Network resource access control method under zero trust

A network resource access control technology, classed under electrical components and transmission systems, that addresses two problems of prior art: illegal access to network resources by intranet users cannot be prevented, and the security of network resources cannot be guaranteed. The stated effects are improved scalability, portability, a wide range of application, and increased bandwidth.

Inactive Publication Date: 2021-08-06
XIDIAN UNIV

AI Technical Summary

Problems solved by technology

In the process of implementing access control, there is an obvious shortcoming: it is impossible to prevent illegal access to network resources initiated by intranet users or authorized users, which may allow illegal users to obtain key information on network resources, and cannot guarantee the security of network resources.



Examples


Embodiment 1

[0038] Embodiment 1 The SDN administrator requests to access the SDN controller.

[0039] Referring to figure 1, the implementation steps of this example are as follows:

[0040] Step 1. Connect two gateways in the cloud platform.

[0041] A hardware device gateway is connected after the SDN administrator, and a virtual device gateway is connected before the SDN controller. Each of these two gateways has three operating modes: bridge, execution, and monitor:

[0042] In bridge mode, the gateway only acts as a bridging device between two ports; it neither inserts an identity token into the data packet nor performs identity parsing;

[0043] In execution mode, the gateway inserts the token into the TCP data packet, performs extraction and parsing of the token, and enforces the security policy according to the parsing result;

[0044] In monitor mode, the gateway inserts a token into TCP packets and performs extraction and parsing of that token, but ...

Embodiment 2

[0059] Embodiment 2, an untrusted user requests to access the SDN controller.

[0060] Referring to figure 1, the implementation steps of this example are as follows:

[0061] Step 1. Connect two gateways in the cloud platform.

[0062] A hardware device gateway is connected after the untrusted user, and a virtual device gateway is connected before the SDN controller. The operating modes of the two gateways are the same as those described in step 1 of Embodiment 1.

[0063] Step 2. The untrusted user initiates an access request, and an identity token is generated.

[0064] The untrusted user requests access to the SDN controller, and a corresponding identity token is generated while the session with the SDN controller is being established; the information carried by the token is the same as the token information described in step 2 of Embodiment 1.

[0065] Step 3. Insert the identity token into the TCP data packet.

[0066] The hardware device gateway inserts the identity token of the unt...

Embodiment 3

[0075] Embodiment 3, an untrusted external client requests to access the SDN controller.

[0076] Referring to figure 1, the implementation steps of this example are as follows:

[0077] Step A. Connect two gateways in the cloud platform.

[0078] A hardware device gateway is connected after the untrusted external client, and a virtual device gateway is connected before the SDN controller. The operating modes of the two gateways are the same as those described in step 1 of Embodiment 1.

[0079] Step B. The client obtains the IP address of the SDN controller through an external means.

[0080] Since this client is external and does not know the IP address of the SDN controller in advance, it is assumed that the client somehow obtained the address through an external channel; that channel may be, for example, a phishing attack against the administrator's network.

[0081] Step C, the client initiates an access request according to the obtained IP address, and gene...


Abstract

The invention discloses a network resource access control method under zero trust, and mainly solves the problems of the prior art that illegal access to network resources by intranet users or authorized users cannot be prevented in time and the security of the network resources cannot be ensured. According to the implementation scheme, an identity token is generated before a user accesses network resources; the identity token is then embedded into a TCP data packet and parsed, and whether the user's connection request is accepted is decided according to the parsing result. An authorized user is allowed access, while the request of an unauthorized user is rejected outright without feeding back any related information, so that access control under zero trust is realized. The method can effectively prevent illegal access to network resources by intranet users or authorized users, prevents illegal users from obtaining key information about the network resources, ensures the security of the network resources, and can be used for resource access to enterprise-level servers or cloud computing environments under zero trust.
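The token flow summarised in the abstract and the three gateway modes of step 1 in Embodiment 1, as an added Python sketch that is not the patent's own code. It assumes an HMAC over the token fields keyed by a secret shared between the two gateways, a constructed framing for carrying the token inside the TCP payload, and that monitor mode records the parsing result without enforcing it (the page's description of that mode is cut off); the policy table and sample users are constructed.

```python
import hashlib, hmac, json, struct

# Constructed demo key shared by the two gateways; the patent does not specify
# how tokens are keyed, so an HMAC over the token fields is an assumption here.
GATEWAY_KEY = b"constructed-demo-gateway-key"
TOKEN_MAGIC = b"ZTK1"  # constructed framing marker, not from the patent
MAC_LEN = 32

# Constructed policy: which roles may reach which resource.
POLICY = {"sdn_controller": {"sdn_admin"}}

def make_token(user_id: str, role: str, now: int, ttl: int = 60) -> bytes:
    """Identity token generated when the user starts a session (step 2)."""
    body = json.dumps({"uid": user_id, "role": role, "exp": now + ttl},
                      sort_keys=True).encode()
    return body + hmac.new(GATEWAY_KEY, body, hashlib.sha256).digest()

def insert_token(tcp_payload: bytes, token: bytes) -> bytes:
    """Hardware gateway side: prepend the token to the TCP payload (step 3)."""
    return TOKEN_MAGIC + struct.pack("!H", len(token)) + token + tcp_payload

def extract_token(packet: bytes):
    """Virtual gateway side: return (claims, payload); claims is None if the
    packet carries no token or the token fails its integrity check."""
    if not packet.startswith(TOKEN_MAGIC) or len(packet) < 6:
        return None, packet
    n = struct.unpack("!H", packet[4:6])[0]
    token, payload = packet[6:6 + n], packet[6 + n:]
    if len(token) <= MAC_LEN:
        return None, packet
    body, mac = token[:-MAC_LEN], token[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(GATEWAY_KEY, body, hashlib.sha256).digest()):
        return None, packet
    return json.loads(body), payload

def gateway(mode: str, packet: bytes, resource: str, now: int, log: list):
    """Apply one of the three gateway modes. Returns ("forward", payload) or
    ("drop", None); a drop carries no reason, so a rejected requester learns nothing."""
    if mode == "bridge":            # pass-through: no token handling at all
        return "forward", packet
    claims, payload = extract_token(packet)
    allowed = (claims is not None and claims["exp"] > now
               and claims["role"] in POLICY.get(resource, set()))
    log.append((mode, claims["uid"] if claims else None, allowed))
    if mode == "monitor":           # assumption: parse and record, never block
        return "forward", payload
    return ("forward", payload) if allowed else ("drop", None)
```

The same drop result is returned for a missing token (the external client of Embodiment 3), a tampered token, an expired token and an unauthorised role, which is the "no feedback" property the abstract describes.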

Description

Technical field

[0001] The invention belongs to the technical field of information security, and in particular relates to a network resource access control method, which can be used for resource access to enterprise-level servers or cloud computing environments under zero trust.

Background technique

[0002] In recent years, with the rapid development of big data and cloud computing, the frequency and severity of network attacks have continued to increase, and data center security based on network segmentation is no longer adequate. The traditional network security architecture is based on network boundary protection. When building a network security system, enterprises first divide the network into different security areas such as the external network, internal network, and DMZ. Then, by deploying network security technologies such as firewalls, WAFs, and IPS on the network border, multiple layers of protection are put in place to build a digital protection wall for enterprise busi...


Application Information

Patent Type & Authority: Applications (China)
IPC (8): H04L29/06
CPC: H04L63/0807; H04L63/105; H04L63/20; H04L69/163
Inventor: 马文平, 赵伟铮
Owner: XIDIAN UNIV