Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the corresponding listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, this information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the application. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
The communication method provided by the embodiment of the application is described in detail below. Referring to fig. 1, fig. 1 is a flowchart of a communication method according to an embodiment of the present application. The method is applied to a network device, and the communication method provided by the embodiment of the application can comprise the following steps.
Step 110, receiving a service message sent by the client through the SSL VPN tunnel, where the service message includes a resource access request message, and the resource access request message includes a destination address;
Specifically, the gateway has established an SSL VPN tunnel with the client. When a user wants to acquire network resources, the client generates a resource access request message, wherein the resource access request message comprises a destination address. After generating the resource access request message, the client encapsulates the tunnel header of the SSL VPN tunnel at the outer layer of the resource access request message; the tunnel header comprises the source end address and the destination end address of the SSL VPN tunnel, and the result is the service message.
The client sends the service message to the gateway through the SSL VPN tunnel. The service message comprises the resource access request message. The gateway receives the service message.
Step 120, according to the destination address, searching whether a table entry of a first application matched with the destination address exists in an application access authority table;
Specifically, following step 110, after receiving the service message the gateway first decapsulates it, stripping the tunnel header to obtain the resource access request message. The gateway then obtains the destination address from the resource access request message.
According to the destination address, the gateway searches a local application access authority table. The application access authority table comprises at least one table item, and each table item comprises an application identifier and the address corresponding to that application identifier. The application indicated by an application identifier is a resource that the controller authorizes the user to access after the controller authenticates the identity of the user corresponding to the terminal where the client is located and the identity authentication passes; at the same time, the application is under the protection of the gateway.
The gateway searches whether an entry of the first application matched with the destination address exists in the application access authority table. If there is no entry in the application access rights table for the first application that matches the destination address, the gateway performs step 130.
Optionally, if the table entry of the first application matching the destination address exists in the application access authority table, the gateway forwards the resource access request message to a resource server corresponding to the first application.
The process by which the controller authenticates the identity of the user corresponding to the terminal where the client is located, and the process by which the controller authorizes the user to access resources, are described in the following embodiments and are not repeated here.
Step 130, if no entry of the first application matching the destination address exists, judging whether the destination address belongs to the address range of the global application;
Specifically, following step 120, if there is no entry of the first application matching the destination address in the application access authority table, the gateway continues to determine whether the destination address belongs to the address range of the global application.
If the destination address belongs to the address range of the global application, the gateway performs step 140.
Optionally, if the destination address does not belong to the address range of the global application, the resource access request is discarded.
It should be noted that the gateway builds the global application locally according to the notification message issued by the controller. The process by which the gateway establishes the global application is described in the subsequent embodiments and is not repeated here.
Step 140, if the destination address belongs to the address range of the global application, sending a resource access request to a resource server corresponding to the global application.
Specifically, following step 130, if the destination address belongs to the address range of the global application, the gateway sends a resource access request to the resource server corresponding to the global application. There is at least one resource server corresponding to the global application, and the gateway can send the resource access request to each of them. If a resource server can process the resource access request, it performs the corresponding processing and sends a resource access response to the gateway; otherwise, the resource server discards the resource access request.
In the embodiment of the application, the global application is a temporarily accessible resource that the controller authorizes for the user. It is used to temporarily open resources within a certain range, so as to avoid the situation in which the user cannot acquire resource content because the administrator has not, within a short time, configured the authorized relationship between the user and the resource on the controller. In the embodiment of the application, the temporarily accessible resource is a non-critical resource of low security sensitivity; the short time may specifically be 1 day, 2 days, or the like.
Therefore, by applying the communication method provided by the application, the gateway receives the service message sent by the client through the SSL VPN tunnel, wherein the service message comprises a resource access request message which comprises a destination address; according to the destination address, in an application access authority table, the gateway searches whether a table item of a first application matched with the destination address exists or not; if the table item of the first application matched with the destination address does not exist, the gateway judges whether the destination address belongs to the address range of the global application; if the destination address belongs to the address range of the global application, the gateway sends a resource access request to a resource server corresponding to the global application.
In this way, when no application table item matches the destination address but the destination address belongs to the address range of the global application, the gateway still determines that authentication succeeds and forwards the service message to the resource server corresponding to the global application. This solves the problem in the prior art that, when the administrator has not within a short time configured on the SDP controller the resources opened to the user by authorization, the SDP gateway cannot authenticate the service message sent by the client, so that the user cannot acquire the resource content.
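The gateway-side path of steps 110 to 140 (decapsulation, lookup in the application access authority table, fallback to the global application range, otherwise discard), written out as an added Python illustration that is not the patent's own code. The 8-byte tunnel header layout, the table contents, the resource server addresses and the notification field names are constructed assumptions; the "default" application name, Access Type 4, Protocol 5 and the range 10.0.0.1-10.0.255.255 are the values given in the text.

```python
"""Gateway forwarding decision for steps 110 to 140 (added illustration, not
the patent's own code). Constructed layout: service message = 8-byte tunnel
header (4-byte tunnel source and destination endpoints) + inner IPv4 packet.
Table contents, server addresses and message field names are constructed."""
import ipaddress
import struct
from dataclasses import dataclass, field

TUNNEL_HEADER_LEN, IPV4_MIN_HEADER = 8, 20


@dataclass(frozen=True)
class AccessEntry:                  # one item of the application access authority table
    app_id: str
    network: ipaddress.IPv4Network  # address (or subnet) of the authorised application
    resource_server: str


@dataclass
class GlobalApplication:
    """Built from the controller's notification: Access Type 4 marks the global
    application, Protocol 5 means every protocol type matches (per the text)."""
    name: str = "default"
    protocol: int = 5
    ranges: list = field(default_factory=list)           # (first, last) address pairs
    resource_servers: list = field(default_factory=list)

    def contains(self, addr: ipaddress.IPv4Address) -> bool:
        return any(lo <= addr <= hi for lo, hi in self.ranges)


def build_global_application(notification: dict) -> GlobalApplication:
    """Create the global application from the notification's service list."""
    if notification.get("access_type") != 4:
        raise ValueError("notification does not describe a global application")
    app = GlobalApplication(notification.get("app_name", "default"),
                            notification["protocol"])
    for svc in notification["service_list"]:          # subnet written as first-last
        lo, hi = (ipaddress.IPv4Address(x) for x in svc["subnet"].split("-"))
        app.ranges.append((lo, hi))
    app.resource_servers = list(notification["resource_servers"])
    return app


def make_ipv4_header(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header for sample requests (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_HEADER, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def make_service_message(tunnel_src, tunnel_dst, client_ip, dest_ip) -> bytes:
    """Client side of step 110: tunnel header encapsulated around the request."""
    endpoints = b"".join(ipaddress.IPv4Address(a).packed for a in (tunnel_src, tunnel_dst))
    return endpoints + make_ipv4_header(client_ip, dest_ip)


def decapsulate(service_message: bytes) -> bytes:
    """Gateway side of step 110: strip the tunnel header, return the request."""
    if len(service_message) < TUNNEL_HEADER_LEN + IPV4_MIN_HEADER:
        raise ValueError("service message too short")
    request = service_message[TUNNEL_HEADER_LEN:]
    if request[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return request


def destination_address(request: bytes) -> ipaddress.IPv4Address:
    """Destination address field of the IPv4 header (bytes 16 to 19)."""
    return ipaddress.IPv4Address(request[16:20])


def decide(dest: ipaddress.IPv4Address, table, global_app) -> tuple:
    """Steps 120 to 140: authorised entry first, then global range, else discard."""
    for entry in table:                 # step 120: application access authority table
        if dest in entry.network:
            return "forward", [entry.resource_server]
    if global_app.contains(dest):       # steps 130 and 140: global application range
        return "forward_global", list(global_app.resource_servers)
    return "discard", []                # optional branch of step 130


def handle_service_message(msg: bytes, table, global_app) -> tuple:
    """Whole gateway path: decapsulate, read the destination, decide."""
    return decide(destination_address(decapsulate(msg)), table, global_app)


# Constructed samples: an authorised application and the controller's global application.
ACCESS_TABLE = [AccessEntry("crm", ipaddress.IPv4Network("10.1.1.0/24"), "10.1.1.10")]
GLOBAL_APP = build_global_application({
    "app_name": "default", "access_type": 4, "protocol": 5,
    "service_list": [{"protocol": 5, "subnet": "10.0.0.1-10.0.255.255", "port": 0}],
    "resource_servers": ["10.0.0.5", "10.0.0.6"],
})
```

A destination matched by the authority table is forwarded to that application's server only; a destination that misses the table but falls inside the global range is sent to every resource server of the global application; anything else is discarded.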
Optionally, in the embodiment of the present application, the method further includes a process that the gateway receives the notification message sent by the controller and establishes the global application.
Specifically, the administrator inputs a configuration instruction to the controller, the configuration instruction including a global resource address range. After receiving the configuration instruction, the controller acquires the global resource address range from the configuration instruction. The controller generates a notification message that includes the global resource address range, and sends the notification message to the gateway.
After receiving the notification message, the gateway acquires the global resource address range from the notification message. The gateway stores the global resource address range locally and creates the global application locally using the global resource address range.
Optionally, in the embodiment of the present application, a process that the gateway issues the routing information to the client is further included.
Specifically, after the client establishes a communication connection with the gateway, the client generates a handshake request and sends the handshake request to the gateway. After receiving the handshake request, the gateway sends a handshake response to the client according to the handshake request. The handshake response comprises routing information including the address range of the global application, the application address authorized by the controller, and next hop information indicating the SSL VPN tunnel portal of the SDP gateway.
After receiving the handshake response, the client obtains the address range of the global application, the application address authorized by the controller and the next hop information from the handshake response. The client generates a resource access route locally, wherein the resource access route comprises a destination address field and a next hop field, and the destination address field stores an address range of a global application and an application address authorized by the controller; the next hop field stores the SSL VPN tunnel portal of the gateway.
It should be noted that the notification message and the handshake response are messages that, in the existing scheme, the gateway already exchanges with the controller and with the client after a client accesses the zero trust network. In the embodiment of the application, on the basis of these existing messages, the global resource address range is carried in the notification message and the address range of the global application is carried in the handshake response, so that the gateway creates the global application locally and the client locally generates the route reaching the global application.
In the above-described embodiments, the communication method is briefly described. The communication method provided by the embodiment of the application is described in detail below. Referring to fig. 2 and fig. 3, fig. 2 is a signaling diagram of a service processing flow provided in an embodiment of the present application; fig. 3 is a signaling diagram of another service processing flow according to an embodiment of the present application.
In fig. 2, the zero trust network includes an SDP controller, a plurality of SDP gateways, and a plurality of terminals, each of which is configured with an SDP client. In the embodiment of the present application, an SDP gateway and an SDP client are described as examples. After the SDP controller and the SDP gateway are connected to the zero-trust network, the administrator inputs a configuration instruction to the SDP controller, where the configuration instruction includes a global resource address range (e.g., 10.0.0.1-10.0.255.255) and application attribute information protected by each SDP gateway. The application attribute information may specifically include an application name, an address, and the like.
After receiving the configuration instruction, the SDP controller stores the global resource address range and the application attribute information protected by each SDP gateway locally.
The SDP gateway starts a registration flow and sends a registration message to the SDP controller. According to the registration message, the SDP controller registers the SDP gateway locally. After the local registration succeeds, the SDP controller sends a registration success message to the SDP gateway. Meanwhile, the SDP controller obtains the global resource address range and the application attribute information of all the applications protected by the SDP gateway from its local storage. The SDP controller generates a notification message comprising the global resource address range and the application attribute information, and sends the notification message to the SDP gateway.
After receiving the notification message, the SDP gateway obtains the global resource address range and the application attribute information from the notification message. The SDP gateway stores the global resource address range locally and creates global applications locally using the global resource address range.
Further, the SDP controller treats the global resource address range as an application and issues it to the SDP gateway through the notification message. The notification message also includes an application name, an application identifier, an application type and a service list; the service list includes protocol type, subnet and port. For example:
the application name is fixed as "default"; the Access Type is 4, which indicates a global application; and the Protocol is 5, which reuses the existing protocol field and indicates that all protocol types are matched. After receiving the notification message, the SDP gateway creates the corresponding global application locally according to the message content.
The SDP gateway stores the application attribute information of all the applications protected by the SDP gateway locally, and establishes an application attribute table locally through the application attribute information. The application attribute table includes information such as an application name, an address, etc. of each application protected by the SDP gateway.
After the terminal accesses the zero trust network, the SDP client configured in the terminal starts an authentication process. The SDP client sends an SPA message and a login request to the SDP controller. After the SDP controller authenticates the identity of the user corresponding to the terminal and the identity authentication passes, the SDP controller authorizes for the user the accessible resources (which may be part or all of the applications protected by each SDP gateway), an IP address allocated to the SDP client, a user token, and the like.
The SDP controller again sends a notification message to the SDP gateway, which includes the user online event, the user name, the user token, the terminal identifier, the IP address assigned to the SDP client, and the list of accessible applications. At the same time, the SDP controller also sends a login response to the SDP client, which notifies the SDP client that the login succeeded. The login response also includes the user token, the SDP gateway information accessible to the SDP client, and the corresponding resource list. The accessible gateway information comprises the address of the SDP gateway.
After receiving the notification message, the SDP gateway establishes and maintains an application access permission table locally. The application access permission table is used for recording the relation between each online user and the resources authorized by the SDP controller. The application access rights table includes accessible application information, such as application names, addresses, etc. of the accessible applications. The application access rights table also includes relevant information on the user side, such as the user token, the terminal identification, the IP address of the SDP client, etc.
Of course, if the risk level of the online user changes, the controller may also adjust the resource authority granted to the online user and send a notification message to the SDP gateway again, where the notification message includes the user token and the accessible application list after the authority adjustment. After receiving the notification message, the SDP gateway updates the local application access permission table.
If the user no longer accesses the network resources, the SDP client sends an offline request to the SDP controller. After receiving the offline request, the SDP controller carries out offline processing on the SDP client. The SDP controller again sends a notification message to the SDP gateway, which includes the user token and offline information.
After receiving the notification message, the SDP gateway acquires and deletes the corresponding table entry in the application access permission table according to the user token. Meanwhile, the SDP gateway disconnects the SSL VPN tunnel established with the SDP client.
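The lifecycle of the application access permission table described in the fig. 2 flow (entry created on the user online event, replaced on an authority adjustment, deleted on offline together with tunnel teardown), as an added Python illustration that is not the patent's own code. The event names, field names, tokens and addresses are constructed assumptions; the three events and the token-keyed lookup are what the text describes.

```python
"""Application access permission table kept by the SDP gateway and driven by
the SDP controller's notification messages (added illustration for the
fig. 2 flow, not the patent's own code). Event names, field names and sample
values are constructed; the three events are the ones the text describes."""
from dataclasses import dataclass


@dataclass
class PermissionEntry:
    user_name: str
    terminal_id: str
    client_ip: str          # IP address the controller assigned to the SDP client
    apps: dict              # accessible application name -> address


class PermissionTable:
    """Entries are keyed by user token, which is how the gateway finds them."""

    def __init__(self):
        self.entries = {}
        self.closed_tunnels = []    # SDP client IPs whose SSL VPN tunnel was torn down

    def handle_notification(self, msg: dict) -> None:
        event, token = msg["event"], msg["user_token"]
        if event == "user_online":              # user online event: create the entry
            self.entries[token] = PermissionEntry(msg["user_name"], msg["terminal_id"],
                                                  msg["client_ip"], dict(msg["accessible_apps"]))
        elif event == "authority_adjust":       # risk changed: replace the app list
            if token not in self.entries:
                raise KeyError(f"authority adjustment for unknown token {token!r}")
            self.entries[token].apps = dict(msg["accessible_apps"])
        elif event == "user_offline":           # offline: delete entry, close tunnel
            entry = self.entries.pop(token, None)
            if entry is not None:
                self.closed_tunnels.append(entry.client_ip)
        else:
            raise ValueError(f"unknown notification event {event!r}")

    def authorised(self, token: str, app_name: str) -> bool:
        entry = self.entries.get(token)
        return entry is not None and app_name in entry.apps


# Constructed notification sequence for one user session.
SAMPLE_NOTIFICATIONS = [
    {"event": "user_online", "user_token": "tok-1", "user_name": "alice",
     "terminal_id": "term-1", "client_ip": "100.64.0.2",
     "accessible_apps": {"crm": "10.1.1.10", "wiki": "10.1.2.10"}},
    {"event": "authority_adjust", "user_token": "tok-1",
     "accessible_apps": {"crm": "10.1.1.10"}},
    {"event": "user_offline", "user_token": "tok-1"},
]


def replay(notifications, upto: int) -> PermissionTable:
    """Apply the first `upto` notifications and return the resulting table."""
    table = PermissionTable()
    for msg in notifications[:upto]:
        table.handle_notification(msg)
    return table
```

An adjustment for a token with no online entry is rejected rather than silently creating an entry, since only the online event carries the user-side information the table records.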
In fig. 3, after receiving a login response sent by the SDP controller, the SDP client obtains a user token, accessible gateway information, and a corresponding resource list from the login response.
Based on the accessible gateway information, the SDP client generates and sends an SPA message to the SDP gateway, which is used to establish a communication connection, e.g., a TCP connection, with the SDP gateway. After the SDP client establishes communication connection with the SDP gateway, a handshake request is generated and sent to the SDP gateway.
After receiving the handshake request, the SDP gateway sends a handshake response to the SDP client according to the handshake request. The handshake response includes the IP address and routing information assigned by the SDP controller for the SDP client. It is understood that the handshake response may also include DNS information. The routing information includes an address range of the global application, an application address authorized by the SDP controller, and next hop information, wherein the next hop information indicates an SSL VPN tunnel portal of the SDP gateway.
After the SDP client receives the handshake response, it acquires the IP address and the routing information from the handshake response. Using the IP address, the SDP client establishes an SSL VPN tunnel with the SDP gateway. Meanwhile, the SDP client creates a virtual network card locally and configures the IP address as the network address of the virtual network card. The SDP client obtains the address range of the global application, the application address authorized by the SDP controller and the next hop information from the routing information. The SDP client generates a resource access route locally, wherein the resource access route comprises a destination address field and a next hop field; the destination address field stores the address range of the global application and the application address authorized by the SDP controller, and the next hop field stores the SSL VPN tunnel portal of the SDP gateway.
When a user wants to access network resources through the SDP client, the SDP client generates a resource access request message comprising a destination address. After generating the resource access request message, the SDP client encapsulates the tunnel header of the SSL VPN tunnel at the outer layer of the resource access request message to obtain a first service message.
The SDP client sends the first service message to the SDP gateway through the SSL VPN tunnel. The first service message includes the resource access request message. The SDP gateway receives the first service message.
After receiving the first service message, the SDP gateway first decapsulates it, stripping the tunnel header to obtain the resource access request message. The SDP gateway then obtains the destination address from the resource access request message. According to the destination address, the SDP gateway searches whether a table entry of the first application matching the destination address exists in the local application access authority table.
If the application access authority table contains the table item of the first application matched with the destination address, the SDP gateway forwards the resource access request message to the resource server corresponding to the first application. If the table item of the first application matched with the destination address does not exist in the application access authority table, the SDP gateway continues to judge whether the destination address belongs to the address range of the global application.
If the destination address does not belong to the address range of the global application, the SDP gateway discards the resource access request.
If the destination address belongs to the address range of the global application, the SDP gateway sends a resource access request to a resource server corresponding to the global application.
After the SDP gateway sends the resource access request to the resource server, the resource server processes the resource access request, then generates a resource access response message and sends it to the SDP gateway. After receiving the resource access response message, the SDP gateway encapsulates the tunnel header of the SSL VPN tunnel at the outer layer of the resource access response message to obtain a second service message.
The SDP gateway sends the second service message to the SDP client, and the SDP client receives the response to the resource access request through the second service message.
Based on the same inventive concept, the embodiment of the application also provides a communication device corresponding to the communication method. Referring to fig. 4, fig. 4 is a communication device provided by an embodiment of the present application, where the device is applied to a gateway, and the gateway has established an SSL VPN tunnel with a client, and the device includes:
a receiving unit 410, configured to receive, through the SSL VPN tunnel, a service packet sent by the client, where the service packet includes a resource access request packet, and the resource access request packet includes a destination address;
a searching unit 420, configured to search, according to the destination address, in an application access authority table, whether an entry of a first application matching the destination address exists;
a judging unit 430, configured to judge whether the destination address belongs to an address range of the global application if there is no entry of the first application that matches the destination address;
and the sending unit 440 is configured to send a resource access request to a resource server corresponding to the global application if the destination address belongs to an address range of the global application.
Optionally, the receiving unit 410 is further configured to receive a notification message sent by the controller, where the notification message includes a global resource address range;
the apparatus further comprises: a creating unit (not shown in the figure) for locally storing the global resource address range and locally creating the global application using the global resource address range;
the global resource address range is configured in the controller by the administrator through a configuration instruction.
Optionally, the receiving unit 410 is further configured to receive a handshake request sent by the client;
the sending unit 440 is further configured to send, according to the handshake request, a handshake response to the client, where the handshake response includes routing information, and the routing information includes an address range of the global application, an application address authorized by the controller, and next hop information, so that the client generates a resource access route;
wherein the next hop information indicates an SSL VPN tunnel portal of the gateway.
Optionally, the sending unit 440 is further configured to forward the resource access request packet to a resource server corresponding to the first application if there is an entry of the first application that matches the destination address;
the first application is a resource that the controller opens to the user by authorization after the controller authenticates the identity of the user corresponding to the terminal where the client is located and the identity authentication passes.
Optionally, the apparatus further comprises: a discarding unit (not shown in the figure) configured to discard the resource access request if the destination address does not belong to the address range of the global application.
Therefore, by using the communication method and device provided by the application, the gateway receives the service message sent by the client through the SSL VPN tunnel, wherein the service message comprises a resource access request message which comprises a destination address; according to the destination address, in an application access authority table, the gateway searches whether a table item of a first application matched with the destination address exists or not; if the table item of the first application matched with the destination address does not exist, the gateway judges whether the destination address belongs to the address range of the global application; if the destination address belongs to the address range of the global application, the gateway sends a resource access request to a resource server corresponding to the global application.
In this way, when no application table item matches the destination address but the destination address belongs to the address range of the global application, the gateway still determines that authentication succeeds and forwards the service message to the resource server corresponding to the global application. This solves the problem in the prior art that, when the administrator has not within a short time configured on the SDP controller the resources opened to the user by authorization, the SDP gateway cannot authenticate the service message sent by the client, so that the user cannot acquire the resource content.
Based on the same inventive concept, the embodiment of the present application also provides a network device, as shown in fig. 5, including a processor 510, a transceiver 520, and a machine-readable storage medium 530, where the machine-readable storage medium 530 stores machine-executable instructions that can be executed by the processor 510, and the machine-executable instructions cause the processor 510 to perform the communication method provided by the embodiment of the present application. The communication device shown in fig. 4 may be implemented using the hardware structure of the network device shown in fig. 5.
The computer-readable storage medium 530 may include a random access memory (RAM) or a non-volatile memory, such as at least one magnetic disk memory. Optionally, the computer-readable storage medium 530 may also be at least one storage device located remotely from the aforementioned processor 510.
The processor 510 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components.
In an embodiment of the present application, the processor 510 reads the machine-executable instructions stored in the machine-readable storage medium 530, and the instructions cause the processor 510 itself to implement, and to invoke the transceiver 520 to perform, the communication methods described in the previous embodiments of the present application.
Additionally, embodiments of the present application provide a machine-readable storage medium 530 storing machine-executable instructions that, when invoked and executed by the processor 510, cause the processor 510 itself to implement, and to invoke the transceiver 520 to perform, the communication methods described in the foregoing embodiments of the present application.
The implementation process of the functions and roles of each unit in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be described herein again.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The apparatus embodiments described above are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purposes of the present application. Those of ordinary skill in the art will understand and implement the present application without undue burden.
For the communication device and the machine-readable storage medium embodiments, since the method content involved is substantially similar to the method embodiments described above, the description is relatively simple, and reference will only be made to part of the description of the method embodiments.
The foregoing description of the preferred embodiments of the application is not intended to be limiting, but rather to enable any modification, equivalent replacement, improvement or the like to be made within the spirit and principles of the application.