CN114710365B - Intranet environment establishing method, electronic equipment and storage medium - Google Patents

Info

Publication number
CN114710365B
CN114710365B (application CN202210571960.8A)
Authority
CN
China
Prior art keywords
trusted
network
network device
environment
network equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210571960.8A
Other languages
Chinese (zh)
Other versions
CN114710365A (en)
Inventor
张登超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Xiaoyudian Digital Technology Co.,Ltd.
Original Assignee
Shenzhen Huace Huihong Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Huace Huihong Technology Co ltd
Priority to CN202210571960.8A
Publication of CN114710365A
Application granted
Publication of CN114710365B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L 41/0663 Performing the actions predefined by failover planning, e.g. switching to standby network elements

Abstract

The application discloses an intranet environment establishing method, an electronic device and a storage medium. The method is applied to a trusted center device in an intranet environment that contains at least one network device, and comprises: acquiring the neighbor tables of all network devices in the intranet environment, where each neighbor table stores the neighbor information of one network device; when the neighbor tables show that a first network device (a network device newly connected to the intranet) exists, setting the state of the first network device to an unregistered state and placing it in an access isolation area, where it can communicate only with its adjacent network devices; and when a user terminal that accesses the intranet environment through the first network device passes authentication, setting the state of the first network device to a trusted registered state and moving it from the access isolation area to the trusted environment area, where a network device can communicate with any other network device in the trusted environment area.

Description

Intranet environment establishing method, electronic equipment and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method for establishing an intranet environment, an electronic device, and a storage medium.
Background
An intranet usually means a local area network. Because a local area network is quick and convenient to install, saves cost and is easy to extend, it is widely used in offices of all kinds. A local area network provides file management, application software sharing, printer sharing and similar functions; maintaining its security during use protects the data on it effectively and keeps the network running normally and stably.
In current security control policies, a client or a dedicated device providing authentication, authorization and access control is usually installed to ensure the security and credibility of the intranet environment. If that client or device fails, the intranet may be illegally invaded and accessed, and its security and credibility can no longer be guaranteed.
Disclosure of Invention
The application provides an intranet environment establishing method, electronic equipment and a storage medium.
In a first aspect, a method for establishing an intranet environment is provided. The method is applied to a trusted center device in the intranet environment, the intranet environment includes at least one network device, and the method includes:
acquiring the neighbor tables of all network devices in the intranet environment, where each neighbor table stores the neighbor information of one network device, and the neighbor information is the information of the adjacent network devices connected to that network device;
when it is determined from the neighbor tables that a first network device exists in the intranet environment, setting the state of the first network device to an unregistered state and placing it in an access isolation area, where the first network device is a network device newly connected to the intranet environment, and a network device in the unregistered state can communicate only with its adjacent network devices;
and when a user terminal that accesses the intranet environment through the first network device passes authentication, setting the state of the first network device to a trusted registered state and moving it from the access isolation area to a trusted environment area, where a network device in the trusted environment area can communicate with any network device in the trusted environment area.
Optionally, after acquiring the neighbor tables of all network devices in the intranet environment, the method further includes:
calculating, from the neighbor tables, the path from each network device in the access isolation area to a resource server, marking each such path as an untrusted path, and storing the untrusted paths;
and the method further includes:
when a user terminal that accesses the intranet environment through the first network device passes authentication, marking the untrusted path corresponding to that user terminal as a trusted path, where the untrusted path corresponding to the user terminal is the path from the user terminal through the first network device to the resource server.
Optionally, after the untrusted path corresponding to the user terminal is marked as a trusted path, the method further includes:
periodically checking whether the user terminal accessing the resource server through the trusted path still passes authentication;
and when that user terminal no longer passes authentication, moving the first network device from the trusted environment area back to the access isolation area, setting its state to a temporarily untrusted state, and marking the trusted path as an untrusted path again. A network device in the temporarily untrusted state must wait for a preset duration before it may communicate at all, and after that may communicate only with its adjacent network devices.
Optionally, the method further includes:
when the number of times that a user terminal accessing the intranet environment through the first network device fails authentication exceeds a preset number, setting the state of the first network device to an untrusted state; a network device in the untrusted state cannot communicate even with its adjacent network devices.
Optionally, the method further includes:
acquiring, based on the intranet trusted protocol, abnormal information about network devices in the trusted environment area, where the abnormal information indicates that a network device has a fault or is under a network-layer attack;
and if the abnormal information of a second network device in the trusted environment area meets a preset device isolation condition, moving the second network device from the trusted environment area to the access isolation area and setting its state to the temporarily untrusted state, with the same restriction as above: the device must wait for the preset duration and may then communicate only with its adjacent network devices.
Optionally, after the first network device is moved from the access isolation area to the trusted environment area, the method further includes:
initiating an election to choose a new trusted central device and a new backup trusted central device from the network devices in the trusted environment area, where the backup trusted central device executes the method performed by the trusted central device if the trusted central device fails.
Optionally, initiating the election to choose a new trusted central device and a new backup trusted central device from the network devices in the trusted environment area includes:
initiating the election based on the intranet trusted protocol, so that every network device in the trusted environment area obtains the trust indexes of all network devices in the trusted environment area, where a trust index reflects the credibility of a network device in the trusted environment area;
and, based on the trust indexes of all network devices in the trusted environment area, taking the two network devices with the highest trust indexes as the new trusted central device and the new backup trusted central device respectively.
Optionally, the trust index of a third network device is obtained from at least one of: the device priority of the third network device, its interface bandwidth, the number of resource servers connected to it, the number of network segments connected to it, and the delay condition of its interfaces, where the third network device is any network device in the trusted environment area.
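A compact model of the trusted center device's behaviour described in the first aspect, as an added example and not code from the patent: it collects neighbor tables, puts a newly seen device into the isolation area with an untrusted path to the resource server, promotes it when the terminal behind it authenticates, demotes it on a failed periodic check or on anomaly information, locks it out after too many failed authentications, and elects the TCD and BTCD by trust index. The device names, the thresholds, the rule that the resource server itself counts as trusted, and the weighting used for the trust index are assumptions; the patent names the five inputs to the trust index but gives no formula.

```python
"""Added example, not the patent's code: a small model of the trusted central
device (TCD) behaviour of the first aspect. Names, thresholds and the
trust-index weights are assumptions."""
from collections import deque

UNREGISTERED = "unregistered"             # newly seen device, access isolation area
TRUSTED = "trusted_registered"            # trusted environment area
TEMP_UNTRUSTED = "temporarily_untrusted"  # back in isolation, must wait first
UNTRUSTED = "untrusted"                   # cannot talk even to its neighbours


class TrustedCenter:
    def __init__(self, resource_server, max_failures=3, wait_seconds=60):
        self.resource_server = resource_server
        self.max_failures = max_failures
        self.wait_seconds = wait_seconds
        self.neighbors = {}    # device -> set(adjacent devices): the neighbor tables
        self.state = {}        # device -> one of the four states above
        self.isolated_at = {}  # device -> time it became TEMP_UNTRUSTED
        self.failures = {}     # device -> failed terminal authentications through it
        self.paths = {}        # device -> (path to resource server, is_trusted)

    def refresh_neighbor_tables(self, tables):
        """A device absent from every earlier table is a newly accessed 'first
        network device': unregistered, isolated, with an untrusted path."""
        self.neighbors = {d: set(n) for d, n in tables.items()}
        for dev in tables:
            if dev not in self.state:
                self.state[dev] = UNREGISTERED
                path = self.shortest_path(dev)
                if path:
                    self.paths[dev] = (path, False)

    def shortest_path(self, src):
        """Breadth-first search over the neighbor tables to the resource server."""
        prev, queue = {src: None}, deque([src])
        while queue:
            cur = queue.popleft()
            if cur == self.resource_server:
                path = []
                while cur is not None:
                    path.append(cur)
                    cur = prev[cur]
                return path[::-1]
            for nxt in self.neighbors.get(cur, ()):
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        return None

    def on_terminal_authenticated(self, dev):
        """Terminal behind dev passed: trusted area, its path becomes trusted."""
        self.state[dev] = TRUSTED
        self.failures[dev] = 0
        if dev in self.paths:
            self.paths[dev] = (self.paths[dev][0], True)

    def on_terminal_auth_failed(self, dev):
        """More than max_failures failures through dev: fully untrusted."""
        self.failures[dev] = self.failures.get(dev, 0) + 1
        if self.failures[dev] > self.max_failures:
            self.state[dev] = UNTRUSTED

    def periodic_check(self, dev, still_authenticated, now):
        """Re-check a terminal on a trusted path; on failure isolate dev again."""
        if self.state.get(dev) == TRUSTED and not still_authenticated:
            self.isolate(dev, now)

    def isolate(self, dev, now):
        """Trusted area -> isolation area as temporarily untrusted; also the
        action when anomaly info meets the device isolation condition."""
        self.state[dev] = TEMP_UNTRUSTED
        self.isolated_at[dev] = now
        if dev in self.paths:
            self.paths[dev] = (self.paths[dev][0], False)

    def _reach(self, dev, now):
        if dev == self.resource_server:   # assumption: the server is trusted
            return "trusted"
        s = self.state.get(dev)
        if s == UNTRUSTED:
            return "blocked"
        if s == TEMP_UNTRUSTED and now - self.isolated_at[dev] < self.wait_seconds:
            return "blocked"
        return "trusted" if s == TRUSTED else "neighbors_only"

    def can_communicate(self, a, b, now=0):
        """Trusted: any trusted device; isolated: adjacent only; blocked: none."""
        ra, rb = self._reach(a, now), self._reach(b, now)
        if "blocked" in (ra, rb):
            return False
        if ra == rb == "trusted":
            return True
        return b in self.neighbors.get(a, ()) or a in self.neighbors.get(b, ())

    def elect(self, index):
        """The two highest trust indexes in the trusted area become TCD and BTCD."""
        ranked = sorted((d for d, s in self.state.items() if s == TRUSTED),
                        key=lambda d: index[d], reverse=True)
        return ranked[0], ranked[1]


def trust_index(priority, bandwidth_mbps, servers, segments, delay_ms):
    """Assumed weighting of the five inputs the patent names; it gives no formula."""
    return 10 * priority + bandwidth_mbps / 1000 + 5 * servers + 2 * segments - delay_ms
```

Running the model with two trusted core devices and one newly attached switch walks the switch through unregistered, trusted, temporarily untrusted and finally untrusted, and shows at each step which peers it can reach.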
In a second aspect, an apparatus for establishing an intranet environment is provided, including:
an obtaining module configured to acquire the neighbor tables of all network devices in the intranet environment, where each neighbor table stores the neighbor information of one network device, and the neighbor information is the information of the adjacent network devices connected to that network device;
a setting module configured to, when it is determined from the neighbor tables that a first network device exists in the intranet environment, set the state of the first network device to an unregistered state and place it in an access isolation area, where the first network device is a network device newly connected to the intranet environment, and a network device in the unregistered state can communicate only with its adjacent network devices;
the setting module being further configured to, when a user terminal that accesses the intranet environment through the first network device passes authentication, set the state of the first network device to a trusted registered state and move it from the access isolation area to a trusted environment area, where a network device in the trusted environment area can communicate with any network device in the trusted environment area.
Optionally, the apparatus further includes a path module configured to:
calculate, from the neighbor tables, the path from each network device in the access isolation area to a resource server, mark each such path as an untrusted path, and store the untrusted paths;
and, when a user terminal that accesses the intranet environment through the first network device passes authentication, mark the untrusted path corresponding to that user terminal as a trusted path, where the untrusted path corresponding to the user terminal is the path from the user terminal through the first network device to the resource server.
Optionally, the setting module is further configured to:
periodically check whether the user terminal accessing the resource server through the trusted path still passes authentication;
and, when that user terminal no longer passes authentication, move the first network device from the trusted environment area back to the access isolation area, set its state to a temporarily untrusted state, and mark the trusted path as an untrusted path again, where a network device in the temporarily untrusted state must wait for a preset duration before it may communicate at all and may then communicate only with its adjacent network devices.
Optionally, the setting module is further configured to set the state of the first network device to an untrusted state when the number of times that a user terminal accessing the intranet environment through the first network device fails authentication exceeds a preset number, where a network device in the untrusted state cannot communicate even with its adjacent network devices.
Optionally, the obtaining module is further configured to acquire, based on the intranet trusted protocol, abnormal information about network devices in the trusted environment area, where the abnormal information indicates that a network device has a fault or is under a network-layer attack;
and the setting module is further configured to, if the abnormal information of a second network device in the trusted environment area meets a preset device isolation condition, move the second network device from the trusted environment area to the access isolation area and set its state to the temporarily untrusted state, with the same restriction: the device must wait for the preset duration and may then communicate only with its adjacent network devices.
Optionally, the apparatus further includes an election module configured to:
initiate an election to choose a new trusted central device and a new backup trusted central device from the network devices in the trusted environment area, where the backup trusted central device executes the method performed by the trusted central device if the trusted central device fails.
Optionally, the election module is specifically configured to:
initiate the election based on the intranet trusted protocol, so that every network device in the trusted environment area obtains the trust indexes of all network devices in the trusted environment area, where a trust index reflects the credibility of a network device in the trusted environment area;
and, based on the trust indexes of all network devices in the trusted environment area, take the two network devices with the highest trust indexes as the new trusted central device and the new backup trusted central device respectively.
Optionally, the trust index of a third network device is obtained from at least one of: the device priority of the third network device, its interface bandwidth, the number of resource servers connected to it, the number of network segments connected to it, and the delay condition of its interfaces, where the third network device is any network device in the trusted environment area.
In a third aspect, an electronic device is provided, comprising a memory and a processor, the memory storing a computer program that, when executed by the processor, causes the processor to perform the steps as in the first aspect and any possible implementation thereof.
In a fourth aspect, a computer storage medium is provided, which stores one or more instructions adapted to be loaded by a processor and to perform the steps of the first aspect and any possible implementation thereof as described above.
The intranet environment establishing method is applied to a trusted center device in an intranet environment that includes at least one network device. The trusted center device acquires the neighbor tables of all network devices in the intranet environment, where each neighbor table stores the neighbor information of one network device, that is, the information of the adjacent network devices connected to it. When it is determined from the neighbor tables that a first network device, a network device newly connected to the intranet environment, exists, the state of the first network device is set to an unregistered state and the device is placed in an access isolation area, where a network device in the unregistered state can communicate only with its adjacent network devices. When a user terminal that accesses the intranet environment through the first network device passes authentication, the state of the first network device is set to a trusted registered state and the device is moved from the access isolation area to a trusted environment area, where a network device can communicate with any network device in the trusted environment area. In other words, a newly added network device is detected and placed in an isolation area so that it can communicate only with its adjacent network devices; resource access control is thus applied to the newly added intranet device, which can reach only limited resources. Once the user terminal connected to the newly added network device passes authentication, the device is moved from the isolation area to the trusted environment area and can access all resources in the intranet environment. This keeps the intranet environment stable and secure.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments or the background art of the present application, the drawings required to be used in the embodiments or the background art of the present application will be described below.
Fig. 1 is a schematic diagram of an intranet environment architecture according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a method for establishing an intranet environment according to an embodiment of the present application;
fig. 3 is a schematic view of an election process of a network device according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an intranet environment establishing apparatus according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions of the present application better understood, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first," "second," and the like in the description and claims of the present application and in the above-described drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein may be combined with other embodiments.
The general technical concept of the present application is as follows. An intranet trusted protocol is predefined that network devices in the intranet environment must follow in order to access intranet resources. The protocol runs on every network device in the intranet environment; each device communicates according to the working process and standard the protocol defines, and executes the intranet environment establishing method provided here according to the device role the protocol assigns to it. Network devices in different conditions can thereby be controlled and managed, unsafe network devices are prevented from accessing intranet resources, and an intranet environment with a trust mechanism is established that is secure and credible.
The intranet trusted protocol defines the following:
1. A neighbor discovery function. Through it a network device discovers its adjacent network devices (neighbors), an adjacent network device being one that has a direct physical connection to the device. Two adjacent network devices establish a neighbor relation through neighbor discovery, and once the relation is established they can communicate with each other on the basis of it.
2. Trusted-path data exchange and general data exchange. After two adjacent network devices have established a neighbor relation, they exchange their respective trusted-path data and other data.
3. An election mechanism, by which a Trusted Central Device (TCD) and a Backup Trusted Central Device (BTCD) are elected from the network devices in the trusted environment area of the intranet.
The TCD manages every network device in the intranet environment: it decides whether each network device in the trusted environment area is trusted, moves untrusted network devices out of the trusted environment area, monitors them, and admits network devices that meet the conditions into the trusted environment area;
the BTCD takes over the role of the TCD when the TCD is unavailable.
4. Path selection: when information can be obtained over several trusted paths, the shortest and most trusted path is selected for accessing resources.
Some concepts related to the present application are next presented.
1. Intranet environment: a local area network connects the computers, peripherals and databases within a certain area into a computer communication network, and is connected over dedicated data lines to local area networks or databases elsewhere to form a wider information processing system. Maintaining the security of the intranet environment during use protects data effectively and keeps the network running normally and stably. As shown in fig. 1, an intranet environment in this application may consist of network devices and a resource area, where the resource area may contain one or more resource servers.
2. Network device: a computer device used to implement network communication, including but not limited to a gateway, a firewall or a switch. Network devices are connected into a network topology to carry network communication.
3. Adjacent network device: a network device that has a direct physical connection to a given network device, also called a neighbor of that device. For example, if network device A is an adjacent network device of network device B, then A and B are directly connected physically, for instance by a communication cable.
4. TCD (Trusted Central Device): one of the network devices in the intranet environment. The trusted central device is the management node of the whole intranet environment: it manages every network device in the intranet environment, decides whether each network device in the trusted environment area is trusted, moves untrusted network devices out of the trusted environment area, monitors them, and admits network devices that meet the conditions into the trusted environment area.
5. BTCD (Backup Trusted Central Device): a network device that holds a backup of the trusted central device's data and takes over the functions of the trusted central device when it is unavailable.
6. Resource server: in this application, a server that provides resources for access within the trusted environment area of the intranet. It can perform resource access authentication; only an authenticated user terminal behind a network device in the trusted registered state can access the resources it provides.
7. User terminal: a device that connects to a network device in the intranet environment in order to request, through that network device, access to the resources provided by a resource server. A user terminal is normally operated by a user and includes but is not limited to a mobile phone, a laptop or a desktop computer.
8. Access isolation area: a logical isolation area that separates network devices whose trust state is not yet determined from the secure and trusted network devices in the intranet environment, so that devices of undetermined trust cannot threaten the security of the intranet. The access of a network device in the access isolation area to intranet resources may be restricted.
9. Trusted environment area: the network devices in the trusted environment area are those whose current state is secure and trusted; they can access resources in the intranet environment without restriction.
The embodiments of the present application will be described below with reference to the drawings.
Fig. 2 is a schematic flowchart of a method for establishing an intranet environment according to an embodiment of the present disclosure. The method is executed by a TCD; see the definition of the TCD above. As shown in fig. 2, the method may include:
101. the method comprises the steps of obtaining neighbor tables of all network devices in an intranet environment, wherein one neighbor table is used for storing neighbor information of one network device, and the neighbor information refers to information of adjacent network devices connected with the one network device.
The neighbor table stores the network devices with which a device has established a neighbor relation through the neighbor device discovery function of the intranet trusted protocol. The neighbor discovery function defines the format of the discovery message that a network device uses to implement neighbor discovery. Table 1 shows the format and content of a discovery message, which consists of a protocol header, a label, a message type, a timer, and a check column.
Protocol header (TCP) | Label | Message type | Timer | Check column
TABLE 1
The protocol header indicates that the discovery message is in compliance with a trusted protocol standard.
The label indicates a physical interface of the device; the transmission port and the reception port of a discovery message can be determined from the label, and thus the adjacent network device that sent or received the discovery message can be identified. For example, if a network device has 6 interfaces and the label in a discovery message is 2, the discovery message was sent from, or received on, the 2nd interface.
The message type identifies the type of the discovery message; discovery messages are divided into a sending type and a feedback type. The sending type message, the Hello message, is sent by a network device to its adjacent network devices and carries the device name and IP address of the sending network device. The feedback type message, the Received message, is the reply of an adjacent network device after it receives the Hello message and carries back the device name and IP address of that adjacent network device. If a Hello message sent by a network device through an interface is not answered by a Received message on that interface, the adjacent network device connected through the interface does not exist or is disconnected.
The timer indicates the timing interval for sending discovery messages; a network device sends a Hello message through each of its interfaces periodically according to the interval indicated by the timer.
The check column is used to verify the discovery message. It is obtained by applying a one-way hash to the fields in front of the check column. After receiving a discovery message, the network device extracts the fields before the check column, computes the one-way hash over them, and compares the result with the content of the check column, so that a tampered discovery message can be detected.
Network devices exchange messages in the above format to establish neighbor relations. When a network device A sends a Hello message and receives a Received message from another network device B, and the hash check shows that the check column of the Received message has not been tampered with, a neighbor relation is established between A and B, and A records the device name and IP address of B in its neighbor table. For example, the neighbor table of network device A may be as shown in table 2: network device B is an adjacent network device of A and is connected to interface 2 of A. The neighbor table of network device B may be as shown in table 3: network device A is an adjacent network device of B and is connected to interface 1 of B.
Device name      | IP address   | Interface
Network device B | IP address B | Eth-2
TABLE 2
Device name      | IP address   | Interface
Network device A | IP address A | Eth-1
TABLE 3
All network devices joining the intranet environment establish neighbor relations in the above manner, generate their neighbor tables, and then provide the neighbor tables to the TCD. When only two network devices exist in the intranet environment, one of them is the TCD and the other is an adjacent network device of the TCD, which sends its neighbor table to the TCD through the interface connected to the TCD. When there are multiple network devices in the intranet environment, each network device sends its neighbor table to its adjacent network devices, which forward it on to the TCD.
Optionally, after acquiring the neighbor tables of all network devices in the intranet environment, the TCD may save a copy of them to the BTCD so that the BTCD can take over from the TCD at any time.
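As an added illustration (this code is not part of the patent or of any product implementing it), the following Python models the discovery message of Table 1 and the Hello/Received exchange that produces the neighbor tables of Tables 2 and 3, then collects those tables the way step 101 does. The byte layout, the 4-byte header value, the use of SHA-256 as the one-way hash, and the NetworkDevice, run_discovery and collect_neighbor_tables helpers are assumptions; the patent fixes only the field order.

```python
import hashlib
import hmac
import struct

# Assumed 4-byte marker; the page only says the header shows compliance with the trusted protocol.
PROTOCOL_HEADER = b"TCP1"
HELLO, RECEIVED = 1, 2  # message types: sending type (Hello) and feedback type (Received)
CHECK_LEN = 32          # SHA-256 digest length (hash choice is an assumption)


def encode_discovery(label: int, msg_type: int, timer_s: int, name: str, ip: str) -> bytes:
    """Serialise header | label | type | timer | device name | IP and append the check column,
    the one-way hash of every field in front of it (Table 1 order, field widths assumed)."""
    name_b, ip_b = name.encode(), ip.encode()
    body = PROTOCOL_HEADER + struct.pack("!BBH", label, msg_type, timer_s)
    body += struct.pack("!B", len(name_b)) + name_b + struct.pack("!B", len(ip_b)) + ip_b
    return body + hashlib.sha256(body).digest()


def decode_discovery(msg: bytes):
    """Recompute the hash over the fields before the check column and compare it;
    return the parsed fields, or None when the message is malformed or was altered."""
    if len(msg) < len(PROTOCOL_HEADER) + 4 + 2 + CHECK_LEN:
        return None
    body, check = msg[:-CHECK_LEN], msg[-CHECK_LEN:]
    if not hmac.compare_digest(hashlib.sha256(body).digest(), check):
        return None
    if not body.startswith(PROTOCOL_HEADER):
        return None
    label, msg_type, timer_s = struct.unpack("!BBH", body[4:8])
    pos = 8
    name_len = body[pos]
    if pos + 1 + name_len >= len(body):
        return None
    name = body[pos + 1:pos + 1 + name_len].decode()
    pos += 1 + name_len
    ip_len = body[pos]
    if pos + 1 + ip_len > len(body):
        return None
    ip = body[pos + 1:pos + 1 + ip_len].decode()
    return {"label": label, "type": msg_type, "timer": timer_s, "name": name, "ip": ip}


class NetworkDevice:
    """A device with a neighbor table: neighbor name -> (IP address, local interface)."""

    def __init__(self, name: str, ip: str):
        self.name, self.ip = name, ip
        self.neighbor_table = {}


def run_discovery(sender, s_label, receiver, r_label, timer_s=10) -> bool:
    """One Hello/Received exchange over the link between sender interface s_label and
    receiver interface r_label (encode followed by decode stands in for transmission).
    Each side records the peer against its own interface, as in Tables 2 and 3."""
    hello = decode_discovery(encode_discovery(s_label, HELLO, timer_s, sender.name, sender.ip))
    if hello is None or hello["type"] != HELLO:
        return False
    receiver.neighbor_table[hello["name"]] = (hello["ip"], f"Eth-{r_label}")
    received = decode_discovery(
        encode_discovery(r_label, RECEIVED, timer_s, receiver.name, receiver.ip))
    if received is None or received["type"] != RECEIVED:
        receiver.neighbor_table.pop(hello["name"], None)  # no reply: no neighbor relation
        return False
    sender.neighbor_table[received["name"]] = (received["ip"], f"Eth-{s_label}")
    return True


def collect_neighbor_tables(devices):
    """What the TCD assembles in step 101: {device name: neighbor table}."""
    return {d.name: dict(d.neighbor_table) for d in devices}
```

A check column computed with an unkeyed hash only detects accidental corruption: whoever can alter the fields can recompute the hash. Where the check has to hold against an active party on the link, the same column would carry a keyed MAC (for example HMAC-SHA256 with a key shared by the devices); compare_digest is used so the comparison itself does not leak timing.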
102. When it is determined from the neighbor tables that a first network device exists in the intranet environment, set the state of the first network device to the unregistered state and place it in the access isolation area, where the first network device is a network device newly accessing the intranet environment, and a network device in the unregistered state can only communicate with its adjacent network devices.
The network device newly entering the intranet environment is a network device that establishes a physical connection with one network device in the intranet environment.
When only the TCD exists in the intranet environment, the TCD sends Hello messages outwards based on the neighbor discovery function to detect whether a newly accessed network device exists. If the TCD receives a Received message, it determines that the network device that sent the Received message is the newly accessed network device.
When a plurality of network devices (including the TCD) exist in the intranet environment, all of them send Hello messages outwards based on the neighbor discovery function to detect whether a newly accessed network device exists. If any network device C among them receives a Received message, it has found the newly accessed network device, establishes a neighbor relation with it and records it in its neighbor table. If network device C is the TCD, it determines that the network device that sent the Received message is the newly accessed network device; if network device C is not the TCD, it updates its own neighbor table and transmits the updated table to the TCD, and the TCD determines from the updated neighbor table of network device C that a newly accessed network device exists in the intranet environment.
Any network device in the access isolation area can only communicate with its adjacent network devices. Communication here is logical: the network device can only request access to some open, non-confidential resources through the adjacent network device and cannot access the intranet resource area. In the embodiment of the present application, isolation of a network device in the access isolation area may be understood as logical isolation, that is, the TCD prohibits communication on specific ports of the network device in the access isolation area, namely the ports used for accessing the intranet resource server, so that those ports cannot reach the resource server.
Specifically, the TCD may send an unregistered indication to the adjacent network devices of the first network device, where the unregistered indication carries the device name of the first network device to indicate its unregistered state. After receiving the unregistered indication, an adjacent network device of the first network device determines from the carried device name that the state of the first network device is the unregistered state; when a specific port of the first network device sends out an access request, the adjacent network device blocks the access request, preventing the first network device from accessing the intranet resource server, so that logical access isolation of the first network device is realized.
103. When the user terminal accessing the intranet environment through the first network device passes authentication, set the state of the first network device to the trusted registration state and move the first network device from the access isolation area to the trusted environment area, where a network device in the trusted environment area may communicate with any network device in the trusted environment area.
When a user terminal connected to the first network device requests access to intranet resources, the user terminal accesses the first network device, the first network device communicates with the TCD, and the TCD obtains an authentication link from the resource server that the user terminal wants to access, sends the authentication link to the first network device and requests the user terminal to authenticate. After the user terminal submits its authentication information through the authentication link, if the authentication passes, the TCD sets the state of the first network device to the trusted registration state and moves the first network device from the access isolation area to the trusted environment area. The TCD lifts the communication prohibition on the specific ports of the first network device, namely the ports used for accessing the intranet resource server, so that the first network device can access the resource server. A network device in the trusted environment area may communicate with any network device in the trusted environment area; for example, the first network device may communicate with the other network devices in the trusted environment area, which essentially means that the first network device can access the non-public or confidential resources of those network devices. If the first network device is directly connected to the resource server, it can access the resources provided by the resource server directly; if it is connected to the resource server through other network devices in the trusted environment area, it can access those resources through the other network devices.
The first network device can access the resource server in the intranet environment, and the user terminal can access the resource area in the intranet environment through the first network device.
Specifically, the TCD may send a trusted registration indication to the adjacent network devices of the first network device, where the trusted registration indication carries the device name of the first network device to indicate its trusted registration state. After receiving the indication, an adjacent network device of the first network device determines from the carried device name that the first network device is in the trusted registration state; when a specific port of the first network device sends an access request, the adjacent network device forwards the access request, so that the first network device can access the resource server normally and its logical isolation is lifted.
It should be noted that the TCD may authenticate any network device in the access isolation area through the above authentication method, so that the network device is moved from the access isolation area to the trusted environment area.
In the above scheme, when a newly added network device is detected, it is placed in the isolation area so that it can only communicate with its adjacent network devices, which amounts to resource access control on the newly added intranet device: it can only access limited resources. When the user terminal connected to the newly added network device passes authentication, the newly added device is moved from the isolation area to the trusted environment area and can then access all resources in the intranet environment, so that the stability and security of the intranet environment are ensured.
In an optional implementation manner, the step 101 further includes:
calculating a path from each network device in the access isolation area to a resource server based on the neighbor table, marking the path as an untrusted path, and storing the untrusted path;
the method further comprises the following steps: and when the user terminal accessing the intranet environment through the first network device passes the authentication, marking an untrusted path corresponding to the user terminal as a trusted path, wherein the untrusted path corresponding to the user terminal is a path through which the user terminal reaches the resource server through the first network device.
In the process of gradually building the intranet, after a resource server is accessed into the intranet, a network device is connected to it and the resource server provides resource access authentication. The TCD may record a trusted path from a user terminal to the resource server; a path may contain one or more network devices, as long as the user terminal requesting access provides the correct access credentials.
Specifically, each neighbor table stores the neighbor information of one network device. After receiving all neighbor tables, the TCD can determine from each of them the path between a network device and its neighbors, integrate all such paths, and, starting from a given network device, find a path to the resource server. For example, if the neighbors of device A include device B, and the neighbors of device B include device A and the resource server, then starting from device A the TCD finds the path to the resource server as device A - device B - resource server, which is the path from device A to the resource server; starting from device B, the TCD finds the path device B - resource server, which is the path from device B to the resource server.
The paths from each network device in the access isolation area to the resource servers are marked as untrusted paths and stored in the device storage unit; this process is called trusted path convergence. The path from a network device to a resource area is a physical path consisting of the network devices that the device must pass through to access the resource area; one path may pass through one or more network devices.
An untrusted path is not yet a trusted path because it may contain untrusted network devices or behaviors that violate the trusted environment. In all cases, the intranet resource area is configured with authentication, authorization, and access control. Therefore, after the user terminal accesses the network device connected to it (taking the first network device as an example), the TCD requires the user terminal to authenticate: the first network device sends an authentication request to the TCD through its adjacent device to obtain an authentication link that the TCD requests from the resource server; after the user terminal fills in the correct authentication information and passes authentication, the TCD marks the (untrusted) path from the user terminal through the first network device to the resource server as a trusted path, and may store the authentication information of the user terminal on the path.
The network devices on the untrusted path may include untrusted network devices, such as network devices in an unregistered state, network devices in a temporarily untrusted state, and network devices in an untrusted state, which are not capable of accessing the resource server, that is, the user terminal is not capable of accessing the resource server through the untrusted path. The network equipment on the trusted path can access the resource of the resource server, and the user terminal can access the resource of the resource server through the trusted path.
If the user terminal fails to pass the authentication, the TCD may continue to place the first network device in the isolation area, and keep its unregistered state, that is, unable to access the resource area in the intranet environment.
By marking the path from the network equipment to the resource server based on the neighbor table, the access control of the intranet environment can be realized, thereby ensuring the stability and the safety of the intranet environment.
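An added example of the trusted path convergence described above (not the patent's own code): the neighbor tables are merged into a graph, paths from the isolated devices to each resource server are computed and stored as untrusted, and a path is re-marked trusted only after the user terminal behind its first device authenticates. Breadth-first search, the TrustedPathStore class and the may_reach check (which also refuses a trusted path that crosses a device no longer trusted) are assumptions; the page names no algorithm.

```python
from collections import deque


def build_graph(neighbor_tables):
    """Merge per-device neighbor tables {device: {neighbor: (ip, iface)}} into an
    undirected adjacency map; resource servers appear as ordinary nodes."""
    graph = {}
    for dev, table in neighbor_tables.items():
        graph.setdefault(dev, set())
        for nb in table:
            graph[dev].add(nb)
            graph.setdefault(nb, set()).add(dev)
    return graph


def find_path(graph, src, dst):
    """Shortest physical path from src to dst as a list of node names (BFS; the patent
    does not name an algorithm). Returns None when dst is unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


class TrustedPathStore:
    """Paths recorded by the TCD, keyed (network device, resource server)."""

    def __init__(self):
        self.paths = {}

    def converge(self, neighbor_tables, isolated_devices, resource_servers):
        """Trusted path convergence: every path from a device in the access isolation
        area to a resource server is stored and marked untrusted."""
        graph = build_graph(neighbor_tables)
        for dev in isolated_devices:
            for srv in resource_servers:
                path = find_path(graph, dev, srv)
                if path is not None:
                    self.paths[(dev, srv)] = {"path": path, "trusted": False}
        return self.paths

    def on_authentication(self, device, server, passed):
        """After the user terminal behind `device` authenticates to `server` the untrusted
        path becomes trusted; a failed authentication leaves it (or makes it) untrusted."""
        entry = self.paths.get((device, server))
        if entry is None:
            return False
        entry["trusted"] = bool(passed)
        return entry["trusted"]

    def may_reach(self, device, server, device_trusted):
        """Access is permitted only over a trusted path whose every network device is
        itself trusted (device_trusted: {name: bool}; the server node is not checked)."""
        entry = self.paths.get((device, server))
        if entry is None or not entry["trusted"]:
            return False
        return all(device_trusted.get(hop, False) for hop in entry["path"][:-1])
```

The may_reach check is where the text's rule that an untrusted device on a path blocks the user terminal shows up: a path stays recorded as trusted, but it is unusable while any intermediate device is in an unregistered, temporary untrusted or untrusted state.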
Optionally, after the untrusted path corresponding to the user terminal is marked as a trusted path, the method further includes:
periodically checking whether the user terminal accessing the resource server through the trusted path passes authentication;
and when the user terminal accessing the resource server through the trusted path fails authentication, moving the first network device from the trusted environment area to the access isolation area, setting the state of the first network device to a temporary untrusted state, and marking the trusted path as an untrusted path, where a network device in the temporary untrusted state cannot communicate with its adjacent network devices until a preset time period has elapsed, after which it can only communicate with its adjacent network devices.
Specifically, in the trusted environment, the TCD periodically performs authentication and verification on the trusted path. The verification is consistent with the foregoing description: an authentication link is sent to the user terminal accessing the resource server via the trusted path, and the user terminal fills in authentication information to authenticate. If the user terminal cannot pass authentication, the first network device connected to the user terminal is placed in the access isolation area and marked as being in the temporary untrusted state. Specifically, the TCD may issue a temporary untrusted indication that carries the device name of the first network device to indicate its temporary untrusted state; after receiving the temporary untrusted indication, an adjacent network device of the first network device determines from the carried device name that the state of the first network device is the temporary untrusted state, and after waiting for the preset time period it performs neighbor device discovery with the first network device again to reestablish the neighbor relation. After the neighbor relation is reestablished, the adjacent network device handles the access behavior of the first network device as it would that of a network device in the unregistered state, that is, it blocks the first network device when it tries to access the resources of the intranet resource area through the adjacent network device, so that logical isolation of the first network device is realized.
A network device in the temporary untrusted state has an opportunity to revert to the trusted registration state. After a certain amount of time, the TCD may again require the user terminal to authenticate. Specifically, the TCD instructs the resource server to provide resource access authentication to the user terminal, where the authentication may pass through a path including the first network device, such as the path used for authentication when the first network device was determined to be in the temporary untrusted state; if the authentication succeeds, the first network device is moved from the access isolation area back to the trusted environment area, its state is set to the trusted state, and the corresponding trusted path is stored.
It should be understood that, in addition to performing the periodic audit and processing on the trusted path corresponding to the network device (i.e., the first network device) newly joining the intranet environment, the TCD may also perform the periodic audit on the trusted path corresponding to each network device in the trusted environment region, where the mode of auditing and processing is the same as that of the first network device, and details are not described here again.
By periodically auditing and processing the trusted paths of the intranet environment, the user terminals accessing the trusted paths are monitored, user terminals that cannot pass authentication are found in time, the network devices connected to them are set to the temporary untrusted state and placed in the access isolation area, and the access authority of those network devices and user terminals is limited, thereby preventing illegal access to the resources of the resource server and improving the security of the intranet environment.
In an optional embodiment, the method further comprises:
when the number of times that the user terminal accessing the intranet environment through the first network device fails authentication is greater than a preset number, setting the state of the first network device to the untrusted state, where a network device in the untrusted state cannot communicate with its neighbor devices and cannot access any resource in the intranet environment.
Specifically, the preset number can be set as required. If the user terminal accessing the intranet environment through the first network device fails authentication multiple times and the number of failures exceeds the preset number, the first network device is removed from the trusted environment: its state is set to the untrusted state, in which it cannot communicate with its neighbor devices and cannot access any resource in the intranet environment. Specifically, the TCD may issue an untrusted indication that carries the device name of the first network device to indicate its untrusted state; after receiving the untrusted indication, an adjacent network device of the first network device determines from the carried device name that the state of the first network device is the untrusted state.
Wherein the duration of the untrusted state may be longer than the temporarily untrusted state, but the network device in the untrusted state may still have an opportunity to revert to the trusted state. The temporary untrusted state and the untrusted state both belong to a supervised state, i.e. the network devices in the two states can be supervised by the TCD, and the trusted state can be restored when conditions are met; the condition for recovering from the untrusted state to the trusted state may be more severe than changing from the temporarily untrusted state to the trusted state, for example, a user having an authority needs to perform manual setting.
When the number of authentication failures of the user terminal exceeds the preset number, the state of the network device connected to the user terminal is set to the untrusted state, so that a user terminal that repeatedly fails authentication is found in time, the access authority of the network device and the user terminal is limited, illegal access to the resources of the resource server is prevented, and the security of the intranet environment is improved.
In an optional embodiment, the method further comprises:
acquiring abnormal information of the network equipment in the trusted environment area based on an intranet trusted protocol, wherein the abnormal information is used for indicating that the network equipment has a fault or network layer attack;
and if the abnormal information of the second network equipment in the trusted environment zone meets the preset equipment isolation condition, moving the second network equipment from the trusted environment zone to the access isolation zone, and setting the state of the second network equipment to be in the temporary untrusted state, wherein the network equipment in the temporary untrusted state cannot access any resource in the intranet environment.
Based on the internal network trusted protocol and the neighbor table, the TCD may obtain state information of the network device in the trusted environment region, including abnormal information, where the abnormal information may indicate an abnormal condition of the network device, such as a condition that the network device has a fault, a network black hole, or a network layer attack (attack means such as a broadcast storm, ARP spoofing, etc.), which affects normal communication or has a risk. The network black hole may be understood as a situation where, due to information or data loss at a certain network device, an originally reachable path is unreachable and there is no backup path, for example, a path from the network device a to the resource server C only has: one network device A, one network device B and one resource server C, and a network black hole appears at the network device B, so that the path from the network device A to the resource server C is unreachable.
Specifically, when a second network device in the trusted environment zone is abnormal, the second network device may send abnormal information to an adjacent network device of the second network device through the trusted protocol. The abnormal information may be in a report form, and mainly includes the type, location, time and the like of the abnormal occurred in the operation process of the network device. Some kinds of exceptions are usually defined in the network device, for example, the software system or program has already described the exception type and handling method for some common exceptions. For some exceptions that are not within the expected range of the system or program, the exception information generally only indicates the location of the exception, and there is no exception handling method, and such information may also be referred to as vulnerability information.
The adjacent network devices, using the neighbor table, report the abnormal information of the second network device to the TCD. The TCD judges in time whether the abnormal information meets the preset device isolation condition and, if so, moves the second network device from the trusted environment area to the access isolation area and sets its state to the temporary untrusted state. The preset device isolation condition may be set as needed, for example by specifying the exception types and/or exception locations that require isolation; if the type or location of a reported exception belongs to those specified, the preset device isolation condition is satisfied.
Optionally, for a network device in the temporary untrusted state, neighbor discovery, election participation, and trusted path recording may be performed again after a certain waiting duration, unless the network device still cannot join the trusted environment area or run normally.
It should be understood that the TCD may handle the abnormal information of any network device in the trusted environment area, including the network device newly joining the intranet environment (i.e., the first network device), in the same manner as that of the second network device.
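The state handling of steps 102 and 103, the periodic audit with its temporary untrusted state, the untrusted state after too many authentication failures, and the abnormal-information isolation condition above, in one added Python model. This is illustrative code and not the patent's implementation; the TCD class, the cumulative failure counter, the admin_restore route out of the untrusted state, the isolation condition given as sets of exception types and locations, and the neighbor_permits rule applied by the adjacent device are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class State(Enum):
    UNREGISTERED = "unregistered"
    TRUSTED = "trusted registration"
    TEMP_UNTRUSTED = "temporarily untrusted"
    UNTRUSTED = "untrusted"


class Zone(Enum):
    ISOLATION = "access isolation area"
    TRUSTED = "trusted environment area"


@dataclass
class DeviceRecord:
    name: str
    state: State = State.UNREGISTERED
    zone: Zone = Zone.ISOLATION
    auth_failures: int = 0                 # cumulative count (reset policy is an assumption)
    isolated_at: Optional[float] = None    # when the temporarily untrusted state began


class TCD:
    """One record per network device plus the indications sent to adjacent devices."""

    def __init__(self, preset_failures=3, wait_seconds=60.0,
                 isolate_types=("network layer attack",), isolate_locations=()):
        self.devices = {}
        self.preset_failures = preset_failures
        self.wait_seconds = wait_seconds
        self.isolate_types = set(isolate_types)          # preset device isolation condition
        self.isolate_locations = set(isolate_locations)
        self.indications = []                            # (device name, new state)

    def _set(self, rec, state, zone, now=None):
        rec.state, rec.zone = state, zone
        rec.isolated_at = now if state is State.TEMP_UNTRUSTED else None
        self.indications.append((rec.name, state))      # unregistered/trusted/untrusted indication

    def on_new_device(self, name):
        """Step 102: a newly accessed device is unregistered and in the access isolation area."""
        rec = self.devices[name] = DeviceRecord(name)
        self._set(rec, State.UNREGISTERED, Zone.ISOLATION)
        return rec

    def on_authentication(self, name, passed, now=0.0):
        """Step 103 and the periodic audit. Devices already untrusted are not recovered here."""
        rec = self.devices[name]
        if rec.state is State.UNTRUSTED:
            return rec.state
        if passed:
            self._set(rec, State.TRUSTED, Zone.TRUSTED)
        else:
            rec.auth_failures += 1
            if rec.auth_failures > self.preset_failures:
                self._set(rec, State.UNTRUSTED, Zone.ISOLATION)
            else:
                self._set(rec, State.TEMP_UNTRUSTED, Zone.ISOLATION, now)
        return rec.state

    def on_abnormal_info(self, name, exc_type, location, now=0.0):
        """Abnormal information reported for a device in the trusted environment area."""
        rec = self.devices[name]
        if rec.zone is Zone.TRUSTED and (
                exc_type in self.isolate_types or location in self.isolate_locations):
            self._set(rec, State.TEMP_UNTRUSTED, Zone.ISOLATION, now)
        return rec.state

    def admin_restore(self, name):
        """Manual action by an authorised user: the assumed way out of the untrusted state."""
        rec = self.devices[name]
        rec.auth_failures = 0
        self._set(rec, State.TRUSTED, Zone.TRUSTED)
        return rec.state


def neighbor_permits(rec, to_resource_server, now=0.0, wait_seconds=60.0):
    """Decision of the adjacent network device for a request from one of rec's ports."""
    if rec.state is State.TRUSTED:
        return True
    if rec.state is State.UNTRUSTED:
        return False                      # no communication with neighbors at all
    if rec.state is State.TEMP_UNTRUSTED and now - rec.isolated_at < wait_seconds:
        return False                      # neighbor relation not yet re-established
    return not to_resource_server         # unregistered handling: open resources only
```

The indications list is what the adjacent devices act on; in a real deployment each entry would be a signed message to the neighbors, because a spoofed "trusted registration" indication would lift the isolation.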
After the step 103, the method may further include:
initiating an election to elect a new TCD and a new BTCD from the network devices in the trusted environment area, where the BTCD performs the method executed by the TCD in case of TCD failure.
In the embodiment of the application, by means of the selection of the network device, the TCD and the BTCD with the highest credibility in the credible environment area can be selected, the TCD and the BTCD are adjusted in time according to the change of the intranet environment, the higher credibility of the TCD and the BTCD is ensured, the intranet environment is effectively controlled, and the security of the intranet environment is improved.
In the embodiment of the present application, appropriate TCD and BTCD may be selected from network devices in the trusted environment zone. The following description of the election method is based on the embodiment shown in fig. 1.
Fig. 3 is a schematic view of an election process of a network device according to an embodiment of the present application, and as shown in fig. 3, the method includes:
301. Initiate an election based on the intranet trusted protocol so that each network device in the trusted environment area can acquire the trust indexes of all network devices in the trusted environment area, where the trust indexes reflect the trustworthiness of the network devices in the trusted environment area.
302. Based on the trust indexes of all network devices in the trusted environment area, take the two network devices with the highest trust indexes as the new TCD and the new backup center trusted device (BTCD), respectively.
When new network equipment is added into the intranet trusted environment area, for example, an administrator adds equipment in a trusted registration state in the intranet environment, or network equipment leaves the access isolation area and enters the trusted environment area, so that the trusted environment area has multiple pieces of network equipment, the TCD and the BTCD can be elected based on an intranet trusted protocol. In the earliest election, only one network device exists in the intranet environment, no other resource can be accessed at the moment, namely, the resource server is not accessed into the intranet environment at the moment, the only accessible resource is the management function provided by the device, and the network device serves as the TCD and the BTCD.
The election may be initiated by the TCD, and based on an election mechanism in the intranet trusted protocol, each network device in the trusted environment region may acquire the trusted indexes of all network devices in the trusted environment region, where the trusted indexes reflect the trustworthiness of the network devices in the trusted environment region, so that step 302 may be performed.
Specifically, the TCD calculates its own trust index (the TCD trust index) and, using the data exchange function of the trusted protocol, notifies all of its adjacent network devices (the first-hop neighbors) of it. Each first-hop neighbor, again using the data exchange function, forwards the TCD trust index to its own adjacent network devices (the second-hop neighbors), calculates its own trust index, and notifies all of its adjacent network devices (including the TCD) of that index. By analogy, the trust index of each network device in the trusted environment area is passed on to the other network devices, and every network device in the trusted environment area obtains the trust indexes of all network devices in the trusted environment area.
After obtaining the trustworthiness indexes of all network devices in the trustworthiness environment zone, the first two network devices with the highest trustworthiness indexes can be respectively used as a new TCD and a new BTCD. After the election of the new TCD and the new BTCD is complete, all network devices within the intranet environment may send the stored neighbor tables to the new TCD, which then saves a copy of these neighbor tables to the new BTCD so that it can take over for the TCD at any time. After that, the new TCD may perform the management functions of its intranet environment, including but not limited to any of the steps in the embodiment shown in fig. 1, which will not be described herein again.
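The relay of trust indexes over neighbor tables and the election that follows, as an added simulation that is not code from the patent or from the intranet trusted protocol it describes. The topology, the index values and the function names are constructed for illustration. Note that, as in the text, each device computes and advertises its own index and the receivers simply accept the value; the page does not say how a received index is verified, and neither does this code.

```python
# Added example, not code from the patent: a simulation of the trust-index
# exchange described above. Devices, links and index values are constructed.
from collections import deque


def flood_trust_indexes(neighbor_tables, trust_index, initiator):
    """Flood every device's trust index across the trusted environment zone.

    neighbor_tables: {device: [adjacent devices]}, symmetric like physical links
    trust_index:     {device: value} that each device computes locally (values
                     are taken as given; a received value is not verified, which
                     matches the text as written)
    initiator:       the current TCD, which announces its own index first
    Returns {device: {device: index}}: what each device knows afterwards.
    """
    known = {dev: {} for dev in neighbor_tables}
    queue = deque()  # (receiver, subject, index, sender)

    def announce(device):
        # A device computes its own index and hands it to all neighbors.
        known[device][device] = trust_index[device]
        for nb in neighbor_tables[device]:
            queue.append((nb, device, trust_index[device], device))

    announce(initiator)
    while queue:
        receiver, subject, index, sender = queue.popleft()
        if subject in known[receiver]:
            continue  # already learned: this is what stops the flood looping
        known[receiver][subject] = index
        # Relay the newly learned index onward, except back to where it came from.
        for nb in neighbor_tables[receiver]:
            if nb != sender:
                queue.append((nb, subject, index, receiver))
        # The first time a device hears of the election it advertises itself.
        if receiver not in known[receiver]:
            announce(receiver)
    return known


def rank(indexes):
    """Two highest indexes -> (TCD, BTCD); a lone device fills both roles."""
    ordered = sorted(indexes, key=lambda dev: indexes[dev], reverse=True)
    return ordered[0], (ordered[1] if len(ordered) > 1 else ordered[0])


def run_election(neighbor_tables, trust_index, initiator):
    """Run the flood, check every device reached the same view, then elect."""
    known = flood_trust_indexes(neighbor_tables, trust_index, initiator)
    views = {frozenset(view.items()) for view in known.values()}
    if len(views) != 1:
        # Devices would elect different TCDs (e.g. a partition); refuse rather
        # than let two devices both believe they are the TCD.
        raise RuntimeError("devices disagree on the trust indexes: %r" % known)
    return rank(known[initiator])


# Constructed sample: a ring R1-R2-R3-R4 with R5 hanging off R3.
NEIGHBOR_TABLES = {
    "R1": ["R2", "R4"],
    "R2": ["R1", "R3"],
    "R3": ["R2", "R4", "R5"],
    "R4": ["R1", "R3"],
    "R5": ["R3"],
}
# Index values are assumed and kept distinct; equal values would fall through
# to the next parameter, which is a separate step not modelled here.
TRUST_INDEX = {"R1": 40, "R2": 55, "R3": 70, "R4": 60, "R5": 10}

if __name__ == "__main__":
    print(run_election(NEIGHBOR_TABLES, TRUST_INDEX, initiator="R1"))  # ('R3', 'R4')
    print(run_election({"R1": []}, {"R1": 5}, initiator="R1"))         # ('R1', 'R1')
```

The consistency check in `run_election` is the part a practitioner would want: if a link is down and some device never hears part of the flood, the devices hold different views and would elect different central devices, so the example refuses to elect rather than produce two TCDs.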
In this embodiment, electing among the network devices selects the TCD and the backup central trusted device with the highest trustworthiness in the trusted environment zone and adjusts them promptly as the intranet environment changes. This keeps the trustworthiness of the TCD and the backup central trusted device high, keeps the intranet environment under effective control, and improves its security.
In some cases the trust index of a network device is derived from at least one of: the device priority, the interface bandwidth, the number of resource servers connected to the device, the number of network segments connected to the device, and the interface latency.
The device priority is a priority that the administrator assigns to the network device. The interface bandwidth is the amount of data an interface can transmit per unit time (normally one second), that is, the operating speed of the interface. The number of connected resource servers is the number of resource servers the network device can reach, and the number of connected network segments can be understood as the number of IP network segments attached to the device; both can be determined from the neighbor table. The interface latency is the delay between a data request leaving the interface and the corresponding data being returned by the server.
If the trust index is determined by device priority, a higher priority gives a higher trust index; if by interface bandwidth, a higher bandwidth gives a higher trust index; if by interface latency, a lower latency gives a higher trust index; if by the number of connected resource servers, more connected resource servers give a higher trust index; and if by the number of connected network segments, more connected network segments give a higher trust index.
In one possible implementation a single parameter is used to compute the trust index, and when that parameter is the same for the network devices being compared, or cannot be obtained, the comparison switches to another parameter, until the two devices with the highest trust indexes are determined. For example, the device priority may be used first; if the device priorities are the same or not set, the interface latency is used; if the interface latencies are the same, the interface bandwidth is used; if the interface bandwidths are the same, the number of connected resource zones (resource servers) is used; and if the numbers of connected resource zones are the same, the number of connected network segments is used.
For example, suppose the trusted environment zone contains network devices A, B and C. The interface bandwidth of each device can be computed first and used as its trust index (trust index A, trust index B and trust index C), each being the sum of the bandwidths of the device's interfaces; assuming six interfaces per device, of which three are shown:
trust index A = Port1 bandwidth + Port2 bandwidth + Port3 bandwidth
trust index B = Port1 bandwidth + Port2 bandwidth + Port3 bandwidth
trust index C = Port1 bandwidth + Port2 bandwidth + Port3 bandwidth
If trust index A > trust index B > trust index C, device A becomes the TCD and device B the BTCD.
If the interface bandwidths are the same, the number of resource servers connected to each device is considered next: the device with the most connections becomes the TCD and the next one the BTCD. Likewise, when the numbers of connected resource servers are the same, the number of connected network segments is considered and the TCD and BTCD are chosen by that count.
By taking the parameters of the network devices one at a time as the trust index and comparing the devices on each, the most reliable devices in the trusted environment zone can be chosen as TCD and BTCD, which safeguards the trustworthiness of the intranet.
Optionally, several parameters may be combined and the trust index computed as a weighted sum; this embodiment does not restrict the choice. For example, choosing the interface bandwidth and the number of connected network segments gives trust index = a × interface bandwidth + b × number of connected network segments, where the weights a and b can be set as required.
In this way the TCD and BTCD with high trustworthiness can be chosen sensibly according to the condition of the devices in the trusted environment, and switched promptly and flexibly, so as to manage the intranet environment and keep it stable.
Through the establishment of the trusted environment, the intranet resource zone can be accessed safely, reliably and efficiently, and the information security problems that arise when an intranet authorizes an untrusted device to reach the resource zone, such as data theft, servers being used to mount attacks, and information leakage, are prevented.
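The two ways of turning device parameters into a trust index that the preceding paragraphs describe, the parameter-by-parameter fall-through and the weighted sum, as an added example that is not code from the patent. The device values, the weights and the names `Device`, `compare`, `elect_lexicographic` and `elect_weighted` are constructed for illustration; "same or cannot be obtained" is taken to mean that a parameter is skipped whenever either device lacks it or both have the same value.

```python
# Added example, not from the patent: the two ways of turning device
# parameters into a trust index that the text describes. Device values below
# are constructed; the fall-through order follows the paragraph above.
from dataclasses import dataclass
from functools import cmp_to_key
from typing import Optional


@dataclass
class Device:
    name: str
    priority: Optional[int] = None          # set by the administrator; higher wins
    latency_ms: Optional[float] = None      # interface delay; lower wins
    bandwidth_mbps: Optional[float] = None  # sum over interfaces; higher wins
    servers: Optional[int] = None           # connected resource servers; more wins
    segments: Optional[int] = None          # connected network segments; more wins


# (attribute, higher_is_better), in the order the text falls through them.
FALLTHROUGH = [
    ("priority", True),
    ("latency_ms", False),
    ("bandwidth_mbps", True),
    ("servers", True),
    ("segments", True),
]


def compare(a: Device, b: Device) -> int:
    """+1 if a ranks above b, -1 if below, 0 if no parameter separates them."""
    for attr, higher_wins in FALLTHROUGH:
        x, y = getattr(a, attr), getattr(b, attr)
        if x is None or y is None or x == y:
            continue  # same, or not obtainable: switch to the next parameter
        a_better = x > y if higher_wins else x < y
        return 1 if a_better else -1
    return 0


def top_two(ranked):
    """First two names of a ranked list -> (TCD, BTCD); a lone device takes both."""
    names = [d.name for d in ranked]
    return names[0], (names[1] if len(names) > 1 else names[0])


def elect_lexicographic(devices):
    """TCD and BTCD by parameter-by-parameter comparison."""
    ranked = sorted(devices, key=cmp_to_key(compare), reverse=True)
    return top_two(ranked)


def weighted_index(d: Device, a: float, b: float) -> float:
    """The page's weighted form: a * interface bandwidth + b * connected segments."""
    return a * d.bandwidth_mbps + b * d.segments


def elect_weighted(devices, a: float, b: float):
    """TCD and BTCD by weighted index; equal scores fall back to name order."""
    ranked = sorted(devices, key=lambda d: (-weighted_index(d, a, b), d.name))
    return top_two(ranked)


# Constructed sample: no administrator priorities and equal latency, so the
# fall-through rule is decided by bandwidth and then by connected servers.
SAMPLE = [
    Device("A", latency_ms=5, bandwidth_mbps=3000, servers=2, segments=4),
    Device("B", latency_ms=5, bandwidth_mbps=3000, servers=3, segments=3),
    Device("C", latency_ms=5, bandwidth_mbps=2000, servers=5, segments=8),
]

if __name__ == "__main__":
    print(elect_lexicographic(SAMPLE))         # ('B', 'A')
    print(elect_weighted(SAMPLE, a=1, b=300))  # ('C', 'A'): the weights change the outcome
```

The same three devices elect a different TCD under the two rules: the fall-through rule never reaches the segment count because bandwidth already separates C from A and B, while the weighted sum rewards C's many segments. Which rule is appropriate is a policy decision; the weights are part of the trust model and should be set deliberately rather than left at defaults.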
Based on the description of the method embodiment, the embodiment of the application also discloses an intranet environment establishment device. Referring to fig. 4, a schematic structural diagram of an intranet environment establishment apparatus is shown, in which an intranet environment establishment apparatus 400 includes:
an obtaining module 410, configured to obtain the neighbor tables of all network devices in the intranet environment, where each neighbor table stores the neighbor information of one network device, the neighbor information being the information about the adjacent network devices connected to that device;
a setting module 420, configured to, when it is determined from the neighbor tables that a first network device exists in the intranet environment, set the state of the first network device to the unregistered state and place it in the access isolation zone, where the first network device is a device newly connected to the intranet environment and a device in the unregistered state can communicate only with its adjacent network devices;
the setting module 420 is further configured to, when a user terminal that accesses the intranet environment through the first network device passes authentication, set the state of the first network device to the trusted registration state and move it from the access isolation zone to the trusted environment zone, where a device in the trusted environment zone can communicate with any device in that zone.
In an optional implementation manner, the intranet environment establishing apparatus 400 further includes a path module 430, configured to:
calculating, from the neighbor tables, the path from each network device in the access isolation zone to a resource server, marking each such path as an untrusted path, and storing it;
and, when a user terminal that accesses the intranet environment through the first network device passes authentication, marking the untrusted path corresponding to that user terminal as a trusted path, the untrusted path corresponding to the user terminal being the path from the user terminal through the first network device to the resource server.
In an optional implementation, the setting module 420 is further configured to:
periodically checking whether a user terminal accessing the resource server through the trusted path passes authentication;
and, when a user terminal accessing the resource server through the trusted path no longer passes authentication, moving the first network device from the trusted environment zone back to the access isolation zone, setting its state to the temporary untrusted state, and marking the trusted path as an untrusted path, where a device in the temporary untrusted state may communicate only with its adjacent network devices, and only after waiting for a preset period.
In an optional implementation, the setting module 420 is further configured to set the state of the first network device to the untrusted state when the number of times a user terminal accessing the intranet environment through the first network device fails authentication exceeds a preset count, where a device in the untrusted state cannot communicate even with its adjacent network devices.
In an optional implementation, the obtaining module 410 is further configured to obtain, through the intranet trusted protocol, anomaly information about the network devices in the trusted environment zone, the anomaly information indicating that a device has a fault or is subject to a network-layer attack;
the setting module 420 is further configured to, if the anomaly information of a second network device in the trusted environment zone meets a preset device isolation condition, move the second network device from the trusted environment zone to the access isolation zone and set its state to the temporary untrusted state, where a device in the temporary untrusted state may communicate only with its adjacent network devices, and only after waiting for a preset period.
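The device life cycle that the obtaining, setting and path modules implement, from unregistered through trusted registration to temporary or permanent untrusted, as an added example that is not code from the patent. The topology, the resource server, the isolation condition used for anomaly information (the page leaves it as a "preset device isolation condition"), the failure threshold and the wait period are assumptions, and the class and method names are constructed for illustration.

```python
# Added example, not code from the patent: a minimal trusted-centre controller
# that walks a device through the states described for the setting module.
# The topology, the isolation condition and the timings are assumptions.
from collections import deque
from enum import Enum


class State(Enum):
    UNREGISTERED = "unregistered"           # new device: adjacent devices only
    TRUSTED = "trusted_registration"        # any device in the trusted zone
    TEMP_UNTRUSTED = "temporary_untrusted"  # adjacent devices only, after a wait
    UNTRUSTED = "untrusted"                 # no communication at all


class TrustedCenter:
    def __init__(self, neighbor_tables, resource_servers, already_trusted=(),
                 max_auth_failures=3, wait_seconds=300):
        self.nbr = neighbor_tables  # {device: [adjacent devices]}
        self.servers = set(resource_servers)
        self.max_failures, self.wait = max_auth_failures, wait_seconds
        self.state, self.zone, self.until, self.failures, self.paths = {}, {}, {}, {}, {}
        for dev in already_trusted:  # devices the administrator pre-registered
            self.state[dev], self.zone[dev], self.failures[dev] = State.TRUSTED, "trusted", 0

    def shortest_path(self, src, dst):
        """Breadth-first path over the neighbor tables, or None if unreachable."""
        prev, queue = {src: None}, deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                path = []
                while cur is not None:
                    path.append(cur)
                    cur = prev[cur]
                return path[::-1]
            for nb in self.nbr.get(cur, []):
                if nb not in prev:
                    prev[nb] = cur
                    queue.append(nb)
        return None

    def admit_new_device(self, dev):
        """Newly seen in the neighbor tables: unregistered, isolated, and every
        path from it to a resource server recorded as untrusted."""
        self.state[dev], self.zone[dev], self.failures[dev] = State.UNREGISTERED, "isolation", 0
        for srv in self.servers:
            hops = self.shortest_path(dev, srv)
            if hops:
                self.paths[(dev, srv)] = {"hops": hops, "trusted": False}

    def _mark_paths(self, dev, trusted):
        for (d, _), p in self.paths.items():
            if d == dev:
                p["trusted"] = trusted

    def on_auth_result(self, dev, passed):
        """A terminal behind `dev` passed or failed authentication."""
        if passed:
            self.state[dev], self.zone[dev], self.failures[dev] = State.TRUSTED, "trusted", 0
            self._mark_paths(dev, True)
        else:
            self.failures[dev] += 1
            if self.failures[dev] > self.max_failures:
                self.state[dev], self.zone[dev] = State.UNTRUSTED, "isolation"
                self._mark_paths(dev, False)

    def quarantine(self, dev, now):
        """Back to the isolation zone as temporarily untrusted, with a wait."""
        self.state[dev], self.zone[dev] = State.TEMP_UNTRUSTED, "isolation"
        self.until[dev] = now + self.wait
        self._mark_paths(dev, False)

    def on_periodic_check(self, dev, still_authenticated, now):
        if self.state.get(dev) == State.TRUSTED and not still_authenticated:
            self.quarantine(dev, now)

    def on_anomaly(self, dev, info, now):
        # Assumed isolation condition: any attack indication, or repeated faults.
        if info.get("attack") or info.get("faults", 0) >= 3:
            self.quarantine(dev, now)

    def can_communicate(self, src, dst, now):
        st = self.state.get(src)
        if st == State.UNTRUSTED:
            return False
        if st == State.TRUSTED:
            return dst in self.servers or self.zone.get(dst) == "trusted"
        if st == State.TEMP_UNTRUSTED and now < self.until[src]:
            return False
        return dst in self.nbr.get(src, [])  # unregistered, or the wait has elapsed


# Constructed topology: R1 (new) - R2 - R3 - S1 (resource server).
NEIGHBOR_TABLES = {"R1": ["R2"], "R2": ["R1", "R3"], "R3": ["R2", "S1"], "S1": ["R3"]}

if __name__ == "__main__":
    tc = TrustedCenter(NEIGHBOR_TABLES, {"S1"}, already_trusted=("R2", "R3"), wait_seconds=60)
    tc.admit_new_device("R1")
    print(tc.state["R1"], tc.paths[("R1", "S1")])
    tc.on_auth_result("R1", True)
    print(tc.state["R1"], tc.can_communicate("R1", "S1", now=0))
    tc.on_periodic_check("R1", still_authenticated=False, now=100)
    print(tc.state["R1"], tc.can_communicate("R1", "R2", now=110), tc.can_communicate("R1", "R2", now=160))
```

The point worth noticing is that every transition that revokes trust also flips the stored path back to untrusted, so a stale "trusted path" cannot outlive the authentication that justified it, and that the temporary untrusted state is enforced with a timestamp rather than a flag, so the wait cannot be skipped by simply re-reading the state.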
In an optional implementation manner, the intranet environment establishing apparatus 400 further includes an election module 440 configured to:
initiating an election to elect a new trusted central device and a new backup central trusted device from the network devices in the trusted environment zone, where the backup central trusted device performs the method of the trusted central device if the trusted central device fails.
In an optional implementation, the election module 440 is specifically configured to:
initiate the election through the intranet trusted protocol so that every network device in the trusted environment zone obtains the trust indexes of all network devices in that zone, where a trust index reflects the trustworthiness of a device in the zone;
and, based on the trust indexes of all network devices in the trusted environment zone, take the two devices with the highest trust indexes as the new trusted central device and the new backup central trusted device respectively.
Optionally, the trust index of a third network device is derived from at least one of the device priority, the interface bandwidth, the number of connected resource servers, the number of connected network segments and the interface latency of that device, where the third network device is any network device in the trusted environment zone.
According to an embodiment of the present application, each step involved in the methods shown in fig. 2 and fig. 3 may be performed by each module in the intranet environment setup apparatus 400 shown in fig. 4, and is not described herein again.
The intranet environment establishing apparatus 400 of this embodiment may act as the trusted central device. It obtains the neighbor tables of all network devices in the intranet environment, each table storing the neighbor information (the adjacent devices connected to it) of one device. When the neighbor tables show that a first network device, newly connected to the intranet, exists, it sets that device to the unregistered state and places it in the access isolation zone, where a device in the unregistered state can communicate only with its adjacent devices. When a user terminal accessing the intranet through the first network device passes authentication, it sets the device to the trusted registration state and moves it from the access isolation zone to the trusted environment zone, where a device can communicate with any device in that zone. In this way a trusted intranet environment is established and the trustworthiness of the network devices is monitored: untrusted devices are held in the access isolation zone in the unregistered state and can reach the resource server only after authentication has moved them to the trusted registration state, which safeguards the stability and security of the intranet environment.
Based on the description of the method embodiment and the device embodiment, the embodiment of the application further provides an electronic device. As shown in fig. 5, the electronic device 500 includes a memory 502 and a processor 501, where a computer-readable storage medium in the memory 502 stores a computer program, and when the computer program is executed by the processor 501, the processor 501 is enabled to perform any step in the foregoing method embodiments, which is not described herein again.
An embodiment of the present application further provides a computer storage medium (memory), which is a memory device in an electronic device used for storing programs and data. The computer storage medium may include a storage medium built into the router as well as extended storage supported by the router. It provides storage space holding one or more instructions, which may be one or more computer programs (including program code) adapted to be loaded and executed by the router to carry out any of the steps of the method embodiments described above.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described apparatuses and modules may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the division into modules is only a logical functional division and may differ in practice: multiple modules or components may be combined or integrated into another system, or some features may be omitted or not implemented. The mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection of devices or modules through some interfaces, and may be electrical, mechanical or of another form.
Modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware or any combination of them. When implemented in software, it may take the form, wholly or partially, of a computer program product. The computer program product includes one or more computer instructions; when these computer program instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of the present application are produced wholly or partially. The computer may be a general-purpose computer, a special-purpose computer, a network of computers or another programmable device. The computer instructions may be stored on, or transmitted over, a computer-readable storage medium, and may be transmitted from one website, computer, server or data center to another by wire (for example coaxial cable, optical fiber or Digital Subscriber Line (DSL)) or wirelessly (for example infrared, radio or microwave). The computer-readable storage medium can be any available medium that a computer can access, or a data storage device such as a server or data center that includes one or more available media.

Claims (10)

1. An intranet environment establishment method is characterized in that the method is applied to a trusted center device in an intranet environment, the intranet environment comprises at least one network device, and the method comprises the following steps:
acquiring the neighbor tables of all network devices in the intranet environment, wherein one neighbor table stores the neighbor information of one network device, the neighbor information refers to information of the adjacent network devices connected to that network device, an adjacent network device is a network device in a direct physical connection relationship with the network device, the neighbor tables are built by the neighbor device discovery function of an intranet trusted protocol, and the discovery message used by the neighbor device discovery function consists of a TCP (Transmission Control Protocol) header, a label, a message type, a timer and a checksum field;
setting the state of first network equipment to be in an unregistered state and placing the first network equipment in an access isolation area under the condition that the first network equipment is determined to exist in the intranet environment based on the neighbor table, wherein the first network equipment is network equipment newly accessed into the intranet environment, the network equipment in the unregistered state can only communicate with adjacent network equipment of the network equipment in the unregistered state, the access isolation area is an isolation area in a logical sense, and the network equipment in the access isolation area can only request to access public and non-confidential resources through the adjacent network equipment;
and under the condition that the user terminal which accesses the intranet environment through the first network equipment passes authentication, setting the state of the first network equipment into a trusted registration state, and moving the first network equipment from the access isolation area to a trusted environment area, wherein the network equipment in the trusted environment area can communicate with any network equipment in the trusted environment area, and the network equipment in the trusted environment area can access all resources in the intranet environment.
2. An intranet environment establishing method according to claim 1, wherein after the neighbor tables of all network devices in the intranet environment are obtained, the method further comprises:
calculating a path from each network device in the access isolation area to a resource server based on the neighbor table, marking the path from each network device in the access isolation area to the resource server as an untrusted path, and storing the untrusted path;
the method further comprises the following steps:
and under the condition that a user terminal accessing the intranet environment through the first network equipment passes authentication, marking an untrusted path corresponding to the user terminal as a trusted path, wherein the untrusted path corresponding to the user terminal is a path from the user terminal to the resource server through the first network equipment.
3. The intranet environment establishment method according to claim 2, wherein after the untrusted path corresponding to the user terminal is marked as a trusted path, the method further comprises:
periodically checking whether a user terminal accessing the resource server via the trusted path is authenticated;
and under the condition that the user terminal accessing the resource server through the trusted path is not authenticated, moving the first network device from the trusted environment area to the access isolation area, setting the state of the first network device to a temporary untrusted state, and marking the trusted path as the untrusted path, wherein the network device in the temporary untrusted state can communicate only with the adjacent network devices of the network device in the temporary untrusted state, and only after waiting for a preset time length.
4. An intranet environment establishment method according to claim 1, wherein the method further comprises:
and under the condition that the number of times that a user terminal accessing the intranet environment through the first network equipment fails to pass authentication is greater than a preset number of times, setting the state of the first network equipment to be in an untrusted state, wherein the network equipment in the untrusted state cannot communicate with adjacent network equipment of the network equipment in the untrusted state.
5. The intranet environment establishment method according to claim 1, further comprising:
acquiring abnormal information of the network equipment in the trusted environment area based on an intranet trusted protocol, wherein the abnormal information is used for indicating that the network equipment has a fault or network layer attack;
and if the abnormal information of the second network equipment in the trusted environment zone meets a preset equipment isolation condition, moving the second network equipment from the trusted environment zone to the access isolation zone, and setting the state of the second network equipment to be in a temporary untrusted state, wherein the network equipment in the temporary untrusted state can communicate only with the adjacent network equipment of the network equipment in the temporary untrusted state, and only after waiting for a preset time length.
6. An intranet environment establishment method according to claim 1, wherein after moving the first network device from the access isolation zone to a trusted environment zone, the method further comprises:
and initiating election to elect a new trusted central device and a new backup central trusted device from the network devices in the trusted environment area, wherein the backup central trusted device is used for executing the method executed by the trusted central device in case of failure of the trusted central device.
7. The intranet environment establishment method according to claim 6, wherein the initiating election to elect a new trusted central device and a new backup central trusted device from the network devices in the trusted environment zone comprises:
initiating election based on an intranet trusted protocol so that each network device of the trusted environment area obtains the trusted indexes of all network devices in the trusted environment area, wherein the trusted indexes are used for reflecting the credibility of the network devices in the trusted environment area;
and based on the credibility indexes of all the network devices in the credible environment area, respectively taking the first two network devices with the highest credibility indexes as the new credible center device and the new backup center credible device.
8. An intranet environment establishing method according to claim 7, wherein the trust index of a third network device is obtained based on at least one of a device priority of the third network device, an interface bandwidth of the third network device, a number of resource servers connected to the third network device, a number of network segments connected to the third network device, and an interface delay condition of the third network device, and the third network device is any network device in the trusted environment area.
9. An electronic device, comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the steps of an intranet environment establishing method according to any one of claims 1-8.
10. A computer-readable storage medium, in which a computer program is stored, which, when executed by a processor, causes the processor to carry out the steps of a method for establishing an intranet environment according to any one of claims 1 to 8.
CN202210571960.8A 2022-05-25 2022-05-25 Intranet environment establishing method, electronic equipment and storage medium Active CN114710365B (en)

Publications (2)

Publication Number Publication Date
CN114710365A CN114710365A (en) 2022-07-05
CN114710365B true CN114710365B (en) 2022-10-21

Family

ID=82175798

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013165444A1 (en) * 2012-05-03 2013-11-07 Itron, Inc. Efficient device handover/migration in mesh networks
US9054961B1 (en) * 2014-09-08 2015-06-09 Belkin International Inc. Setup of multiple IOT devices
CN111279666A (en) * 2017-11-06 2020-06-12 索尼公司 On-demand route synchronization and beamforming in wireless networks
CN111756729A (en) * 2020-06-23 2020-10-09 北京网瑞达科技有限公司 Network resource access method, device, computer equipment and storage medium

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4578917B2 (en) * 2003-10-03 2010-11-10 富士通株式会社 Apparatus, method and medium for self-organizing multi-hop radio access network
US20060259759A1 (en) * 2005-05-16 2006-11-16 Fabio Maino Method and apparatus for securely extending a protected network through secure intermediation of AAA information
EP2661112A1 (en) * 2012-05-03 2013-11-06 Itron, Inc. Authentication using DHCP Services in Mesh Networks
US10257161B2 (en) * 2012-05-22 2019-04-09 Cisco Technology, Inc. Using neighbor discovery to create trust information for other applications
US9130837B2 (en) * 2012-05-22 2015-09-08 Cisco Technology, Inc. System and method for enabling unconfigured devices to join an autonomic network in a secure manner
US9043884B2 (en) * 2013-01-25 2015-05-26 Cisco Technology, Inc. Autonomic network protection based on neighbor discovery
US10314088B2 (en) * 2014-04-16 2019-06-04 Belkin International, Inc. Associating devices and users with a local area network using network identifiers
CN113810345B (en) * 2020-06-15 2023-05-26 中国石油天然气股份有限公司 Access method and access system for local area network WEB resources
US11516302B2 (en) * 2020-06-16 2022-11-29 Hewlett Packard Enterprise Development Lp Network service discovery
US20220094637A1 (en) * 2020-09-23 2022-03-24 Nokia Solutions And Networks Oy Neighbor discovery for border gateway protocol in a multi-access network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 2601, 2602, 2603, 2606, Zhongzhou building, No. 3088, Jintian Road, Gangxia community, Futian street, Futian District, Shenzhen, Guangdong 518000

Patentee after: Shenzhen Xiaoyudian Digital Technology Co.,Ltd.

Address before: 2601, 2602, 2603, 2606, Zhongzhou building, No. 3088, Jintian Road, Gangxia community, Futian street, Futian District, Shenzhen, Guangdong 518000

Patentee before: Shenzhen Huace Huihong Technology Co.,Ltd.