CN116684113A - Service processing method and related device based on SDP (software defined boundary) - Google Patents
- Publication number: CN116684113A (application CN202210170117.9A)
- Authority: CN (China)
- Prior art keywords: sdp, service access, user equipment, user, control system
- Prior art date
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0866—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present application discloses a service processing method and related device based on a software-defined perimeter (SDP). In the method, once user equipment has passed SPA authentication and identity authentication on the SDP control system of one region, that control system sends the user token corresponding to the user equipment to the SDP control systems of other regions. Those control systems parse the user token to obtain the device identifier of the user equipment and the user group it belongs to, determine the device's service access rights from the user group, and issue the corresponding service access list to their own SDP gateways, so that the user equipment can reach service resources through the SDP gateways of different regions. With this method the user equipment does not have to repeat SPA authentication when accessing service resources across regions, which simplifies the access procedure and improves its efficiency.
Description
Technical field
The present application relates to the field of network technologies, and in particular to an SDP-based service processing method and related devices.
Background
Software Defined Perimeter (SDP) is a security framework developed by the Cloud Security Alliance that controls access to resources according to the identity of the terminal. Under the SDP architecture, every terminal device must pass Single Packet Authorization (SPA) before it connects to a server, which ensures that only permitted devices are admitted. The core idea of SDP is to hide core network assets and facilities behind the SDP architecture so that they are not directly exposed on the Internet and are thereby shielded from external threats.
In general, an SDP system consists of an SDP controller and an SDP gateway. Only after the SDP controller has received the SPA packet sent by the SDP client deployed on the terminal device, and has verified that the packet is valid, does it instruct the SDP gateway to open the specified service access port to that terminal device.
At present, SDP deployments are regional: different regions usually run different SDP systems. After a terminal device has passed SPA authentication in one SDP system, if it wants to access service resources protected by another SDP system it usually has to perform SPA authentication again in that other system, which makes the process of accessing service resources cumbersome and inefficient.
Summary of the invention
The present application provides an SDP-based service processing method that lets user equipment access service resources across regions without performing SPA authentication more than once, simplifying the access procedure and improving its efficiency.
A first aspect of the present application provides an SDP-based service processing method applied to a network system comprising a first SDP system and a second SDP system. The first SDP system comprises a first control system and a first SDP gateway; the second SDP system comprises a second control system and a second SDP gateway; the two SDP systems are deployed in different regions. The method comprises: the second control system receives a user token sent by the first control system, where the first control system sends the user token after the user equipment has passed SPA authentication and identity authentication on the first control system, and the user token is generated by the first control system from the device identifier of the user equipment and the user group to which the user equipment belongs.
The second control system then parses the user token to obtain the device identifier and the user group.
The second control system provides a service access list to the second SDP gateway according to the service access rights corresponding to the user group, so that the second SDP gateway processes service access requests from the user equipment according to that list; the service access list indicates the services the user equipment is allowed to access.
In this scheme, once the user equipment has passed SPA authentication and identity authentication on the SDP control system of one region, that control system sends the user token corresponding to the user equipment to the SDP control systems of other regions. Those control systems parse the user token to obtain the device identifier of the user equipment and the user group it belongs to, determine the device's service access rights from the user group, and issue the corresponding service access list to their own SDP gateways, so that the user equipment can reach service resources through the SDP gateways of different regions. With this scheme the user equipment does not have to repeat SPA authentication when accessing service resources across regions, which simplifies the access procedure and improves its efficiency.
Optionally, the method further comprises: the second control system receives an updated security score sent by the first control system, where the first control system sends the updated score after detecting that the security score associated with the user equipment has changed. The updated security score indicates the current security state of the user equipment: the higher the score, the more secure the device currently is; the lower the score, the less secure.
The second control system determines new service access rights for the user equipment according to the updated security score and sends a rights change message to the second SDP gateway; the rights change message instructs the second SDP gateway to modify the service access list.
In this scheme the updated security score reflects the current security state of the user equipment, so the second control system can adjust the device's current service access rights to that state, ensuring that a device in a poor security state cannot reach services with higher confidentiality requirements.
Optionally, the updated security score is determined from security information of the user equipment and/or from traffic sent by the user equipment.
Optionally, the service access request sent by the user equipment comprises the device identifier, the user token and the target service the user equipment requests to access.
The second control system receives an authentication request from the second SDP gateway; the gateway sends this request after it has verified the user equipment's service access request against the service access list, and the request comprises the user token and the target service. The second control system then returns the authentication result to the second SDP gateway, and the gateway accepts or rejects the service access request on the basis of that result.
In this scheme, the two-stage verification by the second SDP gateway and the second control system effectively ensures that the user equipment accesses the target service legitimately, improving the security of service access.
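The cross-region flow of the first aspect (token relay, parsing of the token into device identifier and user group, the group-based service access list, the two-stage check by gateway and control system, and the rights change on an updated security score) as a runnable model. This is an added example, not code from the patent or from any SDP product. The patent does not say how the token is protected, so the example assumes an HMAC-signed token carrying an expiry and a key shared between the two regional control systems; the group-to-service table, the score thresholds, the device and user identifiers and the scenario in `demo()` are invented for illustration.

```python
import base64, hashlib, hmac, json

# Assumption (not in the patent): regions A and B share an HMAC key, so region B
# can verify a token that region A issued before it trusts the claims inside.
SHARED_KEY = b"example-key-shared-by-region-a-and-b"

# Assumed policy for illustration: services per user group, and the minimum
# security score a service demands of the accessing device.
GROUP_SERVICES = {"engineering": {"git", "ci", "hr-portal"}, "finance": {"erp", "hr-portal"}}
SERVICE_MIN_SCORE = {"git": 40, "ci": 40, "hr-portal": 60, "erp": 80}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key, device_id, user_group, user_id=None, now=0, ttl=3600):
    # Region A: token bound to device ID and user group (and optionally user ID).
    claims = {"dev": device_id, "grp": user_group, "exp": now + ttl}
    if user_id is not None:
        claims["uid"] = user_id
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def parse_token(key, token, now=0):
    # Region B: check MAC and expiry first; only then are the claims worth reading.
    try:
        body, mac = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(mac)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    return claims if claims.get("exp", 0) > now else None

def access_list(user_group, score):
    # Service access list = the group's services that the device's score still permits.
    return {s for s in GROUP_SERVICES.get(user_group, ()) if score >= SERVICE_MIN_SCORE[s]}

class ControlSystem:
    """Region B control system: receives relayed tokens and keeps per-device rights."""
    def __init__(self, key):
        self.key, self.devices = key, {}  # device_id -> {"grp": ..., "list": ...}

    def receive_token(self, token, now=0):
        claims = parse_token(self.key, token, now)
        if claims is None:
            return None
        entry = {"grp": claims["grp"], "list": access_list(claims["grp"], 100)}
        self.devices[claims["dev"]] = entry
        return entry["list"]  # pushed to the gateway

    def update_score(self, device_id, score):
        # Updated security score relayed from region A -> new list (the rights change message).
        entry = self.devices[device_id]
        entry["list"] = access_list(entry["grp"], score)
        return entry["list"]

    def authenticate(self, device_id, token, target, now=0):
        # Second verification stage: token valid, bound to this device, and covering the target.
        claims = parse_token(self.key, token, now)
        if claims is None or claims["dev"] != device_id:
            return False
        entry = self.devices.get(device_id)
        return entry is not None and target in entry["list"]

class Gateway:
    """Region B SDP gateway: filter on the installed list, then ask the controller."""
    def __init__(self, control):
        self.control, self.lists = control, {}  # device_id -> set of services

    def install(self, device_id, services):
        self.lists[device_id] = set(services)

    def handle(self, req, now=0):  # req = {"dev", "token", "target"}
        if req["target"] not in self.lists.get(req["dev"], set()):
            return "denied-by-gateway"
        if not self.control.authenticate(req["dev"], req["token"], req["target"], now):
            return "denied-by-controller"
        return "accepted"

def demo(now=1_700_000_000):
    """Constructed scenario: the cross-region flow with the checks that matter."""
    token = issue_token(SHARED_KEY, "dev-001", "engineering", user_id="alice", now=now)
    ctrl_b = ControlSystem(SHARED_KEY)
    gw_b = Gateway(ctrl_b)
    gw_b.install("dev-001", ctrl_b.receive_token(token, now))
    req = lambda target, tok=token: {"dev": "dev-001", "token": tok, "target": target}
    out = {"git": gw_b.handle(req("git"), now), "erp": gw_b.handle(req("erp"), now)}
    # Tampered token: body rewritten to claim the finance group, original MAC kept.
    forged_body = _b64(json.dumps({"dev": "dev-001", "grp": "finance", "exp": now + 3600}).encode())
    out["forged"] = gw_b.handle(req("git", forged_body + "." + token.split(".")[1]), now)
    # Region A reports a degraded score; the gateway's list is stale until re-installed.
    new_list = ctrl_b.update_score("dev-001", 50)
    out["stale"] = gw_b.handle(req("hr-portal"), now)
    gw_b.install("dev-001", new_list)
    out["hr-after"] = gw_b.handle(req("hr-portal"), now)
    out["git-after"] = gw_b.handle(req("git"), now)
    return out
```

Two points the example makes concrete. The second control system verifies the MAC and the expiry before it reads the device identifier and user group out of the token; an unverified token is attacker-controlled JSON, and "parsing" it alone would let a client choose its own group. And the second-stage check at the control system is what catches a request that passes a gateway whose list is stale (the rights change message has been computed but not yet applied) or that carries a tampered token, which is the value of the two-stage verification the text describes.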
Optionally, the first control system comprises a first SDP controller and a first authentication system, and the second control system comprises a second SDP controller and a second authentication system. The second control system receiving the user token from the first control system then specifically means: the second authentication system receives the user token sent by the first authentication system.
The second control system providing the service access list to the second SDP gateway according to the service access rights of the user group then specifically comprises: the second SDP controller receives the device identifier sent by the first SDP controller; the second SDP controller sends a first message carrying the device identifier to the second authentication system to request the service access rights of the user equipment; the second authentication system sends a service access list to the second SDP controller according to the first message and the service access rights of the user group; and the second SDP controller sends the service access list to the second SDP gateway.
Optionally, the first control system comprises a first SDP controller and a first authentication system, the second control system comprises a second SDP controller and a second authentication system, and the user token is generated from the device identifier of the user equipment, the user group to which it belongs and the user identifier corresponding to the user equipment. The second control system receiving the user token from the first control system then specifically means: the second authentication system receives the user token sent by the first authentication system.
The second control system providing the service access list to the second SDP gateway according to the service access rights of the user group then specifically comprises: the second SDP controller receives the device identifier and the user identifier sent by the first SDP controller; the second SDP controller sends a first message carrying the device identifier and the user identifier to the second authentication system to request the service access rights of the user equipment; the second authentication system sends a service access list to the second SDP controller according to the first message and the service access rights of the user group; and the second SDP controller sends the service access list to the second SDP gateway.
Optionally, the first control system comprises a first SDP controller, a first authentication system and a first environment awareness system, and the second control system comprises a second SDP controller, a second authentication system and a second environment awareness system.
The second control system receiving the updated security score from the first control system then specifically comprises: the second environment awareness system receives the updated security score sent by the first environment awareness system, which sends it after detecting that the security score associated with the user equipment has changed. The second control system determining new service access rights from the updated score and sending a rights change message to the second SDP gateway then comprises: the second environment awareness system sends the updated security score to the second authentication system; the second authentication system determines the new service access rights of the user equipment from the updated score and sends a rights change message to the second SDP controller; and the second SDP controller forwards the rights change message to the second SDP gateway, instructing it to modify the service access list.
Optionally, the updated security score is determined by the first environment awareness system from a device score sent by the first SDP controller and/or from traffic sent by the user equipment, where the device score is determined by the first SDP controller from the security information of the user equipment.
Optionally, the first SDP gateway and the second SDP gateway each front different services.
A second aspect of the present application provides an SDP-based service processing method applied to an SDP system comprising a control system, a first SDP gateway and a second SDP gateway, where the two gateways are deployed in different regions. The method comprises: after the user equipment has passed SPA authentication and identity authentication on the control system, the control system determines the service access rights of the user equipment; the control system generates a first service access list and a second service access list from those rights, the first list indicating the services the user equipment can access through the first SDP gateway and the second list the services it can access through the second SDP gateway; and the control system sends the first list to the first SDP gateway and the second list to the second SDP gateway.
Optionally, the method further comprises: the control system obtains security information sent by the user equipment; the control system determines a security score for the user equipment from the security information and/or from traffic sent by the user equipment; the control system determines new service access rights for the user equipment from the security score and sends a first rights change message to the first SDP gateway and a second rights change message to the second SDP gateway, the first instructing the first SDP gateway to modify the first service access list and the second instructing the second SDP gateway to modify the second service access list.
Optionally, the control system comprises an SDP controller and an authentication system. The control system determining the service access rights of the user equipment then specifically means: the authentication system determines the service access rights of the user equipment according to the user group to which it belongs.
The control system generating the first and second service access lists from the service access rights specifically means: the authentication system generates the first and second service access lists from the service access rights.
The control system sending the first list to the first SDP gateway and the second list to the second SDP gateway specifically comprises: the authentication system sends both lists to the SDP controller; the SDP controller sends the first list to the first SDP gateway and the second list to the second SDP gateway.
Optionally, the control system further comprises an environment awareness system, and the method further comprises: the environment awareness system receives a device score sent by the SDP controller, which the SDP controller determines from the security information of the user equipment; the environment awareness system determines the security score from the device score and/or from traffic sent by the user equipment; the environment awareness system sends the security score to the authentication system; the authentication system determines new service access rights for the user equipment from the security score and sends a rights change message to the SDP controller; and the SDP controller sends the rights change message to the SDP gateway, instructing it to modify the service access list.
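The second aspect with its component split (the SDP controller scoring the device from its security information, the environment awareness system folding in observed traffic, the authentication system producing one service access list per regional gateway, and a rights change message to each gateway whose list changes) as an added example. It is not the patent's code and not any product's. The patent does not define how the device score or the security score is computed, nor which gateway fronts which service, so the deduction rules, the traffic thresholds, the service placement, the group table and the shape of the traffic records are assumptions for illustration.

```python
# Assumed deployment for illustration: each service is fronted by exactly one
# regional gateway, so a device's rights must be split into one list per gateway.
SERVICE_GATEWAY = {"git": "gw-east", "ci": "gw-east", "hr-portal": "gw-west", "erp": "gw-west"}
GROUP_SERVICES = {"engineering": {"git", "ci", "hr-portal"}, "finance": {"erp", "hr-portal"}}
SERVICE_MIN_SCORE = {"git": 40, "ci": 40, "hr-portal": 60, "erp": 80}

def device_score(security_info):
    """SDP controller: device score from the client's reported security information.
    The deductions are assumed rules, not anything the patent specifies."""
    score = 100
    if security_info.get("rooted", False):
        score -= 50
    if not security_info.get("disk_encrypted", False):
        score -= 30
    if security_info.get("days_since_patch", 0) > 30:
        score -= 20
    if not security_info.get("av_running", False):
        score -= 20
    return max(score, 0)

def security_score(dev_score, traffic):
    """Environment awareness system: combine the device score with observed traffic.
    traffic = list of (target_service, bytes_sent, was_denied) tuples (assumed shape)."""
    denied = sum(1 for _, _, was_denied in traffic if was_denied)
    bytes_sent = sum(b for _, b, _ in traffic)
    penalty = 10 * denied + (20 if bytes_sent > 1_000_000_000 else 0)
    return max(dev_score - penalty, 0)

def per_gateway_lists(user_group, score):
    """Authentication system: one service access list per gateway for this device."""
    lists = {gw: set() for gw in SERVICE_GATEWAY.values()}
    for service in GROUP_SERVICES.get(user_group, ()):
        if score >= SERVICE_MIN_SCORE[service]:
            lists[SERVICE_GATEWAY[service]].add(service)
    return lists

def rights_change_messages(old, new):
    """One message per gateway whose list changed: services to open and to close.
    Gateways whose list is unchanged get no message."""
    msgs = {}
    for gw in old:
        to_open, to_close = new[gw] - old[gw], old[gw] - new[gw]
        if to_open or to_close:
            msgs[gw] = {"open": to_open, "close": to_close}
    return msgs

def demo():
    """Constructed scenario: an engineering device whose state degrades after admission."""
    initial = per_gateway_lists("engineering", 100)
    # Security information the client reports later, and traffic seen from it (constructed):
    # the patch is 45 days old and the device has hammered a service it is not allowed to reach.
    info = {"rooted": False, "disk_encrypted": True, "days_since_patch": 45, "av_running": True}
    traffic = [("git", 12_000, False), ("erp", 0, True), ("erp", 0, True), ("erp", 0, True)]
    score = security_score(device_score(info), traffic)
    updated = per_gateway_lists("engineering", score)
    return initial, score, updated, rights_change_messages(initial, updated)
```

In the constructed scenario the device score drops to 80 for the stale patch and the three denied attempts take the security score to 50, which is below the threshold assumed for hr-portal; the west gateway therefore receives a message closing hr-portal while the east gateway, whose list is unchanged, receives nothing. Deriving the per-gateway messages as a diff of old and new lists is what keeps a score update from reopening services on gateways that never had them.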
可选的,第一SDP网关和第二SDP网关分别负责接入不同的业务服务。Optionally, the first SDP gateway and the second SDP gateway are respectively responsible for accessing different business services.
本申请第三方面提供一种基于SDP的业务处理系统,业务处理系统应用于包括第一SDP系统和第二SDP系统的网络系统,第一SDP系统包括第一控制系统和第一SDP网关,第二SDP系统包括业务处理系统和第二SDP网关,第一SDP系统和第二SDP系统部署于不同的区域;业务处理系统,用于接收第一控制系统发送的用户令牌,用户令牌是第一控制系统在用户设备通过第一控制系统上的SPA认证以及身份认证后发送的,用户令牌是基于用户设备的设备标识和用户设备所属的用户组生成的;业务处理系统,还用于解析用户令牌,从而得到设备标识和用户组;业务处理系统,还用于根据用户组对应的业务访问权限向第二SDP网关提供业务访问列表,以使得第二SDP网关根据业务访问列表对来自于用户设备的业务访问请求进行处理,业务访问列表用于指示用户设备能够访问的业务。The third aspect of the present application provides an SDP-based business processing system. The business processing system is applied to a network system including a first SDP system and a second SDP system. The first SDP system includes a first control system and a first SDP gateway. The second SDP system includes a business processing system and a second SDP gateway. The first SDP system and the second SDP system are deployed in different areas; the business processing system is used to receive the user token sent by the first control system, and the user token is the second It is sent by the control system after the user equipment passes the SPA authentication and identity authentication on the first control system, and the user token is generated based on the equipment identification of the user equipment and the user group to which the user equipment belongs; the business processing system is also used for parsing The user token, thereby obtaining the device identification and the user group; the service processing system is also used to provide the second SDP gateway with a service access list according to the service access authority corresponding to the user group, so that the second SDP gateway can use the service access list according to the The service access request of the user equipment is processed, and the service access list is used to indicate the services that the user equipment can access.
可选的,业务处理系统还用于接收第一控制系统发送的更新后的安全评分,更新后的安全评分是第一控制系统检测到与用户设备相关的安全评分发生更新后发送的;业务处理系统根据更新后的安全评分确定用户设备对应的新的业务访问权限,并向第二SDP网关发送权限变更消息,权限变更消息用于指示第二SDP网关更改业务访问列表。Optionally, the business processing system is further configured to receive the updated security score sent by the first control system, the updated security score is sent after the first control system detects that the security score related to the user equipment has been updated; the business processing The system determines the new service access rights corresponding to the user equipment according to the updated security score, and sends a rights change message to the second SDP gateway, where the rights change message is used to instruct the second SDP gateway to change the service access list.
可选的,更新后的安全评分是基于用户设备的安全信息和/或用户设备发送的流量确定的。Optionally, the updated security score is determined based on security information of the user equipment and/or traffic sent by the user equipment.
可选的,业务访问请求包括设备标识、用户令牌以及用户设备请求访问的目标业务;业务处理系统还用于接收第二SDP网关发送的鉴权请求,鉴权请求是在第二SDP网关根据业务访问列表对用户设备的业务访问请求验证通过后发送的,鉴权请求包括用户令牌以及目标业务;业务处理系统还用于向第二SDP网关返回鉴权请求的鉴权结果,以使得第二SDP网关基于鉴权结果接受或拒绝业务访问请求。Optionally, the service access request includes the device identifier, the user token, and the target service that the user equipment requests to access; the service processing system is also used to receive the authentication request sent by the second SDP gateway, and the authentication request is sent by the second SDP gateway according to The service access list is sent after the service access request of the user equipment is verified, and the authentication request includes the user token and the target service; the service processing system is also used to return the authentication result of the authentication request to the second SDP gateway, so that the first Two, the SDP gateway accepts or rejects the service access request based on the authentication result.
可选的,第一控制系统包括第一SDP控制器和第一认证系统,业务处理系统包括第二SDP控制器和第二认证系统;第二认证系统用于接收第一认证系统发送的用户令牌;第二SDP控制器用于接收第一SDP控制器发送的设备标识;第二SDP控制器用于向第二认证系统发送第一消息,第一消息中包括设备标识,第一消息用于请求用户设备的业务访问权限;第二认证系统用于根据第一消息和用户组对应的业务访问权限向第二SDP控制器发送业务访问列表;第二SDP控制器用于向第二SDP网关发送业务访问列表。Optionally, the first control system includes a first SDP controller and a first authentication system, and the business processing system includes a second SDP controller and a second authentication system; the second authentication system is used to receive the user token sent by the first authentication system card; the second SDP controller is used to receive the device identification sent by the first SDP controller; the second SDP controller is used to send the first message to the second authentication system, the first message includes the device identification, and the first message is used to request the user The service access authority of the device; the second authentication system is used to send the service access list to the second SDP controller according to the first message and the service access authority corresponding to the user group; the second SDP controller is used to send the service access list to the second SDP gateway .
Optionally, the first control system includes a first SDP controller and a first authentication system, and the service processing system includes a second SDP controller and a second authentication system. The user token is generated from the device identifier of the user equipment, the user group to which the user equipment belongs, and the user identifier corresponding to the user equipment. The second authentication system receives the user token sent by the first authentication system; the second SDP controller receives the device identifier and the user identifier sent by the first SDP controller; the second SDP controller sends a first message to the second authentication system, the first message carrying the device identifier and the user identifier and requesting the service access rights of the user equipment; the second authentication system sends a service access list to the second SDP controller according to the first message and the service access rights corresponding to the user group; and the second SDP controller sends the service access list to the second SDP gateway.
Optionally, the first control system includes a first SDP controller, a first authentication system and a first environment awareness system, and the service processing system includes a second SDP controller, a second authentication system and a second environment awareness system. The second environment awareness system receives an updated security score sent by the first environment awareness system, the updated score being sent after the first environment awareness system detects that the security score associated with the user equipment has changed; the second environment awareness system forwards the updated security score to the second authentication system; the second authentication system determines new service access rights for the user equipment according to the updated security score and sends a permission change message to the second SDP controller; and the second SDP controller sends the permission change message to the second SDP gateway, the message instructing the second SDP gateway to modify the service access list.
Optionally, the updated security score is determined by the first environment awareness system from the device score sent by the first SDP controller and/or from the traffic sent by the user equipment, the device score being determined by the first SDP controller from the security information of the user equipment.
Optionally, the first SDP gateway and the second SDP gateway are responsible for access to different services.
A fourth aspect of the present application provides an SDP-based service processing system. The service processing system is applied to an SDP system that includes the service processing system, a first SDP gateway and a second SDP gateway, the first and second SDP gateways being deployed in different regions. After the user equipment passes SPA authentication and identity authentication on the service processing system, the service processing system determines the service access rights of the user equipment and, from those rights, generates a first service access list and a second service access list; the first list indicates the services the user equipment can access through the first SDP gateway, and the second list indicates the services the user equipment can access through the second SDP gateway. The service processing system sends the first service access list to the first SDP gateway and the second service access list to the second SDP gateway.
Optionally, the service processing system obtains security information sent by the user equipment, determines a security score of the user equipment from that security information and/or from the traffic sent by the user equipment, determines new service access rights for the user equipment from the security score, and sends a first permission change message to the first SDP gateway and a second permission change message to the second SDP gateway; the first message instructs the first SDP gateway to modify the first service access list, and the second message instructs the second SDP gateway to modify the second service access list.
Optionally, the service processing system includes an SDP controller and an authentication system. The authentication system determines the service access rights of the user equipment from the user group to which the user equipment belongs, generates the first and second service access lists from those rights, and sends both lists to the SDP controller; the SDP controller sends the first service access list to the first SDP gateway and the second service access list to the second SDP gateway.
Optionally, the service processing system further includes an environment awareness system. The environment awareness system receives the device score sent by the SDP controller (the device score being determined by the SDP controller from the security information of the user equipment), determines a security score from the device score and/or the traffic sent by the user equipment, and sends the security score to the authentication system; the authentication system determines new service access rights for the user equipment from the security score and sends a permission change message to the SDP controller; the SDP controller sends the permission change message to the SDP gateway, instructing it to modify the service access list.
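As an added example of the score-driven re-authorization described in these optional features (this is illustrative code written for this page, not code from the patent): the environment awareness system folds the SDP controller's device score and observed traffic into a security score, the authentication system maps that score to the rights the user group keeps at that score, and a permission change message is emitted only when the effective service access list actually changes. The score tiers, the traffic event kinds and their weights, the message fields and the device identifier are this example's assumptions; the patent fixes none of them.

```python
from typing import Dict, List, Optional, Set

# Assumed tiers: minimum score -> tier name, highest first.
SCORE_TIERS = [(80, "full"), (50, "restricted"), (0, "blocked")]
# Assumed services a device may keep at each tier (intersected with group rights).
TIER_SERVICES: Dict[str, Set[str]] = {
    "full": {"service1", "service2", "service3"},
    "restricted": {"service1"},
    "blocked": set(),
}
# Assumed penalty per kind of suspicious traffic observation (constructed).
TRAFFIC_PENALTY = {"port_scan": 30, "blocked_destination": 10, "malware_callback": 100}


def security_score(device_score: int, traffic_events: List[dict]) -> int:
    """Environment awareness system: start from the SDP controller's device
    score (0..100, derived from the endpoint's security information) and
    subtract penalties for observed traffic events; clamp to 0..100."""
    penalty = sum(TRAFFIC_PENALTY.get(ev.get("kind"), 0) * ev.get("count", 1)
                  for ev in traffic_events)
    return max(0, min(100, device_score - penalty))


def tier_for(score: int) -> str:
    for minimum, tier in SCORE_TIERS:
        if score >= minimum:
            return tier
    return "blocked"


def effective_rights(group_services: Set[str], score: int) -> Set[str]:
    """Rights the user group grants, reduced to what the current score allows."""
    return group_services & TIER_SERVICES[tier_for(score)]


def permission_change(device_id: str, group_services: Set[str],
                      old_score: int, new_score: int) -> Optional[dict]:
    """Authentication system: build the permission change message for the
    gateway, or return None when the score moved but the access list did not,
    so the gateway is not told to rewrite a list that is already correct."""
    old = effective_rights(group_services, old_score)
    new = effective_rights(group_services, new_score)
    if old == new:
        return None
    return {"type": "permission_change", "device_id": device_id,
            "revoke": sorted(old - new), "grant": sorted(new - old)}


class GatewayAccessLists:
    """Gateway side: apply permission change messages to per-device lists."""

    def __init__(self) -> None:
        self.access_lists: Dict[str, Set[str]] = {}

    def apply(self, msg: dict) -> Set[str]:
        current = self.access_lists.get(msg["device_id"], set())
        current = (current - set(msg["revoke"])) | set(msg["grant"])
        self.access_lists[msg["device_id"]] = current
        return current
```

Keeping the group rights and the score-derived ceiling separate means a score recovery can only restore services the user group was entitled to in the first place, never grant beyond it.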
Optionally, the first SDP gateway and the second SDP gateway are responsible for access to different services.
A fifth aspect of the present application provides a network device including a processor and a memory; the memory stores program code, and the processor calls the program code in the memory so that the network device performs the method of any implementation of the first or second aspect.
A sixth aspect of the present application provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the method of any implementation of the first or second aspect.
A seventh aspect of the present application provides a computer program product which, when run on a computer, causes the computer to perform the method of any implementation of the first or second aspect.
An eighth aspect of the present application provides a chip including one or more processors. Some or all of the processors read and execute computer instructions stored in a memory in order to perform the method of any possible implementation of any of the aspects above. Optionally, the chip further includes the memory. Optionally, the chip further includes a communication interface connected to the processors; the communication interface receives data and/or information to be processed, the processors obtain that data and/or information from the communication interface, process it, and output the result through the communication interface. Optionally, the communication interface is an input/output interface or a bus interface. The method provided in this application is implemented by one chip, or cooperatively by several chips.
The solutions of the third to eighth aspects implement, or cooperate in implementing, the method of the first or second aspect, and therefore achieve the same or corresponding beneficial effects as the first or second aspect; these are not repeated here.
Description of drawings
FIG. 1 is a schematic diagram of a network deployment scenario according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of an SDP-based service processing method according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of the second control system sending a permission change message based on a security score, according to an embodiment of the present application;
FIG. 4 is a schematic flow chart of the first control system detecting whether the security score of the user equipment has been updated, according to an embodiment of the present application;
FIG. 5 is a schematic diagram of another network deployment scenario according to an embodiment of the present application;
FIG. 6 is a schematic flow chart of another SDP-based service processing method according to an embodiment of the present application;
FIG. 7 is a schematic diagram of another network deployment scenario according to an embodiment of the present application;
FIG. 8 is a schematic flow chart of another SDP-based service processing method according to an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a network device 900 according to an embodiment of the present application.
Detailed description of embodiments
Embodiments of the present application are described below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the present application. Those of ordinary skill in the art will appreciate that, as technology develops and new scenarios emerge, the technical solutions provided in these embodiments apply equally to similar technical problems.
The terms "first", "second" and the like in the specification, claims and drawings of the present application are used to distinguish similar objects and do not necessarily describe a particular order or sequence.
The word "exemplary" is used herein to mean "serving as an example, embodiment or illustration". Any embodiment described as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
Some terms and concepts involved in the embodiments of the present application are explained first.
(1) SPA authentication
SPA (single-packet authorization) authentication is an authentication technique used in SDP systems. In the SPA authentication process, the client combines the timestamp at which the packet is sent, the client's Internet Protocol (IP) address and the service password, and computes a hash over them. The client then packs the hash into a User Datagram Protocol (UDP) packet and sends it to the designated knock port on the server. The server computes a hash from the timestamp in the received UDP packet, the client's IP address and the service password stored on the server, and compares it with the hash carried in the packet. If the two hashes match, the server opens the service port that the client requested access to. In addition, the server records the last valid authorized packet it received, so that an attacker cannot replay an old packet.
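The knock exchange described above, as an added example for this page; it is not code from the patent, which gives none. It assumes that the service password is used as an HMAC-SHA256 key (the patent only says the three fields are hashed together), a packet layout of `timestamp|client_ip|digest`, a 30-second freshness window, and a per-client record of the last accepted timestamp; the shared secret and addresses are constructed. The server binds the hashed IP to the source address it actually observed, so a packet captured and re-sent from another host fails even inside the freshness window.

```python
import hashlib
import hmac
import socket
from typing import Dict, Tuple

# Constructed shared secret; the patent calls this the "service password".
SERVICE_PASSWORD = b"constructed-service-password"
MAX_SKEW_SECONDS = 30  # assumed freshness window; the patent does not fix one


def spa_digest(timestamp: int, client_ip: str, secret: bytes) -> str:
    """Hash over (timestamp, client IP, service password). HMAC is used so the
    secret acts as a key rather than as concatenated input (this example's choice)."""
    msg = f"{timestamp}|{client_ip}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_spa_packet(client_ip: str, secret: bytes, timestamp: int) -> bytes:
    """Client side: the UDP payload sent to the knock port."""
    return f"{timestamp}|{client_ip}|{spa_digest(timestamp, client_ip, secret)}".encode()


def send_knock(packet: bytes, server_ip: str, knock_port: int) -> None:
    """Client side: fire-and-forget UDP datagram (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(packet, (server_ip, knock_port))


class SpaServer:
    """Server side of the knock: recompute the hash, compare, and remember the
    last valid packet per client so an old packet cannot be replayed."""

    def __init__(self, secret: bytes, max_skew: int = MAX_SKEW_SECONDS) -> None:
        self.secret = secret
        self.max_skew = max_skew
        self.last_accepted: Dict[str, int] = {}  # source IP -> timestamp of last valid packet

    def verify(self, packet: bytes, source_ip: str, now: int) -> Tuple[bool, str]:
        try:
            ts_str, claimed_ip, digest = packet.decode().split("|")
            ts = int(ts_str)
        except (ValueError, UnicodeDecodeError):
            return False, "malformed"
        # The client IP is part of the hashed input; bind it to the observed
        # source address so a packet captured elsewhere cannot be reused.
        if claimed_ip != source_ip:
            return False, "ip-mismatch"
        if abs(now - ts) > self.max_skew:
            return False, "stale"
        expected = spa_digest(ts, source_ip, self.secret)
        if not hmac.compare_digest(expected, digest):
            return False, "bad-hash"
        # Replay protection: the digest is fixed by (ts, ip), so a packet whose
        # timestamp is not newer than the last accepted one is a replay. The
        # record is only updated by packets that passed the hash check.
        last = self.last_accepted.get(source_ip)
        if last is not None and ts <= last:
            return False, "replay"
        self.last_accepted[source_ip] = ts
        return True, "open-service-port"
```

The freshness window bounds how long a captured knock stays usable against a server that has lost its replay record (for example after a restart); the per-client record closes the window for replays from the same address while the server is up.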
(2) Syslog
Syslog, commonly called the system log or system record, is a standard for transmitting system log messages over the Internet. A Syslog message is a message that carries such a system log or system record.
Having introduced the terms and concepts involved in the embodiments, the scenarios in which the SDP-based service processing method of the present application is applied are described next.
Refer to FIG. 1, a schematic diagram of a network deployment scenario according to an embodiment of the present application.
As shown in FIG. 1, a first SDP system is deployed in Region 1 and includes a first SDP gateway and a first control system. The first SDP gateway is connected to the service servers in Region 1 and controls access by user equipment to those servers.
A second SDP system is deployed in Region 2 and includes a second SDP gateway and a second control system. The second SDP gateway is connected to the service servers in Region 2 and controls access by user equipment to those servers. The service servers in Region 1 and Region 2 each provide one or more services.
After user equipment in Region 1 passes SPA authentication and identity authentication on the first control system, the first control system provides the first SDP gateway with the service access list of that user equipment for Region 1, so that the user equipment can reach the service servers in Region 1 through the first SDP gateway.
In addition, after user equipment in Region 1 passes SPA authentication and identity authentication on the first control system, the second control system performs the service processing method provided by this embodiment, so that the user equipment in Region 1 can access the service servers in Region 2 across regions through the second SDP gateway without performing SPA authentication again.
Having introduced the application scenarios, the implementation of the SDP-based service processing method provided by the embodiments is described in detail below.
Refer to FIG. 2, a schematic flow chart of an SDP-based service processing method according to an embodiment of the present application. As shown in FIG. 2, the method includes steps 201 to 203 and is applied to the network system of FIG. 1, which includes the first SDP system and the second SDP system.
Step 201: the second control system receives a user token sent by the first control system. The first control system sends the user token after the user equipment passes SPA authentication and identity authentication on the first control system; the user token is generated from the device identifier of the user equipment and the user group to which the user equipment belongs.
In this embodiment, the user equipment passing SPA authentication on the first control system means that the SPA packet the user equipment sent to the first control system was successfully verified. The user equipment passing identity authentication on the first control system means that the first control system has confirmed the identity of the user logged in on the user equipment.
After the user equipment passes SPA authentication and identity authentication on the first control system, the first control system generates a user token from the device identifier of the user equipment and the user group to which it belongs, and sends the token to the second control system. The device identifier is a unique identifier that the first control system generates from information about the user equipment. The user group is determined by the first control system from the identity of the user logged in on the user equipment. The user equipment is located in the same region as the first control system, which is why it undergoes SPA authentication and identity authentication there.
For example, the user token is obtained by the first control system encrypting the device identifier and the user group with symmetric or asymmetric encryption. Assume the device identifier of the user equipment is 2bc17646142b404b9895 and its user group is a0000000035246; the user token obtained by encrypting the two is then f35989e8fea1.
Step 202: the second control system parses the user token to obtain the device identifier and the user group.
In this embodiment, the second control system is provisioned with a key for parsing the user token. After it receives the user token from the first control system, the second control system decrypts the token with this key and thereby obtains the device identifier of the user equipment and the user group to which the user equipment belongs.
For example, when the first control system produces the user token with symmetric encryption, the key the second control system uses to decrypt it is the same key the first control system used to encrypt it. When the first control system produces the user token with asymmetric encryption, the first control system encrypts with the public key and the second control system decrypts with the private key.
Step 203: the second control system provides a service access list to the second SDP gateway according to the service access rights corresponding to the user group, so that the second SDP gateway processes service access requests from the user equipment according to the list. The service access list indicates the services the user equipment is allowed to access.
Optionally, a service permission mapping table is provisioned in the second control system; it records the service access rights corresponding to each user group. An example of such a table is shown in Table 1.
Table 1
After the second control system obtains the user group by parsing the user token, it looks up the provisioned service permission mapping table to determine the service access rights of that user group. Because the user equipment corresponds to a user group and the user group in turn has service access rights, the second control system can generate a service access list from the rights of the user equipment's group. The service access list indicates the service access rights of the user equipment, that is, the services it can access. For example, per Table 1, if the user equipment belongs to the research and development group, the service access list indicates that the user equipment can access Service 1, Service 2 and Service 3.
Once the second control system has provided the service access list to the second SDP gateway, when the user equipment sends a service access request to the second SDP gateway from the other region, the second SDP gateway processes the request according to the service access list provided by the second control system.
Note that the above describes the case in which, after the user equipment passes SPA authentication and identity authentication on the first control system, the first control system sends a user token to the second control system so that the user equipment can access services across regions through the second SDP gateway without performing SPA authentication again. In practice, when other user equipment passes SPA authentication and identity authentication on the second control system, the second control system can likewise send a user token to the first control system so that the other user equipment can access services across regions through the first SDP gateway without repeating SPA authentication; this is not described further here.
In this solution, once user equipment has passed SPA authentication and identity authentication on the SDP control system of one region, that control system sends the user token for the user equipment to the SDP control systems of the other regions. Those control systems parse the token to obtain the device identifier and user group of the user equipment, determine its service access rights from the user group, and push the corresponding service access list to their SDP gateways, so that the user equipment can reach service resources through the SDP gateways of different regions. Under this solution, user equipment does not need to perform SPA authentication repeatedly when accessing service resources across regions, which simplifies the access procedure and improves access efficiency.
Optionally, the service access request that the user equipment sends to the second SDP gateway carries the device identifier of the user equipment, the user token and the target service the user equipment requests. The second SDP gateway checks the service access list to determine whether the user equipment is permitted to access the target service.
When the second SDP gateway determines from the service access list that the user equipment is permitted to access the target service, the request has passed the gateway's access-list check, and the second SDP gateway sends an authentication request to the second control system. The authentication request carries the user token and the target service and asks the control system to determine whether the user equipment is permitted to access the target service.
On receiving the authentication request, the second control system determines from the user token and the target service whether the user corresponding to the token is permitted to access the target service, and returns the authentication result to the second SDP gateway, which accepts or rejects the service access request accordingly. For example, the second control system parses the user token to obtain the device identifier and user group of the user equipment, and looks up the access rights of that user group to decide whether the user corresponding to the token may access the target service.
When the second SDP gateway determines from the service access list that the user equipment is not permitted to access the target service, it discards the service access request, thereby denying the user equipment access to the target service.
In short, the second SDP gateway's check of the service access request against the service access list is a legitimacy check on the user equipment: it verifies whether the equipment is permitted to access the target service. Once that check passes, the second SDP gateway sends an authentication request carrying the user token to the second control system, so that the control system further verifies whether the user logged in on the equipment is permitted to access the target service. This two-stage verification by the second SDP gateway and the second control system ensures that user equipment accesses the target service legitimately and improves access security.
For example, assume user A is permitted to access the target service and user B is not. User A logs in on the user equipment and passes SPA authentication and identity authentication on the first control system; the second control system then performs steps 201 to 203, so that the second SDP gateway holds a service access list associated with the device identifier of the user equipment. If user B now logs in on the same user equipment and sends the second SDP gateway a service access request for the target service, and the service access list on the second SDP gateway has not yet been updated, the request sent through the user equipment passes the second SDP gateway's check. The second control system then receives the authentication request from the second SDP gateway, confirms that user B does not actually have permission to access the target service, and returns an authentication result instructing the second SDP gateway to reject user B's request.
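Steps 201 to 203 together with the two-stage check and the user A / user B case above, as one added example written for this page; it is not code from the patent. Assumptions: the token uses the patent's symmetric case with one preset key pair shared by both control systems, implemented here as an encrypt-then-MAC construction built from HMAC-SHA256 in the standard library (a stand-in for a production cipher such as AES-GCM) so that a token the second control system can decrypt but that was not produced by a holder of the key is rejected; decrypting alone, whether with a shared key or with the recipient's private key, does not by itself prove who created the token. The token also carries the user identifier, as in the variant described earlier with a first and second authentication system, which is what lets the control system tell user B from user A on the same device. The permission mapping table is a constructed stand-in for Table 1, and the device identifiers, user names and keys are constructed.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Dict, Set, Tuple

# Constructed stand-in for Table 1 (user group -> service access rights).
SERVICE_PERMISSION_MAP: Dict[str, Set[str]] = {
    "research": {"service1", "service2", "service3"},
    "sales": {"service1"},
}

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stream cipher (toy stand-in;
    use AES-GCM or a signed token format in production)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_token(payload: dict, enc_key: bytes, mac_key: bytes) -> str:
    """Encrypt-then-MAC: base64url(nonce || ciphertext || tag)."""
    nonce = os.urandom(NONCE_LEN)
    pt = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def open_token(token: str, enc_key: bytes, mac_key: bytes) -> dict:
    """Verify the tag first, then decrypt; raises ValueError on any tampering."""
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise ValueError("token too short")
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("token failed integrity check")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


class ControlSystem:
    """Either region's control system; both are provisioned with the same keys."""

    def __init__(self, enc_key: bytes, mac_key: bytes) -> None:
        self.enc_key, self.mac_key = enc_key, mac_key
        # user name -> (device identifier, user group), built at registration
        self.users: Dict[str, Tuple[str, str]] = {}

    def register(self, user: str, device_id: str, group: str) -> None:
        self.users[user] = (device_id, group)

    def issue_token(self, user: str) -> str:
        """First control system, after SPA and identity authentication succeed."""
        device_id, group = self.users[user]
        return seal_token({"device": device_id, "group": group, "user": user},
                          self.enc_key, self.mac_key)

    def access_list_from_token(self, token: str) -> Tuple[str, Set[str]]:
        """Second control system, steps 202-203: parse the token, map the group
        to its rights, and return the list to push to the gateway."""
        claims = open_token(token, self.enc_key, self.mac_key)
        return claims["device"], set(SERVICE_PERMISSION_MAP.get(claims["group"], ()))

    def authenticate(self, token: str, target_service: str) -> bool:
        """Answer the gateway's authentication request for one target service."""
        try:
            claims = open_token(token, self.enc_key, self.mac_key)
        except ValueError:
            return False
        return target_service in SERVICE_PERMISSION_MAP.get(claims["group"], ())


class SdpGateway:
    """Holds the per-device service access lists pushed by its control system."""

    def __init__(self, control: ControlSystem) -> None:
        self.control = control
        self.access_lists: Dict[str, Set[str]] = {}

    def install_access_list(self, device_id: str, services: Set[str]) -> None:
        self.access_lists[device_id] = set(services)

    def handle_request(self, device_id: str, token: str, target_service: str) -> str:
        # Stage 1: device-level check against the access list; otherwise drop.
        if target_service not in self.access_lists.get(device_id, set()):
            return "dropped"
        # Stage 2: ask the control system whether the user behind the token may.
        return "accepted" if self.control.authenticate(token, target_service) else "rejected"
```

The gateway's list is keyed by device, so after user A's list is installed, user B on the same device reaches stage 2 with a token naming the sales group and is rejected there, which is the case the text describes. A token sealed under a different MAC key decrypts to nothing usable and is rejected the same way.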
The above describes how the second control system provides the service access list to the second SDP gateway once the user equipment has passed SPA authentication and identity authentication. For ease of understanding, the process by which the user equipment passes SPA authentication and identity authentication on the first control system is described in detail below.
First, the user downloads the SDP client from the SDP client download page on the user equipment; the SDP client is what allows the user equipment to communicate with the SDP system. Once the SDP client is installed, the user performs the user registration procedure in the SDP client. During registration the user enters user identity information, which the SDP client reports to the first control system; for example, the user enters the user name and job position they hold in the enterprise. The SDP client also uploads information about the user equipment to the first control system, such as its memory, hard disk and processor information. From the reported user equipment information the first control system generates a device identifier that uniquely corresponds to the user equipment, and records the correspondence between the user identity information and that device identifier.
In addition, the first control system determines from the user identity information the user group to which the user belongs, and each user group has a corresponding set of service access rights. For example, from the user's user name and job position in the enterprise the first control system determines that the user belongs to the research and development group, and therefore that the user's service access rights cover service 1, service 2 and service 3.
In short, once the user has completed registration, the first control system holds the user identity information, the information about the user equipment the user logged in on, the user group the user belongs to and the user's service access rights, and it records the correspondence among them. For example, the correspondence the first control system establishes is: user name, device identifier, user group, service access rights. Given either a user name or a device identifier, the first control system can then look up the corresponding user group and service access rights.
After registration, the user enters an account and password in the SDP client on the user equipment to initiate SPA authentication. The account and password may have been issued to the user by the enterprise administrator and uniquely identify the user. Specifically, the SDP client generates an SPA packet based on the account and password entered by the user and sends the SPA packet to the first control system.
On receiving the SPA packet, the first control system verifies it. If the SPA packet passes verification, the first control system treats the user equipment as having passed SPA authentication and then performs user identity authentication on the account and password carried in the SPA packet. If the account and password pass user identity authentication, the first control system generates a user token from the device identifier of the user equipment that sent the SPA packet and the user group to which that user equipment belongs.
After the user equipment has passed SPA authentication and identity authentication, the first control system generates a service access list according to the user group of the user equipment and provides it to the first SDP gateway, so that the first SDP gateway processes the user equipment's service access requests on the basis of that list. The first control system also returns the user token to the SDP client on the user equipment, which tells the SDP client that SPA authentication and identity authentication have succeeded and lets it access the corresponding services using the token.
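The registration, SPA authentication and token issuance described above, written out as an added example; this is not the patent's own code. The example assumes a particular construction for each element the text leaves open: the device identifier is SHA-256 over the uploaded hardware attributes, the SPA packet is authenticated with a per-device seed issued at registration and carries a PBKDF2-derived password proof rather than the password itself, the user token is base64url JSON with an HMAC tag, and the position-to-group and group-to-rights tables are illustrative.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Assumed tables for the example; the patent only says that identity information
# (user name, job position) determines the user group and each group has access rights.
GROUP_OF_POSITION = {"research and development": "rnd", "finance": "fin"}
GROUP_PERMISSIONS = {"rnd": {"service1", "service2", "service3"}, "fin": {"service1"}}
PBKDF2_ROUNDS = 100_000


def device_identifier(device_info: dict) -> str:
    """Device identifier from the uploaded hardware attributes.
    Assumed construction: SHA-256 over the canonical JSON of the attributes."""
    canonical = json.dumps(device_info, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()[:32]


def _spa_message(packet: dict) -> bytes:
    """The authenticated part of an SPA packet (everything except the two tags)."""
    fields = {k: packet[k] for k in ("account", "device_id", "ts", "nonce")}
    return json.dumps(fields, sort_keys=True).encode()


def build_spa_packet(account, password, device_id, salt, spa_seed, now=None):
    """SDP client side: an SPA packet derived from the account and password.
    Assumed design: the password never travels; the packet carries an HMAC keyed by a
    PBKDF2-derived password key (identity proof) and an HMAC keyed by a per-device SPA
    seed issued at registration (SPA tag), over a timestamp and nonce to defeat replay."""
    packet = {
        "account": account,
        "device_id": device_id,
        "ts": int(time.time() if now is None else now),
        "nonce": base64.urlsafe_b64encode(os.urandom(12)).decode(),
    }
    msg = _spa_message(packet)
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    packet["pw_proof"] = hmac.new(pw_key, msg, "sha256").hexdigest()
    packet["spa_tag"] = hmac.new(spa_seed, msg, "sha256").hexdigest()
    return packet


class FirstControlSystem:
    def __init__(self, token_key: bytes, spa_window: int = 60):
        self.token_key = token_key
        self.spa_window = spa_window          # seconds of clock skew tolerated for an SPA packet
        self.users = {}                       # account -> {"group", "pw_key"}
        self.devices = {}                     # device_id -> {"spa_seed", "accounts"}
        self.seen_nonces = set()

    def register(self, account, position, password, device_info):
        """Registration: user name - device identifier - user group - access rights."""
        device_id = device_identifier(device_info)
        salt, spa_seed = os.urandom(16), os.urandom(32)
        pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[account] = {"group": GROUP_OF_POSITION[position], "pw_key": pw_key}
        dev = self.devices.setdefault(device_id, {"spa_seed": spa_seed, "accounts": set()})
        dev["accounts"].add(account)          # several users may register the same device
        return device_id, salt, dev["spa_seed"]   # the client keeps salt and seed

    def authenticate(self, packet: dict, now=None):
        """SPA authentication first, then identity authentication, then token issuance."""
        now = int(time.time() if now is None else now)
        dev = self.devices.get(packet.get("device_id"))
        if dev is None:
            return None, "unknown device"
        msg = _spa_message(packet)
        # SPA authentication: tag under the per-device seed, fresh timestamp, unseen nonce.
        expected = hmac.new(dev["spa_seed"], msg, "sha256").hexdigest()
        if not hmac.compare_digest(expected, packet.get("spa_tag", "")):
            return None, "spa tag mismatch"
        if abs(now - packet["ts"]) > self.spa_window or packet["nonce"] in self.seen_nonces:
            return None, "spa replay or stale"
        self.seen_nonces.add(packet["nonce"])
        # Identity authentication: the account must be bound to this device and the
        # password proof must verify against the stored password key.
        user = self.users.get(packet["account"])
        if user is None or packet["account"] not in dev["accounts"]:
            return None, "account not bound to device"
        proof = hmac.new(user["pw_key"], msg, "sha256").hexdigest()
        if not hmac.compare_digest(proof, packet.get("pw_proof", "")):
            return None, "bad password"
        token = self.issue_token(packet["device_id"], user["group"], now)
        access_list = sorted(GROUP_PERMISSIONS[user["group"]])   # list for the first SDP gateway
        return {"token": token, "access_list": access_list}, "ok"

    def issue_token(self, device_id, group, now, ttl=3600):
        """User token from the device identifier and user group (assumed: base64url JSON + HMAC)."""
        claims = {"device_id": device_id, "group": group, "exp": now + ttl}
        payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
        tag = hmac.new(self.token_key, payload.encode(), "sha256").hexdigest()
        return f"{payload}.{tag}"
```

The checks are ordered so that only a packet bearing a valid SPA tag consumes nonce state or reaches identity authentication; an unauthenticated sender gets no response and no side effect, which is the point of putting SPA in front of the login.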
Optionally, the first SDP gateway and the second SDP gateway front different business services. In that case the service access list the first control system delivers to the first SDP gateway differs from the one the second control system delivers to the second SDP gateway: the former indicates which of the services fronted by the first SDP gateway the user equipment may access, and the latter indicates which of the services fronted by the second SDP gateway the user equipment may access.
For example, suppose the services the user equipment may access across the whole network system are service 1, service 2 and service 3, the first SDP gateway fronts service 1 and service 2, and the second SDP gateway fronts service 3. Then the list the first control system delivers to the first SDP gateway indicates that the user equipment may access service 1 and service 2, and the list the second control system delivers to the second SDP gateway indicates that it may access service 3.
The above describes how the first control system and the second control system each provide a service access list to their respective SDP gateway. The following describes how they instruct their respective SDP gateway to update that list.
Optionally, after the second control system has delivered the service access list to the second SDP gateway, it receives an updated security score from the first control system. The first control system sends the updated score when it detects that the security score associated with the user equipment has changed. The updated security score indicates the current security posture of the user equipment: the higher the score, the more secure the user equipment currently is, and the lower the score, the less secure it is.
The second control system then determines the user equipment's new service access rights from the updated security score and sends a permission change message to the second SDP gateway instructing it to modify the service access list. Because the updated score reflects the user equipment's current security posture, the second control system can adjust the user equipment's current service access rights to match, so that a poorly secured user equipment cannot reach the more sensitive services.
For example, access conditions for the various services are preset in the second control system: service 1 and service 2 require a user equipment security score above 80, and service 3 requires a score above 90. Before the updated score arrives, the service access list the second control system provided to the second SDP gateway indicates that the user equipment may access service 1, service 2 and service 3. After receiving an updated score of 85, the second control system determines that the user equipment's service access rights are now service 1 and service 2, and sends a permission change message instructing the second SDP gateway to change the services the user equipment may access in the list to service 1 and service 2.
Similarly, when the first control system detects that the security score associated with the user equipment has changed, it too determines the user equipment's new service access rights from the updated score and sends a permission change message to the first SDP gateway instructing it to modify its service access list.
Optionally, the updated security score is determined from the user equipment's security information and/or the traffic the user equipment sends. The security information describes the security state of the user equipment itself, for example whether it has high-risk ports open and whether the system it runs has high-risk vulnerabilities. The traffic the user equipment sends reflects its behaviour on the network; analysing it shows the user equipment's security state in the network environment, for example whether it has been hijacked by an attacker and is continuously sending attack packets.
In this embodiment, once the user equipment has passed SPA authentication and identity authentication, the first control system assigns it an initial security score, for example 100. The first control system then continuously checks whether the user equipment's security score has changed and, whenever it has, sends the updated score to the second control system.
After the score has changed once, the first control system keeps the updated score and continues to check whether it changes again, so that it can notify the second control system each time. In other words, every time the user equipment's security score changes, the first control system sends the updated score to the second control system so that the latter can determine the user equipment's latest service access rights.
Likewise, when the second control system receives a security score from the first control system, it stores the received score locally and compares it with the score it had stored previously to decide whether to update the user equipment's service access rights.
For example, refer to FIG. 3, a schematic flowchart of the second control system sending a permission change message based on the security score according to an embodiment of this application. As shown in FIG. 3, the procedure includes steps 301 to 306.
Step 301: the second control system receives the security score sent by the first control system.
Step 302: the second control system checks whether a security score is stored locally.
Step 303: if no security score is stored locally, the second control system stores the received score as a new local entry.
Step 304: if a security score is stored locally, the second control system checks whether the local score is the same as the received score.
Step 305: if no security score is stored locally, or the local score differs from the received score, the second control system sends a permission change message to the second SDP gateway according to the received score.
Specifically, the second control system determines the user equipment's new service access rights from the received score and sends the second SDP gateway a permission change message instructing it to replace the user equipment's service access rights in the service access list with the new ones.
In addition, when the local score differs from the received score, the second control system overwrites the local score with the received one, so that it always holds the latest security score.
Step 306: if the local score is the same as the received score, the second control system takes no action, that is, it does not send a permission change message to the second SDP gateway.
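Steps 301 to 306 together with the threshold example above, as an added example that is not part of the patent. The access conditions use the 80 and 90 thresholds from the text; the service names, the shape of the permission change message and the restriction of the result to the services this gateway fronts are assumptions of the example.

```python
from dataclasses import dataclass, field

# Access conditions preset in the second control system, using the thresholds from the
# example above; the service names are assumed.
ACCESS_CONDITIONS = {"service1": 80, "service2": 80, "service3": 90}


def rights_for_score(score: int, conditions=ACCESS_CONDITIONS) -> set:
    """Services whose access condition the score satisfies (strictly above the threshold)."""
    return {svc for svc, floor in conditions.items() if score > floor}


@dataclass
class PermissionChange:
    """Permission change message delivered to the second SDP gateway (assumed shape)."""
    device_id: str
    access_list: list


@dataclass
class SecondControlSystem:
    gateway_services: set                               # services fronted by the second SDP gateway
    local_scores: dict = field(default_factory=dict)    # device_id -> last security score received
    sent: list = field(default_factory=list)            # messages sent to the second SDP gateway

    def on_security_score(self, device_id: str, score: int):
        """Steps 301-306: act only when the score is new or has changed."""
        previous = self.local_scores.get(device_id)          # step 302: is a score stored locally?
        if previous is not None and previous == score:       # steps 304/306: unchanged, do nothing
            return None
        self.local_scores[device_id] = score                 # step 303 (new) or step 305 (overwrite)
        # Step 305: new rights from the received score, limited to this gateway's services.
        rights = rights_for_score(score) & self.gateway_services
        msg = PermissionChange(device_id, sorted(rights))
        self.sent.append(msg)
        return msg
```

Note that the comparison is on the score value only: a score that drops and then returns to its previous value produces two messages, which is what the gateway needs, while a repeated delivery of the same score produces none.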
For ease of understanding, the following describes in detail how the first control system detects whether the user equipment's security score has changed.
Refer to FIG. 4, a schematic flowchart of the first control system detecting whether the user equipment's security score has changed according to an embodiment of this application. As shown in FIG. 4, the procedure includes steps 401 to 404.
Step 401: the first control system sends a security policy to the SDP client on the user equipment.
After the user equipment passes SPA authentication and identity authentication, the first control system sends the SDP client on the user equipment a security policy that instructs the SDP client to collect the user equipment's security information.
Step 402: the first control system receives the user equipment's security information from the SDP client.
Once the SDP client has collected the security information by executing the policy delivered by the first control system, it sends the collected information to the first control system.
For example, if the security policy sent to the SDP client is a high-risk port policy, the SDP client executes it and sends a high-risk port log to the first control system whenever a high-risk port is opened on the user equipment, for instance as a syslog message over the User Datagram Protocol (UDP). The high-risk port log contains the device identifier of the user equipment, the threat type of the threat event on the user equipment (here, a high-risk port) and the threat degree of the event. Plain UDP syslog carries no sender authentication, so in practice these reports should be bound to the SDP client's authenticated session, so that a forged log cannot alter a device's score.
Step 403: the first control system determines a security score from the user equipment's security information and/or the traffic the user equipment sends.
In one possible example, after receiving the user equipment's security information from the SDP client, the first control system computes the user equipment's current security score with a predefined scoring algorithm. For example, if the default security score is 100 and the user equipment has one high-risk port open, 2 points are deducted, giving a current score of 98.
In another possible example, the first control system monitors the traffic the user equipment sends over a period of time and determines its security score by analysing that traffic. For example, when the traffic matches the characteristics of a particular attack behaviour, the first control system sets the user equipment's security score to the score associated with that attack behaviour.
In yet another possible example, the first control system determines a device score from the user equipment's security information and a network environment score from the traffic it sends, and then combines the two to obtain the user equipment's security score.
Step 404: the first control system compares the newly determined security score with the locally stored one to detect whether the score has changed.
Having determined the user equipment's security score, the first control system compares it with the locally stored score to detect a change. When the score has changed, the first control system updates the locally stored score and sends the updated score to the second control system. It also determines the user equipment's new service access rights from the updated score and sends a permission change message to the first SDP gateway.
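Steps 402 to 404, as an added example that is not the patent's own code: the high-risk port logs are parsed from constructed syslog-style lines, the device score applies the 2-point deduction from the text, the network environment score comes from a couple of illustrative attack-behaviour signatures, and the two are combined by taking the weaker one before the change check and notification. The log line layout, the traffic features, the signature scores and the combination rule are all assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of the high-risk port logs an SDP client reports (syslog over UDP in
# the text); the key=value layout of the message body is assumed.
SAMPLE_LOGS = [
    "<14>1 2024-01-01T10:00:00Z host1 sdpclient - - device_id=dev-A threat=high_risk_port port=445 degree=high",
    "<14>1 2024-01-01T10:00:05Z host1 sdpclient - - device_id=dev-A threat=high_risk_port port=3389 degree=high",
    "<14>1 2024-01-01T10:00:09Z host2 sdpclient - - device_id=dev-B threat=high_risk_port port=23 degree=medium",
    "<14>1 2024-01-01T10:00:11Z host3 sdpclient - - unrelated message",
]
LOG_RE = re.compile(r"device_id=(\S+) threat=(\S+) port=(\d+) degree=(\S+)")

# Deduction per threat event: the text gives 2 points per high-risk port; weighting by
# degree is left equal here (assumed).
DEDUCTION = {("high_risk_port", "high"): 2, ("high_risk_port", "medium"): 2}

# Assumed traffic features and the score assigned when an attack behaviour matches
# (second example in step 403): a port-scan-like pattern and a SYN-flood-like pattern.
ATTACK_SIGNATURES = [
    (lambda s: s.get("distinct_dst_ports", 0) >= 100, 40),
    (lambda s: s.get("syn_per_sec", 0) >= 1000, 20),
]


def parse_threat_events(lines):
    """Group (threat type, port, degree) per device identifier; skip non-threat lines."""
    events = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            dev, threat, port, degree = m.groups()
            events.setdefault(dev, []).append((threat, int(port), degree))
    return events


def device_score(events, base=100):
    """Device score from the security information (first example in step 403)."""
    return max(0, base - sum(DEDUCTION.get((t, d), 0) for t, _, d in events))


def network_score(traffic_summary, base=100):
    """Network environment score: the lowest score among matching attack behaviours, else base."""
    matches = [score for pred, score in ATTACK_SIGNATURES if pred(traffic_summary)]
    return min(matches) if matches else base


@dataclass
class FirstControlSystemScoring:
    local_scores: dict = field(default_factory=dict)   # device_id -> stored security score
    notified: list = field(default_factory=list)       # (device_id, score) sent to the second control system

    def evaluate(self, device_id, log_lines, traffic_summary):
        """Steps 402-404: score, compare with the stored score, notify only on change.
        Returns (score, changed). The combination rule (weaker of the two) is assumed."""
        events = parse_threat_events(log_lines).get(device_id, [])
        score = min(device_score(events), network_score(traffic_summary))
        if self.local_scores.get(device_id, 100) == score:    # initial score is 100
            return score, False
        self.local_scores[device_id] = score                  # step 404: update and notify
        self.notified.append((device_id, score))
        return score, True
```

Taking the minimum of the device and network scores means a clean host that starts scanning is downgraded as hard as one with open high-risk ports; a weighted sum would let a good device score mask bad behaviour, which is the failure mode the traffic analysis is meant to catch.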
Refer to FIG. 5, a schematic diagram of another network deployment scenario according to an embodiment of this application. The network system in FIG. 5 differs from that in FIG. 1 in that the first control system in FIG. 5 comprises a first SDP controller and a first authentication system, and the second control system comprises a second SDP controller and a second authentication system.
With reference to FIG. 5, the following describes in detail how the second SDP controller and the second authentication system in the second control system carry out the SDP-based service processing method provided by the embodiments of this application.
Refer to FIG. 6, a schematic flowchart of another SDP-based service processing method according to an embodiment of this application. As shown in FIG. 6, this method applies to the network deployment scenario in FIG. 5 and includes steps 601 to 606.
Step 601: the second authentication system receives a user token sent by the first authentication system.
In this embodiment, after the user equipment passes SPA authentication on the first SDP controller and identity authentication on the first authentication system, the second authentication system receives the user token sent by the first authentication system.
Step 602: the second authentication system parses the user token to obtain the device identifier of the user equipment and the user group to which the user equipment belongs.
In one possible example, the user token is generated from the device identifier of the user equipment and the user group to which it belongs, so parsing the token yields those two values.
Optionally, the user token is generated from the device identifier, the user group and the user identifier corresponding to the user equipment, in which case parsing the token yields all three.
Step 603: the second SDP controller receives the device identifier sent by the first SDP controller.
After the user equipment passes SPA authentication on the first SDP controller and identity authentication on the first authentication system, the first authentication system sends the first SDP controller the user equipment's service access list for area one. Having obtained that list, the first SDP controller sends the device identifier of the user equipment to the second SDP controller.
Optionally, along with the device identifier, the first SDP controller also sends the second SDP controller the user identifier corresponding to the user equipment, which identifies the user logged in on it.
Step 604: the second SDP controller sends a first message to the second authentication system. The first message carries the device identifier of the user equipment and requests the user equipment's service access rights.
Optionally, when the second SDP controller has received both the device identifier and the user identifier from the first SDP controller, the first message it sends to the second authentication system carries both.
Note that when several users are logged in on the user equipment at the same time, its device identifier corresponds to several user identifiers and therefore to several user groups. The second authentication system then cannot determine the user group, and hence the service access rights, of the user equipment from the device identifier alone. Sending the device identifier together with the user identifier lets the second authentication system determine the service access rights that apply.
Step 605: the second authentication system sends a service access list to the second SDP controller according to the first message and the service access rights corresponding to the user group.
When parsing the token has given the second authentication system the device identifier and the user group, it uses the device identifier in the first message to find the user group of the user equipment, and from that its service access rights, and sends the second SDP controller a service access list accordingly.
Optionally, when parsing the token has given the second authentication system the device identifier, the user group and the user identifier, it uses the device identifier and user identifier in the first message together to find the user group, and from that the service access rights, and sends the second SDP controller a service access list accordingly.
Step 606: the second SDP controller sends the service access list to the second SDP gateway.
After obtaining the service access list from the second authentication system, the second SDP controller forwards it to the second SDP gateway.
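The token parsing and lookup of steps 601 to 606, and the same-device case from the user A / user B example earlier on this page, as one added example that is not the patent's own code. It shows why a first message carrying only the device identifier becomes ambiguous once two users are logged in on the same device, and why the gateway's device-keyed list must be backed by a per-request check on the user who sent the request. The token payload format (base64url JSON, signature already verified on receipt), the group-to-rights table and the session store are assumptions of the example.

```python
import base64
import json
from dataclasses import dataclass, field

# Assumed rights per user group (the text only says each group has corresponding rights).
GROUP_RIGHTS = {"rnd": {"service1", "service2", "service3"}, "fin": {"service1"}}


def encode_claims(claims: dict) -> str:
    """Payload portion of a user token (assumed base64url JSON). The signature the first
    authentication system would append is not modelled in this example."""
    return base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")


def parse_token_claims(token: str) -> dict:
    """Step 602: recover device identifier, user group and (optionally) user identifier.
    Assumes the token's signature has already been verified on receipt."""
    payload = token.split(".")[0]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


@dataclass
class SecondAuthenticationSystem:
    sessions: dict = field(default_factory=dict)   # (device_id, user_id) -> user group

    def on_user_token(self, token: str):
        """Steps 601-602: record the session the token describes."""
        claims = parse_token_claims(token)
        self.sessions[(claims["device_id"], claims.get("user_id"))] = claims["group"]

    def access_list(self, device_id, user_id=None):
        """Step 605 for a first message carrying a device identifier and, optionally, a user
        identifier. With only the device identifier the lookup is ambiguous as soon as two
        users share the device."""
        matches = {k: g for k, g in self.sessions.items()
                   if k[0] == device_id and (user_id is None or k[1] == user_id)}
        if not matches:
            return None, "no session for device"
        if len(matches) > 1:
            return None, "ambiguous: several users on this device, user identifier required"
        group = next(iter(matches.values()))
        return sorted(GROUP_RIGHTS[group]), "ok"

    def authorize(self, device_id, user_id, service) -> bool:
        """The per-request authentication the gateway asks for: decided on the user, not the device."""
        rights, why = self.access_list(device_id, user_id)
        return why == "ok" and service in rights


@dataclass
class SecondSdpGateway:
    auth: SecondAuthenticationSystem
    device_lists: dict = field(default_factory=dict)   # device_id -> services (what step 606 delivers)

    def handle(self, device_id, user_id, service) -> str:
        """Device-keyed list first, then the control system's check on the user who actually sent it."""
        if service not in self.device_lists.get(device_id, set()):
            return "dropped"
        return "allowed" if self.auth.authorize(device_id, user_id, service) else "rejected"
```

In the user A / user B scenario the gateway list delivered for user A's login lets user B's request through the first check, and it is the authentication system's answer on user B that rejects it; keying sessions on the pair (device identifier, user identifier) is what makes that answer well defined.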
Optionally, the first control system comprises a first environment awareness system in addition to the first SDP controller and the first authentication system, and the second control system comprises a second environment awareness system in addition to the second SDP controller and the second authentication system.
After the second control system has provided the service access list to the second SDP gateway, the second environment awareness system receives an updated security score from the first environment awareness system, sent when the first environment awareness system detects that the security score associated with the user equipment has changed. The first environment awareness system determines the updated score from the device score sent by the first SDP controller and/or the traffic sent by the user equipment, where the device score is determined by the first SDP controller from the user equipment's security information. How the updated score is determined is as described above and is not repeated here.
The second environment awareness system then sends the updated security score to the second authentication system.
Next, having obtained the updated score, the second authentication system determines the user equipment's new service access rights from it and sends a permission change message to the second SDP controller.
Finally, the second SDP controller sends the permission change message to the second SDP gateway, instructing it to modify the service access list.
请参阅图7,图7为本申请实施例提供的另一种网络部署场景的示意图。如图7所示,图7中的SDP系统包括控制系统、第一SDP网关和第二SDP网关。其中,第一SDP网关部署于区域一,第二SDP网关部署于区域二,即第一SDP网关和第二SDP网关部署于不同的区域。此外,第一SDP网关和第二SDP网关均与控制系统连接。Please refer to FIG. 7 . FIG. 7 is a schematic diagram of another network deployment scenario provided by an embodiment of the present application. As shown in Fig. 7, the SDP system in Fig. 7 includes a control system, a first SDP gateway and a second SDP gateway. Wherein, the first SDP gateway is deployed in area 1, and the second SDP gateway is deployed in area 2, that is, the first SDP gateway and the second SDP gateway are deployed in different areas. In addition, both the first SDP gateway and the second SDP gateway are connected to the control system.
请参阅图8,图8为本申请实施例提供的另一种基于SDP的业务处理方法的流程示意图。如图8所示,基于SDP的业务处理方法应用于图7所示的网络部署场景,且该基于SDP的业务处理方法包括以下的步骤801-803。Please refer to FIG. 8 . FIG. 8 is a schematic flowchart of another SDP-based service processing method provided by the embodiment of the present application. As shown in FIG. 8 , the SDP-based service processing method is applied to the network deployment scenario shown in FIG. 7 , and the SDP-based service processing method includes the following steps 801-803.
Step 801: after the user equipment passes SPA authentication and identity authentication on the control system, the control system determines the service access permission of the user equipment.
In step 801 the control system determines the service access permission in the same way as the first control system does in the embodiment of FIG. 2; see the description above, which is not repeated here.
Step 802: the control system generates a first service access list and a second service access list from the service access permission. The first service access list indicates the services the user equipment may access through the first SDP gateway; the second service access list indicates the services it may access through the second SDP gateway.
Optionally, when the first and second SDP gateways front the same services, the two lists generated by the control system are identical. For example, if the control system has confirmed that the user equipment may access service 1, service 2 and service 3, and both gateways front service 1, service 2 and service 3, then both the first and the second service access list indicate service 1, service 2 and service 3.
Optionally, when the first and second SDP gateways front different services, the two lists differ. For example, if the control system has confirmed that the user equipment may access service 1, service 2 and service 3, the first SDP gateway fronts service 1 and service 2, and the second SDP gateway fronts service 3, then the first service access list indicates service 1 and service 2 and the second service access list indicates service 3.
Step 803: the control system sends the first service access list to the first SDP gateway and the second service access list to the second SDP gateway.
The first SDP gateway can then process service access requests from the user equipment against the first service access list, and the second SDP gateway can process them against the second service access list. Having passed SPA authentication and identity authentication once on the control system, the user equipment can reach SDP gateways in different regions and access services through them.
Optionally, after the control system has sent the first service access list to the first SDP gateway and the second service access list to the second SDP gateway, it obtains the security information sent by the user equipment.
The control system then determines the security score of the user equipment from the security information and/or from the traffic sent by the user equipment. The security score indicates the current security state of the user equipment: the higher the score, the more secure the device currently is; the lower the score, the less secure.
Finally, the control system determines the new service access permission of the user equipment from the security score and sends a first permission change message to the first SDP gateway and a second permission change message to the second SDP gateway. The first permission change message instructs the first SDP gateway to change the first service access list; the second instructs the second SDP gateway to change the second service access list.
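Steps 801 to 803 and the permission change that follows them, as an added example that is not the patent's code: a Python model of the FIG. 7 deployment in which the control system builds one service access list per gateway and later pushes one permission change message per gateway. It covers both cases of step 802 (gateways fronting the same services, gateways fronting different services). The group-to-permission mapping, the services assigned to each gateway and the message format are assumptions; the score computation is not repeated here, so the permission change takes the new permission as its input.

```python
# Added example, not code from the patent: steps 801 to 803 for the FIG. 7
# deployment plus the later permission change, in one process. The
# group-to-permission mapping, the services each gateway fronts and the
# message format are assumptions; only the control flow follows the text.

# Assumed: services each user group is permitted to access (input to step 801).
GROUP_PERMISSIONS = {
    "engineering": {"service1", "service2", "service3"},
    "contractor": {"service1"},
}

# Assumed: services each gateway fronts, for the two cases the text distinguishes.
GATEWAYS_SAME_SERVICES = {
    "gw1": {"service1", "service2", "service3"},
    "gw2": {"service1", "service2", "service3"},
}
GATEWAYS_SPLIT_SERVICES = {
    "gw1": {"service1", "service2"},
    "gw2": {"service3"},
}


class SdpGateway:
    """A gateway enforces only the list the control system last sent it."""

    def __init__(self, name):
        self.name = name
        self.access_list = set()

    def receive(self, msg):
        if msg["gateway"] != self.name:
            raise ValueError("message for %s delivered to %s" % (msg["gateway"], self.name))
        if msg["type"] not in ("access_list", "permission_change"):
            raise ValueError("unexpected message type %r" % msg["type"])
        self.access_list = set(msg["services"])

    def handle_request(self, service):
        return "allow" if service in self.access_list else "deny"


def determine_permission(user_group):
    """Step 801: the permission follows from the user group (after SPA and
    identity authentication, which are outside this example)."""
    return set(GROUP_PERMISSIONS.get(user_group, ()))


def build_access_lists(permitted, gateway_services):
    """Step 802: one list per gateway, holding only the permitted services that
    gateway actually fronts. The lists coincide when both gateways front the
    same services and differ when they do not."""
    return {gw: sorted(permitted & fronted) for gw, fronted in gateway_services.items()}


def dispatch(gateways, access_lists, msg_type):
    """Step 803 (msg_type 'access_list') or the later permission change
    (msg_type 'permission_change'): one message to each gateway."""
    sent = []
    for gw_name, services in access_lists.items():
        msg = {"type": msg_type, "gateway": gw_name, "services": services}
        gateways[gw_name].receive(msg)
        sent.append(msg)
    return sent


def permission_change(gateways, gateway_services, new_permitted):
    """Recompute every gateway's list for the new permission and push a
    permission change message to each gateway."""
    return dispatch(gateways, build_access_lists(new_permitted, gateway_services),
                    "permission_change")


def provision(user_group, gateway_services):
    """Steps 801 to 803 end to end; returns the gateways ready to enforce."""
    gateways = {name: SdpGateway(name) for name in gateway_services}
    lists = build_access_lists(determine_permission(user_group), gateway_services)
    dispatch(gateways, lists, "access_list")
    return gateways


if __name__ == "__main__":
    gws = provision("engineering", GATEWAYS_SPLIT_SERVICES)
    print({n: sorted(g.access_list) for n, g in gws.items()})  # gw1: 1,2  gw2: 3
    # Later the security score drops and the new permission no longer covers service 3.
    permission_change(gws, GATEWAYS_SPLIT_SERVICES, {"service1", "service2"})
    print(gws["gw2"].handle_request("service3"))               # deny
```

The whole of step 802 is the intersection in build_access_lists: a gateway is told only about the permitted services it fronts, so a gateway in one region never carries entries for services that are reachable only through the other region. The messages carry the gateway name, and receive() rejects a message addressed to a different gateway, which catches a misrouted list before it becomes the enforced policy.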
In this embodiment, the way the control system determines the security score and derives the new service access permission of the user equipment from it is the same as the way the first control system does so in the embodiment of FIG. 2; see the description above, which is not repeated here.
Optionally, the control system of FIG. 7 comprises an SDP controller and an authentication system.
In step 801, the authentication system in the control system determines the service access permission of the user equipment from the user group to which the user equipment belongs.
In step 802, the authentication system in the control system generates the first service access list and the second service access list from the service access permission.
In step 803, the authentication system in the control system sends the first and second service access lists to the SDP controller. The SDP controller in the control system then sends the first service access list to the first SDP gateway and the second service access list to the second SDP gateway.
Optionally, the control system of FIG. 7 further comprises an environment awareness system.
After the SDP controller has sent the respective service access lists to the first and second SDP gateways, the environment awareness system receives the device score from the SDP controller. The SDP controller determines this device score from the security information of the user equipment, which the SDP client on the user equipment collects and sends to the SDP controller.
The environment awareness system then determines the security score from the device score and/or from the traffic sent by the user equipment, and sends the security score to the authentication system. It determines the score in the same way as the first control system described above, which is not repeated here.
Next, the authentication system determines the new service access permission of the user equipment from the security score and sends a permission change message to the SDP controller.
Finally, the SDP controller sends the permission change message to the SDP gateways (the first and second SDP gateways of FIG. 7); the message instructs each SDP gateway to change its service access list.
The above describes the SDP-based service processing provided by the embodiments of this application. The entities that execute the SDP-based service processing method are described next.
An embodiment of this application provides an SDP-based service processing system. The service processing system applies to a network system comprising a first SDP system and a second SDP system, where the first SDP system comprises a first control system and a first SDP gateway, the second SDP system comprises the service processing system and a second SDP gateway, and the first and second SDP systems are deployed in different regions. For example, the service processing system of this embodiment is the second control system shown in FIG. 1 or FIG. 5.
When the service processing system of this embodiment is the second control system shown in FIG. 1, the service processing method it executes is the one described in the embodiments corresponding to FIG. 2 to FIG. 4; see those embodiments above, which are not repeated here.
When the service processing system of this embodiment is the second control system shown in FIG. 5, the service processing method it executes is the one described in the embodiment corresponding to FIG. 6; see that embodiment above, which is not repeated here.
In another possible embodiment, this application further provides an SDP-based service processing system that applies to an SDP system comprising the service processing system, a first SDP gateway and a second SDP gateway, where the first and second SDP gateways are deployed in different regions. For example, the service processing system of this embodiment is the control system shown in FIG. 7.
When the service processing system of this embodiment is the control system shown in FIG. 7, the service processing method it executes is the one described in the embodiment corresponding to FIG. 8; see that embodiment above, which is not repeated here.
Refer to FIG. 9, a schematic structural diagram of a network device 900 provided by an embodiment of this application. The second control system of the embodiment shown in FIG. 1, the second SDP controller and second authentication system shown in FIG. 5, and the control system shown in FIG. 7 may, for example, be deployed on the network device 900 shown in FIG. 9. Network device 900 is implemented with a general bus architecture.
Network device 900 comprises at least one processor 901, a communication bus 902, a memory 903 and at least one communication interface 904.
Optionally, processor 901 is a general-purpose CPU, a network processor (NP), a microprocessor, or one or more integrated circuits for implementing the solution of this application, for example an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof. The PLD is a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination thereof.
Communication bus 902 transfers information between the components above. Communication bus 902 is divided into an address bus, a data bus, a control bus and so on. For ease of representation it is drawn as a single thick line in the figure, which does not mean there is only one bus or one type of bus.
Optionally, memory 903 is a read-only memory (ROM) or another type of static storage device that can store static information and instructions. Alternatively, memory 903 is a random access memory (RAM) or another type of dynamic storage device that can store information and instructions. Alternatively, memory 903 is an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited to these. Optionally, memory 903 exists independently and is connected to processor 901 through communication bus 902. Optionally, memory 903 and processor 901 are integrated.
Communication interface 904 uses any transceiver-like device to communicate with other devices or with a communication network. Communication interface 904 comprises a wired communication interface and optionally also a wireless communication interface. The wired communication interface is, for example, an Ethernet interface, which is an optical interface, an electrical interface or a combination thereof. The wireless communication interface is a wireless local area network (WLAN) interface, a cellular network communication interface or a combination thereof.
In a specific implementation, as an embodiment, processor 901 comprises one or more CPUs, such as CPU0 and CPU1 shown in FIG. 9.
In a specific implementation, as an embodiment, network device 900 comprises multiple processors, such as processor 901 and processor 905 shown in FIG. 9. Each of these processors is a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor here means one or more devices, circuits and/or processing cores for processing data such as computer program instructions.
In some embodiments, memory 903 stores program code 99 that implements the solution of this application, and processor 901 executes the program code 99 stored in memory 903. That is, network device 900 implements the method embodiments above by means of processor 901 and the program code 99 in memory 903.
The embodiments in this specification are described progressively; the same or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others.
"A refers to B" means that A is the same as B or that A is a simple variation of B.
The terms "first" and "second" in the description and claims of the embodiments of this application distinguish different objects; they do not describe a particular order of the objects and are not to be understood as indicating or implying relative importance. For example, "first rate-limiting channel" and "second rate-limiting channel" distinguish two rate-limiting channels without describing a particular order of them, and do not mean that the first rate-limiting channel is more important than the second.
In the embodiments of this application, unless stated otherwise, "at least one" means one or more and "multiple" means two or more.
The embodiments above may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part as a computer program product. The computer program product comprises one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fibre or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (such as a floppy disk, hard disk or magnetic tape), an optical medium (such as a DVD) or a semiconductor medium (such as a solid-state disk (SSD)).
The embodiments above only illustrate the technical solutions of this application and do not limit them. Although this application has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in those embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of this application.
Claims (30)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210170117.9A CN116684113A (en) | 2022-02-23 | 2022-02-23 | Service processing method and related device based on SDP (software defined boundary) |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210170117.9A CN116684113A (en) | 2022-02-23 | 2022-02-23 | Service processing method and related device based on SDP (software defined boundary) |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116684113A true CN116684113A (en) | 2023-09-01 |
Family
ID=87779712
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210170117.9A Pending CN116684113A (en) | 2022-02-23 | 2022-02-23 | Service processing method and related device based on SDP (software defined boundary) |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116684113A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119135375A (en) * | 2024-08-09 | 2024-12-13 | 中国铁道科学研究院集团有限公司 | A data access method and device based on software-defined boundaries |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111600906A (en) * | 2020-06-08 | 2020-08-28 | 奇安信科技集团股份有限公司 | Data processing method, apparatus, system, medium and program |
| CN113890767A (en) * | 2021-11-12 | 2022-01-04 | 中国联合网络通信集团有限公司 | Network access method, device, equipment and storage medium |
| US20220045854A1 (en) * | 2020-08-09 | 2022-02-10 | Perimeter 81 Ltd | Unification of data flows over network links with different internet protocol (ip) addresses |
- 2022-02-23: CN application CN202210170117.9A filed, published as CN116684113A; status pending.
Non-Patent Citations (2)
| Title |
|---|
| 新华三 (H3C): 零信任应用实践:SDP技术应用场景与方案落地 (Zero-trust application practice: SDP technology application scenarios and solution deployment), p. 1, retrieved from <https://www.51cto.com/article/701395.html> * |
| 王刚, 张英涛, 杨正权: 基于零信任打造封闭访问空间 (Building a closed access space based on zero trust), 信息安全与通信保密 (Information Security and Communications Privacy), no. 08, 10 August 2020 * |
Similar Documents
| Publication | Title |
|---|---|
| US10298610B2 (en) | Efficient and secure user credential store for credentials enforcement using a firewall |
| US10425387B2 (en) | Credentials enforcement using a firewall |
| US9237021B2 (en) | Certificate grant list at network device |
| US10021101B2 (en) | Embedding security posture in network traffic |
| US9781096B2 (en) | System and method for out-of-band application authentication |
| KR20230048431A (en) | Service communication methods, systems, devices and electronic devices |
| US9548982B1 (en) | Secure controlled access to authentication servers |
| US8191131B2 (en) | Obscuring authentication data of remote user |
| WO2022247751A1 (en) | Method, system and apparatus for remotely accessing application, device, and storage medium |
| US12368713B2 (en) | Mitigating multiple authentications for a geo-distributed security service using an authentication cache |
| CN114513786A (en) | 5G feeder automation access control method, device and medium based on zero trust |
| WO2023065969A1 (en) | Access control method, apparatus, and system |
| CN111628960B (en) | Method and apparatus for connecting to network services on a private network |
| US12335263B2 (en) | Identity proxy and access gateway |
| WO2023279782A1 (en) | Access control method, access control system and related device |
| US11784993B2 (en) | Cross site request forgery (CSRF) protection for web browsers |
| US20240195795A1 (en) | Computer-implemented methods and systems for establishing and/or controlling network connectivity |
| JP5869552B2 (en) | Method for securing access to data or services accessible through a device performing the method and corresponding device |
| CN115603932A (en) | An access control method, access control system and related equipment |
| WO2023078106A1 (en) | Access control method, apparatus and system for encrypted traffic |
| CN111031067A (en) | Monitoring data transmission method and device of distributed system and electronic equipment |
| CN116684113A (en) | Service processing method and related device based on SDP (software defined boundary) |
| CN117278275A (en) | Access right adjustment method, device and storage medium |
| CN116760595A (en) | Access method, computing device and computer storage medium |
| TW201721498A (en) | Wired area network user management system and method with security and function scalability wherein a network controller is used to control a programmable network switch, and divert a non-authenticated terminal device to an authentication server |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |