Summary of the invention
The technical problem to be solved by the present invention is to guarantee that a network terminal accesses the public network securely while remaining convenient for the user to operate.
To solve the above technical problem, the invention provides a method for realizing secure access of a network terminal to a public network, characterized in that it comprises the following steps:
Step 1: the network terminal (NT: Net Terminal) user installs a network access controller (NTAC: NT Access Controller); the network access controller is connected in series on the link between the network terminal and the public network, and a network access control server (Server) is connected to the public network;
Step 2: if the network terminal user needs to configure the firewall policy repository of the network access controller, proceed to Step 3; otherwise proceed to Step 10;
Step 3: the network terminal user logs in to the network access control server, establishing a link among the network terminal, the network access controller and the network access control server;
Step 4: the network access control server verifies the network terminal user and the network access controller;
Step 5: the network terminal user submits configuration request information to the network access control server;
Step 6: the network access control server generates a corresponding configuration command packet according to the configuration request information;
Step 7: the network access control server sends this configuration command packet to the network terminal, and the network access controller connected in series on the data link described in Step 1 intercepts the packet;
Step 8: the network access controller parses the corresponding configuration command out of the intercepted configuration command packet and executes it, completing the update of the firewall policy configuration;
Step 9: the network terminal receives this configuration command packet, confirms its integrity, and returns the confirmation result to the network access control server;
Step 10: the network terminal user accesses the public network under the security protection of the firewall policy configured in the network access controller.
To solve the above technical problem, the present invention also provides a system for realizing secure access of a network terminal to a public network, comprising an NT, an NTAC and a Server. The Server is connected to the public network and configures the firewall policy repository of the NTAC according to the configuration request information submitted by the NT user. The system is characterized in that the NTAC is connected in series on the data link between the NT and the public network, needs no IP address allocated to it, and is a transparent device in the overall network topology; it internally holds a firewall policy used to inspect and control the packets passing through it, and is initialized to the "firewall policy stopped" state. When the firewall policy is stopped, packets flowing to the NT are transparently forwarded; when the firewall policy is started, only packets that meet the access rules of the firewall policy are transparently forwarded, and packets that do not meet the access rules are blocked.
The present invention also provides a network access controller for realizing secure access of a network terminal to a public network, comprising a network processing unit, a firewall policy repository, a firewall policy configuration unit, a packet inspection unit and network interfaces, one network interface connecting to the public network and the other to the network terminal. The packet inspection unit intercepts and inspects the packets passing through; the network processing unit filters packets according to the access rules and transparently forwards them; and under the control of the network processing unit and the firewall policy configuration unit, the received firewall policy information is stored in the firewall policy repository according to the firewall policy configuration. The controller cannot be assigned an IP address, and no IP address needs to be allocated to it for it to be placed on the network.
In the present invention, the NTAC has a unique device ID. The NTAC is connected in series on the link between the NT and the public network and inspects and controls all packets passing through it; it cannot be assigned an IP address, needs none allocated, and is a transparent device in the overall network topology. The NTAC internally holds a firewall policy used to inspect and control packets; the characteristic of this firewall policy is that by default it blocks all packets flowing to the NT, and only packets detected as permitted by an access rule are transparently forwarded. The firewall policy can be stopped or started: when stopped, packets flowing to the NT are transparently forwarded; when started, only packets meeting the firewall policy access rules are transparently forwarded and packets not meeting them are blocked; the NTAC is initialized to the "NTAC firewall stopped" state. The firewall policy can be remotely configured and managed: the NTAC intercepts configuration commands from the remote network terminal access control server (Server), and these configuration commands comprise starting and stopping the NTAC firewall policy, and adding, modifying and deleting access rules in the firewall policy repository. In the present invention, the NTAC requires no software support at the user side; the user only needs to connect the device in series on the network line. Because the firewall policy is centrally managed and maintained through the Server, the network terminal user need not possess related professional knowledge and skills, so the device is convenient to use. The NTAC is transparent to the user and to other network devices, is not assigned an IP address, and is invisible in the whole network topology, so other hostile network users cannot attack or damage it, which guarantees the security of the network terminal.
Embodiment
In an embodiment of the present invention, a network terminal access controller (NTAC) is connected in series on the link between the network terminal (NT) and the Internet, and inspects and controls the packets passing through it. In the network topology the NTAC is a transparent device with respect to the NT and the Internet, and no IP address needs to be allocated to it.
The NTAC has the following features:
The NTAC cannot be assigned an IP address, is not allocated one, and is a transparent device in the overall network topology;
The NTAC has a unique device identification code (ID);
The NTAC can internally hold a firewall policy used to inspect and control IP packets;
The NTAC is initialized to the "NTAC firewall stopped" state.
The characteristic of the firewall policy is that by default it blocks all packets flowing to the NT; only packets detected as permitted by an access rule are transparently forwarded.
The NTAC intercepts configuration commands from the remote network terminal access control server (Server); these configuration commands comprise:
1. Start and stop commands: starting the NTAC firewall policy puts the NTAC into its operating state, in which it inspects and controls packets flowing to the NT and filters them according to the access rules described by the firewall policy; packets meeting an access rule are transparently forwarded, and packets meeting no access rule are blocked and discarded. Stopping the NTAC firewall policy causes packets flowing to the NT to be transparently forwarded only.
2. Update commands: adding, modifying and deleting firewall policy entries, that is, configuring and updating the firewall policy repository.
The Server has the following features:
The Server comprises a database management module whose functions include: managing and maintaining a user database that provides users with registration, login and authentication; managing and maintaining an NTAC device ID database; and managing and maintaining a list of trusted network access providers, in which other network services on the network are reviewed in advance and granted a corresponding credit grade for the user to select from. The credit grade referred to here may be a relevant industry standard or a standard defined by the system in which the Server is deployed.
The flow by which the user configures the NTAC through the Server is shown in Figure 3:
1. Log in to the Server: log in through an HTTP page;
2. Establish a secure connection (such as HTTPS) between the NT and the Server;
3. Verify the user: submit the username and password over this secure connection;
4. Verify the NTAC device: submit the NTAC device ID over this secure connection;
The ID of the NTAC is a factory-defined ID number supplied to the user in the form of the product description. When the user logs in to the Server to configure the NTAC, this ID must be provided; it is bound together with the username and password and checked and verified by the Server.
Steps 1 to 4 may collectively be called the verification flow for a legitimate user and device. In this series of steps, the verification information the user must submit comprises three elements: the username, the password and the ID number of the NTAC to be configured. By carrying out these steps, a link is established between the NT and the Server. This link is also used to transmit the configuration command packets the Server sends to the NT, and the NTAC, being connected in series on this link, automatically intercepts such configuration command packets.
5. The user submits "configuration request information", that is, the user's individual requirements: a description of the firewall behaviour the NTAC is required to provide;
The Server provides the user with a credit-graded list of selectable network services, giving the relevant information and credit grade of other network service providers, which the user can consult and use as reference when submitting individual requirements.
6. The Server converts the user's individual requirements into a configuration strategy for the NTAC and forms a corresponding configuration command packet.
The Server provides the function of managing and maintaining the NTACs connected to the system. It obtains each firewall customization request from the user by web page, short message or manual telephone service, converts the user's individual requirements into the NTAC's configuration strategy, and forms the corresponding configuration command packet. Users of the NTAC can also configure and manage it conveniently through the security management environment the Server provides. This conversion may be completed automatically by the Server, as for requests submitted through HTTP access, or may be produced by a customer service representative, as for requests submitted by hotline, short message or other instant messaging tools.
7. The Server sends this configuration command packet to the NT.
Regarding the security of the NTAC: because the device is transparent in the network, it cannot be attacked by a malicious visitor. At the same time, when configuration is needed, the application is initiated first by the NT that the NTAC protects, establishing a secure connection between the NT and the Server; since the NTAC is connected in series on the link between the Server and the NT, it can intercept the configuration command packets from the Server.
The configuration command packet has a system-defined data format and can be recognized automatically by the NTAC, for example by placing a system-defined specific data feature in some field of the packet, or a combination of such specific data features.
The combination of specific data features must include data related to the device ID of the NTAC that is the object of configuration; that is, only when the device ID carried in a configuration command packet detected by the NTAC is consistent with the NTAC's own device ID is the packet considered a possibly valid configuration packet. This is done for security, and effectively prevents "forged configuration request information".
A complete configuration command is transmitted in several configuration command packets, and the NTAC executes a configuration command only once it has received it in full. Carrying out one complete configuration command therefore requires the NT to send request information to the Server step by step, several times, with the Server sending the corresponding configuration command packet according to each request from the NT; this effectively prevents "forged configuration command packets".
8. The NTAC inspects packets flowing to the NT on the link in real time. It first checks whether the packet meets an access rule defined by the firewall policy: packets that do not are blocked and discarded, and packets that do are transparently forwarded. Access rules include but are not limited to: IP address checks; protocol type checks; service port checks; access time settings for an IP source address; and aggregate traffic settings for an IP source address within a given period. It then checks whether a packet that meets the access rules contains the system-defined specific data feature; packets containing the specific data feature are identified as configuration command packets, and the relevant configuration information is extracted from them and cached. The NTAC parses the configuration command out of the several configuration command packets that make up one complete configuration command, executes it, and completes the update of the firewall policy configuration;
9. While the configuration command packet is being parsed by the NTAC it is also transparently forwarded to the NT, so when the NT receives a configuration command packet the system assumes by default that the NTAC has parsed it successfully. When the NT has received all the configuration command packets that make up one complete configuration command, this indicates that the NTAC has executed the command successfully, and the NT then sends the Server a confirmation that the configuration command has been executed.
10. The Server acknowledges the confirmation sent by the NT, and the flow ends.
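The configuration exchange described in Steps 1 to 10 of the method and in items 1 to 10 of this flow, modelled as a small Python simulation. This is an added example, not code from the patent: the packet fields (`marker`, `device_id`, `cmd_id`, `seq`, `total`, `chunk`, `digest`), the SHA-256 integrity value, the chunk size and the class names `Server`, `NTAC` and `NT` are all assumptions chosen to illustrate the flow, since the patent defines neither the packet format nor the integrity check. What it shows is the three security properties the text relies on: the user name, password and device ID are verified as one binding; the NTAC acts only on packets that carry its own device ID and only once a complete multi-packet command has been cached; and the NT confirms integrity back to the Server.

```python
import hashlib
import json

CONFIG_MARKER = "NTAC-CFG-V1"   # assumed system-defined feature the NTAC recognises (patent gives no value)
CHUNK_SIZE = 24                 # characters of command text per packet; small, to force multi-packet commands


def digest(fields):
    """Integrity value over the packet fields (constructed check, not the patent's format)."""
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class Server:  # network access control server: verifies user and device, paces out command packets
    def __init__(self, users):
        self.users = users      # {username: (password, bound NTAC device ID)}, constructed data
        self.sessions = {}      # device_id -> {"packets": [...], "next": n}

    def login(self, username, password, device_id):
        """Flow items 1-4: user name, password and NTAC ID are checked as one binding."""
        if self.users.get(username) != (password, device_id):
            return False
        self.sessions[device_id] = {"packets": [], "next": 0}
        return True

    def submit_request(self, device_id, request):
        """Flow items 5-6: turn the request into one command spread over several packets."""
        text = json.dumps(request, sort_keys=True)
        cmd_id, total, packets = hashlib.sha256(text.encode()).hexdigest()[:8], -(-len(text) // CHUNK_SIZE), []
        for seq in range(total):
            body = {"marker": CONFIG_MARKER, "device_id": device_id, "cmd_id": cmd_id, "seq": seq,
                    "total": total, "chunk": text[seq * CHUNK_SIZE:(seq + 1) * CHUNK_SIZE]}
            body["digest"] = digest(body)   # computed before the key is added
            packets.append(body)
        self.sessions[device_id].update(packets=packets, next=0)
        return total

    def next_packet(self, device_id):
        """Flow item 7: one packet per NT request, so a whole command needs several round trips."""
        session = self.sessions[device_id]
        if session["next"] == len(session["packets"]):
            return None
        session["next"] += 1
        return session["packets"][session["next"] - 1]

    def confirm(self, device_id, cmd_id):
        """Flow item 10: the NT's confirmation must name the command this session issued."""
        return any(p["cmd_id"] == cmd_id for p in self.sessions[device_id]["packets"])


class NTAC:  # in-line, IP-less controller: acts only on packets carrying its own device ID
    def __init__(self, device_id):
        self.device_id = device_id
        self.policy_enabled = False   # initial state: firewall policy stopped
        self.rules = []               # firewall policy repository
        self.partial = {}             # cmd_id -> {seq: chunk}, cached fragments
        self.executed = []            # operations carried out, in order

    def on_packet(self, packet):
        """Flow item 8: recognise, cache, execute once complete, and transparently forward."""
        if packet.get("marker") == CONFIG_MARKER and packet.get("device_id") == self.device_id:
            frags = self.partial.setdefault(packet["cmd_id"], {})
            frags[packet["seq"]] = packet["chunk"]
            if len(frags) == packet["total"]:
                self._execute(json.loads("".join(frags[i] for i in range(packet["total"]))))
                del self.partial[packet["cmd_id"]]
        return packet                 # the packet still reaches the NT unchanged

    def _execute(self, command):
        op = command.get("op")
        if op in ("start", "stop"):
            self.policy_enabled = op == "start"
        elif op == "add_rule":
            self.rules.append(command["rule"])
        else:
            return                    # unrecognised operation: ignored
        self.executed.append(op)


class NT:  # the protected terminal: checks each packet's integrity, acknowledges the whole command
    def __init__(self):
        self.received = {}            # cmd_id -> set of fragment numbers seen intact

    def on_packet(self, packet):
        """Flow item 9: verify the integrity value; return cmd_id once every fragment is in."""
        if digest({k: v for k, v in packet.items() if k != "digest"}) != packet.get("digest"):
            return None
        seen = self.received.setdefault(packet["cmd_id"], set())
        seen.add(packet["seq"])
        return packet["cmd_id"] if len(seen) == packet["total"] else None


def configure(server, ntac, nt, username, password, device_id, request):
    """Run the flow end to end; returns (confirmed by Server, operations the NTAC executed)."""
    if not server.login(username, password, device_id):
        return False, []
    server.submit_request(device_id, request)
    # the in-line NTAC sees every packet before the NT does
    acks = [nt.on_packet(ntac.on_packet(p)) for p in iter(lambda: server.next_packet(device_id), None)]
    done = next((a for a in acks if a is not None), None)
    return done is not None and server.confirm(device_id, done), list(ntac.executed)
```

Running `configure(Server({"alice": ("pw", "88888888")}), NTAC("88888888"), NT(), "alice", "pw", "88888888", {"op": "add_rule", "rule": {"src": "11.11.11.11"}})` returns `(True, ["add_rule"])`. Presenting the wrong device ID at login fails before any packet is generated, and an NTAC whose ID does not match the one bound to the user forwards the packets untouched without executing them, which is the device-ID check the text describes.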
As shown in Figure 1, the system for realizing secure access of a network terminal to a public network comprises an NT, which may be a single network terminal or a local network made up of several network terminals, and further comprises an NTAC and a Server. The NTAC is connected in series on the data link between the NT and the public network and internally holds a firewall policy used to inspect and control packets; when the firewall policy is stopped, packets flowing to the NT are transparently forwarded, and when it is started, only packets meeting the firewall policy access rules are transparently forwarded while packets not meeting them are blocked. The Server is connected to the public network and configures the firewall policy repository of the NTAC according to the configuration request information submitted by the NT user.
As shown in Figure 2, the NTAC comprises a network processing unit, a firewall policy repository, a firewall policy configuration unit, a packet inspection unit and network interfaces, one network interface connecting to the public network and the other to the network terminal. The packet inspection unit inspects the packets passing through the NTAC; the network processing unit filters packets according to the access rules and transparently forwards them; and under the control of the network processing unit and the firewall policy configuration unit, the received firewall policy information is stored in the firewall policy repository according to the firewall policy configuration. The NTAC cannot be assigned an IP address, and no IP address needs to be allocated to it for it to be placed on the network.
A specific embodiment is given below.
A certain network user, in order to carry out stock trading, has prepared an NT (a PC) dedicated to stock trading; this NT is used only for the network access services needed for stock trading, and the user requires that the NT access the network securely without being attacked by other network users. The user has no background knowledge of network security and also requires that the security of the NT be guaranteed without any software support at the NT end.
The system provided by the present invention can satisfy this user's application requirements:
An NTAC is designed and installed in series on the data link of the user's network access, at the point closest to the user's network terminal. This NTAC has IP packet inspection and control functions. The device maintains an "IP source address list"; only when the "IP source address" of an inspected packet belongs to the "IP source address list" is the packet transparently forwarded, otherwise it is blocked and discarded.
A Server is set up and connected to the Internet, providing registration for this user and issuing the user a username and login password. The Server also maintains a list of NTAC IDs and an "IP address list" of network access providers that have been granted a credit grade.
1. The user accesses the Internet through the NT (PC), with the NTAC connected in series on the network data link on the side closest to the NT. The NTAC is a transparent device with respect to the NT and the Internet.
At this point, the firewall policy repository list of the NTAC is empty and the firewall policy is not yet activated, so the NTAC transparently forwards all IP packets on the data link. The user can access every network device on the Internet, and can likewise be accessed by every other device on the network.
2. The user logs in to the Server (specifically the Server set up in this system) and submits the device ID number of the NTAC in use (for example "88888888") together with the registered username and password. The Server configures its own IP address into the NTAC's "IP source address list" and enables the NTAC's firewall policy.
At this point, the "IP source address list" in the NTAC's firewall policy repository contains the Server's IP address. The NTAC transparently forwards all IP packets from the Server and blocks and discards IP packets sent from every other IP address. The NT can now access the Internet securely, but can only reach the Server.
3. The user continues the session with the Server and, by querying the list of trusted network service sites maintained and managed by the Server, selects a site that can satisfy the network services associated with stock trading (for example, one whose IP address is 11.11.11.11). The user submits a configuration application requesting that IP source address "11.11.11.11" be added to the firewall policy repository of the NTAC with ID number "88888888".
4. The user begins to access the Internet under the security policy of the NTAC.
At this point, the NTAC allows the user to access the site with IP address "11.11.11.11" and obtain the stock trading network services it provides, while blocking IP packets sent from every other IP address. This achieves the goal of secure access to the Internet while satisfying the user's particular network access service requirements.
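The NTAC's inspection and forwarding behaviour, as an added Python example that is not part of the patent. It implements the default-deny policy with the start/stop and rule add/delete commands listed among the NTAC's features, the access-rule kinds named in item 8 of the configuration flow (IP source address, protocol type, service port, access time window and aggregate traffic per period), and then replays the three stages of the stock-trading embodiment above (empty policy, Server only, Server plus 11.11.11.11), so it goes beyond the single source-address list of the embodiment. The `Packet` and `Rule` field names, the window semantics, the Server address 203.0.113.10, the NT address 192.0.2.50 and the outsider address 198.51.100.7 are constructed for the example; the patent itself gives only the site address 11.11.11.11 and the device ID.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:                 # minimal view of an IP packet as the NTAC sees it (constructed field set)
    src: str                  # IP source address
    dst: str                  # IP destination address (the NT)
    proto: str                # protocol type, e.g. "tcp", "udp", "icmp"
    dport: int                # service port
    size: int                 # bytes on the wire
    t: int                    # arrival time in seconds since midnight


@dataclass
class Rule:                   # one access rule; a packet must satisfy every field that is set
    src: Optional[str] = None                 # IP address check
    proto: Optional[str] = None               # protocol type check
    dport: Optional[int] = None               # service port check
    hours: Optional[Tuple[int, int]] = None   # access time window [start, end) for the source
    byte_budget: Optional[int] = None         # aggregate bytes allowed from the source per window
    window: int = 60                          # window length in seconds

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and pkt.src != self.src:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.hours is not None and not (self.hours[0] <= pkt.t < self.hours[1]):
            return False
        return True


class NTAC:                   # in-line inspector: pass-through while stopped, default-deny while started
    def __init__(self):
        self.policy_enabled = False   # initial state: firewall policy stopped
        self.rules = []               # firewall policy repository
        self._usage = {}              # rule index -> (window_start, bytes_seen)

    # the four configuration commands the Server can issue
    def start(self):
        self.policy_enabled = True

    def stop(self):
        self.policy_enabled = False

    def add_rule(self, rule: Rule):
        self.rules.append(rule)

    def delete_rule(self, rule: Rule):
        self.rules = [r for r in self.rules if r != rule]

    def forward(self, pkt: Packet) -> bool:
        """True if the packet is transparently forwarded to the NT, False if blocked and discarded."""
        if not self.policy_enabled:
            return True                       # stopped policy: everything passes untouched
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt) and self._within_budget(idx, rule, pkt):
                return True
        return False                          # default mask: nothing explicitly allowed gets through

    def _within_budget(self, idx: int, rule: Rule, pkt: Packet) -> bool:
        """Aggregate-traffic check for one rule inside its time window."""
        if rule.byte_budget is None:
            return True
        start, used = self._usage.get(idx, (pkt.t, 0))
        if pkt.t - start >= rule.window:      # window elapsed: start a fresh count
            start, used = pkt.t, 0
        if used + pkt.size > rule.byte_budget:
            self._usage[idx] = (start, used)  # over budget: packet dropped, count unchanged
            return False
        self._usage[idx] = (start, used + pkt.size)
        return True


SERVER_IP = "203.0.113.10"    # constructed: the patent does not give the Server's address


def stock_trading_scenario():
    """Replay the embodiment: empty policy, then Server only, then Server plus 11.11.11.11.
    Returns one (Server, stock site, stranger) forwarding tuple per stage."""
    ntac = NTAC()
    sources = (SERVER_IP, "11.11.11.11", "198.51.100.7")   # the last address is a constructed outsider

    def probe():
        return tuple(ntac.forward(Packet(src=s, dst="192.0.2.50", proto="tcp", dport=443, size=500, t=36000))
                     for s in sources)

    stage1 = probe()                          # step 1: policy stopped, everything is forwarded
    ntac.add_rule(Rule(src=SERVER_IP))
    ntac.start()                              # step 2: Server configures itself in and enables the policy
    stage2 = probe()                          # only the Server reaches the NT
    ntac.add_rule(Rule(src="11.11.11.11"))    # step 3: configuration application granted
    stage3 = probe()                          # step 4: Server and the stock site reach the NT
    return stage1, stage2, stage3
```

`stock_trading_scenario()` returns `((True, True, True), (True, False, False), (True, True, False))`, matching the three states described for the embodiment. The per-rule byte budget is deliberately kept in the NTAC rather than in the `Rule`, so that deleting and re-adding a rule resets its counter, and an over-budget packet leaves the counter untouched so a burst cannot lock the source out for longer than one window.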
The present invention connects an NTAC in series between the NT and the public network; by inspecting and controlling the packets passing through it, the NTAC guarantees the security protection of the NT's network connection. By logging in to the Server, the NT user can complete user information registration, customize a personal firewall policy, and download it to and update it inside the NTAC. Each user's NTAC has an independent and unique device number in the Server, and user information registration mainly associates this device number with the customized personal firewall policy. Customization of the personal firewall policy can be managed and set at different levels according to the user's own technical skill. When the Server receives a user request to configure and update the firewall policy, it downloads the user's individually customized firewall policy to the corresponding NTAC; this correspondence is realized by defining a system-unique packet format and protocol, for example by using some field of the packet to define a special command format the NTAC can recognize.
The Server in the present invention provides the function of managing and maintaining the NTACs connected to the system. It obtains each firewall customization request from the user by web page, short message or manual telephone service, and then downloads to the corresponding NTAC a description in the corresponding form the NTAC can recognize, produced either by Server-side professionals or generated automatically by the Server. Users of the NTAC can also configure and manage it conveniently through the Security Manager environment provided by the Server. The management and maintenance functions of the Server are operated through HTML web pages, which is highly suitable for non-professional users and is the most economical and efficient integrated security solution, particularly for individual households and small businesses.
In the technical scheme of the present invention, the NTAC at the user side requires no related background knowledge and no software support; the user only needs to connect the device in series on the network line. Because the firewall policy is centrally managed and maintained through the network terminal access control server, the network terminal user need not possess related professional knowledge and skills, so the device is convenient to use. The NTAC is transparent to the user and other network devices, needs no IP address allocated, and is invisible in the whole network topology, so other hostile network users cannot attack or damage it, which guarantees the security of the network terminal. The NTAC mainly performs inspection and control of the packets passing through it and can be realized on a lower-performance hardware system or even a system-on-chip, at relatively low cost.