Disclosure of Invention
Compared with related-art schemes that require SSL offloading (terminating the encrypted connection at the gateway), the access control method and access control device of the present application achieve fine-grained access control based on the application type without heavily consuming the performance of the gateway equipment.
In a first aspect, some embodiments of the present application provide an access control method, including: receiving traffic data, wherein the traffic data comprises a packet encapsulated using the https protocol; determining an application category according to the destination IP address of the packet, wherein the application category comprises news, entertainment, or music; and determining whether to block or pass the traffic data according to an access control rule and the application category.
Some embodiments of the application determine the application type from the destination IP address of the received http protocol-based packet data and perform access control based on that application type. Compared with related-art approaches to controlling access traffic by application type, this effectively reduces the resource consumption of access control equipment such as a gateway or a firewall and increases processing speed.
In some implementations, before the application class is determined from the destination IP address of the packet, the access control method further includes generating an application classification information table that contains a plurality of destination IP addresses and the application category corresponding to each of them.
Some embodiments of the application can record the mapping relationship between the destination IP address and the application type through a pre-stored application classification information table, so that the application type can be conveniently queried in real time when access control devices such as a gateway or a firewall receive flow data.
In some embodiments, generating the application classification information table (a plurality of destination IP addresses and the application category corresponding to each of them) includes: acquiring domain name information from a received DNS request message; obtaining the application classification corresponding to the domain name by looking the domain name information up in a domain name classification library; and recording the destination IP address of the data packets corresponding to the DNS response packet for that DNS request message (i.e., the resolved address) together with the application classification, generating one entry in the application classification information table.
In some embodiments of the present application, the application type is determined based on the analysis of the DNS message data, and the destination IP address is determined based on the DNS response message, so as to store the correspondence table between the destination IP address and the application type.
In some embodiments, the access control rule comprises at least blocking the traffic data corresponding to one of a plurality of application categories.
In some embodiments of the present application, the access control rule at least includes a rule that restricts a certain type of application category, thereby improving the access control effect on the application category.
In a second aspect, some embodiments of the present application provide an access control device, comprising: a receiving module configured to receive traffic data, wherein the traffic data comprises a packet encapsulated using the https protocol; an application category determination module configured to determine an application category according to a destination IP address of the packet, wherein the application category includes news, entertainment, or music; and an access control module configured to determine whether to block or pass the traffic data according to an access control rule and the application category.
In a third aspect, some embodiments of the present application provide a gateway configured to: parse a received DNS request message to obtain domain name information; obtain the application classification corresponding to the domain name by looking the domain name information up in a domain name classification library; and record the destination IP address of the data packets corresponding to the DNS response packet for the DNS request message together with the application classification, generating an entry in an application classification information table.
In some embodiments, the gateway is further configured to: when https-protocol traffic data is received, search the application classification information table using the destination IP address as the key to obtain the application class corresponding to the connection; and block or pass the traffic data corresponding to the identified application type according to the access control rule.
In a fourth aspect, some embodiments of the present application provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method of the first aspect described above.
In a fifth aspect, some embodiments of the present application provide an information processing apparatus comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, may implement the method of the first aspect.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Some embodiments of the present application may address application-based access control of encrypted traffic without acting as a transparent proxy in an https environment. For example, in some embodiments of the present application, a terminal usually sends a Domain Name System (DNS) request message before it accesses a server; the application classification corresponding to the requested domain name is looked up and recorded, so that an application-based access control policy can be applied to traffic accessing the address (e.g., the destination IP address) corresponding to that domain name.
Referring to fig. 1, fig. 1 is a schematic diagram illustrating components of an access control system according to some embodiments of the present application.
The access control system of fig. 1 includes an access terminal 100 (for example, an intelligent processing device such as a computer or a mobile phone), an access control apparatus 600, a DNS domain name resolution server 200, and an https server 300.
Unlike the related art, the access control apparatus 600 of some embodiments of the present application is configured to identify a DNS request message sent by the access terminal 100 and parse it to acquire the application class corresponding to the requested domain name; the access control apparatus 600 then obtains the destination IP address from the DNS response packet that the DNS name resolution server 200 returns for that DNS request packet, and stores the correspondence between the destination IP address and the application type, obtaining an application type information table.
Unlike the related art, the access control device 600 according to some embodiments of the present application, upon receiving https traffic data from the https server 300, acquires the destination IP addresses of the traffic data and identifies the application class corresponding to the traffic data based on those addresses. After acquiring the application category, the access control device determines whether to allow the received https traffic data to pass based on the access control rule.
As shown in fig. 1, the access control apparatus 600 may include a gateway 400 and a firewall 500 in some embodiments, where the gateway 400 is configured to generate the above-mentioned application category information table based on the DNS packets and to obtain the application category 410 based on the destination IP address of the https traffic data, and the corresponding firewall 500 obtains the application category 410 from the gateway 400 and determines whether to allow the https traffic data to pass according to a plurality of access control rules stored on it.
It should be noted that in other embodiments of the present application, the access control apparatus 600 of fig. 1 may include only the firewall 500; in this case, the firewall 500 may be configured to generate the above-mentioned application category information table based on the DNS packets, to obtain the application category 410 based on the destination IP address of the https traffic data, and to determine whether to allow the https traffic data to pass according to the application access control rule and the application category 410. That is, the access control apparatus 600 of some embodiments of the present application includes the gateway 400 and the firewall 500 (as shown in fig. 1), while in other embodiments the access control apparatus 600 of the present application may include only the firewall, in which case the firewall 500 must also integrate the functions of the gateway 400. The access control rule may restrict the passage of traffic data for a certain class of application, e.g. prevent traffic data of entertainment-class applications from passing through the firewall.
Fig. 2 exemplarily illustrates the gateway 400 included in the access control apparatus 600 of fig. 1 and a part of the functional modules included in the firewall 500.
The gateway 400 of fig. 2 includes an application classification lookup unit 401, an application classification information base 402, and a destination IP address extraction unit 403. In some embodiments, the application classification lookup unit 401 is configured to parse the DNS request packet received by the gateway 400 to obtain domain name information, and to obtain the application classification information corresponding to the domain name by looking the domain name up in a domain name classification library. The application classification information base 402 is configured to store a correspondence table between the application class obtained by the query and the IP address (the IP address corresponding to the domain name carried in the DNS request packet). The destination IP address extraction unit 403 is configured to, when https (Hypertext Transfer Protocol over Secure Socket Layer) traffic is received, search the application classification information table using the destination IP address as the key and obtain the application class corresponding to the connection. Accordingly, the firewall 500 of fig. 2 is configured to determine whether the https traffic data is allowed to pass based on the pre-stored access control rule base 510 and the application class 410 transmitted by the gateway 400.
It should be noted that fig. 2 is only used to illustrate some functional units or storage units in the gateway 400 and the firewall 500 (for example, a database unit in the gateway 400 for storing application classification information, or a storage unit in the firewall 500 for storing access control rules), and these functional units may be software functional modules solidified in the operating system of the gateway 400. In some embodiments, the functional units of the gateway 400 may be integrated in the firewall 500, that is, the firewall 500 may include the application classification lookup unit 401, the application classification information base 402, the destination IP address extraction unit 403, and the access control rule base 510 at the same time.
An access control method performed on the access control apparatus 600 is exemplarily described below with reference to fig. 3.
As shown in fig. 3, some embodiments of the present application provide an access control method, including: S101, receiving traffic data, wherein the traffic data comprises a packet encapsulated using the https protocol; S102, determining an application type according to the destination IP address of the packet, wherein the application type comprises news, entertainment, or music; and S103, determining whether to block or pass the traffic data according to the access control rule and the application category. For example, the destination IP address of the received packet is matched against the application information look-up table to obtain the specific application category or application type corresponding to the packet.
In order to obtain the application category corresponding to the destination IP address, in some implementations, before S102 is performed, the access control method further includes generating an application classification information table that contains a plurality of destination IP addresses and the application category corresponding to each of them. For example, the process of generating the application classification information table includes: acquiring domain name information from a received DNS request message; obtaining the application classification corresponding to the domain name by looking the domain name information up in a domain name classification library; and recording the destination IP address of the data packets corresponding to the DNS response packet for that DNS request message together with the application classification, generating one entry in the application classification information table.
In some embodiments, the access control rule of S103 comprises at least blocking the traffic data corresponding to one of a plurality of application classes. In some embodiments of the present application, the access control rule at least includes a rule that restricts a certain type of application category, thereby improving the access control effect on that application category.
The process of generating application classification information is illustrated below in conjunction with fig. 4.
S201, the gateway 400 processes the data packet and confirms that the received packet is a DNS message.
S202, judging whether the message is a DNS request message: if it is a DNS request message, S206 is executed to record the domain name in the domain name classification information table, and then S205 is executed; if the DNS message is not a DNS request message (i.e., it is a response), S203 is executed.
S203, searching the domain name request information in the domain name information table, and recording the corresponding relation.
S204, searching a domain name classification library and marking the item of the domain name.
S205, generating an entry in the application classification information table, namely the correspondence between the application classification and the destination IP address.
That is, the gateway of the embodiment of the present application is configured to: when a DNS request message is received, parse the DNS request packet to acquire the requested domain name information; look the acquired domain name information up in the domain name classification library to obtain the application classification information to which the domain name belongs; pass the DNS request packet; and, when the response packet corresponding to that DNS request packet arrives at the gateway (or firewall), parse the DNS response packet to acquire the IP address information corresponding to the domain name (namely, the destination IP address of the data packets corresponding to the DNS response packet). The application classification information table is then built from the IP address information and the application classification information corresponding to the domain name.
It should be noted that, taking the access control device 600 of fig. 1 as an example, when the firewall 500 receives traffic data encapsulated with the https protocol in the network, the destination IP address in the packet is used as the key to search the application classification information table, so as to obtain the application classification to which the traffic belongs. The firewall 500 then blocks or passes the application traffic according to the policy rules.
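The table-building steps of fig. 4 (S201 to S205) and the firewall lookup described above, as an added example that is not part of the patent text: a minimal gateway that pairs DNS requests with their responses to fill the application classification information table, and a firewall decision that matches an https flow by destination IP address only, never touching the TLS payload. The domain name classification library, transaction ids, domain names and addresses are all constructed sample data; the handling of one address reached through domains of different categories (a shared CDN edge) is my addition, resolved fail-closed.

```python
"""Constructed example of the DNS-driven application classification gateway."""
from dataclasses import dataclass, field

# Constructed stand-in for the "domain name classification library".
DOMAIN_CLASS_LIB = {
    "news.example": "news",
    "video.example": "entertainment",
    "tunes.example": "music",
}


@dataclass
class DnsRequest:
    txid: int      # DNS transaction id, used to pair request and response
    qname: str     # queried domain name


@dataclass
class DnsResponse:
    txid: int
    answers: list  # resolved IPv4 addresses (A records) for the query


@dataclass
class Gateway:
    # S202/S206: pending requests keyed by transaction id -> (domain, category).
    pending: dict = field(default_factory=dict)
    # S205: application classification table, destination IP -> set of
    # categories.  A set is kept because one address (a shared CDN edge, for
    # instance) can be reached via domains that belong to different categories.
    app_table: dict = field(default_factory=dict)

    def classify_domain(self, qname: str) -> str:
        # S204: look the domain up in the classification library, walking the
        # parent labels so "www.news.example" inherits the "news.example" entry.
        labels = qname.rstrip(".").lower().split(".")
        for i in range(len(labels)):
            cat = DOMAIN_CLASS_LIB.get(".".join(labels[i:]))
            if cat:
                return cat
        return "unknown"

    def on_dns_request(self, req: DnsRequest) -> None:
        # S202/S206: remember the domain and its category until the reply comes.
        self.pending[req.txid] = (req.qname, self.classify_domain(req.qname))

    def on_dns_response(self, resp: DnsResponse) -> int:
        # S203/S205: pair the reply with its request and record IP -> category.
        entry = self.pending.pop(resp.txid, None)
        if entry is None:
            return 0  # unsolicited or already consumed reply: nothing recorded
        _domain, cat = entry
        for ip in resp.answers:
            self.app_table.setdefault(ip, set()).add(cat)
        return len(resp.answers)

    def lookup(self, dst_ip: str) -> set:
        # S102: application class of an https flow, by destination IP only.
        return self.app_table.get(dst_ip, {"unknown"})


def firewall_decision(categories: set, blocked: set) -> str:
    # S103: block when any category recorded for the address is restricted
    # (fail-closed for addresses shared between categories).
    return "block" if categories & blocked else "pass"


def demo() -> dict:
    gw = Gateway()
    gw.on_dns_request(DnsRequest(0x1A2B, "www.video.example"))
    gw.on_dns_response(DnsResponse(0x1A2B, ["203.0.113.10"]))
    gw.on_dns_request(DnsRequest(0x3C4D, "news.example"))
    # 203.0.113.10 is now shared by an entertainment and a news domain.
    gw.on_dns_response(DnsResponse(0x3C4D, ["203.0.113.20", "203.0.113.10"]))
    rules = {"entertainment"}  # the rule used as the example in the text
    return {ip: firewall_decision(gw.lookup(ip), rules)
            for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.99")}


if __name__ == "__main__":
    print(demo())
```

An address that was never seen in a DNS response is classified "unknown" and passes under this rule set; a deployment that wants to deny unclassified destinations simply adds "unknown" to the blocked set.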
Referring to fig. 5, fig. 5 shows an access control device according to an embodiment of the present application. It should be understood that the device corresponds to the method embodiment of fig. 3 and is capable of executing the steps of that method embodiment; for the specific functions of the device, reference may be made to the description above, and a detailed description is omitted here to avoid redundancy. The device comprises at least one software functional module which can be stored in a memory in the form of software or firmware or solidified in the operating system of the device, and the access control device comprises: a receiving module 501, configured to receive traffic data, where the traffic data includes a packet encapsulated using the https protocol; an application class determining module 502, configured to determine an application class according to the destination IP address of the packet, where the application class includes news, entertainment, or music; and an access control module 503, configured to determine whether to block or pass the traffic data according to an access control rule and the application category. It should be noted that in some embodiments, such as that of fig. 1, the receiving module 501 and the application class determining module 502 are integrated in the gateway 400 of fig. 1, and the access control module 503 is integrated in the firewall 500. In other embodiments (i.e., where the access control apparatus 600 includes only a firewall), the receiving module 501, the application class determining module 502 and the access control module 503 are all integrated into the firewall of fig. 1.
It should be noted that, as will be clear to those skilled in the art, for convenience and brevity of description, the specific working process of the apparatus described above may refer to the corresponding process in the method of fig. 3, and will not be described in detail herein. For example, for how to generate the application classification information table according to the DNS packet to execute the S102 process, reference may be made to the description in the above method, which is not described herein again.
Some embodiments of the present application provide a gateway (such as the gateway 400 of fig. 1) configured to: parse a received DNS request message to obtain domain name information; obtain the application classification corresponding to the domain name by looking the domain name information up in a domain name classification library; and record the destination IP address of the data packets corresponding to the DNS response packet for the DNS request message together with the application classification, generating an entry in an application classification information table. In some embodiments, the gateway is further configured to: when https-protocol traffic data is received, search the application classification information table using the destination IP address as the key to obtain the application class corresponding to the connection; and block or pass the traffic data corresponding to the identified application type according to the access control rule.
It should be noted that, as will be clearly understood by those skilled in the art, for convenience and brevity of description, the specific working process of the gateway described above may refer to the corresponding process in the method in fig. 3, and redundant description is not repeated here.
Some embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, may implement the method described above with respect to fig. 3.
As shown in fig. 6, some embodiments of the present application provide an information processing apparatus 601, which includes a memory 610, a processor 620, and a computer program stored on the memory 610 and executable on the processor 620, wherein the processor 620 can implement the method shown in fig. 3 when executing the program (reading the program from the memory 610 via the bus 630 and executing it), and can also be used to implement the methods described in the above embodiments.
The processor 620 may process digital signals and may include various computing structures, such as a complex instruction set computer architecture, a reduced instruction set computer architecture, or an architecture that implements a combination of instruction sets. In some examples, the processor 620 may be a microprocessor.
The memory 610 may be used to store instructions that are executed by the processor 620 or data related to the execution of the instructions. The instructions and/or data may include code for performing some or all of the functions of one or more of the modules described in embodiments of the application. The processor 620 of the disclosed embodiment may be used to execute instructions in the memory 610 to implement the method shown in fig. 3. The memory 610 includes dynamic random access memory, static random access memory, flash memory, optical memory, or other memory known to those skilled in the art.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.