CN116032500B - Service access traffic control method, device, equipment and medium - Google Patents

Info

Publication number
CN116032500B
Authority
CN
China
Prior art keywords
access request
target
service access
client
service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111244639.0A
Other languages
Chinese (zh)
Other versions
CN116032500A (en)
Inventor
吴岳廷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202111244639.0A
Publication of CN116032500A
Application granted
Publication of CN116032500B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application discloses a method, device, equipment and medium for business access traffic control, which relates to the field of cloud security technology and can be applied to various scenarios such as cloud technology, cloud security, artificial intelligence, and smart transportation. The present application intercepts business access requests associated with business applications; based on the network control boundary defined in the access traffic control policy, identifies business access requests belonging to the target network area as target business access requests, and the access traffic control policy defines the target network area based on the network control boundary; sends an authentication request corresponding to the target business access request to the security management server, so that the security management server performs a legitimacy check on the target business access request and obtains a legitimacy check result; when the legitimacy check result indicates that the target business access request is legitimate, obtains a business response result corresponding to the target business access request from the business server, so that the administrator can flexibly set the traffic management boundary.

Description

Service access flow control method, device, equipment and medium
Technical Field
The present disclosure relates generally to the field of computers, and more particularly, to a method, apparatus, device, and medium for traffic access flow management and control.
Background
Conventional schemes for managing application traffic are based on fixed network areas and typically distinguish between an extranet and an intranet. Traffic is usually collected and captured by perimeter network equipment such as a switch for auditing and monitoring. For example, it is commonly configured that when a terminal device is on the intranet, all traffic passing through the switch is audited and monitored, whereas when the terminal device is on the extranet, the switch exercises no control and performs no auditing or monitoring; as a result, accesses that do need auditing and monitoring, such as a terminal device on the extranet accessing the enterprise's business resources, cannot be audited or monitored. Because the boundary division depends too heavily on network location, the enterprise administrator cannot flexibly set the traffic management boundary; the granularity of traffic control is not fine enough, and finer-grained access control is difficult to apply.
Disclosure of Invention
In view of the foregoing drawbacks or shortcomings of the prior art, it is desirable to provide a method, apparatus, device, and medium for traffic access traffic management that allows an enterprise manager to flexibly set traffic management boundaries.
In a first aspect, an embodiment of the present application provides a service access flow control method, where the method includes:
intercepting a service access request associated with a service application;
identifying a service access request belonging to a target network area as a target service access request based on a network management boundary defined in an access flow management policy;
Sending an authentication request corresponding to the target service access request to a security management server so that the security management server performs validity check on the target service access request to obtain a validity check result;
And when the legal verification result indicates that the target service access request has validity, acquiring a service response result corresponding to the target service access request from a service server.
In a second aspect, an embodiment of the present application provides a traffic access flow control apparatus, including:
The acquisition module is used for intercepting a service access request associated with a service application;
a determining module, configured to identify a service access request belonging to a target network area as a target service access request based on a network management boundary defined in an access traffic management and control policy;
the sending module is used for sending an authentication request corresponding to the target service access request to the security management server so that the security management server performs validity check on the target service access request to obtain a validity check result;
and the receiving module is used for acquiring a service response result corresponding to the target service access request from the service server when the legal check result indicates that the target service access request has validity.
In a third aspect, an embodiment of the present application provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing a method as described in the embodiment of the present application when the program is executed by the processor.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method as described in embodiments of the present application.
In a fifth aspect, embodiments of the present application provide a computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements a method as described in embodiments of the present application.
The application provides a service traffic data management and control method that flexibly sets a traffic management boundary according to an access proxy management mode set by the manager, captures and forwards network traffic through an access proxy component provided by the zero-trust security management client installed on the terminal, and thereby enforces process-level traffic management from the source where application traffic is generated.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the accompanying drawings in which:
Fig. 1 is a schematic structural diagram of a network architecture according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an access rights configuration policy provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of a configuration of a control strategy for accessing a flow according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a trusted application provided by an embodiment of the present application;
FIG. 5 is a schematic diagram of a login interface of a target client according to an embodiment of the present application;
FIG. 6 is a schematic diagram of details of a trusted application that is issued, provided by an embodiment of the present application;
Fig. 7 is a schematic diagram of an application for limiting access rights of an access device according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a zero trust access management principle provided by an embodiment of the present application;
FIG. 9 is a schematic diagram of a zero trust access management principle provided by an embodiment of the present application;
fig. 10 is a flowchart of a method for managing and controlling traffic data according to an embodiment of the present application;
fig. 11 is a flowchart of another service traffic data management and control method according to an embodiment of the present application;
fig. 12 is a schematic diagram of a traffic data management and control principle according to an embodiment of the present application;
fig. 13 is a schematic diagram of another principle of traffic data management and control according to an embodiment of the present application;
fig. 14 is a schematic block diagram of a traffic data management and control device according to an embodiment of the present application;
Fig. 15 shows a schematic diagram of a computer system suitable for use in implementing an electronic device or security management server of an embodiment of the application.
Detailed Description
The application is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the application and are not limiting of the application. It should be noted that, for convenience of description, only the portions related to the application are shown in the drawings.
It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be combined with each other. The application will be described in detail below with reference to the drawings in connection with embodiments.
Referring to fig. 1, fig. 1 is a schematic diagram of a network structure implemented by a traffic access flow control method according to an embodiment of the present application.
As shown in fig. 1, the network architecture may comprise a security management server 1 and a cluster of user terminals 2. The cluster of user terminals may comprise one or more user terminals, the number of which is not limited here. The user terminal cluster may specifically comprise user terminals 2a, 2b, ..., 2n.
As shown in fig. 1, the user terminals 2a, 2b, ..., 2n may each be connected to the above-mentioned security management server 1 through a network, so that each user terminal may interact with the security management server 1 through the network.
Each user terminal in the user terminal cluster may include, but is not limited to, an intelligent terminal with a service data access function, such as a smart phone, a tablet computer, a notebook computer, a desktop computer, a wearable device, an intelligent home, a head-mounted device, a vehicle-mounted device, and the like.
It should be understood that each user terminal in the user terminal cluster 2 shown in fig. 1 may be provided with a service application and a target client (i.e. a zero trust security management system client, e.g. an iOA client), and when the zero trust security management system client is running on a user terminal, that terminal may interact with the security management server 1 shown in fig. 1 separately. The zero trust security management system client here may comprise a proxy client component for intercepting traffic.
The business application (i.e., business application client) related to the embodiment of the application can be an application client such as a social client, an office client, a search client (e.g., browser client), a live client, a news client, a shopping client (e.g., e-commerce client), etc.
The security management server 1 is the security management server corresponding to the zero-trust security management client, i.e. the iOA back-end security management server. It may be an independent physical server, a server cluster or distributed system formed by multiple physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, big data and artificial intelligence platforms.
The business flow data management and control method provided by the embodiment of the application can be realized based on the zero trust security management system client. The zero trust security management mode executed by the zero trust security management system client breaks the traditional area-based trust control mode, adopts the 4T principle based on Trusted identity (Trusted identity), trusted equipment (Trusted device), trusted application (Trusted application) and Trusted link (Trusted link) to grant access rights, forces all accesses to be authenticated, authorized and encrypted, and truly practices the design concept of zero trust, thereby effectively guaranteeing that the access users can safely access no matter where and when the access users are located.
In one or more embodiments, a manager of service traffic management may pre-configure a zero trust policy through a zero trust security management system client, and issue the configured zero trust policy to target clients logged in by each account, where the zero trust policy is used to determine whether access requests of each application in user terminal devices installed with the target clients need to be flow-regulated.
As shown in fig. 2, the zero trust policy is configured by three aspects of a user (or group of users) in an organization architecture, a trusted application (i.e., the target client described above), and a business system.
The trusted application refers to an application carrier which is trusted by the target client and can be accessed by the corresponding terminal equipment to the internal service system. Specifically, the application name, application MD5 (a message digest algorithm), signature information, etc. may be included. The service system is configured according to the service traffic data management and control requirement, including but not limited to an enterprise internal service system, for example, when only performing flow management and control on enterprise service system resources, only the enterprise service system may be configured, and when performing flow management and control on the full traffic of the user terminal, the full service system may be configured.
The organization framework is a user tree composed of users and used for expressing the relation between the users and the user group, and the granularity of the zero trust strategy is single user. If a zero trust policy is issued for a certain user group, all users of the user group share the same zero trust policy.
Specifically, the manager for service flow management may pre-configure the trusted application and service system corresponding to the user, for example, the manager for service flow management may configure the user a under the test group directory in the user tree system on the left side of fig. 2, and when any application in the upper XX operating system on the right side and the lower service system XX on the right side are checked, it is illustrated that the user a can access the selected service system XX when any application in the XX operating system is used.
The business system comprises at least one business server and generally includes an enterprise's OA site, development and test environment, operation and maintenance environment, formal production environment and the like; it is the object accessed by an access subject (person/device/application). In a data access request, the access subject is the party that initiates the request, i.e. the person/device/application accessing a business resource, and the access object is the party being accessed, e.g. business resources, data, the development test environment or the operation and maintenance environment in the business server.
As shown in fig. 3, the business system may be configured through an edit setup. In connection with fig. 3, when setting an accessible service system, the website information of the service system, for example, com, may be edited in the service system field; the manner of identifying the accessible service system, for example IP address, is edited in the category field; and when IP address is selected, the specified IP of the accessible service system or the IP segment corresponding to the accessible system is further edited, where several specified IPs may be given and further IP addresses are added with "add IP". It should be appreciated that the domain name of the business system may also be used when editing the accessible business system, i.e. the domain name category may be selected when editing the category, in which case the specified domain name data must additionally be edited. In one embodiment, the configuration of trusted applications may specifically include the process name, signature information, version, process MD5 and SHA-256 (a cryptographic hash algorithm), as shown in fig. 4. That is, the manager may configure the trusted applications and the accessible service systems in advance in the interfaces shown in figs. 3 and 4; then, when configuring the zero trust policy for user A, the configured trusted applications are displayed as a list in the upper right of fig. 2, from which the manager may select one or more, and similarly the configured service systems are displayed as a list in the lower right of fig. 2, from which the manager may select one or more, thereby completing the zero trust policy configuration for user A.
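The method steps of the first aspect and the policy configuration described around figs. 2 to 4 amount to one decision: does an intercepted request fall inside the network management boundary (a configured service system, identified by IP segment or domain) and does it come from a trusted application (process name plus hash)? The following is an added example, not code from the patent or from the iOA product, that models that decision on the client side. The policy values, process hashes, addresses and the local trusted-application pre-check are all constructed assumptions; in the patent the legitimacy check itself is performed by the security management server, and the example only decides which requests are sent to it for authentication.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field

# All names, addresses and hashes below are constructed for this example.


@dataclass(frozen=True)
class TrustedApp:
    """One trusted-application entry: process name plus its SHA-256 (cf. fig. 4)."""
    process_name: str
    sha256: str


@dataclass
class ServiceSystem:
    """One accessible service system; category is 'ip' (IP or IP segment) or 'domain'."""
    name: str
    category: str
    ip_ranges: list = field(default_factory=list)   # CIDR strings, used when category == 'ip'
    domains: list = field(default_factory=list)     # host names, used when category == 'domain'

    def matches(self, destination: str) -> bool:
        if self.category == "ip":
            try:
                addr = ipaddress.ip_address(destination)
            except ValueError:
                return False                         # a domain never matches an IP category
            return any(addr in ipaddress.ip_network(r, strict=False) for r in self.ip_ranges)
        host = destination.rstrip(".").lower()
        return any(host == d or host.endswith("." + d) for d in self.domains)


@dataclass
class ZeroTrustPolicy:
    """Policy issued for one user: which processes may reach which service systems."""
    user: str
    trusted_apps: list
    service_systems: list


@dataclass(frozen=True)
class AccessRequest:
    """Parameters the proxy client learns when it intercepts a connection."""
    user: str
    process_name: str
    process_sha256: str
    destination: str   # destination IP or domain name
    dest_port: int


def classify(request: AccessRequest, policy: ZeroTrustPolicy) -> dict:
    """Decide what the client does with an intercepted request.

    action is 'forward' (outside the boundary, not controlled), 'authenticate'
    (a target request: ask the security management server for a ticket) or
    'block' (inside the boundary but from a process that is not a trusted app).
    """
    system = next((s for s in policy.service_systems if s.matches(request.destination)), None)
    if system is None:
        return {"in_boundary": False, "trusted_app": None, "action": "forward", "system": None}
    trusted = any(a.process_name == request.process_name and a.sha256 == request.process_sha256
                  for a in policy.trusted_apps)
    return {"in_boundary": True, "trusted_app": trusted,
            "action": "authenticate" if trusted else "block", "system": system.name}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed policy for user "A": an OA site addressed by IP segment and a dev/test
# environment addressed by domain name; a single trusted browser process.
BROWSER_HASH = sha256_hex(b"constructed browser binary")
POLICY_A = ZeroTrustPolicy(
    user="A",
    trusted_apps=[TrustedApp("browser.exe", BROWSER_HASH)],
    service_systems=[
        ServiceSystem("OA site", "ip", ip_ranges=["10.10.0.0/16"]),
        ServiceSystem("dev/test environment", "domain", domains=["dev.example.internal"]),
    ],
)


def demo() -> list:
    """Three constructed interceptions: trusted app inside the boundary, unknown
    process inside the boundary, and a destination outside the boundary."""
    requests = [
        AccessRequest("A", "browser.exe", BROWSER_HASH, "10.10.5.20", 443),
        AccessRequest("A", "unknown.exe", sha256_hex(b"other"), "api.dev.example.internal", 443),
        AccessRequest("A", "browser.exe", BROWSER_HASH, "203.0.113.9", 443),
    ]
    return [classify(r, POLICY_A)["action"] for r in requests]


if __name__ == "__main__":
    print(demo())  # ['authenticate', 'block', 'forward']
```

The boundary is defined by the configured service systems rather than by whether the terminal happens to be on the intranet, which is the point the Background section makes: the same browser reaching the OA segment is authenticated regardless of network location, while traffic to an unrelated Internet host is left uncontrolled.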
After the manager configures the service system and the trusted application, the zero trust policy can be issued only by selecting the zero trust policy (comprising the access right information recorded with the access right of the trusted application) to be issued. Specifically, a manager configures a zero trust policy corresponding to each user or user group in the organization architecture on own terminal equipment, uploads the zero trust policy to a security management server, and then the zero trust policy is issued to a zero trust security management system client corresponding to each user account by the security management server, so that the zero trust security management system client can monitor and manage terminal traffic.
Correspondingly, the terminal user can realize the zero trust office function through logging in the target client, wherein the login interface of the target client is shown in fig. 5, and the user can log in the target client through a code scanning mode and the like.
After the login is completed, as shown in fig. 6, the login user can see the detail information of the security office protection issued by the management user, specifically, the target client informs the login user that the zero trust security management is started through a popup window, and displays the specific contents of the real-time protection policy, the antivirus protection policy and the security reinforcement policy, wherein the real-time protection policy comprises an application entry protection and an underlying protection, the application entry protection comprises but is not limited to desktop icon protection, camera protection, insertion disk protection, file download protection and webpage firewall, and the underlying protection comprises but is not limited to file system protection, registry protection, process protection, drive protection and hacker intrusion protection.
As shown in fig. 7, the login user has access rights to the designated service server according to the user-level policy issued by the administrator. Specifically, through the popup window of the target client, the login user is informed that the trusted software is configured, and through the trusted software tag and the interception software tag, the user is informed of the trusted software which can be used in the zero trust security protection process and the interception software which can be intercepted and cannot be used, and in the embodiment, the trusted software is any application.
The target client may be, for example, iOA client, and iOA client is a client based on a zero trust policy. The zero trust policy records the process available to the login user of iOA client and the accessible service site (or service security management server, or service server, etc.), and the granularity of the zero trust policy is the login user.
When the terminal device requests access to the service server through the logged-in target client, the network request to the service server is hijacked; the hijacking is performed by the proxy client included in the terminal device, so that the proxy client can intercept the network request. It can be understood that when any service device (such as the service server) under the protection of the zero trust policy is accessed, the access request is first checked (i.e. the access credential carried in the access request is checked), and only after the check passes is the access performed, so as to ensure the security of the accessed service device. Having hijacked the network request, the target client (or proxy client) can obtain parameters such as the source Internet Protocol (IP) address, source port, destination IP, destination port and process identifier (PID) of the target client, where the IP may also be given as a domain name, the source IP is the IP of the target client, and the destination IP is the IP of the service server.
In one or more embodiments, hijacking of the network request is performed by the proxy client. As shown in fig. 8, after the proxy client (e.g. the client marked 20 in fig. 8) intercepts the network request, it may send parameters such as the source IP, source port, destination IP, destination port and application process PID to the target client (the iOA client, e.g. the client marked 21 in fig. 8). Using the process PID sent by the proxy client 20, the target client 21 may collect the MD5 of the process, the process path, the latest modification time of the process, copyright information, signature information, etc., together with the source IP (source domain name), source port, destination IP and destination port of the network request transmitted by the proxy client, and send a request for an access credential to the security management server (e.g. the security management server marked 22 in fig. 8). If the request succeeds, the security management server 22 sends the access credential, the maximum number of times the access credential may be used and the validity period of the access credential to the target client 21, which passes the access credential on to the proxy client 20.
The access credential, which may also be referred to as a network request ticket, is authorization information issued by the security management server 22 for a single network request (or access request) to identify the authorization status of that network request. The proxy client 20 is configured to receive the access credential and send a data access request to the intelligent gateway (e.g. the gateway denoted 23 in fig. 8). The data access request may be a request based on the hypertext transfer protocol over secure socket layer (HTTPS); when the proxy client 20 sends the HTTPS request to the intelligent gateway 23, the access credential may be carried in the Authorization header field of the HTTPS request. The intelligent gateway 23 receives the data access request, parses the access credential from it, adds the access credential to a verification request and sends the verification request to the security management server 22, which verifies the access credential. If the security management server 22 verifies the access credential successfully, the intelligent gateway 23 establishes a connection with the proxy client 20, and the proxy client 20 may then proxy the application (e.g. any application denoted 24 in fig. 8) in accessing the service server (e.g. any of the servers denoted 25 in fig. 8).
When the target client 21 applies to the security management server 22 for an access credential, in order to fully verify whether the process accessing the service server 25 is malicious, the target client 21 initiates a process review request to the security management server 22, whose parameters include an identifier of the destination uniform resource locator (URL) of the service server 25 being accessed, the process MD5, a hash code, the process path and certificate chain details. The certificate chain details comprise the digest algorithm, root certificate name, root certificate serial number, root certificate expiration time, intermediate certificate name, intermediate certificate serial number, intermediate certificate expiration time, signing certificate name, signing certificate serial number, signing certificate expiration time, signature state, name of the signer, timestamp and signature verification error information. After receiving this information, the security management server 22 may periodically submit the file for checking to the threat intelligence cloud-query service, tav (an antivirus engine; reference 26 in fig. 8), etc., and if the file is malicious, the security management server 22 notifies the target client 21 to interrupt the access request of the application 24 to the service server 25, so as to prohibit that access.
In one or more embodiments, the intelligent gateway 23 is deployed at the entrance of the service server (or of an application of the service server) and of the data resource, and is responsible for verifying, authorizing and forwarding each session request that accesses the service server. The target client 21 is a security agent (Agent) installed on the terminal device; it verifies the trusted identity of the user logged in on the terminal device, verifies whether the terminal device is trusted and whether the target client is trusted, and applies to the security management server for a check of any unknown process (such as a process initiating an access request). The proxy client 20 hijacks the network request through a TUN/TAP device (a virtual network device in the operating system kernel), forwards the access request to the intelligent gateway after authentication by the target client 21, and directly interrupts the connection if authentication fails.
The security management server 22 comprises a policy center, a censoring service and a certificate (or ticket) center. The policy center performs security scheduling of service traffic through a policy control engine and authorizes at the granularity of person-device-software-application. Based on the censoring service, the security management server periodically submits files for checking to the threat intelligence cloud-query service or tav, and after a malicious process is identified it notifies the target client to execute an asynchronous blocking operation. The certificate center is used for generating and issuing certificates. In addition, the security management server comprises various modules: an identity verification module verifies user identity, a device trust module verifies device hardware information and the device security state, and an application detection module detects whether an application process is safe, for example whether a virus or Trojan is present, and the like.
In one or more embodiments, when the target client 21 proxies the data access to the service server 25, the target client 21 may first send a data access request carrying an access credential to the security management server 22, after receiving the data access request, the security management server 22 may determine the access credential for the service server from the data access request, and verify the access credential, and after the security management server 22 verifies the access credential, proxy access of the target client 21 to the service server is allowed, so that an access security problem of the target client 21 to the service server may be effectively ensured.
In one or more embodiments, after determining the access credential from the received data access request, the security management server 22 may first determine credential data that the security management server 22 employs in generating the access credential, where the credential data includes parameters described above, and the like, and the security management server 22 may process the credential data according to an algorithm employed in generating the access credential to thereby regenerate the reference access credential, where the reference access credential that is generated is a trusted access credential. When the security management server 22 checks the access credential sent by the target client, the reference access credential may be used to check the access credential sent by the target client, for example, the reference access credential may be compared with the access credential sent by the target client, so as to determine whether the access credential sent by the target client passes verification according to a comparison result, where if the comparison result indicates that the reference access credential is consistent with the access credential sent by the target client, or if the comparison result indicates that the similarity degree of the reference access credential and the access credential sent by the target client meets a preset similarity threshold (such as 98%), the verification of the access credential sent by the target client may be considered to pass.
In one or more embodiments, the target client 21 applies to the security management server 22 for a unique ticket for the local device according to the source process and the destination service server corresponding to the data access request, and responds directly to the proxy client. The unique ticket has an effective number of uses and a maximum validity period and is used by the proxy client to build a ticket cache: after receiving the unique ticket corresponding to the access, the proxy client constructs the cache according to the ticket's maximum number of uses and validity period, and when the same process subsequently accesses resources or data of the same service server, the ticket is not requested again from the target client 21 while the cache entry is valid.
In one or more embodiments, after receiving the data access request from the access proxy, the target client 21 checks that the traffic complies with the access control policy, generates a random-string session ticket from the device information, login user information, application process, service server, network session information and the like using an algorithm agreed with the server, and responds to the proxy client.
In one or more embodiments, as shown in FIG. 9, the zero trust security management system provides a unified portal through which a subject (e.g., the target client described above) requests access over a network to an object (e.g., the service server described above), based on a zero trust proxy (e.g., the target client or proxy client described above) and an intelligent gateway. The zero trust security management system (in particular, its security management server) provides the authentication for the unified portal; only network requests that pass authentication are forwarded by the zero trust proxy to the intelligent gateway, and access to the actual service system is proxied by the access gateway. The zero trust security management system can serve medium-sized enterprises, institutions and governments through a single deployment mode, and large enterprise groups and multi-level vertical government e-government systems through a distributed cascade deployment mode.
In one or more embodiments, as shown in fig. 10, the service access flow management and control method provided by the embodiment of the present application includes the following steps:
step 101, intercepting a service access request associated with a service application.
It should be noted that the service application receives instruction information from the user and generates a corresponding service access request according to it, and the target client monitors these requests to obtain the service access request associated with the service application.
Step 102, identifying a service access request belonging to a target network area as a target service access request based on a network management boundary defined in an access flow management policy, wherein the access flow management policy defines the target network area based on the network management boundary.
The access flow control boundary is used to define the target network area: when the address to be accessed by an access request belongs to the target network area, the service access request is determined to be within the access flow control boundary and is a target service access request that requires access flow control; when the address to be accessed does not belong to the target network area, the service access request is determined to be outside the access flow control boundary and is a non-target service access request that does not require access flow control.
It should be noted that an enterprise may integrate its existing service systems and deploy a specific access flow control policy through a security management system (such as the iOA client). Because the network environment of the terminal, the terminal type and the enterprise's strength of control over network access flow vary, the points of attention and the control approach for terminal traffic differ, so the boundary at which flow control is to be performed can be set through the iOA client, and the service access requests that require flow control can then be intercepted and authenticated.
In one or more embodiments, the access flow control policy includes a resource policy, and the resource policy includes a target IP section corresponding to target service access requests. The method includes determining that a service access request is a target service access request when the IP to be accessed by the request falls within the target IP section, and determining that it is a non-target service access request when the IP to be accessed does not fall within the target IP section.
Further, when an enterprise configures an access flow control policy, two setting modes are generally provided: a full-traffic hijacking mode and an enterprise service resource hijacking mode. In the full-traffic hijacking mode, all service access requests of the terminal are hijacked into the proxy client, and the proxy client determines how to process each service access request after communicating with and being authenticated by the iOA client, for example forwarding it through the intelligent gateway or sending it directly to the service server. In the enterprise service resource hijacking mode, the enterprise administrator configures at the management end domain name, IP or IP segment matching rules for the enterprise service systems (including data, interfaces and functions); when the destination IP of a service access request matches a configured IP or belongs to a configured IP segment, the access subject is considered to be attempting to access an enterprise service resource, the service access request is hijacked to the proxy client, and the proxy client determines how to process it after communicating with and being authenticated by the iOA client; if the destination IP does not match a configured IP and does not belong to a configured IP segment, the proxy client can send the service access request directly to the service server.
For example, the enterprise may decide, according to its actual requirements, to perform flow control on all service access requests of the terminal or only on accesses to enterprise service resources. When flow control is required on all service access requests, the default route in the host routing table of the terminal device may be set to the virtual network card address of the proxy client, which makes configuration efficient; when flow control is performed only on accesses to enterprise service resources, the host routing table entries for the IPs or IP segments of the enterprise service resource addresses are set to the virtual network card address of the proxy client.
In one or more embodiments, the function policy is a state policy of the zero-trust access function corresponding to the target client: when the zero-trust access function is in the effective state, a candidate service access request is determined to be a target service access request, and when the zero-trust access function is in the invalid state, the candidate service access request is determined to be a non-target service access request.
That is, access flow control of the service application may also be controlled by the end user: when the user logs in to the iOA client, or turns on the zero-trust access function or runs it in the background, flow control may be performed on the candidate service access requests intercepted by the proxy client, that is, the candidate service access request is authenticated by the security management server and forwarded to the service server through the intelligent gateway.
That is, the access flow control policy may give the decision right to the end user: traffic is tracked, managed and monitored only from the moment the user starts using the zero trust network access function, and this ends when the user turns the zero trust network access function off.
In one or more embodiments, the proxy client intercepts a service access request and sends it to the target client when the zero trust access function of the target client is in the effective state. The target client identifies that the IP to be accessed by the service access request is in the target IP section, determines that the service access request is a target service access request, and sends the target service access request to the security management server so that the security management server performs a validity check on it and obtains a legal check result corresponding to the target service access request. The target client sends that legal check result to the proxy client, and the proxy client sends the service access request to the intelligent gateway based on the legal check result so that the intelligent gateway forwards it to the service server.
Or in one or more embodiments, the target client controls the proxy client to intercept the service access request and send the service access request to the target client, the target client identifies that the IP to be accessed corresponding to the service access request is not in the target IP section, determines that the service access request is the target service access request, sends the target service access request to the security management server so that the security management server performs validity check on the target service access request to obtain a legal check result corresponding to the target service access request, the target client sends the legal check result corresponding to the target service access request to the proxy client, and the proxy client sends the service access request to the intelligent gateway based on the legal check result so that the intelligent gateway sends the service access request to the service server.
In one or more embodiments, when the service access request is determined to be a non-target service access request based on the access flow control policy issued by the target client, the service access request is sent directly to the service server; or, when the legal check result indicates that the target service access policy is not legal, a re-authentication instruction or an access blocking instruction issued by the security management server is received.
In one or more embodiments, the proxy client intercepts a service access request and sends it to the target client when the zero trust access function of the target client is in the effective state; the target client identifies that the IP to be accessed by the service access request does not match the target IP, determines that the service access request is a non-target service access request, and sends this identification result to the proxy client, which then sends the service access request to the service server.
Or, in one or more embodiments, after intercepting the service access request the proxy client identifies that the target client is in the invalid state, and the proxy client sends the service access request to the service server.
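The dispatch decisions in the preceding paragraphs, from the function policy state through the target IP section check to the three possible outcomes (forward to the intelligent gateway, send directly, or receive a re-authentication or blocking instruction), as an added example that is not code from the patent or from any Tencent product. The `AccessFlowPolicy` class, the `dispatch` function and the outcome names are this example's own; the security management server's validity check is replaced by a constructed stand-in that accepts requests carrying a known ticket, asks for re-authentication when no ticket is present, and blocks an unrecognised ticket (that decision rule is an assumption, since the patent only says the server issues one of the two instructions).

```python
import ipaddress

# Outcomes for one intercepted service access request (this example's names).
FORWARD_TO_GATEWAY = "forward_to_intelligent_gateway"
SEND_DIRECT = "send_direct_to_service_server"
REAUTHENTICATE = "reauthentication_instruction"
BLOCK = "access_blocking_instruction"


class AccessFlowPolicy:
    """Resource policy (target IP sections) plus function policy (zero-trust state)."""

    def __init__(self, target_ip_sections, zero_trust_enabled):
        self.sections = [ipaddress.ip_network(s, strict=False) for s in target_ip_sections]
        self.zero_trust_enabled = zero_trust_enabled

    def is_target(self, dst_ip):
        """True when the IP to be accessed falls inside any configured target IP section."""
        ip = ipaddress.ip_address(dst_ip)
        return any(ip in section for section in self.sections)


def security_server_check(request, known_tickets):
    """Constructed stand-in for the security management server's validity check.

    Returns 'legal', or the instruction the server issues when the request is not legal.
    """
    ticket = request.get("ticket")
    if ticket is None:
        return REAUTHENTICATE      # no credential at all: ask the terminal to authenticate
    return "legal" if ticket in known_tickets else BLOCK


def dispatch(request, policy, known_tickets):
    """Decision path for one request the proxy client has intercepted."""
    # Function policy: zero-trust function in the invalid state -> non-target, direct connection.
    if not policy.zero_trust_enabled:
        return SEND_DIRECT
    # Resource policy: destination outside the target IP section -> non-target, direct connection.
    if not policy.is_target(request["dst_ip"]):
        return SEND_DIRECT
    # Target request: the target client obtains the legal check result from the server.
    verdict = security_server_check(request, known_tickets)
    return FORWARD_TO_GATEWAY if verdict == "legal" else verdict
```

The two early returns are the part worth auditing in a real deployment: a request only ever reaches the validity check when both the function policy and the resource policy place it inside the boundary, so a misconfigured IP section silently turns a managed resource into a direct-connection one.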
In one or more embodiments, the hijacking of service access requests by the proxy client may be controlled by the target client, i.e., when the target client exits, it sends the proxy client a control instruction indicating whether to continue hijacking, so that the proxy client either continues to hijack service access requests or stops hijacking.
For example, when the target client controls the proxy client to exit and start together with the target client: when an end user logs in on the iOA client to perform identity authentication, or clicks a control such as "start work" or "start office" on the terminal interaction interface to start the zero trust network access function, the hijacking process of the proxy client is launched by the iOA client and begins traffic hijacking, forwarding and reporting, after which traffic tracking and automatic audit operations are performed on the security management server. When the end user logs off the iOA client or clicks a control such as "stop work" or "stop office" on the terminal interaction interface to stop the zero trust network access function, the iOA client sends a stop instruction to the proxy client, and the proxy client stops the network sessions under management, stops its own process, and at the same time stops traffic hijacking and forwarding. Under this policy the proxy client is not resident in the user terminal: it starts when the zero trust network access function starts and stops when it stops, and the iOA client monitors and manages the user-configured scope (such as full traffic monitoring or enterprise service resource monitoring) only in the interval from the start to the end of the zero trust network access function.
It should be understood that, under the policy in which the proxy client exits and starts together with the target client, when the proxy client is stopped the service access request follows its original access path, for example being sent directly to the service server through the physical gateway, without passing through the proxy client or the intelligent gateway.
Or, when the target client controls the proxy client and the target client to exit and start simultaneously, the proxy client continuously hijacks service access requests and forwards them to the iOA client, and when a service access request is authenticated by the iOA client it is sent to the intelligent gateway through the proxy client so that the intelligent gateway forwards it to the service server. When the iOA client logs off, or the user clicks a control such as "stop work" or "stop office" on the terminal interaction interface to stop the zero trust network access function, the iOA client sends a full direct-connection instruction to the proxy client so that the proxy client forwards all intercepted service access requests directly to the corresponding service servers. That is, under this policy, when the iOA client logs off, the service access request passes through the proxy client but not through the intelligent gateway.
In one or more embodiments, different traffic management may be applied according to the network area in which the terminal is located; for example, the enterprise service resource hijacking mode may be used when the user terminal is in an extranet environment, and the full traffic hijacking mode when the user terminal is in the enterprise intranet.
That is, the iOA client can continuously detect the network area in which the user terminal is located and apply different flow control policies per area. For example, when the user terminal is in the intranet or in an enterprise-sensitive network area, the proxy client process resides in the terminal and hijacks the user's service access requests to both intranet and extranet sites at all times, and the iOA client controls access rights to enterprise service resources, that is, the end user can access enterprise service resources only after logging in to the iOA client and after the access ticket passes authentication. When the user is in a public network or a non-sensitive network area, the iOA client controls the start and stop of the access proxy client process: when the proxy client is started, the user can access enterprise service resources and the iOA client reports the service access requests hijacked by the proxy client to the security management server for traffic tracking and monitoring; when the proxy client is stopped, the user can access only non-enterprise service resources and cannot access enterprise service resources, and the iOA client automatically ignores the management of non-service access traffic.
Step 103, sending an authentication request corresponding to the target service access request to the security management server, so that the security management server performs a validity check on the target service access request to obtain a validity check result.
Step 104, when the validity check result indicates that the target service access request is valid, obtaining a service response result corresponding to the target service access request from the service server.
Further, when the service access request is determined to be a non-target service access request based on the access flow control policy issued by the target client, the service access request is sent directly to the service server; or, when the legal check result indicates that the target service access policy is not legal, a re-authentication instruction or an access blocking instruction issued by the security management server is received.
Therefore, the business access flow management and control method provided by the embodiment of the application can be used for intercepting and forwarding the business access requests in different ranges according to the access flow management and control strategy, so that enterprises can effectively perform security management on the business access requests while flexibly setting the flow management boundary.
In one or more embodiments, as shown in fig. 11, the method further includes the following steps:
In step 201, the service application generates a service request data packet corresponding to the service access request, and sends the service request data packet to the kernel protocol stack.
That is, when the access subject initiates network access on the terminal through a certain application program (the service application), the network data passes from the application layer of the program to the transport layer and then down to the network layer, each layer adding its own header, and the network data packet is then delivered to the kernel protocol stack of the terminal device through the socket component.
Step 202, the kernel protocol stack extracts the destination address corresponding to the service request from the service request data packet, and searches the next hop address corresponding to the destination address according to the access flow control strategy issued by the target client.
Step 203, intercepting the service access request by the proxy client when the next hop address is the virtual network card of the proxy client.
That is, when the iOA client administrator sets the access flow control policy, the address of the proxy client's TUN/TAP virtual network card is written into the routing table, so that when the kernel protocol stack parses the service request packet it finds that the next hop for the IP or IP segment in the packet is the virtual network card of the proxy client, and delivers the service access request (the service access request packet) to the proxy client, which thereby intercepts it.
Further, after the TUN/TAP virtual network card of the proxy client receives the service access request packet, the user-mode proxy process in the iOA client is notified to read the data that the kernel protocol stack delivered to the virtual network card, which realises the data exchange between the kernel protocol stack and the user layer.
After the user-mode proxy process in the iOA client obtains the service request packet, it parses the packet and sends the parsing result (a credential ticket) to the security management server for authentication. When the service access request packet passes authentication, a new packet whose source address is the Ethernet address and whose destination address is the intelligent gateway connection address is constructed from the original service request packet through the socket component and sent to the intelligent gateway so that the intelligent gateway forwards the service access request to the service server; when the service access request packet does not pass authentication, a new packet whose source address is the Ethernet address and whose destination address is the target access site address is constructed from the original service request packet through the socket component, and the service access request is sent directly to the service server of the target access site.
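The routing-table mechanism behind steps 201 to 203, and the two configuration modes described earlier (default route versus per-segment routes pointing at the virtual network card), as an added example that is not code from the patent or from any Tencent product. It models the host routing table as a list of (prefix, next hop) entries, performs the kernel's longest-prefix match, and reports whether the proxy client would intercept a given destination; the TUN address, the physical gateway address and the mode names are constructed assumptions.

```python
import ipaddress

# Constructed addresses for this example (not from the patent).
PROXY_TUN_ADDRESS = "10.255.255.1"   # TUN/TAP virtual network card of the proxy client
PHYSICAL_GATEWAY = "192.168.0.1"     # default gateway of the physical network card


def build_routes(mode, resource_segments=()):
    """Host routing entries the iOA client installs for the chosen hijacking mode."""
    default_route = (ipaddress.ip_network("0.0.0.0/0"), PHYSICAL_GATEWAY)
    if mode == "full_traffic":
        # The default route itself points at the virtual NIC: every packet reaches the proxy.
        return [(ipaddress.ip_network("0.0.0.0/0"), PROXY_TUN_ADDRESS)]
    if mode == "enterprise_resource":
        # Only the configured enterprise resource IPs / segments go to the virtual NIC.
        routes = [default_route]
        routes += [(ipaddress.ip_network(seg, strict=False), PROXY_TUN_ADDRESS)
                   for seg in resource_segments]
        return routes
    raise ValueError(f"unknown hijacking mode: {mode}")


def next_hop(routes, dst_ip):
    """Kernel-style route lookup: the most specific matching prefix wins."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [route for route in routes if ip in route[0]]
    if not matches:
        return None
    return max(matches, key=lambda route: route[0].prefixlen)[1]


def intercepted_by_proxy(routes, dst_ip):
    """Step 203: the proxy client intercepts the request when its next hop is the virtual NIC."""
    return next_hop(routes, dst_ip) == PROXY_TUN_ADDRESS


def rebuilt_packet_destination(authenticated, original_dst, gateway_address):
    """Destination of the packet the user-mode proxy rebuilds after the authentication result."""
    return gateway_address if authenticated else original_dst
```

Longest-prefix match is what makes the enterprise-resource mode work at all: the /32 and /16 entries for resource addresses beat the /0 default route, so only those destinations are steered into the proxy while everything else keeps its physical gateway.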
In one or more embodiments, upon intercepting a service access request, structured data is generated according to the service access request, such that a security management server performs validity verification according to the structured data, and generates structured control flow information.
That is, after the proxy client and the intelligent gateway complete the forwarding and proxied access of a service access request, structured data is generated automatically. The core data includes, but is not limited to, the request time of the original service access request, terminal features (such as the device name and device unique identifier), application name and process feature information (such as process information, copyright information and hash), iOA client login user information (such as user name and user id), source IP and source port, remote target IP (intelligent gateway or service server), remote target port, service system request result, request method, request URL, and a traffic unique identifier. This structured data serves as the data flow record.
In one or more embodiments, the target client generates structured data corresponding to the control flow after sending the proxy client the identification result that the service access request is a non-target service access request; alternatively, the proxy client generates structured data corresponding to the data flow from the service response result obtained from the service server for the target service access request and sends it to the target client, and the target client uploads the structured data of the data flow, and optionally the structured data of the control flow, to the security management server to be stored as structured audit data.
As a possible embodiment, as shown in fig. 12, when the service access request is determined to be a direct-connection access request: as in process 1, after the proxy client hijacks the service access request, it sends the request to the iOA client so that the iOA client can communicate with the security management server to authenticate it; the iOA client determines from the access flow control policy that the service access request is a non-target service access request, i.e. a direct-connection access request, returns this identification result to the proxy client, and records the procedure and result of that determination to generate the structured data corresponding to the control flow. As in process 2, the proxy client sends the service access request to the service server to complete the direct access. After sending the service access request to the service server, the proxy client generates structured data for the service access request from the control-flow structured data fed back by the iOA client and from the local log produced when forwarding the request to the service server, and sends that structured data to the iOA client. As in process 3, the iOA client sends the structured data of the service access request to the security management server, which stores it as the audit data of the request, and receives the audit result returned by the security management server.
In one or more embodiments, after the target client sends the legal verification result corresponding to the target service access request to the proxy client, the method further comprises the steps that the target client generates structured data corresponding to the control flow according to the legal verification result, the proxy client generates structured data corresponding to the data flow according to a service response result corresponding to the target service access request obtained from the intelligent gateway and sends the structured data corresponding to the data flow to the target client, and the target client uploads the structured data corresponding to the control flow and the structured data corresponding to the data flow to the security management server to be stored into structured audit data.
As another possible embodiment, as shown in fig. 13, when the service request is determined to be a proxy access request executed by the intelligent gateway: as in process 1, after the proxy client hijacks the service access request, it sends the request to the iOA client so that the iOA client can communicate with the security management server to authenticate it; the iOA client determines from the access flow control policy that the service access request is a target service access request, sends an authentication request to the security management server according to the request information of the target service access request, and after authentication passes determines that the service access request is a proxy access request executed by the intelligent gateway. The iOA client returns to the proxy client the identification result that the service access request is a proxy access request, and records the procedure and result of that determination under the access flow control policy to generate the structured data corresponding to the control flow. As in process 2, the proxy client sends the service access request to the intelligent gateway, and as in process 3, the intelligent gateway sends it to the service server to complete the proxied access.
After the proxy client has sent the service access request to the intelligent gateway and the intelligent gateway has sent it to the service server, as in process 4, the intelligent gateway generates structured data for the service access request from the control-flow structured data that the iOA client fed back to the proxy client and from the local log produced when forwarding the request to the service server via the intelligent gateway. The proxy client sends the structured data of the service access request to the iOA client, which sends it to the security management server to be stored as the audit data of the request, and, as in process 5, receives the audit result returned by the security management server.
In one or more embodiments, after the service response result corresponding to a target service access request is obtained, structured data corresponding to the service access request is generated and sent to the security management server; the security management server audits the structured data to identify abnormal service access requests and issues a re-authentication instruction or an access blocking instruction once an abnormal service access request is identified.
Further, the security management server may also generate structured control flow information from the authentication process of the structured data, including, but not limited to, access time, terminal features (such as device name and device unique identifier), application name and process feature information (such as process information, copyright information and hash), iOA client login user information (such as user name and user id), policy hit information, processing details of the access control, terminal environment awareness information, and the traffic unique identifier.
Furthermore, once the iOA client, proxy client and intelligent gateway have reported the structured data of the data flow and the control flow, the security management server can automatically compare and aggregate them (the two types of data are associated by the traffic unique identifier) and generate different kinds of traffic monitoring graphs at the management end, building a zero trust operational data index model.
At the same time, the automatic comparison result is used to detect automatically whether abnormal index data appears in the terminal's access sessions to enterprise service resources. If the automatic comparison determines that the number of abnormal access sessions exceeds the set value, a manual or automatic block is applied to the specific terminal and the relevant precautionary measures for dynamically detecting or adjusting the access control policy are forcibly issued. Based on the zero trust operational data index model, traffic characteristics can be examined in real time; if abnormal behaviour is detected, the current service access is stopped and the end user is prompted that access can continue only after secondary verification is completed, or real-time handling including terminating or cancelling the current and subsequent sessions is performed.
Therefore, by having the proxy client and the intelligent gateway automatically generate the traffic-characteristic structured data asynchronously and with low latency, the application can effectively solve the problems of high performance cost and possible leakage of sensitive data caused by frequent traffic data collection, and of heterogeneous log formats and low data utilisation value caused by collecting data multiple times. At the same time, the security management server can generate structured control information from the structured data, automatically compare it to identify traffic characteristics that do not match the configured rules, and then issue a re-authentication or access blocking instruction to the terminal, thereby monitoring and managing the zero trust access of service access requests.
In summary, the service access flow control method provided by the embodiments of the application can selectively intercept and forward service access requests in different ranges according to the access flow control policy, so that enterprises can perform effective security management of service access requests while flexibly setting the flow control boundary.
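The server-side correlation just described (joining control-flow and data-flow records by the traffic unique identifier, then counting abnormal sessions per terminal against a set value and choosing between a re-authentication and a blocking instruction), as an added example that is not code from the patent or from any Tencent product. The record fields follow the ones listed in the text; the sample records, the thresholds, the rule that a 401/403 service result counts as an abnormal session, and the treatment of data-flow records with no matching control-flow record as anomalies are all this example's constructed assumptions.

```python
from collections import defaultdict

REAUTHENTICATE = "reauthentication_instruction"
BLOCK = "access_blocking_instruction"


def _pair(traffic_id, device, user, result):
    # Constructed control-flow / data-flow record pair sharing one traffic unique identifier.
    control = {"traffic_id": traffic_id, "device": device, "user": user,
               "policy_hit": "enterprise_resource", "decision": "proxy_via_gateway"}
    data = {"traffic_id": traffic_id, "dst_ip": "10.10.1.5", "dst_port": 443,
            "method": "GET", "url": "/api/report", "result": result}
    return control, data


_SAMPLE = [
    _pair("t01", "dev-A", "alice", 403), _pair("t02", "dev-A", "alice", 403),
    _pair("t03", "dev-A", "alice", 401), _pair("t04", "dev-A", "alice", 403),
    _pair("t05", "dev-A", "alice", 200),
    _pair("t06", "dev-B", "bob", 403), _pair("t07", "dev-B", "bob", 403),
    _pair("t08", "dev-C", "carol", 200),
]
CONTROL_FLOW = [control for control, _ in _SAMPLE]
# One constructed data-flow record that no control-flow record accounts for.
DATA_FLOW = [data for _, data in _SAMPLE] + [
    {"traffic_id": "t99", "dst_ip": "10.10.1.5", "dst_port": 443,
     "method": "GET", "url": "/api/admin", "result": 200},
]


def join_by_traffic_id(control_flow, data_flow):
    """Associate the two record types by the traffic unique identifier.

    Returns (joined records, data-flow records with no control-flow counterpart)."""
    by_id = {c["traffic_id"]: c for c in control_flow}
    joined, orphans = [], []
    for d in data_flow:
        c = by_id.get(d["traffic_id"])
        if c is None:
            orphans.append(d)          # traffic the control plane never decided on
        else:
            joined.append({**c, **d})
    return joined, orphans


def detect_abnormal_sessions(joined, reauth_threshold=2, block_threshold=4):
    """Count denied service results per device and pick the instruction to issue."""
    denied = defaultdict(int)
    for record in joined:
        if record["result"] in (401, 403):
            denied[record["device"]] += 1
    instructions = {}
    for device, count in denied.items():
        if count >= block_threshold:
            instructions[device] = BLOCK
        elif count >= reauth_threshold:
            instructions[device] = REAUTHENTICATE
    return instructions
```

The join is the step that gives the audit its value: a data-flow record without a control-flow record means traffic reached a resource without the iOA client ever producing a decision for it, which is a stronger signal than any individual 403 and is worth surfacing separately from the per-device counts.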
It should be noted that although the operations of the method of the present invention are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in that particular order or that all of the illustrated operations be performed in order to achieve desirable results.
Fig. 14 is a schematic structural diagram of a service access flow control apparatus according to an embodiment of the present application. As shown in fig. 14, the service access flow control apparatus 10 according to an embodiment of the present application includes:
an obtaining module 11, configured to obtain a service access request associated with a service application;
a determining module 12, configured to identify, as a target service access request, a service access request belonging to a target network area based on a network control boundary defined in an access flow control policy, where the access flow control policy defines the target network area based on the network control boundary;
a sending module 13, configured to send an authentication request corresponding to the target service access request to a security management server, so that the security management server performs a validity check on the target service access request to obtain a validity check result;
and a receiving module 14, configured to obtain, from the service server, a service response result corresponding to the target service access request when the validity check result indicates that the target service access request is valid.
In some embodiments, the access flow control policy includes a resource policy, where the resource policy defines the target IP segment that requires access flow control, and the determining module 12 is further configured to:
determine that the service access request is a target service access request when the IP to be accessed corresponding to the service access request falls within the target IP segment;
and determine that the service access request is a non-target service access request when the IP to be accessed corresponding to the service access request does not fall within the target IP segment.
In some embodiments, the access flow control policy includes a function policy, where the function policy is the state policy of the zero-trust access function corresponding to the target client, and the determining module 12 is further configured to:
determine that the service access request is the target service access request when the zero-trust access function is in the effective state;
and determine that the service access request is a non-target service access request when the zero-trust access function is in the failed state.
In some embodiments, the target terminal comprises a proxy client and a target client. The proxy client intercepts the service access request and, when the zero-trust access function of the target client is in the effective state, sends the service access request to the target client. The target client identifies that the IP to be accessed corresponding to the service access request lies within the target IP segment, determines that the service access request is a target service access request, and sends the target service access request to the security management server so that the security management server performs a validity check on it and obtains the validity check result corresponding to the target service access request; the target client then sends that validity check result to the proxy client.
In some embodiments, the target client controls the proxy client to intercept the service access request and send it to the target client. The target client identifies that the IP to be accessed corresponding to the service access request lies within the target IP segment, determines that the service access request is a target service access request, and sends the target service access request to the security management server so that the security management server performs a validity check on it and obtains the corresponding validity check result. The target client sends the validity check result to the proxy client, and the proxy client, based on the validity check result, sends the service access request to the intelligent gateway so that the intelligent gateway forwards it to the service server.
In some embodiments, the target client generates the structured data corresponding to the control flow from the validity check result; the proxy client generates the structured data corresponding to the data flow from the service response result, corresponding to the target service access request, that it obtains from the intelligent gateway, and sends it to the target client; and the target client uploads the structured data corresponding to the control flow and the structured data corresponding to the data flow to the security management server, where they are stored as structured audit data.
In some embodiments, when the service access request is determined to be a non-target service access request based on the access flow control policy, the service access request is sent directly to the service server; alternatively, when the validity check result indicates that the target service access request is not valid, a re-authentication instruction or an access blocking instruction issued by the security management server is received.
In some embodiments, the proxy client intercepts the service access request and, when the zero-trust access function of the target client is in the effective state, sends it to the target client. The target client identifies that the IP to be accessed corresponding to the service access request is not within the target IP segment, determines that the service access request is a non-target service access request, and sends this identification result to the proxy client, which then sends the service access request to the service server.
In some embodiments, after intercepting the service access request the proxy client identifies that the target client is in an invalid state, and the proxy client sends the service access request to the service server.
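The classification in the resource-policy and function-policy embodiments above, together with the proxy client's forwarding choices (direct to the service server, via the intelligent gateway, or held for re-authentication or blocking), as an added example in Python. This is not code from the patent: the policy fields, the request record, the `verify()` callback standing in for the security management server, and the demo users are assumptions made for illustration.

```python
"""Added example (not code from the patent): evaluate the access flow control
policy (function policy, then resource policy) and derive the proxy client's
forwarding decision for a service access request.

The policy shape, the request record and the verify() callback are
hypothetical stand-ins for the patent's target client and security
management server."""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Route(Enum):
    DIRECT = "direct_to_service_server"   # non-target request: zero-trust path bypassed
    GATEWAY = "via_intelligent_gateway"   # target request, validity check passed
    REAUTH = "reauth_required"            # target request, server issued re-authentication
    BLOCK = "blocked"                     # target request, server issued access blocking


@dataclass(frozen=True)
class AccessPolicy:
    function_enabled: bool   # function policy: state of the zero-trust access function
    target_cidrs: tuple      # resource policy: target IP segments, e.g. ("10.0.0.0/8",)


@dataclass(frozen=True)
class ServiceAccessRequest:
    user: str
    device_id: str
    dst_ip: str              # IP to be accessed; hostnames must be resolved before this point
    dst_port: int


def is_target_request(policy: AccessPolicy, req: ServiceAccessRequest) -> bool:
    """Function policy first, then resource policy: a request is a target
    request only if the zero-trust function is in the effective state AND
    the destination lies inside one of the target IP segments."""
    if not policy.function_enabled:
        return False
    ip = ipaddress.ip_address(req.dst_ip)
    # ip_network.__contains__ returns False when the address and network
    # families differ, so an IPv6 destination never matches an IPv4 segment.
    return any(ip in ipaddress.ip_network(cidr, strict=False)
               for cidr in policy.target_cidrs)


def route_request(policy: AccessPolicy, req: ServiceAccessRequest, verify) -> Route:
    """Proxy client decision. `verify(req)` plays the security management
    server and returns a dict such as {"legal": True} or
    {"legal": False, "instruction": "reauth"} / {"legal": False, "instruction": "block"}."""
    if not is_target_request(policy, req):
        return Route.DIRECT                 # non-target: straight to the service server
    result = verify(req)
    if result.get("legal"):
        return Route.GATEWAY                # valid: forward via the intelligent gateway
    # Fail closed (assumption, not stated by the patent): a missing or unknown
    # instruction is treated as a block, never as permission to forward.
    return Route.REAUTH if result.get("instruction") == "reauth" else Route.BLOCK


def demo_verify(req: ServiceAccessRequest) -> dict:
    """Constructed stand-in for the validity check: one user is trusted,
    one must re-authenticate, everyone else is blocked."""
    if req.user == "alice":
        return {"legal": True}
    if req.user == "bob":
        return {"legal": False, "instruction": "reauth"}
    return {"legal": False, "instruction": "block"}


if __name__ == "__main__":
    policy = AccessPolicy(function_enabled=True,
                          target_cidrs=("10.0.0.0/8", "192.168.1.0/24"))
    for user, ip in (("alice", "10.1.2.3"), ("alice", "8.8.8.8"),
                     ("bob", "10.1.2.3"), ("mallory", "192.168.1.7")):
        req = ServiceAccessRequest(user, "dev-1", ip, 443)
        print(f"{user:>8} -> {ip:<14} {route_request(policy, req, demo_verify).value}")
```

The order of the two checks matters: if the zero-trust function is not in the effective state, the destination is never examined and the request goes straight to the service server, which is the behaviour the embodiments above describe. The fail-closed default for an unrecognised instruction is the example's own choice; the patent only names the re-authentication and access blocking instructions.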
In some embodiments, the target client generates the structured data corresponding to the control flow after sending the identification result that the service access request is a non-target service access request to the proxy client; or the proxy client generates the structured data corresponding to the data flow from the service response result, corresponding to the target service access request, that it obtains from the service server, and sends it to the target client; and the target client uploads the structured data corresponding to the data flow and, optionally, the structured data corresponding to the control flow to the security management server for storage as structured audit data.
In some embodiments, structured data corresponding to the service access request is generated from the service response result and sent to the security management server; the security management server audits the structured data to identify abnormal service access requests and, after identifying one, issues a re-authentication instruction or an access blocking instruction.
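The server-side audit described here and in the zero-trust operational data discussion earlier, as an added example (not code from the patent): the security management server joins the control-flow records produced by the target client to the data-flow records produced by the proxy client through the unique traffic identifier, flags sessions that exceed a set value, and collapses the findings into one re-authentication or access blocking instruction per terminal. The record fields, the thresholds and the sample records are constructed for illustration, and the specific anomaly rules are assumptions, since the patent states only that sessions exceeding a set value are to be detected.

```python
"""Added example (not code from the patent): audit of structured control-flow
and data-flow records on the security management server.

Record fields, thresholds and the sample records are constructed assumptions."""
from collections import Counter

# Constructed sample records. The target client produces a control-flow
# record per checked request; the proxy client produces a data-flow record
# per served response. Both carry the same unique traffic identifier.
CONTROL_FLOW = [
    {"traffic_id": "t-001", "terminal": "dev-A", "dst_ip": "10.1.2.3", "verdict": "legal"},
    {"traffic_id": "t-002", "terminal": "dev-A", "dst_ip": "10.1.2.3", "verdict": "legal"},
    {"traffic_id": "t-003", "terminal": "dev-B", "dst_ip": "10.1.2.9", "verdict": "illegal"},
]
DATA_FLOW = [
    {"traffic_id": "t-001", "terminal": "dev-A", "dst_ip": "10.1.2.3", "status": 200, "resp_bytes": 4096},
    {"traffic_id": "t-002", "terminal": "dev-A", "dst_ip": "10.1.2.3", "status": 200, "resp_bytes": 90_000_000},
    {"traffic_id": "t-003", "terminal": "dev-B", "dst_ip": "10.1.2.9", "status": 200, "resp_bytes": 512},
    {"traffic_id": "t-004", "terminal": "dev-C", "dst_ip": "10.1.2.3", "status": 200, "resp_bytes": 100},
]

SEVERITY = {"reauth": 1, "block": 2}   # block outranks reauth when collapsing findings


def audit(control, data, max_resp_bytes=50_000_000, max_sessions=100):
    """Join data-flow records to control-flow records by traffic_id and
    return a list of (terminal, instruction, reason) findings.

    Rules (assumptions for this example):
      * data flow with no control-flow record      -> block  (never checked)
      * data flow after a failed validity check    -> block  (bypassed the verdict)
      * destination differs between the two flows  -> block  (records do not agree)
      * response larger than max_resp_bytes        -> reauth (set value exceeded)
      * more sessions per terminal than max_sessions -> block (set value exceeded)
    """
    by_id = {}
    for c in control:
        if c["traffic_id"] in by_id:           # a reused traffic id is itself suspicious
            raise ValueError(f"duplicate control record {c['traffic_id']}")
        by_id[c["traffic_id"]] = c

    findings = []
    for d in data:
        c = by_id.get(d["traffic_id"])
        if c is None:
            findings.append((d["terminal"], "block", "data flow without control-flow record"))
        elif c["verdict"] != "legal":
            findings.append((d["terminal"], "block", "data flow after failed validity check"))
        elif c["dst_ip"] != d["dst_ip"]:
            findings.append((d["terminal"], "block", "destination differs between control and data flow"))
        elif d["resp_bytes"] > max_resp_bytes:
            findings.append((d["terminal"], "reauth", f"response of {d['resp_bytes']} bytes exceeds set value"))

    for terminal, n in Counter(d["terminal"] for d in data).items():
        if n > max_sessions:
            findings.append((terminal, "block", f"{n} sessions exceed set value {max_sessions}"))
    return findings


def instructions(findings):
    """Collapse findings to one instruction per terminal; block outranks reauth."""
    out = {}
    for terminal, instr, _reason in findings:
        if SEVERITY[instr] > SEVERITY.get(out.get(terminal), 0):
            out[terminal] = instr
    return out


if __name__ == "__main__":
    found = audit(CONTROL_FLOW, DATA_FLOW)
    for terminal, instr, reason in found:
        print(f"{terminal}: {instr:6} {reason}")
    print("instructions issued:", instructions(found))
```

The join through the traffic identifier is what lets the server notice the two cases that a data-flow record alone cannot reveal: a response that was served although no validity check was ever recorded (dev-C), and one served after the check failed (dev-B). Both thresholds are the "set value" the description refers to and would be tuned per deployment.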
It should be understood that the units or modules described in the service access flow control apparatus 10 correspond to the respective steps in the method described with reference to fig. 10. Thus, the operations and features described above for the method apply equally to the service access flow control apparatus 10 and the units it contains, and are not repeated here. The service access flow control apparatus 10 may be implemented in advance in a browser or other security application of an electronic device, or may be loaded into the browser or security application of the electronic device by downloading or the like. The corresponding units in the service access flow control apparatus 10 may interact with units in the electronic device to implement aspects of embodiments of the present application.
The division of the modules or units mentioned in the above detailed description is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
In summary, the service access flow control apparatus provided by the embodiments of the application can selectively intercept and forward service access requests in different ranges according to the access flow control policy, so that an enterprise can flexibly set the flow control boundary while effectively managing the security of service access requests.
It should be noted that details not disclosed for the service access flow control apparatus in the embodiments of the present application can be found in the foregoing embodiments of the present application and are not repeated here.
Referring now to fig. 14, fig. 14 shows a schematic diagram of a computer system suitable for implementing an electronic device or a security management server of an embodiment of the present application.
As shown in fig. 14, the computer system includes a central processing unit (CPU) 1401, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 1402 or a program loaded from a storage portion 1408 into a random access memory (RAM) 1403. The RAM 1403 also stores the various programs and data required for operation of the system. The CPU 1401, ROM 1402 and RAM 1403 are connected to each other through a bus 1404. An input/output (I/O) interface 1405 is also connected to the bus 1404.
The following components are connected to the I/O interface 1405: an input portion 1406 including a keyboard, a mouse and the like; an output portion 1407 including a cathode ray tube (CRT), a liquid crystal display (LCD), a speaker and the like; a storage portion 1408 including a hard disk and the like; and a communication portion 1409 including a network interface card such as a LAN card or a modem. The communication portion 1409 performs communication processing via a network such as the Internet. A drive 1410 is also connected to the I/O interface 1405 as needed. Removable media 1411, such as magnetic disks, optical disks, magneto-optical disks and semiconductor memory, are mounted on the drive 1410 as needed so that a computer program read from them can be installed into the storage portion 1408 as needed.
In particular, the process described above with reference to the flowchart of fig. 2 may be implemented as a computer software program according to an embodiment of the application. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer-readable medium, the computer program containing program code for performing the method shown in the flowchart. In such an embodiment, the computer program can be downloaded and installed from a network via the communication portion 1409 and/or installed from the removable medium 1411. When the computer program is executed by the central processing unit (CPU) 1401, the functions defined in the system of the present application described above are performed.
The computer readable medium shown in the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of a computer-readable storage medium may include, but are not limited to, an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present application, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may in fact be executed substantially in parallel, or they may sometimes be executed in the reverse order, depending on the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special-purpose hardware-based systems which perform the specified functions or acts, or by combinations of special-purpose hardware and computer instructions.
The units or modules involved in the embodiments of the present application may be implemented in software or in hardware. The described units or modules may also be provided in a processor, which may be described as, for example, a processor comprising a determination module, a forwarding module and an acquisition module. Where the names of these units or modules do not constitute a limitation on the unit or module itself in some cases, for example, the determining module may also be described as "determining that a service access request is a target service access request based on an access flow control policy issued by a target client when a service access request associated with a service application is intercepted, where the access flow control policy is used to determine an access flow control boundary".
As another aspect, the present application also provides a computer-readable storage medium that may be included in the electronic device described in the above embodiment or may exist alone without being incorporated in the electronic device. The computer readable storage medium stores one or more programs that when executed by one or more processors perform the traffic control method described in the present application.
The above description is only illustrative of the preferred embodiments of the present application and of the principles of the technology employed. It will be appreciated by persons skilled in the art that the scope of the disclosure referred to in the present application is not limited to the specific combinations of technical features described above, but also covers other technical solutions formed by any combination of the technical features described above or their equivalents without departing from the spirit of the disclosure, for example technical solutions formed by interchanging the above features with technical features having similar functions disclosed in the present application (but not limited thereto).

Claims (15)

1. A service access traffic control method, characterized in that the method comprises:
a proxy client intercepts a service access request associated with a service application;
a target client identifies, based on a network control boundary defined in an access traffic control policy, a service access request belonging to a target network area as a target service access request, wherein the access traffic control policy defines the target network area based on the network control boundary;
the target client sends an authentication request corresponding to the target service access request to a security management server, so that the security management server performs a validity check on the target service access request and obtains a validity check result;
the target client sends the validity check result to the proxy client and generates structured data corresponding to the control flow according to the validity check result;
when the validity check result indicates that the target service access request is valid, the proxy client obtains a service response result corresponding to the target service access request from a service server;
the proxy client generates structured data corresponding to the data flow according to the service response result and sends the structured data corresponding to the data flow to the target client; the structured data corresponding to the control flow and the structured data corresponding to the data flow are associated through a unique traffic identifier;
the target client uploads the structured data corresponding to the control flow and the structured data corresponding to the data flow to the security management server, so that the security management server compares them and determines whether there is an abnormal access session exceeding a set value.
2. The method according to claim 1, wherein the access traffic control policy includes a resource policy, the resource policy includes a target IP segment corresponding to the target service access request, and the method comprises:
when the IP to be accessed corresponding to the service access request is within the target IP segment, determining that the service access request is a target service access request;
when the IP to be accessed corresponding to the service access request is not within the target IP segment, determining that the service access request is a non-target service access request.
3. The method according to claim 1, wherein the access traffic control policy includes a function policy, the function policy is the state policy of the zero-trust access function corresponding to the target client, and the method comprises:
when the zero-trust access function is in the effective state, determining that the service access request is the target service access request;
when the zero-trust access function is in the failed state, determining that the service access request is a non-target service access request.
4. The method according to claim 1, wherein the target terminal includes a proxy client and a target client, and the method comprises:
the proxy client intercepts the service access request and, when the zero-trust access function of the target client is in the effective state, sends the service access request to the target client;
the target client identifies that the IP to be accessed corresponding to the service access request is within the target IP segment, determines that the service access request is a target service access request, and sends the target service access request to the security management server, so that the security management server performs a validity check on the target service access request and obtains the validity check result corresponding to the target service access request;
the target client sends the validity check result corresponding to the target service access request to the proxy client;
the proxy client sends the service access request to an intelligent gateway based on the validity check result, so that the intelligent gateway sends the service access request to the service server.
5. The method according to claim 1, wherein the target terminal includes a proxy client and a target client, and the method comprises:
the target client controls the proxy client to intercept the service access request and send the service access request to the target client;
the target client identifies that the IP to be accessed corresponding to the service access request is within the target IP segment, determines that the service access request is a target service access request, and sends the target service access request to the security management server, so that the security management server performs a validity check on the target service access request and obtains the validity check result corresponding to the target service access request;
the target client sends the validity check result corresponding to the target service access request to the proxy client;
the proxy client sends the service access request to an intelligent gateway based on the validity check result, so that the intelligent gateway sends the service access request to the service server.
6. The method according to claim 4 or 5, further comprising:
the proxy client generates the structured data corresponding to the data flow according to the service response result corresponding to the target service access request obtained from the intelligent gateway.
7. The method according to claim 1, characterized in that the method comprises:
when it is determined, based on the access traffic control policy, that the service access request is a non-target service access request, sending the service access request directly to the service server; or
when the validity check result indicates that the target service access request is not valid, receiving a re-authentication instruction or an access blocking instruction issued by the security management server.
8. The method according to claim 7, wherein the target terminal includes a proxy client and a target client, and the method comprises:
the proxy client intercepts the service access request and, when the zero-trust access function of the target client is in the effective state, sends the service access request to the target client;
the target client identifies that the IP to be accessed corresponding to the service access request is not within the target IP segment, determines that the service access request is a non-target service access request, and sends the identification result that the service access request is a non-target service access request to the proxy client;
the proxy client sends the service access request to the service server.
9. The method according to claim 7, wherein the target terminal includes a proxy client and a target client, and the method comprises:
after intercepting the service access request, the proxy client identifies that the target client is in an invalid state;
the proxy client sends the service access request to the service server.
10. The method according to claim 8 or 9, further comprising:
after the target client sends the identification result that the service access request is a non-target service access request to the proxy client, the target client generates structured data corresponding to the control flow; or
the proxy client generates structured data corresponding to the data flow according to the service response result corresponding to the target service access request obtained from the service server, and sends the structured data corresponding to the data flow to the target client;
the target client uploads the structured data corresponding to the data flow and, optionally, the structured data corresponding to the control flow to the security management server, to be stored as structured audit data.
11. The method according to claim 1, characterized in that, after obtaining the service response result corresponding to the target service access request, it further comprises:
generating structured data corresponding to the service access request according to the service response result, and sending it to the security management server;
the security management server audits the structured data to identify an abnormal service access request, and issues a re-authentication instruction or an access blocking instruction after identifying the abnormal service access request.
12. A service access traffic control apparatus, characterized in that the apparatus comprises:
an acquisition module, used for a proxy client to intercept a service access request associated with a service application;
a determination module, used for a target client to identify, based on a network control boundary defined in an access traffic control policy, a service access request belonging to a target network area as a target service access request, wherein the access traffic control policy defines the target network area based on the network control boundary;
a sending module, used for the target client to send an authentication request corresponding to the target service access request to a security management server, so that the security management server performs a validity check on the target service access request and obtains a validity check result; the target client sends the validity check result to the proxy client and generates structured data corresponding to the control flow according to the validity check result;
a receiving module, used for, when the validity check result indicates that the target service access request is valid, the proxy client to obtain a service response result corresponding to the target service access request from a service server; the proxy client generates structured data corresponding to the data flow according to the service response result and sends the structured data corresponding to the data flow to the target client; the structured data corresponding to the control flow and the structured data corresponding to the data flow are associated through a unique traffic identifier; the target client uploads the structured data corresponding to the control flow and the structured data corresponding to the data flow to the security management server, so that the security management server compares them and determines whether there is an abnormal access session exceeding a set value.
13. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that when the processor executes the program, the service access traffic control method according to any one of claims 1 to 11 is implemented.
14. A computer-readable storage medium having a computer program stored thereon, characterized in that when the program is executed by a processor, the service access traffic control method according to any one of claims 1 to 11 is implemented.
15. A computer program product comprising a computer program, characterized in that when the computer program is executed by a processor, the service access traffic control method according to any one of claims 1 to 11 is implemented.
CN202111244639.0A 2021-10-25 2021-10-25 Service access traffic control method, device, equipment and medium Active CN116032500B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111244639.0A CN116032500B (en) 2021-10-25 2021-10-25 Service access traffic control method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111244639.0A CN116032500B (en) 2021-10-25 2021-10-25 Service access traffic control method, device, equipment and medium

Publications (2)

Publication Number   Publication Date
CN116032500A (en)    2023-04-28
CN116032500B (en)    2025-08-08

Family

ID=86076394

Country Status (1)

Country Link
CN (1) CN116032500B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number   Priority date   Publication date   Assignee   Title
CN111935169A (en) *   2020-08-20   2020-11-13   Tencent Technology (Shenzhen) Co., Ltd.   Business data access method, device, equipment and storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number   Priority date   Publication date   Assignee   Title
CN108616490B (en) *   2016-12-13   2020-11-03   Tencent Technology (Shenzhen) Co., Ltd.   Network access control method, device and system
CN112134866B (en) *   2020-09-15   2024-06-14   Tencent Cloud Computing (Beijing) Co., Ltd.   Service access control method, device and system and computer readable storage medium
CN112149105A (en) *   2020-10-21   2020-12-29   Tencent Technology (Shenzhen) Co., Ltd.   Data processing system, method, related equipment and storage medium

Similar Documents

Publication   Title
US10931661B2 (en) Methods and systems for certificate filtering
US8327441B2 (en) System and method for application attestation
US20170324758A1 (en) Detecting and reacting to malicious activity in decrypted application data
US11792008B2 (en) Actively monitoring encrypted traffic by inspecting logs
US10454949B2 (en) Guarding against cross-site request forgery (CSRF) attacks
CN114745145B (en) Business data access method, device and equipment and computer storage medium
US8881273B2 (en) Device reputation management
Kumar et al. Exploring security issues and solutions in cloud computing services–a survey
US8832779B2 (en) Generalized identity mediation and propagation
US12445438B2 (en) Techniques for managing cookies through a secure web gateway
CN118233117A (en) Access control method, device, electronic device and storage medium
US7841005B2 (en) Method and apparatus for providing security to web services
CN116996238A (en) Processing method and related device for network abnormal access
CN115130116A (en) Business resource access method, device, equipment, readable storage medium and system
US20060047832A1 (en) Method and apparatus for processing web service messages
CN118802179A (en) Access policy adjustment method, device, equipment and storage medium
CN119174139A (en) Application Identification for Phishing Detection
Kuzminykh et al. Mechanisms of ensuring security in Keystone service
CN120337236A (en) A data resource access method, device, equipment and medium
CN119071004A (en) Zero-trust network access control method, device, computing device and storage medium
CN116961967A (en) Data processing methods, devices, computer-readable media and electronic equipment
HK40041360B (en) Request response method, device, computer readable storage medium and electronic equipment
HK40041360A (en) Request response method, device, computer readable storage medium and electronic equipment
HK40035775B (en) Method, system and device for controlling access, and computing apparatus

Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination
GR01   Patent grant