CN116318971A - A zero-trust IM terminal configuration method based on identity authentication - Google Patents
- Publication number: CN116318971A
- Application number: CN202310251931.8A
- Authority: CN (China)
- Prior art keywords: terminal, trust, zero, main device, identity authentication
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
    - H04L63/083—using passwords
    - H04L63/0861—using biometrical features, e.g. fingerprint, retina-scan
    - H04L63/0876—based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
  - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
    - H04L63/101—Access control lists [ACL]
  - H04L63/18—Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
  - Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Description
Technical field
The invention relates to the field of computer network technology, and in particular to a zero-trust IM terminal configuration method based on identity authentication.
Background art
Zero trust addresses the security problems caused by excessive trust, and in particular excessive trust within the trusted zone. This is especially important for organizations with high security-protection requirements. An IM terminal (instant messaging terminal), however, carries its own communication functions, so configuring it to join a zero-trust network is comparatively complicated. For example, prior-art invention patent application CN202011536114.X, "Communication method, target system and network system under a zero-trust architecture", discloses a communication method and a target system and network system under a zero-trust architecture. The target system comprises a server in the intranet that provides application services and a connector connected to that server; the connector is also connected to a zero-trust cloud gateway deployed in the external network; the connector actively connects to the zero-trust cloud gateway; and after actively connecting, the connector communicates with the zero-trust cloud gateway using a preset encryption/decryption algorithm. On the one hand, because the connector actively connects to the zero-trust cloud gateway it does not need to expose any port: the tunnel to the gateway is established by connecting outward, which prevents the intranet from being breached and so improves intranet security. On the other hand, after the connector actively connects to the zero-trust cloud gateway, it communicates with the gateway using a preset encryption/decryption algorithm, further improving intranet security.
In that application, after the connector actively connects to the zero-trust cloud gateway, encrypted communication with the gateway using a preset encryption/decryption algorithm further improves intranet security. However, the security of the connector itself is not covered at all: once the connector is compromised or controlled by an attacker, it can be used to issue permission requests continuously, and even if those requests never get into the zero-trust system they still consume large amounts of system resources and can even crash the entire system. At the same time, this configuration approach does not make full use of the IM terminal's own device capabilities, which leads to redundant construction.
Summary of the invention
In view of the shortcomings of the prior art, the purpose of the present invention is to provide a zero-trust IM terminal configuration method based on identity authentication that makes full use of the IM terminal's own device characteristics to connect it securely and quickly to a zero-trust network, while also streamlining, as far as possible, the zero-trust system after the IM terminal has joined, so as to ensure overall security.
To achieve the above object, the zero-trust IM terminal configuration method based on identity authentication of the present invention is used to add an IM terminal device to an already-configured zero-trust system. The IM terminal device comprises a main device on which the IM terminal is installed and other devices connected to that main device. The main device carrying the IM terminal accesses a network that carries a zero-trust terminal; after detecting the main device, the zero-trust terminal obtains the service types already present on the main device and their corresponding configuration information. The identity authentication policy server within the zero-trust terminal records the identity of the main device, attaches a security identifier to it, issues it basic access permissions, and writes those permissions to a writable switch. The IM user applies for additional permissions through an OA workflow; the application is approved by the workflow control center, and after approval the main device's configuration information is added to the access control list and permission applications are opened on that basis. Using the permission-application function provided, the IM user submits the corresponding permission-opening request to the permission control center. The permission-opening request is issued entirely by the main device on which the IM terminal is installed, and the permissions being opened concern the other devices connected to the main device. Once the request is approved, the corresponding device carries a security identifier for active zero trust, governed by the permission policy issued by the permission control center built into the identity authentication policy server. The security identifiers are all sent to the main device, which distributes them to the other devices according to the permission request.
Preferably, the security identifiers represent people, services or IoT devices, and together they define the zero-trust control plane. When a security identifier attempts to access a resource, strong authentication is used to verify it and to ensure that the access is compliant and is typical behaviour for that identifier, and access follows the principle of least privilege. The basic functions of the zero-trust terminal are integrated on the main device carrying the IM terminal, and the zero-trust gateway is realized by integrating gateway functions into the gateway connected to the main device. At that point, once authorized, the main device carrying the IM terminal can act fully as an independent zero-trust system server.
Preferably, when verification of a security identifier reveals suspicious access, a second multi-factor verification request is required. Suspicious access includes a detected login from an unusual IP address, a login at an unusual time, and any other login behaviour that conflicts with the operator's itinerary.
Preferably, the second multi-factor verification request specifically comprises a verification-code operation on the IM terminal via SMS or email; once the code has been verified, face recognition performs the second authentication of the user; at the same time, a trusted role is sought among the IM terminal's own contact groups to help confirm that the user's access is trustworthy. This prevents illegitimate users from entering the zero-trust system through ordinary means.
Preferably, the zero-trust gateway is realized by using a configurable switch to control the gateway to which the main device carrying the IM terminal is connected; that gateway verifies whether the user's request packets are legitimate and decides whether to open a TCP port for application access. Management control is thus applied to the transmitted content itself.
Preferably, switch ACL policies are issued dynamically as the zero-trust terminal policy, so that the first stage of authentication is completed within the switch; at the same time, the user data and basic environment data (environment, IP, GPS and so on) obtained by the gateway connected to the main device carrying the IM terminal are used to verify the security of the user's access.
Preferably, after obtaining the configuration information of the main device carrying the IM terminal, the zero-trust terminal generates a configuration information list and performs initialization according to it: following the list, high-risk ports and then idle ports are closed in turn, and the main device's configuration is reduced to the minimum configuration that still satisfies its basic functions. Some functions on the main device, and some functions of the other devices connected to it, can be opened temporarily at the request of the IM user.
Preferably, the basic permissions opened for the IM terminal after it has been recorded by the identity authentication policy server are OA login permission, WiFi authentication access permission and basic access function permission.
Preferably, the method further comprises write-back configuration: the configuration information of the IM terminal before initialization and after configuration is completed is uploaded to the zero-trust terminal as a configuration template. If the IM terminal malfunctions after initialization, it is rolled back to the earlier configuration information, the corresponding configuration template is deleted from the zero-trust terminal, and the IM terminal is excluded from the zero-trust system; the IM user must resolve the problem before attempting reconfiguration.
Preferably, after the zero-trust terminal detects the service types and corresponding configuration information of a new IM terminal, it first compares them with the saved configuration information of IM terminals that have already been configured, and decides on the basis of that comparison whether to adopt an existing configuration template directly.
The zero-trust IM terminal configuration method based on identity authentication of the present technical solution makes full use of the IM terminal's own capabilities and configures it quickly and securely into an existing zero-trust network, improving deployment speed and success rate while ensuring the reliability of the zero-trust system.
Compared with the prior art, the technical solution of the present invention has the following significant beneficial effects:
1. The IM terminal's own functions are used: for some non-confidential data exchanges, such as downloading data when configuring the zero-trust network client, no preliminary operations are needed and the IM terminal transfers the data directly.
2. When an anomaly occurs, the IM terminal can be used for a minimum level of interaction. The IM terminal is temporarily detached from the zero-trust network and re-verified to re-establish trust. If the anomaly cannot be eliminated while trust is being re-established, the zero-trust system is shut down completely and the IM terminal and related devices are blocked. Once thorough testing confirms that the anomaly has been eliminated, the IM terminal can be used to rebuild the zero-trust network quickly.
3. Once an IM terminal has been blocked out of the zero-trust system, it transmits the process data to the identity authentication policy server for analysis by the relevant technical staff, so that the zero-trust system can be improved continuously.
4. When the IM terminal joins the zero-trust system, the other devices connected to the main device that have not joined the zero-trust system can continue to work independently according to their own functions; they are merely data-isolated from the devices that have joined the zero-trust system, except while actively applying for permissions and awaiting the reply.
Description of the drawings
The accompanying drawings illustrate exemplary embodiments of the present disclosure and, together with the description, serve to explain its principles; they are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification.
FIG. 1 is an overall schematic diagram of the zero-trust IM terminal configuration method based on identity authentication of the present invention.
FIG. 2 is a schematic workflow diagram of the zero-trust IM terminal configuration method based on identity authentication of the present invention.
FIG. 3 is a schematic diagram of the write-back process architecture of the zero-trust IM terminal configuration method based on identity authentication of the present invention.
Detailed description
The present disclosure is further described in detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the relevant content and do not limit the present disclosure. It should also be noted that, for ease of description, only the parts related to the present disclosure are shown in the drawings.
It should be noted that, where no conflict arises, the embodiments of the present disclosure and the features within them may be combined with one another. The present disclosure is described in detail below with reference to the drawings and in conjunction with the embodiments. To make the objects, technical solutions and advantages of the present invention clearer, the present invention is further described in detail below in conjunction with the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and do not limit it.
Some terms are explained here:
IM (Instant Messaging). Most existing zero-trust systems come with their own communication modules, but few of those modules are compatible with instant messaging.
OA (Office Automation). The use of Internet/Intranet technology, built on the workflow concept, so that staff within an enterprise can share information conveniently and quickly and collaborate efficiently, replacing the complicated and inefficient manual office methods of the past with rapid, comprehensive information collection and processing that gives enterprise management and decision-making a scientific basis.
IoT devices (Internet of Things). Network devices that link physical devices, vehicles, buildings and other objects embedded with electronics, software and sensors to the network, enabling those objects to collect and exchange data.
IP (Internet Protocol). The Internet protocol address assigned to a user for network access.
GPS (Global Positioning System). A satellite navigation system.
A zero-trust network requires dynamic, continuous monitoring and adjustment of permissions according to the security state of each object. Traditional enterprise IM, meanwhile, is usually third-party communication software purchased for messaging and is not well integrated with the zero-trust system; data leakage through the IM terminal persists, accounts are frequently shared by several people, and account theft or leakage can easily result, compromising enterprise system security.
As shown in FIG. 1, the zero-trust IM terminal configuration method based on identity authentication of the present invention is used to add an IM terminal device, comprising a main device on which the IM terminal is installed and other devices connected to that main device, to an already-configured zero-trust system. The main device carrying the IM terminal accesses a network that carries a zero-trust terminal; after detecting the IM terminal, the zero-trust terminal obtains the service types already present on the main device and their corresponding configuration information. The identity authentication policy server within the zero-trust terminal records the identity of the main device carrying the IM terminal, attaches a security identifier to it, issues basic access permissions to the IM terminal, and writes those permissions to a writable switch. The IM user applies for additional permissions through an OA workflow; the application is approved by the workflow control center, and after approval the IM terminal's configuration information is added to the access control list and permission applications are opened on that basis.
An access control list (ACL) consists of a series of conditional rules (judgement statements describing the conditions a packet must match), covering the packet's source address, destination address, port number and so on; it is an instruction list applied on the various hardware and software interfaces of network devices. Inbound and outbound packets are filtered according to the matching conditions in the ACL, and traffic is classified according to those conditions for further special handling by the device. In this embodiment, after the IM terminal's configuration information has been added to the access control list, the sending of packets whose source address is the IM terminal, or whose destination address is the IM terminal, is opened.
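The rule walk described above, as an added Python example that is not part of the patent: a first-match ACL evaluator with an implicit deny, and a helper that shows what adding one IM terminal's configuration to the list opens (packets from the terminal to the gateway's service port and packets back to the terminal) while everything else stays closed. The addresses, the service port 8443 and the baseline deny rule are constructed; the patent specifies none of them.

```python
# Added example, not from the patent: a first-match ACL evaluator showing what
# "adding the IM terminal's configuration information to the access control
# list" amounts to. Addresses, port and rule order are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # source prefix
    dst: str = "0.0.0.0/0"       # destination prefix
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; traffic that matches nothing is implicitly
    denied, which is what keeps a terminal that has not been admitted isolated."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def admit_terminal(acl: List[Rule], terminal_ip: str, gateway_ip: str,
                   service_port: int) -> List[Rule]:
    """Return a new ACL that opens packets whose source is the terminal (towards
    the gateway's service port) and packets whose destination is the terminal.
    Existing entries stay in front, so an earlier deny keeps its priority."""
    host, gw = f"{terminal_ip}/32", f"{gateway_ip}/32"
    return acl + [
        Rule("permit", src=host, dst=gw, proto="tcp", dport=service_port),
        Rule("permit", src=gw, dst=host, proto="tcp"),
    ]


def demo() -> dict:
    """Constructed scenario: one baseline deny (SSH to the gateway is never
    opened for terminals), then admission of a single terminal."""
    gateway, terminal, stranger, oa_port = "10.20.0.1", "10.20.0.15", "10.20.0.99", 8443
    acl = [Rule("deny", src="10.20.0.0/24", dst=f"{gateway}/32", proto="tcp", dport=22)]
    to_oa = Packet(terminal, gateway, "tcp", oa_port)
    reply = Packet(gateway, terminal, "tcp", 51000)
    before = evaluate(acl, to_oa)
    acl = admit_terminal(acl, terminal, gateway, oa_port)
    return {
        "before_admission": before,
        "terminal_to_oa": evaluate(acl, to_oa),
        "gateway_reply": evaluate(acl, reply),
        "terminal_ssh": evaluate(acl, Packet(terminal, gateway, "tcp", 22)),
        "stranger_to_oa": evaluate(acl, Packet(stranger, gateway, "tcp", oa_port)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The order of entries matters: because the baseline deny for port 22 sits before the permits that admission appends, the admitted terminal still cannot reach SSH on the gateway, and a second terminal whose configuration was never added is denied by the implicit default rather than by any explicit entry.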
Using the permission-application function provided, the IM user submits the corresponding permission-opening request to the permission control center. The permission-opening request is issued entirely by the IM terminal and carries the security identifier for active zero trust, controlled by the additional permission policies issued by the permission control center. The security identifiers represent people, services or IoT devices and define the zero-trust control plane; when a security identifier attempts to access a resource, strong authentication is used to verify it and to ensure that the access is compliant and is typical behaviour for that identifier, and access follows the principle of least privilege. The basic functions of the zero-trust terminal are integrated into the IM terminal, and the zero-trust gateway function is realized by integrating gateway functions into the gateway connected to the main device carrying the IM terminal. When verification of a security identifier reveals suspicious access, a second multi-factor verification request is required. That request specifically comprises a verification-code operation on the IM terminal via SMS or email; once the code has been verified, face recognition performs the second authentication of the user; at the same time, a trusted role is sought among the IM terminal's own contact groups to help confirm that the user's access is trustworthy. This prevents illegitimate users from entering the zero-trust system through ordinary means.
Embodiment 1: The identity authentication policy server detects that an IM terminal is accessing from an overseas IP address, while the IM user's schedule shows no travel abroad. The IM terminal's built-in message pop-up is then used to require the client to confirm the access, and the user is also required to complete a second verification by logging in to the account with a mobile SMS code; otherwise the user's access request is terminated. If the pop-up receives no response within 1 minute, the user's client session is disconnected directly, and all login attempts from that IM terminal are rejected until the user has completed the second SMS verification.
After the user completes the second SMS verification and logs in successfully, a request for an explanation of the anomaly is sent to the mobile phone, and the user must describe in detail the circumstances in which the anomaly occurred. The IM terminal transmits the process data to the identity authentication policy server so that the relevant technical staff can analyse it and cross-check it against the user's account of events. In this embodiment, the user had improperly started VPN software, which changed the IP address. This behaviour is not permitted, so after the incident was recorded, the connection permission of the main device corresponding to that IM terminal was closed.
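The suspicious-access conditions listed above (unusual IP address, unusual login time, conflict with the operator's itinerary) and the pop-up, SMS and lockout sequence of Embodiment 1, as an added Python example that is not part of the patent. The GeoIP table, the user profile (home country, usual addresses, working hours, travel schedule) and every timestamp are constructed stand-ins; the one-minute deadline is the figure Embodiment 1 gives.

```python
# Added example, not from the patent: policy-server checks for the three kinds of
# suspicious access the description lists, plus the step-up flow of Embodiment 1
# (pop-up with a 1-minute deadline, disconnection, every login rejected until the
# SMS code is verified). GeoIP table, profile and timestamps are constructed.
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Dict, List, Set, Tuple

IP_COUNTRY: Dict[str, str] = {"10.8.0.12": "CN", "203.0.113.7": "SG"}  # constructed GeoIP
POPUP_DEADLINE = timedelta(minutes=1)

@dataclass
class Profile:
    user: str
    home_country: str
    usual_ips: Set[str]
    work_hours: Tuple[time, time] = (time(8, 0), time(20, 0))
    travel: Dict[str, Set[str]] = field(default_factory=dict)  # ISO date -> countries

@dataclass
class Attempt:
    user: str
    terminal_id: str
    ip: str
    at: datetime

def suspicion_reasons(p: Profile, a: Attempt) -> List[str]:
    reasons = []
    if a.ip not in p.usual_ips:
        reasons.append("unusual_ip")
    start, end = p.work_hours
    if not start <= a.at.time() <= end:
        reasons.append("unusual_time")
    scheduled = p.travel.get(a.at.date().isoformat(), {p.home_country})
    if IP_COUNTRY.get(a.ip, "unknown") not in scheduled:
        reasons.append("itinerary_conflict")
    return reasons

class PolicyServer:
    def __init__(self, profiles: List[Profile]) -> None:
        self.profiles = {p.user: p for p in profiles}
        self.pending: Dict[str, datetime] = {}  # terminal -> when its pop-up was shown
        self.awaiting_sms: Set[str] = set()     # pop-up confirmed, SMS code outstanding
        self.locked: Set[str] = set()           # every login rejected until SMS succeeds

    def login(self, a: Attempt) -> str:
        if a.terminal_id in self.locked:
            return "reject"
        if not suspicion_reasons(self.profiles[a.user], a):
            return "allow"
        self.pending[a.terminal_id] = a.at
        return "step_up"

    def confirm_popup(self, terminal_id: str, now: datetime) -> str:
        started = self.pending.get(terminal_id)
        if started is None:
            return "no_session"
        if now - started >= POPUP_DEADLINE:
            return self._disconnect(terminal_id)
        self.pending.pop(terminal_id)
        self.awaiting_sms.add(terminal_id)
        return "awaiting_sms"

    def tick(self, terminal_id: str, now: datetime) -> str:
        """Timer callback: a pop-up unanswered past the deadline drops the client."""
        started = self.pending.get(terminal_id)
        if started is None:
            return "idle"
        return self._disconnect(terminal_id) if now - started >= POPUP_DEADLINE else "waiting"

    def verify_sms(self, terminal_id: str, code_ok: bool) -> str:
        self.awaiting_sms.discard(terminal_id)
        if code_ok:
            self.locked.discard(terminal_id)
            return "allow"
        return "terminate"  # the access request ends; a fresh login starts over

    def _disconnect(self, terminal_id: str) -> str:
        self.pending.pop(terminal_id, None)
        self.locked.add(terminal_id)
        return "disconnect"

def demo() -> List[str]:
    """Embodiment 1 on constructed data: overseas IP, no travel scheduled, pop-up
    unanswered for over a minute, lockout, then SMS verification."""
    alice = Profile("alice", "CN", {"10.8.0.12"})
    srv = PolicyServer([alice])
    t0 = datetime(2024, 3, 5, 10, 0)
    abroad = Attempt("alice", "term-A", "203.0.113.7", t0)
    return [
        srv.login(Attempt("alice", "term-A", "10.8.0.12", t0)),
        ",".join(suspicion_reasons(alice, abroad)),
        srv.login(abroad),
        srv.tick("term-A", t0 + timedelta(seconds=30)),
        srv.tick("term-A", t0 + timedelta(seconds=61)),
        srv.login(abroad),
        srv.verify_sms("term-A", True),
        srv.login(Attempt("alice", "term-A", "10.8.0.12", t0)),
    ]
```

The lockout is keyed on the terminal, not the account, so a user who answers the pop-up in time on another terminal is not affected; a failed SMS code terminates only that request, while an unanswered pop-up disconnects and locks the terminal until a code is verified.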
As shown in FIG. 2, the gateway connected to the main device carrying the IM terminal verifies whether the user's request packets are legitimate and decides whether to open a TCP port for application access; management control is thus applied to the transmitted content itself. Switch ACL policies are issued dynamically as the zero-trust terminal policy so that the first stage of authentication is completed within the switch; at the same time, the user data and basic environment data (environment, IP, GPS and so on) obtained by the IM terminal's own gateway are used to verify the security of the user's access. After obtaining the IM terminal's configuration information, the zero-trust terminal generates a configuration information list and performs initialization according to it: following the list, high-risk ports and then idle ports are closed in turn, and the IM terminal's configuration is reduced to the minimum configuration that still satisfies its basic functions. Some functions can be opened temporarily at the request of the IM user. The basic permissions opened for the IM terminal after it has been recorded by the identity authentication policy server are OA login permission, WiFi authentication access permission and basic access function permission.
Embodiment 2: When the gateway connected to the main device carrying the IM terminal verifies the user's client IMEI information and finds that the user's configuration file on the main device has been modified, a pop-up can require the user to re-enter the password or to log in with an SMS verification code. At the same time, the user's corresponding IM contacts are asked to help by sending the corresponding confirmation code to the user's account, confirming that the login is secure.
As shown in Figure 3, the present invention also includes write-back configuration: the configuration information of the IM terminal from before initialization processing and from after configuration is completed is uploaded to the zero-trust terminal as a configuration template. If the IM terminal runs into problems after initialization processing, it is rolled back to the previous configuration information, the corresponding configuration template is deleted from the zero-trust terminal, and the IM terminal is excluded from the zero-trust system; the IM user must resolve the problem before attempting to reconfigure. After the zero-trust terminal detects the service type of a new IM terminal and its corresponding configuration information, it first compares them with the saved configuration information of IM terminals whose configuration has already been completed, and decides according to the comparison result whether to adopt the existing configuration template directly.
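As an added example that is not code from the patent, the following Python models the zero-trust terminal's handling of an IM terminal configuration described for Figures 2 and 3: building the configuration list, closing high-risk and then idle ports down to a minimal baseline, storing the before/after templates, rolling back and excluding the terminal on failure, and reusing a saved template when a new terminal's service type and configuration match. The port numbers, the high-risk port set, the service types and every class and function name are constructed assumptions.

```python
from copy import deepcopy

# Constructed assumptions (not from the patent): which ports count as high-risk,
# and which ports the minimal "basic function" configuration must keep open.
HIGH_RISK_PORTS = {23, 135, 139, 445, 3389}
BASIC_PORTS = {443, 8443}


class ZeroTrustTerminal:
    """Holds configuration templates and the set of excluded IM terminals."""

    def __init__(self):
        self.templates = {}   # terminal_id -> {"before": cfg, "after": cfg}
        self.excluded = set()

    @staticmethod
    def config_list(cfg):
        """Configuration list: one (port, action) decision per open port.
        High-risk ports are closed first, then idle ports; basic ports are kept."""
        decisions = []
        for port in sorted(cfg["open_ports"]):
            if port in HIGH_RISK_PORTS and port not in BASIC_PORTS:
                decisions.append((port, "close:high-risk"))
            elif port in cfg["idle_ports"] and port not in BASIC_PORTS:
                decisions.append((port, "close:idle"))
            else:
                decisions.append((port, "keep"))
        return decisions

    def initialize(self, terminal_id, cfg):
        """Reduce the terminal to its minimum configuration; store before/after."""
        before, after = deepcopy(cfg), deepcopy(cfg)
        for port, action in self.config_list(cfg):
            if action != "keep":
                after["open_ports"].discard(port)
        after["idle_ports"] = after["idle_ports"] & after["open_ports"]
        self.templates[terminal_id] = {"before": before, "after": after}
        return after

    def report_health(self, terminal_id, ok):
        """Write-back: on failure roll back to the prior configuration, delete the
        template and exclude the terminal until the IM user resolves the problem."""
        if ok:
            return self.templates[terminal_id]["after"]
        restored = self.templates.pop(terminal_id)["before"]
        self.excluded.add(terminal_id)
        return restored

    def matching_template(self, service_type, cfg):
        """Adopt a saved template when service type and pre-config match exactly."""
        for tpl in self.templates.values():
            b = tpl["before"]
            if b["service_type"] == service_type and b["open_ports"] == cfg["open_ports"]:
                return deepcopy(tpl["after"])
        return None
```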
Although the present invention has been disclosed above by way of preferred embodiments, they are not intended to limit the scope in which the invention may be practised. Any person of ordinary skill in the art may make minor improvements without departing from the scope of the invention, and all equivalent improvements made in accordance with the present invention shall be covered by its scope. In the description of this specification, references to the terms "one embodiment/mode", "some embodiments/modes", "example", "specific example" or "some examples" mean that a specific feature, structure, material or characteristic described in connection with that embodiment/mode or example is included in at least one embodiment/mode or example of the present application. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment/mode or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any one or more embodiments/modes or examples in a suitable manner. In addition, provided they do not contradict one another, those skilled in the art may combine the different embodiments/modes or examples described in this specification, and the features of those different embodiments/modes or examples, with one another.
In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or as implicitly specifying the number of the technical features indicated. Accordingly, a feature qualified by "first" or "second" may explicitly or implicitly include at least one such feature. In the description of this application, "plurality" means at least two, for example two, three and so on, unless expressly and specifically limited otherwise.
Those skilled in the art should understand that the above embodiments are merely intended to illustrate the present disclosure clearly and are not intended to limit its scope. Those skilled in the art may make other changes or variations on the basis of the above disclosure, and such changes or variations remain within the scope of the present disclosure.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310251931.8A CN116318971A (en) | 2023-03-15 | 2023-03-15 | A zero-trust IM terminal configuration method based on identity authentication |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116318971A true CN116318971A (en) | 2023-06-23 |
Family
ID=86781117
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310251931.8A Pending CN116318971A (en) | 2023-03-15 | 2023-03-15 | A zero-trust IM terminal configuration method based on identity authentication |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116318971A (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2017095215A1 (en) * | 2015-11-30 | 2017-06-08 | Linkdood Technologies Sdn Bhd | A type of enterprise level instant messaging(im) system and method that supports cross system messaging |
| CN113949573A (en) * | 2021-10-18 | 2022-01-18 | 天翼数字生活科技有限公司 | Zero-trust service access control system and method |
| CN115701019A (en) * | 2021-07-14 | 2023-02-07 | 腾讯科技(深圳)有限公司 | Access request processing method and device of zero trust network and electronic equipment |
| US20230056432A1 (en) * | 2020-11-05 | 2023-02-23 | Tencent Technology (Shenzhen) Company Limited | Service communication method, system, apparatus, electronic device, and storage medium |
Non-Patent Citations (1)
| Title |
|---|
| 孙元宁 (Sun Yuanning): "Characteristics and Functions of the IMS System", 电信技术 (Telecommunications Technology), no. 07, 20 July 2005 (2005-07-20) * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11604861B2 (en) | | Systems and methods for providing real time security and access monitoring of a removable media device |
| US20190188993A1 (en) | | Integrated physical and logical security management via a portable device |
| US7886335B1 (en) | | Reconciliation of multiple sets of network access control policies |
| US9467475B2 (en) | | Secure mobile framework |
| US20070143408A1 (en) | | Enterprise to enterprise instant messaging |
| CN113572738A (en) | | Zero trust network architecture and construction method |
| US20200311277A1 (en) | | Method, system and device for security configurations |
| US20080052755A1 (en) | | Secure, real-time application execution control system and methods |
| US11985113B2 (en) | | Computing system operational methods and apparatus |
| CN116032533A (en) | | Remote office access method and system based on zero trust |
| JP2016530814A (en) | | Gateway device to block a large number of VPN connections |
| US9608973B2 (en) | | Security management system including multiple relay servers and security management method |
| CN113472758B (en) | | Access control method, device, terminal, connector and storage medium |
| CN101986598A (en) | | Authentication method, server and system |
| EP3738012B1 (en) | | Asserting user, app, and device binding in an unmanaged mobile device |
| US20110321134A1 (en) | | Consigning Authentication Method |
| CN103069767B (en) | | Consigning authentication method |
| CN116318971A (en) | | A zero-trust IM terminal configuration method based on identity authentication |
| CN116248405A (en) | | A zero-trust-based network security access control method and a gateway system and storage medium using the method |
| CN117240465A (en) | | A unified analysis, evaluation and trusted access method for zero-trust security in the Internet of Things |
| KR102733046B1 (en) | | Method for securing private network and network system for performing the same |
| KR101314695B1 (en) | | Intranet Security Management System, Blocking Server therefor, and Security Method thereof |
| KR20240048158A (en) | | Method and system for controlling federation policy based on zta for enterprise wireless network infrastructure |
| CN119562177A (en) | | Network locking method, device, management platform and readable storage medium |
| CN118102297A (en) | | Construction method and system of mobile enterprise private line based on 5G slicing |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |