CN114598498B - Access method, access system, computer device, and storage medium - Google Patents

Publication number
CN114598498B
CN114598498B
Authority
CN
China
Prior art keywords
user
service node
access service
intranet application
access
Legal status
Active
Application number
CN202210105459.2A
Other languages
Chinese (zh)
Other versions
CN114598498A (en)
Inventor
刘书浩
Current Assignee
Hangzhou Yigeyun Technology Co ltd
Original Assignee
Hangzhou Yigeyun Technology Co ltd
Application filed by Hangzhou Yigeyun Technology Co ltd
Priority to CN202210105459.2A
Publication of CN114598498A
Application granted
Publication of CN114598498B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/0218 Distributed architectures, e.g. distributed firewalls
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/105 Multiple levels of security


Abstract

The application relates to an access method, an access system, a computer device and a storage medium. The method comprises the following steps: a user access service node receives a user access request and, if the request passes a first authentication, determines a first security tunnel; if a failure of the first intranet application access service node is detected, a matching second intranet application access service node and second security tunnel are determined according to a preset forwarding strategy, and a forwarding message is sent to the user access service node; and if the user access request passes a second authentication and a third authentication, it is forwarded to the intranet application through the intranet, so that the user side can access the intranet application. With this method, an access system deployed on a public cloud can switch the forwarding tunnel directly when an intranet application access service node fails, without changing the networking of the user side, which keeps the user's intranet access service available and improves the stability and reliability of user service access.

Description

Access method, access system, computer device, and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to an access method, an access system, a computer device, and a storage medium.
Background
A conventional VPN (Virtual Private Network) can provide secure data transfer tunneling services between enterprises or between individuals and enterprises. For the protection of resources, the traditional approach is to divide the network into security zones, form network boundaries between the zones, and deploy boundary security devices at those boundaries. Boundary security devices include firewalls, IPS (Intrusion Prevention System) devices, network gap devices (gatekeepers), WAFs (Web Application Firewall, a website application level intrusion prevention system) and the like, and can block various attacks from outside the boundary, thereby building an enterprise network security system; this traditional approach can be called the boundary security concept.
With the development of cloud computing as an emerging technology, and with the trend of business migrating to the cloud and of mobile office work, enterprise data is no longer confined to the intranet, and network security is no longer confined to boundary security. The center of security has shifted to data security, and the data security of the enterprise intranet should be fully emphasized, while traditional boundary-based network security architectures and solutions have become difficult to adapt to modern enterprise network infrastructure.
In the related art, a gateway is deployed on the enterprise intranet to implement zero-trust protection of enterprise intranet data, breaking the default binding between trust and network location. However, both the traditional VPN architecture and the current zero trust architecture concentrate all access deployment and control of resources on the gateway; the demands on the gateway are high, and once the gateway fails, the user terminal can no longer access data.
Disclosure of Invention
In view of the foregoing, it is desirable to provide an access method, apparatus, computer device, computer-readable storage medium, and computer program product that can improve access reliability.
In a first aspect, the present application provides an access method. The access method is applied to an access system, the access system comprises a management and control server, a plurality of intranet application access service clients and a plurality of edge computing nodes deployed on public cloud, and the edge computing nodes comprise at least one user access service node and an intranet application access service node group; the user access service nodes are connected with the intranet application access service node group through a security tunnel group, and the security tunnels are in one-to-one correspondence with the intranet application access service nodes; the method comprises the following steps:
The user access service node receives a user access request, determines a first security tunnel according to a forwarding tunnel determination strategy if the user access request passes a first authentication, and forwards the user access request to the corresponding first intranet application access service node through the first security tunnel;
The management and control server determines a second intranet application access service node and a second secure tunnel matched with the first intranet application access service node according to a preset forwarding strategy under the condition that the first intranet application access service node is monitored to be faulty, and sends a forwarding message to the user access service node, wherein the forwarding message is used for indicating the user access service node to send the user access request to the second intranet application access service node through the second secure tunnel;
The second intranet application access service node forwards the user access request to the intranet application access service client under the condition that the user access request passes the second authentication;
And the intranet application access service client forwards the user access request to the intranet application through the intranet under the condition that the user access request passes the third authentication, so that the user accesses the intranet application.
In one embodiment, the determining the first secure tunnel according to the forwarding tunnel determination policy includes:
For each security tunnel contained in the security tunnel group, acquiring real-time resource information and geographic position information of the security tunnel;
according to the real-time resource information and the geographic position information, calculating the forwarding priority of the security tunnel through a preset priority algorithm;
and taking the security tunnel with the highest forwarding priority level in the security tunnel group as a first security tunnel.
In one embodiment, the determining the first secure tunnel according to the forwarding tunnel determination policy includes:
analyzing the user access request to obtain a target access address;
calculating a target secrecy level (classification level) of the target access address according to a preset secrecy level determining algorithm;
determining, according to the pre-configured correspondence between secrecy levels and intranet application access service nodes, the first intranet application access service node corresponding to the target secrecy level in the intranet application access service node group corresponding to the user access service node;
and taking the security tunnel corresponding to the first intranet application access service node as the first security tunnel.
In one embodiment, when the management and control server monitors that the first intranet application access service node has failed, determining, according to a preset forwarding policy, a second intranet application access service node and a second secure tunnel matched with the first intranet application access service node includes:
the management and control server, upon monitoring that the first intranet application access service node has failed, determines according to the pre-configured correspondence between secrecy levels and intranet application access service nodes a target set of intranet application access service nodes whose secrecy level is greater than or equal to that of the first intranet application access service node;
and the management and control server determines, within the target set and according to the preset forwarding strategy, the second intranet application access service node matched with the first intranet application access service node and the second security tunnel.
In one embodiment, the user access request includes first user information and a target access address, where the first user information includes first identity information and first communication feature information;
before the step of determining the first secure tunnel according to the forwarding tunnel determination policy, the method further comprises:
analyzing the user access request to obtain the first identity information, the first communication feature information and the target access address;
and if the first communication feature information lies in a preset target area, and the user access service node determines, according to the correspondence between users and access rights, that the first access right corresponding to the first identity information contains the target access address, determining that the user access request passes the first authentication.
In one embodiment, the access system further comprises an intranet application end and at least one user side; the method further comprises the steps of:
the user access service node receives a user registration request sent by the user side and forwards it to the management and control server, wherein the user registration request comprises the user information of a plurality of users in a preset range, and the user information comprises identity feature information and communication feature information;
the intranet application access service node receives an application registration request sent by the intranet application end and forwards it to the management and control server, wherein the application registration request comprises the address information of an internal application, and the address information comprises a communication address and a communication port;
and when the management and control server has received both the user registration request and the application registration request, it allocates access rights to every user contained in the user registration request according to a preset rights setting policy and the identity feature information and communication feature information, generates the correspondence between users and access rights, and transmits that correspondence to the user access service node, the intranet application access service node and the intranet application access service client, wherein an access right comprises the address information of at least one intranet application and enables the user to access that intranet application.
In one embodiment, the allocating access rights to each user included in the user registration request according to the preset rights setting policy and the identity feature information and the communication feature information, and generating a correspondence between the user and the access rights, includes:
for each user in the user registration request, the management and control server calculates the trust feature degree corresponding to the user through a preset trust feature algorithm according to the identity feature information and the communication feature information; and distributing access rights corresponding to the trust feature degree to the user according to the trust feature degree corresponding to the user and a preset rights setting policy, and generating a corresponding relation between the user and the access rights.
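The registration-time rights allocation from a trust feature degree and the request-time first authentication check described above (communication feature inside a target area, and the identity's access right containing the target address), worked through as an added Python example that is not the patent's own code. The trust algorithm, the rights policy, the target-area networks, the hostnames and the users are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Application registration requests carry the intranet application's address
# information (communication address and port). Constructed sample set.
REGISTERED_APPS: Set[str] = {"wiki.corp.internal:80", "hr.corp.internal:443",
                             "finance.corp.internal:443"}

# Assumed "target area": networks a request's communication feature (here its
# source address) must fall inside to pass the first authentication.
TARGET_AREAS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

# Assumed rights-setting policy: minimum trust feature degree per application.
RIGHTS_POLICY: Dict[str, int] = {"wiki.corp.internal:80": 1,
                                 "hr.corp.internal:443": 3,
                                 "finance.corp.internal:443": 4}


@dataclass(frozen=True)
class UserInfo:
    """One entry of a user registration request (constructed fields)."""
    user_id: str
    role: str              # identity feature information
    mfa_enrolled: bool     # identity feature information
    device_managed: bool   # communication feature information
    source_ip: str         # communication feature information


def in_target_area(ip_text: str) -> bool:
    """True when the address parses and lies in one of the target areas."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TARGET_AREAS)


def trust_degree(u: UserInfo) -> int:
    """Assumed trust feature algorithm: one point per satisfied feature (0..4)."""
    return (int(u.role in ("employee", "admin")) + int(u.mfa_enrolled)
            + int(u.device_managed) + int(in_target_area(u.source_ip)))


def allocate_rights(users: List[UserInfo]) -> Dict[str, Set[str]]:
    """Management and control server: build the user -> access rights table.
    A user gets every registered application whose required degree it meets."""
    table: Dict[str, Set[str]] = {}
    for u in users:
        degree = trust_degree(u)
        table[u.user_id] = {app for app, need in RIGHTS_POLICY.items()
                            if app in REGISTERED_APPS and degree >= need}
    return table


def parse_access_request(req: Dict[str, str]) -> Tuple[str, str, str]:
    """Split a user access request into identity, communication feature and target."""
    return req["identity"], req["source_ip"], req["target"]


def first_authentication(req: Dict[str, str], rights: Dict[str, Set[str]]) -> bool:
    """User access service node: the request passes only if its communication
    feature is in a target area AND the identity's rights contain the target.
    Malformed requests and unknown identities fail closed."""
    try:
        identity, source_ip, target = parse_access_request(req)
    except KeyError:
        return False
    return in_target_area(source_ip) and target in rights.get(identity, set())


def demo_users() -> List[UserInfo]:
    """Constructed registration request covering three trust levels."""
    return [
        UserInfo("alice", "employee", True, True, "203.0.113.10"),     # degree 4
        UserInfo("bob", "contractor", False, False, "203.0.113.20"),   # degree 1
        UserInfo("carol", "employee", True, True, "192.0.2.5"),        # degree 3
    ]


if __name__ == "__main__":
    table = allocate_rights(demo_users())
    req = {"identity": "carol", "source_ip": "198.51.100.7", "target": "hr.corp.internal:443"}
    print(table)
    print("first authentication:", first_authentication(req, table))
```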
In a second aspect, the application also provides an access system. The access system comprises a management and control server, a plurality of intranet application access service clients and a plurality of edge computing nodes deployed on public cloud, wherein the edge computing nodes comprise at least one user access service node and an intranet application access service node group; the user access service nodes are connected with the intranet application access service node group through a security tunnel group, and the security tunnels are in one-to-one correspondence with the intranet application access service nodes; wherein:
The user access service node receives a user access request, determines a first security tunnel according to a forwarding tunnel determination strategy if the user access request passes a first authentication, and forwards the user access request to the corresponding first intranet application access service node through the first security tunnel;
The management and control server determines a second intranet application access service node and a second secure tunnel matched with the first intranet application access service node according to a preset forwarding strategy under the condition that the first intranet application access service node is monitored to be faulty, and sends a forwarding message to the user access service node, wherein the forwarding message is used for indicating the user access service node to send the user access request to the second intranet application access service node through the second secure tunnel;
The second intranet application access service node forwards the user access request to the intranet application access service client under the condition that the user access request passes the second authentication;
And the intranet application access service client forwards the user access request to the intranet application through the intranet under the condition that the user access request passes the third authentication, so that the user accesses the intranet application.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor implementing the steps described in the method embodiments above when the processor executes the computer program.
In a fourth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps described in the method embodiments above.
In a fifth aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the steps described in the method embodiments above.
In the access method, access system, computer device, storage medium and computer program product above, the user access service node receives the user access request, determines a first security tunnel according to a forwarding tunnel determination strategy if the user access request passes the first authentication, and forwards the user access request to the corresponding first intranet application access service node through the first security tunnel; when the first intranet application access service node is monitored to have failed, the management and control server determines a second intranet application access service node and a second security tunnel matched with the first intranet application access service node according to a preset forwarding strategy, and sends a forwarding message to the user access service node, the forwarding message instructing the user access service node to send the user access request to the second intranet application access service node through the second security tunnel; the second intranet application access service node forwards the user access request to the intranet application access service client if the user access request passes the second authentication; and the intranet application access service client forwards the user access request to the intranet application through the intranet if the user access request passes the third authentication, so that the user accesses the intranet application.
The access method provided by the embodiments of the invention can be applied to an access system deployed on a public cloud: when an intranet application access service node fails, the forwarding tunnel is switched directly without changing the user side's network, the user's intranet access service is maintained, several intranet application access service nodes can verify a user's access request at the same time, and the stability and reliability of user service access are improved.
Drawings
FIG. 1 is a schematic diagram of an access system in one embodiment;
FIG. 2 is a flow diagram of an access method in one embodiment;
FIG. 3 is a flow diagram of a first secure tunnel determination step in one embodiment;
FIG. 4 is a flowchart illustrating a first security tunnel determination step in another embodiment;
FIG. 5 is a flowchart illustrating steps for determining a second intranet application access service node in one embodiment;
FIG. 6 is a flow chart illustrating a first authentication procedure according to one embodiment;
FIG. 7 is a flow diagram of a registration step in one embodiment;
FIG. 8 is a block diagram of an access system in another embodiment;
FIG. 9 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The access method provided by the embodiments of the application can be applied to an access system in an application environment as shown in FIG. 1, where the access system comprises a management and control server 400, a plurality of intranet application access service clients 500 and a plurality of edge computing nodes deployed on a public cloud, and the edge computing nodes comprise a plurality of user access service nodes 200 and a plurality of intranet application access service node groups; a user access service node 200 is connected to an intranet application access service node group through a secure tunnel group, the intranet application access service node group includes a plurality of intranet application access service nodes, the secure tunnel group includes a plurality of secure tunnels, each secure tunnel is connected to an intranet application access service node 300, and the secure tunnels correspond one-to-one with the intranet application access service nodes 300. The intranet application access service client 500 is deployed on the intranet 600. The public cloud can be any cloud resource, such as Ali Cloud or Messenger Cloud. The user side accesses applications on the intranet (intranet applications) through the access system. The user side 100 may be, but is not limited to, a personal computer, notebook computer, smart phone, tablet computer, Internet of Things device or portable wearable device, where the Internet of Things device may be a smart speaker, smart television, smart air conditioner, smart vehicle device or the like, and the portable wearable device may be a smart watch, smart bracelet, headset or the like. The intranet application access service client 500 may be a server or a mobile terminal.
In this embodiment, as shown in fig. 2, the access method includes the following steps:
Step 102, the user access service node receives the user access request, determines a first security tunnel according to a forwarding tunnel determination policy under the condition that the user access request passes the first authentication, and forwards the user access request to a corresponding first intranet application access service node through the first security tunnel.
The user access service node and the intranet application access service node group are connected through a security tunnel group, the security tunnel group comprises a plurality of security tunnels, the intranet application access service node group comprises a plurality of intranet application access service nodes, and each intranet application access service node is connected with a corresponding intranet application through an intranet application access service client.
Specifically, the user access service node is an edge computing node on public cloud, and the user side (PC side) is connected with the user access service node through a third secure tunnel. The first authentication policy configured in advance may be a security authentication manner determined according to an actual application scenario, for example, may be a manner of performing authentication according to information carried in a user access request. The user side responds to the login operation of the user and acquires user name information and user password information input by the user in the login operation. In this way, when the user side determines that the user verification passes according to the user name information and the user password information, the user side displays prompt information of successful login, and the prompt information is used for prompting the user that the user side has successfully logged in. In this way, the user can perform access operation on the user side, the user side responds to the access operation of the user, the user side can acquire an access request in the access operation, and then the access request is sent to the user access service node on the public cloud through the third secure tunnel, wherein the access request is a request of the user for accessing the intranet application through the user side, and the user side is connected with the user access service node through the third secure tunnel.
In this way, after the user access service node receives the user access request, the first authentication is performed according to the first authentication policy and the information carried in the user access request. Under the condition that the user access service node determines that the user access request passes the first authentication, determining a first security tunnel according to a forwarding tunnel determination strategy, and forwarding the user access request to a corresponding first intranet application access service node through the first security tunnel. The first intranet application access service node is a node in an intranet application access service node group connected with the user access service node.
In one example, the specific process by which the user access service node determines the first secure tunnel according to the forwarding tunnel determination policy may be: first, determine the target security tunnel group for the intranet application access service node group connected to the user access service node, acquire the real-time resource information and geographic position information of the security tunnels in that group, and calculate the forwarding priority of each security tunnel, from which the first security tunnel is determined; or, obtain the secrecy level of the intranet application access service node corresponding to each security tunnel in the target security tunnel group and match it against the target access address contained in the user access request, thereby determining the first security tunnel.
Step 104, the management and control server determines a second intranet application access service node and a second security tunnel matched with the first intranet application access service node according to a preset forwarding strategy under the condition that the first intranet application access service node is monitored to be faulty, and sends a forwarding message to the user access service node.
The forwarding message is used for indicating the user access service node to send the user access request to the second intranet application access service node through the second secure tunnel. The management and control server monitors each edge computing node on the public cloud by a preset heartbeat mechanism, and judges whether the edge computing node can normally operate or not by judging the reachability information and the failure information of each edge computing node.
In one example, the specific process by which the management and control server determines the second intranet application access service node and the second secure tunnel according to the preset forwarding policy may be: the management and control server first determines the intranet application access service node group corresponding to the user access service node, and within that group determines the second intranet application access service node matched with the first one according to the geographic position information, computing resource information, secrecy level information and the like of each intranet application access service node. Because the intranet application access service nodes are connected to the user access service node through secure tunnels that correspond one-to-one with the nodes, the management and control server can also determine the second secure tunnel corresponding to the second intranet application access service node. It then generates a forwarding message from the second intranet application access service node and the second secure tunnel and sends it to the user access service node, which can then forward the user access request to the second intranet application access service node through the second secure tunnel.
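The two first-tunnel embodiments given in the disclosure (highest forwarding priority from real-time resource and geographic information, or the node configured for the target address's secrecy level) together with the step 104 failover, in which the second node must have a secrecy level at least that of the failed node, simulated as an added Python example. This is not the patent's code; the priority formula, the secrecy-level lookup, the forwarding message fields, the node names and every numeric value are assumptions.

```python
from dataclasses import dataclass
from math import hypot
from typing import Dict, List, Optional, Tuple


@dataclass
class SecureTunnel:
    """One tunnel in a user access service node's secure tunnel group. Tunnels
    correspond one-to-one with intranet application access service nodes."""
    tunnel_id: str
    node_id: str                # the intranet application access service node behind it
    cpu_load: float             # real-time resource info: 0.0 idle .. 1.0 saturated
    free_bandwidth_mbps: float  # real-time resource info
    geo: Tuple[float, float]    # geographic position as (x, y) in arbitrary units
    secrecy_level: int          # secrecy (classification) level of the node, higher = stricter
    healthy: bool = True        # cleared when the control server's heartbeat monitor reports a fault


def forwarding_priority(t: SecureTunnel, user_geo: Tuple[float, float]) -> float:
    """Assumed priority algorithm: lower load, more free bandwidth and a shorter
    geographic distance to the user give a higher forwarding priority."""
    distance = hypot(t.geo[0] - user_geo[0], t.geo[1] - user_geo[1])
    return (1.0 - t.cpu_load) * 50.0 + min(t.free_bandwidth_mbps, 1000.0) / 20.0 - distance


def pick_by_priority(group: List[SecureTunnel],
                     user_geo: Tuple[float, float]) -> Optional[SecureTunnel]:
    """First secure tunnel (priority embodiment): the healthy tunnel with the
    highest forwarding priority, or None if every tunnel is down."""
    healthy = [t for t in group if t.healthy]
    if not healthy:
        return None
    return max(healthy, key=lambda t: forwarding_priority(t, user_geo))


def target_secrecy_level(target_addr: str, address_levels: Dict[str, int]) -> int:
    """Assumed secrecy-level algorithm: look the target host up in the configured
    table; an unregistered host is treated as having the highest configured
    level so it is never routed through a low-level node (fail closed)."""
    host = target_addr.rsplit(":", 1)[0]
    if host in address_levels:
        return address_levels[host]
    if not address_levels:
        raise ValueError("no secrecy levels configured")
    return max(address_levels.values())


def pick_by_secrecy_level(group: List[SecureTunnel], target_addr: str,
                          address_levels: Dict[str, int]) -> Optional[SecureTunnel]:
    """First secure tunnel (secrecy-level embodiment): the healthy tunnel whose
    node is configured for exactly the target address's secrecy level."""
    level = target_secrecy_level(target_addr, address_levels)
    for t in group:
        if t.healthy and t.secrecy_level == level:
            return t
    return None


def failover(group: List[SecureTunnel], failed_node_id: str,
             user_geo: Tuple[float, float]) -> Optional[dict]:
    """Management and control server: once the first node is reported faulty,
    restrict candidates to nodes whose secrecy level is >= the failed node's,
    pick the best of them by priority, and build the forwarding message for the
    user access service node. Returns None when no candidate qualifies."""
    failed = next((t for t in group if t.node_id == failed_node_id), None)
    if failed is None:
        return None
    failed.healthy = False
    candidates = [t for t in group if t.healthy and t.secrecy_level >= failed.secrecy_level]
    second = pick_by_priority(candidates, user_geo)
    if second is None:
        return None
    return {"type": "forward", "failed_node": failed_node_id,
            "second_node": second.node_id, "second_tunnel": second.tunnel_id}


def demo_group() -> List[SecureTunnel]:
    """Constructed sample: one user access service node's tunnel group."""
    return [
        SecureTunnel("tun-1", "iaas-node-1", 0.2, 800.0, (0.0, 0.0), 1),
        SecureTunnel("tun-2", "iaas-node-2", 0.5, 400.0, (1.0, 1.0), 2),
        SecureTunnel("tun-3", "iaas-node-3", 0.1, 900.0, (5.0, 5.0), 3),
    ]


# Constructed secrecy levels of intranet application hosts.
DEMO_ADDRESS_LEVELS = {"wiki.corp.internal": 1, "hr.corp.internal": 2, "finance.corp.internal": 3}


if __name__ == "__main__":
    group = demo_group()
    first = pick_by_secrecy_level(group, "hr.corp.internal:443", DEMO_ADDRESS_LEVELS)
    print("first tunnel:", first.tunnel_id)
    print("forwarding message:", failover(group, first.node_id, (0.0, 0.0)))
```

Note that a failed node at the highest configured secrecy level has no qualifying replacement, so `failover` returns None rather than downgrading to a less secure node.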
And step 106, the second intranet application access service node forwards the user access request to the intranet application access service client under the condition that the user access request passes the second authentication.
The second intranet application access service node can judge whether the user access request passes the second authentication according to a pre-configured second authentication policy. That policy may be a security authentication manner determined by the actual application scenario, specifically authentication according to the information carried in the user access request. The first authentication policy (used for the first authentication) and the second authentication policy may be the same policy or different policies, depending on the security level of the environment in which the edge computing node on the public cloud is located when it receives the access request.
Specifically, the user access service node forwards the user access request that passed the first authentication to the second intranet application access service node through the second secure tunnel. The forwarding process may be as follows: the user access service node determines, from the target application that the user access request wants to access, the intranet application access service client and the intranet application access service node corresponding to that target application, and forwards the request that passed the first authentication to the first intranet application access service node corresponding to the target application. If the first intranet application access service node fails, the user access service node sends the user access request to the second intranet application access service node as instructed by the management and control server.
In this way, after receiving the user access request, the second intranet application access service node performs the second authentication on the user access request according to a second authentication policy that is pre-configured, and the specific authentication process may be: and carrying out second authentication according to the information carried by the user access request. If the second intranet application access service node determines that the user access request passes the second authentication, forwarding the user access request to an intranet application access service client corresponding to the second intranet application access service node through a fourth secure tunnel, wherein the fourth secure tunnel is a secure tunnel for communication between the second intranet application access service node and the intranet application access service client corresponding to the second intranet application access service node.
And step 108, the intranet application access service client forwards the user access request to the intranet application through the intranet under the condition that the user access request passes the third authentication, so that the user accesses the intranet application.
The intranet application access service client can judge whether the user access request passes the third authentication according to a pre-configured third authentication policy. The pre-configured third authentication policy may be a security authentication manner determined according to the actual application scenario, and specifically may authenticate according to the information carried in the user access request. The pre-configured first, second and third authentication policies may be the same policy or different policies, and may be determined according to the security degree of the environment where the intranet application access service client is located when the access request is received.
Specifically, the intranet application access client may be a client deployed on the intranet, and communicate with a corresponding intranet application access service node on the public cloud and communicate with an intranet application.
In the above access method, the user access service node receives the user access request, determines a first secure tunnel according to the forwarding tunnel determination policy, and forwards the request through the first secure tunnel when it determines that the user access request passes the first authentication; when the first intranet application access service node is monitored to be faulty, the management and control server determines, according to a preset forwarding policy, a second intranet application access service node and a second secure tunnel matched with the first intranet application access service node, and sends a forwarding message to the user access service node instructing it to send the user access request to the second intranet application access service node through the second secure tunnel; the second intranet application access service node forwards the user access request if it passes the second authentication; and the intranet application access service client forwards the user access request to the intranet application through the intranet if it passes the third authentication, so that the user accesses the intranet application. The access method of this embodiment can be applied to an access system deployed on public cloud: when an intranet application access service node fails, the forwarding tunnel is switched directly without changing the networking on the user side, so the user's intranet access service is preserved, and several intranet application access service nodes can verify the user's access request at the same time, which improves the stability and high reliability of user service access.
In one embodiment, as shown in fig. 3, the specific process of step 102 "determine a first security tunnel according to a forwarding tunnel determination policy" includes:
Step 202, for each secure tunnel included in the secure tunnel group, acquiring real-time resource information and geographic location information of the secure tunnel.
Specifically, the user access service nodes communicate with a plurality of intranet application access service nodes through a secure tunnel group, and the intranet application access service nodes are in one-to-one correspondence with the secure tunnels. The real-time resource information of the secure tunnel is information representing the idle load capacity of the tunnel, namely information of how much unit flow can be transmitted; the geographical location information of the secure tunnel is information of which area the secure tunnel is located in on the public cloud, and may be, for example, a city B area or the like.
In one possible implementation manner, a user access service node obtains real-time resource information and geographic position information of the secure tunnel for each secure tunnel in the secure tunnel group, and determines spare load capacity of the secure tunnel at the current moment and geographic position information of the secure tunnel on public cloud.
Step 204, calculating the forwarding priority of the secure tunnel from the real-time resource information and the geographic location information through a preset priority algorithm.
Specifically, the user access service node performs weighted calculation on the real-time resource information and the geographic position information of each security tunnel through a preset priority algorithm to obtain the forwarding priority corresponding to each security tunnel.
In one example, the specific process of calculating the forwarding priority of the secure tunnel by the user access service node through a preset priority algorithm may be: the user access service node obtains the geographical position information of each security tunnel in the security tunnel group, calculates to obtain the distance information of each security tunnel from the user access service node, determines the first weight corresponding to the real-time resource information and the second weight corresponding to the distance information, calculates the weighted result according to the first weight, the second weight, the real-time resource information and the distance information, and obtains the forwarding priority of the security tunnel according to the weighted result of the security tunnels.
For example, the forwarding priority may be the descending order of the weighted results of the respective secure tunnels, with the secure tunnel whose weighted result has the largest value taking the first forwarding priority.
Step 206, taking the secure tunnel with the highest forwarding priority in the secure tunnel group as the first secure tunnel.
In this embodiment, when forwarding a user access request, the user access service node computes a forwarding priority for each of the secure tunnels in the secure tunnel group and so selects a more suitable secure tunnel for forwarding, which reduces the forwarding pressure on the gateway and improves the stability and high reliability of user service access.
In one embodiment, as shown in fig. 4, the specific process of step 102 "determine a first security tunnel according to a forwarding tunnel determination policy" includes:
Step 302, resolving the user access request to obtain at least one target access address.
Specifically, the target access address is an address of an intranet application that the user side wants to access, for example, may be an IP address or a MAC address, etc.
Step 304, calculating the target density level of each target access address according to a preset density level determining algorithm.
Specifically, the user access service node determines a target application corresponding to the target access address, and may determine a target density level of the target access address according to a corresponding relationship between the application and the density level.
Step 306, determining a first intranet application access service node corresponding to each target density level in the intranet application access service node group corresponding to the user access service node according to the corresponding relation between the pre-configured density level and the intranet application access service node.
The corresponding relation between the pre-configured density level and the intranet application access service node can be generated according to the configuration operation of the user side.
Specifically, the user access service node extracts a first intranet application access service node matched with a target density level according to a corresponding relation between a pre-configured density level and the intranet application access service node.
In one example, in the pre-configured correspondence between density level and intranet application access service node, intranet application access service node M may have density level M and intranet application access service node N may have density level N; when the target density level is N, the first intranet application access service node matched with the target density level is intranet application access service node N.
In another example, in the pre-configured correspondence between density level and intranet application access service node, intranet application access service node M may have density level M, intranet application access service node N density level N, and intranet application access service node O density level O, where density level O is higher than density level N and density level N is higher than density level M. When the target density level is N, the first intranet application access service node matched with the target density level may be either intranet application access service node N or intranet application access service node O, and the first intranet application access service node is then determined from the geographic location information and real-time resource information of those two intranet application access service nodes relative to the user access service node.
Step 308, taking the security tunnel corresponding to the first intranet application access service node as a first security tunnel.
In this embodiment, the forwarding tunnel and the intranet application access service node are determined through the density level, which reduces the forwarding pressure on the gateway and improves the stability and high reliability of user service access.
In one example, the step of determining the first secure tunnel according to the forwarding tunnel determination policy further comprises:
analyzing the user access request to obtain a plurality of target access addresses, and determining the density grade of the intranet application corresponding to each target access address, namely determining the target density grade of each target access address according to the corresponding relation between the preset application and the density grade; in this way, the user access service node may determine, according to the correspondence between the pre-configured density level and the intranet application access service node, a first intranet application access service node corresponding to each target density level in the intranet application access service node group corresponding to the user access service node.
Optionally, the user access service node may divide the user access request according to the density levels of the multiple target access addresses included in the user access request, so as to obtain multiple access sub-requests, where the density levels of the target access addresses included in the access sub-requests are the same. In this way, the user access service node can respectively determine the first intranet application access service node corresponding to the density class of the target access address contained in each access sub-request according to the corresponding relation between the pre-configured density class and the intranet application access service node, and respectively forward each access sub-request to the corresponding first intranet application access service node through the first security tunnel corresponding to the first intranet application access service node.
In one embodiment, as shown in fig. 5, the specific processing procedure of determining, by the management and control server, the second intranet application access service node and the second secure tunnel that are matched with the first intranet application access service node according to the preset forwarding policy when the first intranet application access service node is monitored to be faulty, includes:
In step 402, the management and control server determines, when detecting that the first intranet application access service node fails, a target intranet application access service node set having a density level greater than or equal to a density level corresponding to the first intranet application access service node according to a pre-configured correspondence between a density level and the intranet application access service node.
In step 404, the management and control server determines, in the target intranet application access service node set, a second intranet application access service node that is matched with the first intranet application access service node according to a preset forwarding policy, and determines a second security tunnel.
In one example, the specific process of determining the second intranet application access service node according to the preset forwarding policy may be: the management and control server obtains the real-time resource information and geographic location information of each intranet application access service node in the target intranet application access service node set, calculates the distance of each intranet application access service node from the user access service node according to the geographic location information, determines a first weight corresponding to the real-time resource information and a second weight corresponding to the distance information, calculates a weighted result from the first weight, the second weight, the real-time resource information and the distance information, and, according to the weighted results of the several intranet application access service nodes, determines the intranet application access service node with the highest weighted result as the matched second intranet application access service node.
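The three selection rules described above (the weighted forwarding priority of steps 204 and 206, the density-level match of step 306 with its weighted tie-break, and the failover candidate set of steps 402 and 404) all rank nodes by the same weighted result of spare capacity and distance. The following is an added example that is not code from the patent; it implements those rules in Python over the quantities the text names. The tunnel and node names, density levels, capacities, coordinates and the two weights are constructed, and the sign convention (spare capacity counts for a tunnel, distance counts against it) is an assumption, since the text only says the largest weighted result wins.

```python
# Added example, not code from the patent: weighted forwarding priority (steps 204/206),
# density-level node selection (step 306) and the failover candidate set (steps 402/404).
# Tunnel names, node names, density levels, capacities, coordinates and weights are constructed.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    name: str             # secure tunnel identifier, e.g. "a"
    node: str             # intranet application access service node at its far end
    density_level: int    # density level configured for that node
    free_capacity: float  # real-time resource information: spare load, in flow units
    location: tuple       # geographic location information as (x, y) in km (constructed)


def weighted_result(free_capacity, distance, w_resource, w_distance):
    """Weighted result of one tunnel/node: spare capacity counts for it, distance from
    the user access service node counts against it, so the largest value wins."""
    return w_resource * free_capacity - w_distance * distance


def rank_by_priority(tunnels, uasn_location, w_resource=1.0, w_distance=2.0):
    """Steps 204 and 206: order a tunnel group by forwarding priority, best first."""
    def score(t):
        return weighted_result(t.free_capacity, math.dist(t.location, uasn_location),
                               w_resource, w_distance)
    return sorted(tunnels, key=score, reverse=True)


# Step 304: target address -> application and application -> density level (constructed).
APP_BY_ADDRESS = {"10.0.0.5": "payroll", "10.0.0.9": "wiki"}
DENSITY_BY_APP = {"payroll": 3, "wiki": 1}


def target_density_level(address):
    return DENSITY_BY_APP[APP_BY_ADDRESS[address]]


def select_by_density(tunnels, target_level, uasn_location):
    """Step 306: candidate nodes are those whose density level is at least the target
    level; when several qualify, the weighted result breaks the tie."""
    candidates = [t for t in tunnels if t.density_level >= target_level]
    if not candidates:
        raise LookupError(f"no access service node at density level >= {target_level}")
    return rank_by_priority(candidates, uasn_location)[0]


def failover_candidate(tunnels, failed_node, uasn_location):
    """Steps 402 and 404: the target set is every other node whose density level is at
    least that of the failed node; the highest weighted result becomes the second node."""
    failed = next(t for t in tunnels if t.node == failed_node)
    pool = [t for t in tunnels
            if t.node != failed_node and t.density_level >= failed.density_level]
    return rank_by_priority(pool, uasn_location)[0] if pool else None


# Constructed tunnel group of one user access service node located at the origin.
UASN_LOCATION = (0.0, 0.0)
TUNNEL_GROUP = [
    Tunnel("a", "node-1", density_level=2, free_capacity=40.0, location=(0.0, 10.0)),
    Tunnel("b", "node-2", density_level=2, free_capacity=30.0, location=(0.0, 3.0)),
    Tunnel("c", "node-3", density_level=3, free_capacity=10.0, location=(0.0, 1.0)),
]

if __name__ == "__main__":
    print([t.name for t in rank_by_priority(TUNNEL_GROUP, UASN_LOCATION)])
    print(select_by_density(TUNNEL_GROUP, target_density_level("10.0.0.5"), UASN_LOCATION).node)
    print(failover_candidate(TUNNEL_GROUP, "node-2", UASN_LOCATION))
```

With these values tunnel b ranks first (30 - 2·3 = 24) ahead of a (20) and c (8); a request for the level-3 application can only go to node-3, and if node-2 fails the candidate set is {node-1, node-3}, of which node-1 has the higher weighted result. Note that `failover_candidate` returns `None` when no node of sufficient density remains, which the caller must treat as a hard failure rather than fall back to a lower-density node.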
In one embodiment, the user access request includes first user information including first identity information and first communication characteristic information and a target access address.
Accordingly, as shown in fig. 6, before the step of determining the first secure tunnel according to the forwarding tunnel determination policy, the method further includes:
step 502, analyzing the user access request to obtain first identity information, first communication feature information and target access address information.
In step 504, if the first communication feature information is in the preset target area and the first access right corresponding to the first identity information is determined to include the target access address by the user access service node according to the corresponding relationship between the user and the access right, then the user access request is determined to pass the first authentication.
Specifically, after receiving the user access request sent by the user terminal, the user access service node parses it to obtain the first identity information, the first communication feature information and the target access address of the user. The user access service node then judges whether the organization information in the first identity information is consistent with the organization information of the intranet to which the intranet application at the target access address belongs. If it is consistent, the user access service node judges whether the position information of the mobile terminal in the first communication feature information is within the preset target area. If the position information is within the preset target area, the user access service node judges, according to the pre-configured correspondence between users and access rights, whether the first access right corresponding to the first identity information contains the target access address. If the user access service node determines that the first access right does contain the target access address, the user access request is determined to pass the first authentication and can be forwarded to the intranet application access service node.
In one example, the second authentication procedure of the second authentication policy, and the third authentication procedure of the third authentication policy are similar to the first authentication procedure of the first authentication policy described above, and are not described herein.
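The first authentication of step 504, and the second and third authentications that the text says follow the same procedure, amount to three ordered checks on the parsed request. Below is an added example, not code from the patent, that writes those checks in Python and then repeats them at each hop with that hop's own copy of the policy, so a request that one node accepts is still re-verified at the next. The address-to-organization table, the access right table, the rectangular target area and the user names are constructed.

```python
# Added example, not code from the patent: the first authentication of step 504 and its
# repetition at later hops. All policy tables and sample values are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class UserAccessRequest:
    user_id: str              # first identity information: the requesting user
    organization: str         # first identity information: affiliated organization
    terminal_location: tuple  # first communication feature information: (x, y) of the terminal
    target_address: str       # target access address of the intranet application


# Policy data as a node would hold it after the management and control server issued
# the user -> access right correspondence (constructed).
INTRANET_ORG_BY_ADDRESS = {"10.0.0.5": "acme", "10.0.0.9": "acme"}
ACCESS_RIGHTS = {"alice": {"10.0.0.5", "10.0.0.9"}, "bob": {"10.0.0.9"}}
TARGET_AREA = ((0.0, 0.0), (100.0, 100.0))  # preset target area as a bounding box, km


def in_target_area(point, area):
    (x0, y0), (x1, y1) = area
    x, y = point
    return x0 <= x <= x1 and y0 <= y <= y1


def first_authentication(req, org_by_address=INTRANET_ORG_BY_ADDRESS,
                         rights=ACCESS_RIGHTS, area=TARGET_AREA):
    """Step 504. Returns (passed, reason); every branch fails closed, including a
    target address that is not registered at all."""
    intranet_org = org_by_address.get(req.target_address)
    if intranet_org is None or intranet_org != req.organization:
        return False, "organization of identity does not match intranet of target"
    if not in_target_area(req.terminal_location, area):
        return False, "terminal position outside preset target area"
    if req.target_address not in rights.get(req.user_id, set()):
        return False, "first access right does not include target address"
    return True, "ok"


def authenticate_along_path(req, hops):
    """Each hop repeats the check with its own policy tables (second and third
    authentication); returns the first hop that rejects, or None when all pass."""
    for hop_name, policy_overrides in hops:
        passed, reason = first_authentication(req, **policy_overrides)
        if not passed:
            return hop_name, reason
    return None, "ok"


# The three hops of the text; an empty override means "same policy as the first hop".
HOPS = [
    ("user access service node", {}),
    ("intranet application access service node", {}),
    ("intranet application access service client", {}),
]

if __name__ == "__main__":
    req = UserAccessRequest("alice", "acme", (10.0, 10.0), "10.0.0.5")
    print(first_authentication(req))
    print(authenticate_along_path(req, HOPS))
```

The ordering matters operationally: the organization check is cheapest and rejects most stray traffic, the location check uses only request data, and the access right lookup comes last. Giving the last hop a stricter table (for example an empty right set for a user) shows that the client can still refuse a request the two cloud nodes already accepted.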
The access method provided in this embodiment may not rely on a single gateway node at the control plane, but rather disperse functional items of the gateway node, and perform strong association between each dispersed node through a segmented secure forwarding tunnel, and perform secure authentication based on traffic and users on each node, so as to ensure that after the authentication passes, the users can maintain verification and authentication states of access applications to the users at all times.
In one embodiment, the access system further comprises: the intranet application end and at least one user end, as shown in fig. 7, correspondingly, the access method further includes:
In step 602, the user access service node receives a user registration request sent by the user terminal, and forwards the user registration request to the management and control server.
The user registration request comprises user information of a plurality of users in a preset range, wherein the user information comprises identity characteristic information and communication characteristic information. The preset range may be within a target organization (enterprise). The plurality of users within the preset range may be a plurality of employees included in the target organization, and so on. The identity characteristic information may include name information, gender information, and affiliated organization information; the communication characteristic information may include mobile terminal information, mobile terminal identification information, and the like.
Specifically, a target organization may include multiple levels (departments), each of which may include multiple sub-levels, each of which may also include multiple grandchild levels, and each of which may include multiple users. For example, the target organization may include a first hierarchy including a first sub-hierarchy and a second hierarchy, and a second hierarchy including a third sub-hierarchy and a fourth sub-hierarchy. Multiple users may be included within each sub-hierarchy.
In this way, the user side can acquire the hierarchical structure information of the target organization and the user information of each user contained in each hierarchy, and generate a user registration request from that hierarchical structure information and user information.
In step 604, the intranet application access service node receives the application registration request sent by the intranet application end, and forwards the application registration request to the management and control server.
The application registration request includes address information of the internal application, where the address information includes a communication address and a communication port, and the communication address is, for example, an IP address of the internal network application, such as: 100.1.1.2; the communication port is a port number of an intranet application, such as: 6000.
Specifically, the intranet application end may include a plurality of applications, and the intranet application end generates an application registration request according to the IP address information and the port number information of the plurality of applications, and directly forwards the application registration request to the intranet application access client, and then forwards the application registration request to the corresponding intranet application access service node. And the intranet application access service node forwards the application registration request to the management and control server.
In one example, the intranet application end may respond to a selection operation of the intranet application, obtain the target intranet application, obtain IP address information and port number information of the target intranet application, and generate an application registration request corresponding to the target intranet application.
In step 606, the management and control server allocates access rights to each user included in the user registration request according to the preset rights setting policy and the identity feature information and the communication feature information under the condition that the user registration request and the application registration request are received, generates a corresponding relationship between the user and the access rights, and issues the corresponding relationship between the user and the access rights to the user access service node, the intranet application access service node and the intranet application access service client.
The access right includes address information of at least one intranet application, and the access right enables the user terminal 100 to access that intranet application. The preset rights setting policy is an authorized access policy; in practice it may be a correspondence between user security levels and intranet applications entered by the administrator on the management and control server. A user's security level may be calculated from the user's user information or set directly by the administrator; how a particular user's security level is determined depends on the actual application scenario.
Specifically, the management and control server may calculate, according to a preset correspondence between the security level of the user and the intranet application, a target security level of the user, and determine target communication address information of the intranet application corresponding to the target security level. In this way, the management and control server can allocate the access right of the corresponding intranet application to the user, so that the user can access the intranet application corresponding to the target communication address information, and the communication address information can be, for example, IP address information or MAC address information.
In this way, the management and control server can issue the corresponding relation between the user and the access authority to a plurality of user access service nodes, a plurality of intranet application access service nodes and intranet application access service clients corresponding to the intranet application access service nodes on the public cloud.
In this embodiment, the access method allows the user side and the intranet application to initiate registration requests to the management and control server at the same time and to join the access system from both directions: by deploying a dedicated intranet application access client on the user's intranet, the user's intranet (intranet application) directly establishes a reverse connection to a node of the access system, so that a secure data forwarding tunnel is built without the port number of the intranet application being exposed to the public network, and port-based attacks from the public network on the intranet application are prevented.
In one embodiment, the specific processing procedure of the step of allocating access rights to each user included in the user registration request according to the preset rights setting policy and the identity feature information and the communication feature information to generate the correspondence between the user and the access rights includes:
Aiming at each user in the user registration request, the management and control server calculates the trust feature degree corresponding to the user through a preset trust feature algorithm according to the identity feature information and the communication feature information. And distributing access rights corresponding to the trust feature degree to the user according to the trust feature degree corresponding to the user and a preset rights setting policy, and generating a corresponding relation between the user and the access rights.
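Steps 602 to 606 and the trust-feature variant above describe one pipeline on the management and control server: walk the hierarchical user registration request, score each user, and turn the scores into a user-to-access-right correspondence over the registered applications. The following added example, not code from the patent, carries that pipeline through in Python. The organization tree, the users, the enrolled terminal list, the three-point scoring rule and the per-application minimum trust degree are constructed; the address 100.1.1.2 and port 6000 are the page's own sample values, the second application's address and port are made up.

```python
# Added example, not code from the patent: registration (steps 602/604) and access right
# allocation (step 606) with a constructed trust feature algorithm. Hierarchy, users,
# enrolled terminals and per-application minimum trust are constructed; 100.1.1.2:6000
# is the page's sample address and port, 100.1.1.3:7000 is made up.

# User registration request: target organization -> levels -> sub-levels -> users.
USER_REGISTRATION_REQUEST = {
    "organization": "acme",
    "levels": [
        {"name": "engineering", "sub_levels": [
            {"name": "platform", "users": [
                {"name": "alice", "gender": "f", "organization": "acme",
                 "terminal_id": "IMEI-AAA", "terminal_type": "managed"}]},
            {"name": "mobile", "users": [
                {"name": "bob", "gender": "m", "organization": "acme",
                 "terminal_id": "IMEI-CCC", "terminal_type": "byod"}]}]},
        {"name": "finance", "sub_levels": [
            {"name": "payroll", "users": [
                {"name": "carol", "gender": "f", "organization": "contractor-co",
                 "terminal_id": "IMEI-BBB", "terminal_type": "managed"}]}]},
    ],
}

# Application registration requests: communication address and port of each intranet
# application, plus the trust degree the preset rights setting policy requires for it.
APP_REGISTRATION_REQUESTS = [
    {"name": "wiki", "address": "100.1.1.2", "port": 6000, "min_trust": 1},
    {"name": "payroll", "address": "100.1.1.3", "port": 7000, "min_trust": 3},
]
ENROLLED_TERMINALS = {"IMEI-AAA", "IMEI-BBB"}  # terminals the organization has enrolled


def flatten_users(registration):
    """Walk level -> sub-level -> users and return every user with its hierarchy path."""
    users = []
    for level in registration["levels"]:
        for sub in level["sub_levels"]:
            for user in sub["users"]:
                users.append({**user, "path": f"{level['name']}/{sub['name']}"})
    return users


def trust_feature_degree(user, organization, enrolled):
    """Preset trust feature algorithm (constructed): one point each for an identity in the
    registering organization, an enrolled terminal and a managed terminal type."""
    degree = 0
    degree += user["organization"] == organization
    degree += user["terminal_id"] in enrolled
    degree += user["terminal_type"] == "managed"
    return degree


def allocate_access_rights(registration, apps, enrolled):
    """Step 606: build the user -> access right correspondence that the management and
    control server issues to every node; an access right is a set of address:port."""
    correspondence = {}
    for user in flatten_users(registration):
        degree = trust_feature_degree(user, registration["organization"], enrolled)
        correspondence[user["name"]] = {
            f"{app['address']}:{app['port']}" for app in apps if degree >= app["min_trust"]}
    return correspondence


if __name__ == "__main__":
    for name, right in allocate_access_rights(
            USER_REGISTRATION_REQUEST, APP_REGISTRATION_REQUESTS, ENROLLED_TERMINALS).items():
        print(name, sorted(right))
```

With these inputs alice (organization member, enrolled, managed terminal) scores 3 and is granted both applications, bob (unenrolled personal terminal) scores 1 and gets only the wiki, and carol (contractor on an enrolled managed terminal) scores 2 and also gets only the wiki. The correspondence is what each node then consults in its authentication step, so allocating it centrally and issuing identical copies is what keeps the three authentications consistent.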
In one example, the management and control server may monitor each edge computing node on the public cloud with a preset heartbeat mechanism, and determine whether the edge computing node can operate normally by determining reachability information and failure information of each edge computing node.
In this way, when the management and control server detects that the user access service node receiving the user access request has failed, it can take over the failed user access service node and forward the user access requests received by that node to another, normally operating user access service node. The forwarding process may be: the management and control server determines the normally operating user access service node geographically closest to the failed user access service node and forwards the user access request to it; or the management and control server determines the normally operating user access service node with the most edge computing resources within a certain range of the geographic position of the failed user access service node and forwards the user access request to it. After the other normally operating user access service node receives the user access request forwarded by the management and control server, the processing of steps 102 to 108 is then carried out for that request.
As shown in fig. 8, the following describes in detail the access method and the application process of the access system, where the access system includes a user side (PC, handset), a user access service node, an intranet application access service node, a management server, and an intranet application access service client. The management and control server is connected with the user access service node, the intranet application access service node and the intranet application access service client, and can communicate with each other, which is not shown in fig. 8. The intranet also includes a user intranet application and a user intranet gateway. The specific implementation process comprises the following steps:
Step 1, a manager imports key information of an intranet user through a management server and manages user access service nodes, intranet application access service clients and intranet applications of users on a user side in an access system.
Step 2, the access system may include several intranet application access service nodes and intranet application access service clients (several access points); setting up several access points improves the security and fault tolerance of the user's intranet access.
Step 3, the user access service node located at the user side needs to establish a binding relationship with the forwarding tunnels of the several intranet application access service nodes. The binding process may include:
firstly, a bidirectional safe forwarding tunnel 1 between a user end and a user access service node is created, a bidirectional safe forwarding tunnel a between the user access service node and an intranet application access service node 1 is created, and a bidirectional safe forwarding tunnel b between the user access service node and the intranet application access service node 2 is created.
And secondly, tunnel binding is carried out on the tunnel a and the tunnel b, and the tunnel is used as a forwarding tunnel group 2 for realizing multi-point access, namely, a safe tunnel group for communicating between a user access service node and a plurality of intranet application access service nodes. The tunnel group 2 has a plurality of forwarding tunnels, including a bidirectional safe forwarding tunnel a and a bidirectional safe forwarding tunnel b in this embodiment. And finally, carrying out bidirectional binding on the tunnel 1 and the tunnel group 2.
In this way, the user access service node receives the user traffic (user access request) that passes the security authentication transmitted from the tunnel 1. When the user traffic accesses the intranet application, the user traffic sent by the user side can be directly forwarded to the tunnel group 2 through the binding relationship between the tunnel 1 and the tunnel group 2. Traffic forwarded by tunnel group 2 may be load shared in tunnels a and b.
Step 4, the intranet application access service node 1 and the intranet application access service client 1 need to deploy the corresponding functions: the intranet application access service client 1 connects to the intranet application access service node 1 and performs the secure access authentication function there. The port number is visible only on the server side, because the intranet application registers with the intranet application access service node as a client; since the intranet application acts as the client, when a message is forwarded from the intranet application access service node to the intranet application the outer message does not need to encapsulate a TCP or UDP port number.
Therefore, the effect of shielding the port number of the intranet application can be achieved, only the intranet application access service node can be seen for the access node on the public cloud, but the intranet application access client registered with the intranet application access service node cannot be seen, so that the application of intranet users is well protected, and the safety and reliability are enhanced.
Thus, a bidirectional secure forwarding tunnel 3 (not shown in fig. 8) between the intranet application access service node 1 and the intranet application access service client 1 needs to be created, and the tunnel a and the tunnel 3 are bound in both directions. The intranet application access service node receives the user traffic passing the security authentication sent from the tunnel a, and can directly forward the traffic coming from the user side to the tunnel 3 through the binding relationship between the tunnel a and the tunnel 3 when accessing the intranet application.
Step 5, the intranet application access service node 2 and the intranet application access service client 2 (that is, access point 2 of the multipoint access) deploy the corresponding functions in the same way: the intranet application access service client 2 connects to the intranet application access service node 2 and performs the secure access authentication function there. The port number is visible only on the server side, because the intranet application registers with the intranet application access service node as a client, so when a message is forwarded from the intranet application access service node to the intranet application the outer message does not need to encapsulate a TCP or UDP port number.
As in step 4, the port number of the intranet application is therefore shielded: an access node on the public cloud sees only the intranet application access service node and not the intranet application access client registered with it, so the intranet user's application is well protected and security and reliability are enhanced.
Thus, a bidirectional secure forwarding tunnel 4 (not shown in fig. 8) between the intranet application access service 2 and the intranet application access service client 2 needs to be created, and the tunnel b and the tunnel 4 are bound in both directions. When the intranet application accesses the user traffic passing the security authentication from the tunnel b, the user traffic from the user side can be directly forwarded to the tunnel 4 through the binding relationship between the tunnel b and the tunnel 4.
Step 6, when the PC end accesses the intranet application for the first time, the user traffic of the PC is forwarded to tunnel group 2 at the user access service node. The traffic is hashed once in tunnel group 2 and shared onto tunnel a of tunnel group 2 for forwarding; it reaches the intranet application access service node 1 through tunnel a and then reaches the intranet application through the intranet application access service client 1.
Step 7, if the intranet application access service node 1 fails, the management and control server receives the failure prompt message reported by the intranet application access service node 1, switches the traffic forwarding entry on the user access service node, and moves the user traffic accessed by the PC end from tunnel a to tunnel b of tunnel group 2; the PC end then accesses the intranet application through the intranet application access service node 2.
Step 8, the intranet application access clients of the intranet application access service node 1 and the intranet application access service node 2 are both inside the user's intranet, so the load that in the prior art falls on a single gateway can be distributed to 2 access points in different intranets at the same time. When 1 access point fails, the access points are switched directly without changing the user's networking, which guarantees the user's intranet access service and the reliability of the access system.
In one example, the access method may further comprise the steps of:
Step 10, the intranet application access service node 1 and the intranet application access service node 2 may be assigned security classes as access points according to the security classes of the intranet applications in the user's intranet. If the intranet applications have security class 1 and security class 2, then the intranet application access service node 1 can serve as the intranet application access service node of security class 1, and the intranet application access service node 2 can serve as the intranet application access service node of security class 2.
Step 11, the information forwarding table of the intranet applications of security class 1 is issued only to the intranet application access service node 1 and is reported to the management and control server. The management and control server transmits the correspondence between the intranet application access service node and the intranet applications to each user access service node, and binds the policy of the intranet applications of security class 1 to the encrypted tunnel a.
Step 12, the information forwarding table of the intranet applications of security class 2 is issued only to the intranet application access service node 2 and is reported to the management and control server. The management and control server transmits the correspondence between the intranet application access service node and the intranet applications to each user access service node, and binds the policy of the intranet applications of security class 2 to the encrypted tunnel a.
Step 13, in this way applications of different security classes are additionally protected by being served through different intranet application access service nodes.
Step 14, meanwhile, the intranet application access service node 2 can serve as the backup intranet application access service node of the intranet application access service node 1. When the intranet application access service node 1 fails, the management and control server issues all information about the applications of security class 1 held on the intranet application access service node 1 to the intranet application access service node 2, and the security class of access point 2 is raised accordingly. Failure of the intranet application access service node 1 includes: failure of tunnel a, which connects it to the user side; failure of the intranet application access service node 1 itself; and failure of the communication between the intranet application access service node 1 and the intranet application. An intranet application access service node of a higher security level can be used as the backup node of an intranet application access service node of a lower security level.
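The tunnel sharing of step 6, the failover switch of step 7 and the security-class binding and backup rule of steps 10 to 14 (restated in claim 4 on this page) fit together in the following added example, which is not code from the patent or its applicant and models only the control-plane decisions. The class names, the SHA-256 hash used to share a flow onto a tunnel, the "closest qualifying class" choice used as the preset forwarding policy, and the binding of security class 2 to tunnel b (which follows from node 2 serving class 2 in step 10) are all assumptions. The forwarding message of step 7 is modelled as the management server updating the user access service node's forwarding table directly.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class ServiceNode:
    """An intranet application access service node, i.e. one access point in the user's intranet."""
    name: str
    security_class: int                 # 1 or 2 in the example of steps 10 to 14
    healthy: bool = True
    served_classes: set = field(default_factory=set)

    def __post_init__(self):
        self.served_classes.add(self.security_class)


@dataclass
class Tunnel:
    """One secure tunnel of a tunnel group; each tunnel terminates on exactly one service node."""
    name: str
    node: ServiceNode
    healthy: bool = True

    def usable(self) -> bool:
        # step 14: a tunnel failure and a node failure both count as failure of that access point
        return self.healthy and self.node.healthy


@dataclass
class UserAccessServiceNode:
    """User access service node on the public cloud: holds the tunnel group and the traffic
    forwarding entries (security class -> tunnel name) issued by the management server."""
    tunnel_group: list
    forwarding: dict = field(default_factory=dict)

    def pick_tunnel_by_hash(self, flow_key: str) -> Tunnel:
        """Step 6: share a new flow onto one usable tunnel of the group by hashing the flow key
        (SHA-256 is an assumption; the text only says the traffic is hashed once)."""
        usable = [t for t in self.tunnel_group if t.usable()]
        if not usable:
            raise RuntimeError("no usable tunnel in the tunnel group")
        digest = hashlib.sha256(flow_key.encode()).digest()
        return usable[int.from_bytes(digest[:4], "big") % len(usable)]

    def tunnel_for_class(self, security_class: int) -> Tunnel:
        """Steps 11 and 12: the tunnel bound to the policy of one application security class."""
        name = self.forwarding[security_class]
        return next(t for t in self.tunnel_group if t.name == name)


class ManagementServer:
    """Models the management and control server's binding and failover decisions."""

    def __init__(self, uasn: UserAccessServiceNode):
        self.uasn = uasn

    def bind_class(self, security_class: int, tunnel: Tunnel) -> None:
        """Steps 11 and 12: bind the forwarding entries of one security class to one tunnel."""
        self.uasn.forwarding[security_class] = tunnel.name

    def report_failure(self, failed: ServiceNode) -> list:
        """Steps 7 and 14, claim 4: on a failure report, pick a backup node whose security class
        is >= the failed node's, re-point the affected forwarding entries to the backup's tunnel
        and widen the classes the backup serves. Returns (class, old_tunnel, new_tunnel) switches."""
        failed.healthy = False
        candidates = [t for t in self.uasn.tunnel_group
                      if t.usable() and t.node.security_class >= failed.security_class]
        if not candidates:
            raise RuntimeError("no backup access point with a sufficient security class")
        # preset forwarding policy (assumption): the qualifying node closest in class to the failed one
        backup = min(candidates, key=lambda t: t.node.security_class)
        switches = []
        for cls in sorted(self.uasn.forwarding):
            old = self.uasn.tunnel_for_class(cls)
            if old.node is failed:
                self.uasn.forwarding[cls] = backup.name
                backup.node.served_classes.add(cls)
                switches.append((cls, old.name, backup.name))
        return switches


def build_example():
    """Constructed deployment after fig. 8: node 1 serves class 1 via tunnel a, node 2 serves
    class 2 via tunnel b, and both tunnels make up tunnel group 2."""
    node1 = ServiceNode("node1", security_class=1)
    node2 = ServiceNode("node2", security_class=2)
    tunnel_a, tunnel_b = Tunnel("a", node1), Tunnel("b", node2)
    uasn = UserAccessServiceNode(tunnel_group=[tunnel_a, tunnel_b])
    mgmt = ManagementServer(uasn)
    mgmt.bind_class(1, tunnel_a)
    mgmt.bind_class(2, tunnel_b)
    return node1, node2, uasn, mgmt


if __name__ == "__main__":
    node1, node2, uasn, mgmt = build_example()
    print("first PC flow shared onto tunnel", uasn.pick_tunnel_by_hash("10.0.0.5->oa").name)
    print("node 1 fails; entries switched:", mgmt.report_failure(node1))
```

Note that the backup rule is one-directional: with this deployment, node 2 (class 2) can take over the class-1 entries of node 1, but a failure of node 2 finds no node of class 2 or higher and `report_failure` refuses rather than silently downgrading class-2 traffic onto a lower-class access point.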
In the access system to which the access method provided by this embodiment is applied, the intranet application access clients of the multipoint access are inside the user's intranet, so the load of a single gateway can be distributed to 2 access points in different intranets at the same time, which reduces the gateway forwarding load and improves the stability and reliability of user service access. When one access point fails, the access points are switched directly without changing the user's networking, which guarantees the user's intranet access service; and several access points can verify the user's authority to access the intranet traffic at the same time, which improves the security and multiple protection of user access.
It should be understood that, although the steps in the flowcharts of the above embodiments are shown in sequence as indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may include several sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and whose order of execution is not necessarily sequential: they may be performed in turns or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides an access system for realizing the above-mentioned access method. The solution provided by the system is implemented in a manner similar to that described for the method above, so for the specific limitations of one or more embodiments of the access system provided below, reference may be made to the limitations of the access method above; they are not repeated here.
In one embodiment, as shown in fig. 1, the access system includes a management and control server 400, a plurality of intranet application access service clients 500, and a plurality of edge computing nodes deployed on a public cloud, where the edge computing nodes include at least one user access service node 200 and an intranet application access service node group; the user access service node 200 is connected with the intranet application access service node group through a security tunnel group, and the security tunnels are in one-to-one correspondence with the intranet application access service nodes 300; wherein:
The user access service node 200 receives a user access request, determines a first security tunnel according to a forwarding tunnel determination policy when determining that the user access request passes a first authentication, and forwards the user access request to a corresponding first intranet application access service node 300 through the first security tunnel;
The management and control server 400 determines, according to a preset forwarding policy, a second intranet application access service node 300 and a second secure tunnel that are matched with the first intranet application access service node 300 when detecting that the first intranet application access service node 300 fails, and sends a forwarding message to the user access service node 200, where the forwarding message is used to instruct the user access service node 200 to send the user access request to the second intranet application access service node 300 through the second secure tunnel;
The second intranet application access service node 300 forwards the user access request to the intranet application access service client 500 under the condition that the user access request passes the second authentication;
And the intranet application access service client 500 forwards the user access request to the intranet application through the intranet under the condition that the user access request passes the third authentication, so that the user accesses the intranet application.
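The first authentication that the user access service node 200 performs above, together with the registration-driven allocation of access rights, is spelled out in claims 5 to 7 on this page: the request's communication feature information must fall in a preset target area, the user's access rights must contain the target address, and the rights themselves are derived from a trust feature degree computed at registration. The following added example implements those checks; it is not the patent's or the applicant's code. The interpretation of the target area as a list of IP networks, the identity features (managed device, MFA enrolment), the home network used as the communication feature, the one-point-per-feature trust algorithm, and the tier-to-application rights policy are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class IntranetApp:
    """Address information of an intranet application as registered by the intranet application end."""
    address: str   # communication address
    port: int      # communication port


@dataclass
class RegisteredUser:
    """User information from a user registration request (identity and communication features)."""
    identity: str
    device_managed: bool     # identity feature (assumption): enrolled corporate device
    mfa_enrolled: bool       # identity feature (assumption): multi-factor authentication enrolled
    home_network: str        # communication feature (assumption): network the user usually connects from


# Preset target area (constructed): source networks allowed to pass the first authentication.
TARGET_AREA = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed application registry, as the management server holds it after application registration.
APPS = {
    "oa": IntranetApp("10.10.1.20", 443),
    "erp": IntranetApp("10.10.2.30", 8443),
    "hr": IntranetApp("10.10.3.40", 443),
}

# Preset rights-setting policy (assumption): a trust feature degree maps to a set of applications.
RIGHTS_BY_TRUST = {
    0: set(),
    1: {APPS["oa"]},
    2: {APPS["oa"], APPS["erp"]},
    3: {APPS["oa"], APPS["erp"], APPS["hr"]},
}


def trust_feature_degree(user: RegisteredUser) -> int:
    """Preset trust feature algorithm (assumption): one point per satisfied feature, 0 to 3."""
    score = int(user.device_managed) + int(user.mfa_enrolled)
    home = ip_network(user.home_network)
    score += int(any(home.subnet_of(net) for net in TARGET_AREA))
    return score


def allocate_access_rights(users) -> dict:
    """Claims 6 and 7: compute each user's trust feature degree and allocate the matching rights.
    Returns the user -> access rights correspondence the management server issues to the nodes."""
    return {u.identity: RIGHTS_BY_TRUST[trust_feature_degree(u)] for u in users}


def parse_request(raw: dict):
    """Claim 5: extract first identity information, first communication feature information
    (the source IP here) and the target access address from a user access request."""
    target = IntranetApp(raw["target_host"], int(raw["target_port"]))
    return raw["identity"], raw["source_ip"], target


def first_authentication(raw: dict, rights: dict, target_area=TARGET_AREA) -> bool:
    """Claim 5: pass only if the source lies inside the preset target area AND the user's access
    rights contain the target address. Unknown users and malformed requests fail closed."""
    try:
        identity, source_ip, target = parse_request(raw)
        src = ip_address(source_ip)
    except (KeyError, ValueError):
        return False
    in_area = any(src in net for net in target_area)
    return in_area and target in rights.get(identity, set())


if __name__ == "__main__":
    users = [RegisteredUser("alice", True, True, "10.20.0.0/16"),
             RegisteredUser("bob", False, True, "203.0.113.0/24")]
    rights = allocate_access_rights(users)
    req = {"identity": "bob", "source_ip": "10.20.3.4", "target_host": "10.10.2.30", "target_port": "8443"}
    print("bob -> erp passes first authentication:", first_authentication(req, rights))
```

Both conditions of claim 5 are evaluated on every request, and the rights table is the one generated at registration time, so a user whose trust feature degree was low at registration cannot reach an application simply by connecting from inside the target area.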
The various modules in the access system described above may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, and the internal structure of which may be as shown in fig. 9. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is for storing access data. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement an access method.
It will be appreciated by persons skilled in the art that the architecture shown in fig. 9 is merely a block diagram of some of the architecture relevant to the present inventive arrangements and is not limiting as to the computer device to which the present inventive arrangements are applicable, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In an embodiment, there is also provided a computer device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the method embodiments described above when the computer program is executed.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, carries out the steps of the method embodiments described above.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
The user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or sufficiently authorized by each party.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, Resistive Random Access Memory (ReRAM), Magnetoresistive Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory, and the like. Volatile memory can include Random Access Memory (RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can be in various forms such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), etc. The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (11)

1. The access method is characterized in that the access method is applied to an access system, the access system comprises a management and control server, a plurality of intranet application access service clients and a plurality of edge computing nodes deployed on public cloud, and the edge computing nodes comprise at least one user access service node and an intranet application access service node group; the user access service nodes are connected with the intranet application access service node group through a security tunnel group, and the security tunnels are in one-to-one correspondence with the intranet application access service nodes; the method comprises the following steps:
The user access service node receives a user access request, determines a first security tunnel according to a forwarding tunnel determination strategy under the condition that the user access request passes a first authentication, and forwards the user access request to a corresponding first intranet application access service node through the first security tunnel, wherein the first authentication is performed according to the first authentication strategy and information carried in the user access request;
The management and control server determines a second intranet application access service node and a second secure tunnel matched with the first intranet application access service node according to a preset forwarding strategy under the condition that the first intranet application access service node is monitored to be faulty, and sends a forwarding message to the user access service node, wherein the forwarding message is used for indicating the user access service node to send the user access request to the second intranet application access service node through the second secure tunnel;
The second intranet application access service node forwards the user access request to the intranet application access service client under the condition that the user access request passes the second authentication;
And the intranet application access service client forwards the user access request to the intranet application through the intranet under the condition that the user access request passes the third authentication, so that the user accesses the intranet application.
2. The method of claim 1, wherein the determining the first secure tunnel based on the forwarding tunnel determination policy comprises:
For each security tunnel contained in the security tunnel group, acquiring real-time resource information and geographic position information of the security tunnel;
According to the real-time resource information and the geographic position information, calculating the forwarding priority of the security tunnel through the preset priority algorithm;
and taking the security tunnel with the highest forwarding priority level in the security tunnel group as a first security tunnel.
3. The method of claim 1, wherein the determining the first secure tunnel based on the forwarding tunnel determination policy comprises:
resolving the user access request to obtain at least one target access address;
calculating the target density grade of each target access address according to a preset density grade determining algorithm;
determining a first intranet application access service node corresponding to each target density grade in the intranet application access service node group corresponding to the user access service node according to the corresponding relation between the pre-configured density grade and the intranet application access service node;
and taking the security tunnel corresponding to the first intranet application access service node as a first security tunnel.
4. The method according to claim 1, wherein the determining, by the management and control server, the second intranet application access service node and the second secure tunnel that are matched with the first intranet application access service node according to a preset forwarding policy if the first intranet application access service node is monitored to be faulty, includes:
The management and control server determines a target intranet application access service node set with a density level greater than or equal to that of the first intranet application access service node according to the corresponding relation between the pre-configured density level and the intranet application access service node under the condition that the first intranet application access service node is monitored to be faulty;
And the management and control server determines a second intranet application access service node matched with the first intranet application access service node and a second security tunnel in the target intranet application access service node set according to a preset forwarding strategy.
5. The method of claim 1, wherein the user access request includes first user information and a target access address, the first user information including first identity information and first communication feature information;
before the step of determining the first secure tunnel according to the forwarding tunnel determination policy, the method further comprises:
analyzing the user access request to obtain first identity information, first communication characteristic information and target access address information;
And if the first communication characteristic information is in a preset target area and the first access authority corresponding to the first identity information is determined to contain a target access address by the user access service node according to the corresponding relation between the user and the access authority, determining that the user access request passes the first authentication.
6. The method of any of claims 1-5, wherein the access system further comprises: the intranet application end and at least one user end; the method further comprises the steps of:
the user access service node receives a user registration request sent by the user terminal and forwards the user registration request to the management and control server, wherein the user registration request comprises user information of a plurality of users in a preset range, and the user information comprises identity characteristic information and communication characteristic information;
The intranet application access service node receives an application registration request sent by the intranet application end, forwards the application registration request to the management and control server, wherein the application registration request comprises address information of an internal application, and the address information comprises a communication address and a communication port;
And under the condition that the management and control server receives the user registration request and the application registration request, according to a preset authority setting strategy and the identity characteristic information and the communication characteristic information, distributing access authorities for all users contained in the user registration request, generating a corresponding relation between the users and the access authorities, and transmitting the corresponding relation between the users and the access authorities to the user access service node, the intranet application access service node and the intranet application access service client, wherein the access authorities comprise address information of at least one intranet application, and the access authorities enable the user to access the intranet application.
7. The method of claim 6, wherein the allocating access rights to each user included in the user registration request according to the identity feature information and the communication feature information according to the preset rights setting policy, and generating the correspondence between the user and the access rights, includes:
for each user in the user registration request, the management and control server calculates the trust feature degree corresponding to the user through a preset trust feature algorithm according to the identity feature information and the communication feature information; and distributing access rights corresponding to the trust feature degree to the user according to the trust feature degree corresponding to the user and a preset rights setting policy, and generating a corresponding relation between the user and the access rights.
8. The access system is characterized by comprising a management and control server, a plurality of intranet application access service clients and a plurality of edge computing nodes deployed on public cloud, wherein the edge computing nodes comprise at least one user access service node and an intranet application access service node group; the user access service nodes are connected with the intranet application access service node group through a security tunnel group, and the security tunnels are in one-to-one correspondence with the intranet application access service nodes; wherein:
The user access service node receives a user access request, determines a first security tunnel according to a forwarding tunnel determination strategy under the condition that the user access request passes a first authentication, and forwards the user access request to a corresponding first intranet application access service node through the first security tunnel, wherein the first authentication is performed according to the first authentication strategy and information carried in the user access request;
The management and control server determines a second intranet application access service node and a second secure tunnel matched with the first intranet application access service node according to a preset forwarding strategy under the condition that the first intranet application access service node is monitored to be faulty, and sends a forwarding message to the user access service node, wherein the forwarding message is used for indicating the user access service node to send the user access request to the second intranet application access service node through the second secure tunnel;
The second intranet application access service node forwards the user access request to the intranet application access service client under the condition that the user access request passes the second authentication;
And the intranet application access service client forwards the user access request to the intranet application through the intranet under the condition that the user access request passes the third authentication, so that the user accesses the intranet application.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 7 when the computer program is executed.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 7.
11. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 7.
CN202210105459.2A 2022-01-28 2022-01-28 Access method, access system, computer device, and storage medium Active CN114598498B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210105459.2A CN114598498B (en) 2022-01-28 2022-01-28 Access method, access system, computer device, and storage medium

Publications (2)

Publication Number Publication Date
CN114598498A CN114598498A (en) 2022-06-07
CN114598498B true CN114598498B (en) 2024-06-14

Family

ID=81805035

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114448700B (en) * 2022-01-28 2024-06-14 杭州亿格云科技有限公司 Data access method, data access system, computer device, and storage medium
CN115766059B (en) * 2022-09-22 2024-05-17 网易(杭州)网络有限公司 Cluster deployment method, access method, device and electronic equipment
CN117155994B (en) * 2023-10-27 2024-02-02 广州市千钧网络科技有限公司 Service registration management method, device, equipment and readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112350918A (en) * 2020-12-10 2021-02-09 武汉绿色网络信息服务有限责任公司 Service traffic scheduling method, device, equipment and storage medium
CN113949573A (en) * 2021-10-18 2022-01-18 天翼数字生活科技有限公司 Zero-trust service access control system and method
CN114448700A (en) * 2022-01-28 2022-05-06 杭州亿格云科技有限公司 Data access method, data access system, computer device and storage medium

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8161541B2 (en) * 2007-12-13 2012-04-17 Alcatel Lucent Ethernet connectivity fault management with user verification option
US10681086B2 (en) * 2014-03-11 2020-06-09 Telefonaktiebolaget Lm Ericsson (Publ) Methods, devices and computer programs for subjecting traffic associated with a service to a specific treatment
CN108600204A (en) * 2018-04-11 2018-09-28 浙江大学 A kind of corporate intranet access method based on Opposite direction connection and application layer tunnel
CN111726366A (en) * 2020-06-30 2020-09-29 成都卫士通信息产业股份有限公司 Device communication method, device, system, medium and electronic device
CN112165532B (en) * 2020-10-14 2024-04-09 腾讯科技(深圳)有限公司 Node access method, device, equipment and computer readable storage medium
CN112100675B (en) * 2020-11-05 2021-02-12 南京云信达科技有限公司 Zero-trust data storage access method and system
CN113329101B (en) * 2021-08-02 2021-11-02 杭州钛鑫科技有限公司 Remote login method and login device for edge computing node
CN113905109B (en) * 2021-12-08 2022-03-22 深圳竹云科技有限公司 Zero trust network data transmission method, device, equipment and computer storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
浅析零信任安全模型在水电集控管理信息大区网络安全中的应用;黄懿;;《红水河》;第38卷(第06期);第4节 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant