CN117596050A - Data access control method and device and electronic equipment - Google Patents
- Publication number: CN117596050A
- Application number: CN202311610286.0A
- Authority: CN (China)
- Prior art keywords
- management
- address
- server
- information
- control strategy
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources
- H04L61/5007: Network arrangements, protocols or services for addressing or naming; address allocation; Internet protocol [IP] addresses
- H04L63/20: Network architectures or network communication protocols for network security, for managing network security; network security policies in general
(All under H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication.)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a data access control method, a data access control device and an electronic device. A policy acquisition request is sent to a server to obtain control policy information stored in advance on the server; an IP address set and iptables rules are generated from the control policy information; in response to a data access request being issued, the IP address information corresponding to the client is obtained; and the data access request is controlled according to the IP address information, the IP address set and the iptables rules. Because the client obtains the control policy from the server and turns it into an IP address set and iptables rules, data access requests can be controlled on a domestic operating system and data security can be ensured.
Description
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a data access control method and apparatus, and an electronic device.
Background
In the past, enterprise office computers mostly ran the Windows operating system, and the network access control software deployed on them can only run on Windows. As domestic operating systems such as Unity Operating System (UOS) spread through enterprises, the network access control software written for Windows clients does not work on them. There is therefore no network access control software for domestic operating systems, the network access of computers running a domestic operating system cannot be controlled, and data security cannot be ensured.
Disclosure of Invention
The invention aims to provide a data access control method, a data access control device and an electronic device for controlling the network access of computers running a domestic operating system, so as to ensure data security.
The invention provides a data access control method applied to a client running on a domestic operating system. The method comprises the following steps: sending a policy acquisition request to a server to obtain control policy information stored in advance on the server; generating an IP address set and iptables rules from the control policy information; in response to a data access request being issued, obtaining the IP address information corresponding to the client; and controlling the data access request according to the IP address information, the IP address set and the iptables rules.
Further, the control policy information includes: a control policy version number, a DNS server address, a domain name blacklist and whitelist, an IP address blacklist and whitelist, the permitted network transport protocols, and forbidden port numbers.
Further, the step of generating the IP address set and the iptables rules from the control policy information includes: creating IP address sets from the domain name blacklist and whitelist and the IP address blacklist and whitelist in the control policy information; and generating iptables rules from the control policy information and associating them with the IP address sets.
Further, after the step of obtaining the control policy information stored in advance on the server, the method further includes: configuring the DNS server address used by the client according to the DNS server address in the control policy information.
Further, the method further comprises: sending heartbeat information to the server to obtain the latest control policy version number, and determining from that version number whether the control policy information has been updated; if it has been updated, repeating the step of sending a policy acquisition request to the server to obtain the control policy information stored in advance on the server; and if it has not been updated, repeating the step of sending heartbeat information to the server.
The invention provides a data access control device arranged on a client running on a domestic operating system. The device comprises: a first acquisition module for sending a policy acquisition request to a server to obtain control policy information stored in advance on the server; a generation module for generating an IP address set and iptables rules from the control policy information; a second acquisition module for obtaining, in response to a data access request being issued, the IP address information corresponding to the client; and a control module for controlling the data access request according to the IP address information, the IP address set and the iptables rules.
Further, the generation module is further configured to: create IP address sets from the domain name blacklist and whitelist and the IP address blacklist and whitelist in the control policy information; and generate iptables rules from the control policy information and associate them with the IP address sets.
Further, the device also comprises a configuration module for configuring the DNS server address used by the client according to the DNS server address in the control policy information.
The invention provides an electronic device comprising a processor and a memory, the memory storing machine-executable instructions that can be executed by the processor, and the processor executing the machine-executable instructions to implement any of the data access control methods above.
The invention provides a machine-readable storage medium storing machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement any of the data access control methods above.
With the data access control method, device and electronic device above, a policy acquisition request is sent to a server to obtain control policy information stored in advance on the server; an IP address set and iptables rules are generated from the control policy information; in response to a data access request being issued, the IP address information corresponding to the client is obtained; and the data access request is controlled according to the IP address information, the IP address set and the iptables rules. Because the client obtains the control policy from the server and turns it into an IP address set and iptables rules, data access requests can be controlled on a domestic operating system and data security can be ensured.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a data access control method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a data access control system according to an embodiment of the present invention;
FIG. 3 is a flowchart of another method for controlling data access according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a data access control device according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be clearly and completely described in connection with the embodiments, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
At present, with the spread of domestic operating systems in enterprises, the network access control client previously used on Windows computers does not work on domestic operating systems, so the network access of computers running a domestic operating system cannot be controlled and data security cannot be ensured. On this basis, the embodiment of the invention provides a data access control method, a data access control device and an electronic device; the technique can be applied in data access control scenarios based on a domestic operating system.
To aid understanding of the present embodiment, the data access control method disclosed in it is described first. The method is applied to a client, and the client runs on a domestic operating system, for example Unity Operating System (UOS). As shown in fig. 1, the method comprises the following steps:
Step S102: send a policy acquisition request to a server to obtain control policy information stored in advance on the server.
The control policy information generally comprises a control policy version number and the configuration items of the edited control policy. In actual implementation the server is also connected to a front-end web application: an administrator edits each configuration item of the control policy in the front-end web application and submits it to the server; the server receives the submitted control policy, automatically generates a corresponding control policy version number for it, and stores the version number together with each configuration item of the control policy.
Step S104: generate an IP address set and iptables rules from the control policy information.
The IP address set above corresponds to the Linux ipset facility. An ipset can store one or any combination of IP addresses, port numbers, MAC (Media Access Control) addresses, network interface names and so on; it is mainly used by iptables rules, since a single rule that matches against a set is far more flexible than one rule per address. An iptables rule states that when the header of a packet meets a specified condition, the packet is handled in a specified way; for example, when a packet matches a rule it is handled with the target defined by that rule, such as ACCEPT (pass), REJECT or DROP. In actual implementation, after the client obtains the control policy information, the IP address set and the iptables rules may be generated automatically from it.
Step S106: in response to a data access request being issued, obtain the IP address information corresponding to the client.
The data access request may be a network request issued to an external network. In actual implementation, after a user program on the client issues a data access request, the request is processed by the iptables rules before it reaches the external network; in particular, the IP address information corresponding to the client that issued the data access request can be obtained.
Step S108: control the data access request according to the IP address information, the IP address set and the iptables rules.
The data access request is controlled according to the IP address information obtained for the client that issued it, the generated IP address set and the iptables rules. For example, if the IP address information matches the IP address set and the target defined by the corresponding iptables rule is DROP, the data access request cannot be sent out, which realizes interception.
With the data access control method above, a policy acquisition request is sent to the server to obtain control policy information stored in advance on the server; an IP address set and iptables rules are generated from the control policy information; in response to a data access request being issued, the IP address information corresponding to the client is obtained; and the data access request is controlled according to the IP address information, the IP address set and the iptables rules. Because the client obtains the control policy from the server and turns it into an IP address set and iptables rules, data access requests can be controlled on a domestic operating system and data security can be ensured.
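The following is an added example written for this page, not code from the patent or from any product it describes. It turns a control policy with the fields listed in the description into the ipset and iptables command lines a client would run after step S104, in the order a practitioner would want: rebuild each set in a temporary set and swap it in so a live rule never sees an empty set, keep the rules in a dedicated chain hooked off OUTPUT, and keep the client's own DNS traffic reachable. Everything the description does not fix is an assumption of the example: the JSON field names, the set and chain names, matching the sets against the destination address, treating forbidden ports as destination ports, and reading a non-empty whitelist as "deny everything not listed".

```python
"""Added example, not code from the patent: turn a control policy of the kind
described in steps S102 to S108 into ipset and iptables command lines.

Assumptions made here (the description fixes none of them): the policy is a JSON
object with the keys used in POLICY; the set names, the DAC_OUT chain, matching
the sets against the destination address, treating forbidden ports as
destination ports, and "a whitelist present means default deny" are all choices
of this example."""
import ipaddress
import json

# Constructed sample policy with the fields the description lists.
POLICY = json.loads("""{
  "version": 7,
  "dns_server": "10.0.0.53",
  "domain_whitelist": ["intranet.example.test"],
  "domain_blacklist": ["paste.example.test"],
  "ip_whitelist": ["10.0.0.0/8"],
  "ip_blacklist": ["203.0.113.0/24", "198.51.100.7"],
  "protocols": ["tcp", "udp"],
  "forbidden_ports": [22, 6881]
}""")

# Constructed stand-in for DNS resolution. iptables matches packet headers, so a
# domain name can only enter a set as the addresses it currently resolves to.
RESOLVED = {
    "intranet.example.test": ["10.1.2.3"],
    "paste.example.test": ["192.0.2.10", "192.0.2.11"],
}

def resolve(name):
    # On a real host: {a[4][0] for a in socket.getaddrinfo(name, None)}.
    return RESOLVED.get(name, [])

SET_NAMES = ("dac_ip_allow", "dac_ip_deny", "dac_dom_allow", "dac_dom_deny")

def ipset_commands(policy, resolver=resolve):
    """One hash:net set per list (hash:net also takes single addresses, so the
    type never changes and 'ipset swap' always works). Each set is rebuilt in a
    temporary set and swapped in, so a live rule never sees an empty set."""
    entries = {
        "dac_ip_allow": list(policy["ip_whitelist"]),
        "dac_ip_deny": list(policy["ip_blacklist"]),
        "dac_dom_allow": [a for d in policy["domain_whitelist"] for a in resolver(d)],
        "dac_dom_deny": [a for d in policy["domain_blacklist"] for a in resolver(d)],
    }
    cmds = []
    for name in SET_NAMES:
        members = entries[name]
        for m in members:
            ipaddress.ip_network(m, strict=False)  # reject garbage before it reaches a shell
        cmds.append(f"ipset -exist create {name} hash:net")
        cmds.append(f"ipset -exist create {name}_new hash:net")
        cmds.append(f"ipset flush {name}_new")
        cmds.extend(f"ipset add {name}_new {m}" for m in members)
        cmds.append(f"ipset swap {name}_new {name}")
        cmds.append(f"ipset destroy {name}_new")
    return cmds

CHAIN = "DAC_OUT"

def iptables_commands(policy):
    """Rules live in their own chain hooked at the top of OUTPUT. Order matters:
    the client's own DNS traffic, then port bans, then denies, then allows,
    then the default."""
    dns = str(ipaddress.ip_address(policy["dns_server"]))
    cmds = [
        f"iptables -N {CHAIN} 2>/dev/null || iptables -F {CHAIN}",
        f"iptables -C OUTPUT -j {CHAIN} 2>/dev/null || iptables -I OUTPUT 1 -j {CHAIN}",
        f"iptables -A {CHAIN} -o lo -j ACCEPT",
        f"iptables -A {CHAIN} -d {dns} -p udp --dport 53 -j ACCEPT",
        f"iptables -A {CHAIN} -d {dns} -p tcp --dport 53 -j ACCEPT",
    ]
    for port in policy["forbidden_ports"]:
        for proto in ("tcp", "udp"):
            cmds.append(f"iptables -A {CHAIN} -p {proto} --dport {port} -j REJECT")
    cmds.append(f"iptables -A {CHAIN} -m set --match-set dac_ip_deny dst -j DROP")
    cmds.append(f"iptables -A {CHAIN} -m set --match-set dac_dom_deny dst -j DROP")
    for proto in policy["protocols"]:
        cmds.append(f"iptables -A {CHAIN} -p {proto} -m set --match-set dac_ip_allow dst -j ACCEPT")
        cmds.append(f"iptables -A {CHAIN} -p {proto} -m set --match-set dac_dom_allow dst -j ACCEPT")
    # With a whitelist in the policy everything not listed is dropped; a policy
    # with only blacklists falls through to the OUTPUT chain's own default.
    if policy["ip_whitelist"] or policy["domain_whitelist"]:
        cmds.append(f"iptables -A {CHAIN} -j DROP")
    return cmds

def render_script(policy):
    """The shell script the client would run as root after a policy fetch."""
    body = "\n".join(ipset_commands(policy) + iptables_commands(policy))
    return "#!/bin/sh\nset -e\n" + body + "\n"

if __name__ == "__main__":
    print(render_script(POLICY), end="")
```

Run the script that render_script returns as root, after putting the policy server's own address in ip_whitelist, otherwise a default-deny policy cuts the client off from its next heartbeat. Because the description matches domain names by resolving them into sets, the sets have to be rebuilt whenever the addresses behind a name change, not only when the policy version does.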
The embodiment of the invention also provides another data access control method, implemented on the basis of the method of the embodiment above, which comprises the following steps:
Step one: send a policy acquisition request to a server to obtain control policy information stored in advance on the server.
The control policy information comprises: a control policy version number, a DNS (Domain Name System) server address, a domain name blacklist and whitelist, an IP address blacklist and whitelist, the permitted network transport protocols, and forbidden port numbers. The control policy version number may be the current latest version number. The DNS server translates domain names into the IP addresses the machine understands. The domain name blacklist and whitelist may comprise a domain name whitelist and/or a domain name blacklist: a whitelisted domain name is one that is allowed through, that is, the external network may be accessed under that name, and a blacklisted domain name is one that must be intercepted, that is, the external network may not be accessed under that name. Likewise, the IP address blacklist and whitelist may comprise an IP address whitelist and/or an IP address blacklist: a whitelisted IP address is allowed through, that is, it may be reached on the external network, and a blacklisted IP address must be intercepted, that is, it may not be reached on the external network. The network transport protocols are those permitted when accessing the external network. A forbidden port number is a port that may not be used when accessing the external network; that is, a data access request sent outward through a forbidden port is intercepted rather than passed.
Step two: configure the DNS server address used by the client according to the DNS server address in the control policy information.
In actual implementation the client usually already has an /etc/resolv.conf file. This file can be modified according to the DNS server address in the control policy information so as to set the DNS server address used by the client; specifically, the client's DNS server address is changed to the DNS server address given in the control policy information.
Step three: create IP address sets from the domain name blacklist and whitelist and the IP address blacklist and whitelist in the control policy information.
Step four: generate iptables rules from the control policy information and associate them with the IP address sets.
The client may create several different ipsets, i.e. the IP address sets above, from the domain name blacklist and whitelist and the IP address blacklist and whitelist in the control policy information. The client may also generate iptables rules from the control policy information and attach the created IP address sets to those rules, so that different IP address sets correspond to different targets.
Step five: in response to a data access request being issued, obtain the IP address information corresponding to the client.
Step six: control the data access request according to the IP address information, the IP address set and the iptables rules.
After a user issues a data access request through the client, the request is processed by the iptables rules before it reaches the external network; for example, a DROP target can be applied to a data access request that matches an IP address set created in the step above, so that the request cannot be sent out and interception is realized.
Step seven: send heartbeat information to the server to obtain the latest control policy version number, and determine from it whether the control policy information has been updated.
The client can send heartbeat information to the server at regular intervals; after receiving the heartbeat, the server sends the latest control policy version number back to the client; the client compares that version number with the control policy version number it obtained last time and decides from the result whether the control policy information stored on the server has been updated.
Step eight: if the control policy information has been updated, repeat the step of sending a policy acquisition request to the server to obtain the control policy information stored in advance on the server.
If the comparison shows that the latest control policy version number differs from the one obtained last time, the control policy information stored on the server is considered updated; the step of sending a policy acquisition request to the server to obtain the stored control policy information is then repeated, so that the latest control policy information is obtained in time and data access requests are controlled according to the latest control policy.
Step nine: if the control policy information has not been updated, repeat the step of sending heartbeat information to the server.
If the comparison shows that the latest control policy version number is the same as the one obtained last time, the control policy information stored on the server is considered not updated; the step of sending heartbeat information to the server is then repeated, so that an update of the control policy version stored on the server is noticed in time.
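The heartbeat and version-number loop of steps seven to nine, together with the DNS step (step two), as an added example that is not the patent's code: the server side and the client side are both present so the exchange runs offline against a stand-in server. Assumptions of the example: messages are plain dicts rather than a wire protocol; apply_fn stands for whatever turns the fetched policy into ipset and iptables commands and runs them; and the refusal to accept a version number lower than the one already enforced is an addition the description does not mention.

```python
"""Added example, not code from the patent: the heartbeat and version-number
loop of steps seven to nine, together with the DNS step (step two), run against
a stand-in server so that it executes offline.

Assumptions made here: messages are plain dicts rather than a wire protocol;
apply_fn is whatever turns the fetched policy into ipset/iptables commands and
runs them; and refusing a version number lower than the one already enforced
is an addition the description does not mention."""
import ipaddress

class PolicyServer:
    """Stand-in for the server: holds the policy the administrator last submitted
    and, as the description says, answers a heartbeat with only its version."""
    def __init__(self, policy):
        self.policy = policy

    def heartbeat(self, client_id):
        return {"client": client_id, "version": self.policy["version"]}

    def get_policy(self, client_id):
        return dict(self.policy)

def render_resolv_conf(dns_server):
    """Content the client writes to /etc/resolv.conf in step two (returned here,
    not written). Validating the address keeps a malformed policy from producing
    a resolver file that silently breaks name resolution."""
    return f"nameserver {ipaddress.ip_address(dns_server)}\n"

class PolicyClient:
    def __init__(self, server, apply_fn, client_id="pc-01"):
        self.server = server
        self.apply_fn = apply_fn
        self.client_id = client_id
        self.version = None        # version of the policy currently enforced
        self.resolv_conf = None

    def fetch_and_apply(self):
        """Steps one to four in one go: pull the full policy and enforce it."""
        policy = self.server.get_policy(self.client_id)
        if self.version is not None and policy["version"] < self.version:
            # A replayed or stale policy must not be allowed to loosen the rules.
            raise ValueError(f"policy version went backwards: {self.version} -> {policy['version']}")
        self.resolv_conf = render_resolv_conf(policy["dns_server"])
        self.apply_fn(policy)
        self.version = policy["version"]
        return self.version

    def tick(self):
        """One heartbeat round (steps seven to nine). Returns True when a new
        policy was pulled and applied, False when the version was unchanged."""
        latest = self.server.heartbeat(self.client_id)["version"]
        if latest == self.version:
            return False
        self.fetch_and_apply()
        return True

def run_rounds(server, client, rounds):
    """Drive the loop for a fixed number of heartbeats; returns the round numbers
    on which a policy refresh happened."""
    return [i for i in range(rounds) if client.tick()]

if __name__ == "__main__":
    srv = PolicyServer({"version": 1, "dns_server": "10.0.0.53"})
    cli = PolicyClient(srv, lambda p: print("apply policy v", p["version"]))
    cli.tick()                      # first heartbeat: nothing enforced yet, so pull v1
    srv.policy = {"version": 2, "dns_server": "10.0.0.54"}
    print(run_rounds(srv, cli, 3))  # refresh happens once, on round 0
```

In a deployment the heartbeat and the policy fetch travel over the network, so the client should authenticate the server it talks to; whether the patent's client does so is not stated in the description.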
With the data access control method above, the control policy information is pulled from the server by a program, and network access control on a domestic operating system is realized by setting iptables rules according to that information, so network control policies can be formulated conveniently, flexibly and efficiently, meeting the enterprise's need for supervision software during its transition from Windows to a domestic operating system.
For ease of understanding, refer to the architecture diagram of a data access control system shown in fig. 2. It comprises a front-end web application, a server (the server above) and a number of PC clients (the client above). The front-end web application is used to formulate and update the control policy and push it to the server: the administrator edits configuration items of the control policy such as the DNS server, the IP address blacklist and whitelist, the domain name blacklist and whitelist, the network transport protocols and the forbidden port numbers in the front-end web application and submits them to the server.
The server is used to receive the control policy submitted by the front-end web application, to receive heartbeats from the PC clients and return the latest control policy version number, and to receive policy acquisition requests from the PC clients and return the latest control policy information.
The server also stores the received control policy; the stored information comprises the control policy version number, the DNS server address, the IP address blacklist and whitelist, the domain name blacklist and whitelist, the network transport protocols, the forbidden port numbers and so on.
The PC client is used to set the network policy of the user's system: it obtains the latest control policy from the server, sets iptables rules according to it, and filters and intercepts network requests; it sends a heartbeat to the server at regular intervals to obtain the latest control policy version number, pulls the latest control policy and updates the iptables rules. Specifically, while working, the PC client needs to filter and intercept traffic according to the initiating process, destination address, network protocol, outgoing port, request path and so on of each network request, for example a network request sent outward on port 22 to the domain name gitoub. After the PC client is put into use, it pulls the control policy from the server at regular intervals and automatically updates its filtering and interception of network requests according to that policy.
Referring to the flowchart of another data access control method shown in fig. 3: first, the administrator edits a control policy in the front-end web application and issues it to the server, and the user installs the PC client on a domestic operating system. Second, the PC client sends a policy acquisition request to the server to obtain the control policy; it modifies /etc/resolv.conf according to the control policy to update its DNS server address, creates different ipsets from the domain name blacklist and whitelist and the IP address blacklist and whitelist in the control policy, and creates iptables rules from the control policy, setting filtering rules for the addresses in the ipsets. Third, after a user program issues a network request, the iptables rules are applied and the request is filtered and intercepted according to them. Finally, the PC client sends a heartbeat to the server and checks whether a new control policy exists; if it does, the step in which the PC client sends a policy acquisition request to the server is repeated, and if it does not, the step in which the PC client sends a heartbeat to the server is repeated. The method can restrict the network requests sent by a user according to the network policy specified by the administrator, which ensures data security and solves the lack of network access control software for domestic operating systems in the related art.
The embodiment of the invention provides a data access control device, which is arranged at a client, and the client runs in a domestic operating system, as shown in fig. 4, and comprises: a first obtaining module 40, configured to send a policy obtaining request to a server to obtain management and control policy information stored in the server in advance; a generating module 41, configured to generate an IP address set and iptables rules according to the management and control policy information; a second obtaining module 42, configured to obtain IP address information corresponding to the client in response to the data access request; and the management and control module 43 is configured to manage and control the data access request according to the IP address information, the IP address set and the iptables rule.
The data access management and control device sends a policy acquisition request to the server to acquire management and control policy information stored in the server in advance; generating an IP address set and an iptables rule according to the management and control strategy information; responding to the data access request to send out operation, and acquiring IP address information corresponding to the client; and managing and controlling the data access request according to the IP address information, the IP address set and the iptables rule. The method can acquire the management and control strategy information from the server, and generate the IP address set and the iptables rule according to the management and control strategy information, so that management and control of the data access request based on the domestic operating system are realized, and the data security can be ensured.
Further, the management and control policy information includes: a policing policy version number, DNS server address, domain name black and white list, IP address black and white list, network transport protocol, and forbidden port number.
Further, the generating module 41 is further configured to: creating an IP address set according to the domain name black-and-white list and the IP address black-and-white list in the management and control strategy information; and generating iptables rules according to the management and control strategy information, and associating with the IP address set.
Further, the device also comprises a configuration module; the configuration module is used for configuring server address information corresponding to the client according to the DNS server address in the management and control strategy information.
Further, the device is also used for: sending heartbeat information to a server to acquire the latest management and control strategy version number, and detecting whether the management and control strategy information is updated according to the latest management and control strategy version number; if the management and control policy information is updated, repeatedly executing the step of sending a policy acquisition request to the server to acquire the management and control policy information stored in the server in advance; and if the management and control strategy information is not updated, repeating the step of sending the heartbeat information to the server.
The implementation principle and technical effects of the data access control device provided by the embodiment of the invention are the same as those of the data access control method embodiment; for brevity, where the device embodiment does not mention a detail, reference may be made to the corresponding content of the method embodiment.
An embodiment of the present invention further provides an electronic device, as shown in fig. 5. The electronic device includes a processor 130 and a memory 131; the memory 131 stores machine-executable instructions that can be executed by the processor 130, and the processor 130 executes them to implement the data access management and control method described above.
Further, the electronic device shown in fig. 5 also includes a bus 132 and a communication interface 133; the processor 130, the communication interface 133 and the memory 131 are connected through the bus 132.
The memory 131 may include a high-speed random access memory (RAM) and may further include a non-volatile memory, such as at least one magnetic disk memory. The communication connection between the system network element and at least one other network element is implemented via at least one communication interface 133 (wired or wireless), and may use the Internet, a wide area network, a local area network, a metropolitan area network, etc. The bus 132 may be an ISA bus, a PCI bus, an EISA bus or the like, and buses may be classified as address buses, data buses, control buses, etc. For ease of illustration only one bidirectional arrow is shown in fig. 5, but this does not mean that there is only one bus or one type of bus.
The processor 130 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be performed by integrated logic circuitry in hardware or by instructions in software within the processor 130. The processor 130 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and it may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in connection with the embodiments of the present invention may be embodied directly in hardware in a decoding processor, or in a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers or another storage medium well known in the art. The storage medium is located in the memory 131; the processor 130 reads the information in the memory 131 and, in combination with its hardware, performs the steps of the method of the foregoing embodiment.
The embodiment of the invention also provides a machine-readable storage medium storing machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement the data access management and control method; for the specific implementation, reference may be made to the method embodiment, which is not repeated here.
The computer program product of the data access control method, the data access control device and the electronic device provided by the embodiments of the present invention includes a computer-readable storage medium storing program code; the instructions in the program code may be used to execute the method described in the foregoing method embodiment, and for the specific implementation reference may be made to the method embodiment, which is not repeated here.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
Finally, it should be noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments can be modified, or some or all of their technical features can be replaced by equivalents, and that such modifications and substitutions do not depart from the spirit of the invention.
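As an added example that is not part of the patent text, the following Python sketches the pipeline described above: a constructed policy record is compiled into ipset and iptables commands (allow rule before deny rules), the DNS configuration line is produced from the policy's DNS server address, and the heartbeat version comparison decides whether a fresh policy fetch is needed. The policy field names, the `allowlist`/`denylist` set names and the resolver table are assumptions.

```python
"""Compile control-policy information into ipset/iptables commands, configure DNS
and check the heartbeat version. Added illustration, not the patent's own code;
DNS lookups are stubbed with a constructed table so the example runs offline."""
import ipaddress

# Constructed sample policy carrying the fields the patent lists (hypothetical values).
POLICY = {"version": 7, "dns_server": "10.0.0.53",
          "domain_blacklist": ["bad.example"], "domain_whitelist": ["intranet.example"],
          "ip_blacklist": ["203.0.113.0/24"], "ip_whitelist": ["10.0.0.0/8"],
          "protocol": "tcp", "forbidden_ports": [23, 445]}
# Constructed stand-in for answers from the policy's DNS server (hypothetical data).
RESOLVER = {"bad.example": ["198.51.100.7"], "intranet.example": ["10.1.2.3"]}

def build_ip_set(domains, cidrs, resolver=RESOLVER):
    """Merge resolved domain names and literal CIDRs into validated ipset entries."""
    entries = set()
    for name in domains:
        entries.update(str(ipaddress.ip_address(a)) for a in resolver.get(name, []))
    for cidr in cidrs:
        entries.add(str(ipaddress.ip_network(cidr, strict=False)))  # rejects malformed input
    return sorted(entries)

def compile_policy(policy, resolver=RESOLVER):
    """Return the commands that install the policy; the allow rule precedes every deny rule."""
    if policy["protocol"] not in ("tcp", "udp"):
        raise ValueError("unsupported transport protocol")  # never splice unchecked text into a command
    allow = build_ip_set(policy["domain_whitelist"], policy["ip_whitelist"], resolver)
    deny = build_ip_set(policy["domain_blacklist"], policy["ip_blacklist"], resolver)
    cmds = ["ipset create -exist allowlist hash:net", "ipset create -exist denylist hash:net"]
    cmds += [f"ipset add -exist allowlist {e}" for e in allow]
    cmds += [f"ipset add -exist denylist {e}" for e in deny]
    cmds.append("iptables -A OUTPUT -m set --match-set allowlist dst -j ACCEPT")
    cmds.append("iptables -A OUTPUT -m set --match-set denylist dst -j DROP")
    for port in policy["forbidden_ports"]:
        cmds.append(f"iptables -A OUTPUT -p {policy['protocol']} --dport {int(port)} -j DROP")
    return cmds

def resolv_conf(policy):
    """DNS configuration step: point the client at the DNS server named in the policy."""
    return f"nameserver {ipaddress.ip_address(policy['dns_server'])}\n"

def needs_refresh(local_version, heartbeat_version):
    """Heartbeat check: re-fetch the policy only when the server reports a newer version."""
    return heartbeat_version > local_version

if __name__ == "__main__":
    print("\n".join(compile_policy(POLICY)))
```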
Claims (10)
1. A data access control method, wherein the method is applied to a client, the client runs in a domestic operating system, and the method comprises:
sending a policy acquisition request to a server to acquire management and control policy information stored in advance on the server;
generating an IP address set and iptables rules according to the management and control policy information;
in response to a data access request being issued, acquiring IP address information corresponding to the client; and
managing and controlling the data access request according to the IP address information, the IP address set and the iptables rules.
2. The method of claim 1, wherein the management and control policy information comprises: a management and control policy version number, a DNS server address, a domain name blacklist and whitelist, an IP address blacklist and whitelist, a network transport protocol, and a forbidden port number.
3. The method of claim 1, wherein generating the IP address set and the iptables rules according to the management and control policy information comprises:
creating an IP address set according to the domain name blacklist and whitelist and the IP address blacklist and whitelist in the management and control policy information; and
generating iptables rules according to the management and control policy information and associating them with the IP address set.
4. The method of claim 1, wherein after the step of acquiring the management and control policy information stored in advance on the server, the method further comprises:
configuring server address information corresponding to the client according to the DNS server address in the management and control policy information.
5. The method of claim 2, wherein the method further comprises:
sending heartbeat information to the server to acquire the latest management and control policy version number, and detecting, according to the latest management and control policy version number, whether the management and control policy information has been updated;
if the management and control policy information has been updated, repeating the step of sending a policy acquisition request to the server to acquire the management and control policy information stored in advance on the server; and
if the management and control policy information has not been updated, repeating the step of sending heartbeat information to the server.
6. A data access management and control device, wherein the device is arranged in a client, the client runs in a domestic operating system, and the device comprises:
a first acquisition module, used to send a policy acquisition request to a server to acquire management and control policy information stored in advance on the server;
a generation module, used to generate an IP address set and iptables rules according to the management and control policy information;
a second acquisition module, used to acquire, in response to a data access request being issued, the IP address information corresponding to the client; and
a management and control module, used to manage and control the data access request according to the IP address information, the IP address set and the iptables rules.
7. The device of claim 6, wherein the generation module is further configured to:
create an IP address set according to the domain name blacklist and whitelist and the IP address blacklist and whitelist in the management and control policy information; and
generate iptables rules according to the management and control policy information and associate them with the IP address set.
8. The device of claim 6, wherein the device further comprises a configuration module;
the configuration module is used to configure server address information corresponding to the client according to the DNS server address in the management and control policy information.
9. An electronic device comprising a processor and a memory, the memory storing machine-executable instructions executable by the processor, the processor executing the machine-executable instructions to implement the data access management and control method of any one of claims 1-5.
10. A machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the data access management and control method of any one of claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311610286.0A CN117596050A (en) | 2023-11-28 | 2023-11-28 | Data access control method and device and electronic equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311610286.0A CN117596050A (en) | 2023-11-28 | 2023-11-28 | Data access control method and device and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117596050A true CN117596050A (en) | 2024-02-23 |
Family
ID=89916388
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311610286.0A Pending CN117596050A (en) | 2023-11-28 | 2023-11-28 | Data access control method and device and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117596050A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118764320A (en) * | 2024-09-05 | 2024-10-11 | 北京连星科技有限公司 | Access control method, system, device and storage medium based on IPv6 address coloring |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||