CN-122027287-A - SASE network architecture and security access method, device, equipment, medium and product

Abstract

The invention discloses a SASE network architecture and a secure access method, device, equipment, medium and product. The network architecture comprises a control plane, a local access network layer and a remote access network layer. The control plane comprises a SASE controller, an SD-WAN controller and a session management function network element; the local access network layer comprises a private security access point, an SD-WAN edge node and a user plane function network element; the remote access network layer comprises a SASE access point and a relay user plane function network element. The SASE controller is in communication connection with the user plane function network element and the relay user plane function network element through the session management function network element, and is in communication connection with the SD-WAN edge node either through the SD-WAN controller and the SASE access point or directly through the SASE access point. By fusing a 5G dual-domain private network into the SASE network, access quality and access security can be improved.

Inventors

  • TANG YU
  • FENG YAO
  • XU XIAN

Assignees

  • 中移(苏州)软件技术有限公司
  • 中国移动通信集团有限公司

Dates

Publication Date
20260512
Application Date
20260212

Claims (10)

  1. A SASE network architecture, characterized by comprising a control plane, a local access network layer and a remote access network layer; the control plane comprises a SASE controller, an SD-WAN controller and a session management function network element; the local access network layer comprises a private security access point, an SD-WAN edge node and a user plane function network element; the remote access network layer comprises a SASE access point and a relay user plane function network element; wherein the SD-WAN edge node and the user plane function network element are in communication connection with the private security access point; the SASE controller is in communication connection with the user plane function network element and the relay user plane function network element through the session management function network element and is used for controlling a 5G dual-domain private network; and the SASE controller is in communication connection with the SD-WAN edge node through the SD-WAN controller and the SASE access point, or directly through the SASE access point, and is used for controlling an SD-WAN network.
  2. The SASE network architecture of claim 1, wherein wireless clients in the campus access an intranet or a public network through the user plane function network element and the private security access point, and wired clients in the campus access the intranet or the public network through the SD-WAN edge node and the private security access point.
  3. The SASE network architecture of claim 1, wherein an off-campus wireless client accesses the intranet through the relay user plane function network element and the private security access point, or accesses the public network through the relay user plane function network element; and an off-campus wired client accesses the intranet through the SASE access point, the SD-WAN edge node and the private security access point, or directly accesses the public network.
  4. The SASE network architecture of claim 1, wherein the SASE controller is configured to configure wireless access information by interfacing with the session management function network element, the wireless access information being used to indicate whether an off-campus wireless client is allowed to access the intranet or the public network; and the SASE controller is used for configuring the underlying SD-WAN network and its traffic scheduling information by interfacing with the SD-WAN controller.
  5. A secure access method applied to the SASE network architecture of any of claims 1 to 4, the method comprising: configuring, by the SASE controller, a security access policy, the security access policy including at least one of: an off-campus access policy, used for configuring whether to allow wireless and wired user terminals outside the campus to access the campus intranet; a security data calling policy, used for configuring whether security data in the private security access point is allowed to be called by the SASE controller and the SASE access point; a security configuration management policy, used for configuring whether the security configuration and the security baseline configuration of the private security access point are allowed to be uniformly managed and issued by the SASE controller, and whether the security network element version update in the private security access point and the security-related feature database update in the security network element are allowed to be uniformly managed and upgraded by the SASE controller; and an intra-campus public network access policy, used for configuring whether intra-campus public network access accepts security inspection by the SASE access point.
  6. The secure access method of claim 5, further comprising: in the case where data must remain local, the configuration of the security access policy includes: rejecting wireless and wired user terminals outside the campus from accessing the campus intranet; rejecting invocation of the security data within the private security access point by the SASE controller and the SASE access point; rejecting unified management and issuance of the security configuration and the security baseline configuration of the private security access point by the SASE controller, and rejecting unified management and upgrade by the SASE controller of the security network element version update and of the security-related feature database update in the security network element; and requiring public network access within the campus to accept security inspection by the SASE access point.
  7. A secure access device for use in the SASE network architecture of any of claims 1 to 4, the device comprising: a security access policy configuration module, configured to configure a security access policy by the SASE controller, where the security access policy includes at least one of: an off-campus access policy, used for configuring whether to allow wireless and wired user terminals outside the campus to access the campus intranet; a security data calling policy, used for configuring whether security data in the private security access point is allowed to be called by the SASE controller and the SASE access point; a security configuration management policy, used for configuring whether the security configuration and the security baseline configuration of the private security access point are allowed to be uniformly managed and issued by the SASE controller, and whether the security network element version update in the private security access point and the security-related feature database update in the security network element are allowed to be uniformly managed and upgraded by the SASE controller; and an intra-campus public network access policy, used for configuring whether intra-campus public network access accepts security inspection by the SASE access point.
  8. A secure access device comprising a processor, a memory and a computer program stored in the memory and configured to be executed by the processor, the processor implementing the secure access method of any one of claims 5 to 6 when executing the computer program.
  9. A computer-readable storage medium storing a computer program, wherein the computer program, when run, controls the device in which the computer-readable storage medium is located to perform the secure access method of any one of claims 5 to 6.
  10. A computer program product comprising a computer program or instructions which, when executed by a processor, implement the secure access method of any one of claims 5 to 6.
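An added illustration (not code from the patent) of the policy items in claims 5 and 6 and the access paths of claims 2 and 3: the four policy switches become fields of a small policy object, the "data must remain local" mode of claim 6 is a preset, and `access_path` returns the chain of network elements a request traverses or rejects it. Field and function names, the string labels, and the placement of SASE access point inspection at the end of the on-campus public-network path are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical labels for the request attributes (not from the patent).
WIRELESS, WIRED = "wireless", "wired"
ON_CAMPUS, OFF_CAMPUS = "on_campus", "off_campus"
INTRANET, PUBLIC = "intranet", "public"


@dataclass(frozen=True)
class SecurityAccessPolicy:
    """The four policy items of claim 5, modelled as booleans (assumed field names)."""
    allow_off_campus_intranet: bool         # off-campus access policy
    allow_security_data_call: bool          # security data calling policy
    allow_central_security_config: bool     # security configuration management policy
    inspect_campus_public_at_sase_ap: bool  # intra-campus public network access policy

    @classmethod
    def data_must_stay_local(cls) -> "SecurityAccessPolicy":
        # Claim 6: remote intranet access, external calls on local security data and
        # central configuration are all refused; campus public-network traffic is inspected.
        return cls(False, False, False, True)


def access_path(policy: SecurityAccessPolicy, client: str, location: str,
                destination: str) -> Optional[List[str]]:
    """Ordered network elements a request traverses, or None if the policy rejects it."""
    if location == ON_CAMPUS:
        # Claim 2: wireless via the UPF, wired via the SD-WAN edge node, both through
        # the private security access point.
        edge = "UPF" if client == WIRELESS else "SD-WAN edge node"
        path = [edge, "private security access point"]
        if destination == PUBLIC and policy.inspect_campus_public_at_sase_ap:
            path.append("SASE access point")  # assumed: inspection hop before the internet
        return path
    # Claim 3: off-campus intranet access is gated by the off-campus access policy.
    if destination == INTRANET:
        if not policy.allow_off_campus_intranet:
            return None
        if client == WIRELESS:
            return ["relay UPF", "UPF", "private security access point"]
        return ["SASE access point", "SD-WAN edge node", "private security access point"]
    # Off-campus public network: wireless through the relay UPF, wired directly.
    return ["relay UPF"] if client == WIRELESS else []
```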

Description

Technical Field

The present invention relates to the field of network security technologies, and in particular to a SASE network architecture and a security access method, apparatus, device, medium and product.

Background

Currently, SASE (Secure Access Service Edge) uses SD-WAN (Software Defined Wide Area Network) as its network carrier, emphasizes network acceleration and network isolation, and achieves speed and reliability approaching that of a conventional private line over the public internet. In practice, however, large enterprises and institutions have strict data security requirements: data must not leave the campus or institution, yet it must still be accessed securely and with handling for special exceptions. SD-WAN uses the internet as its carrier, so traffic must be encrypted before transmission over the internet, and SD-WAN access requires a dedicated client, which is unfriendly to small wireless terminals and Internet of Things devices. Wireless devices must additionally rely on access channels such as Wi-Fi and mobile networks, so the various paths are complex to manage and neither access quality nor access security can be guaranteed.

Disclosure of Invention

To address the problems in the prior art, the embodiments of the invention provide a SASE network architecture, a security access method, a security access device, security access equipment, a security access medium and a security access product, which can improve access quality and access security.
In a first aspect, an embodiment of the present invention provides a SASE network architecture including a control plane, a local access network layer and a remote access network layer. The control plane includes a SASE controller, an SD-WAN controller and a session management function network element, and the local access network layer includes a private security access point, an SD-WAN edge node and a user plane function network element; the SD-WAN edge node and the user plane function network element are in communication connection with the private security access point. The SASE controller is in communication connection with the user plane function network element and the relay user plane function network element through the session management function network element and is used for controlling a 5G dual-domain private network. The SASE controller is in communication connection with the SD-WAN edge node through the SD-WAN controller and the SASE access point, or directly through the SASE access point, and is used for controlling an SD-WAN network. A wireless user terminal in the campus accesses the intranet or the public network through the user plane function network element and the private security access point, and a wired user terminal in the campus accesses the intranet or the public network through the SD-WAN edge node and the private security access point. A wireless user terminal outside the campus accesses the intranet through the relay user plane function network element, the user plane function network element and the private security access point, or accesses the public network through the relay user plane function network element; a wired user terminal outside the campus accesses the intranet through the SASE access point, the SD-WAN edge node and the private security access point, or directly accesses the public network.
As an improvement of the above scheme, the SASE controller is configured to configure wireless access information by interfacing with the session management function network element, where the wireless access information indicates whether the off-campus wireless user terminal is allowed to access the intranet or the public network; the SASE controller is also used for configuring the underlying SD-WAN network and its traffic scheduling information by interfacing with the SD-WAN controller. Compared with the prior art, the embodiment of the invention integrates the 5G dual-domain private network into the SASE network, so that the SASE controller is in communication connection with 5G network elements such as the user plane function network element and the relay user plane function network element through the session management function network element in order to control the 5G dual-domain private network, and at the same time is in communication connection with the SD-WAN edge node through the SD-WAN controller and the SASE access point, or directly through the SASE access point, in order to control the SD-WAN network, thereby enabling the wireless user terminal and the wired user terminal to access the intranet or the public network of the campus