CN116633696B - Network computing node access controller system, management and control method and electronic equipment - Google Patents


Info

Publication number: CN116633696B
Application number: CN202310911925.0A
Authority: CN (China)
Prior art keywords: access, control, internet, things, security
Prior art date:
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN116633696A (en)
Inventors: 戚建淮, 徐国前, 崔宸, 唐娟, 汪乔
Current assignee: Shenzhen Y&D Electronics Information Co Ltd
Original assignee: Shenzhen Y&D Electronics Information Co Ltd
Priority date:
Filing date:
Publication date:

Events
Application filed by Shenzhen Y&D Electronics Information Co Ltd
Priority to CN202310911925.0A
Publication of CN116633696A
Application granted
Publication of CN116633696B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209: Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101: Access control lists [ACL]
    • H04L 63/105: Multiple levels of security
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40: Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a network computing node access controller architecture for security management and control of the Internet of Things (IoT), comprising a control plane architecture and a data plane architecture. In the control plane architecture, the network computing node access controller receives management and control from an external security management and control platform through a unified authentication and policy controller, and an access control engine is connected to that unified authentication and policy controller. The data plane architecture is connected to the access control engine and is used to verify the identity of the access subject and to control access to the access object. With this scheme, the security linkage capability and the security protection efficiency of the whole networking architecture can be effectively improved in the presence of diverse IoT terminals. The invention also relates to a zero-trust based IoT terminal security protection management and control method and to an electronic device.

Description

Network computing node access controller system, management and control method and electronic equipment
Technical Field
The invention relates to the technical field of security management and control of the Internet of Things (IoT), in particular to a network computing node access controller system for IoT security management and control, and further to a zero-trust based IoT terminal security protection management and control method and an electronic device.
Background
With the continuous innovation and development of IoT technology, traditional industrial forms and social lifestyles have been profoundly changed, and a large number of new products, new services and new business models have emerged. Hundreds of millions of devices are connected to the IoT, and the scale of the IoT industry keeps growing. However, as the IoT is widely deployed, network security problems become increasingly prominent, which limits the further roll-out of IoT services.
In the prior art, the castle-and-moat style security architecture built on the principles of domain division and boundary protection meets network security requirements to a certain extent. With the spread of new technologies such as cloud computing, 5G and edge computing, trends such as service diversification, opening applications to the outside and business ecosystem collaboration have developed, and remote or mobile work has become the norm; the network boundary is gradually blurred, bringing new risks, and the appearance of more advanced internal and external threats further exposes the shortcomings of traditional boundary security and static access control.
Therefore, how to provide a network computing node access controller system for IoT security management and control that can effectively improve the security linkage capability and security protection efficiency of the networking architecture in the presence of diverse IoT terminals has become a technical problem to be solved by those skilled in the art.
Disclosure of Invention
To solve the above technical problem, the invention provides a network computing node access controller system for IoT security management and control, which can effectively improve the security linkage capability and the security protection efficiency of the whole networking architecture in the presence of diverse IoT terminals.
The technical scheme provided by the invention is as follows.
The invention provides a network computing node access controller system for IoT security management and control, comprising:
the network computing node access controller, a control plane architecture and a data plane architecture;
the control plane architecture comprises:
a unified authentication and policy controller, through which the network computing node access controller receives management and control from an external security management and control platform;
an access control engine, connected to the unified authentication and policy controller and used to control data access authority;
the data plane architecture is connected to the access control engine and is used to verify the identity of the access subject and to control access to the access object; the data plane architecture comprises:
an authentication access control module, which performs IP-layer protocol parsing and matching on received service data packets to implement control of authenticated access;
a blacklist access control module, which performs IP-layer protocol parsing and matching on received authentication data packets against the blacklist data to implement control of blacklisted access;
a whitelist access control module, which performs IP-layer protocol parsing and matching on received authentication data packets against the whitelist data to implement control of whitelisted access;
a role authority access control module, which matches the received pkid service header against the role data to implement control of role-authority access;
a security mark detection module, which performs format detection and hash value matching on service data packets to implement detection of the security mark;
a request protocol detection module, which parses the request data of service data packets according to the TDS protocol to implement detection of the request protocol;
a response protocol detection module, which parses the response data of service data packets according to the TDS protocol to implement detection of the response protocol;
a request whitelist detection module, which matches the actual content of the requested service against the whitelist service list to implement detection of the request whitelist;
the network computing node access controller system for IoT security management and control is used to execute a zero-trust based IoT terminal security protection management and control method, which comprises the following steps:
S1, installing the network computing node access controller on the IoT terminal;
S2, building identity authentication: assigning digital identities to persons and IoT terminals, constructing the combination of a person and an IoT terminal as the access subject, and setting minimum authority for the access subject;
S3, building secure communication: the access subject, the network computing node access controller and the access object communicate securely based on a national cryptographic algorithm and perform remote processing and data exchange;
S4, building a service security access mechanism: based on the set minimum authority, shrinking the information exposure surface of the access subject;
S5, building a continuous trust evaluation mechanism: based on the digital identity, judging in real time the risk of the context in which the access subject accesses the access object;
performing dynamic access control based on steps S2 to S5;
the control method further comprises the following steps:
detecting the network configuration of the IoT terminal in real time, and performing a credibility measurement of the integrity of the network configuration to obtain a measurement result;
performing dynamic access control according to the measurement result;
detecting the network configuration of the IoT terminal in real time, performing the credibility measurement of the integrity of the network configuration and obtaining the measurement result comprises the following steps:
checking the integrity of the hardware, system and configuration of the IoT terminal, and reporting it to the security management and control platform in real time;
the security management and control platform performing the credibility measurement of the integrity of the network configuration to obtain the measurement result;
performing dynamic access control according to the measurement result specifically comprises the following steps:
the security management and control platform performing, through a measurement interface and based on the measurement result, dynamic access control over the network access and service access of the IoT terminal; the security management and control platform performing dynamic access control over the authority and the connection state of the IoT terminal;
the control framework of the dynamic access control is a combined control framework based on RBAC access control and ABAC access control;
the control mode applied by the dynamic access control to the access subject is a hierarchical service access management mode based on trust level;
the dynamic access control specifically comprises the following steps:
adjusting the access authority of the access subject in real time according to the access context and the risk state of the environment, and evaluating the trust level of the adjusted access subject;
evaluating the trust level of the access subject specifically comprises the following steps:
the dynamic access control center of the security management and control platform acquiring the trust level of the access subject and acquiring in real time the security level of the core asset of the access object;
comparing the trust level with the security level to obtain a level comparison result;
adjusting the access authority of the access subject according to the level comparison result;
the dynamic access control specifically comprises the following steps:
performing real-time dynamic trust evaluation of the access subject through a preset trust evaluation model and algorithm to obtain a real-time trust level.
In addition, the invention also provides a zero-trust based IoT terminal security protection management and control method, based on the network computing node access controller system for IoT security management and control described above. The method comprises the following steps: S1, installing the network computing node access controller on the IoT terminal; S2, building identity authentication: assigning digital identities to persons and IoT terminals, constructing the combination of a person and an IoT terminal as the access subject, and setting minimum authority for the access subject; S3, building secure communication: the access subject, the network computing node access controller and the access object communicate securely based on a national cryptographic algorithm and perform remote processing and data exchange; S4, building a service security access mechanism: based on the minimum authority, shrinking the information exposure surface of the access subject; S5, building a continuous trust evaluation mechanism: based on the digital identity, judging in real time the risk of the context in which the access subject accesses the access object; dynamic access control is performed based on steps S2 to S5.
Further, in a preferred mode of the invention, the control method further comprises: detecting the network configuration of the IoT terminal in real time and performing a credibility measurement of the integrity of the network configuration to obtain a measurement result; and performing dynamic access control according to the measurement result.
Further, in a preferred mode of the invention, "detecting the network configuration of the IoT terminal in real time, performing a credibility measurement of the integrity of the network configuration and obtaining a measurement result" specifically comprises the following steps: checking the integrity of the hardware, system and configuration of the IoT terminal and reporting it to the security management and control platform in real time; and the security management and control platform performing the credibility measurement of the integrity of the network configuration to obtain the measurement result.
Further, in a preferred mode of the invention, "performing dynamic access control according to the measurement result" specifically comprises the following step: the security management and control platform performing, through a measurement interface and based on the measurement result, dynamic access control over the network access and service access of the IoT terminal.
Further, in a preferred mode of the invention, the security management and control platform performs dynamic access control over the authority and the connection state of the IoT terminal; the control framework of the dynamic access control is a combined control framework based on RBAC access control and ABAC access control; the control mode applied by the dynamic access control to the access subject is a hierarchical service access management mode based on trust level; and the dynamic access control specifically comprises the following step: adjusting the access authority of the access subject in real time according to the access context and the risk state of the environment, while evaluating the trust level of the adjusted access subject.
Further, in a preferred mode of the invention, "adjusting the access authority of the access subject in real time according to the access context and the risk state of the environment, while evaluating the trust level of the adjusted access subject" specifically comprises the following steps: the dynamic access control center of the security management and control platform acquiring the trust level of the access subject and acquiring in real time the security level of the core asset of the access object; comparing the trust level with the security level to obtain a level comparison result; and adjusting the access authority of the access subject according to the level comparison result.
Further, in a preferred mode of the invention, the dynamic access control specifically comprises the following step: performing real-time dynamic trust evaluation of the access subject through a preset trust evaluation model and algorithm to obtain a real-time trust level.
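The dynamic access control described in the claims and in the preferred modes above (integrity measurement of the terminal, a trust level for the subject, comparison against the security level of the asset, and RBAC combined with ABAC) can be written out as one decision function. The code below is an added example, not the patent's own implementation; the scoring model in TrustLevel, the level ranges, the role names and the read-only narrowing on equal levels are all assumptions made for the example, since the patent only says a preset model and algorithm are used.

```go
package main

import "fmt"

// Measurement is the integrity result a terminal reports for its hardware, system and
// configuration (constructed fields; the patent leaves the check itself unspecified).
type Measurement struct {
	HardwareOK, SystemOK, ConfigOK bool
}

// Context is what the continuous trust evaluation sees for one access attempt.
type Context struct {
	Meas      Measurement
	RiskScore int  // 0 (no risk) .. 100 (critical), from the platform's real-time risk judgment
	KnownHost bool // the access comes from a host bound to this subject
}

type Subject struct{ ID, Role string }

// Asset is the access object; SecurityLevel runs from 1 (public) to 4 (core asset).
type Asset struct {
	ID            string
	SecurityLevel int
}

type Decision struct {
	Allow       bool
	Permissions []string
	Reason      string
}

// TrustLevel is a placeholder trust evaluation model (an assumption for this example):
// start at the top level 4 and deduct one level per failed integrity check, one for an
// unknown host and one more when the risk score reaches 70.
func TrustLevel(c Context) int {
	level := 4
	for _, ok := range []bool{c.Meas.HardwareOK, c.Meas.SystemOK, c.Meas.ConfigOK} {
		if !ok {
			level--
		}
	}
	if !c.KnownHost {
		level--
	}
	if c.RiskScore >= 70 {
		level--
	}
	if level < 0 {
		level = 0
	}
	return level
}

// Decide combines RBAC (the minimum permission set of the subject's role) with ABAC
// (the subject's trust level against the asset's security level) into a hierarchical
// outcome: deny, read-only, or the full role set.
func Decide(s Subject, a Asset, c Context, rolePerms map[string][]string) Decision {
	perms, ok := rolePerms[s.Role]
	if !ok {
		return Decision{Reason: "unknown role " + s.Role}
	}
	trust := TrustLevel(c)
	switch {
	case trust < a.SecurityLevel:
		return Decision{Reason: fmt.Sprintf("trust level %d below asset security level %d", trust, a.SecurityLevel)}
	case trust == a.SecurityLevel:
		// Equal levels: shrink the exposure surface to read-only operations.
		for _, p := range perms {
			if p == "read" {
				return Decision{Allow: true, Permissions: []string{"read"}, Reason: "levels equal: read-only"}
			}
		}
		return Decision{Reason: "levels equal but role has no read permission"}
	default:
		return Decision{Allow: true, Permissions: perms, Reason: "trust level above asset security level"}
	}
}

func main() {
	rolePerms := map[string][]string{"operator": {"read", "write"}}
	healthy := Context{Meas: Measurement{true, true, true}, RiskScore: 10, KnownHost: true}
	degraded := healthy
	degraded.Meas.ConfigOK = false // the configuration integrity check failed
	asset := Asset{ID: "plc-core", SecurityLevel: 3}
	sub := Subject{ID: "op-1", Role: "operator"}
	fmt.Println(Decide(sub, asset, healthy, rolePerms))  // full role set
	fmt.Println(Decide(sub, asset, degraded, rolePerms)) // read-only
}
```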
In addition, the invention also provides an electronic device, comprising: a memory for storing a computer program that executes the zero-trust based IoT terminal security protection management and control method; and a processor for executing the computer program. Compared with the prior art, the network computing node access controller system for IoT security management and control is implemented on a software-defined perimeter (SDP) zero-trust architecture and adopts a separated control plane and data plane to achieve efficient management, control and traffic control. First, the control plane achieves centralised control based on the network controller: the security management and control platform allocates and distributes unified security policies through the network controller. Under the unified command of the security management and control platform, it links with security devices such as firewalls to realise intelligent information sharing and cooperative operation of the various security devices within a large security system, achieving global security linkage and policy, global control of network traffic, fine-grained detection and agile response, and thereby guaranteeing security linkage capability and detection efficiency. Second, the data plane carries out fine-grained detection and filtering of traffic, thereby implementing identity verification and access control of the access subject and ensuring that only trusted traffic reaches the protected host.
Communication traffic sent by a host can reach the target host only after detection and filtering by the network computing node access controller, so that both outbound and inbound traffic is strictly filtered; at the same time, traffic from other zones, request traffic from the Internet and traffic from neighbouring hosts in the same zone are all strictly inspected by the network computing node access controller before access is permitted, so that internal and external traffic is governed by a security policy of the same level and trusted access and transmission of traffic are achieved. In summary, the technical scheme provided by the invention can effectively improve the security linkage capability and the security protection efficiency of the whole networking architecture in the presence of diverse IoT terminals. In addition, the invention also relates to a zero-trust based IoT terminal security protection management and control method and an electronic device.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic structural diagram of a network computing node access controller system for security management and control of the IoT according to an embodiment of the invention;
Fig. 2 is a flowchart of a blacklist access control mechanism according to an embodiment of the invention;
Fig. 3 is a flowchart of a whitelist access control mechanism according to an embodiment of the invention;
Fig. 4 is a diagram of the zero-trust SDP architecture of the network computing node controller according to an embodiment of the invention;
Fig. 5 is a schematic diagram of the authentication mechanism according to an embodiment of the invention;
Fig. 6 is a diagram illustrating security access control according to an embodiment of the invention;
Fig. 7 is a schematic diagram of continuous trust evaluation according to an embodiment of the invention;
Fig. 8 is a schematic diagram of dynamic access control according to an embodiment of the invention.
Detailed Description
In order that those skilled in the art will better understand the technical solutions of the present invention, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It will be understood that when an element is referred to as being "fixed" or "disposed" on another element, it can be directly on the other element or be indirectly on the other element; when an element is referred to as being "connected to" another element, it can be directly connected to the other element or be indirectly connected to the other element.
It is to be understood that the terms "length," "width," "upper," "lower," "front," "rear," "first," "second," "vertical," "horizontal," "top," "bottom," "inner," "outer," and the like are merely for convenience in describing and simplifying the description based on the orientation or positional relationship shown in the drawings, and do not indicate or imply that the devices or elements referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus are not to be construed as limiting the invention.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. In the description of the present invention, the meaning of "a plurality" or "a number" means two or more, unless specifically defined otherwise.
It should be understood that the structures, proportions, sizes, etc. shown in the drawings are provided for understanding and reading the disclosure and are not intended to limit the scope of the invention, which is defined by the claims; unless otherwise indicated, any structural modification, change of proportion or adjustment of dimensions that would be apparent to those skilled in the art may be made without departing from the spirit and scope of the invention.
As shown in Figs. 1 to 7, a network computing node access controller system for IoT security management and control provided by an embodiment of the invention comprises: the network computing node access controller, a control plane architecture and a data plane architecture. The control plane architecture comprises a unified authentication and policy controller, through which the network computing node access controller receives management and control from an external security management and control platform, and an access control engine connected to the unified authentication and policy controller and used to control data access authority. The data plane architecture is connected to the access control engine and is used to verify the identity of the access subject and to control access to the access object.
In the technical scheme of the network computing node access controller system for IoT security management and control provided by the invention, the network computing node access controller is implemented on a software-defined perimeter (SDP) zero-trust architecture and adopts a separated control plane and data plane to achieve efficient management, control and traffic control. First, the control plane achieves centralised control based on the network controller: the security management and control platform allocates and distributes unified security policies through the network controller. Under the unified command of the security management and control platform, it links with security devices such as firewalls to realise intelligent information sharing and cooperative operation of the various security devices within a large security system, achieving global security linkage and policy, global control of network traffic, fine-grained detection and agile response, and thereby guaranteeing security linkage capability and detection efficiency. Second, the data plane carries out fine-grained detection and filtering of traffic, thereby implementing identity verification and access control of the access subject and ensuring that only trusted traffic reaches the protected host.
Communication traffic sent by a host can reach the target host only after detection and filtering by the network computing node access controller, so that both outbound and inbound traffic is strictly filtered; at the same time, traffic from other zones, request traffic from the Internet and traffic from neighbouring hosts in the same zone are all strictly inspected by the network computing node access controller before access is permitted, so that internal and external traffic is governed by a security policy of the same level and trusted access and transmission of traffic are achieved. In summary, the technical scheme provided by the invention can effectively improve the security linkage capability and the security protection efficiency of the whole networking architecture in the presence of diverse IoT terminals. In addition, the invention also relates to a zero-trust based IoT terminal security protection management and control method and an electronic device.
In the technical scheme provided by the invention, the control plane has a user login authentication function, used to authenticate the identity of a user or administrator and to determine that user's or administrator's role, associated authority and policy information. Subsequent monitoring operations are closely tied to the user identity (role function). The supported authentication modes are: simple password authentication, X.509 one-way authentication, X.509 two-way (mutual) authentication, challenge-response authentication, and the like.
This module receives the login, logout, heartbeat and random-number request packets sent by the security agent; each such packet carries the security agent's signature information. The network computing node access controller signs the security agent's signature information and then repackages the packet for the authentication server; the new packet contains the controller's node number and the controller's signature information. On receiving the packet from the controller, the authentication server performs signature verification twice, and the verification result is signed by the controller and then forwarded to the security agent.
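The double-signature relay just described (agent signs the request, the controller signs the agent's signature and adds its node number, the server verifies both, and the controller countersigns the verdict on the way back) is shown below as an added example; it is not the patent's code, and it uses Ed25519 from the Go standard library in place of whatever signature scheme the product uses. The packet layouts, node and agent identifiers, and the length-prefixed byte encoding signed by the controller are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// AgentRequest is a login, logout, heartbeat or random-number request (constructed layout).
type AgentRequest struct {
	AgentID string
	Kind    string
}

// AgentPacket is the request plus the security agent's signature over it.
type AgentPacket struct {
	Body AgentRequest
	Sig  []byte
}

// ControllerPacket is the repackaged packet: node number, agent packet, controller signature.
type ControllerPacket struct {
	NodeID string
	Inner  AgentPacket
	Sig    []byte // over (NodeID, Inner.Sig): the controller signs the agent's signature
}

// Verdict is the server's result; Sig is the controller's countersignature on it.
type Verdict struct {
	AgentID string
	OK      bool
	Sig     []byte
}

func agentBytes(r AgentRequest) []byte { out, _ := json.Marshal(r); return out }

// verdictBytes quotes the id so that id and flag cannot be confused with each other.
func verdictBytes(id string, ok bool) []byte { return []byte(fmt.Sprintf("%q:%t", id, ok)) }

// controllerBytes length-prefixes the node number so distinct (node, signature) pairs never collide.
func controllerBytes(nodeID string, agentSig []byte) []byte {
	buf := make([]byte, 4, 4+len(nodeID)+len(agentSig))
	binary.BigEndian.PutUint32(buf, uint32(len(nodeID)))
	return append(append(buf, nodeID...), agentSig...)
}

// Step 1: the security agent signs its request.
func AgentSign(priv ed25519.PrivateKey, r AgentRequest) AgentPacket {
	return AgentPacket{Body: r, Sig: ed25519.Sign(priv, agentBytes(r))}
}

// Step 2: the controller signs the agent's signature and attaches its node number.
func ControllerWrap(nodeID string, priv ed25519.PrivateKey, p AgentPacket) ControllerPacket {
	return ControllerPacket{NodeID: nodeID, Inner: p, Sig: ed25519.Sign(priv, controllerBytes(nodeID, p.Sig))}
}

// Step 3: the server verifies twice: controller signature first (unknown node: drop the packet,
// second return value false), then the agent signature (failure: verdict with OK=false).
func ServerVerify(agents, controllers map[string]ed25519.PublicKey, cp ControllerPacket) (Verdict, bool) {
	cpub, known := controllers[cp.NodeID]
	if !known || !ed25519.Verify(cpub, controllerBytes(cp.NodeID, cp.Inner.Sig), cp.Sig) {
		return Verdict{}, false
	}
	id := cp.Inner.Body.AgentID
	apub, known := agents[id]
	return Verdict{AgentID: id, OK: known && ed25519.Verify(apub, agentBytes(cp.Inner.Body), cp.Inner.Sig)}, true
}

// RunExchange drives one login through the whole flow and reports the outcome at the agent;
// with tamper set, the request is altered after the agent signed it.
func RunExchange(tamper bool) string {
	apub, apriv, _ := ed25519.GenerateKey(rand.Reader)
	cpub, cpriv, _ := ed25519.GenerateKey(rand.Reader)
	agents := map[string]ed25519.PublicKey{"agent-7": apub}
	controllers := map[string]ed25519.PublicKey{"node-3": cpub}
	pkt := AgentSign(apriv, AgentRequest{AgentID: "agent-7", Kind: "login"})
	if tamper {
		pkt.Body.Kind = "logout" // changed in transit; the agent signature no longer covers it
	}
	v, fromKnownNode := ServerVerify(agents, controllers, ControllerWrap("node-3", cpriv, pkt))
	if !fromKnownNode {
		return "dropped: controller signature invalid"
	}
	// Step 4: the controller signs the verdict and forwards it; the agent checks that signature.
	v.Sig = ed25519.Sign(cpriv, verdictBytes(v.AgentID, v.OK))
	if v.OK && ed25519.Verify(cpub, verdictBytes(v.AgentID, v.OK), v.Sig) {
		return "accepted"
	}
	return "rejected"
}

func main() {
	fmt.Println(RunExchange(false), RunExchange(true)) // accepted rejected
}
```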
In the technical scheme provided by the invention, the control plane has four layers of protection in total.
Layer-2 protection: the node access controller allows an administrator to bind IP and MAC addresses manually, and blocks a host from accessing the controller through the node when the host's IP address and MAC address do not match the IP/MAC binding table.
Layer-3 protection: the node access controller has an access control function, and the access control policy supports: a) a default-deny principle, under which no data is allowed into the target network when no access control policy is configured; b) access control based on source IP address and destination IP address; c) access control based on source port and destination port; d) access control based on transport-layer protocol type; e) access control based on MAC address. Service data forwarding is permitted on the basis of the authentication result: through the linkage of user, device, terminal and security management and control platform, the authentication function enforces the security policy on user terminals accessing the network, strictly controls terminal users' use of network devices, and ensures that only authorised network devices may access the service network.
Layer-4 protection: based on identification of the business application protocol, transaction data messages are filtered and data that does not conform to the business transaction protocol is intercepted.
Specifically, in an embodiment of the invention, the data plane architecture comprises: an authentication access control module, which performs IP-layer protocol parsing and matching on received service data packets to implement control of authenticated access; a blacklist access control module, which performs IP-layer protocol parsing and matching on received authentication data packets against the blacklist data to implement control of blacklisted access; a whitelist access control module, which performs IP-layer protocol parsing and matching on received authentication data packets against the whitelist data to implement control of whitelisted access; a role authority access control module, which matches the received pkid service header against the role data to implement control of role-authority access; a security mark detection module, which performs format detection and hash value matching on service data packets to implement detection of the security mark; a request protocol detection module, which parses the request data of service data packets according to the TDS protocol to implement detection of the request protocol; a response protocol detection module, which parses the response data of service data packets according to the TDS protocol to implement detection of the response protocol; and a request whitelist detection module, which matches the actual content of the requested service against the whitelist service list to implement detection of the request whitelist.
The functions of the above data-plane modules are as follows:
First, the access-user restriction mechanism of the authentication access control module is as follows. A remote user may attempt to reach the enterprise intranet from any host available to them, whether a host configured by the user's company or a public host provided by an airport, a restaurant or a similar organization. Because company-owned hosts generally have a more complete security policy configured than public hosts, having users access the enterprise from known, trusted hosts is the better choice for network security. The controller therefore supports host binding: a user's access succeeds only when it originates from the host designated for that user. The high credibility of the access host improves the safety of remote access and, once the host itself has been confirmed secure, prevents an attacker who has stolen a user's account from accessing the enterprise from any other host.
The information of the authentication access control module is as follows:
Second, fig. 2 shows the flow of the blacklist access control mechanism; the information of the blacklist access control module is as follows:
Third, fig. 3 shows the flow of the whitelist access control mechanism; the information of the whitelist access control module is as follows:
Fourth, the information of the role authority access control module is as follows:
Fifth, the information of the security mark detection module is as follows:
Sixth, the information of the request protocol detection module is as follows:
Seventh, the information of the response protocol detection module is as follows:
Eighth, the information of the request whitelist detection module is as follows:
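As an added example (not the patent's own code), the following Python check chain models the data-plane modules listed above, including the host-binding rule described for the authentication access control module. The frame layout, the "SM1:<sha256>" security-mark format, the reference tables and all sample frames are constructed assumptions, and the TDS request/response parsers are not reproduced.

```python
"""Ordered data-plane check chain (added example, not patent code).

Assumptions: frame layout, "SM1:<sha256>" security-mark format, the
reference tables and the sample frames are all constructed for this example.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    user: str        # authenticated user identity
    device: str      # identifier of the terminal the request came from
    src_ip: str
    role: str        # role carried in the pkid business header
    service: str     # business service requested
    mark: str        # security mark attached by the sender
    body: bytes      # request payload


# Constructed reference data (assumptions, not patent data)
HOST_BINDING = {"alice": {"term-0017"}, "bob": {"term-0021"}}   # user -> bound hosts
BLACKLIST_IPS = {"10.10.1.99"}
WHITELIST_IPS = {"10.10.1.7", "10.10.1.8"}
ROLE_SERVICES = {"operator": {"meter.read", "meter.sync"}, "auditor": {"meter.read"}}
REQUEST_WHITELIST = {"meter.read": {b"READ METER 17", b"READ METER 18"},
                     "meter.sync": {b"SYNC CLOCK"}}
MARK_FORMAT = re.compile(r"^SM1:[0-9a-f]{64}$")


def make_mark(body: bytes) -> str:
    """Security mark as assumed here: a tagged SHA-256 digest of the payload."""
    return "SM1:" + hashlib.sha256(body).hexdigest()


Check = Callable[[Frame], Optional[str]]  # returns a rejection reason, or None to pass


def auth_access(f: Frame) -> Optional[str]:
    # Host binding: the user may only come in from a terminal bound to them.
    if f.device not in HOST_BINDING.get(f.user, set()):
        return f"user {f.user} is not bound to host {f.device}"
    return None


def blacklist(f: Frame) -> Optional[str]:
    return "source address is blacklisted" if f.src_ip in BLACKLIST_IPS else None


def whitelist(f: Frame) -> Optional[str]:
    return None if f.src_ip in WHITELIST_IPS else "source address is not whitelisted"


def role_authority(f: Frame) -> Optional[str]:
    if f.service not in ROLE_SERVICES.get(f.role, set()):
        return f"role {f.role} may not use {f.service}"
    return None


def security_mark(f: Frame) -> Optional[str]:
    if not MARK_FORMAT.match(f.mark):
        return "security mark has invalid format"
    if not hmac.compare_digest(f.mark, make_mark(f.body)):
        return "security mark hash does not match payload"
    return None


def request_whitelist(f: Frame) -> Optional[str]:
    if f.body not in REQUEST_WHITELIST.get(f.service, set()):
        return "request content is not in the service whitelist"
    return None


# Order matters: identity and address checks run before payload inspection.
PIPELINE: List[Tuple[str, Check]] = [
    ("auth_access", auth_access), ("blacklist", blacklist), ("whitelist", whitelist),
    ("role_authority", role_authority), ("security_mark", security_mark),
    ("request_whitelist", request_whitelist),
]


def inspect(f: Frame) -> Tuple[str, str]:
    """Run the chain; the first failing module drops the frame and names itself."""
    for name, check in PIPELINE:
        reason = check(f)
        if reason is not None:
            return "drop", f"{name}: {reason}"
    return "forward", "all data-plane checks passed"


SYNC = b"SYNC CLOCK"
SAMPLES: Dict[str, Frame] = {
    "good":        Frame("alice", "term-0017", "10.10.1.7", "operator", "meter.sync", make_mark(SYNC), SYNC),
    "wrong_host":  Frame("alice", "term-0099", "10.10.1.7", "operator", "meter.sync", make_mark(SYNC), SYNC),
    "blacklisted": Frame("bob", "term-0021", "10.10.1.99", "operator", "meter.sync", make_mark(SYNC), SYNC),
    "over_role":   Frame("bob", "term-0021", "10.10.1.8", "auditor", "meter.sync", make_mark(SYNC), SYNC),
    # payload altered in transit while the stale mark was kept
    "tampered":    Frame("alice", "term-0017", "10.10.1.7", "operator", "meter.sync", make_mark(SYNC), b"SYNC CLOCK; REBOOT"),
    "bad_request": Frame("alice", "term-0017", "10.10.1.7", "operator", "meter.read", make_mark(b"READ METER 99"), b"READ METER 99"),
}


def run_samples() -> Dict[str, Tuple[str, str]]:
    return {name: inspect(frame) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, why) in run_samples().items():
        print(f"{name:12s} {verdict:8s} {why}")
```

The chain is ordered so that identity and address checks run before payload inspection, and the first failing module names itself in the drop reason, which is what an operator needs in the controller's log. A plain digest as the security mark, as used in this example, only detects accidental corruption: an attacker who can alter the payload can recompute it, so a deployed mark must be a signature or a keyed MAC, which is what the business data signature verification the patent describes provides.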
In addition, the invention also provides a zero-trust-based security protection and control method for Internet of Things terminals, which is based on the network computing node access controller system for Internet of Things security control described above. The control method comprises the following steps: S1, install a network computing node access controller on the Internet of Things terminal; S2, build identity authentication: assign digital identities to the person and to the Internet of Things terminal, construct the combination of person and terminal as the access subject, and set the minimum authority for that access subject; S3, build secure communication: the access subject, the network computing node access controller and the access object communicate securely on the basis of the national cryptographic algorithms, and perform remote processing and data exchange; S4, build the service security access mechanism: based on the minimum authority, shrink the information exposure surface presented to the access subject; S5, build the continuous trust evaluation mechanism: based on the digital identity, perform real-time risk judgment on the context in which the access subject accesses the access object; dynamic access control is then performed on the basis of steps S2-S5. The zero-trust-based control method has the same technical effects as the system described above.
It should be noted that fig. 4 shows the zero-trust SDP architecture of the network computing node controller. First, dynamic access control is realized on the basis of a zero-trust framework. Specifically, building on the zero-trust architecture framework overcomes the defects of the traditional gateway-type network security architecture: the network computing node controller acts as a zero-trust hardware agent that sinks the security protection mechanism down to every Internet of Things terminal node, and the network computing node access controller is linked with the firewall cloud, so that security becomes truly ubiquitous. Whatever its origin, internal or external, any flow that needs to reach an Internet of Things terminal node is subjected to the same level of security policy detection and filtering, and zero trust and the security policy are enforced in every cell of the network organism.
As shown in fig. 5, identity authentication is the security foundation. An access control system is built on identity rather than network location: first, digital identities are assigned to the people and devices in the network; the identified person and device are then combined at run time into an access subject, and the minimum authority required by that access subject is set. Multiple authentication strategies are administered through unified management by the security management and control platform, giving flexible adaptation and multiple layers of assurance. Authentication and policy control of the controller equipment and the Internet of Things terminal equipment are implemented through the hardened network computing node controller, ensuring the legitimacy of the operating system; the legitimacy of business behaviour is authenticated in cooperation with the firewall cloud system.
This achieves consistent authentication of the network computing node controller, the Internet of Things terminal equipment, the terminal user, the access system and the user's behaviour; legitimate access is possible only after all of them have been authenticated. Business data is exchanged between the Internet of Things terminal and the Internet of Things cloud platform, and, based on a PKI/CA digital certificate system, bidirectional identity authentication and business data signature verification are performed between the terminal and the platform, ensuring the authenticity of the terminal's data source and the tamper resistance of the data.
It should be noted, further, that secure communication is based on the national cryptographic algorithms: the remote processing and data exchange between the two parties' services achieve bidirectional identity authentication, data confidentiality and integrity protection. That is, the identities of both communicating parties are reliable; service data is protected against leakage and sensitive information against interception, preserving confidentiality; and service data is protected against tampering, preserving integrity.
It should be noted that fig. 6 is a schematic diagram of service security access. The zero-trust architecture focuses on constructing a service protection surface, through which resources are protected. Constructing the protection surface shrinks the exposure surface: all services are hidden by default and opened only minimally according to the authorization result; every service access request must be encrypted end to end and compulsorily authorized; and the service security access mechanisms should work at the application protocol layer as far as possible.
Note that fig. 7 shows the flow of continuous trust evaluation. Continuous trust evaluation is the key means by which a zero-trust architecture builds trust from zero: identity-based trust evaluation is implemented through a trust evaluation model and algorithm, while at the same time the context of the access is assessed for risk, access requests are examined for abnormal behaviour, and the trust evaluation result is adjusted accordingly.
Specifically, in an embodiment of the present invention, the control method further includes: detecting the network configuration of the Internet of Things terminal in real time and performing a trustworthiness measurement of the integrity of that network configuration to obtain a measurement result; and performing dynamic access control according to the measurement result.
Specifically, in the embodiment of the present invention, "detecting the network configuration of the Internet of Things terminal in real time, performing a trustworthiness measurement of the integrity of the network configuration, and obtaining a measurement result" comprises the following steps: checking the integrity of the hardware, system and configuration of the Internet of Things terminal and reporting it to the security management and control platform in real time; and the security management and control platform performing a trustworthiness measurement on the integrity of the network configuration to obtain the measurement result.
Specifically, in the embodiment of the present invention, "performing dynamic access control according to the measurement result" comprises the following step: the security management and control platform performs dynamic access control over the network access and the service access of the Internet of Things terminal through a measurement interface, on the basis of the measurement result.
Specifically, in the embodiment of the invention, the security management and control platform performs dynamic access control over the authority and the connection state of the Internet of Things terminal; the control framework of the dynamic access control is a combined framework of RBAC and ABAC access control; the control mode applied to the access subject is hierarchical service access management based on trust level; and the dynamic access control comprises the following step: adjusting the access authority of the access subject in real time according to the access context and the risk state of the environment, while evaluating the trust level of the adjusted access subject.
Specifically, in the embodiment of the present invention, "adjusting the access authority of the access subject in real time according to the access context and the risk state of the environment, while evaluating the trust level of the adjusted access subject" comprises the following steps: the dynamic access control centre of the security management and control platform obtains the trust level of the access subject and obtains, in real time, the security level of the access object's core asset; the trust level is compared with the security level to obtain a level comparison result; and the access authority of the access subject is adjusted according to that level comparison result.
Specifically, in an embodiment of the present invention, the dynamic access control further comprises the following step: performing real-time dynamic trust evaluation of the access subject through a preset trust evaluation model and algorithm to obtain a real-time trust level.
It should be noted that fig. 8 is a schematic diagram of dynamic access control. The network configuration of the Internet of Things terminal is detected in real time, the integrity of the terminal's hardware, system and configuration is checked and reported in real time to the security management centre, the trustworthiness of that integrity is measured, and dynamic access control of terminal access and service access is carried out through the measurement interface.
Dynamic access control is an important manifestation of the closed-loop security capability of a zero-trust architecture. A flexible access control baseline is realized through combined authorization with RBAC (role-based access control) and ABAC (attribute-based access control); hierarchical service access is realized on the basis of trust levels; and when the access context or environment presents a risk, access rights are adjusted in real time and it is evaluated whether the trust of the access subject should be downgraded.
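As an added example that is not part of the patent, the following Python code carries the procedure of the preceding paragraphs through end to end: the terminal's reported hardware, system and configuration digests are measured against a baseline, the measurement and the access context produce a trust level, and a combined RBAC+ABAC decision compares that trust level with each asset's security level to open only the services that qualify and to set the terminal's connection state. The level scales, the deductions, the baseline values, the attribute names and the sample reports are this example's assumptions.

```python
"""Integrity measurement plus RBAC+ABAC dynamic access control (added example).

Assumptions: the 0..4 trust and security level scales, the deductions, the
baseline values, the context attribute names and the sample reports are all
constructed for this example, not taken from the patent.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set


def fingerprint(kv: Dict[str, str]) -> str:
    """Canonical SHA-256 over a sorted key=value listing (measurement input)."""
    canon = "\n".join(f"{k}={kv[k]}" for k in sorted(kv))
    return hashlib.sha256(canon.encode()).hexdigest()


# Reference measurements recorded at enrolment (constructed)
HW_GOLD = {"board_rev": "B3", "cpu_serial": "7F1A-22", "secure_element": "present"}
SYS_GOLD = {"kernel": "5.10.160-iot", "agent": "1.4.2", "rootfs": "ro"}
CFG_GOLD = {"gateway": "10.10.1.1", "dns": "10.10.0.53", "acl_version": "37"}
BASELINE = {"hardware": fingerprint(HW_GOLD), "system": fingerprint(SYS_GOLD),
            "config": fingerprint(CFG_GOLD)}

# RBAC: role -> candidate services.  ABAC asset attribute: service -> security level 1..4
ROLE_SERVICES = {"operator": {"meter.read", "meter.sync", "firmware.update"},
                 "auditor": {"meter.read"}}
ASSET_LEVEL = {"meter.read": 1, "meter.sync": 2, "firmware.update": 3, "key.rotate": 4}


@dataclass(frozen=True)
class Context:
    off_hours: bool = False       # access outside the maintenance window
    new_location: bool = False    # source network never seen for this subject
    anomaly_score: float = 0.0    # 0..1 from behaviour analysis


@dataclass
class Decision:
    trust_level: int
    connection_state: str         # "connected", "quarantine" or "disconnect"
    opened_services: Set[str] = field(default_factory=set)
    measurement: Dict[str, bool] = field(default_factory=dict)


def measure(report: Dict[str, str]) -> Dict[str, bool]:
    """Compare the terminal's reported digests with the baseline, component by component."""
    return {part: report.get(part) == gold for part, gold in BASELINE.items()}


def trust_level(m: Dict[str, bool], ctx: Context) -> int:
    """Trust 0..4: integrity failures and risky context attributes deduct from full trust."""
    if not m["hardware"]:
        return 0  # replaced or tampered hardware: no residual trust
    level = 4
    level -= 0 if m["system"] else 2
    level -= 0 if m["config"] else 1
    level -= 1 if ctx.off_hours else 0
    level -= 1 if ctx.new_location else 0
    level -= 2 if ctx.anomaly_score >= 0.7 else 1 if ctx.anomaly_score >= 0.4 else 0
    return max(level, 0)


def decide(role: str, report: Dict[str, str], ctx: Context) -> Decision:
    m = measure(report)
    t = trust_level(m, ctx)
    if not m["hardware"]:
        state = "quarantine"      # keep the link only to a remediation segment
    elif t == 0:
        state = "disconnect"
    else:
        state = "connected"
    opened: Set[str] = set()
    if state == "connected":
        # RBAC yields the candidate set; the trust-vs-security-level comparison prunes it
        opened = {s for s in ROLE_SERVICES.get(role, set()) if t >= ASSET_LEVEL[s]}
    return Decision(t, state, opened, m)


# Constructed sample reports from three terminal states
HEALTHY = dict(BASELINE)
DRIFTED_CFG = {**BASELINE, "config": fingerprint({**CFG_GOLD, "dns": "8.8.8.8"})}
SWAPPED_HW = {**BASELINE, "hardware": fingerprint({**HW_GOLD, "cpu_serial": "0000-00"})}


def run_samples() -> Dict[str, Decision]:
    return {
        "healthy":     decide("operator", HEALTHY, Context()),
        "drift_night": decide("operator", DRIFTED_CFG, Context(off_hours=True)),
        "anomalous":   decide("operator", HEALTHY, Context(new_location=True, anomaly_score=0.8)),
        "swapped_hw":  decide("operator", SWAPPED_HW, Context()),
    }


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:12s} trust={d.trust_level} {d.connection_state:11s} open={sorted(d.opened_services)}")
```

The caveat to keep in view: a measurement the terminal computes and reports itself is only as trustworthy as the reporting agent, so the hardware component should come from a hardware root of trust (a TPM or secure-element quote) rather than a software-computed digest; that is why the example treats a hardware mismatch as grounds for quarantine rather than as a mere deduction, while configuration drift only narrows the opened service set.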
In addition, the invention also provides an electronic device, comprising: a memory for storing a computer program that executes the zero-trust-based security protection and control method for Internet of Things terminals; and a processor for executing the computer program. The electronic device has the same technical effects as the technical scheme described above.
It should be noted that the prior art has the following problems:
1. The traditional boundary-protection approach is easily bypassed
Under the conventional boundary-protection approach, devices such as firewalls, IPSs, network isolation gateways (gatekeepers) and WAFs are deployed at the boundary of a zone. Such devices can be bypassed, and once a security device has been bypassed by technical means the security measure is reduced to a dummy, allowing an attacker to dwell inside for a long time. This poses a serious security risk to the protected system.
2. The traditional boundary-protection approach is too coarse, making fine-grained protection difficult
Under the boundary security concept, because firewalls, IPSs, anti-virus gateways, WAFs and similar devices are deployed at the boundary of a zone, only coarse protection can be applied to the zone, i.e. protection limited to uniform ports, services and the like, and one-to-one personalized protection cannot be realized for the many protected hosts. The protective measures become a one-size-fits-all garment that is neither precisely fitted nor precisely protective.
3. Traditional boundary protection focuses on the "outside" and neglects the "inside"
Under the boundary security concept, network location determines the degree of trust. Users outside the secure zone's boundary are untrusted (insecure) by default and have few access rights, and any network outside the boundary that wants to access it must pass through security mechanisms such as firewalls and VPNs. Users inside the secure zone are treated as safe and trusted by default, and their business operations are not subjected to much behaviour monitoring or operation auditing, so there is a problem of excessive trust (they are assumed safe and given too much authority).
In fact, a fortress is most easily broken from the inside, and protection of the inside and the outside cannot be achieved simultaneously, which is a huge hidden danger in security terms. Large hidden dangers readily form inside, bringing great security risk to the system.
4. Traditional boundary protection tends toward "fighting alone" and makes coordinated defence difficult
Firewalls, IPSs, anti-virus gateways, WAFs and the like typically emphasize and enrich the richness and effectiveness of their own security feature libraries and do not emphasize the ability to defend in coordination with other security products. The result is that every security product fights its own war, and it is difficult to form a combined force. Lacking the concept and capability of coordinated defence is itself a source of security vulnerabilities and shortcomings.
The technical scheme achieves the following technical effects:
Based on the software-defined perimeter (SDP) concept, the invention breaks the traditional network security boundary and realizes one-to-one refined protection of each protected Internet of Things terminal. Internal and external access flows receive security protection of the same level; all network computing node access controllers under one system are controlled uniformly by the network controller and the security management and control platform; and under the same control system the network computing node access controllers can share information, link security responses and fight in coordination with security equipment such as the AI firewall cloud, exerting a stronger security protection capability.
1. Breaking the boundary and preventing the risk of being bypassed
In the traditional boundary security concept, security devices are deployed at the boundary of a zone, and bypassing one security device by technical means is equivalent to breaking through the security line of the whole zone. The network computing node access controller provides one-to-one protection for the protected device, so the concept of a security boundary is broken: even if one network computing node access controller is breached, only the safety of one protected device is threatened, and the other nodes are still protected by their own network computing node access controllers.
2. Realizing one-to-one refined protection
Traditional security equipment is deployed at the boundary of a zone to protect that zone, which makes personalized, fine-grained protection of a particular node difficult. The network computing node access controller is deployed in front of each protected node, and its security policy is configured according to the protected node's actual environment, so that every node is protected by a finely customized security policy; this fine-grained control greatly improves security protection capability.
3. Secure zero trust
Conventional security devices, being boundary-based, have no protection capability for traffic inside the secure zone. The network computing node access controller is deployed in front of the protected node, and all traffic accessing the node is detected and filtered by it, so every access request, internal or external, is viewed through the same lens, and zero trust is truly realized.
4. Defending together with other security products in coordinated operation
The network computing node access controller sits at the very end of the security protection system and provides the final line of protection for the Internet of Things terminal. At the same time, it holds real-time knowledge of the running state, health and other information of the terminal node. The network computing node access controller shares and reports accurate terminal information to the network controller, and the network controller and the security management and control platform direct the security defence uniformly, so that a defence-in-depth system of joint operation and joint defence forms among the security management and control console, the network controller and the network computing node access controllers, yielding team-based security defence capability. The larger the network, the richer the security information shared, and the more complete and powerful the defence.

Claims (2)

1. A network computing node access controller system for security management and control of the internet of things, the system comprising:
a network computing node access controller, a control plane architecture and a data plane architecture;
the control plane architecture includes:
a unified authentication and policy controller, through which the network computing node access controller receives management control from an external security management and control platform;
the access control engine is in data connection with the unified authentication and policy controller and is used for controlling the data access authority;
the data plane architecture is in data connection with the access control engine and is used for verifying the identity of an access subject and controlling the access of an access object; the data plane architecture includes: the authentication access control module is used for realizing the control of authentication access by carrying out IP layer protocol analysis matching on the received service data packet;
the blacklist access control module is used for carrying out IP layer protocol analysis matching on the received authentication data packet according to the blacklist data so as to realize control of blacklist access;
the white list access control module is used for carrying out IP layer protocol analysis matching on the received authentication data packet according to the white list data so as to realize the control of white list access;
the role authority access control module is used for matching the received pkid business header according to the role data so as to realize the control of the role authority access;
the security mark detection module is used for carrying out format detection and hash value matching on the service data packet to realize the detection of the security mark;
the request protocol detection module is used for analyzing the request data of the service data packet according to the TDS protocol and realizing the detection of the request protocol;
the response protocol detection module is used for analyzing response data of the service data packet according to the TDS protocol to realize detection of the response protocol;
the request white list detection module is used for matching the actual content of the request service according to the white list service list so as to realize detection of the request white list;
the network computing node access controller system for Internet of Things security control is used for executing a zero-trust-based security protection and control method for Internet of Things terminals, the control method comprising the following steps:
s1, installing a network computing node access controller on an Internet of things terminal;
s2, building identity authentication: giving digital identities to the terminals of the person and the Internet of things, constructing a combination of the terminals of the person and the Internet of things as an access subject, and setting minimum authority for the access subject;
s3, safety communication construction: the access subject, the network computing node access controller and the access object are in secure communication based on a national cryptographic algorithm, and remote processing and data exchange are carried out;
s4, setting up a service security access mechanism: based on the set minimum authority, performing contraction processing on the information exposure surface of the access subject;
s5, building a continuous trust evaluation mechanism: based on the digital identity, carrying out risk judgment on the context environment accessed by the access subject to the access object in real time;
performing dynamic access control based on the steps S2-S5;
the control method further comprises the following steps:
detecting the network configuration of the terminal of the Internet of things in real time, and carrying out credibility measurement on the integrity of the network configuration to obtain a measurement result;
performing dynamic access control according to the measurement result;
the detecting the network configuration of the Internet of Things terminal in real time, performing a trustworthiness measurement of the integrity of the network configuration and obtaining a measurement result comprises the following steps:
checking the integrity of the hardware, the system and the configuration of the terminal of the Internet of things, and reporting the integrity to a safety management and control platform in real time;
the security management and control platform performs credibility measurement on the integrity of the network configuration to obtain a measurement result;
the dynamic access control according to the measurement result specifically comprises the following steps:
the security management and control platform performs dynamic access control on access and service access of the internet of things terminal through a measurement interface based on the measurement result; the security management and control platform performs dynamic access control on the authority and the connection state of the terminal of the Internet of things;
the control framework of the dynamic access control is a combined control framework based on RBAC access control and ABAC access control;
the control mode of the dynamic access control to the access subject is a service access hierarchical management mode based on trust level;
the dynamic access control specifically comprises the following steps:
according to the access context and the risk state of the environment, the access authority of the access subject is adjusted in real time, and the trust level of the adjusted access subject is evaluated;
the adjusting the access authority of the access subject in real time according to the access context and the risk state of the environment and evaluating the trust level of the adjusted access subject specifically comprises the following steps:
the dynamic access control center of the security management and control platform acquires the trust level of the access subject and acquires the security level of the core asset of the access object in real time;
comparing the trust level with the security level to obtain a level comparison result;
adjusting the access authority of the access subject according to the grade comparison result;
the dynamic access control specifically comprises the following steps:
and carrying out real-time dynamic trust evaluation on the access subject through a preset trust evaluation model and algorithm to obtain a real-time trust level.
2. An electronic device, comprising:
a memory for storing a computer program for the network computing node access controller system for internet of things security management of claim 1;
a processor for executing the computer program.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310911925.0A CN116633696B (en) 2023-07-25 2023-07-25 Network computing node access controller system, management and control method and electronic equipment

Publications (2)

Publication Number Publication Date
CN116633696A CN116633696A (en) 2023-08-22
CN116633696B true CN116633696B (en) 2024-01-02

Family

ID=87603033

Country Status (1)

Country Link
CN (1) CN116633696B (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA1340592C (en) * 1988-07-27 1999-06-08 Hewlett-Packard Co. Software agent used to provide information to a user for a plurality of computer
CA2524849A1 (en) * 2005-10-28 2007-04-28 Overcow Corporation Method of providing secure access to computer resources
US10104077B1 (en) * 2017-10-06 2018-10-16 Xage Security, Inc. Enabling multitenant data access on a single industrial network
WO2018214719A1 (en) * 2017-05-26 2018-11-29 中国科学院沈阳自动化研究所 Dynamic safety method and system based on multi-fusion linked responses
CN112507317A (en) * 2020-12-07 2021-03-16 国网河北省电力有限公司电力科学研究院 Electric power Internet of things safety protection method based on zero trust
CN113051602A (en) * 2021-01-22 2021-06-29 东南大学 Database fine-grained access control method based on zero trust architecture
CN115361186A (en) * 2022-08-11 2022-11-18 哈尔滨工业大学(威海) Zero trust network architecture for industrial internet platform
CN115426141A (en) * 2022-08-19 2022-12-02 国网河南省电力公司电力科学研究院 Cloud master station service dynamic access control method and system based on zero trust network
WO2023274295A1 (en) * 2021-06-30 2023-01-05 上海云盾信息技术有限公司 Cloud-based internet access control method and apparatus, medium, device, and system
CN115941236A (en) * 2022-09-06 2023-04-07 国网浙江省电力有限公司绍兴供电公司 Zero trust safety protection method for edge side of power distribution network
CN116248277A (en) * 2023-03-10 2023-06-09 深圳市骏捷安全技术有限公司 Zero-trust security processing method and system for authentication encryption of Internet of things equipment
CN116310238A (en) * 2023-03-16 2023-06-23 华中师范大学 Multi-user virtual avatar interaction behavior safety protection method and system

Also Published As

Publication number Publication date
CN116633696A (en) 2023-08-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant