to an exemplary embodiment of the present application, the device being configured on a zero-trust terminal;
FIG. 16 is a block diagram of an access processing device based on a zero-trust network according to an exemplary embodiment of the present application, the device being configured on a zero-trust server;
FIG. 17 is a block diagram of an access processing device based on a zero-trust network according to an exemplary embodiment of the present application, the device being configured on a zero-trust gateway;
FIG. 18 is a schematic structural diagram of a computer system suitable for implementing the electronic device of an embodiment of the present application.
具体实施方式DETAILED DESCRIPTION
这里将详细地对示例性实施例执行说明,其示例表示在附图中。下面的描述涉及附图时,除非另有表示,不同附图中的相同数字表示相同或相似的要素。以下示例性实施例中所描述的实施方式并不代表与本申请相一致的所有实施方式。相反,它们仅是与如所附权利要求书中所详述的、本申请的一些方面相一致的装置和方法的例子。Here, exemplary embodiments will be described in detail, examples of which are shown in the accompanying drawings. When the following description refers to the drawings, unless otherwise indicated, the same numbers in different drawings represent the same or similar elements. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application. Instead, they are only examples of devices and methods consistent with some aspects of the present application as detailed in the attached claims.
附图中所示的方框图仅仅是功能实体,不一定必须与物理上独立的实体相对应。即,可以采用软件形式来实现这些功能实体,或在一个或多个硬件模块或集成电路中实现这些功能实体,或在不同网络和/或处理器装置和/或微控制器装置中实现这些功能实体。The block diagrams shown in the accompanying drawings are merely functional entities and do not necessarily correspond to physically independent entities. That is, these functional entities may be implemented in software form, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
附图中所示的流程图仅是示例性说明,不是必须包括所有的内容和操作/步骤,也不是必须按所描述的顺序执行。例如,有的操作/步骤还可以分解,而有的操作/步骤可以合并或部分合并,因此实际执行的顺序有可能根据实际情况改变。The flowcharts shown in the accompanying drawings are only exemplary and do not necessarily include all the contents and operations/steps, nor must they be executed in the order described. For example, some operations/steps can be decomposed, and some operations/steps can be combined or partially combined, so the actual execution order may change according to actual conditions.
在本申请中提及的“多个”是指两个或者两个以上。“和/或”描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。字符“/”一般表示前后关联对象是一种“或”的关系。The term "multiple" as used in this application refers to two or more than two. "And/or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and/or B can mean: A exists alone, A and B exist at the same time, and B exists alone. The character "/" generally indicates that the related objects are in an "or" relationship.
本申请的说明书和权利要求书及所述附图中的术语“第一”、“第二”、“第三”和“第四”等是用于区别不同对象,而不是用于描述特定顺序。术语“包括”和“具有”以及它们任何变形,意图在于覆盖不排他的包含。例如包含了一系列步骤或单元的过程、方法、系统、产品或设备没有限定于已列出的步骤或单元,而是可选地还包括没有列出的步骤或单元,或可选地还包括对于这些过程、方法、产品或设备固有的其它步骤或单元。The terms "first", "second", "third" and "fourth" etc. in the specification and claims of the present application and the drawings are used to distinguish different objects, rather than to describe a specific order. The terms "including" and "having" and any variations thereof are intended to cover non-exclusive inclusions. For example, a process, method, system, product or device comprising a series of steps or units is not limited to the listed steps or units, but may optionally include steps or units that are not listed, or may optionally include other steps or units inherent to these processes, methods, products or devices.
如背景技术中所述的,随着云计算、大数据、物联网等新兴技术的不断兴起,企业IT(Internet Technology,互联网技术)架构正在从“有边界”向“无边界”转变,传统的安全边界逐渐瓦解。随着以5G(第五代通信技术)、工业互联网为代表的新基建的不断推进,还会进一步加速“无边界”的进化过程。与此同时,零信任安全逐渐进入人们的视野,成为解决新时代网络安全问题的新理念、新架构。As described in the background technology, with the continuous rise of emerging technologies such as cloud computing, big data, and the Internet of Things, the enterprise IT (Internet Technology) architecture is changing from "bounded" to "borderless", and the traditional security boundaries are gradually disintegrating. With the continuous advancement of new infrastructure represented by 5G (fifth-generation communication technology) and industrial Internet, the evolution of "borderless" will be further accelerated. At the same time, zero-trust security has gradually entered people's field of vision and become a new concept and new architecture for solving network security problems in the new era.
零信任是指一种网络安全防护理念,其关键在于打破默认的“信任”,用一句通俗的话来概括,就是“持续验证,永不信任”。零信任的核心思想是,默认情况下,企业内外部的任何人、事、物均不可信,应在授权前对任何试图接入网络和访问网络资源的人、事、物进行验证。Zero trust refers to a network security protection concept, the key of which is to break the default "trust". In simple terms, it is "continuous verification, never trust". The core idea of zero trust is that by default, anyone, anything, or anything inside or outside the enterprise is untrustworthy, and anyone, anything, or anything that attempts to access the network and network resources should be verified before authorization.
便于理解的,零信任承认了网络环境下传统边界安全架构的不足,认为主机无论处于网络什么位置,都应当被视为互联网主机,它们所在的网络,无论是互联网还是内部网络,都必须被视为充满威胁的危险网络。基于此,零信任网络默认不信任企业网络内外的任何人、设备和系统,基于身份认证和授权重新构建访问控制的信任基础,从而确保身份可信、设备可信、应用可信和链路可信。It is easy to understand that zero trust recognizes the shortcomings of traditional perimeter security architecture in the network environment, and believes that hosts, no matter where they are in the network, should be regarded as Internet hosts, and the networks they are in, whether they are the Internet or internal networks, must be regarded as dangerous networks full of threats. Based on this, the zero trust network defaults to not trusting any person, device, or system inside or outside the enterprise network, and rebuilds the trust foundation of access control based on identity authentication and authorization, thereby ensuring that identities, devices, applications, and links are trusted.
图1是一示例性的基于零信任网络的应用场景示意图,该应用场景包括零信任网络安全服务提供方、访问主体和访问客体。其中,访问主体是指在网络中发起访问的一方,是由人员、设备、应用和服务等因素单一组成或者组合形成的一种数字实体,访问客体是指在网络中被访问的一方。零信任网络安全服务提供方为访问主体通过网络请求访问客体的资源提供统一入口,并为统一入口提供鉴权操作,只有通过鉴权的网络请求才能由代理客户端转发给零信任网关,通过零信任网关代理实际业务系统的访问。Figure 1 is a schematic diagram of an exemplary application scenario based on a zero-trust network, which includes a zero-trust network security service provider, an access subject, and an access object. Among them, the access subject refers to the party that initiates access in the network, which is a digital entity composed of a single or combined combination of factors such as personnel, equipment, applications, and services. The access object refers to the party being accessed in the network. The zero-trust network security service provider provides a unified entrance for the access subject to request access to the object's resources through the network, and provides authentication operations for the unified entrance. Only network requests that pass the authentication can be forwarded by the proxy client to the zero-trust gateway, and the access to the actual business system is proxied through the zero-trust gateway.
图2示意了一种零信任网络的架构示意图,包括零信任管理端210、零信任服务端220、零信任终端230和零信任网关240,其中,零信任终端230上部署有可信应用、零信任客户端和代理客户端,零信任服务端220上部署有策略服务、送检服务、票据中心、认证服务等服务进程。Figure 2 shows a schematic diagram of the architecture of a zero-trust network, including a zero-trust management terminal 210, a zero-trust server 220, a zero-trust terminal 230 and a zero-trust gateway 240, wherein the zero-trust terminal 230 is deployed with trusted applications, zero-trust clients and proxy clients, and the zero-trust server 220 is deployed with service processes such as policy services, inspection services, ticket centers, and authentication services.
需要理解的是,零信任管理端210提供针对零信任网络进行配置的界面,用于对零信任网络进行配置,例如进行零信任访问控制策略的配置、进行零信任网关240的配置等。可以理解的,零信任访问控制策略由用户可使用的进程信息(即可信应用,是由零信任管理端授信的终端可访问业务资源的应用载体,可由应用名、应用MD5、签名信息等信息标识)以及可访问的业务站点(即可达区域)组成,在权限开通的情况下,用户可通过任何一个可信应用访问到任一个可达区域。因此零信任访问控制策略的粒度是登录用户,可以理解为零信任访问控制策略是为不同的登录用户制定不同的零信任策略。It should be understood that the zero-trust management terminal 210 provides an interface for configuring the zero-trust network, which is used to configure the zero-trust network, such as configuring the zero-trust access control policy, configuring the zero-trust gateway 240, etc. It can be understood that the zero-trust access control policy is composed of process information that can be used by users (i.e., trusted applications, which are application carriers that can access business resources from terminals authorized by the zero-trust management terminal, and can be identified by information such as application name, application MD5, signature information, etc.) and accessible business sites (i.e., reachable areas). When permissions are enabled, users can access any reachable area through any trusted application. Therefore, the granularity of the zero-trust access control policy is the logged-in user, which can be understood as the zero-trust access control policy formulating different zero-trust policies for different logged-in users.
For example, in the zero-trust gateway configuration interface shown in Figure 3, zero-trust gateways in the zero-trust network can be queried, added or deleted in batches. Adding a zero-trust gateway involves the gateway name, gateway setting information, the IP (Internet Protocol) field of the gateway to be accessed preferentially, creation time information, and so on.
As another example, in the policy management configuration interface shown in Figure 4, trusted application configuration and business system configuration can be performed separately for different user accounts. Trusted application configuration allows selecting the operating system the configured application applies to, and also offers a shortcut item under which any application matches the current configuration; business system configuration likewise offers a shortcut item under which all URLs (Uniform Resource Locator) match the current configuration.
As another example, in the accessible business system configuration interface shown in Figure 5, accessible business systems in the zero-trust network can be added by IP range or by domain name, and an added business system can be matched on all ports or on specified ports. The administrator can also configure a different zero-trust gateway for each accessible business system, for example configuring the reachable zero-trust gateway after the intranet resources of the business system have been configured.
Figure 6 shows the configuration interface for a trusted application in the zero-trust network. As can be seen, the configuration of a trusted application includes the process name, signature information, version, process MD5 and SHA-256.
From the configuration interfaces shown above it can be seen that zero-trust access control policies filter traffic on the basis of a combined user account / trusted application / target business system policy, support wildcard domain names, IP ranges and multiple ports, and allow inheritance and extension along the user's organizational structure.
The zero-trust server 220 uses a policy control engine to schedule business traffic securely and grants authorization at the granularity of user / zero-trust terminal / zero-trust client / trusted application. The zero-trust server 220 is responsible for verifying user identity, verifying the hardware information and device security status of the zero-trust terminal 230, and checking the security of trusted applications. The zero-trust server 220 can also periodically submit files to a cloud scanning service center for inspection; if the cloud scanning service center identifies a malicious process, it notifies the zero-trust client to perform an asynchronous blocking operation.
The zero-trust client is a security application installed on the zero-trust terminal 230. It verifies the trusted identity of the user on the zero-trust terminal 230, verifies whether the zero-trust terminal 230 itself is trustworthy, and verifies whether the application initiating the access is trustworthy. If the initiating application process is not trusted, that is, it is an unknown process, the client requests the zero-trust server 220 to submit it for inspection.
Figure 7 is a schematic diagram of an exemplary zero-trust client login interface. When zero-trust office mode is enabled, the end user can log in to the zero-trust client by scanning a code or with an account to use the zero-trust office function. After logging in, the end user can see details of the trusted applications configured and issued by the zero-trust management end. According to the user-level policy issued by the zero-trust management end, the end user can access the business systems configured by the administrator through the specified trusted applications.
The proxy client is a terminal agent deployed on a controlled device that initiates secure access. It initiates the request for trusted identity verification of the access subject and, if the identity is verified as trusted, establishes an encrypted access connection with the zero-trust gateway 240; it is also the enforcement point for access policy control. The proxy client can intercept the business traffic of the zero-trust terminal 230 through a virtual network adapter and, after authentication by the zero-trust client, forward the access request to the zero-trust gateway 240.
The zero-trust gateway 240 is deployed at the entrance to applications and data resources and is responsible for verifying and forwarding each session request that accesses a resource.
It should be understood that the zero-trust terminal 230 may be, without limitation, a smartphone, tablet, laptop, desktop computer, smart speaker, smart watch or similar device. The zero-trust server 220 may be a server, which may be an independent server, a server cluster or distributed system composed of multiple physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, CDN (Content Delivery Network), and big data and artificial intelligence platforms.
It should also be understood that cloud technology is a hosting technology that unifies hardware, software, network and other resources within a wide area network or local area network to compute, store, process and share data. Cloud computing is a computing model that distributes computing tasks over a resource pool made up of a large number of computers, so that application systems can obtain computing power, storage space and information services as needed. The network that provides the resources is called the "cloud". To its users the resources in the "cloud" appear infinitely expandable and can be obtained at any time, used on demand and expanded at any time.
Still referring to Figure 2, under the zero-trust network architecture the overall process by which a zero-trust terminal accesses a business site is as follows:
The access subject initiates a network request for the access object through a trusted application. After the proxy client intercepts the network request, it initiates an authentication request to the zero-trust client, that is, the proxy client applies to the zero-trust client for a credential for the current network request. The request parameters include, for example, the source IP or domain name, source port, destination IP or domain name, destination port, and the process PID (Process Identification) of the trusted application.
Using the process PID sent by the proxy client, the zero-trust client collects the MD5, process path, last modification time, copyright information, signature information and so on of the trusted application's process and, together with the source IP or domain name, source port, destination IP or domain name and destination port passed by the proxy client, applies to the zero-trust server for a ticket. If the application succeeds, the ticket, its maximum number of uses and its validity period are returned to the proxy client as the response. The ticket can be understood as authorization information issued by the zero-trust server for a single network request, identifying the authorization status of that request; when the login service is operating normally, every network request must be authorized by the zero-trust server.
The proxy client sends an HTTPS request to the zero-trust gateway, carrying the network request credential (the ticket) passed by the zero-trust client in the Authorization header field. On receiving the request, the zero-trust gateway parses the ticket out of the header field and asks the zero-trust server to verify it. If verification succeeds, the zero-trust gateway and the proxy client establish a connection; the proxy client then sends the original network request to the zero-trust gateway, which forwards it to the corresponding business server and proxies the actual application network access. If verification fails, the connection between the proxy client and the zero-trust gateway is interrupted. For traffic from applications outside the zero-trust policy to specific sites, the proxy client initiates the network access request directly to the target business server, that is, a direct connection.
From the above process it can be seen that in a zero-trust network every request for a network resource must come from an authenticated and authorized user.
In existing zero-trust network access architectures, when a user's network access is interrupted by environmental causes or by failures of dependent services or components, such as the zero-trust server going down or the IAM (Identity and Access Management) service or login service on the zero-trust server becoming abnormal, the usual remedies assume that the login service between the zero-trust terminal and the zero-trust server is still working and that the zero-trust gateway cluster is healthy. Methods such as generating a virtual ticket on the zero-trust terminal side, having the zero-trust server automatically pass traffic through, or having a security terminal generate the ticket then deliver traffic securely to the zero-trust gateway in the abnormal scenario, and the gateway forwards it to the business server as normal, keeping the user's network access available. When the login service between the zero-trust terminal and the zero-trust server is itself abnormal, however, the user's network access is directly affected, so the availability of the zero-trust network access architecture is low.
To solve the above technical problem, embodiments of the present application provide an access processing method based on a zero-trust network, an access processing device based on a zero-trust network, an electronic device, a computer storage medium and a computer program product. These embodiments are described in detail below.
Referring to Figure 8, Figure 8 is a flowchart of an access processing method based on a zero-trust network according to an exemplary embodiment of the present application.
It should be noted that this embodiment does not modify the architecture of the zero-trust network; the zero-trust network referred to in this embodiment may be the network architecture shown in Figure 2. It should also be noted that the method of this embodiment is executed by a zero-trust terminal in the zero-trust network, such as the zero-trust terminal 230 in Figure 2. The zero-trust terminal is the user terminal, and a trusted application, a zero-trust client and a proxy client are configured on it.
As shown in Figure 8, the method applied to the zero-trust terminal includes S810 to S830, described in detail as follows:
S810: obtain login configuration information from the zero-trust server. The login configuration information is generated after an abnormality in the login service of the zero-trust network is detected, and it includes pseudo-login execution condition information.
An abnormality in the login service of the zero-trust network causes user network access to fail, so when a user network access failure is detected in the zero-trust network it can be further checked whether the login service is abnormal. For example, the zero-trust server going down, or the IAM service or login service on the zero-trust server becoming abnormal, all lead to a login service abnormality in the zero-trust network.
When an abnormality in the login service of the zero-trust network is detected, network access firefighting needs to be started to keep network access available. Specifically, the zero-trust server sends login configuration information to the zero-trust terminal. The login configuration information contains pseudo-login execution condition information, so that the zero-trust terminal enters the pseudo-login state only under the conditions required by the zero-trust server.
Pseudo-login is a login state of a user on the zero-trust terminal that differs from the normal login state. Specifically, in the normal login state, as illustrated by the process of Figure 2, each network access initiated through a trusted application on the zero-trust terminal is intercepted, the proxy client initiates an authentication request to the zero-trust client to obtain the access ticket that the zero-trust client applies for from the zero-trust server, and then sends an HTTPS request to the zero-trust gateway carrying the access ticket in the Authorization header field. The zero-trust gateway asks the zero-trust server to verify the access ticket. If verification succeeds, the zero-trust gateway establishes a connection with the proxy client, the proxy client sends the original network request to the zero-trust gateway, and the gateway forwards it to the corresponding business server, proxying the actual application network access. If verification fails, the connection between the proxy client and the zero-trust gateway is interrupted; for traffic from applications outside the zero-trust policy to specific sites, the proxy client initiates the network access request directly to the target business server, that is, a direct connection.
In this embodiment, the pseudo-login state means that a user who has previously logged in to the zero-trust client, while the login service is abnormal, uses a locally generated local access ticket in place of the access ticket applied for from the zero-trust server. After the local access ticket is sent to the zero-trust gateway, the gateway no longer asks the zero-trust server to verify the ticket but verifies the local access ticket independently, so the login service of the zero-trust server is not used at all. Therefore, when the login service in the zero-trust network is abnormal, putting the zero-trust terminal into the pseudo-login state and, in coordination, putting the zero-trust gateway into a state in which it skips server-side ticket verification (that is, it verifies the terminal's local access ticket independently) ensures that access traffic reaches the zero-trust gateway and is forwarded normally to the business server. This keeps the zero-trust function available and improves the overall availability of the zero-trust network.
The zero-trust server detects a login service abnormality in the zero-trust network either automatically or manually. Automatic detection means the zero-trust server identifies the abnormal login service through a preset program, for example by detecting that it has itself gone down or that its own login service process has been suspended for longer than a preset duration; no limitation is placed on this here. Manual detection means the zero-trust server receives a notification from the zero-trust management end, which the management end sends when it determines from its own check of the login service that the service is abnormal.
The zero-trust terminal obtains the login configuration information from the zero-trust server either actively or passively. Active acquisition means the zero-trust terminal pulls the pseudo-login configuration information from the zero-trust server before the user account logs in, where the user account is the account the zero-trust terminal's user uses to log in to the zero-trust client. Passive acquisition means the zero-trust server pushes the login configuration information to the zero-trust terminal.
S820: determine, based on the login configuration information, whether the zero-trust terminal meets the conditions for performing a pseudo-login.
Since the login configuration information obtained by the zero-trust terminal includes pseudo-login execution condition information, the zero-trust terminal can determine from it whether it meets the conditions for performing a pseudo-login. If it does, it enters the pseudo-login state. If it does not, continued availability of the zero-trust function cannot be guaranteed in the current login service abnormality scenario.
For example, a condition for the zero-trust terminal to perform a pseudo-login is that the user initiating the current network access has previously logged in on this zero-trust terminal; only users who have logged in on the zero-trust terminal before can enter the pseudo-login state, and no others, which preserves network security once the terminal is in the pseudo-login state. Accordingly, the zero-trust terminal looks up its historical login information and compares it with the received login configuration information; if the historical login information satisfies the pseudo-login execution conditions contained in the login configuration information, the zero-trust terminal is determined to meet the conditions for performing a pseudo-login.
S830: when the zero-trust terminal meets the conditions for performing a pseudo-login, generate a local access ticket and send the access session traffic and the local access ticket to the zero-trust gateway, so that the zero-trust gateway, after independently verifying the local access ticket, forwards the access session traffic to the business server.
When the zero-trust terminal meets the conditions for performing a pseudo-login, it enters the pseudo-login state. Specifically, it first generates a local access ticket and then sends the access session traffic and the local access ticket to the zero-trust gateway, so that the zero-trust gateway independently verifies the local access ticket and, once verification passes, forwards the access session traffic to the corresponding business server.
Since the local access ticket is generated locally on the zero-trust terminal without involving the zero-trust server, a login service abnormality in the zero-trust network does not affect its generation. Likewise, verification of the local access ticket by the zero-trust gateway does not involve the zero-trust server, so it too works while the login service in the zero-trust network is abnormal. For example, the local access ticket may include at least one of the user's unique identifier, the application process hash, the local generation time of the ticket and the ticket validity period; no limitation is placed on this here.
Access session traffic is the traffic data associated with the access to business resources on the business server that the zero-trust terminal initiates through a trusted application. After forwarding the access session traffic to the corresponding business server, the zero-trust gateway obtains the business server's response, which includes, for example, the business resources the zero-trust terminal accessed, and returns it to the zero-trust terminal, so that normal user network access is maintained even while the login service is abnormal.
It should be noted that the zero-trust terminal sends the access session traffic and the local access ticket to the zero-trust gateway through the proxy client process, after that process has been started.
From the above it can be seen that the method of this embodiment amounts to sending a special switch to the zero-trust terminal and the zero-trust gateway over a special channel, putting the zero-trust terminal into the pseudo-login state and, in coordination, putting the zero-trust gateway into the independent ticket verification state, so that the zero-trust terminal can still send access session traffic to the zero-trust gateway and the gateway can still forward it to the business server. Normal user network access is thus maintained and the availability of the zero-trust network architecture is improved.
In an exemplary embodiment, generating the local access ticket includes the following steps:
Generate a ticket payload and a ticket signature from the ticket content information, where the ticket content information includes at least one of the user's unique identifier, the ticket generation time, the ticket validity period and the trusted application ciphertext; then generate the local access ticket from the ticket version identifier, the ticket payload and the ticket signature.
In this embodiment, the local access ticket can be generated in a JWT-like (JSON Web Token) format. JWT is an open JSON-based standard for passing claims between network application environments. It specifies the structure of the transmitted data: a complete JWT consists of three segments joined by periods (.), so a conventional JWT has a three-segment form like AAA.BBB.CCC. Accordingly, the local access ticket also has a three-segment format, containing the ticket version identifier, the ticket payload and the ticket signature.
The ticket version identifier must be distinguishable from the version identifier of access tickets issued while the login service is normal, to indicate that this access ticket was generated in the network firefighting scenario and is verified by the zero-trust gateway alone.
The ticket payload is the ticket content and is generated from the ticket content information. For example, the ticket payload can be generated from the user's unique identifier, the trusted application ciphertext, the ticket generation time and the ticket validity period, where the ticket validity period can be set to a default value. Generating the ticket payload can be expressed as:
Base64UrlEncode(uid + application process md5 + ticket generation time + ticket validity period)
Here uid is the user's unique identifier and the application process md5 is the trusted application ciphertext. Base64UrlEncode is a preset encoding scheme suited to data carried over a network; encoding the local access ticket in this way makes it easy to transmit within the zero-trust network.
The ticket signature is used to verify whether the local access ticket was altered in transit to the zero-trust gateway, and it is also generated from the ticket content information shown above. For example, the key agreed between the zero-trust terminal and the zero-trust gateway is obtained, the ticket content information is encoded with the preset encoding scheme, the encoded ticket content information is processed with a keyed cryptographic operation under that key to obtain the ciphertext content, and finally the ciphertext content is encoded with the preset encoding scheme to obtain the ticket signature. Generating the ticket signature can be expressed as:
Base64UrlEncode(hmac_sha256(Base64UrlEncode(ticket content information), key))
Here the ticket content information is the same content information used to generate the ticket payload, so the encoded ticket content Base64UrlEncode(ticket content information) can be understood as the ticket payload. The encoded ticket content is processed with the hmac_sha256 algorithm under the key to obtain the ciphertext content, which is then encoded with Base64UrlEncode to obtain the ticket signature.
For example, the key agreed between the zero-trust terminal and the zero-trust gateway can be generated with the key derivation function PBKDF2. PBKDF2 derives a key through a pseudo-random function; the length of the derived key is essentially unrestricted, and the computation can be set to run for multiple iterations, taking the plaintext and a salt as parameters and finally producing the key. Salting increases the key's resistance to attack. Both the iteration parameter and the salt used in PBKDF2 must be negotiated in advance between the zero-trust terminal and the zero-trust gateway.
与上述本地访问票据的生成过程相对应的,零信任网关独立执行本地访问票据的校验逻辑是:Corresponding to the above-mentioned local access ticket generation process, the zero-trust gateway independently executes the local access ticket verification logic as follows:
首先利用本地访问票据的前两段信息,即票据版本标识和票据有效载荷,使用同样的算法和密钥计算出签名值,然后将该签名值和本地访问票据中的第三段信息,即票据签名,进行对比,如果相同则表示校验通过,表示本地访问票据在传输至零信任网关的过程中未被更改,零信任网络是安全的,从而将访问会话流量转发给对应的业务服务器;反之则校验不通过,表示本地访问票据在传输至零信任网关的过程中被更改,零信任网络存在安全隐患,因此零信任网关不会将访问会话流程转发给业务服务器,以保证零信任网络中业务资源的安全性。First, the first two pieces of information in the local access ticket, namely the ticket version identifier and the ticket payload, are used to calculate the signature value using the same algorithm and key. Then, the signature value is compared with the third piece of information in the local access ticket, namely the ticket signature. If they are the same, the verification is passed, indicating that the local access ticket has not been changed during transmission to the zero-trust gateway, and the zero-trust network is secure, thereby forwarding the access session traffic to the corresponding business server; otherwise, the verification fails, indicating that the local access ticket has been changed during transmission to the zero-trust gateway, and there are security risks in the zero-trust network. Therefore, the zero-trust gateway will not forward the access session process to the business server to ensure the security of business resources in the zero-trust network.
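The signing formula and the gateway-side check above, written out as an added example (not the patent's own code). It assumes the ticket is serialised as three dot-separated segments "version.payload.signature", that the HMAC input is the version segment joined to the encoded payload (the verification step says both segments are used; the formula shows only the payload), and that the PBKDF2 iteration count and salt are constants agreed out of band; all sample values are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for the pre-agreed PBKDF2 parameters (assumption):
# terminal and gateway must both use the same iteration count and salt.
PBKDF2_ITERATIONS = 100_000
PBKDF2_SALT = b"constructed-shared-salt"
TICKET_VERSION = "v1"  # ticket version identifier (constructed value)


def b64url(data: bytes) -> str:
    """Base64UrlEncode without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def derive_shared_key(secret: bytes) -> bytes:
    """PBKDF2 with the pre-agreed iteration count and salt; 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", secret, PBKDF2_SALT, PBKDF2_ITERATIONS)


def encode_payload(content: dict) -> str:
    """Ticket payload = Base64UrlEncode(ticket content information).

    Canonical JSON so terminal and gateway encode identical bytes."""
    raw = json.dumps(content, sort_keys=True, separators=(",", ":")).encode()
    return b64url(raw)


def sign_segments(version: str, payload: str, key: bytes) -> str:
    """Base64UrlEncode(hmac_sha256(version + '.' + payload, key))."""
    signing_input = f"{version}.{payload}".encode("ascii")
    return b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def build_local_ticket(content: dict, key: bytes) -> str:
    """Terminal side: version . payload . signature."""
    payload = encode_payload(content)
    signature = sign_segments(TICKET_VERSION, payload, key)
    return ".".join([TICKET_VERSION, payload, signature])


def gateway_verify(ticket: str, key: bytes) -> bool:
    """Gateway side, independent verification: recompute the signature from
    the first two segments with the same algorithm and key, then compare it
    with the third segment in constant time."""
    parts = ticket.split(".")
    if len(parts) != 3:
        return False
    version, payload, signature = parts
    if version != TICKET_VERSION:
        return False  # unknown version: cannot recompute with the right rules
    expected = sign_segments(version, payload, key)
    return hmac.compare_digest(expected.encode("ascii"), signature.encode("ascii"))


if __name__ == "__main__":
    key = derive_shared_key(b"constructed-terminal-secret")
    ticket = build_local_ticket({"uid": "u-42", "dev": "d-1"}, key)
    print(ticket, gateway_verify(ticket, key))
```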
FIG. 9 is a flowchart of an access processing method based on a zero-trust network that is further proposed on the basis of the embodiment shown in FIG. 8. As shown in FIG. 9, the process of determining, based on the login configuration information, whether the zero-trust terminal meets the conditions for performing a pseudo-login includes S821-S822, and the method further includes S840, described in detail as follows:
S821: detect the pseudo-login execution switch information contained in the login configuration information, where the pseudo-login execution switch information is generated by the zero-trust server after it has notified the zero-trust gateway to enter the independent ticket verification state.
The login configuration information mentioned in this embodiment includes not only the pseudo-login execution condition information but also the pseudo-login execution switch information, which indicates whether the pseudo-login function has been enabled in the zero-trust network.
It should be understood that enabling the pseudo-login function in the zero-trust network requires the zero-trust server to notify the zero-trust gateway to enter the independent ticket verification state; that is, the precondition for enabling pseudo-login is that the zero-trust gateway has entered the independent ticket verification state. The pseudo-login execution switch information is therefore generated by the zero-trust server after it has notified the zero-trust gateway to enter that state.
S822: if the pseudo-login execution switch information indicates that pseudo-login execution is enabled, determine whether the login condition parameters in the zero-trust terminal satisfy the pseudo-login execution condition information contained in the login configuration information; if they do, determine that the zero-trust terminal meets the conditions for performing a pseudo-login.
If the pseudo-login execution switch information indicates that pseudo-login execution is enabled, the zero-trust network has turned on the pseudo-login function, so it is further necessary to determine whether the login condition parameters in the zero-trust terminal satisfy the pseudo-login execution condition information contained in the login configuration information; only when they do is the zero-trust terminal determined to meet the conditions for performing a pseudo-login.
The login condition parameters can be understood as the parameters retrieved from the historical login information of the zero-trust terminal in correspondence with the pseudo-login execution condition information. For example, the pseudo-login execution condition information requires that the login time of the most recent valid login be earlier than a specified time; the corresponding login condition parameter is then the login time of the most recent valid login of the same user on the zero-trust terminal. The pseudo-login execution condition information further requires that the login-related information of the most recent valid login has been backed up in the encrypted persistent store local to the zero-trust terminal; the corresponding login condition parameter is then the information related to the user's most recent valid login that is stored in that local encrypted persistent store.
Exemplarily, the login-related information of the user's most recent valid login includes the user's unique identifier, user name, login ticket and so on, without limitation here. The login ticket is understood to be an encrypted string assigned to the user by the zero-trust server after the user successfully logs in to the zero-trust client; it represents the user's login authorization information, for example the user information and the authorization validity period. The persistent store is understood to be a storage medium, held in a disk file or data file local to the zero-trust terminal, converted from an in-memory data structure or object model; it can be implemented with an encrypted file, an embedded database, and the like.
In an exemplary implementation, whether the login condition parameters in the zero-trust terminal satisfy the pseudo-login execution condition information contained in the login configuration information can be determined by the following process:
obtain the historical login information in the zero-trust terminal;
if it is determined from the historical login information that the login time of the most recent valid login is earlier than the time specified by the pseudo-login condition, and the login-related information of the most recent valid login has been persistently stored locally, then determine that the login condition parameters in the zero-trust terminal satisfy the pseudo-login execution condition information contained in the login configuration information.
As described above, to guarantee security in the zero-trust network when a pseudo-login is performed, the user initiating the current network access must be a user who has previously logged in through the zero-trust client, since the zero-trust server already performed identity authorization for that user at the time of that earlier login. It is therefore necessary to obtain the historical login information in the zero-trust terminal and use it as the login condition parameters, so as to determine from the historical login information whether the current user is one who has logged in before. If the historical login information shows that the login time of the most recent valid login is earlier than the time specified by the pseudo-login condition, and the login-related information of that login has been persistently stored locally, the login condition parameters in the zero-trust terminal are determined to satisfy the pseudo-login execution condition information contained in the login configuration information, and the zero-trust terminal is therefore determined to meet the conditions for performing a pseudo-login.
Put simply, the conditions for the zero-trust terminal to perform a pseudo-login are: the pseudo-login switch delivered by the zero-trust server is on; a user has previously logged in on the zero-trust terminal; the time of that last login is earlier than the specified time; and the login-related information, such as the user's unique identifier, user name and login ticket, has been backed up in the terminal's local encrypted persistent store. If these conditions are met, the zero-trust terminal enters the pseudo-login state directly.
S840: when the zero-trust terminal does not meet the conditions for performing a pseudo-login, perform a regular login; if the regular login succeeds, store the user information and login ticket of this login and enter the regular login state.
If the zero-trust terminal does not meet the conditions for performing a pseudo-login, it cannot enter the pseudo-login state; a regular login is then performed to determine whether the login service in the zero-trust network has been restored. If the regular login succeeds, the user information and login ticket of this login are stored and the regular login state is entered. If the regular login fails, this network access cannot be completed, and a notification indicating a network abnormality can be generated.
It can be understood that a regular login refers to the user login method performed when the login service is operating normally; it may include, for example, QR-code login, multi-factor login or account-password login. During a regular login, after the user successfully logs in to the zero-trust client, the zero-trust server assigns the user an encrypted string (the login credential) representing the user's login authorization information, that is, the zero-trust server has authorized the user to log in on the zero-trust terminal. After the regular login succeeds, the user information and login ticket of this login are stored locally on the zero-trust terminal.
It should be noted that the network access flow of the zero-trust terminal in the regular login state is the flow illustrated in FIG. 2 and is not repeated here.
It can be seen from the above that in the method provided by this embodiment, on the one hand, by including the pseudo-login execution switch information in the login configuration information and having that switch information generated by the zero-trust server only after it has notified the zero-trust gateway to enter the independent ticket verification state, it is guaranteed that by the time the zero-trust terminal obtains the login configuration information, the zero-trust network has already prepared the conditions for the terminal to perform a pseudo-login, so the terminal can enter the pseudo-login state smoothly; on the other hand, when the login condition parameters in the zero-trust terminal do not satisfy the pseudo-login execution condition information in the login configuration information, a regular login is attempted instead, and on success the user information and login ticket of this login are stored, which ensures that once the login service is restored the regular network access flow resumes promptly and further improves the availability of the zero-trust network.
FIG. 10 is a flowchart of an access processing method based on a zero-trust network further proposed on the basis of the embodiment shown in FIG. 8. As shown in FIG. 10, the method further includes S850 on the basis of the flow shown in FIG. 8, described in detail as follows:
S850: after receiving a notification sent by the zero-trust server instructing the terminal to exit pseudo-login, stop executing S830 so as to exit the pseudo-login state; or, if the duration of the pseudo-login state is detected to exceed the maximum pseudo-login duration contained in the login configuration information, exit the pseudo-login state by automatically logging out the login account and clearing the local access ticket.
Considering that a zero-trust terminal remaining in the pseudo-login state for a long time may create a security risk in the zero-trust network, this embodiment further provides a scheme for the zero-trust terminal to exit the pseudo-login state, thereby safeguarding the zero-trust network.
In one scheme, after detecting that the login service has been restored, the zero-trust server sends the zero-trust terminal a notification instructing it to exit pseudo-login. For example, the zero-trust server first notifies the zero-trust gateway to cancel the independent ticket verification state and, after the gateway has returned to the normal ticket verification state, sends the zero-trust terminal the notification instructing it to exit pseudo-login, which amounts to sending the terminal switch information instructing it to exit pseudo-login. On receiving the notification, the zero-trust terminal stops executing the steps of generating a local access ticket and forwarding the local access ticket and access session traffic to the zero-trust gateway, thereby exiting the pseudo-login state.
In another scheme, in addition to the pseudo-login execution condition information and the pseudo-login execution switch information, the login configuration information sent by the zero-trust server to the zero-trust terminal also contains a maximum pseudo-login duration, which stipulates the longest time the zero-trust terminal may remain in the pseudo-login state. If the zero-trust terminal detects that the time it has spent in the pseudo-login state exceeds this maximum, it exits the pseudo-login state by automatically logging out the login account and clearing the local access ticket.
After exiting the pseudo-login state, if the zero-trust terminal still needs the zero-trust capability of the zero-trust network to access business resources, it must first perform a regular login; after that succeeds, it follows the access processing flow illustrated in FIG. 2, requesting from the zero-trust server the access ticket required for each access, and the access ticket must pass verification by the zero-trust gateway before business resources can be accessed normally. This ensures that the zero-trust function of the zero-trust network remains usable on a sustained basis in real application scenarios.
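The terminal-side decision described for S821/S822 (switch on, last valid login early enough, login info persisted), the S840 fallback to a regular login, and the S850 maximum-duration exit, as an added example rather than the patent's own code. It assumes the login configuration is a record with the three fields named below, that the historical login information is a per-user map of last valid login times, and that a plain dict stands in for the encrypted local persistent store; the regular login is a callable returning a record on success or None on failure.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class LoginConfig:
    """Login configuration delivered by the zero-trust server (field names constructed)."""
    pseudo_login_enabled: bool            # pseudo-login execution switch information
    last_login_before: datetime           # the last valid login must be earlier than this
    max_pseudo_login_duration: timedelta  # maximum pseudo-login duration


@dataclass(frozen=True)
class PersistedLogin:
    """Login-related info backed up in the local encrypted store (stand-in)."""
    user_id: str
    username: str
    login_ticket: str


def can_pseudo_login(config: LoginConfig,
                     last_valid_login: Optional[datetime],
                     persisted: Optional[PersistedLogin]) -> bool:
    """S821/S822: all three conditions must hold."""
    if not config.pseudo_login_enabled:
        return False                                  # switch is off
    if last_valid_login is None or last_valid_login >= config.last_login_before:
        return False                                  # no login, or too recent
    return persisted is not None and bool(persisted.login_ticket)


def choose_login_mode(config: LoginConfig, user_id: str,
                      history: Dict[str, datetime],
                      store: Dict[str, PersistedLogin],
                      regular_login: Callable[[], Optional[PersistedLogin]],
                      now: datetime) -> str:
    """S822/S840: 'pseudo' if eligible; else attempt a regular login and
    return 'regular' (persisting user info and ticket) or 'network_abnormal'."""
    if can_pseudo_login(config, history.get(user_id), store.get(user_id)):
        return "pseudo"
    record = regular_login()
    if record is None:
        return "network_abnormal"
    store[record.user_id] = record        # store user info and login ticket
    history[record.user_id] = now         # this becomes the last valid login
    return "regular"


def enforce_pseudo_login_limit(config: LoginConfig, user_id: str,
                               store: Dict[str, PersistedLogin],
                               entered_at: datetime, now: datetime) -> bool:
    """S850 timeout branch: once the pseudo-login state has lasted longer than
    the configured maximum, log the account out and clear the stored ticket.
    Returns True when the exit was triggered."""
    if now - entered_at <= config.max_pseudo_login_duration:
        return False
    store.pop(user_id, None)
    return True


if __name__ == "__main__":
    cutoff = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)   # constructed
    cfg = LoginConfig(True, cutoff, timedelta(hours=4))
    hist = {"u1": cutoff - timedelta(hours=2)}
    st = {"u1": PersistedLogin("u1", "alice", "constructed-ticket")}
    print(choose_login_mode(cfg, "u1", hist, st, lambda: None, cutoff))
```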
FIG. 11 is a flowchart of an access processing method based on a zero-trust network shown in another exemplary embodiment of the present application. It should be noted that this embodiment likewise makes no change to the architecture of the zero-trust network; the zero-trust network mentioned in this embodiment still refers to the network architecture shown in FIG. 2. It should also be noted that the method in this embodiment is executed by the zero-trust server in the zero-trust network, for example the zero-trust server 220 illustrated in FIG. 2.
As shown in FIG. 11, the access processing method based on a zero-trust network includes the following steps:
S1110: receive indication information sent by the zero-trust management end, the indication information indicating that an abnormality has occurred in the login service of the zero-trust network;
S1120: in response to the indication information, notify the zero-trust gateway to enter the independent ticket verification state;
S1130: after receiving the response information returned by the zero-trust gateway, send login configuration information to the zero-trust terminal, the login configuration information including pseudo-login execution condition information, so that the zero-trust terminal sends the access session traffic and a local access ticket to the zero-trust gateway based on the login configuration information, and the zero-trust gateway, after independently verifying the local access ticket, forwards the access session traffic to the business server.
It can be seen from the above that, after receiving from the zero-trust management end the indication that the login service in the zero-trust network is abnormal, the zero-trust server responds to that indication by notifying the zero-trust gateway to enter the independent ticket verification state. Receipt of the response information returned by the zero-trust gateway indicates that the zero-trust network is now prepared for pseudo-login, so the server sends the login configuration information to the zero-trust terminal. After the terminal determines from the pseudo-login execution condition information in the login configuration that it meets the conditions for performing a pseudo-login, it sends the access session traffic and the local access ticket to the zero-trust gateway, which independently verifies the local access ticket and then forwards the access session traffic to the business server. Thus, even when the login service is abnormal, sustained use of the zero-trust function is guaranteed and the overall availability of the zero-trust network is improved.
In another exemplary embodiment, on the basis of the embodiment shown in FIG. 11, the access processing method based on a zero-trust network further includes the following steps:
S1140: after receiving the designated notification message sent by the zero-trust management end, notify the zero-trust gateway to cancel the independent ticket verification state;
S1150: after receiving the response information returned by the zero-trust gateway, send the zero-trust terminal notification information instructing it to exit pseudo-login, so that the zero-trust terminal exits the pseudo-login state.
It can be seen from the above that, after receiving the designated notification message from the zero-trust management end, the zero-trust server first notifies the zero-trust gateway to cancel the independent ticket verification state and, after receiving the gateway's response information, sends the zero-trust terminal notification information instructing it to exit pseudo-login, so that the terminal exits the pseudo-login state. This provides a scheme for taking the zero-trust terminal out of the pseudo-login state, avoiding the security risks that could arise if the terminal remained in that state for a long time.
It should be noted that the details of how the zero-trust server executes the access processing method based on a zero-trust network have already been described in detail in the foregoing embodiments in which the zero-trust terminal executes the method, and are not repeated here.
FIG. 12 is a flowchart of an access processing method based on a zero-trust network shown in another exemplary embodiment of the present application. It should be noted that this embodiment still makes no change to the architecture of the zero-trust network; the zero-trust network mentioned in this embodiment still refers to the network architecture shown in FIG. 2. It should also be noted that the method in this embodiment is executed by the zero-trust gateway in the zero-trust network, for example the zero-trust gateway 240 illustrated in FIG. 2.
As shown in FIG. 12, the access processing method based on a zero-trust network includes the following steps:
S1210: in response to first notification information sent by the zero-trust server, enter the independent ticket verification state and send response information to the zero-trust server;
S1220: receive access session traffic and a local access ticket sent by the zero-trust terminal, the local access ticket being generated after the zero-trust terminal determines, based on login configuration information sent by the zero-trust server, that it meets the conditions for performing a pseudo-login, the login configuration information including pseudo-login execution condition information;
S1230: independently verify the local access ticket and, once the verification passes, forward the access session traffic to the business server.
It can be seen from the above that, after receiving the first notification information from the zero-trust server, the zero-trust gateway responds by entering the independent ticket verification state and returns response information to the zero-trust server. After receiving that response, the zero-trust server sends the login configuration information to the zero-trust terminal, so that the terminal, having determined from the pseudo-login execution condition information in the login configuration that it meets the conditions for performing a pseudo-login, sends the access session traffic and the local access ticket to the zero-trust gateway. The gateway then independently verifies the local access ticket and, once the verification passes, forwards the access session traffic to the corresponding business server. In this way the zero-trust terminal can still access business resources normally while the login service is abnormal, guaranteeing sustained use of the zero-trust function and improving the overall availability of the zero-trust network.
In another exemplary embodiment, on the basis of the embodiment shown in FIG. 12, the access processing method based on a zero-trust network further includes the following steps:
S1240: in response to second notification information sent by the zero-trust server, exit the independent ticket verification state and send response information to the zero-trust server;
S1250: receive access session traffic and an access ticket sent by the zero-trust terminal, the access ticket having been requested by the zero-trust terminal from the zero-trust server;
S1260: request the zero-trust server to verify the access ticket and, once the verification passes, forward the access session traffic to the business server.
It can be seen from the above that, after receiving the designated notification message from the zero-trust management end, the zero-trust server notifies the zero-trust gateway accordingly to cancel the independent ticket verification state. In response to the second notification information from the zero-trust server, the zero-trust gateway exits the independent ticket verification state and sends response information to the server. After receiving that response, the zero-trust server sends the zero-trust terminal notification information instructing it to exit pseudo-login, so that the terminal exits the pseudo-login state. If the zero-trust gateway subsequently still receives access session traffic and an access ticket from the zero-trust terminal, this is the terminal performing a normal zero-trust access: the access ticket was requested by the terminal from the zero-trust server for this particular network access, so the gateway requests the zero-trust server to verify the access ticket and, once verification passes, forwards the access session traffic to the business server. This provides a scheme for taking the zero-trust terminal out of the pseudo-login state, avoiding the security risks of a prolonged pseudo-login state, while allowing a switch back to normal zero-trust access once pseudo-login has been exited.
It should likewise be noted that the details of how the zero-trust gateway executes the access processing method based on a zero-trust network have already been described in detail in the foregoing embodiments in which the zero-trust terminal executes the method, and are not repeated here either.
To aid understanding of the above embodiments, FIG. 13 illustrates an interaction flow for access processing based on a zero-trust network.
As shown in FIG. 13, the zero-trust management end first sends indication information to the zero-trust server to indicate that a login service abnormality has been detected. The zero-trust server responds normally and then notifies the zero-trust gateway to enter the independent ticket verification state. After entering that state, the zero-trust gateway returns a response to the zero-trust server. The zero-trust server then turns on the pseudo-login switch and generates the login configuration information. A zero-trust terminal can initiate network access only after a user login has been performed; before logging in, the terminal pulls the login configuration information from the zero-trust server, which responds by sending the login configuration information to the terminal. After the terminal determines from the login configuration information that it is entering the pseudo-login state, it generates a local access ticket and sends the access session traffic and the local access ticket to the zero-trust gateway. Because the gateway is in the independent ticket verification state, it forwards the access session traffic directly to the corresponding business server in the business system once the local access ticket passes verification. The business system responds by returning the business resource the zero-trust terminal wants to access.
When the login service is restored, the zero-trust management end sends the zero-trust server the designated notification message to signal that the login service has recovered. The zero-trust server responds normally and then notifies the zero-trust gateway to cancel the independent ticket verification state. After cancelling that state, the zero-trust gateway returns a response to the zero-trust server. The zero-trust server then turns off the pseudo-login switch. If the zero-trust terminal detects that the duration of the pseudo-login it is performing exceeds the maximum duration set in the login configuration information, it automatically logs out the current login account and clears the previous login ticket.
The next time the zero-trust terminal accesses the network, it must perform a user login again and, before logging in, re-pull from the zero-trust server the indication of whether to perform a pseudo-login. The zero-trust server responds with an indication not to perform pseudo-login. The zero-trust terminal then sends the raw session traffic of the network access and the access ticket to the zero-trust gateway. Because the access ticket was requested by the zero-trust terminal from the zero-trust server following the normal zero-trust access flow, the zero-trust gateway must request the zero-trust server to verify the access ticket, and forwards the raw session traffic to the corresponding business server in the business system once verification passes.
FIG. 14 is a schematic flowchart of a zero-trust terminal starting zero-trust network access. As shown in FIG. 14, after the zero-trust management end issues the pseudo-login switch, that is, after the zero-trust management end instructs the zero-trust server to turn on the pseudo-login switch as shown in FIG. 13, the zero-trust terminal is enabled to perform network access in the pseudo-login state. Specifically, before logging in, the zero-trust terminal pulls the login configuration information from the zero-trust server; if the pull is judged successful and the configuration instructs the terminal to enter the pseudo-login state, the terminal judges from its historical login information whether it meets the conditions for performing a pseudo-login, that is, whether pseudo-login is possible.
If the pulled login configuration information does not instruct a pseudo-login, or the terminal's historical login information shows that pseudo-login cannot be performed, a regular login is performed instead. If the regular login fails, the zero-trust network access function cannot be used and the entire access flow ends. If the regular login succeeds, the login ticket of this login must be stored and zero-trust network access is started, in this case through the regular flow. If the historical login information shows that pseudo-login can be performed, zero-trust network access is likewise started, in this case through the pseudo-login flow.
基于图13和图14可以看出,本申请在登录服务异常的情况下,通过特殊通道给零信任终端和零信任网关推送特殊开关,让零信任终端进入伪登录状态,同时联动零信任网关将其置于忽略票据校验的状态,即票据独立校验状态,以达到在极端苛刻条件下,零信任终端也能将会话流量安全传送给零信任网关,零信任网关也能够正常转发会话流量到业务服务器,保证零信任功能的可持续使用,提升零信任网络的整体可用性。Based on Figures 13 and 14, it can be seen that when the login service is abnormal, this application pushes a special switch to the zero-trust terminal and the zero-trust gateway through a special channel, allowing the zero-trust terminal to enter a pseudo-login state, and at the same time links the zero-trust gateway to put it in a state of ignoring ticket verification, that is, an independent ticket verification state, so that under extremely harsh conditions, the zero-trust terminal can also securely transmit session traffic to the zero-trust gateway, and the zero-trust gateway can also forward session traffic to the business server normally, thereby ensuring the sustainable use of the zero-trust function and improving the overall availability of the zero-trust network.
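The following is an added simulation of the control-plane exchange of Figures 13 and 14; it is example code, not code from the patent. The class names, the notification strings, the ticket layout and the maximum pseudo-login duration are assumptions, the historical-login check of Figure 14 is not modelled here, and the gateway's local check looks only at ticket kind and validity window. What it shows is the ordering the figures describe: the server turns the pseudo-login switch on only after the gateway has acknowledged the state change, the gateway decides between local and server-side verification by its state, and the terminal logs itself out and clears the local ticket once the allowed duration is exceeded.

```python
"""Added example (not part of the patent): control-plane exchange of
Figures 13 and 14. Names, notification strings and ticket layout are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Ticket = Dict[str, object]   # constructed, opaque ticket representation


@dataclass
class ZeroTrustGateway:
    server: Optional["ZeroTrustServer"] = None
    independent_verification: bool = False        # ticket independent verification state
    forwarded: List[str] = field(default_factory=list)

    def notify(self, notification: str) -> str:
        # first notification enters the state, second notification cancels it
        if notification == "ENTER_INDEPENDENT_VERIFICATION":
            self.independent_verification = True
        elif notification == "CANCEL_INDEPENDENT_VERIFICATION":
            self.independent_verification = False
        return "OK"                               # response returned to the server

    def handle(self, traffic: str, ticket: Optional[Ticket], now: int) -> bool:
        if ticket is None:
            return False
        if self.independent_verification:
            # local ticket: checked here, the server is not asked (assumed check)
            ok = ticket.get("kind") == "local" and now < int(ticket.get("expires", 0))
        else:
            # normal path: the server-issued access ticket is verified by the server
            ok = self.server.verify_ticket(ticket)
        if ok:
            self.forwarded.append(traffic)        # forward to the business server
        return ok


@dataclass
class ZeroTrustServer:
    gateway: ZeroTrustGateway
    pseudo_login_switch: bool = False
    max_pseudo_login_seconds: int = 3600          # assumed value in the login config
    issued: List[str] = field(default_factory=list)

    def on_login_service_anomaly(self) -> None:
        # indication from the management end: switch the gateway first and turn
        # the pseudo-login switch on only after the gateway has responded
        if self.gateway.notify("ENTER_INDEPENDENT_VERIFICATION") == "OK":
            self.pseudo_login_switch = True

    def on_login_service_restored(self) -> None:
        if self.gateway.notify("CANCEL_INDEPENDENT_VERIFICATION") == "OK":
            self.pseudo_login_switch = False

    def login_config(self) -> Dict[str, object]:
        return {"pseudo_login": self.pseudo_login_switch,
                "max_duration": self.max_pseudo_login_seconds}

    def issue_ticket(self, user: str) -> Ticket:
        ticket_id = f"srv-{user}-{len(self.issued)}"
        self.issued.append(ticket_id)
        return {"kind": "server", "id": ticket_id}

    def verify_ticket(self, ticket: Ticket) -> bool:
        return ticket.get("kind") == "server" and ticket.get("id") in self.issued


@dataclass
class ZeroTrustTerminal:
    user: str
    server: ZeroTrustServer
    pseudo_login_since: Optional[int] = None
    max_duration: int = 0
    ticket: Optional[Ticket] = None

    def login(self, now: int) -> str:
        cfg = self.server.login_config()          # pulled before every login
        self.max_duration = int(cfg["max_duration"])
        if cfg["pseudo_login"]:
            self.pseudo_login_since = now
            self.ticket = {"kind": "local", "expires": now + self.max_duration}
            return "pseudo"
        self.pseudo_login_since = None
        self.ticket = self.server.issue_ticket(self.user)
        return "regular"

    def check_pseudo_login_duration(self, now: int) -> bool:
        """Auto-logout once the pseudo-login has lasted longer than allowed."""
        if self.pseudo_login_since is None or now - self.pseudo_login_since <= self.max_duration:
            return False
        self.pseudo_login_since = None
        self.ticket = None                        # clear the local ticket
        return True


def run_scenario() -> Dict[str, object]:
    """Anomaly, pseudo-login access, timeout, recovery and regular access."""
    gateway = ZeroTrustGateway()
    server = ZeroTrustServer(gateway)
    gateway.server = server
    terminal = ZeroTrustTerminal("alice", server)
    server.on_login_service_anomaly()             # Figure 13: anomaly detected
    result = {"mode_during_outage": terminal.login(now=1000)}
    result["forwarded_during_outage"] = gateway.handle("GET /app", terminal.ticket, now=1010)
    result["timed_out"] = terminal.check_pseudo_login_duration(now=4601)
    result["forwarded_after_timeout"] = gateway.handle("GET /app", terminal.ticket, now=4602)
    server.on_login_service_restored()            # Figure 13: login service restored
    result["gateway_independent_after_recovery"] = gateway.independent_verification
    result["mode_after_recovery"] = terminal.login(now=5000)
    result["forwarded_after_recovery"] = gateway.handle("GET /app", terminal.ticket, now=5010)
    return result
```

Calling `run_scenario()` walks both halves of Figure 13 in order. The point worth checking in a real deployment is the one the scenario makes explicit: while the gateway is in the independent verification state the server is no longer in the decision path, so the bound on how long a terminal may stay in the pseudo-login state is the only thing limiting that window.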
Figure 15 is a block diagram of a zero-trust-network-based access processing device shown in an exemplary embodiment of the present application. The device is configured on a zero-trust terminal and includes an acquisition module 1510, a determination module 1520 and a first processing module 1530.
The acquisition module 1510 is configured to acquire login configuration information from the zero-trust server; the login configuration information is generated after an anomaly in the login service of the zero-trust network is detected, and includes pseudo-login execution condition information.
The determination module 1520 is configured to determine, based on the login configuration information, whether the zero-trust terminal meets the conditions for performing a pseudo-login.
The first processing module 1530 is configured to, if the zero-trust terminal meets the conditions for performing a pseudo-login, generate a local access ticket and send the access session traffic and the local access ticket to the zero-trust gateway, so that the zero-trust gateway forwards the access session traffic to the business server after independently verifying the local access ticket.
In another exemplary embodiment, the determination module 1520 is further configured to perform the following steps:
detecting the pseudo-login execution switch information contained in the login configuration information, where the pseudo-login execution switch information is generated by the zero-trust server after it notifies the zero-trust gateway to enter the ticket independent verification state;
if the pseudo-login execution switch information indicates that pseudo-login execution is turned on, determining whether the login condition parameters in the zero-trust terminal satisfy the pseudo-login execution condition information contained in the login configuration information, and if so, determining that the zero-trust terminal meets the conditions for performing a pseudo-login.
In another exemplary embodiment, the determination module 1520 is further configured to perform the following steps:
acquiring the historical login information in the zero-trust terminal;
if it is determined from the historical login information that the login time of the most recent valid login is before the time specified in the pseudo-login execution condition information, and the login-related information of that most recent valid login has already been persistently stored locally, determining that the login condition parameters in the zero-trust terminal satisfy the pseudo-login execution condition information contained in the login configuration information.
In another exemplary embodiment, the device further includes a regular login module 1540, configured to perform a regular login when the zero-trust terminal does not meet the conditions for performing a pseudo-login; if the regular login succeeds, the user information and login ticket of this login are stored and the regular login state is entered.
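The terminal-side decision described for the determination module 1520 and the regular login module 1540 (the branch structure of Figure 14), as an added example that is not code from the patent. The field names, the shape of the login configuration, and the regular-login callback are assumptions; the page only says the most recent valid login must be "before the time specified" in the condition information, and the example reads that time as a cut-off supplied by the server without assuming what it represents.

```python
"""Added example (not part of the patent): the terminal's pseudo-login
decision. Field names, config layout and the login callback are assumed."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class LoginConfig:
    pseudo_login_switch: bool          # pseudo-login execution switch information
    condition_time: int                # time carried in the pseudo-login execution condition information
    max_pseudo_login_seconds: int      # maximum pseudo-login duration


@dataclass
class HistoricalLogin:
    last_valid_login_time: Optional[int]   # None when the terminal has never logged in
    persisted_locally: bool                # login-related info of that login is stored locally


def meets_pseudo_login_conditions(cfg: Optional[LoginConfig], hist: HistoricalLogin) -> bool:
    """Both gates of the determination module: the switch first, then the terminal's own parameters."""
    if cfg is None or not cfg.pseudo_login_switch:      # pull failed, or switch is off
        return False
    if hist.last_valid_login_time is None or not hist.persisted_locally:
        return False
    # the page requires the most recent valid login to be before the specified time
    return hist.last_valid_login_time < cfg.condition_time


def start_access(cfg: Optional[LoginConfig], hist: HistoricalLogin,
                 regular_login: Callable[[], Optional[str]], store: dict) -> str:
    """Return which path Figure 14 takes: 'pseudo', 'regular' or 'ended'."""
    if meets_pseudo_login_conditions(cfg, hist):
        return "pseudo"                           # local ticket path
    ticket = regular_login()                      # assumed: returns a login ticket, or None on failure
    if ticket is None:
        return "ended"                            # zero-trust access cannot be used
    store["login_ticket"] = ticket                # store this login's ticket, enter regular state
    return "regular"
```

The check is deliberately fail-closed: any missing input (no configuration pulled, no prior login, nothing persisted) routes the terminal to the regular login path rather than to a local ticket.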
In another exemplary embodiment, the first processing module 1530 is further configured to perform the following steps:
generating a ticket payload and a ticket signature from the ticket content information, where the ticket content information includes at least one of a user unique identifier, a ticket generation time, a ticket validity duration, and a trusted application ciphertext;
generating the local access ticket from the ticket version identifier, the ticket payload and the ticket signature.
In another exemplary embodiment, the first processing module 1530 is further configured to perform the following steps:
acquiring the key agreed between the zero-trust terminal and the zero-trust gateway;
encoding the ticket content information with a preset encoding scheme, and performing an encryption operation on the encoded ticket content information with the key to obtain ciphertext content;
encoding the ciphertext content with the preset encoding scheme to obtain the ticket signature.
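An added example (not code from the patent) of the ticket construction in the two step lists above, together with the independent check the gateway performs in the third processing module 1730. The page leaves the encoding, the keyed operation and the ticket serialization open; this example assumes base64url as the preset encoding, an HMAC-SHA256 over the encoded content as a stand-in for the unspecified keyed "encryption operation" with the agreed key, the version identifier `v1`, and the serialization `version.payload.signature`.

```python
"""Added example (not part of the patent): local access ticket build and
gateway-side independent verification. Encoding, keyed operation, version
identifier and serialization are assumptions."""
import base64
import hashlib
import hmac
import json
from typing import Tuple

TICKET_VERSION = "v1"                               # assumed ticket version identifier


def _encode(data: bytes) -> str:
    """Preset encoding (assumed base64url, unpadded)."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(content: bytes, key: bytes) -> str:
    # encode content -> keyed operation with the agreed key -> encode the result
    mac = hmac.new(key, _encode(content).encode(), hashlib.sha256).digest()
    return _encode(mac)


def build_local_ticket(user_id: str, generated_at: int, valid_for: int,
                       trusted_app_ciphertext: str, key: bytes) -> str:
    """Ticket content information -> payload and signature -> versioned ticket."""
    content = json.dumps({"uid": user_id, "iat": generated_at, "ttl": valid_for,
                          "app": trusted_app_ciphertext},
                         sort_keys=True, separators=(",", ":")).encode()   # canonical form
    return ".".join([TICKET_VERSION, _encode(content), _signature(content, key)])


def verify_local_ticket(ticket: str, key: bytes, now: int) -> Tuple[bool, str]:
    """Gateway check without the server: version, signature, validity window."""
    parts = ticket.split(".")
    if len(parts) != 3:
        return False, "malformed ticket"
    version, payload, signature = parts
    if version != TICKET_VERSION:
        return False, "unsupported ticket version"
    try:
        content = _decode(payload)
    except ValueError:
        return False, "undecodable payload"
    # recompute and compare in constant time before interpreting any field
    if not hmac.compare_digest(signature, _signature(content, key)):
        return False, "signature mismatch"
    try:
        fields = json.loads(content)
        generated_at, valid_for = int(fields["iat"]), int(fields["ttl"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed content"
    if not generated_at <= now < generated_at + valid_for:
        return False, "outside validity window"
    return True, str(fields.get("uid", ""))
```

The gateway only parses the payload after the signature has been checked with the agreed key, so a ticket whose content was altered in transit is rejected before any of its fields influence a forwarding decision; the generation time and validity duration then bound how long a once-valid local ticket keeps working.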
In another exemplary embodiment, the first processing module 1530 is further configured to, after starting the proxy client process configured in the zero-trust terminal, send the access session traffic and the local access ticket to the zero-trust gateway through the proxy client process.
In another exemplary embodiment, the device further includes an exit module 1550, configured to, after receiving a notification sent by the zero-trust server instructing it to exit the pseudo-login, stop performing the step of generating a local access ticket and sending the access session traffic and the local access ticket to the zero-trust gateway, so as to exit the pseudo-login state; or, if it detects that the duration of the pseudo-login state exceeds the maximum pseudo-login duration contained in the login configuration information, exit the pseudo-login state by automatically logging out the login account and clearing the local access ticket.
Figure 16 is a block diagram of a zero-trust-network-based access processing device shown in an exemplary embodiment of the present application. The device is configured on a zero-trust server and includes a first receiving module 1610, a notification module 1620 and a second processing module 1630.
The first receiving module 1610 is configured to receive indication information sent by the zero-trust management end, the indication information indicating that an anomaly has occurred in the login service of the zero-trust network.
The notification module 1620 is configured to notify, in response to the indication information, the zero-trust gateway to enter the ticket independent verification state.
The second processing module 1630 is configured to send login configuration information to the zero-trust terminal after receiving the response information returned by the zero-trust gateway; the login configuration information includes pseudo-login execution condition information, so that the zero-trust terminal sends the access session traffic and a local access ticket to the zero-trust gateway based on the login configuration information, and the zero-trust gateway forwards the access session traffic to the business server after independently verifying the local access ticket.
In another exemplary embodiment, the device further includes an exit indication module 1640, configured to notify the zero-trust gateway to cancel the ticket independent verification state after receiving the specified notification message sent by the zero-trust management end, and, after receiving the response information returned by the zero-trust gateway, to send notification information instructing the zero-trust terminal to exit the pseudo-login, so that the zero-trust terminal exits the pseudo-login state.
Figure 17 is a block diagram of a zero-trust-network-based access processing device shown in an exemplary embodiment of the present application. The device is configured on a zero-trust gateway and includes a response module 1710, a second receiving module 1720 and a third processing module 1730.
The response module 1710 is configured to enter the ticket independent verification state in response to first notification information sent by the zero-trust server, and to send response information to the zero-trust server.
The second receiving module 1720 is configured to receive the access session traffic and the local access ticket sent by the zero-trust terminal; the local access ticket is generated after the zero-trust terminal determines, based on the login configuration information sent by the zero-trust server, that it meets the conditions for performing a pseudo-login, and the login configuration information includes pseudo-login execution condition information.
The third processing module 1730 is configured to independently verify the local access ticket and, after verification passes, forward the access session traffic to the business server.
In another exemplary embodiment, the device further includes a recovery processing module 1740, configured to exit the ticket independent verification state in response to second notification information sent by the zero-trust server and send response information to the zero-trust server; to receive the access session traffic and an access ticket sent by the zero-trust terminal, the access ticket having been obtained by the zero-trust terminal by requesting it from the zero-trust server; to request the zero-trust server to verify the access ticket; and to forward the access session traffic to the business server after verification passes.
It should be noted that the zero-trust-network-based access processing device provided in the above embodiments and the zero-trust-network-based access processing method provided in the above embodiments belong to the same concept; the specific manner in which each module and unit performs its operations has been described in detail in the method embodiments and is not repeated here. In practical application, the functions of the device provided in the above embodiments may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above; no limitation is imposed on this here.
An embodiment of the present application further provides an electronic device, including one or more processors and a memory for storing one or more programs; when the one or more programs are executed by the one or more processors, the electronic device implements the zero-trust-network-based access processing method provided in the above embodiments.
Figure 18 shows a schematic structural diagram of a computer system of an electronic device suitable for implementing an embodiment of the present application. It should be noted that the computer system 1800 of the electronic device shown in Figure 18 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the present application.
As shown in Figure 18, the computer system 1800 includes a central processing unit (CPU) 1801, which can perform various appropriate actions and processing, such as the method described in the above embodiments, according to a program stored in a read-only memory (ROM) 1802 or a program loaded from a storage section 1808 into a random access memory (RAM) 1803. The RAM 1803 also stores various programs and data required for system operation. The CPU 1801, ROM 1802 and RAM 1803 are connected to each other via a bus 1804. An input/output (I/O) interface 1805 is also connected to the bus 1804.
The following components are connected to the I/O interface 1805: an input section 1806 including a keyboard, a mouse and the like; an output section 1807 including a cathode ray tube (CRT), a liquid crystal display (LCD) and the like, as well as a speaker and the like; a storage section 1808 including a hard disk and the like; and a communication section 1809 including a network interface card such as a LAN (Local Area Network) card or a modem. The communication section 1809 performs communication processing via a network such as the Internet. A drive 1810 is also connected to the I/O interface 1805 as needed. A removable medium 1811, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 1810 as needed, so that a computer program read from it is installed into the storage section 1808 as needed.
In particular, according to an embodiment of the present application, the processes described above with reference to the flow charts may be implemented as a computer software program. For example, an embodiment of the present application includes a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for executing the method shown in the flow charts. In such an embodiment, the computer program may be downloaded from a network and installed through the communication section 1809, and/or installed from the removable medium 1811. When the computer program is executed by the central processing unit (CPU) 1801, the various functions defined in the system of the present application are performed.
It should be noted that the computer-readable medium shown in the embodiments of the present application may be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection with one or more wires, a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), a flash memory, an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. The computer program contained in the computer-readable medium may be transmitted by any appropriate medium, including but not limited to wireless, wired, or any suitable combination of the above.
The flow charts and block diagrams in the accompanying drawings illustrate the possible architecture, functions and operations of systems, methods and computer program products according to various embodiments of the present application. Each block in a flow chart or block diagram may represent a module, a program segment or a portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions marked in the blocks may occur in an order different from that marked in the drawings. For example, two blocks shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each block of the block diagrams or flow charts, and combinations of blocks in the block diagrams or flow charts, may be implemented by a dedicated hardware-based system that performs the specified function or operation, or by a combination of dedicated hardware and computer instructions.
The units involved in the embodiments of the present application may be implemented in software or in hardware, and the described units may also be provided in a processor. In some cases, the names of these units do not constitute a limitation on the units themselves.
Another aspect of the present application further provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the zero-trust-network-based access processing method described above. The computer-readable storage medium may be included in the electronic device described in the above embodiments, or may exist separately without being assembled into that electronic device.
Another aspect of the present application further provides a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, so that the computer device performs the zero-trust-network-based access processing method provided in the above embodiments.
The above content is merely a preferred exemplary embodiment of the present application and is not intended to limit its implementation. A person of ordinary skill in the art can readily make corresponding variations or modifications based on the main concept and spirit of the present application; the scope of protection of the present application shall therefore be determined by the scope of protection defined in the claims.
It should also be noted that the specific embodiments of the present application involve data such as login configuration information, historical login information and ticket content information. When the above embodiments are applied to specific products or technologies, user permission or consent must be obtained, and the collection, use and processing of the relevant data must comply with the relevant laws, regulations and standards of the relevant countries and regions.
Claims (17)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310425078.7A CN118802149A (en) | 2023-04-14 | 2023-04-14 | Access processing method and device based on zero-trust network, electronic device, and medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118802149A true CN118802149A (en) | 2024-10-18 |
Family
ID=93030149
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310425078.7A Pending CN118802149A (en) | 2023-04-14 | 2023-04-14 | Access processing method and device based on zero-trust network, electronic device, and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118802149A (en) |
- 2023-04-14 CN CN202310425078.7A patent/CN118802149A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||