Access control method, device and system, computer equipment and storage medium

An access control and computer program technology, applied to transmission systems, electrical components, etc., which addresses problems such as vulnerability to piggyback attacks, the difficulty of accurately setting the service exposure time window, and the resulting impact on normal access, with the effect of reducing the time available for scanning and probing, reducing ineffective exposure time and reducing risk.

Active Publication Date: 2020-05-08
BEIJING QIANXIN TECH +1

AI Technical Summary

Problems solved by technology

[0004] In the current SPA implementation scheme, when the SDP connection-opening host is located behind a Network Address Translation (NAT) device and is authorized through SPA to connect to the SDP connection-accepting host, the IP address allowed to connect is the external egress address of the SDP connection-opening host, i.e. the IP address of the NAT device. For example, if the IP address of the SDP connection-opening host is 192.168.1.2 and its translated external IP address is 10.10.1.10, then after authorization every access request whose source IP is 10.10.1.10 is accepted by the SDP connection-accepting host. If an attacker is on the same subnet as the SDP connection-opening host (for example, with IP address 192.168.1.3), its external IP address is also 10.10.1.10, and during the service exposure time window of the SDP connection-accepting host the attacker can also directly access the service. In other words, the above SPA implementation scheme is vulnerable to piggyback attacks (Piggyback Attack: illegally accessing a hidden service through a legitimate channel established by another user).
[0005] In the existing technology, the risk of attack is mitigated by using random ports and by controlling the length of the service exposure time window. However, the inventors found that the length of the service exposure time window is difficult to set accurately. If the service exposure time window is opened for too short a time, it expires and is closed before a legitimate user can establish an access connection, which affects normal access. If it is opened for too long, an attacker has ample time to probe for the random port and access the service.


Examples


Embodiment 1

[0035] The embodiment of the present invention provides an access control method whose execution subject is the connection-accepting host. Through interaction with the connection-opening host and the controller, the service exposure time window can be closed in time without affecting normal access from the connection-opening host to the connection-accepting host, reducing the invalid time during which the service exposure time window stays open, thereby reducing the time available to attackers for scanning and probing and reducing the risk of piggyback attacks. Specifically, Figure 1 is a flow chart of the access control method provided by Embodiment 1 of the present invention. As shown in Figure 1, the access control method provided in this embodiment includes the following steps S101 to S104.

[0036] Step S101: After the authorization detection packet is authorized, open the service exposure ...

Embodiment 2

[0054] Embodiment 2 of the present invention provides a preferred access control method for controlling access to the hidden service from the connection-opening host to the connection-accepting host. Some technical features are the same as those of the first embodiment above; for their specific description and corresponding technical effects, refer to the first embodiment. Furthermore, in the second embodiment, the number of connections between the connection-opening host and the connection-accepting host is tracked, and whether the target port has completed the access connection is judged by whether the number of connections has reached the maximum number of connections, so that the service exposure time window can be closed at the appropriate time, improving the accuracy of access control. Specifically, Figure 2 is a flow chart of the access control method provided by Embodiment 2 of the present invention. As shown in Figure 2, the access control method pr...
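As an added illustration (not code from the patent), the following Python simulation of the connection-accepting host shows steps S101 to S104 from Embodiment 1 together with the connection counting of Embodiment 2: the window opened after SPA authorization for the NAT egress address 10.10.1.10 is closed as soon as the authorized host's TCP handshake completes, so a later SYN arriving from the attacker that shares that address is rejected instead of being served until a timer expires. The packet structure, the target port 443 and the flag strings are constructed simplifications of a real packet capture.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    peer: str        # remote IP as the accepting host sees it (post-NAT egress)
    port: int        # target port on the accepting host
    flags: str       # constructed simplification: "SYN", "SYN-ACK" or "ACK"
    direction: str   # "in" (towards the accepting host) or "out" (from it)

@dataclass
class ExposureWindow:
    max_connections: int     # Embodiment 2: close once this many connections complete
    completed: int = 0
    awaiting_ack: bool = False
    is_open: bool = True

class AcceptingHost:
    """Simulated connection-accepting host implementing steps S101 to S104."""
    def __init__(self):
        self.windows = {}   # (peer, port) -> ExposureWindow

    def authorize_spa(self, peer, port, max_connections=1):
        # S101: the authorization (SPA) packet passed -> open the exposure window.
        self.windows[(peer, port)] = ExposureWindow(max_connections)

    def observe(self, pkt):
        # S102: capture a packet; S103: judge whether the access connection completed.
        w = self.windows.get((pkt.peer, pkt.port))
        if w is None or not w.is_open:
            return False                      # port is hidden: packet rejected
        if pkt.direction == "out" and pkt.flags == "SYN-ACK":
            w.awaiting_ack = True             # our SYN-ACK went out to the peer
        elif pkt.direction == "in" and pkt.flags == "ACK" and w.awaiting_ack:
            w.awaiting_ack = False
            w.completed += 1                  # three-way handshake finished
            if w.completed >= w.max_connections:
                w.is_open = False             # S104: close the window immediately
        return True

def piggyback_scenario():
    """Legitimate host 192.168.1.2 and attacker 192.168.1.3 both egress as 10.10.1.10."""
    host = AcceptingHost()
    host.authorize_spa("10.10.1.10", 443)
    accepted = [host.observe(p) for p in (
        Packet("10.10.1.10", 443, "SYN", "in"),
        Packet("10.10.1.10", 443, "SYN-ACK", "out"),
        Packet("10.10.1.10", 443, "ACK", "in"))]
    # The attacker's SYN arrives from the same NAT address after the handshake.
    attacker_accepted = host.observe(Packet("10.10.1.10", 443, "SYN", "in"))
    return all(accepted), attacker_accepted
```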

Embodiment 3

[0070] Corresponding to the first embodiment above, the third embodiment of the present invention provides an access control device set on the connection-accepting host; the corresponding technical features and technical effects can be referred to above and are not repeated here. Figure 3 is a block diagram of the access control device provided by Embodiment 3 of the present invention. As shown in Figure 3, the device includes an opening module 301, a grabbing module 302, an analysis and judgment module 303 and a closing module 304.

[0071] The opening module 301 is used to open the service exposure time window after the authorization detection packet is authorized, wherein, while the service exposure time window is open, the connection-opening host that sent the authorization detection packet can access the target port of the connection-accepting host; the grabbing module 302 is used to grab the data packets sent and receive...


Abstract

The invention provides an access control method, device and system, computer equipment and a storage medium. The access control method is applied to a connection receiving host and comprises the steps of: opening a service exposure time window after authorization of an authorization detection packet is passed, wherein, while the service exposure time window is open, a connection opening host that sent the authorization detection packet can access a target port of the connection receiving host; capturing the data packets transmitted and received by the connection receiving host; analyzing the data packets to judge whether the target port has completed the access connection; and, when the target port has completed the access connection, closing the service exposure time window. According to the invention, the risk of piggyback attack can be reduced without affecting normal access.

Description

Technical field

[0001] The present invention relates to the technical field of access control, in particular to an access control method, device, system, computer equipment and storage medium.

Background technique

[0002] As enterprises embrace emerging technologies such as cloud computing, mobile Internet and IoT, their data and applications are no longer limited to the intranet. Therefore, the traditional firewall-based physical boundary defense can no longer meet the needs and has been replaced by the software-defined perimeter (Software Defined Perimeter, SDP). SDP is a new-generation network security model proposed by the Cloud Security Alliance (CSA) in 2014. SDP advocates network stealth, zero trust and minimal authorization, and is an enterprise security architecture better suited to the cloud and mobile era.

[0003] In the SDP security framework, its basic components include: SDP connection opening host, SDP connection acceptance host and...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06
CPC: H04L63/1425, H04L63/1441, H04L63/108
Inventor: 刘成伟张泽洲简明魏勇
Owner: BEIJING QIANXIN TECH