
CN116566749B - Resource access method and system under condition of network target range scene isolation - Google Patents


Info

Publication number: CN116566749B
Application number: CN202310841530.8A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN116566749A (en)
Prior art keywords: request, resource, access, domain name, network
Inventors: 李战举, 谢峥, 高庆官, 曲原, 王鹏
Current assignee: Nanjing Cyber Peace Technology Co Ltd
Original assignee: Nanjing Cyber Peace Technology Co Ltd
Events: application filed by Nanjing Cyber Peace Technology Co Ltd; priority to CN202310841530.8A; publication of CN116566749A; application granted; publication of CN116566749B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0281 Proxies
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Data Exchanges In Wide-Area Networks

Abstract

The invention discloses a resource access method and system for use when cyber range scenarios are isolated. The software module that provides DHCP and DNS services in the cyber range is extended with a mapping between a preset service address and a preset host name; the preset host name serves as the domain name through which targets in a given range scenario access resources. Requests to the preset service address are monitored and forwarded through a Linux socket; resource access requests are rewritten so that the requested domain name is added to the request path as an identifier, and are then forwarded to an access proxy module. The access proxy module forwards the request to the range resource center according to the configured forwarding rules, and the resource center serves the resource according to the configured access policy. Resources can thus be accessed without weakening the isolation of the range scenario, with the advantages of convenient management, strong extensibility and strong security.

Description

Resource access method and system under condition of network target range scene isolation
Technical Field
The invention relates to a resource access method and system for use when cyber range scenarios are isolated, and belongs to the technical fields of network security and computer software.
Background
A cyber range is a virtual or physical environment dedicated to network security training and exercises. It simulates a real network environment and allows security professionals, penetration testers and network administrators to carry out security tests and attack and defense experiments within it.
OpenStack is an open-source cloud computing platform that aims to provide an extensible infrastructure-as-a-service solution for public, private and hybrid clouds. In current cyber range environments the virtual environment is generally built on an OpenStack cloud platform, which provides the range with target resources, the virtual network environment and so on. To offer realistic attack and defense exercises, attack experiments and a fair competition environment, each range scenario must be given an isolated environment: range scenarios are isolated from each other, from the host machines and from the outside world.
A range scenario is usually composed of resources such as virtual machine targets, container targets, virtual routers, virtual switches and packaging equipment. Users typically log into the targets for experiments or competition events when the scenario starts, and during the experiment or competition they sometimes need to access and download certain resources such as tool libraries, vulnerability libraries or software packages. The common approaches are: 1. packaging all required resources into the target image template; 2. building shared storage for the resources; 3. copying the resources from the client browser into the target.
The first approach has the following problems: 1. the target resources may be provided by third parties and cannot be modified afterwards; 2. the resources a user needs inside a target differ from person to person, so no single set is universal; packaging all of them makes the target image very large, which hinders transfer and storage, and the more resources there are, the more bloated the targets become and the slower the scenario starts; 3. flexibility is reduced: as applications and environments change, different versions of the target image may have to be created frequently, increasing maintenance and management complexity.
The second approach has the following problems: 1. accessing shared storage from inside a target breaks the isolation of the range scenario and is easily exploited and attacked; 2. the shared storage needs additional maintenance, and there are many shared storage protocols, which makes support inside the targets difficult.
The third approach has the following problems: the supported target access scenario is limited, and if file upload is supported it is very easily exploited, with uploaded malicious tools used to brute-force the challenge questions.
Disclosure of Invention
Objective of the invention: in view of the problems in the prior art, the invention aims to provide a resource access method and system for use when cyber range scenarios are isolated, achieving resource access without weakening the isolation of the range scenario by providing domain name resolution and traffic forwarding capabilities for the targets.
Technical solution: to achieve the above objective, the invention adopts the following technical solution:
A resource access method for use when cyber range scenarios are isolated comprises the following steps:
the software module that provides DHCP and DNS services in the cyber range is extended with a mapping between the metadata service address (or a preset resource service address) and a preset host name; the preset host name is used as the domain name through which targets in the given range scenario access resources;
requests to the metadata service address (or the preset resource service address) are monitored and forwarded through a Linux socket to the metadata service agent (or a resource service processing module); on receiving a request, the agent identifies resource access requests from information in the request header, transforms them by adding the requested domain name to the request path as an identifier, and forwards them to the access proxy module;
after the access proxy module recognizes the identifying domain name in the request, it forwards the request to the range resource center according to the configured forwarding rules;
the range resource center provides access to the resource according to the configured access policy.
Preferably, in an OpenStack-based cyber range, the host name resolution function is extended through the addn-hosts option of dnsmasq, and the automatic route configuration function of DHCP is extended through the dhcp-optsfile option.
Preferably, the access proxy module is implemented with Nginx, and the identified domain name is mapped to the address of the accessed resource by configuring Nginx forwarding rules.
Preferably, the visible range of a resource is controlled by configuring the domain name mapping: for a domain name in global mode, all targets can access the resource; for a domain name in network or subnet custom mode, only targets within the corresponding network or subnet can access the resources associated with that domain name.
Preferably, for a domain name in global mode, the mapping between the metadata service address (or preset resource service address) and the preset host name is added in the namespace of every network; for a domain name in custom mode, the mapping is added only for the corresponding network or subnet.
Preferably, the access policies of resources are divided into a download-only mode and a modifiable mode.
A resource access system for use when cyber range scenarios are isolated comprises:
a domain name mapping module, which extends the software module providing DHCP and DNS services in the cyber range with a mapping between the metadata service address (or a preset resource service address) and a preset host name; the preset host name is used as the domain name through which targets in the given range scenario access resources;
a request transformation module, which monitors requests to the metadata service address (or preset resource service address) and forwards them through a Linux socket to the metadata service agent (or resource service processing module); on receiving a request, the agent identifies resource access requests from information in the request header, transforms them by adding the requested domain name to the request path as an identifier, and forwards them to the access proxy module;
an access proxy module, which forwards the request to the range resource center according to the configured forwarding rules after recognizing the identifying domain name in the request;
and a range resource center, which provides access to the resource according to the configured access policy.
Further, the system comprises a configuration center for configuring the domain name mapping of resource access; the visible range of a resource is controlled by this mapping: for a domain name in global mode, all targets can access the resource; for a domain name in network or subnet custom mode, only targets within the corresponding network or subnet can access the resources associated with that domain name.
Further, the configuration center is also used to configure the access policies of resources, which are divided into a download-only mode and a modifiable mode.
Preferably, in the domain name mapping module, for a domain name in global mode the mapping between the metadata service address (or preset resource service address) and the preset host name is added in the namespace of every network; for a domain name in custom mode, the mapping is added only for the corresponding network or subnet.
Beneficial effects: with the resource access method and system of the invention, targets and range scenarios gain the corresponding domain name resolution capability without any adjustment, a user can obtain the required resources by simply accessing a domain name inside the target, the original network isolation is unchanged, and the resource access capability can be changed by adjusting the configured mapping between resources, domain names and the network or subnet in which the target resides. Compared with the prior art, the invention has the following advantages:
1. Convenient management: compliant resources can be imported into and managed directly in the range resource center, without manually packaging and distributing them to every target, which simplifies the management workflow.
2. Strong isolation: no additional network needs to be opened, and the original isolation of the range scenario is not weakened.
3. Quick to use: the user side needs no extra configuration and does not have to transfer resources through browser tools; the resources are ready to use out of the box.
4. Strong extensibility: by configuring domain names, traffic forwarding rules and resource access policies, mappings among domain names, resources and networks or subnets can be established, and the visible range and access rights of resources can be controlled flexibly.
5. Strong security: by encapsulating the relevant identifier in the request and forwarding according to the configured policy, the security of resource access is enhanced and unauthorized access is prevented.
Drawings
Fig. 1 is a schematic diagram of an application scenario in an embodiment of the present invention.
Fig. 2 is a schematic diagram of a resource access processing flow according to an embodiment of the present invention.
Detailed Description
The technical solution of the invention is described clearly and completely below with reference to the accompanying drawings and specific embodiments.
The embodiment of the invention discloses a resource access method for use when cyber range scenarios are isolated, which achieves resource access without weakening the isolation of the range scenario by providing domain name resolution (DNS) and traffic forwarding capabilities for the targets. First, the software module that provides DHCP and DNS services in the cyber range is extended with a mapping between the metadata service address (or a preset resource service address) and a preset host name; the preset host name is used as the domain name through which targets in the given range scenario access resources. Then requests to the metadata service address (or preset resource service address) are monitored and forwarded through a Linux socket to the metadata service agent (or resource service processing module); on receiving a request, the agent identifies resource access requests from information in the request header, transforms them by adding the requested domain name to the request path as an identifier, and forwards them to the access proxy module. After the access proxy module recognizes the identifying domain name in the request, it forwards the request to the range resource center according to the configured forwarding rules, and the range resource center provides access to the resource according to the configured access policy.
As shown in Fig. 1, the domain name mapping and traffic forwarding capabilities are provided by the range management system. In this embodiment the lower layer of the range management system is built on the OpenStack platform; it generates, for the targets, a domain name mapping to the agreed service address (the metadata service address of the OpenStack platform is 169.254.169.254) and provides a proxy to the range platform's resources. The user logs into the target through the range platform (user access portal) and obtains the required resources simply by accessing the domain name.
With the method of this embodiment, a range administrator or event manager can import compliant resources through the range platform with an administrator account and configure the domain name mapping of resource access (which controls the visible range of the resources) and the access policy of the resources. The range management system establishes a mapping from the domain name (for example cyberpeace.resource.com) to 169.254.169.254 for all targets in the range scenario, encapsulates the relevant identifier in the request, configures the forwarding rules and forwards the request to the resource center of the range platform. The user accesses the range platform through a browser, opens the range scenario, enters the target, and browses and downloads the resources preset by the administrator by accessing the domain name inside the target. The administrator can dynamically adjust access rights to a resource and browse and export its access history for compliance review.
In this embodiment the resource access policy is divided into a download-only mode and a modifiable mode (in which the user can upload or modify resources); the default is download-only. The domain name mapping of resource access is divided into a global mode and a custom mode. The default is global mode, i.e. the cyberpeace. Custom mode: the correspondence between the network (or subnet) used by the target, the domain name and the resource can be customized; for example, an administrator can set the domain name corresponding to the network oj_ext to cyberpeace.tools.com and the visible resource range to the tool library, so that a target in the scenario can access the tool library through the domain name cyberpeace.tools.com as long as its assigned network is within oj_ext. Multiple domain name mapping policies can be used in superposition.
Specific implementation details of the default global domain name resolution mode and of traffic forwarding are described below with reference to Fig. 2.
1. In the OpenStack-based cyber range, the DHCP function is provided by default by dnsmasq, open-source software that provides DHCP and DNS services. By modifying the dnsmasq configuration, a mapping between a specific IP address and a corresponding host name is provided for the targets without changing the targets' existing capabilities in the range. The main implementation reference is as follows:
dnsmasq --addn-hosts=addn_hosts_file --dhcp-optsfile=opts_file
In dnsmasq, an additional hosts file specifies the mapping between IP addresses and their host names. The --addn-hosts parameter lets an additional file, addn_hosts_file, be specified to extend dnsmasq's host name resolution. An example of the addn_hosts_file content is:
192.168.1.1 host-192-168-1-1.openstacklocal host-192-168-1-1
192.168.1.254 host-192-168-1-254.openstacklocal host-192-168-1-254
192.168.1.97 host-192-168-1-97.openstacklocal host-192-168-1-97
169.254.169.254 cyberpeace.resource.com cyberpeace.resource.com
The --dhcp-optsfile parameter specifies the path of the DHCP option file opts_file, which contains the option information the DHCP server provides to clients. A static route to the destination 169.254.169.254/32 is declared in it. An example of the opts_file content is:
tag:subnet-ddb0ea7e-3fc5-440f-9f3c-a0902f2bb59b,option:classless-static-route,169.254.169.254/32,10.10.10.1,0.0.0.0/0,10.10.10.201
tag:subnet-ddb0ea7e-3fc5-440f-9f3c-a0902f2bb59b,249,169.254.169.254/32,10.10.10.1,0.0.0.0/0,10.10.10.201
tag:subnet-ddb0ea7e-3fc5-440f-9f3c-a0902f2bb59b,option:router,10.10.10.201
Thus, accessing cyberpeace.resource.com inside the target is equivalent to requesting 169.254.169.254. 169.254.169.254 is a special reserved address used for the target metadata service; its network segment 169.254.0.0/16 is, like the private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), not routable on the Internet and is normally used only on a directly connected link. It will be appreciated that the metadata service address 169.254.169.254 may be replaced with another predetermined service address.
For a domain name in global mode, a dnsmasq process runs in the namespace of every network, and the same mapping from the domain name to 169.254.169.254 is added to the addn_hosts_file of every dnsmasq process, so that the targets of all networks resolve the same domain name. For a domain name in custom mode, a separate dnsmasq process runs for each network or subnet, and according to the configured rules different mappings between domain names and 169.254.169.254 are added to the addn_hosts_file of each process, so that targets in different networks or subnets resolve different domain names.
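Generating the per-network addn_hosts_file and the dhcp-optsfile entries from a domain table with global and custom rules, as an added Python example that is not the patent's code; the DomainRule table, the network ids, the Neutron host entries and the subnet values are constructed for illustration, and the generator also refuses a domain that is configured in two rules at once.

```python
from dataclasses import dataclass

METADATA_ADDR = "169.254.169.254"   # service address every resource domain maps to


@dataclass(frozen=True)
class DomainRule:
    """One row of the configuration center's domain mapping table (constructed shape)."""
    domain: str
    resource: str                        # resource-center path, e.g. "/tools"
    networks: frozenset = frozenset()    # empty == global mode

    def visible_to(self, network_id: str) -> bool:
        return not self.networks or network_id in self.networks


def duplicate_domains(rules):
    """Domains that appear in more than one rule.  Superposed policies must
    not make one name resolve to two different resources, so no file should
    be written while this set is non-empty."""
    seen, dups = set(), set()
    for r in rules:
        (dups if r.domain in seen else seen).add(r.domain)
    return dups


def addn_hosts_lines(rules, network_id, base_hosts):
    """Lines of the addn_hosts_file for the dnsmasq process of one network
    namespace: Neutron's own host entries first, then one line per domain
    visible to this network (global rules plus the network's custom rules)."""
    dups = duplicate_domains(rules)
    if dups:
        raise ValueError(f"domain configured twice: {sorted(dups)}")
    lines = [f"{ip} {fqdn} {short}" for ip, fqdn, short in base_hosts]
    for r in rules:
        if r.visible_to(network_id):
            lines.append(f"{METADATA_ADDR} {r.domain} {r.domain}")
    return lines


def dhcp_opts_lines(subnet_id, dhcp_port_ip, gateway):
    """dhcp-optsfile lines for one subnet: a /32 route to the metadata address
    via the DHCP port (option 121 and Microsoft's pre-standard code 249) plus
    the default router, in the shape of the page's opts_file example."""
    route = f"{METADATA_ADDR}/32,{dhcp_port_ip},0.0.0.0/0,{gateway}"
    tag = f"tag:subnet-{subnet_id}"
    return [
        f"{tag},option:classless-static-route,{route}",
        f"{tag},249,{route}",
        f"{tag},option:router,{gateway}",
    ]


# Constructed sample configuration: one global domain and two custom domains
# scoped to network1 / network2, mirroring the page's example.
RULES = [
    DomainRule("cyberpeace.resource.com", "/resource"),
    DomainRule("cyberpeace.tools.com", "/tools", frozenset({"network1"})),
    DomainRule("cyberpeace.rpm.com", "/rpm", frozenset({"network2"})),
]
BASE_HOSTS = [
    ("192.168.1.1", "host-192-168-1-1.openstacklocal", "host-192-168-1-1"),
]

if __name__ == "__main__":
    for net in ("network1", "network2", "network3"):
        print(f"# addn_hosts_file for {net}")
        print("\n".join(addn_hosts_lines(RULES, net, BASE_HOSTS)))
    print("# opts_file")
    print("\n".join(dhcp_opts_lines("ddb0ea7e-3fc5-440f-9f3c-a0902f2bb59b",
                                    "10.10.10.1", "10.10.10.201")))
```

A network with no custom rule (network3 above) still receives the global domain and nothing else, which is the visibility control the page describes.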
2. haproxy listens for requests to 169.254.169.254 and runs in the specific network namespace (the namespace of the requesting network, usually named qdhcp-<network uuid>), which provides network isolation; when a request arrives it is forwarded to the neutron-metadata-agent (metadata service agent) through a Linux socket.
In the neutron-metadata-agent, ordinary requests and resource access requests are distinguished by the Host field of the request header. An example of the forwarded request header is:
Content-Type: text/plain
Host: cyberpeace.resource.com
User-Agent: curl/7.29.0
X-Forwarded-For: 192.168.1.201
X-Neutron-Network-Id: e91f590a-9b1c-4713-ae61-0d71d6f0b921
Then the resource access request is modified by adding the requested domain name to the request path as an identifier, and the modified request is forwarded to Nginx for processing. An example of the request received by Nginx after modification is http://xxxxx:8081/cyberpeace.resource.com/; an ordinary request remains http://xxxxx:8081.
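The Host-header check and path rewriting of this step, as an added Python example that is not the patent's or Neutron's code; it also enforces the domain's network scope and download-only policy in the agent itself, so that visibility does not rest on DNS resolution alone, and rejects a path that could step back out of the /<domain>/ prefix that the Nginx rules match on. The policy table, network ids and sample headers are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import unquote

READ_ONLY_METHODS = ("GET", "HEAD")


@dataclass(frozen=True)
class Policy:
    """Per-domain policy from the configuration center (constructed shape)."""
    networks: frozenset = frozenset()   # empty == global mode
    modifiable: bool = False            # False == download-only mode

    def visible_to(self, network_id: str) -> bool:
        return not self.networks or network_id in self.networks


# Constructed policy table mirroring the page's examples.
POLICY = {
    "cyberpeace.resource.com": Policy(),
    "cyberpeace.tools.com": Policy(frozenset({"network1"})),
    "cyberpeace.rpm.com": Policy(frozenset({"network2"}), modifiable=True),
}

# Constructed request header in the shape of the page's example.
SAMPLE_HEADERS = {
    "Content-Type": "text/plain",
    "Host": "cyberpeace.resource.com",
    "User-Agent": "curl/7.29.0",
    "X-Forwarded-For": "192.168.1.201",
    "X-Neutron-Network-Id": "e91f590a-9b1c-4713-ae61-0d71d6f0b921",
}


def header(headers, name):
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def normalise_host(value):
    """Drop an optional :port, trailing dot and letter case so that only an
    exact configured name matches (no suffix or substring matching)."""
    return value.split(":", 1)[0].strip().lower().rstrip(".")


def path_stays_under_prefix(path):
    """True if the path cannot step back out of the /<domain>/ prefix once
    Nginx decodes it and merges dot segments."""
    return path.startswith("/") and ".." not in unquote(path).split("/")


def transform_request(method, path, headers, policy=POLICY):
    """Return (verdict, path): ("metadata", path) for an ordinary request,
    ("resource", "/<domain><path>") for a permitted resource request, or
    ("deny:<reason>", path) when the domain's policy forbids it."""
    host = normalise_host(header(headers, "Host"))
    rule = policy.get(host)
    if rule is None:                      # e.g. Host: 169.254.169.254
        return "metadata", path
    network_id = header(headers, "X-Neutron-Network-Id")
    if not rule.visible_to(network_id):   # name is not mapped for this network
        return "deny:scope", path
    if method.upper() not in READ_ONLY_METHODS and not rule.modifiable:
        return "deny:download-only", path
    if not path_stays_under_prefix(path):
        return "deny:path", path
    return "resource", f"/{host}{path}"


if __name__ == "__main__":
    print(transform_request("GET", "/", SAMPLE_HEADERS))
    print(transform_request("GET", "/openstack/latest/meta_data.json",
                            {**SAMPLE_HEADERS, "Host": "169.254.169.254"}))
    print(transform_request("GET", "/", {**SAMPLE_HEADERS, "Host": "cyberpeace.tools.com"}))
```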
3. According to the customized Nginx forwarding rules, after the identifying domain name of the request is recognized, the request is forwarded to the resource center of the range platform, and the resource center provides the corresponding resource according to the access policy configured by the administrator in the configuration center.
An example of the Nginx forwarding rules is:
server {
    listen 8081;
    server_name metadata_proxy;
    location / {
        proxy_pass http://127.0.0.1:8775;
    }
    location /cyberpeace.resource.com/ {
        proxy_pass http://127.0.0.1:8088/resource;
        autoindex_exact_size off;
        autoindex_localtime on;
        charset utf-8;
    }
    include /etc/nginx/conf.d/metadata/*.conf;
}
At this point ordinary requests are sent along the original path, while requests for range resources are forwarded to the service that provides the resource.
It will be understood that this embodiment reuses the channel of OpenStack's metadata service traffic: the resource access request of a target in the isolated environment is carried from inside the virtual machine to the outside of the host, and the traffic is forwarded to the resource center by transforming the request. The resource service processing module can also be developed in-house, with an agreed resource service address in the domain name resolution, to achieve similar functionality. In this embodiment traffic forwarding is implemented with Nginx; other access proxy software may be used, or an access proxy module may be developed in-house to forward traffic according to the configured forwarding rules.
In addition, the embodiment supports customizing DNS at the granularity of the network in which the target resides: for example, different domain names are configured in different networks to separate and distinguish the resources of capture-the-flag, attack-defense, penetration and theory competitions, so that each set of resources is distinguished and isolated.
For example, network1 is configured in the configuration center with the domain name cyberpeace.tools.com and the tool library as its accessible resource, and network2 with the domain name cyberpeace.rpm.com and the software packages as its accessible resource; the configuration center then dynamically adjusts the Nginx forwarding policy, for example as follows:
location /cyberpeace.tools.com/ {
    proxy_pass http://127.0.0.1:8088/tools;
    autoindex_exact_size off;
    autoindex_localtime on;
    charset utf-8;
}
location /cyberpeace.rpm.com/ {
    proxy_pass http://127.0.0.1:8088/rpm;
    autoindex_exact_size off;
    autoindex_localtime on;
    charset utf-8;
}
After the range scenario is started, a target allocated to network1 can access the resources in the tool library through the domain name cyberpeace.tools.com, a target in network2 can access the software package resources through cyberpeace.rpm.com, and a target in both networks can access both.
An administrator can dynamically change the visibility of resources to targets in real time: since the domain names corresponding to the resources differ between isolated networks, the administrator modifies the resource rules associated with a domain name through dynamically adjusted configuration items, and the resources accessible inside the target change accordingly.
In the solution of the invention, all targets remain in the originally isolated range scenarios, no additional network needs to be connected, the configuration and topology of the original scenario need not be changed, and a user can only access the provided resources from inside the target; if the resources are large or the range scenario is large in scale, access speed can be improved by configuring a load balancing policy.
Based on the same inventive concept, the embodiment of the invention discloses a resource access system for use when cyber range scenarios are isolated, comprising: a domain name mapping module, which extends the software module providing DHCP and DNS services in the cyber range with a mapping between the metadata service address (or a preset resource service address) and a preset host name; a request transformation module, which monitors requests to the metadata service address (or preset resource service address) and forwards them through a Linux socket to the metadata service agent (or resource service processing module), which on receiving a request identifies resource access requests from information in the request header, transforms them by adding the requested domain name to the request path as an identifier, and forwards them to the access proxy module; an access proxy module, which forwards the request to the range resource center according to the configured forwarding rules after recognizing the identifying domain name in the request; and a range resource center, which provides access to the resource according to the configured access policy. The system may further include a configuration center for configuring the domain name mapping of resource access and the access policies of resources. Implementation details of each module are as described above in the method embodiment and are not repeated here.

Claims (10)

1. The resource access method under the condition of network target range scene isolation is characterized by comprising the following steps:
the method comprises the steps that a software module for providing DHCP and DNS services in a network target range increases the mapping relation between a metadata service address and a preset host name or the mapping relation between a preset resource service address and the preset host name; the preset host name is used as a domain name of a target access resource in a preset target range scene;
when the metadata service address is used, monitoring a request of the metadata service address, forwarding the request to a metadata service proxy through a Linux socket, after receiving the request, identifying an resource access request through information in a request header, performing transformation processing, adding a domain name of the request into a request path for identification, and forwarding the domain name to an access proxy module; when the preset resource service address is used, monitoring a request of the preset resource service address, forwarding the request to a resource service processing module through a Linux socket, after receiving the request, identifying a resource access request through information in a request header, performing transformation processing, adding a domain name of the request to a request path for identification, and forwarding the domain name to an access agent module;
after the access agent module identifies the domain name with the identifier in the request, the request is forwarded to the target resource center according to the configured forwarding rule;
the target resource center provides resource access according to the configured access strategy.
2. The resource access method for the scene-isolation case of a cyber range according to claim 1, wherein, in an OpenStack-based cyber range, the host name resolution function is extended through the addn-hosts option of dnsmasq, and the automatic route configuration function of DHCP is extended through the dhcp-optsfile option.
3. The resource access method for the scene-isolation case of a cyber range according to claim 1, wherein the access proxy module is implemented with nginx, and the identified domain name is mapped to the address of the accessed resource by configuring nginx forwarding rules.
4. The resource access method for the scene-isolation case of a cyber range according to claim 1, wherein the visible range of a resource is controlled by configuring the domain name mapping: the resources associated with a domain name in global mode can be accessed by all targets in the range, while for a domain name in network or subnet custom mode only targets within the corresponding network or subnet can access the resources associated with that domain name.
5. The resource access method for the scene-isolation case of a cyber range according to claim 4, wherein, for a domain name in global mode, the mapping between the metadata service address or the preset resource service address and the preset host name is added in the namespace of every network; for a domain name in custom mode, the mapping between the metadata service address or the preset resource service address and the preset host name is added only for the corresponding network or subnet.
6. The resource access method for the scene-isolation case of a cyber range according to claim 1, wherein the access policies of a resource are divided into a download-only mode and a modifiable mode.
7. A resource access system for the scene-isolation case of a cyber range, characterized by comprising:
a domain name mapping module, which, in the software module that provides DHCP and DNS services in the cyber range, adds a mapping between a metadata service address and a preset host name, or between a preset resource service address and the preset host name, the preset host name serving as the domain name of the target resource accessed within the preset range scene;
a request transformation module, which, when the metadata service address is used, monitors requests to the metadata service address and forwards them over a Linux socket to a metadata service proxy that, after receiving a request, identifies a resource access request from information in the request header, transforms it by adding the requested domain name to the request path as an identifier, and forwards the transformed request to the access proxy module; and which, when the preset resource service address is used, monitors requests to the preset resource service address and forwards them over a Linux socket to a resource service processing module that, after receiving a request, identifies a resource access request from information in the request header, transforms it by adding the requested domain name to the request path as an identifier, and forwards the transformed request to the access proxy module;
an access proxy module, which, after recognising the identifying domain name in the request, forwards the request to the range resource center according to the configured forwarding rules;
and a range resource center, which serves resource access according to the configured access policy.
8. The resource access system for the scene-isolation case of a cyber range according to claim 7, further comprising a configuration center for configuring the domain name mapping used for resource access; the visible range of a resource is controlled by configuring the domain name mapping: the resources associated with a domain name in global mode can be accessed by all targets in the range, while for a domain name in network or subnet custom mode only targets within the corresponding network or subnet can access the resources associated with that domain name.
9. The resource access system for the scene-isolation case of a cyber range according to claim 7, further comprising a configuration center for configuring the access policies of resources, which are divided into a download-only mode and a modifiable mode.
10. The resource access system for the scene-isolation case of a cyber range according to claim 7, wherein the domain name mapping module adds the mapping between the metadata service address or the preset resource service address and the preset host name in the namespace of every network for a domain name in global mode, and only for the corresponding network or subnet for a domain name in custom mode.
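An added example, not the patent's code, of what the domain name mapping module of claims 2, 5 and 10 would write into one network namespace: a hosts(5) fragment for dnsmasq's `--addn-hosts` and option-121 classless static routes for `--dhcp-optsfile`, with global-mode domains emitted in every namespace and custom-mode domains only in their own network or subnet. It assumes the range's DHCP/DNS service is OpenStack Neutron's per-network dnsmasq, that the metadata service address is OpenStack's conventional 169.254.169.254, and Neutron's `subnet-<id>` tag convention; the hostnames, ids and addresses are constructed.

```python
"""Added example (not the patent's code): rendering the dnsmasq fragments that the
domain name mapping module would hand to --addn-hosts and --dhcp-optsfile.

Assumptions not taken from the patent text: the DNS/DHCP service is Neutron's
per-network dnsmasq, the metadata address is OpenStack's 169.254.169.254, and
subnet tags use Neutron's "subnet-<id>" form. Hostnames, ids and addresses are
constructed.
"""
import ipaddress
from dataclasses import dataclass

METADATA_ADDR = "169.254.169.254"   # assumed OpenStack metadata service address


@dataclass(frozen=True)
class DomainMapping:
    hostname: str        # preset host name used as the resource domain in the scene
    target_addr: str     # metadata service address or preset resource service address
    scope: str           # "global": every network; "custom": one network/subnet only
    network_id: str = ""
    subnet_id: str = ""  # empty = whole network


def visible_in(m: DomainMapping, network_id: str, subnet_id: str) -> bool:
    """Visibility rule: global domains go into every namespace, custom domains
    only into the namespace of their own network (and subnet, if one is set)."""
    if m.scope == "global":
        return True
    if m.scope == "custom":
        return m.network_id == network_id and (not m.subnet_id or m.subnet_id == subnet_id)
    raise ValueError(f"unknown scope {m.scope!r}")


def addn_hosts_lines(mappings, network_id, subnet_id):
    """Content of the file passed to dnsmasq via --addn-hosts (hosts(5) format)."""
    lines = []
    for m in mappings:
        if visible_in(m, network_id, subnet_id):
            ipaddress.ip_address(m.target_addr)   # reject garbage before dnsmasq sees it
            lines.append(f"{m.target_addr} {m.hostname}")
    return lines


def dhcp_optsfile_lines(subnet_tag, dhcp_server_ip, gateway, target_addrs):
    """Content of the file passed via --dhcp-optsfile: a /32 host route for each
    target address through the DHCP server (where the listening proxy lives),
    as option 121 and its Microsoft twin 249, plus the default router."""
    for a in (dhcp_server_ip, gateway, *target_addrs):
        ipaddress.ip_address(a)
    routes = ",".join(f"{a}/32,{dhcp_server_ip}" for a in sorted(set(target_addrs)))
    route_spec = f"{routes},0.0.0.0/0,{gateway}"
    return [
        f"tag:{subnet_tag},option:classless-static-route,{route_spec}",
        f"tag:{subnet_tag},249,{route_spec}",
        f"tag:{subnet_tag},option:router,{gateway}",
    ]


def render_namespace(mappings, network_id, subnet_id, dhcp_server_ip, gateway):
    """Everything the domain name mapping module writes for one network namespace."""
    hosts = addn_hosts_lines(mappings, network_id, subnet_id)
    targets = [line.split()[0] for line in hosts]
    return {
        "addn_hosts": hosts,
        "dhcp_opts": dhcp_optsfile_lines(f"subnet-{subnet_id}", dhcp_server_ip, gateway, targets),
    }


# Constructed sample: one global domain on the metadata address, one custom domain
# pinned to network "net-a"/subnet "a1" on a preset resource service address.
SAMPLE_MAPPINGS = [
    DomainMapping("tools.range.local", METADATA_ADDR, "global"),
    DomainMapping("malware-samples.range.local", "169.254.200.1", "custom", "net-a", "a1"),
]

if __name__ == "__main__":
    for net, sub in (("net-a", "a1"), ("net-b", "b1")):
        out = render_namespace(SAMPLE_MAPPINGS, net, sub, "10.0.0.2", "10.0.0.1")
        print(f"# {net}/{sub}")
        print("\n".join(out["addn_hosts"]))
        print("\n".join(out["dhcp_opts"]))
```

In the namespace of `net-a` both hostnames resolve and both target addresses get a host route through the DHCP server; in `net-b` only the global domain appears, which is exactly the visibility split claims 4 and 5 describe. Validating every address with `ipaddress` before writing keeps a bad configuration-center entry from taking the whole dnsmasq instance down at reload.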
CN202310841530.8A 2023-07-11 2023-07-11 Resource access method and system under condition of network target range scene isolation Active CN116566749B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310841530.8A CN116566749B (en) 2023-07-11 2023-07-11 Resource access method and system under condition of network target range scene isolation

Publications (2)

Publication Number Publication Date
CN116566749A CN116566749A (en) 2023-08-08
CN116566749B true CN116566749B (en) 2023-10-24

Family

ID=87491931

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310841530.8A Active CN116566749B (en) 2023-07-11 2023-07-11 Resource access method and system under condition of network target range scene isolation

Country Status (1)

Country Link
CN (1) CN116566749B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102984287A (en) * 2012-11-19 2013-03-20 青岛海信传媒网络技术有限公司 Microblog application server and microblog platform chained address sharing method thereof
CN108021428A (en) * 2017-12-05 2018-05-11 华迪计算机集团有限公司 A kind of method and system that network target range is realized based on Docker
CN110430288A (en) * 2019-09-16 2019-11-08 腾讯科技(深圳)有限公司 Node visit method, apparatus, computer equipment and storage medium
CN112187610A (en) * 2020-09-24 2021-01-05 北京赛宁网安科技有限公司 Network isolation system and method for network target range
CN115460106A (en) * 2022-08-30 2022-12-09 南京赛宁信息技术有限公司 Virtual machine monitoring method and system for improving resource utilization rate in network target range
CN116366323A (en) * 2023-03-24 2023-06-30 北京赛宁网安科技有限公司 Network target range scene isolated access method and system based on dynamic domain name

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI326173B (en) * 2006-12-07 2010-06-11 Ind Tech Res Inst Apparatus and method of ip mobility management for persistent connections

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant