CN100423490C - Safety network apparatus for providing using interconnection network protocol with high security and method thereof - Google Patents

Info

Publication number
CN100423490C
CN100423490C
Authority
CN
China
Prior art keywords
vpn
virtual private
network
private network
port
Prior art date
Legal status
Expired - Fee Related
Application number
CNB2005100028968A
Other languages
Chinese (zh)
Other versions
CN1812333A (en)
Inventor
叶曜至
郑元育
郑心皓
陈嘉元
Current Assignee
HEQIN SCIENCE AND TECHNOLOGY Co Ltd
Original Assignee
HEQIN SCIENCE AND TECHNOLOGY Co Ltd
Priority date
2005-01-28
Filing date
2005-01-28
Publication date
2008-10-01
Application filed by HEQIN SCIENCE AND TECHNOLOGY Co Ltd
Priority to CNB2005100028968A
Publication of CN1812333A
Application granted
Publication of CN100423490C
Current legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a network device, and a method for it, that provide high-security use of IPSec (Internet Protocol Security). The device comprises a virtual local area network (VLAN), a hardware address filter (MAC filter), a network domain address restrictor (IP Restriction) and a fixed dynamic host configuration protocol correspondence table (Static DHCP). Before a transmitted message is encrypted by IPSec, the device first physically isolates the virtual private network (VPN) communication from general network communication, and thereby raises the security of using IPSec. The invention can be applied to home and general virtual private networks.

Description

Network device and method for providing high-security use of Internet Protocol Security
Technical field
The present invention relates to a network device and method for providing high-security use of IPSec (Internet Protocol Security), and in particular to a network device and method that physically isolate virtual private network (VPN) communication from general network communication before a message is encrypted and transmitted by IPSec. It is applicable to home and general virtual private networks.
Background technology
With the progress of network technology and the spread of computers, the existing communication architecture faces great challenges. One of these is the replacement of traditional dial-up connections over a modem, or dedicated leased lines, by virtual private networks (VPNs). A user can transmit messages and data of many kinds (data, voice and images) between two computers over a shared or public network, just as over a traditional point-to-point private network.
A VPN not only offers convenient data transfer but also significantly reduces the hardware and connection costs of communication, so VPNs are quite attractive for commercial use. At present VPNs are used very widely, mainly in two forms: VPN services offered by service providers that users can manage themselves, and VPNs set up and managed by enterprises themselves.
It can be said that a VPN provides a very convenient channel of communication between a home worker or a branch office and the parent company. In a VPN as currently used, shown in Fig. 1, three computer devices are connected through a home network to gateway A (SG A), which is connected to the Internet, and between gateway A and gateway B (SG B) there is a channel with IPSec capability. A VPN host in the home network can therefore connect to the company's internal network through this IPSec channel.
Although the IPSec channel does secure messages and data while they travel between gateway A and gateway B, after a packet of messages or data is sent by the VPN host and before it is received by gateway A, the packet can very likely be captured by another computer in the same home network, because the internal network port and the VPN configuration port are arranged as shown in Fig. 2. That is, from the point of view of this home network, the VPN host and the company intranet are effectively wide open.
For example, Mr. C, who works at a high-tech company, is on holiday at home but must deal with an urgent work matter at once, and he has at home a notebook computer that has been configured as a VPN host and can connect to the company VPN. Mr. C therefore uses this computer to connect to the company network and download the file data he needs. At the same time, Mr. D in the same household is online through another personal computer on the same home network; if Mr. D makes use of that computer, he can naturally and easily capture Mr. C's important secrets.
For this reason, the inventors of this application, addressing the stretch of the path between the VPN host and gateway A that the IPSec path cannot protect, propose a network device and method that provide high-security use of IPSec: they physically isolate virtual private network (VPN) communication from general network communication, and thereby improve the security of using IPSec.
Summary of the invention
The main purpose of the present invention is to provide a network device and method for high-security use of IPSec, and in particular a mechanism that physically isolates virtual private network (VPN) communication from general network communication before a message is encrypted with IPSec.
To achieve the above object, the network device of the present invention comprises a virtual local area network (VLAN), a hardware address filter (MAC filter), a network domain address restrictor (IP Restriction) and a fixed DHCP correspondence table (Static DHCP). After a message packet is sent by the VPN host and before it is encrypted by IPSec, this mechanism physically isolates the VPN communication from the general network communication by means of the above network device, so as to improve the security of using IPSec.
The present invention is described below with reference to the drawings and specific embodiments, which do not limit the invention.
Description of drawings
Fig. 1 is a schematic diagram of a VPN as currently used;
Fig. 2 is a schematic diagram of the internal network port and VPN configuration port of an existing network gateway;
Fig. 3 is the VLAN configuration diagram of the present invention;
Fig. 4 is the network device configuration diagram of the present invention; and
Fig. 5 is the flow chart of the mechanism used by the network device of the present invention.
The reference numerals are as follows:
1 - network device
2 - computer device
3 - remote network
4 - IPSec channel
10 - VLAN port
11 - VPN port
12 - VPN host
13 - LAN port
20 - hardware address filter
30 - network domain address restrictor
40 - fixed DHCP correspondence table
Embodiment
Referring to Fig. 3, the VLAN configuration diagram of the present invention: the present invention uses a network device 1 to connect a plurality of computer devices 2, so that these computer devices 2 form a LAN, can connect to the Internet through the network device 1, or can connect with a remote network 3 to form an IPSec channel 4 of a virtual local area network (VLAN).
Referring to Fig. 4, the network device configuration diagram of the present invention: the network device 1 comprises a VLAN port 10, a hardware address filter 20, a network domain address restrictor 30 and a fixed DHCP correspondence table 40. The VLAN port 10 comprises a first segment and a second segment; the first segment is configured with at least one VPN port 11, and the second segment is configured with a plurality of LAN ports 13. The VPN port 11 can be connected to at least one VPN host 12, and the LAN ports 13 can be connected to the computer devices 2.
The hardware address filter (MAC filter) 20 is connected to the VPN port 11 of the first segment, to ensure that only the hardware address (MAC) of the VPN host 12 can be connected through the VPN port 11 to the IPSec channel 4 for communication with the remote network 3.
The network domain address restrictor (IP Restriction) 30 distinguishes, by the VLAN tracking tag of a message packet, whether the packet was sent by the VPN host 12, and thereby decides whether to accept the packet and send it to the IPSec channel. This prevents a malicious party from forging the header of a message packet to impersonate the VPN host 12.
In the present invention, DHCP (Dynamic Host Configuration Protocol) is the method used to assign a network address to the network device when a VPN host connects to a gateway. Once the network device has obtained a network address, each time a VPN host connects to the gateway, the VPN host uses the same network address.
Therefore, the network device 1 of the present invention can also serve as the gateway of the VPN, and develops a fixed DHCP correspondence table (Static DHCP) 40 mechanism. The fixed DHCP correspondence table 40 is drawn up from the correspondence between the hardware address filter 20 and the network domain address restrictor 30: when the network device 1 receives a request message carrying the hardware address of the VPN host 12, the network device 1 assigns a network address for the IPSec channel 4. This ensures that the VPN host 12 always uses a particular network address (IP address) to connect to the IPSec channel 4.
Referring to Fig. 5, the flow chart of the mechanism by which the network device of the present invention provides high-security use of IPSec. First, the VPN host 12 must be connected to the VPN port 11; the VPN host 12 then sends a message packet through the VPN port 11 to the network device 1 (Step 100).
Next, the hardware address filter 20 filters on the hardware address of the VPN host 12 to confirm the identity of the VPN host 12, and passes the message packet to the network domain address restrictor 30 (Step 110).
After the network domain address restrictor 30 receives the packet, it examines the VLAN tracking tag in the packet, distinguishes whether the packet was really sent by the VPN host 12, and thereby decides whether to accept the packet (Step 120).
Once the packet has been confirmed correct, it is passed to the fixed DHCP correspondence table 40 for judgement. The fixed DHCP correspondence table 40 recognizes, from the network address in the packet, that the packet was really sent by the VPN host 12 (Step 130). Thus the packet sent by the VPN host 12 can be safely sent to the IPSec channel (Step 140), completing the high-security transmission before the IPSec channel.
Applied to the earlier case: Mr. C of a high-tech company, in order to deal with an urgent work matter, connects to the company VPN through the notebook computer at home that has been configured as VPN host 12. Because the VLAN port 10 in the home is divided into a first and a second segment, the VPN port 11 of the first segment is dedicated to this notebook computer's connection to the company VPN, while the LAN ports 13 of the second segment conveniently serve the other computers in the home that need Internet access.
Mr. C uses this notebook computer to send a message packet through the VPN port 11 to connect to the company VPN. At this point the hardware address filter 20 confirms that the identity of the notebook computer is correct, and the packet is passed to the network domain address restrictor 30. The network domain address restrictor 30, by the VLAN tracking tag of the packet, distinguishes that the packet was sent by Mr. C's notebook computer, and therefore decides to accept it.
After the packet has been confirmed correct, it is judged by the fixed DHCP correspondence table 40: according to the network domain address carried in the packet, the fixed DHCP correspondence table 40 recognizes that the packet was really sent by this notebook computer, so the packet sent by the notebook computer can be safely sent to the IPSec channel, completing the high-security transmission before the IPSec channel and genuinely reducing the possibility that a malicious person uses another computer on the network in Mr. C's home to capture the message data.
In summary, the present invention, by the technology disclosed above, provides a design quite different from the prior art and may improve the overall use value.
Of course, the present invention may also have various other embodiments. Without departing from the spirit and essence of the present invention, those of ordinary skill in the art may make various corresponding changes and variations according to the present invention, but all such corresponding changes and variations shall fall within the scope of protection of the appended claims of the present invention.
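The admission pipeline of Fig. 5 (Steps 100 to 140), which claim 4 also recites, as an added Python model that is not part of the patent or of any product of the assignee: a frame arriving on the VPN port passes the MAC filter, the VLAN-tag check and the static DHCP lookup in that order, and only then is forwarded to the IPSec channel. The port names, MAC addresses, VLAN ids and IP addresses are constructed sample values, and the model assumes that the device stamps each frame with the VLAN id of its ingress port (802.1Q port-based VLAN operation) so that the tag is not under the sending host's control.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional


class Verdict(Enum):
    """Outcome of the pre-IPSec admission pipeline (constructed labels)."""
    NOT_VPN_PORT = "frame did not arrive on VPN port 11"
    DROP_MAC = "Step 110: source MAC not permitted by MAC filter"
    DROP_VLAN = "Step 120: VLAN tag is not the VPN segment"
    DROP_ADDRESS = "Step 130: source IP does not match static DHCP entry"
    FORWARD_TO_IPSEC = "Step 140: forwarded to IPSec channel"


@dataclass(frozen=True)
class Frame:
    ingress_port: str  # "vpn" = port 11 (first segment), "lan" = ports 13
    src_mac: str
    vlan_tag: int      # VLAN id stamped by the ingress port (assumption)
    src_ip: str


@dataclass(frozen=True)
class SecureGateway:
    """Model of network device 1: VLAN port 10, filter 20, restrictor 30, table 40."""
    vpn_vlan: int                  # VLAN id of the first segment
    allowed_macs: FrozenSet[str]   # hardware address filter 20
    static_dhcp: Dict[str, str]    # fixed DHCP table 40: MAC -> fixed IP

    def assign_address(self, mac: str) -> Optional[str]:
        """Static DHCP: a known VPN host always receives the same address;
        a request from an unknown MAC gets no lease at all."""
        return self.static_dhcp.get(mac.lower())

    def admit_to_ipsec(self, frame: Frame) -> Verdict:
        """Run Steps 110 to 140 of Fig. 5 on one frame."""
        if frame.ingress_port != "vpn":
            return Verdict.NOT_VPN_PORT
        mac = frame.src_mac.lower()
        if mac not in self.allowed_macs:               # Step 110: MAC filter 20
            return Verdict.DROP_MAC
        if frame.vlan_tag != self.vpn_vlan:            # Step 120: restrictor 30
            return Verdict.DROP_VLAN
        if self.static_dhcp.get(mac) != frame.src_ip:  # Step 130: table 40
            return Verdict.DROP_ADDRESS
        return Verdict.FORWARD_TO_IPSEC                # Step 140


# Constructed configuration: one notebook (VPN host 12) on the VPN segment.
VPN_HOST_MAC = "00:11:22:33:44:55"
GATEWAY = SecureGateway(
    vpn_vlan=10,
    allowed_macs=frozenset({VPN_HOST_MAC}),
    static_dhcp={VPN_HOST_MAC: "192.168.10.2"},
)

# Constructed sample frames: the legitimate case and each failure mode.
SAMPLES = {
    "vpn_host": Frame("vpn", VPN_HOST_MAC, 10, "192.168.10.2"),
    "lan_pc_spoofed_mac": Frame("lan", VPN_HOST_MAC, 20, "192.168.10.2"),
    "unknown_mac_on_vpn_port": Frame("vpn", "aa:bb:cc:dd:ee:ff", 10, "192.168.10.2"),
    "wrong_vlan_tag": Frame("vpn", VPN_HOST_MAC, 20, "192.168.10.2"),
    "forged_source_ip": Frame("vpn", VPN_HOST_MAC, 10, "192.168.10.99"),
}


def run_samples() -> Dict[str, Verdict]:
    """Apply the pipeline to every sample frame and return the verdicts."""
    return {name: GATEWAY.admit_to_ipsec(frame) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:26s} -> {verdict.value}")
```

Each stage rejects independently, so a frame that copies the VPN host's MAC address from a LAN port still fails on the port and VLAN checks, and a frame on the right port with the right MAC but a different source IP fails on the static DHCP table; only a frame that satisfies all three reaches the IPSec channel.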

Claims (4)

1. A network device for providing high-security use of Internet Protocol Security, characterized in that the network device comprises:
a virtual local area network, comprising a first segment and a second segment, the first segment being configured with at least one virtual private network port and the second segment being configured with a plurality of LAN ports;
a hardware address filter, connected only to the virtual private network port of the first segment, so that only the virtual private network port can connect to an Internet Protocol Security channel for communication with a remote network;
a network domain address restrictor, which uses a virtual local area network tracking tag to distinguish whether a message packet sent from the virtual private network port is genuine; and
a fixed DHCP correspondence table, drawn up from the correspondence between the hardware address filter and the network domain address restrictor, which ensures that the virtual private network port connects to the Internet Protocol Security channel using a specific network domain address.
2. The network device for providing high-security use of Internet Protocol Security according to claim 1, characterized in that the virtual private network port can be connected to at least one virtual private network host.
3. The network device for providing high-security use of Internet Protocol Security according to claim 1, characterized in that the LAN ports can connect at least one computer device.
4. A method for a network device providing high-security use of Internet Protocol Security, characterized in that it comprises the steps of:
a virtual private network host sends a message packet to the virtual private network port of a network device;
a hardware address filter filters the hardware address of the virtual private network host only at the virtual private network port, to confirm that its identity is correct, and passes the message packet to a network domain address restrictor;
the network domain address restrictor, by the virtual local area network tracking tag of the message packet, distinguishes whether the message packet was really sent by the virtual private network host, and thereby decides whether to accept the message packet; and
after the above steps have confirmed it is correct, the message packet is sent to an Internet Protocol Security channel.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100028968A CN100423490C (en) 2005-01-28 2005-01-28 Safety network apparatus for providing using interconnection network protocol with high security and method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005100028968A CN100423490C (en) 2005-01-28 2005-01-28 Safety network apparatus for providing using interconnection network protocol with high security and method thereof

Publications (2)

Publication Number Publication Date
CN1812333A CN1812333A (en) 2006-08-02
CN100423490C true CN100423490C (en) 2008-10-01

Family

ID=36845039

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100028968A Expired - Fee Related CN100423490C (en) 2005-01-28 2005-01-28 Safety network apparatus for providing using interconnection network protocol with high security and method thereof

Country Status (1)

Country Link
CN (1) CN100423490C (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1404267A (en) * 2002-10-01 2003-03-19 华中科技大学 Safe network transmission method and system
US20030093563A1 (en) * 2001-10-10 2003-05-15 Young Bruce Fitzgerald Method and system for implementing and managing a multimedia access network device
US20030163579A1 (en) * 2002-02-28 2003-08-28 Knauerhase Robert C. Dynamically configurable beacon intervals for wireless LAN access points
US20040250117A1 (en) * 2003-04-29 2004-12-09 Congdon Paul T. Method and apparatus for access security services

Also Published As

Publication number Publication date
CN1812333A (en) 2006-08-02

Similar Documents

Publication Publication Date Title
CA2600760C (en) Security for mobile devices in a wireless network
US7633909B1 (en) Method and system for providing multiple connections from a common wireless access point
US6934754B2 (en) Methods and apparatus for processing network data transmissions
CN1781099B (en) Automatic configuration of client terminal in public hot spot
US7325058B1 (en) Method and system for controlling subscriber access in a network capable of establishing connections with a plurality of domain sites
US20070127500A1 (en) System, device, method and software for providing a visitor access to a public network
CN101217435B (en) L2TP over IPSEC remote access method and device
US7451479B2 (en) Network apparatus with secure IPSec mechanism and method for operating the same
JP2007180998A (en) Wireless network controller, and wireless network control system
CN102480729A (en) Method for preventing faked users and access point in radio access network
CN106302371A (en) A kind of firewall control method based on subscriber service system and system
US20040168049A1 (en) Method for encrypting data of an access virtual private network (VPN)
CN103052064A (en) Method, equipment and system for accessing private services of operator
WO2012130041A1 (en) Method and system for network resource sharing
Tongkaw et al. Multi-VLAN design over IPSec VPN for campus network
CN1319336C (en) Method for building special analog network
EP1694024A1 (en) Network apparatus and method for providing secure port-based VPN communications
CN117119463A (en) CPE security authentication method and system for 5G private network
CN100423490C (en) Safety network apparatus for providing using interconnection network protocol with high security and method thereof
KR101114921B1 (en) Processing apparatus and method for providing virtual private network service on mobile communication
CN101197835A (en) Virtual special network access method, system and device
EP2879348A1 (en) Safe internet access system
CN107800569B (en) VPN quick access system and method based on ONT
Mahbub Study of Voice over Internet Protocol (VoIP) in an Enterprise Network Through Simulation
JP6664232B2 (en) Wireless LAN access system, router device, and access control method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee (granted publication date: 20081001; termination date: 20190128)