CN101436934B - Method, system and equipment for controlling user networking - Google Patents

Publication number: CN101436934B
Authority: CN (China)
Prior art keywords: address, authentication, client, information, message
Legal status: Active
Application number: CN 200810167685
Other languages: Chinese (zh)
Other versions: CN101436934A
Inventor: 林雁敏
Current Assignee: Ruijie Networks Co Ltd
Original Assignee: Fujian Star Net Communication Co Ltd

Application filed by Fujian Star Net Communication Co Ltd
Priority to CN 200810167685
Publication of CN101436934A
Application granted
Publication of CN101436934B
Active legal status
Anticipated expiration

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
Abstract

An embodiment of the invention discloses a method for controlling user network access. The method comprises the following steps: an authentication request containing an address and authentication password information sent by a client is received; according to a stored matching relationship between addresses and authentication passwords, it is judged whether the address and the authentication password in the request match; and when they do not match, the client is forbidden from accessing the network. An embodiment of the invention also discloses a system for controlling user network access and the corresponding equipment. The method effectively improves the security of preventing an unauthorized user from accessing the network with a stolen address.

Description

Method, system and equipment for controlling user network access
Technical field
The present invention relates to the field of network security, and in particular to a method, system and equipment for controlling user network access.
Background technology
IP address theft refers to an unauthorized user configuring a computer with an IP address that has not been assigned to that user in order to access the network.
IP address theft causes IP conflicts. After a user configures an IP address on computer 1, computer 1 sends an Address Resolution Protocol (ARP) request message containing that IP address to probe whether another computer (computer 2) on the local area network (LAN) is already using it to access the network. If such a computer 2 exists, it receives the ARP request, finds that the IP address in the request is the same as its own, reports an IP conflict, and returns an ARP response message containing that IP address to computer 1. Computer 1 receives the ARP response, finds that the IP address in the response is the same as its own, reports an IP conflict, and at the same time its operating system disables the Transmission Control Protocol/Internet Protocol (TCP/IP) stack, so computer 1 can no longer use that IP address to access the network.
If the user of computer 1 is a legitimate user and the user of computer 2 is an unauthorized user, then because the user of computer 2 has stolen the IP address of computer 1's user, the legitimate user cannot access the network normally.
IP address theft not only disrupts normal network access by legitimate users; because a stolen IP address often carries higher privileges, the theft can also cause the legitimate user large economic losses and safety hazards.
The prior art has mainly the following three methods of preventing IP address theft:
First, the switch control method. The single-address operating mode of switch ports is used, so that each port of the switch permits only one host to access the network through it and denies access to every other host. This scheme requires that all user access on the network be provided by switches, which is not a generally adoptable solution while switches remain relatively expensive.
Second, the router isolation method. This method relies on the MAC address (the Ethernet card address) being globally unique and unchangeable. It periodically scans the ARP table of each router over the SNMP protocol, obtains each entry of the current ARP table (each entry being a mapping between an IP address and a MAC address), and compares the IP-to-MAC mapping in each entry with the predefined mappings between legal IP addresses and MAC addresses. If they are inconsistent, the host using the IP address in that entry is determined to be an unauthorized host, and one of the following three measures can be taken:
A. Overwrite the illegal ARP entry with the correct IP-to-MAC mapping, for example by manually replacing the illegal entry in the router with the correct IP address and MAC address mapping.
B. Send ICMP unreachable spoofing packets to the unauthorized host to disrupt its data transmission.
C. Modify the router's access control list to block unauthorized access, for example by forbidding the router from forwarding messages that contain the illegal IP address and MAC address.
Another implementation of router isolation uses a static ARP table, that is, the IP-to-MAC mappings are configured statically in the router. When the IP address and MAC address of an unauthorized host do not match the mappings in the static ARP table, packets that the router forwards according to the correct static ARP table cannot reach the unauthorized host.
The router isolation method solves the IP address theft problem fairly well, but if the unauthorized user undermines its theoretical foundation by stealing both the IP address and the MAC address of a legitimate user at the same time, the router isolation method is powerless against that situation.
Third, the combination of a firewall and a proxy server. The firewall isolates the internal network from the external network, and users access the external network through the proxy server, which requires authentication; only after authentication passes can the external network be accessed. Therefore, even if an unauthorized user has stolen the IP address of a legitimate user, since the unauthorized user does not know the legitimate username and password, it cannot pass the proxy server's authentication and naturally cannot access the external network. This method cannot, however, prevent IP address theft within the internal network.
In summary, the security of the prior-art methods for preventing an unauthorized user from accessing the network with a stolen, unauthorized address is low, and the normal network access of legitimate users can therefore be affected.
Summary of the invention
Embodiments of the invention provide a method, system and equipment for controlling user network access, which improve the security of preventing an unauthorized user from accessing the network with a stolen, unauthorized address.
An embodiment of the invention provides a method for controlling user network access, the method comprising:
receiving an authentication request, sent by a client, that contains address and authentication password information;
according to a stored matching relationship between addresses and authentication passwords, judging whether the address and the authentication password in the authentication request match, and when they do not match, forbidding the client from accessing the network.
An embodiment of the invention provides a system for controlling user network access, the system comprising an access device and an authentication management device;
the access device comprises:
an authentication processing unit, for receiving an authentication request containing address and authentication password information sent by a client and sending the authentication request to the authentication management device;
a filter unit, for forbidding the forwarding of received messages containing that address when the authentication management device does not pass the authentication request;
the authentication management device comprises:
a storage unit, for storing in advance the matching relationship between legal addresses and authentication passwords;
an authentication unit, for receiving the authentication request containing address and authentication password information, judging according to the matching relationship between legal addresses and authentication passwords stored in advance in the storage unit whether the address and the authentication password in the request match, passing the authentication if they match and failing it otherwise.
In the present invention, when an authentication request containing address and authentication password information is received from a client, it is judged according to a preconfigured matching relationship between addresses and authentication passwords whether the address and password in the request match, and when they do not match the client is forbidden from accessing the network. Because an authentication password is difficult to steal and can be changed at any time, the invention effectively improves the security of preventing an unauthorized user from accessing the network with a stolen address.
Description of drawings
Fig. 1 is a schematic structural diagram of the system provided by an embodiment of the invention;
Fig. 2 is a schematic structural diagram of the client provided by an embodiment of the invention;
Fig. 3 is a schematic structural diagram of the access device provided by an embodiment of the invention;
Fig. 4 is a schematic structural diagram of the authentication management device provided by an embodiment of the invention;
Fig. 5 is a schematic structural diagram of the gateway device provided by an embodiment of the invention;
Fig. 6 is a schematic flow chart of the method provided by an embodiment of the invention;
Fig. 7A is a schematic diagram of the system architecture in embodiment one of the invention;
Fig. 7B is a schematic diagram of the system architecture in embodiment two of the invention;
Fig. 7C is a schematic diagram of the system architecture in embodiment three of the invention.
Embodiment
To prevent an unauthorized user from accessing the network with a stolen, unauthorized address, an embodiment of the invention provides a system for controlling user network access. In this system, before going online the user must send an authentication request through the client to the network side, and the network side judges, according to a stored matching relationship between legal addresses and authentication passwords, whether the address and the authentication password in the request match. If they match, the client is allowed to access the network; otherwise the client is forbidden from accessing the network.
Referring to Fig. 1, the system for controlling user network access provided by the embodiment specifically comprises:
Client 10, on which a client authentication module is installed, for sending an authentication request containing address information and authentication password information. The address information is the address information configured on the client by the user and comprises an IP address and/or MAC address information.
Access device 11, for receiving the authentication request sent by the client and sending it to the authentication management device; when the authentication management device passes the authentication request, allowing the client to access the network; when the authentication management device does not pass the authentication request, forbidding the client from accessing the network.
The access device may specifically be a switch, a router, etc. The access device can determine whether authentication passed from an authentication result notification received from the authentication management device. Alternatively, the access device judges whether an authentication-passed notification is received within a set time: if it is, the access device determines that the authentication management device passed the request; if not, it determines that the request did not pass. Or, the access device judges whether an authentication-failed notification is received within a set time: if it is, the access device determines that the request did not pass; if not, it determines that the request passed.
The access device allows or forbids the client's network access specifically by configuring an access control list (ACL). If the client is allowed to access the network, the address information in the authentication request is added to the permit forwarding entries of the ACL; if the client is forbidden, the address information is added to the deny forwarding entries of the ACL. Then, when the access device receives a message to be forwarded from the network side (for example from the gateway device), it judges whether the destination address of the message belongs to the permit entries or the deny entries of the ACL: if it belongs to the permit entries, the message is forwarded to the client; if it belongs to the deny entries, the message is filtered and not forwarded to the client. When the access device receives a message to be forwarded from a client, it judges whether the source address of the message belongs to the permit entries or the deny entries: if it belongs to the permit entries, the message is forwarded to the network side (for example to the gateway device); if it belongs to the deny entries, the message is filtered and not forwarded to the network side.
Authentication management device 12, for receiving the authentication request sent by the access device and judging, according to the stored matching relationship between addresses and authentication passwords, whether the address and the authentication password in the request match; if they match, authentication passes, otherwise authentication fails. For example, if the IP address in the authentication request is 201.119.05.20, the MAC address is FAC11897564 and the authentication password is 123456, while in the matching relationship IP address 201.119.05.20 and MAC address FAC11897564 are matched with authentication password 654321, then the address and the authentication password in the request do not match and authentication fails.
The authentication management device may also send the authentication result to the access device, and the access device determines from that result whether the authentication management device passed the authentication request.
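The two decisions just described, the authentication manager's match of (address, password) against its stored relationship and the access device's permit/deny ACL programmed from the result, can be simulated together. The following is an added example written for this page, not code from the patent or from the assignee; it uses the page's own worked-example values (IP 201.119.05.20, MAC FAC11897564, stored password 654321, offered password 123456) and assumes the access device is operated in the explicit-result mode, in which it only permits an address after a positive result arrives. Field names such as `ip`, `mac` and `password` and the class and function names are the example's own.

```python
import hmac
from dataclasses import dataclass, field

# Constructed matching relationship held by the authentication management
# device: (IP address, MAC address) -> authentication password.  The single
# entry uses the page's worked-example values.  The password is kept in
# plaintext to mirror the page; a deployment would store a salted hash and
# compare against that instead.
MATCHING_RELATION = {
    ("201.119.05.20", "FAC11897564"): "654321",
}


def authenticate(request: dict) -> bool:
    """Authentication unit: pass only if the (ip, mac) pair is a legal address
    and the password in the request is the one bound to that pair."""
    expected = MATCHING_RELATION.get((request["ip"], request["mac"]))
    if expected is None:
        return False  # unknown address: not in the legal-address table
    # constant-time compare so a wrong password is not distinguishable from a
    # right one by response timing
    return hmac.compare_digest(expected.encode(), request["password"].encode())


@dataclass
class AccessDevice:
    """Filter unit of the access device: an ACL with permit and deny
    forwarding entries keyed by client address."""
    permit: set = field(default_factory=set)
    deny: set = field(default_factory=set)

    def apply_result(self, address: str, passed: bool) -> None:
        """Move the address into the permit or the deny entries per the result."""
        if passed:
            self.deny.discard(address)
            self.permit.add(address)
        else:
            self.permit.discard(address)
            self.deny.add(address)

    def _permitted(self, address: str) -> bool:
        # an address that never authenticated is in neither set and is dropped
        # as well, so the device is fail-closed
        return address in self.permit and address not in self.deny

    def forward_from_network(self, dst: str) -> bool:
        """Message arriving from the network side (e.g. the gateway): decide by
        its destination address."""
        return self._permitted(dst)

    def forward_from_client(self, src: str) -> bool:
        """Message arriving from a client: decide by its source address."""
        return self._permitted(src)


def handle_request(device: AccessDevice, request: dict) -> bool:
    """Authentication processing unit: relay the request to the authentication
    manager and program the ACL from the explicit result it returns."""
    passed = authenticate(request)
    device.apply_result(request["ip"], passed)
    return passed


if __name__ == "__main__":
    dev = AccessDevice()
    bad = {"ip": "201.119.05.20", "mac": "FAC11897564", "password": "123456"}
    print("wrong password ->", handle_request(dev, bad))               # False
    print("forward to client?", dev.forward_from_network(bad["ip"]))   # False
    good = dict(bad, password="654321")
    print("right password ->", handle_request(dev, good))              # True
    print("forward to client?", dev.forward_from_network(good["ip"]))  # True
```

The ACL is keyed by the IP address alone because that is the address the page's forwarding checks compare; keying by the (IP, MAC) pair is a one-line change. The fail-closed default matters for the timeout variants described above: the variant that treats "no failure notification within the set time" as a pass would let a client through whenever the authentication manager is unreachable, which this example deliberately does not do.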
Preferably, to avoid the IP conflict problem caused by an unauthorized user stealing a legitimate user's IP address to access the network, the client is further configured to: on receiving an ARP message, if the IP address in the ARP message is the same as the IP address configured on this client, filter the ARP message. The ARP message may be an ARP request message or an ARP response message. When it is an ARP request message, it indicates that another, unauthorized user wants to use the IP address configured on this client to access the network; because the request is filtered, no IP conflict is reported on this client. When it is an ARP response message, it indicates that another unauthorized user is already using the IP address configured on this client to access the network; because the response is filtered, no IP conflict is reported on this client, the client's operating system is not caused to disable the TCP/IP stack, and the client can continue to use its legitimate IP address to access the network.
Preferably, so that the administrator can learn about address theft, the client is further configured to report to the authentication management device an address conflict report containing the address information in the ARP message; and the authentication management device is further configured to determine, from the received address conflict report, the client whose address is in conflict, and to record the address information in the report for the administrator to query. The address information in the ARP message comprises the IP address, the MAC address, etc.
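The client-side conflict defence and conflict reporting described in the two paragraphs above, as an added example written for this page (not code from the patent or its assignee). It models only the ARP fields the decision needs rather than parsing frames, and it makes one interpretation explicit that the page leaves implicit: the "IP address in the ARP message" is read as the sender IP, so a gratuitous probe or a reply claiming the client's IP from another MAC is dropped, while an ordinary request that asks for the client's address (sender IP belonging to someone else) is still passed to the operating system. Class names, the `reports` queue and the `record_conflicts` helper on the manager side are the example's own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpMessage:
    """The ARP fields this decision needs (constructed; not a frame parser)."""
    op: int
    sender_mac: str
    sender_ip: str
    target_ip: str


@dataclass
class ClientAuthModule:
    """Conflict defence unit (23) and conflict notification unit (24) of the
    client authentication module."""
    my_ip: str
    my_mac: str
    reports: list = field(default_factory=list)  # queued address conflict reports

    def handle_arp(self, msg: ArpMessage, now=None) -> bool:
        """Return True if the message was filtered (dropped before the OS sees it).

        A conflicting message is one whose sender claims our IP from a
        different MAC: a probe request from a station about to take the
        address, or a reply from a station already using it.  A request that
        merely asks "who has my_ip" carries someone else's sender IP and is
        passed through so that address resolution for us keeps working.
        """
        if msg.sender_ip != self.my_ip or msg.sender_mac == self.my_mac:
            return False
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        # conflict notification: address information plus the time received
        self.reports.append({
            "kind": "request" if msg.op == ARP_REQUEST else "reply",
            "ip": msg.sender_ip,
            "mac": msg.sender_mac,
            "time": stamp,
        })
        return True


def record_conflicts(conflict_log: dict, client_ip: str, reports: list) -> dict:
    """Conflict information unit (43) on the authentication manager: file the
    reports under the legitimate client's IP so the administrator can see
    which MACs claimed it and when."""
    conflict_log.setdefault(client_ip, []).extend(reports)
    return conflict_log


if __name__ == "__main__":
    client = ClientAuthModule("10.1.1.5", "00:11:22:33:44:55")
    probe = ArpMessage(ARP_REQUEST, "aa:bb:cc:dd:ee:ff", "10.1.1.5", "10.1.1.5")
    print("probe filtered:", client.handle_arp(probe))   # True
    normal = ArpMessage(ARP_REQUEST, "aa:bb:cc:dd:ee:ff", "10.1.1.7", "10.1.1.5")
    print("lookup filtered:", client.handle_arp(normal))  # False
    print(record_conflicts({}, client.my_ip, client.reports))
```

The sample addresses are constructed. Keeping the client's own MAC out of the filter avoids suppressing the client's own gratuitous announcements if the stack loops them back, and the `kind` field lets the administrator distinguish a station that is about to take the address from one already using it, which is the distinction the page draws between request and response.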
Preferably, to avoid the impact on legitimate users caused by an unauthorized user stealing a legitimate user's IP address to access the network, authentication management device 12 is further configured to: when authentication passes, send static ARP information for the client to the gateway device connected to the access device. This static ARP information comprises, among other things, the mapping between the client's address and the port through which the access device connects to the gateway device. The authentication management device can obtain the client's address information, comprising an IP address and/or MAC address, from the authentication request sent by the client, and can obtain the port information for the access device's connection to the gateway device from the access device configuration information stored on itself.
Accordingly, the system further comprises:
Gateway device 13, for receiving the client's static ARP information sent by the authentication management device and recording it; and, when receiving a message to be forwarded, determining from the recorded static ARP information whether to forward it. Specifically: when receiving a message to be forwarded from the network side, it obtains the destination address carried in the message and looks up the port corresponding to that destination address in the recorded static ARP information; if a port is found, the message is forwarded to the access device connected to that port; if no port is found, forwarding of the message is refused. When receiving a message to be forwarded from an access device, it obtains the source address carried in the message and looks up the port corresponding to that source address in the recorded static ARP information; if the port found is the same as the port on which the message was received, the message is forwarded to the network side; if the port found differs from the port on which the message was received, forwarding of the message is refused.
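The binding step on the authentication manager and the two forwarding checks on the gateway, as an added example written for this page rather than code from the patent or its assignee. The access device configuration table, the gateway and port names and the class and function names are all placeholders of the example; the page does not give concrete values for them.

```python
from dataclasses import dataclass, field

# Constructed access device configuration held by the authentication manager:
# access device id -> (gateway device id, gateway port the access device is
# attached to).  All names are placeholders, not values from the page.
ACCESS_DEVICE_CONFIG = {
    "switch-A": ("gw-1", "port-1"),
    "switch-B": ("gw-1", "port-2"),
}


@dataclass
class GatewayDevice:
    """Gateway device 13: records static ARP information and uses it to decide
    forwarding in both directions."""
    static_arp_enabled: bool = True
    static_arp: dict = field(default_factory=dict)  # client address -> port

    def bind(self, address: str, port: str) -> bool:
        """Information binding unit: record the address -> port mapping pushed
        by the authentication manager (refused while the function is disabled)."""
        if not self.static_arp_enabled:
            return False
        self.static_arp[address] = port
        return True

    def forward_from_network(self, dst: str):
        """Downstream message: return the port bound to the destination
        address, or None meaning forwarding is refused."""
        return self.static_arp.get(dst)

    def forward_from_access(self, src: str, ingress_port: str) -> bool:
        """Upstream message: forward only if the source address is bound and its
        bound port is the port the message actually arrived on.  A station on
        another port that presents a legitimate address is dropped here."""
        bound = self.static_arp.get(src)
        return bound is not None and bound == ingress_port


def push_static_arp(gateways: dict, access_device: str, client_address: str) -> bool:
    """Information binding unit (42) of the authentication manager: after a
    passed authentication, look up which gateway and port the forwarding access
    device sits on and send the static ARP entry to that gateway."""
    gw_id, port = ACCESS_DEVICE_CONFIG[access_device]
    return gateways[gw_id].bind(client_address, port)


if __name__ == "__main__":
    gateways = {"gw-1": GatewayDevice()}
    push_static_arp(gateways, "switch-A", "10.1.1.5")      # client behind switch-A
    gw = gateways["gw-1"]
    print(gw.forward_from_network("10.1.1.5"))             # port-1
    print(gw.forward_from_access("10.1.1.5", "port-1"))    # True
    print(gw.forward_from_access("10.1.1.5", "port-2"))    # False: same address, wrong port
```

This is the check that answers the background section's objection to router isolation: a host that copies both the IP and the MAC of a legitimate client still sits behind a different access port, so its upstream traffic fails the port comparison and its downstream traffic is delivered to the legitimate client's port.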
Referring to Fig. 2, an embodiment of the invention also provides a client authentication module that can be applied in the system for controlling user network access. The module is installed on the client and specifically comprises:
Storage unit 20, for storing the configured address information and authentication password information;
Authentication unit 21, for sending an authentication request containing the address information and the authentication password information to the access device.
The client authentication module further comprises information configuration unit 22, which provides an external interface for configuring the address information and the authentication password information and saves the configured information in storage unit 20. For example, it provides an interface through which an external user inputs address information and an authentication password, and saves the user's input in storage unit 20. The user may also configure the client's address information by other means, in which case information configuration unit 22 obtains that address information from the client's configuration file and saves it in storage unit 20.
The client authentication module further comprises:
Conflict defence unit 23, for filtering a received ARP message if the IP address in the ARP message is the same as the IP address recorded in the storage unit. The received ARP message may be an ARP request message or an ARP response message that would cause an IP conflict.
The client authentication module further comprises:
Conflict notification unit 24, for reporting an address conflict report to the authentication management device after the conflict defence unit filters an ARP message; the report may comprise the address information in the ARP message, the time the ARP message was received, etc.
Referring to Fig. 3, an embodiment of the invention also provides an access device that can be applied in the system for controlling user network access, the access device comprising:
Authentication processing unit 30, for receiving an authentication request containing address and authentication password information sent by a client and sending the authentication request to the authentication management device;
Filter unit 31, for determining, according to the authentication result from the authentication management device, whether to allow the client to access the network.
Specifically, when the authentication management device passes the authentication request, the client is allowed to access the network: a message to be forwarded received from the network side whose destination address matches the address in the authentication request is forwarded to the client, and a message to be forwarded received from the client whose source address matches the address in the authentication request is forwarded to the network side. When the authentication management device does not pass the authentication request, the client is forbidden from accessing the network: a message received from the network side whose destination address matches the address in the request is filtered and not forwarded to the client, and a message received from the client whose source address matches the address in the request is filtered and not forwarded to the network side.
The access device further comprises:
Authentication configuration unit 32, which provides an external interface for configuring authentication-related parameters; these parameters include whether the authentication function is enabled and the communication parameters for the authentication management device and clients, etc.;
Storage unit 33, for storing the authentication-related parameters received by the authentication configuration unit. According to the stored parameter for whether the authentication function is enabled, the authentication processing unit decides whether to interact with the authentication management device to perform address verification, and according to the communication parameters it decides how to interact with the authentication management device.
Referring to Fig. 4, an embodiment of the invention also provides an authentication management device that can be applied in the system for controlling user network access, the authentication management device comprising:
Storage unit 40, for storing the matching relationship between addresses and authentication passwords;
Authentication unit 41, for receiving an authentication request containing address and authentication password information, judging according to the matching relationship between addresses and authentication passwords stored in storage unit 40 whether the address and the authentication password in the request match, passing the authentication if they match and failing it otherwise, and sending the authentication result.
The authentication management device further comprises:
Information binding unit 42, for sending, when authentication passes, the static ARP information of the client that sent the authentication request to the gateway device, specifically the gateway device to which the access device that forwarded the authentication request is connected.
The authentication management device further comprises:
Conflict information unit 43, for receiving address conflict reports sent by clients, recording the conflict information in the reports, and providing an external interface for viewing the recorded conflict information; the conflict information comprises the conflicting IP address, MAC address, time information, etc.
The authentication management device further comprises:
Gateway information configuration unit 44, which provides an external interface for configuring the information of the gateway devices that communicate with this authentication management device and the communication parameters between this device and the gateway devices, etc.
Access information configuration unit 45, which provides an external interface for configuring the information of the access devices and clients that communicate with this authentication management device and the communication parameters between this device and the access devices and clients, etc.
Authentication information unit 46, which provides an external interface for configuring the matching relationship between legal addresses and authentication passwords.
Storage unit 40 is further used to store the conflict information recorded by the conflict information unit and the configuration information received by the gateway information configuration unit and the access information configuration unit. From the access device information stored in the storage unit, the information binding unit can obtain the gateway device to which the access device that forwarded the authentication request is connected, and the specific access port, and it sends static ARP information containing that port information to that gateway device.
Referring to Fig. 5, an embodiment of the invention also provides a gateway device that can be applied in the system for controlling user network access, the gateway device comprising:
Information binding management unit 50, which provides an external interface for configuring static ARP parameters; the static ARP parameters include whether the static ARP information function is enabled and the communication parameters between this gateway device and the authentication management device, etc.
Information binding unit 51, for receiving the static ARP information issued by the authentication management device and recording it.
Storage unit 52, for storing the static ARP parameters received by the information binding management unit and the static ARP information recorded by the information binding unit. According to the stored parameter for whether the static ARP information function is enabled, the information binding management unit determines whether to record the static ARP information issued by the authentication management device.
Referring to Fig. 6, an embodiment of the invention also provides a method for controlling user network access, which specifically comprises the following steps:
Step 60: receive an authentication request containing address and authentication password information sent by a client; the address comprises an IP address and/or a MAC address.
Step 61: according to the stored matching relationship between addresses and authentication passwords, judge whether the address and the authentication password in the authentication request match; if they match, go to step 62, otherwise go to step 63.
Step 62: allow the client to access the network.
In this step, allowing the client to access the network specifically means that the network device forwards received messages carrying the address in the authentication request: for a message received from the network side, if the destination address it carries matches the address in the authentication request, the message is forwarded to the client; for a message received from the client, if the source address it carries matches the address in the authentication request, the message is forwarded to the network side. Network devices include switch devices, gateway devices, etc.
Preferably, to avoid the impact on legitimate users caused by an unauthorized user stealing a legitimate user's IP address to access the network, this step further comprises:
setting the client's static ARP information on the gateway device, which may specifically be the gateway device to which the access device connected to the client is connected. The static ARP information comprises, among other things, the mapping between the client's address and the port through which the access device connects to the gateway device, where the client's address comprises an IP address and/or a MAC address. The gateway device then determines, when it receives a message to be forwarded, whether to forward it according to the configured static ARP information.
Preferably, to avoid the IP conflict problem caused by an unauthorized user stealing a legitimate user's IP address to access the network, the method further comprises:
when the client receives an ARP message, if the address in the ARP message is the same as the corresponding address configured on the client, the client filters the ARP message. So that the administrator can learn about address theft, after filtering the ARP message the client also reports an address conflict report to the network side; the report contains the address information in the received ARP message, the time information, etc., and by checking this information the administrator can locate the unauthorized user who stole the IP address.
Step 63: forbid the client from accessing the network.
In this step, forbidding the client from accessing the network specifically means that the network device filters received messages from the network side and from the client whose carried address matches the address in the authentication request.
The method of the present invention is described below with reference to specific embodiments:
Embodiment one:
The concrete system architecture in this embodiment, shown in Fig. 7A, comprises a gateway device connected to the network, a switch device connected to the gateway device, clients connected to the switch device, and an authentication management device located anywhere in the network. The switch device controls all clients connected below it, and every client must pass the address verification of the authentication management device before it can access the network. The concrete flow of a client accessing the network is as follows:
Step 701: after the user configures the IP address on the client and enters the authentication password information, the client sends to the switch device an authentication request that contains this IP address, the MAC address of the client and the authentication password information;
Step 702: the switch device receives the authentication request and sends it to the authentication management device;
Step 703: the authentication management device determines, according to the stored matching relationship between IP address, MAC address and authentication password, whether the IP address, MAC address and authentication password in the authentication request match; if they match, it sends an authentication-passed result notification to the switch device, and if they do not match, it sends an authentication-failed result notification to the switch device;
Step 704: when the switch device receives the authentication-passed result notification, it sends this notification to the client and records the IP address and MAC address in the authentication request; thereafter it forwards to the client the messages received from the gateway device that contain this IP address and MAC address, and forwards to the gateway device the messages received from the client that contain this IP address and MAC address. When the switch device receives the authentication-failed result notification, it sends this notification to the client and records the IP address and MAC address in the authentication request; thereafter it filters, and does not forward, the received messages that contain this IP address and MAC address.
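The authentication flow of steps 60-63 and embodiment one, as an added simulation that is not the patent's own code: an authentication management device holding the (IP, MAC) to password matching relationship, and an access switch that relays requests and forwards traffic only for address pairs that passed. Class, field and sample values are assumptions.

```python
"""Constructed simulation of the address + password authentication flow of
steps 60-63 and embodiment one.  Added example, not the patent's own code;
class and field names are assumptions."""
from dataclasses import dataclass, field
import hmac


@dataclass
class AuthManager:
    """Authentication management device: holds the pre-saved matching
    relationship (IP address, MAC address) -> authentication password."""
    bindings: dict

    def authenticate(self, ip: str, mac: str, password: str) -> bool:
        """Step 703: pass only if the address pair is known and the supplied
        password matches the one stored for exactly that pair."""
        expected = self.bindings.get((ip, mac))
        if expected is None:
            return False
        # constant-time compare so a wrong guess is not distinguishable by timing
        return hmac.compare_digest(expected.encode(), password.encode())


@dataclass
class AccessSwitch:
    """Switch device of embodiment one: relays authentication requests and
    forwards traffic only for address pairs that passed authentication."""
    auth: AuthManager
    allowed: set = field(default_factory=set)  # (ip, mac) pairs that passed
    denied: set = field(default_factory=set)   # (ip, mac) pairs that failed

    def handle_auth_request(self, ip: str, mac: str, password: str) -> bool:
        """Steps 702-704: forward the request to the manager and record the
        outcome for the address pair carried in the request.  A later failed
        attempt for an already-allowed pair revokes its access, since step 704
        says a failed pair is filtered from then on."""
        ok = self.auth.authenticate(ip, mac, password)
        if ok:
            self.allowed.add((ip, mac))
            self.denied.discard((ip, mac))
        else:
            self.denied.add((ip, mac))
            self.allowed.discard((ip, mac))
        return ok

    def forward(self, pkt: dict, from_network: bool) -> bool:
        """Steps 62/63: forward a packet only when the address it carries
        (destination for network->client, source for client->network) belongs
        to an authenticated client.  Unauthenticated and failed pairs are both
        filtered, so a stolen IP on a different MAC never gets through."""
        if from_network:
            key = (pkt["dst_ip"], pkt["dst_mac"])
        else:
            key = (pkt["src_ip"], pkt["src_mac"])
        return key in self.allowed


if __name__ == "__main__":
    # constructed sample data: one legitimate binding, one attempt from another MAC
    manager = AuthManager({("192.0.2.10", "00:11:22:33:44:55"): "s3cret"})
    switch = AccessSwitch(manager)
    print(switch.handle_auth_request("192.0.2.10", "00:11:22:33:44:55", "s3cret"))  # True
    print(switch.handle_auth_request("192.0.2.10", "00:11:22:33:44:66", "s3cret"))  # False
    print(switch.forward({"src_ip": "192.0.2.10", "src_mac": "00:11:22:33:44:66"}, False))  # False
```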
Embodiment two:
The concrete system architecture in this embodiment, shown in Fig. 7B, comprises a gateway device connected to the network, a switch device connected to the gateway device, clients connected to the switch device, other hubs or unmanaged switches connected to the switch device, and an authentication management device located anywhere in the network. The switch device controls all clients connected below it, and every client must pass the address verification of the authentication management device before it can access the network. Clients are also connected below the other hubs or unmanaged switches; in this arrangement an IP conflict caused by an illegitimate user stealing an IP address may occur, and to avoid this IP conflict the clients have the function of filtering ARP messages. The concrete flow of a client accessing the network is as follows:
Step 711: an illegitimate user configures a stolen IP address A on client 1 and enters wrong authentication password information, and then receives an authentication-failed result notification;
Step 712: after a legitimate user configures the authorized IP address A on client 2, client 2 sends an ARP request message containing IP address A. Because client 1 is also configured with IP address A, it receives this ARP request message and returns an ARP response message to client 2; client 2 filters the received ARP response message containing IP address A, which prevents the operating system of client 2 from disabling the TCP/IP stack and leaving computer 2 unable to access the network with IP address A. Client 2 can also report to the authentication management device an address conflict report containing the MAC address of client 1 and so on, so that the administrator can examine it and locate the user who stole the IP address;
Step 713: client 2 sends to the switch device an authentication request that contains IP address A, the MAC address of client 2 and the authentication password information entered by the legitimate user;
Step 714: the switch device receives the authentication request and sends it to the authentication management device;
Step 715: the authentication management device determines, according to the stored matching relationship between IP address, MAC address and authentication password, that IP address A, the MAC address and the authentication password in the authentication request match, and sends an authentication-passed result notification to the switch device;
Step 716: when the switch device receives the authentication-passed result notification, it sends this notification to the client and records the IP address and MAC address in the authentication request; thereafter it forwards to client 2 the messages received from the gateway device that contain this IP address and MAC address, and forwards to the gateway device the messages received from client 2 that contain this IP address and MAC address.
Embodiment three:
The concrete system architecture in this embodiment, shown in Fig. 7C, comprises a gateway device connected to the network, a switch device connected to the gateway device, clients connected to the switch device, other hubs or switches not according to the present invention connected to the gateway device, and an authentication management device located anywhere in the network. The switch device controls all clients connected below it, and every client must pass the address verification of the authentication management device before it can access the network. Clients are also connected below the other hubs or switches not according to the present invention; in this arrangement an IP conflict caused by an illegitimate user going online with a stolen IP address may occur and adversely affect the legitimate user (for example, messages arriving intermittently). To avoid this adverse effect, the authentication management device has the function of setting the static ARP information of an authenticated client on the gateway device. The concrete flow of a client accessing the network is as follows:
Step 721: after a legitimate user configures the authorized IP address A on client 1 and enters the correct authentication password information, client 1 sends to the access device an authentication request containing IP address A, MAC address a of client 1 and the authentication password information; the access device sends the authentication request to the authentication management device;
Step 722: after the authentication management device has authenticated the authentication request, it sends the static ARP information of client 1 to the gateway device, which comprises the mapping relationship between IP address A, MAC address a and port number 1 through which the switch device connects to the gateway device; the gateway device records the received static ARP information in its ARP table;
Step 723: when the gateway device receives from the network side a message whose destination IP address is A and whose destination MAC address is a, it determines according to the recorded static ARP information that IP address A and MAC address a correspond to port a, sends the message to the switch device through port a, and the switch device forwards it to client 1;
Step 724: an illegitimate user goes online on client 2 with the stolen IP address A; client 2 sends a message containing IP address A to the switch not according to the present invention or hub to which it is connected, and that switch or hub sends the message to the gateway device through port b;
Step 725: the gateway device receives the message, determines according to the recorded static ARP information that IP address A corresponds to port a rather than port b, regards the message as illegal and does not forward it. Likewise, when the gateway device receives from the network side a message containing IP address A, it determines according to the recorded static ARP information that IP address A corresponds to port a and therefore sends the message to the switch device through port a rather than to the switch not according to the present invention or hub. As a result, client 1 where the legitimate user is receives the message while client 2 where the illegitimate user is cannot receive messages from the network side, which avoids the intermittent message delivery that client 1 would otherwise suffer from the gateway device sending a message to client 1 at one moment and to client 2 at the next.
In this embodiment, even if the illegitimate client 2 first goes online with the stolen IP address A and the legitimate user later goes online with IP address A on client 1, the legitimate user knows the correct authentication password information and can therefore access the network after passing the authentication of the authentication management device. Since the authentication management device sends the static ARP information of client 1 to the gateway device after authentication passes and the gateway device records this static ARP information, whenever the gateway device subsequently receives from the network side a message containing IP address A it forwards the message, according to the recorded static ARP information, to client 1 through the switch device rather than to client 2 through the switch not according to the present invention or hub. Moreover, the gateway device does not forward messages from client 2 either. Thus the user who goes online later has reclaimed its own legitimate IP address.
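The two defensive mechanisms described above, as one added simulation that is not the patent's own code: the gateway's static ARP binding of (IP, MAC) to an ingress port from embodiment three (steps 722-725), and the client-side ARP filter with address conflict reporting from the preferred form of step 62 and from step 712 of embodiment two. Names, the report format and the exclusion of the client's own MAC from the conflict check are assumptions.

```python
"""Constructed simulation of the gateway static ARP check (embodiment three)
and the client ARP filter with conflict reporting (step 62 preferred form,
embodiment two).  Added example, not the patent's own code; names and the
report format are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Gateway:
    """Gateway device whose ARP table holds static entries installed by the
    authentication management device after a successful authentication."""
    static_arp: dict = field(default_factory=dict)  # ip -> (mac, port)

    def install_static_arp(self, ip: str, mac: str, port: str) -> None:
        """Step 722: record the mapping of the client's IP and MAC to the port
        through which the managed switch connects to the gateway."""
        self.static_arp[ip] = (mac, port)

    def egress_port_from_network(self, dst_ip: str, dst_mac: str):
        """Step 723: for a message from the network side, return the port to
        send it out of, or None when no matching static entry exists."""
        entry = self.static_arp.get(dst_ip)
        if entry is None or entry[0] != dst_mac:
            return None
        return entry[1]

    def accept_from_client(self, src_ip: str, src_mac: str, ingress_port: str) -> bool:
        """Step 725: a message whose source IP is bound to another port (or to
        another MAC) is treated as illegal and dropped."""
        return self.static_arp.get(src_ip) == (src_mac, ingress_port)


@dataclass
class Client:
    """Client host that filters ARP messages claiming its own IP address and
    reports the conflict to the network side (step 62 preferred form, 712)."""
    own_ip: str
    own_mac: str
    conflict_reports: list = field(default_factory=list)

    def receive_arp(self, sender_ip: str, sender_mac: str) -> bool:
        """Return True if the ARP message is handed to the OS, False if it is
        filtered.  Filtering keeps the OS from detecting an address conflict
        and disabling its TCP/IP stack; the stored report (address of the other
        host plus time, as the text describes) lets the administrator locate it.
        Excluding the client's own MAC is an assumption of this example."""
        if sender_ip == self.own_ip and sender_mac != self.own_mac:
            self.conflict_reports.append({
                "ip": sender_ip,
                "mac": sender_mac,
                "time": datetime.now(timezone.utc).isoformat(),
            })
            return False
        return True


if __name__ == "__main__":
    # constructed scenario: client 1 (MAC a) authenticated behind port a,
    # client 2 (MAC b) reuses the same IP behind port b
    gw = Gateway()
    gw.install_static_arp("192.0.2.10", "aa:aa:aa:aa:aa:01", "port_a")
    print(gw.egress_port_from_network("192.0.2.10", "aa:aa:aa:aa:aa:01"))      # port_a
    print(gw.accept_from_client("192.0.2.10", "bb:bb:bb:bb:bb:02", "port_b"))  # False
    c2 = Client("192.0.2.10", "aa:aa:aa:aa:aa:01")
    print(c2.receive_arp("192.0.2.10", "bb:bb:bb:bb:bb:02"), c2.conflict_reports)  # False, [...]
```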
In summary, the beneficial effects of the present invention are:
In the scheme provided by the embodiments of the present invention, when an authentication request containing an address and authentication password information sent by a client is received, whether the address and the authentication password in the authentication request match is judged according to the preset matching relationship between addresses and authentication passwords, and when they do not match the client is forbidden to go online. Because stealing an authentication password is considerably more difficult, and the authentication password can be modified at any time, the method can effectively improve the security of preventing an illegitimate user from accessing the network with a stolen address.
At the same time, in the scheme provided by the embodiments of the present invention, the client filters received ARP messages, which avoids IP conflicts; the client also reports conflict information, so that the administrator can locate the user causing the conflict according to this conflict information.
Furthermore, in the scheme provided by the embodiments of the present invention, setting the static ARP information of the authenticated legitimate user on the gateway device can avoid the adverse effect on the legitimate user caused by another illegitimate user accessing the network with a stolen address.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these changes and modifications of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.

Claims (7)

1. A method for controlling user online access, characterized in that the method comprises:
receiving an authentication request sent by a client that contains an address and authentication password information;
judging, according to a pre-saved matching relationship between legal addresses and authentication passwords, whether the address and the authentication password in the authentication request match, and when the address and the authentication password in the authentication request do not match, forbidding the client from accessing the network.
2. The method of claim 1, characterized in that, when the address and the authentication password in the authentication request match, the method further comprises:
setting static Address Resolution Protocol (ARP) information of the client on a network device;
when the network device receives a message to be forwarded, determining according to the set static ARP information whether to forward the message.
3. The method of claim 1, characterized in that the method further comprises:
when the client receives an ARP message, if the source address in the ARP message is identical to the corresponding address configured on the client, filtering the ARP message.
4. The method of claim 3, characterized in that the method further comprises:
the client reporting to the network side an address conflict report that contains the address information in the ARP message, and the network side recording the information in the address conflict report.
5. The method of claim 1 or 2, characterized in that the address comprises an IP address and/or a MAC address.
6. A system for controlling user online access, characterized in that the system comprises: an access device and an authentication management device;
the access device comprises:
an authentication processing unit, configured to receive an authentication request sent by a client that contains an address and authentication password information, and to send the authentication request to the authentication management device;
a filter unit, configured to forbid forwarding of the received messages containing the address when the authentication management device does not pass the authentication of the authentication request;
the authentication management device comprises:
a storage unit, configured to pre-save the matching relationship between legal addresses and authentication passwords;
an authentication unit, configured to receive the authentication request containing the address and authentication password information, to judge according to the matching relationship between legal addresses and authentication passwords pre-saved in the storage unit whether the address and the authentication password in the authentication request match, and, if so, to pass the authentication, otherwise to fail the authentication.
7. The system of claim 6, characterized in that the authentication management device is further configured to:
when the authentication passes, send static Address Resolution Protocol (ARP) information of the client to a gateway device connected to the access device;
the system further comprises:
a gateway device, configured to receive and record the static ARP information of the client, and, when receiving a message to be forwarded, to determine according to the set static ARP information whether to forward the message.
CN 200810167685 2008-10-20 2008-10-20 Method, system and equipment for controlling user networking Active CN101436934B (en)
Publications (2)

Publication Number Publication Date
CN101436934A CN101436934A (en) 2009-05-20
CN101436934B true CN101436934B (en) 2013-04-24

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: 350015 M9511 Industrial Park, fast road, Mawei District, Fujian, Fuzhou

Patentee after: RUIJIE NETWORKS Co.,Ltd.

Address before: 350015 M9511 Industrial Park, fast road, Mawei District, Fujian, Fuzhou

Patentee before: Beijing Star-Net Ruijie Networks Co.,Ltd.