CN118074978A - Access control method and device for terminal equipment, electronic equipment and storage medium - Google Patents


Info

Publication number
CN118074978A
Authority
CN
China
Prior art keywords
terminal equipment
access
authentication
admission
equipment
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410207694.XA
Other languages
Chinese (zh)
Inventor
饶先强
张芮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hubei Topsec Network Security Technology Co Ltd
Original Assignee
Hubei Topsec Network Security Technology Co Ltd
Application filed by Hubei Topsec Network Security Technology Co Ltd
Priority to CN202410207694.XA
Publication of CN118074978A

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

Embodiments of this application provide a terminal device admission control method and apparatus, an electronic device and a storage medium. The method comprises: receiving device information sent by a terminal device, the device information comprising one or more of the installation status of target security software, the installation status of security patches and the running status of blacklisted services on the terminal device; obtaining an admission policy produced by authenticating the device information, the admission policy indicating one or more of the access objects, the message flow direction and the access time limit of the terminal device; and processing the service messages sent by the terminal device according to the admission policy. Because the device is authenticated on several aspects and a different admission policy is formulated for each combination of conditions, the access rights of terminal devices in different security states can be controlled precisely.

Description

Access control method and device for terminal equipment, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for controlling access of a terminal device, an electronic device, and a storage medium.
Background
Zero trust admission (Zero Trust Network Access, ZTNA) is a network security framework and policy model intended to ensure that the terminal devices accessing network resources are secure. Unlike traditional perimeter-defence models, zero trust admission emphasises dynamic access control and authentication of every session, so as to provide more secure network access and better protection of internal resources. In the related art, however, zero trust admission mechanisms do not sufficiently account for the complexity and diversity of devices, so that devices may be granted excessive access rights, which is a security problem.
Disclosure of Invention
Embodiments of this application aim to provide a terminal device admission control method and apparatus, an electronic device and a storage medium, so as to control the access rights of terminal devices precisely.
A first aspect of the embodiments provides a terminal device admission control method, comprising:
receiving device information sent by the terminal device, the device information comprising one or more of the installation status of target security software, the installation status of security patches and the running status of blacklisted services on the terminal device;
obtaining an admission policy produced by authenticating the device information, the admission policy indicating one or more of the access objects, the message flow direction and the access time limit of the terminal device;
and processing the service messages sent by the terminal device according to the admission policy.
In this implementation the terminal device is authenticated using one or more of the installation status of target security software, the installation status of security patches and the running status of blacklisted services on the device. On the one hand, because the device is authenticated on several aspects and a different admission policy is formulated for each combination of conditions, the access rights of terminal devices in different security states can be controlled precisely. On the other hand, admitted terminal devices are kept as trustworthy as possible, which reduces the risk of network attacks.
Further, before receiving the device information sent by the terminal device, the method further comprises:
receiving user information sent by the terminal device;
obtaining a first authentication result for the user information;
and, if the first authentication result indicates that the user information passed authentication, sending device detection items to the terminal device so that the terminal device returns the device information according to the device detection items.
In this implementation, authenticating user information is simpler than authenticating device information, so the user information is authenticated first and the device information only afterwards. This improves authentication efficiency and avoids unnecessary authentication steps.
Further, the method further comprises:
if the first authentication result indicates that the user information failed authentication, sending an authentication-failure prompt to the terminal device.
In this implementation the terminal device is informed that authentication failed and no device information authentication follows, which saves unnecessary authentication steps and improves authentication efficiency.
Further, obtaining the admission policy produced by authenticating the device information comprises:
sending the device information to a detection component for authentication and obtaining a second authentication result;
and obtaining the admission policy according to the second authentication result returned by the detection component.
In this implementation the detection component authenticates the terminal device using one or more of the installation status of target security software, the installation status of security patches and the running status of blacklisted services on the device. The detection component formulates a different admission policy for each combination of conditions, so the access rights of terminal devices in different security states can be controlled precisely and the hazard of granting a terminal device excessive rights is avoided.
Further, obtaining the admission policy according to the second authentication result returned by the detection component comprises:
if the second authentication result indicates that the terminal device has not installed the target security software and/or a security patch of a first security level, the admission policy comprises allowing access to a software download server;
if the second authentication result indicates that the terminal device has not installed a security patch of a second security level, the admission policy comprises allowing the service messages sent by the terminal device to pass within a set time, where the first security level is higher than the second security level;
if the second authentication result indicates that the terminal device is running a blacklisted service, the admission policy comprises blocking the service messages sent by the terminal device;
and if the second authentication result indicates that the terminal device is in a secure state, the admission policy comprises allowing the service messages sent by the terminal device to pass.
In this implementation a separate admission policy is set for each of the target security software installation status, the security patch installation status and the blacklisted service running status, so that terminal devices in different security states receive different, targeted access rights. This controls the access rights of the terminal device precisely and avoids the hazard of excessive access rights.
Further, the method further comprises:
if the second authentication result indicates that the terminal device has not installed a security patch of the second security level and the number of authentications exceeds a preset count threshold, the admission policy comprises allowing access to a software download server.
In this implementation, counting the authentications initiated by a terminal device that lacks a second-level security patch further improves the security of internal resources: a device that keeps re-authenticating without installing the patch is restricted to the software download server instead of being granted time-limited access again.
Further, the method further comprises:
if the admission policy comprises allowing access to a software download server, sending a software and/or security patch installation prompt to the terminal device;
if the admission policy comprises allowing access to a resource server within a set time, sending an authentication-success prompt and/or a security patch installation prompt to the terminal device;
if the admission policy comprises blocking the service messages sent by the terminal device, sending an authentication-failure prompt to the terminal device;
and if the admission policy comprises allowing the service messages sent by the terminal device to pass, sending an authentication-success prompt to the terminal device.
In this implementation a prompt matching each admission policy is sent to the terminal device, guiding it to obtain access rights more efficiently.
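The four policy cases, the retry-count rule and the matching prompts above amount to a small decision procedure. The following Python is an added example written for this page, not code from the patent or from Topsec: it models the second authentication result as a posture report and derives the admission policy and the prompt from it. The patent does not state the precedence between the cases, so the ordering used here (a running blacklisted service blocks regardless of patch state, missing target software or a first-level patch restricts to the download server, a missing second-level patch gives time-limited access unless the count threshold is exceeded) is an assumption, as are the service names, the set time and the count threshold.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumed values; the patent leaves the set time, the count threshold and
# the blacklist contents to the deployment.
BLACKLISTED_SERVICES = frozenset({"telnetd", "rshd"})
SET_TIME_SECONDS = 3600          # "set time" for time-limited access
AUTH_COUNT_THRESHOLD = 3         # preset count threshold for re-authentication

DOWNLOAD_SERVER = "software_download_server"
RESOURCE_SERVER = "resource_server"


@dataclass(frozen=True)
class SecondAuthResult:
    """Constructed model of the detection component's second authentication result."""
    device_id: str
    target_software_installed: bool
    missing_first_level_patches: FrozenSet[str]    # critical patches not installed
    missing_second_level_patches: FrozenSet[str]   # ordinary patches not installed
    running_services: FrozenSet[str]


@dataclass(frozen=True)
class AdmissionPolicy:
    access_objects: FrozenSet[str]   # servers the device may reach
    flow: str                        # "pass" or "block"
    ttl_seconds: Optional[int]       # None means no time limit
    prompt: str                      # prompt text returned to the terminal device


def derive_policy(result: SecondAuthResult, auth_count: int) -> AdmissionPolicy:
    """Map a second authentication result to an admission policy.

    auth_count is how many times this device has initiated authentication
    while still lacking a second-level patch (the value the patent counts).
    """
    # Case 3: a running blacklisted service is the most severe finding, so it is
    # checked first (this precedence is an assumption, not stated by the patent).
    if result.running_services & BLACKLISTED_SERVICES:
        return AdmissionPolicy(frozenset(), "block", None, "authentication failed")

    # Case 1: no target security software, or a critical patch is missing.
    if not result.target_software_installed or result.missing_first_level_patches:
        return AdmissionPolicy(frozenset({DOWNLOAD_SERVER}), "pass", None,
                               "install the target security software and/or security patches")

    # Case 2: only ordinary patches are missing.
    if result.missing_second_level_patches:
        if auth_count > AUTH_COUNT_THRESHOLD:
            # Repeated re-authentication without patching: download server only.
            return AdmissionPolicy(frozenset({DOWNLOAD_SERVER}), "pass", None,
                                   "install the outstanding security patches")
        return AdmissionPolicy(frozenset({DOWNLOAD_SERVER, RESOURCE_SERVER}), "pass",
                               SET_TIME_SECONDS,
                               "authentication succeeded; install the outstanding security patches")

    # Secure state: full access with no time limit.
    return AdmissionPolicy(frozenset({DOWNLOAD_SERVER, RESOURCE_SERVER}), "pass", None,
                           "authentication succeeded")
```

The count threshold is compared with a strict greater-than because the text says "exceeds"; at exactly the threshold the device still receives time-limited access.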
A second aspect of the embodiments provides a terminal device admission control apparatus, comprising:
a receiving module for receiving device information sent by the terminal device, the device information comprising one or more of the installation status of target security software, the installation status of security patches and the running status of blacklisted services on the terminal device;
an acquisition module for obtaining an admission policy produced by authenticating the device information, the admission policy indicating one or more of the access objects, the message flow direction and the access time limit of the terminal device;
and a processing module for processing the service messages sent by the terminal device according to the admission policy.
A third aspect of an embodiment of the present application provides an electronic device, including:
A processor;
A memory for storing processor-executable instructions;
wherein the processor, when invoking the executable instructions, performs the operations of the method of any of the first aspects.
A fourth aspect of the embodiments of the present application provides a computer readable storage medium having stored thereon computer instructions which when executed by a processor implement the steps of any of the methods of the first aspect.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of an application scenario of a terminal device admission control method provided in an embodiment of the present application;
Fig. 2 is a flow chart of a terminal device admission control method according to an embodiment of the present application;
Fig. 3 is a flow chart of another terminal device admission control method according to an embodiment of the present application;
Fig. 4 is a flow chart of another terminal device admission control method according to an embodiment of the present application;
Fig. 5 is a schematic diagram of an application scenario of a terminal device admission control method according to an embodiment of the present application;
Fig. 6 is a flow chart of another terminal device admission control method according to an embodiment of the present application;
Fig. 7 is a block diagram of a terminal device admission control apparatus according to an embodiment of the present application;
Fig. 8 is a hardware configuration diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
In a conventional perimeter-defence security policy the external network is treated as an untrusted zone and internal resources are protected by placing a firewall at the network boundary to isolate the external network. Perimeter defence nevertheless leaves a risk of network attack: a terminal device may reach internal resources through an uncontrolled network connection. Zero trust admission can address these risks effectively.
Under zero trust admission, every person, device and system inside or outside the enterprise network is untrusted by default, and access control is rebuilt on the basis of identity authentication and authorisation so as to establish identity trust, device trust, application trust and link trust. However, zero trust does not adequately account for the complexity, diversity and special cases of devices, which can result in devices being granted excessive access rights.
To this end, the application provides a terminal device admission control method. Fig. 1 shows an application scenario of the application. As shown in Fig. 1, a terminal device 110 may access a server 130 through an admission gateway 120. The server 130 may be a server cluster or a single server.
Optionally, the server 130 may comprise a software download server and a resource server (not shown). The software download server provides download resources for security software and security patches; the resource server provides internal resources. In this arrangement the terminal device 110 may access the software download server through the admission gateway 120 to obtain security software and/or security patches, and may access the resource server through the admission gateway 120 to obtain internal resources.
Alternatively, a single server 130 may provide the security software, the security patches and the internal resources together. In that case the terminal device 110 accesses the server 130 through the admission gateway 120 to obtain one or more of them.
In addition, the admission gateway 120 is communicatively coupled to a detection component 140. The detection component authenticates the terminal device 110; the specific authentication procedure is developed below. The admission gateway 120 and the detection component 140 may be two separate devices, or may be integrated in the same device.
Based on the application scenario shown in Fig. 1, the terminal device admission control method provided by the application can be applied to the admission gateway 120. As shown in Fig. 2, the admission control method may comprise steps 210 to 230.
Step 210: receiving device information sent by the terminal device.
The device information comprises one or more of the installation status of target security software, the installation status of security patches and the running status of blacklisted services on the terminal device.
The device information may of course include other kinds of information as well; those skilled in the art may choose the kinds of device information according to actual needs.
The device information may, for example, be carried to the admission gateway in a device authentication message. One implementation of step 210 is therefore: receiving a device authentication message carrying device information from the terminal device.
The device authentication message may be sent to the admission gateway from an authentication port of the terminal device. The authentication port is reserved for sending the terminal device's authentication messages, so the admission gateway can decide whether a received message is an authentication message by examining its source port: if the source port is the authentication port, the message is treated as an authentication message. Another implementation of step 210 is therefore: receiving, from the authentication port, a device authentication message carrying device information sent by the terminal device.
Step 220: obtaining an admission policy produced by authenticating the device information.
The admission policy indicates one or more of the access objects, the message flow direction and the access time limit of the terminal device.
The device information is used to perform device authentication on the terminal device: whether the terminal device is in a secure environment can be determined from one or more of the target security software installation status, the security patch installation status and the blacklisted service running status it contains.
Once the device information has been authenticated, the admission policy of the terminal device is obtained.
The access objects are the objects the terminal device is allowed to access, that is, the objects to which the service messages sent by the terminal device may flow. They include the server 130 of Fig. 1, for example the software download server and/or the resource server.
The message flow direction indicates whether a message is allowed to be forwarded to the access object; it may be pass or block.
The access time limit is the length of time for which the terminal device is allowed to access the access object; access may be time-limited or unlimited.
The access rights of the terminal device can therefore be controlled precisely through one or more of the access objects, the message flow direction and the access time limit.
Step 230: processing the service messages sent by the terminal device according to the admission policy.
For example, a service message may be forwarded to an access object indicated by the admission policy.
For example, a service message may be passed or blocked according to the message flow direction indicated by the admission policy.
For example, according to the access time limit indicated by the admission policy, service messages within the time limit may be passed and service messages after the time limit blocked.
If the admission gateway cannot find an admission policy corresponding to the terminal device, the service messages sent by the terminal device are blocked.
In summary, the terminal device admission control method provided by the application authenticates the terminal device using one or more of the installation status of target security software, the installation status of security patches and the running status of blacklisted services on the device. On the one hand, because the device is authenticated on several aspects and a different admission policy is formulated for each combination of conditions, the access rights of terminal devices in different security states can be controlled precisely. On the other hand, admitted terminal devices are kept as trustworthy as possible, which reduces the risk of network attacks.
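Steps 210 to 230, viewed from the admission gateway, reduce to: classify each arriving message by source port, look up the stored admission policy for the sending device, and pass or block the service message according to access object, flow direction and time limit, blocking when no policy exists or the policy has expired. The following Python is an added example written for this page, not Topsec code; the authentication port number, the policy fields and the device identity used as the lookup key are assumptions, and the clock is injectable so the expiry behaviour can be exercised without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional

AUTHENTICATION_PORT = 8443   # assumed: source port reserved for authentication messages


@dataclass
class AdmissionPolicy:
    access_objects: FrozenSet[str]   # servers the device may reach, e.g. {"download", "resource"}
    flow: str                        # "pass" or "block"
    expires_at: Optional[float]      # absolute expiry time; None means no time limit


@dataclass(frozen=True)
class Message:
    """Constructed model of a message seen by the gateway."""
    device_id: str       # identity the gateway has bound to the sending device
    src_port: int
    destination: str     # access object the message is addressed to


class AdmissionGateway:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._policies: Dict[str, AdmissionPolicy] = {}

    def store_policy(self, device_id: str, policy: AdmissionPolicy) -> None:
        """Step 222: keep the policy the detection component returned for this device."""
        self._policies[device_id] = policy

    def has_policy(self, device_id: str) -> bool:
        return device_id in self._policies

    @staticmethod
    def is_authentication_message(msg: Message) -> bool:
        # The patent identifies authentication messages by their source port.
        return msg.src_port == AUTHENTICATION_PORT

    def handle(self, msg: Message) -> str:
        """Return the gateway's action for the message: 'authenticate', 'pass' or 'block'."""
        if self.is_authentication_message(msg):
            return "authenticate"          # hand off to the authentication flow (steps 210/310)

        policy = self._policies.get(msg.device_id)
        if policy is None:
            return "block"                 # no admission policy found: block
        if policy.expires_at is not None and self._now() >= policy.expires_at:
            del self._policies[msg.device_id]   # expired policy is invalid; drop it
            return "block"                      # the device must re-authenticate
        if policy.flow != "pass":
            return "block"                 # flow direction says block
        if msg.destination not in policy.access_objects:
            return "block"                 # not one of the allowed access objects
        return "pass"
```

Two points a practitioner would check in a real deployment: the source port is chosen by the client, so matching it only routes a message to the authentication path and must never grant access by itself; and the policy must be keyed by an identity the gateway has bound to the connection during authentication, not by a value the client can set freely in each message.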
In some embodiments the admission method may be a zero-trust-based admission control method for terminal devices. Under a zero-trust admission mechanism the user of the terminal device can also be authenticated. The admission method may therefore further comprise steps 310 to 330 shown in Fig. 3 before step 210 is performed.
Step 310: receiving user information sent by the terminal device.
The user information may include, for example and without limitation, a user identifier and a user password. The user identifier uniquely identifies the user and may be, for example, a user name or a user ID.
The user information may, for example, be carried to the admission gateway in a user authentication message. One implementation of step 310 is therefore: receiving a user authentication message carrying user information from the terminal device.
The user authentication message may be sent to the admission gateway from the authentication port. Another implementation of step 310 is therefore: receiving, from the authentication port, a user authentication message carrying user information sent by the terminal device.
Step 320: obtaining a first authentication result for the user information.
For example, the admission gateway may send the user information, such as the user authentication message carrying it, to the detection component for authentication. The detection component can verify the user identifier and user password in the user information, and also their validity period. For example, an administrator may set the user identifier and password in advance and optionally set a password validity period. If the user identifier or password is wrong, or the password is outside its validity period, the user information fails authentication; if the user identifier and password are correct and the password is within its validity period, the user information passes authentication.
After the detection component completes authentication of the user information, it returns the resulting first authentication result to the admission gateway.
Step 330: if the first authentication result indicates that the user information passed authentication, sending device detection items to the terminal device so that the terminal device returns the device information according to the device detection items.
The device detection items indicate which kinds of device information the terminal device is to return. An administrator may add, remove or modify detection items according to requirements and/or the operating network environment; for example, the detection items may also include the system version, software versions and so on, so that the device information returned by the terminal device is richer.
After the user information passes authentication, the admission gateway sends the device detection items to the terminal device, and the terminal device responds by sending its device information to the admission gateway.
Because authenticating user information is simpler than authenticating device information, authenticating the user information first and the device information afterwards improves authentication efficiency and avoids unnecessary authentication steps. Of course, the user information and the device information may also be authenticated simultaneously, that is, the terminal device may send both at once for authentication. The application does not restrict the order of the two authentication processes.
On the basis of the above embodiment, the admission method may further comprise the following step:
if the first authentication result indicates that the user information failed authentication, sending an authentication-failure prompt to the terminal device.
That is, if the first authentication result indicates that the user information did not pass authentication, the terminal device is informed that authentication failed. The admission gateway then need not send the detection items to the terminal device, so no device information authentication follows, which saves unnecessary authentication steps and improves efficiency.
Optionally, if the first authentication result indicates that the user information failed authentication and the admission gateway finds a locally stored admission policy for the terminal device associated with that user information, it deletes the admission policy so that the terminal device's non-authentication messages are blocked.
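Steps 310 to 330 together with the failure branch just described, as an added example written for this page rather than code from the patent: the detection component verifies a user identifier and password against a stored record with a validity period, and the admission gateway sends the device detection items only on success; on failure it returns the failure prompt, sends no detection items and deletes any admission policy it still holds for that device. Salted PBKDF2 password storage, the detection item names and the device identity the gateway keys on are assumptions; the patent only says that identifier, password and validity period are checked.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Assumed detection item names; the patent says the administrator chooses them.
DEVICE_DETECTION_ITEMS: List[str] = [
    "target_security_software_installed",
    "security_patches_installed",
    "running_services",
]


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    valid_until: float   # end of the password validity period (absolute time)


def _derive(password: str, salt: bytes) -> bytes:
    # Assumption: passwords are stored salted and stretched, never in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class DetectionComponent:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._users: Dict[str, UserRecord] = {}

    def set_user(self, user_id: str, password: str, validity_seconds: float) -> None:
        """Administrator pre-sets identifier, password and validity period."""
        salt = os.urandom(16)
        self._users[user_id] = UserRecord(salt, _derive(password, salt),
                                          self._now() + validity_seconds)

    def authenticate_user(self, user_id: str, password: str) -> bool:
        """First authentication result: identifier and password correct and within validity."""
        record = self._users.get(user_id)
        if record is None:
            return False
        correct = hmac.compare_digest(_derive(password, record.salt), record.password_hash)
        return correct and self._now() < record.valid_until


class AdmissionGateway:
    def __init__(self, detector: DetectionComponent) -> None:
        self._detector = detector
        self._policies: Dict[str, Any] = {}   # device_id -> stored admission policy

    def store_policy(self, device_id: str, policy: Any) -> None:
        self._policies[device_id] = policy

    def has_policy(self, device_id: str) -> bool:
        return device_id in self._policies

    def on_user_authentication(self, device_id: str, user_id: str, password: str) -> Dict[str, Any]:
        """Steps 320/330: gate the device detection items on the first authentication result."""
        if self._detector.authenticate_user(user_id, password):
            return {"result": "pass", "device_detection_items": list(DEVICE_DETECTION_ITEMS)}
        # Failure: prompt the device, send no detection items, and revoke any
        # admission policy still stored for it so its non-authentication messages are blocked.
        self._policies.pop(device_id, None)
        return {"result": "fail", "prompt": "authentication failed"}
```

Because the validity period is checked after the password comparison, an expired but otherwise correct credential is rejected in the same way as a wrong one, which is what the text requires.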
As to how the admission policy is obtained in step 220, in some embodiments this may comprise steps 221 and 222 shown in Fig. 4.
Step 221: sending the device information to a detection component for authentication and obtaining a second authentication result.
For example, the admission gateway may send the device information, such as the device authentication message carrying it, to the detection component for authentication. The detection component can authenticate one or more of the target security software installation status, the security patch installation status and the blacklisted service running status in the device information, and obtains the second authentication result once this is complete.
Step 222: obtaining the admission policy according to the second authentication result returned by the detection component.
After the detection component obtains the second authentication result, it can determine the admission policy of the terminal device and return it to the admission gateway, which receives and stores it.
In this embodiment, then, the detection component authenticates the terminal device using one or more of the installation status of target security software, the installation status of security patches and the running status of blacklisted services on the device. It formulates a different admission policy for each combination of conditions, so the access rights of terminal devices in different security states can be controlled precisely and the hazard of granting a terminal device excessive rights is avoided.
On the basis of the above embodiment, regarding the acquisition of the admission policy based on the second authentication result in step 222, the following cases are included.
Case 1: and if the second authentication result indicates that the terminal equipment does not install the target security software and/or the security patch of the first security level, the access policy comprises allowing access to a software download server.
The device information includes a target security software installation condition and a security patch installation condition in the terminal device, so that whether the target security software and the security patch of the first security level are installed in the terminal device can be detected through the device information. The security patch of the first security level may be a security patch with high security association with the terminal device, for example, a key patch. If the terminal equipment does not have the security target security software or the security patch of the first security level, the security vulnerability of the terminal equipment is larger at the moment, and the security risk is higher. Thus, access objects for the terminal device may be restricted by a corresponding admission policy. I.e. the admission policy is set to allow access to the software download server. Meanwhile, the terminal equipment is not allowed to access the resource server, namely, the service message sent to the resource server by the terminal equipment is blocked.
As described above, the software download server is configured to provide download resources of security software and download resources of security patches. Therefore, when the terminal equipment is not provided with the target security software or is not provided with the key patch which has great influence on the security performance of the equipment, the access authority of the terminal equipment is controlled to only access the software download server, so that the terminal equipment can download the required target security software and/or the key patch from the software download server. When the terminal equipment is installed, the authentication can be reinitiated so as to obtain the access authority of the internal resource.
Case 2: and if the second authentication result indicates that the terminal equipment is not provided with the security patch of the second security level, the access policy comprises allowing the service message sent by the terminal equipment to pass through within a set time.
Wherein the first security level is higher than the second security level.
The device information includes the security patch installation condition of the terminal device, so whether a security patch of the second security level is installed can be detected from the device information. A security patch of the second security level is one with a low security relevance to the terminal device, for example a normal patch; hence the first security level is higher than the second security level. If the terminal device lacks a security patch of the second security level, it has a vulnerability but its security risk is low. Thus, the access timeliness of the terminal device is limited by a corresponding admission policy: the admission policy is set to allow service messages to pass within a set time.
The service message comprises a service message for accessing the resource server and a service message for accessing the software download server. Thus, in the set time, the terminal device can access the resource server to acquire the internal resource and can access the software download server to acquire the download resource of the security patch of the second security level. The terminal device should complete the downloading and installation of the security patch of the second security level within a set time.
Alternatively, when the set time is exceeded, the admission policy becomes invalid and the admission gateway may delete it. Thus, if the terminal device sends a service message after the set time has elapsed, the admission gateway intercepts it because no corresponding admission policy can be found. If the terminal device needs to access the servers again, the authentication process must be restarted.
Case 3: and if the second authentication result indicates that the terminal equipment runs the blacklist service, the admission strategy comprises blocking the service message sent by the terminal equipment.
The device information includes the blacklist service operation condition of the terminal device, so whether a blacklist service is running can be detected from the device information. A blacklist service is, for example, a program service that poses a security threat to the terminal device. Therefore, when the terminal device is detected to be running a blacklist service, it is regarded as a high-risk device. The flow direction of the service messages sent by the terminal device is limited by a corresponding admission policy: the admission policy is set to block the service messages sent by the terminal device.
The service messages include those for accessing the resource server and those for accessing the software download server. Thus, a terminal device running a blacklist service can access neither the resource server nor the software download server. The terminal device should stop running the blacklist service and then restart the authentication process to obtain access rights to the servers.
Case 4: and if the second authentication result indicates that the terminal equipment is in a safe state, the admission strategy comprises allowing the service message sent by the terminal equipment to pass.
Illustratively, if the second authentication result indicates that the terminal device has installed the target security software, the security patches of the first security level and the security patches of the second security level, and is not running a blacklist service, the terminal device is determined to be in a secure state. At this time, the corresponding admission policy is determined to allow the service packets to pass.
The service message comprises a service message for accessing the resource server and a service message for accessing the software download server. Thus, for the terminal device in the secure state, the resource server can be accessed to acquire the internal resource, and the software download server can be accessed to acquire the download resource.
As can be seen, in this embodiment, different access policies are set for multiple aspects of the installation condition of the target security software, the installation condition of the security patch, and the running condition of the blacklist service in the terminal device, so that different access rights are given to the terminal device in different security states in a targeted manner, so as to accurately control the access rights of each terminal device, and avoid potential safety hazards caused by overlarge access rights.
On the basis of the above embodiments, in some embodiments, the method may further include the steps of:
and if the second authentication result indicates that the terminal equipment is not provided with the security patch of the second security level and the authentication times exceed a preset time threshold, the access policy comprises allowing access to a software download server.
In case 2 above, if the terminal device does not install the security patch of the second security level, the corresponding admission policy allows service messages to pass within the set time. In some cases, however, the terminal device may repeatedly initiate authentication in order to obtain access rights again and again without ever installing the patch, which poses a certain security risk to the internal resources.
Therefore, the embodiment proposes that the detection component may record the number of times of authentication initiated by the terminal device when detecting that the terminal device does not install the security patch of the second security level. If the terminal equipment does not install the security patch of the second security level and the authentication times initiated by the terminal equipment exceeds a preset time threshold, setting the access policy to allow access to the software download server. Meanwhile, the terminal equipment is not allowed to access the resource server, namely, the service message sent to the resource server by the terminal equipment is blocked. Thus, the terminal equipment can only obtain the access right of the internal resource by reinitiating authentication after downloading the security patch of the second security level from the software download server.
It can be known that, in this embodiment, the security of the internal resource is further improved by counting the number of authentications initiated by the terminal device that does not install the security patch of the second security level.
In addition, on the basis of the embodiment, the admission gateway can also send different prompt messages to the terminal device according to different conditions of the admission policy.
Illustratively, in case 1 above, if the admission policy includes allowing access to the software download server, the admission gateway may send software and/or security patch installation hint information to the terminal device.
For example, the installation prompt may carry the IP (Internet Protocol) address and port of the software download server. In this way, the terminal device can download the required software and/or security patch under the guidance of the installation prompt.
Illustratively, in case 2 above, if the admission policy includes allowing access to the resource server for a set time, the admission gateway may send authentication success prompt information and/or security patch installation prompt information to the terminal device.
For example, the installation prompt may carry the IP address and port of the software download server. In this way, the terminal device can access the resource server to acquire internal resources under the guidance of the authentication success prompt, and can download the required security patch under the guidance of the installation prompt.
Illustratively, in case 3 above, if the admission policy includes blocking the service packet sent by the terminal device, the admission gateway may send an authentication failure prompt message to the terminal device.
For example, the authentication failure hint information may include a reason for the authentication failure, such as a running blacklist service. Therefore, the terminal equipment can stop running the blacklist service under the guidance of the authentication failure prompt information, and access authority of the server is obtained by reinitiating the authentication process.
Illustratively, in case 4 above, if the admission policy includes allowing the service packet sent by the terminal device to pass, sending authentication success prompt information to the terminal device.
For example, the authentication success prompt may carry the IP address and port of the resource server and/or the software download server. In this way, the terminal device can access the resource server and/or the software download server under the guidance of the prompt message of successful authentication.
As can be seen, in this embodiment, corresponding prompt information is sent to the terminal device according to different admission policies, so as to guide the terminal device to obtain the access rights more efficiently.
In addition, the application also provides a terminal access control method based on zero trust, which is applied to the application scene shown in fig. 5. As shown in fig. 5, terminal device 510 may access resource server 531 and software download server 532 through admission gateway 520. In addition, admission gateway 520 is also communicatively coupled to zero trust detection device 540. The zero trust detection device 540 includes a user component 541 and a device component 542 for user information authentication and device information authentication, respectively.
The admission gateway 520 is configured to forward or intercept the service packet according to an admission policy. An admission policy is preset in the admission gateway 520 to release the authentication message sent by the authentication port to the zero trust detection device 540. When the admission gateway 520 receives the authentication message sent by the authentication port, the authentication message is forwarded to the zero trust detection device 540 for authentication processing. When the admission gateway 520 receives a service packet that does not match the admission policy, the service packet is intercepted.
As shown in fig. 6, when terminal device 510 accesses and initiates authentication (step 601), admission gateway 520 may forward the user authentication message to zero trust detection device 540 for authentication. The user component 541 in the zero trust detection device 540 may authenticate the user information in the user authentication message, including authenticating the user name, user password, and expiration date in the user information. A first authentication result is obtained and returned to the admission gateway 520.
Admission gateway 520 may determine whether the user information is authenticated based on the first authentication result (step 602). If the user information authentication is passed, continuing to perform equipment authentication; if the user information is not authenticated, the admission gateway 520 blocks all service messages of the terminal device 510 (step 610), and returns an authentication failure prompt message to the terminal device 510. If the admission policy of the terminal device 510 is included in the admission gateway 520, the admission policy is deleted to block the passage of non-authentication messages.
If the user information authentication is passed, the admission gateway 520 may send a device detection item to the terminal device 510. The terminal device 510 may send a device authentication message carrying device information according to the device detection item. The device information includes, but is not limited to, target security software installation conditions, security patch installation conditions, and blacklist service operation conditions in the terminal device 510.
Admission gateway 520 may forward the device authentication message to zero trust detection device 540 for authentication. The device component 542 in the zero trust detection device 540 can determine from the device information whether the terminal device is running a blacklist service (step 603).
If it is determined that the blacklist service is running, it is determined that the admission policy of the terminal device 510 is to block the service packet sent by the terminal device 510. In this way, the admission gateway 520 blocks all traffic messages of the terminal device 510 (step 610), and transmits authentication failure notification information to the terminal device 510.
If it is determined that no blacklist service is running, the device component 542 further determines from the device information whether the terminal device 510 has installed the target security software (step 604).
If it is determined that the target security software is not installed, then it is determined that the admission policy of the terminal device 510 is such that access to the software download server is allowed (step 609), and a software installation hint is returned to the terminal device 510.
If it is determined that the target security software is installed, the device component 542 further determines whether the security patch is installed by the terminal device 510 based on the device information (step 605).
If it is determined that the security patch is installed, it is determined that the admission policy of the terminal device 510 is to allow the service message sent by the terminal device 510 to pass (step 607), and an authentication success prompt message is returned to the terminal device 510.
If it is determined that a security patch is not installed, it is further determined whether the security patch that is not installed is significant (step 606).
If it is determined that the security patch is an important critical patch, then the admission policy of the terminal device 510 is determined to be that which allows access to the software download server (step 609), and a software installation hint is returned to the terminal device 510.
If it is determined that the security patch is a non-critical normal patch, then the admission policy of the terminal device 510 is determined to allow access to the resource server for a set time (step 608), and authentication success prompt information and patch installation prompt information are sent to the terminal device 510.
It can be seen that in the authentication stage of the user and the terminal equipment, the security of the terminal equipment is judged by judging whether to install the security patch, the target security software and whether to run the blacklist service, so that the access object, the flow direction and the access timeliness of the service message are controlled, the accurate access authority control is realized, and the potential safety hazard caused by overlarge access authority is avoided.
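The following Python model is an added example, not code from the patent, illustrating cases 1 to 4 above together with the authentication-count threshold and the set-time expiry, in the check order of fig. 6; the class and function names (`DeviceInfo`, `decide_policy`, `AdmissionGateway`) and the default values are assumptions.

```python
"""Added example (not the patent's own code): model of the admission-policy
decision and the gateway's forward/intercept behaviour. All names and the
default set time / threshold are illustrative assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Destination(Enum):
    RESOURCE_SERVER = "resource_server"
    DOWNLOAD_SERVER = "software_download_server"


class Action(Enum):
    BLOCK = "block"                          # case 3, or failed user authentication
    DOWNLOAD_SERVER_ONLY = "download_only"   # case 1, or auth-count threshold exceeded
    ALLOW_WITHIN_SET_TIME = "allow_timed"    # case 2
    ALLOW = "allow"                          # case 4


@dataclass
class DeviceInfo:
    """Device information carried in the device authentication message."""
    security_software_installed: bool
    critical_patch_installed: bool   # security patch of the first security level
    normal_patch_installed: bool     # security patch of the second security level
    blacklist_service_running: bool


@dataclass
class AdmissionPolicy:
    action: Action
    prompt: str                          # prompt information returned to the device
    expires_at: Optional[float] = None   # only set for ALLOW_WITHIN_SET_TIME


def decide_policy(info: DeviceInfo, auth_count: int, auth_threshold: int,
                  set_time: float, now: float) -> AdmissionPolicy:
    """Map the second authentication result to an admission policy.

    Check order follows fig. 6: blacklist service (603), target security
    software (604), patch installed (605), patch importance (606).
    """
    if info.blacklist_service_running:
        return AdmissionPolicy(Action.BLOCK, "authentication failed: blacklist service")
    if not info.security_software_installed or not info.critical_patch_installed:
        return AdmissionPolicy(Action.DOWNLOAD_SERVER_ONLY,
                               "install target security software / critical patch")
    if not info.normal_patch_installed:
        # repeated re-authentication without patching: restrict to download server
        if auth_count > auth_threshold:
            return AdmissionPolicy(Action.DOWNLOAD_SERVER_ONLY,
                                   "authentication limit reached: install normal patch")
        return AdmissionPolicy(Action.ALLOW_WITHIN_SET_TIME,
                               "authentication succeeded: install normal patch",
                               expires_at=now + set_time)
    return AdmissionPolicy(Action.ALLOW, "authentication succeeded")


class AdmissionGateway:
    """Keeps per-device admission policies and forwards or intercepts packets."""

    def __init__(self, set_time: float = 600.0, auth_threshold: int = 3):
        self.set_time = set_time              # assumed default: 10 minutes
        self.auth_threshold = auth_threshold  # assumed default threshold
        self.policies: Dict[str, AdmissionPolicy] = {}
        self.auth_counts: Dict[str, int] = {}  # detection component's counter

    def authenticate(self, device_id: str, user_ok: bool,
                     info: Optional[DeviceInfo], now: float) -> AdmissionPolicy:
        """user_ok is the first authentication result; info the device info."""
        if not user_ok:
            # user authentication failed: drop any existing policy (step 610)
            self.policies.pop(device_id, None)
            return AdmissionPolicy(Action.BLOCK, "authentication failed: user information")
        assert info is not None  # device detection item is answered after user auth
        if not info.normal_patch_installed:
            # count authentications initiated while the normal patch is missing
            self.auth_counts[device_id] = self.auth_counts.get(device_id, 0) + 1
        policy = decide_policy(info, self.auth_counts.get(device_id, 0),
                               self.auth_threshold, self.set_time, now)
        self.policies[device_id] = policy
        return policy

    def handle_packet(self, device_id: str, dest: Destination, now: float) -> str:
        """Return 'forward' or 'intercept' for a service packet from device_id."""
        policy = self.policies.get(device_id)
        if policy is None:
            return "intercept"  # no policy: only authentication traffic passes
        if policy.expires_at is not None and now > policy.expires_at:
            del self.policies[device_id]  # set time exceeded: policy invalidated
            return "intercept"
        if policy.action is Action.BLOCK:
            return "intercept"
        if policy.action is Action.DOWNLOAD_SERVER_ONLY:
            return "forward" if dest is Destination.DOWNLOAD_SERVER else "intercept"
        return "forward"
```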
Based on any embodiment, the application also provides a terminal equipment admission control device, which can be applied to an admission gateway. As shown in fig. 7, the admission control device 700 includes:
A receiving module 710, configured to receive device information sent by the terminal device; the equipment information comprises one or more of target security software installation conditions, security patch installation conditions and blacklist service operation conditions in the terminal equipment;
An obtaining module 720, configured to obtain an admission policy obtained after the device information is authenticated; the access policy is used for indicating one or more of access objects, message flow directions and access timeliness of the terminal equipment;
And a processing module 730, configured to perform corresponding processing on the service packet sent by the terminal device based on the admission policy.
In some embodiments, the receiving module 710 is further configured to: receiving user information sent by the terminal equipment;
the acquisition module 720 is further configured to: acquiring a first authentication result of the user information;
The admission control device 700 further comprises: and the sending module is used for sending a device detection item to the terminal device if the first authentication result indicates that the user information authentication passes, so that the terminal device returns the device information based on the device detection item.
In some embodiments, the sending module is further to: and if the first authentication result indicates that the user information authentication fails, sending authentication failure prompt information to the terminal equipment.
In some embodiments, the obtaining module 720 is specifically configured to:
The equipment information is sent to a detection assembly for authentication, and a second authentication result is obtained;
And acquiring an admission strategy based on the second authentication result returned by the detection component.
In some embodiments, the obtaining module 720 is specifically configured to:
if the second authentication result indicates that the terminal equipment does not install the target security software and/or the security patch of the first security level, the access policy comprises allowing access to a software download server;
If the second authentication result indicates that the terminal equipment is not provided with the security patch of the second security level, the access policy comprises allowing the service message sent by the terminal equipment to pass within a set time; wherein the first security level is higher than the second security level;
if the second authentication result indicates that the terminal equipment runs the blacklist service, the admission strategy comprises blocking a service message sent by the terminal equipment;
And if the second authentication result indicates that the terminal equipment is in a safe state, the admission strategy comprises allowing the service message sent by the terminal equipment to pass.
In some embodiments, the acquisition module 720 is further to:
and if the second authentication result indicates that the terminal equipment is not provided with the security patch of the second security level and the authentication times exceed a preset time threshold, the access policy comprises allowing access to a software download server.
In some embodiments, the sending module is further to:
If the access policy comprises permission to access a software download server, sending software and/or security patch installation prompt information to the terminal equipment;
If the access policy comprises that the access to the resource server is allowed in the set time, sending authentication success prompt information and/or security patch installation prompt information to the terminal equipment;
If the admission strategy comprises blocking the service message sent by the terminal equipment, sending authentication failure prompt information to the terminal equipment;
And if the admission policy comprises that the service message sent by the terminal equipment is allowed to pass, sending prompt information of successful authentication to the terminal equipment.
The implementation process of the functions and roles of each module in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be described herein again.
Based on the method for controlling admission of a terminal device according to any of the above embodiments, the present application further provides a schematic structural diagram of an electronic device as shown in fig. 8. At the hardware level, as in fig. 8, the electronic device includes a processor, an internal bus, a network interface, a memory, and a non-volatile storage, although it may include hardware required for other services. The processor reads the corresponding computer program from the nonvolatile memory into the memory and then runs the computer program to realize the admission control method of the terminal equipment according to any embodiment.
The application also provides a computer storage medium storing a computer program which when executed by a processor is operable to perform a method for controlling admission of a terminal device as described in any of the above embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, of the flowcharts and block diagrams in the figures that illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A method for admission control of a terminal device, the method comprising:
Receiving equipment information sent by the terminal equipment; the equipment information comprises one or more of target security software installation conditions, security patch installation conditions and blacklist service operation conditions in the terminal equipment;
acquiring an admission strategy obtained after the equipment information is authenticated; the access policy is used for indicating one or more of access objects, message flow directions and access timeliness of the terminal equipment;
And based on the admission policy, carrying out corresponding processing on the service message sent by the terminal equipment.
2. The method of claim 1, wherein prior to said receiving the device information sent by the terminal device, the method further comprises:
receiving user information sent by the terminal equipment;
Acquiring a first authentication result of the user information;
and if the first authentication result indicates that the user information authentication is passed, sending a device detection item to the terminal device so that the terminal device returns the device information based on the device detection item.
3. The method according to claim 2, wherein the method further comprises:
And if the first authentication result indicates that the user information authentication fails, sending authentication failure prompt information to the terminal equipment.
4. The method of claim 1, wherein the obtaining the admission policy obtained after authenticating the device information comprises:
The equipment information is sent to a detection assembly for authentication, and a second authentication result is obtained;
And acquiring an admission strategy based on the second authentication result returned by the detection component.
5. The method of claim 4, wherein the obtaining the admission policy based on the second authentication result returned by the detection component comprises:
if the second authentication result indicates that the terminal equipment does not install the target security software and/or the security patch of the first security level, the access policy comprises allowing access to a software download server;
If the second authentication result indicates that the terminal equipment is not provided with the security patch of the second security level, the access policy comprises allowing the service message sent by the terminal equipment to pass within a set time; wherein the first security level is higher than the second security level;
if the second authentication result indicates that the terminal equipment runs the blacklist service, the admission strategy comprises blocking a service message sent by the terminal equipment;
And if the second authentication result indicates that the terminal equipment is in a safe state, the admission strategy comprises allowing the service message sent by the terminal equipment to pass.
6. The method of claim 5, wherein the method further comprises:
and if the second authentication result indicates that the terminal equipment is not provided with the security patch of the second security level and the authentication times exceed a preset time threshold, the access policy comprises allowing access to a software download server.
7. The method of claim 5, wherein the method further comprises:
If the access policy comprises permission to access a software download server, sending software and/or security patch installation prompt information to the terminal equipment;
If the access policy comprises that the access to the resource server is allowed in the set time, sending authentication success prompt information and/or security patch installation prompt information to the terminal equipment;
If the admission strategy comprises blocking the service message sent by the terminal equipment, sending authentication failure prompt information to the terminal equipment;
And if the admission policy comprises that the service message sent by the terminal equipment is allowed to pass, sending prompt information of successful authentication to the terminal equipment.
8. An admission control device for a terminal device, the device comprising:
the receiving module is used for receiving the equipment information sent by the terminal equipment; the equipment information comprises one or more of target security software installation conditions, security patch installation conditions and blacklist service operation conditions in the terminal equipment;
the acquisition module is used for acquiring an admission strategy obtained after the equipment information is authenticated; the access policy is used for indicating one or more of access objects, message flow directions and access timeliness of the terminal equipment;
and the processing module is used for correspondingly processing the service message sent by the terminal equipment based on the admission policy.
9. An electronic device, the electronic device comprising:
A processor;
A memory for storing processor-executable instructions;
wherein the processor, when invoking the executable instructions, performs the operations of the method of any of claims 1-7.
10. A computer readable storage medium having stored thereon computer instructions which when executed by a processor implement the steps of the method of any of claims 1-7.
CN202410207694.XA 2024-02-26 2024-02-26 Access control method and device for terminal equipment, electronic equipment and storage medium Pending CN118074978A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination