CN114900372B - Resource protection system based on zero trust security sentinel system - Google Patents
- Publication number: CN114900372B (application CN202210794860.1A)
- Authority: CN (China)
- Legal status: Active (status as listed by Google Patents; not a legal conclusion)
Classifications
- H04L63/0876: Network security; authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L41/024: Network management; standardisation and integration using relational databases for representation of network management data, e.g. managing via structured query language [SQL]
- H04L41/0631: Management of faults, events, alarms or notifications using root cause analysis or analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- H04L63/10: Network security; controlling access to devices or network resources
- H04L63/1441: Network security; countermeasures against malicious traffic
- H04L9/0894: Key distribution or management; escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- H04L9/3226: Entity authentication or message authentication using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3263: Entity authentication or message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
Abstract
The invention discloses a resource protection system based on a zero trust security sentinel system, belonging to the technical field of zero trust resource protection. The system comprises an operation management platform, a password storage service module, a sentinel module, a CA certificate module, an information verification module and a data interaction module. The operation management platform executes the operations of a system administrator and adds basic components; the password storage service module provides a password storage service that stores the sensitive information of the basic components; the sentinel module creates server-side sentinels and client-side sentinels; the CA certificate module generates, verifies and revokes sentinel certificates; the information verification module verifies identity information; and the data interaction module lets the server-side sentinel take an available connection from the connection pool, decode the encrypted data packet and forward the decoded packet to the basic component, forming trusted data interaction with the basic component.
Description
Technical Field
The invention relates to the technical field of zero trust resource protection, in particular to a resource protection system based on a zero trust security sentinel system.
Background
Microservices, a software development approach that has become common in recent years and is popular with developers, advocate splitting a single application into a set of small services that coordinate with each other to deliver the final value to users. Running microservices generally depends on basic components such as mysql, redis and mongodb, and the credentials used to connect to and authenticate against these components are typically stored directly in the microservice's configuration file or environment variables. This approach has several defects. On the one hand, the code quality of every microservice cannot be fully guaranteed, so there is a risk of information leakage; on the other hand, the sensitive authentication information can be obtained by operations or development staff, so there is a risk of human error. Once database connection information leaks, the database can be attacked continuously by unauthorized persons using vulnerability scanning; research by the network security company Imperva shows that approximately half of scanned databases contain CVE vulnerabilities, which makes data access authorization and security protection very important. Most enterprises, however, do not implement sufficient protection.
Existing approaches do not solve these problems well. First, there is a management problem: a unified management system for centralized control is lacking, and client IP addresses are difficult to update in real time when their number is huge. Second, the security protection has a gap: once a client-side microservice is compromised, the basic component is fully exposed to the attacker, because the protection rests on the premise that the client-side microservice itself is highly secure. From the perspective of unified control and a self-contained security loop, current technical means lack an effective resource protection system.
Disclosure of Invention
The invention aims to provide a resource protection system based on a zero trust security sentinel system so as to solve the problems described in the background.
To solve these technical problems, the invention provides the following technical solution: the resource protection system based on the zero trust security sentinel system comprises an operation management platform, a password storage service module, a sentinel module, a CA certificate module, an information verification module and a data interaction module;
the operation management platform executes the operations of a system administrator and adds basic components; the password storage service module provides a password storage service that stores the sensitive information of the basic components; the sentinel module creates server-side sentinels and client-side sentinels; the CA certificate module generates, verifies and revokes sentinel certificates, and when a client-side sentinel and a server-side sentinel communicate with each other the validity of each party's identity is verified through the CA certificate module; the information verification module decodes the encrypted data packet transmitted by the client-side sentinel after the server-side sentinel receives it, verifies the submitted identity information, and if verification fails terminates the flow and outputs an error response packet in the protocol format of the corresponding basic component; if verification succeeds it responds with an authentication-success packet, and command authentication, auditing, logging and abnormal-alarm operations continue; and the data interaction module lets the server-side sentinel take an available connection from the connection pool, decode the encrypted data packet and forward the decoded packet to the basic component, forming trusted data interaction with the basic component.
According to the above technical solution, a system administrator adds a protected basic component through the operation management platform; the operation management platform generates a unique component ID for the protected basic component, constructs the sensitive information associated with the component ID, and stores that sensitive information encrypted in the password storage service module;
the sensitive information comprises the connection information, authentication identity, component type, virtual identity and real identity of the basic component.
According to the above technical solution, a system administrator creates a server-side sentinel certificate through the sentinel module:
the system administrator selects the basic component to be protected from the list of added protected basic components and calls the CA certificate module to generate the x509 certificate used by the server-side sentinel, and the ID of the protected basic component is recorded in the certificate;
server-side sentinel configuration information is created, comprising authentication identity information based on the basic component protocol, a log output address, a command restriction type, a blacklist and whitelist, and a list of restricted commands;
the authentication identity information based on the basic component protocol comprises the pem-format certificate, the private key of the pem-format certificate, the password storage address, the password storage service verification token and the server-side sentinel listening address;
and the system administrator downloads the server-side sentinel certificate and the server-side sentinel binary program through the operation management platform and deploys the server-side sentinel.
According to the above technical solution, the sentinel module further comprises:
after the server-side sentinel starts, a tls listening service is started according to the server-side sentinel listening address, the pem-format server-side sentinel certificate and its private key in the server-side sentinel configuration information;
after the listener starts successfully, the password storage service module is requested, using the password storage address and the password storage service verification token, to load an identity list, wherein the identity list comprises virtual identities and real identities;
and a connection with the basic component instance is established in advance for each real identity and its connection information; when a connection fails, an error log is emitted to the log platform address recorded in the log output address, and when a connection is normal it is placed in the connection pool for later use.
According to the above technical solution, the server-side sentinel can be deployed in two modes:
deploying the server-side sentinel at the near end of the protected basic component, with the server-side sentinel and the protected basic component communicating efficiently in unix domain shared memory mode;
or deploying the server-side sentinel in the same intranet environment as the basic component and communicating over tcp.
Which mode is used depends on the size of the cluster: when there is only one host or a few hosts, the server-side sentinel is deployed at the near end of the protected basic component; in a machine-room setting with a cluster, the server-side sentinel is deployed in the same intranet environment as the basic component and communicates over tcp (transmission control protocol). Deploying the server-side sentinel at the near end of the protected basic component is safer and performs better than deploying it in the same intranet environment as the basic component.
According to the above technical solution, a system administrator creates a client-side sentinel certificate through the sentinel module, selects from the list of added server-side sentinels one or more server-side sentinels that the client-side sentinel is authorized to access, and calls the CA certificate module to generate the x509 certificate used by the client-side sentinel, with the client-side sentinel configuration information recorded in the certificate;
the client-side sentinel configuration information comprises the pem-format client-side sentinel certificate, the private key of the pem-format client-side sentinel certificate, the server-side sentinel address and the client-side sentinel listening address;
and the system administrator downloads the client certificate and the client-side sentinel binary program through the operation management platform and deploys them at the near end of the client for the client service to connect to.
According to the above technical solution, the sentinel module further comprises:
the client-side sentinel starts listening on a local port according to the client-side sentinel listening address;
after the client-side sentinel starts successfully, it initiates an mtls connection to the server-side sentinel recorded in the server-side sentinel address, using the pem-format client-side sentinel certificate and its private key; the mtls handshake is encrypted using the national cryptographic algorithm, and the client-side sentinel and the server-side sentinel each verify the validity of the other party's certificate, where validity covers whether the certificate has expired, whether it has been revoked and whether the component information in the certificate is legitimate;
after the handshake completes, the client-side sentinel and the server-side sentinel hold a long-lived connection and send heartbeat packets at regular intervals to keep it alive.
According to the above technical solution, the information verification module comprises:
the client program treats the locally deployed client-side sentinel as the basic component it ultimately accesses, connects to it through the standard driver and sends an authentication data packet;
after the client-side sentinel accepts the client program's connection, it creates a new operation stream channel on the encrypted connection and forwards the client program's authentication data packet, encrypted, to the server-side sentinel;
the server-side sentinel receives and decodes the encrypted data packet and verifies the submitted identity information; if verification fails it terminates the flow and outputs an error response packet in the protocol format of the corresponding basic component, and if verification succeeds it responds with an authentication-success packet;
the client-side sentinel passes the server-side sentinel's response packet to the client program, and once authentication has succeeded the client executes its command requests.
According to the above technical solution, the data interaction module comprises:
the client-side sentinel continuously encrypts the client's data packets and transmits them to the server-side sentinel;
the server-side sentinel continuously performs command authentication, auditing, logging and abnormal-alarm operations;
the server-side sentinel takes an available connection from the connection pool, decodes the encrypted data packet and forwards the decoded packet to the basic component;
and connection establishment and teardown are managed by the connection pool. The initial number of connections, the upper and lower limits on the number of connections, the maximum number of uses per connection, the maximum idle time and so on can be controlled through the connection pool's parameters, and the number of database connections, their utilization and so on can be monitored through the pool's own management mechanism.
The connection pool has a minimum connection number and a maximum connection number;
the minimum connection number is the number of database connections the pool always keeps open, so if the application makes little use of database connections, a large amount of database connection resources is wasted; the maximum connection number is the most connections the pool can hold, and once the number of database connection requests exceeds it, subsequent requests are placed in a waiting queue, which delays the database operations behind them.
This strategy ensures effective reuse of database connections and avoids the system resource overhead of frequently establishing and releasing connections.
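The connection pool behaviour described above (pre-dialled minimum, hard maximum with a waiting queue, per-connection use limit and idle expiry) can be written as a small bounded pool. The following Go program is an added example and is not code from the patent or from any product it describes; the patent does not name the language of the sentinel binary, so Go is an assumption, as are the type and field names (Pool, PoolConfig, MaxUses, WaitTimeout) and the dial callback, which stands in for the real connection to the basic component.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrPoolExhausted is returned when the pool is at MaxConns and no connection
// comes back within WaitTimeout (the request timed out in the waiting queue).
var ErrPoolExhausted = errors.New("connection pool exhausted: request timed out in wait queue")

// Conn is a constructed stand-in for a live connection to the protected basic component.
type Conn struct {
	ID        int
	uses      int       // how many times this connection has been handed out
	idleSince time.Time // when it was last returned to the pool
}

// PoolConfig mirrors the tunables the description lists (names assumed here).
type PoolConfig struct {
	MinConns    int           // connections kept open from the start
	MaxConns    int           // upper limit; requests beyond it queue
	MaxUses     int           // a connection is closed after this many uses (0 = unlimited)
	MaxIdle     time.Duration // idle connections older than this are closed (0 = never)
	WaitTimeout time.Duration // how long a request waits in the queue
}

// Pool is a bounded pool: slots holds one token per open connection (capacity
// MaxConns), idle holds connections not currently handed out.
type Pool struct {
	cfg    PoolConfig
	slots  chan struct{}
	idle   chan *Conn
	mu     sync.Mutex
	nextID int
	dial   func(id int) (*Conn, error)
}

// NewPool pre-dials MinConns connections so the first requests need not wait.
func NewPool(cfg PoolConfig, dial func(id int) (*Conn, error)) *Pool {
	p := &Pool{cfg: cfg, slots: make(chan struct{}, cfg.MaxConns), idle: make(chan *Conn, cfg.MaxConns), dial: dial}
	for i := 0; i < cfg.MinConns && i < cfg.MaxConns; i++ {
		p.slots <- struct{}{}
		c, err := p.open()
		if err != nil {
			<-p.slots // give the slot back; a real sentinel would log this to the log output address
			continue
		}
		p.idle <- c
	}
	return p
}

func (p *Pool) open() (*Conn, error) {
	p.mu.Lock()
	p.nextID++
	id := p.nextID
	p.mu.Unlock()
	c, err := p.dial(id)
	if err != nil {
		return nil, err
	}
	c.idleSince = time.Now()
	return c, nil
}

// close releases the connection's slot so a fresh one can be dialled in its place.
func (p *Pool) close(c *Conn) { <-p.slots }

// fresh reports whether an idle connection is still usable; stale ones are closed.
func (p *Pool) fresh(c *Conn) bool {
	if p.cfg.MaxIdle > 0 && time.Since(c.idleSince) > p.cfg.MaxIdle {
		p.close(c)
		return false
	}
	return true
}

// Get reuses an idle connection, opens a new one while below MaxConns, and
// otherwise waits in the queue for up to WaitTimeout.
func (p *Pool) Get() (*Conn, error) {
	deadline := time.After(p.cfg.WaitTimeout)
	for {
		select {
		case c := <-p.idle:
			if p.fresh(c) {
				return c, nil
			}
			continue
		default:
		}
		select {
		case p.slots <- struct{}{}:
			c, err := p.open()
			if err != nil {
				<-p.slots
				return nil, err
			}
			return c, nil
		default:
		}
		select {
		case c := <-p.idle:
			if p.fresh(c) {
				return c, nil
			}
		case <-deadline:
			return nil, ErrPoolExhausted
		}
	}
}

// Put returns a connection; one that has reached MaxUses is closed instead of reused.
func (p *Pool) Put(c *Conn) {
	c.uses++
	if p.cfg.MaxUses > 0 && c.uses >= p.cfg.MaxUses {
		p.close(c)
		return
	}
	c.idleSince = time.Now()
	p.idle <- c // never blocks: idle has room for every open connection
}

// Open and Idle are the counters the pool's own management mechanism would monitor.
func (p *Pool) Open() int { return len(p.slots) }
func (p *Pool) Idle() int { return len(p.idle) }

func main() {
	p := NewPool(PoolConfig{MinConns: 2, MaxConns: 3, MaxUses: 2, MaxIdle: time.Minute, WaitTimeout: 50 * time.Millisecond},
		func(id int) (*Conn, error) { return &Conn{ID: id}, nil })
	fmt.Println("open:", p.Open(), "idle:", p.Idle())
	c, _ := p.Get()
	p.Put(c)
	fmt.Println("open:", p.Open(), "idle:", p.Idle())
}
```

The waiting queue is the third select: a request that finds no idle connection and no free slot blocks on idle until a Put or the deadline, which is exactly the "subsequent requests are placed in a waiting queue" behaviour, bounded in time so a stalled component cannot pile up goroutines indefinitely.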
Compared with the prior art, the invention has the following beneficial effects:
1. with sentinels deployed at both ends, the mysql instance information is completely hidden from the microservice; even if the microservice is compromised, the leaked information is useless and the security of mysql is unaffected. The server-side sentinel verifies the microservice's identity information up front when the connection is established and terminates the flow immediately on error, so incorrect identity information never reaches the mysql instance; the server-side sentinel forms a protective barrier in front of the mysql instance and removes the threat of the basic component being attacked directly;
2. communication from the microservice to mysql is encrypted and protected by the sentinels at both ends using the national cryptographic algorithm, preventing sniffing by other machines on the intranet;
3. the system has rich permission management mechanisms (identity permissions, table operation permissions and sql statement execution permissions), and the whole series of permission checks is performed by the server-side sentinel; it also provides a high-performance connection pool between the server-side sentinel and the mysql instance, reducing the resource consumption of frequently creating and destroying connections to the mysql instance;
4. every executed SQL statement is strictly examined: its permission is checked, its syntax is verified for safety, dangerous statements are normalized and condition limits are added;
5. the administrator can trace the log records of dangerous command operations through the platform; intrusion defense and abnormal alarms are supported, and the sentinel records the source information of an abnormal connection, for example ip address, authentication information and system fingerprint;
6. the problem of intranet access in public clouds is solved through the sentinel: no temporary server login accounts need to be created, and public network server access addresses are hidden from developers;
7. the system has fine-grained permission control down to the level of individual commands, so developers can be restricted through the sentinel to executing only permitted commands, eliminating the risk of misoperation; permissions are controlled efficiently in real time and can be recovered at any time through the platform's one-click grant and revoke, and when troubleshooting is complete the administrator revokes the client-side sentinel certificate directly on the management platform, so that the client-side sentinel becomes invalid.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention without limiting it. In the drawings:
FIG. 1 is a schematic diagram of the overall architecture of the resource protection system based on the zero trust security sentinel system of the invention;
FIG. 2 is a data communication flow chart of the resource protection system based on the zero trust security sentinel system of the invention.
Detailed Description
The technical solutions in the embodiments of the invention will be described clearly and completely below with reference to the drawings; obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person skilled in the art without creative effort on the basis of the embodiments of the invention fall within the scope of protection of the invention.
Referring to fig. 1-2, the invention provides the following embodiment:
First embodiment: a resource protection system based on a zero trust security sentinel system is provided; some terms used in the system are explained as follows:
sentinels: the system is divided into client-side sentinels and server-side sentinels (C/S architecture); the server-side sentinel is deployed at the near end of the basic component, verifies permissions on behalf of the basic component and proxies the traffic of the basic component; the client-side sentinel is deployed at the near end of the microservice or user to provide the connection function, looks to the client like the basic component itself and proxies the client's traffic. Besides permission authentication, the server-side sentinel supports cross-network cdn, encryption with the national cryptographic algorithm, logging, metrics monitoring, command security examination, command normalization examination, abnormal alarms and other functions;
basic component ID: the unique ID of a basic component, equivalent to its identity number;
password storage service module: stores the sensitive information of the basic components;
virtual identity information: identity information generated by the management platform and verified by the server-side sentinel, such as the account and password of a mysql component or the login password of a redis component; virtual identities and real identities correspond one to one. For example, a mysql instance has a real identity whose account is root with its password; the created virtual identity has account and password sentinel; finally the virtual identity and the real identity are bound in a mapping table and stored in the password storage service;
command permission control: the server-side sentinel parses the basic component protocol to obtain the specific command being executed, and the whitelist of commands the server-side sentinel lets through is obtained from the management platform; the whitelist includes fine-grained table access permission control for mysql and the like;
CDN cross-network deployment: when the server-side sentinel needs to be exposed to the public network to provide access, deployment behind a public CDN is supported, and the CDN hides the server-side sentinel to defend against network attacks.
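The two server-side checks described in the term list and in the information verification module (resolving the client's virtual identity to the real identity stored in the password storage service, then applying the command whitelist, table permissions and condition limits to each statement) can be shown together in one program. The Go code below is an added example, not code from the patent; the Identity fields, the Allowed map, the SampleStore stand-in for the encrypted password storage service, and the regular-expression statement parser are all assumptions (a production sentinel would parse the component's wire protocol rather than matching SQL text), and the credentials in it are constructed sample values.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Identity is one row of the virtual-to-real mapping table (field names assumed).
type Identity struct {
	ComponentID string
	VirtualUser string // what the client program authenticates with
	VirtualPass string
	RealUser    string // what the server-side sentinel uses towards the component
	RealPass    string
	// Allowed maps a command keyword to the tables it may touch ("*" = any table).
	Allowed map[string][]string
}

// ErrAuthFailed stops the flow before anything reaches the basic component.
var ErrAuthFailed = errors.New("identity verification failed")

// SampleStore is a constructed in-memory stand-in for the encrypted password storage service.
func SampleStore() []Identity {
	return []Identity{{
		ComponentID: "comp-0001", VirtualUser: "sentinel", VirtualPass: "virtual-pass-example",
		RealUser: "root", RealPass: "real-root-pass-example",
		Allowed: map[string][]string{"SELECT": {"orders"}, "INSERT": {"orders"}, "DELETE": {"orders"}},
	}}
}

// Authenticate matches the submitted virtual credentials against the store for the
// given component and returns the identity whose real credentials the sentinel uses.
// Comparisons are constant-time so a wrong password cannot be distinguished by timing.
func Authenticate(store []Identity, componentID, user, pass string) (*Identity, error) {
	for i := range store {
		id := &store[i]
		if id.ComponentID != componentID {
			continue
		}
		userOK := subtle.ConstantTimeCompare([]byte(id.VirtualUser), []byte(user)) == 1
		passOK := subtle.ConstantTimeCompare([]byte(id.VirtualPass), []byte(pass)) == 1
		if userOK && passOK {
			return id, nil
		}
	}
	return nil, ErrAuthFailed
}

var (
	cmdRe   = regexp.MustCompile(`(?i)^\s*(select|insert|update|delete|drop)\b`)
	whereRe = regexp.MustCompile(`(?i)\bwhere\b`)
	// Target-table extractors for the handful of statement shapes handled here.
	tableRe = map[string]*regexp.Regexp{
		"SELECT": regexp.MustCompile(`(?i)\bfrom\s+([\w.]+)`),
		"INSERT": regexp.MustCompile(`(?i)\binto\s+([\w.]+)`),
		"UPDATE": regexp.MustCompile(`(?i)^\s*update\s+([\w.]+)`),
		"DELETE": regexp.MustCompile(`(?i)\bfrom\s+([\w.]+)`),
		"DROP":   regexp.MustCompile(`(?i)\btable\s+([\w.]+)`),
	}
)

// ParseCommand extracts the command keyword and the target table from a statement.
func ParseCommand(sql string) (cmd, table string, err error) {
	m := cmdRe.FindStringSubmatch(sql)
	if m == nil {
		return "", "", errors.New("unrecognized statement")
	}
	cmd = strings.ToUpper(m[1])
	t := tableRe[cmd].FindStringSubmatch(sql)
	if t == nil {
		return cmd, "", errors.New("cannot determine target table")
	}
	return cmd, strings.ToLower(t[1]), nil
}

// Authorize applies the command whitelist and table permissions, and refuses
// UPDATE/DELETE without a WHERE clause (the "condition limit" on dangerous statements).
func Authorize(id *Identity, sql string) (bool, string) {
	cmd, table, err := ParseCommand(sql)
	if err != nil {
		return false, err.Error()
	}
	tables, ok := id.Allowed[cmd]
	if !ok {
		return false, "command not in whitelist: " + cmd
	}
	permitted := false
	for _, t := range tables {
		if t == "*" || t == table {
			permitted = true
		}
	}
	if !permitted {
		return false, fmt.Sprintf("%s not permitted on table %s", cmd, table)
	}
	if (cmd == "UPDATE" || cmd == "DELETE") && !whereRe.MatchString(sql) {
		return false, cmd + " without WHERE clause is refused"
	}
	return true, "ok"
}

// AuditLine is the record the server-side sentinel would write for every command.
func AuditLine(id *Identity, sql string, allowed bool, reason string) string {
	return fmt.Sprintf("component=%s virtual_user=%s allowed=%t reason=%q sql=%q",
		id.ComponentID, id.VirtualUser, allowed, reason, sql)
}

func main() {
	id, err := Authenticate(SampleStore(), "comp-0001", "sentinel", "virtual-pass-example")
	if err != nil {
		fmt.Println("rejected:", err) // sentinel would answer with the component's protocol error packet
		return
	}
	for _, q := range []string{"SELECT id FROM orders WHERE id = 1", "DELETE FROM orders", "DROP TABLE orders"} {
		ok, why := Authorize(id, q)
		fmt.Println(AuditLine(id, q, ok, why))
	}
}
```

Note that the real credentials never leave the sentinel process: the client only ever learns the virtual account, so a compromised microservice leaks nothing that works against the component directly, which is the point made in beneficial effect 1.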
In this embodiment, a system administrator adds a protected basic component through the operation management platform, which generates a unique component ID for the basic component. The added information includes the connection information, authentication identity, component type and so on of the basic component; at the same time the virtual identity information of the component is added, and sensitive information such as the connection information, virtual identity and real identity is stored encrypted in the password storage service. The field information of the basic component table is shown in Table 1, and the confidentially stored data (taking mysql authentication information as an example) is shown in Table 2.
TABLE 1 basic component table field information
TABLE 2 confidentially stored data information
A system administrator creates a server-side sentinel certificate through the sentinel module: the administrator selects the basic component to be protected from the list of added basic components and calls the CA certificate module to generate the x509 certificate used by the server-side sentinel, with the ID of the protected basic component recorded in the certificate; server-side sentinel configuration information is created, comprising identity authentication information based on the basic component protocol, the port to listen on, the log output address, command auditing and so on; the field information is shown in Table 3:
TABLE 3 server-side sentinel configuration file fields
A system administrator downloads the server-side sentinel certificate and the server-side sentinel binary program through the operation management platform and deploys the server-side sentinel at the near end of the basic component, for example on the server where the basic component resides, where the server-side sentinel and the basic component communicate efficiently in unix domain shared memory mode; alternatively it is deployed in the same intranet environment as the basic component and communicates over tcp;
after the server-side sentinel starts, a tls listening service is started according to the listen.addr, cert, privatekey and other fields of the configuration file;
the password storage service is requested to load the identity list according to the confidential. fields;
and a connection with the basic component instance is established in advance for each real identity and its connection information, with error logs emitted to the log platform address recorded in the log. fields.
The system administrator creates a client-side sentinel certificate through the sentinel module, selects from the list of added server-side sentinels the one or more server-side sentinels that this client-side sentinel is authorized to access, calls the CA system to generate the x509 certificate used by the client-side sentinel, and records the addresses of all accessible server-side sentinels in the certificate. The fields are shown in Table 4.
TABLE 4: client-side sentinel configuration file fields
The system administrator downloads the client certificate and the client-side sentinel binary through the management platform and deploys them at the near end of the client, for example on the server hosting the client service, providing a locally listened address such as 127.0.0.1;
the client-side sentinel starts listening on a local port according to the listen. field;
after the client-side sentinel has started successfully, it initiates an mtls connection to the server-side sentinel according to the server-side sentinel address recorded in the sentnel field together with the cert and privatekey fields; the mtls handshake is encrypted with a national cryptographic algorithm, and the client-side sentinel and the server-side sentinel mutually verify the validity of each other's certificate: whether it is overdue, whether it has been cancelled, whether the component information in the certificate is legal, and so on;
after the handshake, the client-side sentinel and the server-side sentinel hold a long-lived connection and send heartbeat packets periodically to keep it alive;
the client program treats the locally deployed client-side sentinel as the basic component it ultimately accesses, connects to it through the standard driver, and first sends an authentication packet;
when the client-side sentinel receives the client program's connection, it creates a new operation flow channel over the encrypted connection and encrypts and forwards the authentication packet sent by the client program to the server-side sentinel;
the server-side sentinel decodes the encrypted packet and checks the submitted identity information; if the check fails it terminates the flow and returns an error response packet in the basic component's protocol format, and if the check succeeds it responds with an authentication-success packet;
the client-side sentinel passes the packet returned by the server-side sentinel to the client program, and once authentication has succeeded the client issues command requests;
from then on, the client-side sentinel continuously encrypts the client's packets and forwards them to the server-side sentinel;
the server-side sentinel continuously performs command authentication, auditing, logging and abnormal-behaviour alerting;
the server-side sentinel takes an available connection from the connection pool, decodes the encrypted packet and forwards it to the basic component.
The above-described process is illustrated in fig. 2.
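The mutual certificate check performed during the mtls handshake above, as an added Go example that is not the patent's code: a small CA issues sentinel certificates that record the protected component ID, and VerifyPeer applies the three checks the description names (overdue, cancelled, component information legal). The URI SAN encoding of the component ID, the in-memory revocation set and all names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// The patent records the protected component's ID in the sentinel certificate but does
// not say which x509 field carries it; this example assumes a URI SAN sentinel://component/<id>.
const componentURIPrefix = "sentinel://component/"

// CA stands in for the CA certificate module: it issues, verifies and revokes
// sentinel certificates. Revocation is an in-memory set of serial numbers here.
type CA struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked map[string]bool
}

func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "sentinel-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{cert: cert, key: key, revoked: map[string]bool{}}, nil
}

// IssueSentinelCert signs a sentinel certificate whose URI SAN records componentID.
// The leaf key is generated and discarded: only the verification side is shown.
func (ca *CA) IssueSentinelCert(serial int64, name, componentID string, ttl time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		URIs:         []*url.URL{{Scheme: "sentinel", Host: "component", Path: "/" + componentID}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke cancels a certificate, as the administrator does on the management platform.
func (ca *CA) Revoke(c *x509.Certificate) { ca.revoked[c.SerialNumber.String()] = true }

// VerifyPeer applies the three handshake checks: the chain is valid and not overdue at now,
// the certificate is not cancelled, and its component information matches this sentinel's component.
func (ca *CA) VerifyPeer(peer *x509.Certificate, wantComponentID string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := peer.Verify(opts); err != nil {
		return fmt.Errorf("certificate invalid or overdue: %w", err)
	}
	if ca.revoked[peer.SerialNumber.String()] {
		return fmt.Errorf("certificate %s has been cancelled", peer.SerialNumber)
	}
	for _, u := range peer.URIs {
		if u.String() == componentURIPrefix+wantComponentID {
			return nil
		}
	}
	return fmt.Errorf("component information in certificate is not legal for %s", wantComponentID)
}
```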
The second and third embodiments mainly describe cases of securing mysql access and of secure use. mysql serves as the persistent storage facility for services, so its security determines the security of the whole system.
Second embodiment: protecting the database, adding authority control and SQL security auditing.
An existing enterprise system based on a microservice architecture depends on a mysql persistent storage facility, and multiple microservices share the mysql instance. A system administrator connects to the mysql instance in advance with the Navicat tool to create a database name and login identity for each microservice, and configures the created identity and connection information in each microservice's configuration file. When a microservice starts, it connects directly to the mysql instance with that configuration information and operates on it.
Such an enterprise system based on a microservice architecture has the following problems:
the security of the mysql instance cannot be guaranteed, since connection and identity information can be leaked when a microservice has a bug; authority control relies on mysql's own permission system, so the means of control are limited and customized permission management cannot be achieved; if ssl encryption is not configured on the mysql instance, traffic from the microservices to the mysql instance is plaintext and can be sniffed; once ssl encryption is configured for mysql, the resource usage of the mysql instance increases; and sql is not audited, so misoperation caused by code bugs cannot be prevented.
The second embodiment comprises the following steps:
a system administrator operates the basic component management module of the management platform, adds the mysql basic component, configures its connection and account passwords (several account passwords can be set), and generates virtual identity information;
a server-side sentinel is created, the mysql basic component is selected, and a server-side sentinel x509 certificate is generated;
the server-side sentinel binary, configuration file and certificate are downloaded through the interface to deploy the server-side sentinel; after it starts, it requests the real mysql connection information according to the password storage service address in the configuration file and establishes a connection pool to the mysql instance, reducing the resource consumption of frequently opening and closing mysql connections;
a client-side sentinel certificate and configuration file are created through the management platform and the server-side sentinel to be accessed is selected;
the client-side sentinel is deployed on the server where the microservice runs, and the client-side sentinel's connection address and the platform-generated identity information are injected into the microservice's configuration file;
the microservice treats the client-side sentinel as the basic component, connects to it as it would to the mysql instance, and executes its business logic.
In the second embodiment every executed SQL statement is strictly inspected: the statement's authority is checked and its syntax safety is verified. For dangerous statements such as delete and update, standardization is enforced, for example a conditional restriction (where id = 1, where id in (2,3,4)) must be present. All of these steps take effect once the zero trust security sentinel system is in place; all operations can be completed by an administrator or an automated operation and maintenance system through the steps above, and the client-side microservice is onboarded without secondary development or any code change.
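An added Go example, not part of the patent, of the SQL inspection described above: a per-identity authority check on the statement kind, followed by the conditional-restriction rule for delete and update. Policy, CheckSQL and the regular expressions are constructed for this illustration, and the check is deliberately minimal (no full SQL parser).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Policy is a constructed stand-in for the statement kinds a virtual identity may run
// (the patent's limited command list for a mysql component).
type Policy struct {
	Allowed map[string]bool
}

var (
	leadingKeyword = regexp.MustCompile(`^([A-Za-z]+)`)
	// A conditional restriction on a named column, e.g. "where id = 1" or
	// "where id in (2,3,4)"; "where 1=1" does not qualify because no column is named.
	restrictedWhere = regexp.MustCompile(`(?i)\bwhere\s+[A-Za-z_]\w*\s*(=\s*\S+|in\s*\([^)]+\))`)
)

// CheckSQL returns nil when the statement passes the authority check and the
// syntax-safety check; otherwise it returns the reason the sentinel terminates the flow.
func CheckSQL(p Policy, sql string) error {
	stmt := strings.TrimSuffix(strings.TrimSpace(sql), ";")
	// One statement per packet, and no comments in which a restriction could be hidden.
	if strings.Contains(stmt, ";") {
		return fmt.Errorf("multiple statements are not allowed")
	}
	if strings.Contains(stmt, "/*") || strings.Contains(stmt, "--") || strings.Contains(stmt, "#") {
		return fmt.Errorf("comments are not allowed")
	}
	m := leadingKeyword.FindStringSubmatch(stmt)
	if m == nil {
		return fmt.Errorf("cannot determine statement type")
	}
	kind := strings.ToUpper(m[1])
	if !p.Allowed[kind] {
		return fmt.Errorf("%s is not permitted for this identity", kind)
	}
	// Dangerous statements must carry a conditional restriction.
	if (kind == "DELETE" || kind == "UPDATE") && !restrictedWhere.MatchString(stmt) {
		return fmt.Errorf("%s without a conditional restriction such as where id = 1 is rejected", kind)
	}
	return nil
}

func main() {
	p := Policy{Allowed: map[string]bool{"SELECT": true, "UPDATE": true, "DELETE": true}}
	// Constructed statements: one accepted, two rejected.
	for _, s := range []string{"DELETE FROM users WHERE id IN (2,3,4)", "DELETE FROM users", "DROP TABLE users"} {
		fmt.Printf("%-40s -> %v\n", s, CheckSQL(p, s))
	}
}
```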
Third embodiment: temporary authorized access and fine-grained authority control.
An administrator finds that the memory usage of the redis service the online system depends on has been high for a long time and needs a developer who uses the redis service to investigate the specific cause. Because the redis service runs in the internal network of the online environment and has no public network address, the developer cannot connect to it for troubleshooting. The usual approach is to temporarily create a server account for the developer on a host that can reach the redis service; the developer logs in to that server to connect to and operate the redis service.
With this usual approach the developer's authority is too high: once connected to the redis service, all redis commands can be executed, so there is a risk of misoperation. Troubleshooting through the server is also inefficient, and when program scripts are needed a script runtime must be installed on it.
The system is therefore introduced, and the specific operation is as follows:
a system administrator operates the basic component management module of the management platform, adds the redis basic component, configures its connection and account password, configures the virtual identities used to connect to the redis service, and configures the command authority the server-side sentinel allows;
a server-side sentinel is created, the redis basic component is selected, and a server-side sentinel x509 certificate is generated;
the server-side sentinel binary, configuration file and certificate are downloaded through the interface and the server-side sentinel is deployed in the public cloud intranet; after it starts, it requests the real redis connection information according to the password storage service address in the configuration file and establishes a connection pool to the redis instance;
a client-side sentinel certificate and configuration file are created through the management platform, the server-side sentinel to be accessed is selected, and the client-side sentinel configuration file is created;
the client-side sentinel binary, certificate and configuration file are sent to the developer;
the developer runs the client-side sentinel locally, treats it as the redis service, and connects to it with redis-cli or a script to carry out the troubleshooting;
after the troubleshooting is finished, the administrator revokes the client certificate through the management platform and destroys the server-side sentinel, terminating the developer's access authority.
These steps show that after the system is introduced, access to the public cloud intranet is solved by the sentinels: no temporary server login account needs to be created and the public-facing server address is hidden from the developer. Fine-grained authority control is achieved at the level of individual commands; troubleshooting a redis problem usually involves only a few query commands (such as get, ttl and info), so the developer can be limited through the sentinels to executing only the allowed commands, eliminating the risk of misoperation.
Meanwhile, the client-side sentinel runs on the developer's own computer, which makes troubleshooting convenient, and the authority can be withdrawn at any time: once troubleshooting is complete, the administrator revokes the client-side sentinel certificate directly on the management platform, invalidating the client-side sentinel.
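An added Go example, not part of the patent, of the command-level limitation in the third embodiment: the server-side sentinel parses the client's RESP request, checks the command name against the allowed list (get, ttl, info) and answers refusals in redis's own error format instead of forwarding them. ParseRESPCommand and Gate are constructed names, and the -NOPERM reply text is an assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// ParseRESPCommand reads one client request as redis-cli sends it: a RESP array
// "*<n>\r\n" followed by n bulk strings "$<len>\r\n<bytes>\r\n". Inline commands
// ("TTL key\r\n") are accepted as well. The words of the command are returned.
func ParseRESPCommand(r *bufio.Reader) ([]string, error) {
	line, err := r.ReadString('\n')
	if err != nil {
		return nil, err
	}
	line = strings.TrimRight(line, "\r\n")
	if !strings.HasPrefix(line, "*") {
		return strings.Fields(line), nil
	}
	n, err := strconv.Atoi(line[1:])
	if err != nil || n <= 0 {
		return nil, fmt.Errorf("bad array header %q", line)
	}
	args := make([]string, 0, n)
	for i := 0; i < n; i++ {
		hdr, err := r.ReadString('\n')
		if err != nil {
			return nil, err
		}
		hdr = strings.TrimRight(hdr, "\r\n")
		if !strings.HasPrefix(hdr, "$") {
			return nil, fmt.Errorf("expected bulk string, got %q", hdr)
		}
		size, err := strconv.Atoi(hdr[1:])
		if err != nil || size < 0 || size > 512*1024*1024 { // sanity bound on one argument
			return nil, fmt.Errorf("bad bulk length %q", hdr)
		}
		buf := make([]byte, size+2) // payload plus its trailing CRLF
		if _, err := io.ReadFull(r, buf); err != nil {
			return nil, err
		}
		args = append(args, string(buf[:size]))
	}
	return args, nil
}

// Gate decides whether a parsed command may be forwarded to the real redis instance.
// allowed is the command authority configured for the virtual identity; a refusal is
// answered in redis's error format, so redis-cli shows it like any server error.
func Gate(allowed map[string]bool, args []string) (forward bool, reply string) {
	if len(args) == 0 {
		return false, "-ERR empty command\r\n"
	}
	cmd := strings.ToUpper(args[0])
	if !allowed[cmd] {
		return false, fmt.Sprintf("-NOPERM sentinel: command '%s' is not permitted for this identity\r\n", cmd)
	}
	return true, ""
}

func main() {
	allowed := map[string]bool{"GET": true, "TTL": true, "INFO": true}
	// Constructed traffic: a permitted GET followed by a refused FLUSHALL.
	stream := bufio.NewReader(strings.NewReader("*2\r\n$3\r\nGET\r\n$7\r\nsess:42\r\n*1\r\n$8\r\nFLUSHALL\r\n"))
	for i := 0; i < 2; i++ {
		args, err := ParseRESPCommand(stream)
		if err != nil {
			fmt.Println("parse error:", err)
			return
		}
		ok, reply := Gate(allowed, args)
		fmt.Printf("%v forward=%v reply=%q\n", args, ok, reply)
	}
}
```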
It should be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (7)
1. A resource protection system based on a zero trust security sentinel system, characterized in that: the system comprises an operation management platform, a password storage service module, a sentinel module, a CA certificate module, an information verification module and a data interaction module;
the operation management platform is used for executing the operations of a system administrator and adding basic components; the password storage service module is used for providing the password storage service and storing the sensitive information of the basic components; the sentinel module is used for creating the server-side sentinel and the client-side sentinel; the CA certificate module is used for generating, verifying and revoking sentinel certificates, and when the client-side sentinel and the server-side sentinel communicate, the CA certificate module verifies the legitimacy of the other party's identity; the information verification module is used, after the server-side sentinel receives the encrypted data packet transmitted by the client-side sentinel, for decoding it and checking the submitted identity information, terminating the flow and outputting an error response packet in the protocol format of the basic component if the check fails, and after the check succeeds responding with an authentication-success data packet and continuously performing command authentication, auditing, logging and abnormal alarm operations; the data interaction module is used for the server-side sentinel to take an available connection from the connection pool, decode the encrypted data packet and forward the decoded data packet to the basic component, forming trusted data interaction with the basic component;
the information verification module comprises:
the client program treats the locally deployed client-side sentinel as the basic component it ultimately accesses, connects to the client-side sentinel through the standard driver and sends an authentication data packet;
after the client-side sentinel receives the client program's connection, it creates a new operation flow channel over the encrypted connection and encrypts and forwards the authentication data packet sent by the client program to the server-side sentinel;
the server-side sentinel decodes the encrypted data packet after receiving it and verifies the submitted identity information; if the verification fails it terminates the flow and outputs an error response packet in the protocol format of the basic component; after the verification succeeds it responds with an authentication-success data packet;
the client-side sentinel transmits the data packet returned by the server-side sentinel to the client program, and the client executes command requests after authentication has succeeded;
the data interaction module comprises:
the client-side sentinel continuously encrypts the client's data packets and forwards them to the server-side sentinel;
the server-side sentinel continuously performs command authentication, auditing, logging and abnormal alarm operations;
the server-side sentinel takes an available connection from the connection pool, decodes the encrypted data packet and forwards the decoded data packet to the basic component;
when the system is initialized, the connection pool stores the connections to the basic component as objects in memory; when the server-side sentinel needs to access the basic component, it does not establish a new connection but takes an established idle connection object from the connection pool, decodes the encrypted data packet and sends it to the basic component; after use, the server-side sentinel does not close the connection but returns it to the connection pool for the next access request;
a system administrator, by operating the management platform, adds a redis basic component, configures its connection and account password, configures the virtual identities used to connect to the redis service and configures the command authority allowed by the server-side sentinel;
a server-side sentinel is created, the redis basic component is selected, and a server-side sentinel x509 certificate is generated;
the server-side sentinel binary, configuration file and certificate are downloaded and the server-side sentinel is deployed in the public cloud intranet; after the server-side sentinel starts, it requests the real redis connection information according to the password storage service address in the configuration file and establishes a connection pool to the redis instance;
a client-side sentinel certificate and configuration file are created through the operation management platform, the server-side sentinel to be accessed is selected, and the client-side sentinel configuration file is created;
the client-side sentinel binary, certificate and configuration file are sent to a developer;
the developer runs the client-side sentinel locally, treats it as the redis service, and connects to it through redis-cli or a script to perform troubleshooting;
after the troubleshooting is finished, the administrator revokes the client certificate by operating the management platform and destroys the server-side sentinel, terminating the developer's access authority.
2. The resource protection system based on a zero trust security sentinel system of claim 1, wherein:
a system administrator adds a protected basic component through the operation management platform; the operation management platform generates a unique component ID for the protected basic component, constructs the sensitive information associated with the component ID, and encrypts and stores the sensitive information in the password storage service module;
the sensitive information comprises the connection, authentication identity, component type, virtual identity and real identity of the basic component.
3. The resource protection system based on a zero trust security sentinel system of claim 2, wherein:
a system administrator creates a server-side sentinel certificate through the sentinel module;
the system administrator selects the basic component to be protected from the list of added protected basic components, the CA certificate module is called to generate the x509 certificate used by the server-side sentinel, and the ID of the protected basic component is recorded in the certificate;
server-side sentinel configuration information is created, comprising the authentication identity information based on the basic component's protocol, log output addresses, command limitation types, black and white lists and a limited command list;
the authentication identity information based on the basic component's protocol comprises a pem-format certificate, the private key of the pem-format certificate, a password storage address, a password storage service verification token and the server-side sentinel listening address;
and the system administrator downloads the server-side sentinel certificate and the server-side sentinel binary through the operation management platform and deploys the server-side sentinel.
4. The resource protection system based on a zero trust security sentinel system of claim 3, wherein the sentinel module further comprises:
after the server-side sentinel starts, a tls listening service is started according to the server-side sentinel listening address, the pem-format server-side sentinel certificate and the private key of the pem-format server-side sentinel certificate in the server-side sentinel configuration information;
after successful startup, the password storage service module is requested to load the identity list according to the password storage address and the password storage service authentication token, the identity list comprising virtual identities and real identities;
and connections to the basic component instance are established in advance according to each real identity and its connection information; when a connection is abnormal, error logs are thrown to the log platform address recorded in the log output address, and when a connection is normal, it is placed into the connection pool on standby.
5. The resource protection system based on a zero trust security sentinel system of claim 4, wherein:
the server-side sentinel is deployed in one of two modes, namely:
deploying the server-side sentinel at the near end of the protected basic component, the server-side sentinel and the protected basic component communicating in unix domain shared-memory mode;
or deploying the server-side sentinel in the same intranet environment as the basic component and communicating over tcp.
6. The resource protection system based on a zero trust security sentinel system of claim 4, wherein:
a system administrator creates a client-side sentinel certificate through the sentinel module, selects from the list of added server-side sentinels the one or more server-side sentinels the client-side sentinel is authorized to access, calls the CA certificate module to generate the x509 certificate used by the client-side sentinel, and records the client-side sentinel configuration information in the certificate;
the client-side sentinel configuration information comprises: the pem-format client-side sentinel certificate, the pem-format client-side sentinel certificate private key, the server-side sentinel address and the client-side sentinel listening address;
and the system administrator downloads the client certificate and the client-side sentinel binary through the operation management platform and deploys them at the near end of the client for the client service to connect to.
7. The resource protection system based on a zero trust security sentinel system of claim 6, wherein the sentinel module further comprises:
the client-side sentinel starts listening on a local port according to the client-side sentinel listening address;
after the client-side sentinel starts successfully, it initiates an mtls connection to the server-side sentinel according to the recorded server-side sentinel address, the pem-format client-side sentinel certificate and its private key; the mtls handshake stage is encrypted with a national cryptographic algorithm, and the client-side sentinel and the server-side sentinel mutually verify the validity of each other's certificate, where validity comprises whether the certificate is overdue, whether it has been cancelled and whether the component information in the certificate is legal;
after the handshake stage is finished, the client-side sentinel and the server-side sentinel establish a long-lived connection and send heartbeat packets at regular intervals to keep the connection alive.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210794860.1A CN114900372B (en) | 2022-07-07 | 2022-07-07 | Resource protection system based on zero trust security sentinel system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114900372A CN114900372A (en) | 2022-08-12 |
| CN114900372B true CN114900372B (en) | 2022-10-14 |
Family
ID=82729867
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114900372B (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |