CN106411852A - Distributed terminal access control method, and apparatus - Google Patents

Info

Publication number
CN106411852A
Authority
CN
China
Prior art keywords
switch
headend equipment
management server
message
rule
Prior art date
Legal status
Granted
Application number
CN201610797251.6A
Other languages
Chinese (zh)
Other versions
CN106411852B (en)
Inventor
周迪
赵晖
Current Assignee
Zhejiang Uniview Technologies Co Ltd
Original Assignee
Zhejiang Uniview Technologies Co Ltd
Priority date
Filing date
Publication date
    • Application filed by Zhejiang Uniview Technologies Co Ltd
    • Priority to CN201610797251.6A
    • Publication of CN106411852A
    • Application granted
    • Publication of CN106411852B
    • Legal status: Active
    • Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/02 Separating internal from external traffic, e.g. firewalls
            • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
                • H04L63/0218 Distributed architectures, e.g. distributed firewalls
            • H04L63/0227 Filtering policies
                • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
                • H04L63/0263 Rule management
        • H04L63/10 Controlling access to devices or network resources
            • H04L63/101 Access control lists [ACL]
        • H04L63/20 Managing network security; network security policies in general
            • H04L63/205 Involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers, or by selection according to the capabilities of the entities involved

Abstract

Embodiments of the present invention disclose a distributed terminal access control method, and an apparatus. According to the method, a corresponding service type-based control rule is set in each switch of a distributed monitoring system, and a corresponding control rule is updated based on change of the service type of a front-end device, so that each switch performs, according to a corresponding control rule, service-level access control on the front-end device connected with the switch, forwards a packet in accordance with the control rule normally, and discards a packet not in line with the control rule, therefore, terminal access is controlled accurately, the control rule in each switch is updated timely according to the change of the service type of the front-end device, and the storage burden on the server device caused by setting of a lot of control rules is prevented.

Description

Distributed terminal access control method and apparatus
Technical field
The present application relates to the field of monitoring data transmission, and in particular to a distributed terminal access control method and apparatus.
Background
With the development of IP (Internet Protocol) video surveillance services, customers pay increasing attention to the security of video surveillance systems. An intruder typically begins by port-scanning the target device with a vulnerability scanner: TCP connection messages are sent to each well-known port of the target and to part of the commonly used service-port range, the type of response received is used to judge whether the device is using that port, and the service ports found are then analysed for vulnerabilities before a further network attack is launched.
The prior art proposes a defence solution based on control rules, which gives the monitoring system a degree of self-defence by automatically hiding service ports: any access request in the system, for example a front-end device wishing to operate or control another device, must pass the filtering of the control rules. The video management server grants authorisation centrally in advance, and only then is a client or other device allowed to reach the service port of the target device. The whole system thus forms a closed-loop secure service environment that can effectively eliminate security risks.
Specifically, in the prior art the video management server by default opens only the "registration port" for front-end devices and the "login port" for clients; only after a terminal device has registered successfully is the "IP address" of that front-end device allowed to access the other service ports of the video management server.
Delivery of the control rules can be implemented by means such as iptables or service-level code control, as described below.
Fig. 1 is a schematic diagram of an application scenario of a prior-art monitoring system.
In the initial state, the control rule in force on the video management server is:
Destination port on this device | Source device | Control action
5060, 80                        | All           | Allow "source device" to access "destination port on this device"
After IPC1 registers successfully, the video management server records the address information of IPC1 and changes the control rule in force on itself to allow IPC1 to access all ports of this device, specifically as follows:
Correspondingly, the service server records the address information of IPC1 and changes the control rule in force on itself to allow IPC1 and the video management server to access all ports of this device, specifically as follows:
In the course of implementing the present application, the applicant found that the existing processing scheme described above has at least the following problem:
In a video surveillance system the number of front-end devices is large, so the number of rules that must be configured on devices such as the video management server grows accordingly, while the number of filtering rules a server device itself supports is limited, typically only 1000. When the number of front-end devices exceeds the maximum number of rules the server device supports, the server device can no longer provide normal service.
Summary of the invention
Embodiments of the present application provide a distributed terminal access control method and apparatus. A corresponding service-type-based control rule is configured in each switch of a distributed monitoring system, so that each switch performs service-level access control, according to its own control rule, on the front-end devices connected to it. This achieves precise control of terminal access and avoids the storage burden that configuring a large number of control rules places on the server device.
To achieve the above technical purpose, the present application proposes a distributed terminal access control method, applied in a distributed monitoring system that includes at least a management server, a plurality of switches and front-end devices, where the front-end devices access the distributed monitoring system through the switches and control rules are configured in the switches. The method specifically includes:
When a front-end device connected to the switch starts a new service, the switch updates the control rule configured on itself according to a control rule update instruction sent by the management server, where the control rule update instruction includes the access permission information that the management server opens for the front-end device while it executes the new service;
The switch judges whether the forwarding information of a message of the new service, received from the front-end device connected to it, meets the updated control rule;
If it does, the switch forwards the service message to the corresponding interface; if it does not, the switch discards the service message.
Preferably, the initial content of the control rule configured in the switch is:
Among the messages received from the front-end device connected to the switch, only registration messages are allowed to be forwarded to the management server; all other messages are discarded.
Preferably, before the front-end device connected to the switch starts a new service operation, the method further includes:
When the control rule configured in the switch is the initial content, the switch identifies whether a message received from the front-end device connected to it is a registration message;
If the identification result is yes, the switch adds its own network address information and the information of the port on which it is connected to the front-end device into the message and forwards the message to the management server, so that the management server registers the front-end device and, after successful registration, stores the network address information and port information of the switch;
When the switch receives the registration confirmation instruction returned by the management server, it sends the registration confirmation instruction to the front-end device.
Preferably, the processing procedure of the control rule update instruction is specifically:
When the front-end device connected to the switch starts a new service, the management server determines the device ports that the front-end device is allowed to access in the new service;
The management server generates a control rule entry with the network address information of the front-end device as the source address information, the network address information of the device the front-end device is allowed to access as the destination address information, and the port information of the device port the front-end device is allowed to access as the destination port information;
According to the network address information of the switch corresponding to the front-end device, the management server sends to that switch a control rule update instruction carrying the control rule entry, so that the switch updates the content of its control rule corresponding to the port on which the front-end device is connected.
Preferably, the method further includes:
When a service of the front-end device connected to the switch ends, the switch, according to a control rule deletion instruction sent by the management server, deletes from the control rule configured on itself the control rule content corresponding to the ended service.
In another aspect, embodiments of the present application also propose a switch, applied in a distributed monitoring system that includes at least a management server, a plurality of switches and front-end devices, where the front-end devices access the distributed monitoring system through the switches and control rules are configured in the switches. The switch specifically includes:
a communication module, for communicating with the front-end device connected to the switch and with the management server;
a management module, for updating, when the front-end device connected to the switch starts a new service, the control rule currently configured on the switch according to the control rule update instruction sent by the management server and received by the communication module, where the control rule update instruction includes the access permission information that the management server opens for the front-end device while it executes the new service;
a judging module, for judging whether the forwarding information of the message of the new service, sent by the front-end device connected to the switch and received by the communication module, meets the control rule updated by the management module;
a processing module, for notifying the communication module to forward the service message to the corresponding interface when the judging module finds that the rule is met, or discarding the service message when the judging module finds that the rule is not met.
Preferably, the initial content of the control rule configured in the switch is:
Among the messages received from the front-end device connected to the switch, only registration messages are allowed to be forwarded to the management server; all other messages are discarded.
Preferably,
the judging module is further configured, when the control rule configured in the switch is the initial content, to identify whether a message sent by the front-end device connected to the switch and received by the communication module is a registration message;
the communication module is further configured, when the identification result of the judging module is yes, to add the network address information of the switch and the information of the port on which the switch is connected to the front-end device into the message and to forward the message to the management server, so that the management server registers the front-end device and, after successful registration, stores the network address information and port information of the switch; and, when the registration confirmation instruction returned by the management server is received, to send the registration confirmation instruction to the front-end device.
Preferably, the processing procedure of the control rule update instruction is specifically:
When the front-end device connected to the switch starts a new service, the management server determines the device ports that the front-end device is allowed to access in the new service;
The management server generates a control rule entry with the network address information of the front-end device as the source address information, the network address information of the device the front-end device is allowed to access as the destination address information, and the port information of the device port the front-end device is allowed to access as the destination port information;
According to the network address information of the switch corresponding to the front-end device, the management server sends to that switch a control rule update instruction carrying the control rule entry, so that the switch updates the content of its control rule corresponding to the port on which the front-end device is connected.
Preferably,
the management module is further configured, when a service of the front-end device connected to the switch ends, to delete from the control rule configured in the switch the control rule content corresponding to the ended service, according to the control rule deletion instruction sent by the management server and received by the communication module.
Compared with the prior art, the beneficial technical effects of the technical solution proposed by the embodiments of the present application include:
The embodiments of the present application disclose a distributed terminal access control method and apparatus. A corresponding service-type-based control rule is configured in each switch of the distributed monitoring system and is updated when the service type of a front-end device changes, so that each switch performs service-level access control, according to its own control rule, on the front-end devices connected to it: messages that meet the control rule are forwarded normally and messages that do not are discarded. This achieves precise control of terminal access, keeps the control rule in each switch up to date with the service type changes of the front-end devices, and avoids the storage burden that configuring a large number of control rules places on the server device.
Brief description of the drawings
To illustrate the technical solution of the present application more clearly, the drawings needed for the description of the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an application scenario of a prior-art monitoring system;
Fig. 2 is a flow diagram of a distributed terminal access control method proposed by an embodiment of the present application;
Fig. 3 is a schematic diagram of the networking structure of a distributed monitoring system proposed by an embodiment of the present application;
Fig. 4 is a flow diagram of the distributed terminal access control method in a concrete application scenario proposed by an embodiment of the present application;
Fig. 5 is a schematic diagram of an application scenario, proposed by an embodiment of the present application, in which IPC1 carries out multiple service processes in a concrete scenario;
Fig. 6 is a schematic diagram of a scenario, proposed by an embodiment of the present application, in which the video management server configures control rules (the aforementioned whitelist) on multiple switches in a concrete application scenario;
Fig. 7 is a schematic structural diagram of a switch proposed by an embodiment of the present application.
Detailed description
As stated in the background of the present application, in the existing technology the control rules are configured on the server, so the corresponding filtering must also be processed by the server, which increases the server's processing load. Moreover, as the number of front-end devices grows, the number of control rules to be configured on the server also increases substantially. This not only increases the server's rule-filtering workload; because the number of rules the server itself can store is limited, once the number of rules required by the front end is too large, some control rules cannot be configured on the server at all and the control policy cannot be realised.
The inventors of the present application aim, by the method provided herein, to configure in each switch of the distributed monitoring system a corresponding service-type-based control rule and to update that rule when the service type of a front-end device changes. On one hand, by configuring the rules in the switches, the filtering burden of the server is distributed across the switches; on the other hand, the management server modifies and adjusts the control rules according to the service type changes of the front-end devices, which ensures that access control is executed precisely and adjusted promptly.
Fig. 2 is a flow diagram of a distributed terminal access control method proposed by an embodiment of the present application. The method is applied in a distributed monitoring system that includes at least a management server, a plurality of switches and front-end devices; the front-end devices access the distributed monitoring system through the switches, and control rules are configured in the switches. Specifically, the method includes:
Step S201: when a front-end device connected to the switch starts a new service, the switch updates the control rule configured on itself according to the control rule update instruction sent by the management server.
The control rule update instruction includes the access permission information that the management server opens for the front-end device while it executes the new service.
This step is the control rule update process: a change in the service type of the front-end device (the start of a new service) triggers a targeted update of the control rule. After the front-end device starts a new service it may exchange messages with new network devices or new interfaces, so the content of the control rule must be adjusted accordingly.
It should further be noted that, before any adjustment, the initial content of the control rule configured in the switch is:
Among the messages received from the front-end device connected to the switch, only registration messages are allowed to be forwarded to the management server; all other messages are discarded.
With this initial content, before a legitimate front-end device has been authenticated and registered, the switch permits only the forwarding of registration messages: before a front-end device has registered with the management server, no legitimate service interaction other than registration is possible. Such a control rule prevents illegitimate messages from being transmitted to the management server and avoids the vulnerability problem described in the background.
Accordingly, before this step the method further includes the registration process of the front-end device, described as follows:
When the control rule configured in the switch is the initial content, the switch identifies whether a message received from the front-end device connected to it is a registration message.
If the judgement is no, the message is discarded directly. If the identification result is yes, the switch adds its own network address information and the information of the port on which it is connected to the front-end device into the message and forwards the message to the management server. Through this registration message the management server registers the corresponding front-end device and, after successful registration, stores the switch network address information and port information carried in the registration message, for use in subsequent control rule interaction.
When the switch receives the registration confirmation instruction returned by the management server, it sends the registration confirmation instruction to the front-end device. At this point the registration process of the front-end device is complete, and the service types of this front-end device are governed on the management server side: when the front-end device needs to start a new service it must request this from the management server, so when the management server confirms that the service may start it also learns promptly that the service type of the front-end device has changed, and can accordingly trigger the adjustment of the control rules.
Specifically, in the adjustment of the corresponding control rule, the processing procedure of the aforementioned control rule update instruction is as follows:
As stated above, the service types of the front-end device are governed on the management server side, so when a front-end device connected to the switch starts a new service, the management server has also determined the devices the front-end device is allowed to access in the new service, and the device ports it is allowed to access.
On the basis of the above processing, the management server has promptly learned the latest change of the service type of the front-end device and therefore triggers the corresponding control rule adjustment process.
First, the management server generates a control rule entry with the network address information of the front-end device as the source address information, the network address information of the device the front-end device is allowed to access as the destination address information, and the port information of the device port the front-end device is allowed to access as the destination port information. The network address information of the front-end device can be obtained from the registration message or from the current service change request; the network address information of the device the front-end device is allowed to access, and the port information of the device port it is allowed to access, can be determined according to the preceding steps.
Then, according to the network address information of the switch corresponding to the front-end device, the management server sends to that switch a control rule update instruction carrying the control rule entry, so that the switch updates the content of its control rule corresponding to the port on which the front-end device is connected. The network address information of the switch corresponding to the front-end device, and the information of the port connected to the front-end device, were added to the registration message by the switch before it was sent to the management server.
Through the above processing, the control rule configured on the switch has been adjusted for the new service of the front-end device.
Step S202: the switch judges whether the forwarding information of the message of the new service, received from the front-end device connected to it, meets the updated control rule.
In this step the switch performs access control on the messages sent by the front-end device according to the updated control rule.
If the rule is met, step S203 is executed;
if the rule is not met, step S204 is executed.
Step S203: the switch forwards the service message to the corresponding interface.
Step S204: the switch discards the service message.
It should further be noted that the above processing is the control rule adjustment for a newly added service. In concrete application scenarios there is also the case where a front-end device releases an existing service, in which case the control rule corresponding to the released service must be deleted. The specific process is as follows:
As stated above, the service types of the front-end device are governed on the management server side. When a service of a front-end device connected to the switch ends, the management server has also determined which devices and which device ports the front-end device was allowed to access in the released service; such access permissions must likewise be deleted when the service is released.
On the basis of the above processing, the management server has promptly learned the latest change of the service type of the front-end device; therefore the switch, according to the control rule deletion instruction sent by the management server, deletes from the control rule configured on itself the control rule content corresponding to the ended service.
Such deletion processing ensures that the control rules are adjusted promptly according to the service type changes of the front-end device. At the same time, promptly deleting control rules that are no longer needed prevents invalid messages from being forwarded through the gaps those stale rules would leave, and so maintains the security of the monitoring system.
Compared with the prior art, the beneficial technical effects of the technical solution proposed by the embodiments of the present application include:
The embodiments of the present application disclose a distributed terminal access control method and apparatus. A corresponding service-type-based control rule is configured in each switch of the distributed monitoring system and is updated when the service type of a front-end device changes, so that each switch performs service-level access control, according to its own control rule, on the front-end devices connected to it: messages that meet the control rule are forwarded normally and messages that do not are discarded. This achieves precise control of terminal access, keeps the control rule in each switch up to date with the service type changes of the front-end devices, and avoids the storage burden that configuring a large number of control rules places on the server device.
The technical solutions in the present application are described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in the present application without creative effort fall within the scope of protection of the present application.
Taking the networking structure of the distributed monitoring system shown in Fig. 3 as an example, the following describes how the switches in the distributed monitoring system perform admission control of front-end devices by means of control rules.
In this distributed monitoring system, the video management server (IP address 192.168.1.11) acts as the management server. Through switch SW4 (IP address 192.168.1.1) it connects, in a distributed manner, to three switches: SW1 (IP address 192.168.2.1), SW2 (IP address 192.168.3.1) and SW3 (IP address 192.168.4.1). IPC1 (IP address 192.168.2.22) accesses SW1 through port Ethernet 0/1, IPC2 (IP address 192.168.3.23) accesses SW2 through port Ethernet 0/2, and IPC3 (IP address 192.168.4.24) accesses SW3 through port Ethernet 0/3. The registration port of the video management server is 5061.
In the present embodiment, the control rules are illustrated using ACL rules as an example. In actual application scenarios, control rules of other forms can equally be applied in the technical solution proposed by the embodiments of the present application, and such changes do not affect the scope of protection of the present application.
Fig. 4 is a schematic flowchart of the distributed terminal access control method proposed by the embodiments of the present application in one specific application scenario. The method specifically includes the following steps:
Step S401: initialize the ACL rules on each switch.
In the initial state, that is, when the switch admits front-end devices in its default secure mode, the ACL rules permit only registration messages to pass. The ACL rules in this state are likewise configured or activated by the video management server. As stated above, the GB registration port on which the video management server receives front-end devices is UDP port 5061.
Taking switch SW1 as an example, the content of the ACL rule configured in SW1 in the initial state is as follows:
That is, rule 3001 applied to port Ethernet 0/1 allows registration messages from any source to be sent to port 5061.
SW2 and SW3 are configured in the same way as SW1, which is not repeated here.
Step S402: the switch receives a registration message from a front-end device.
SW1 is again taken as the example.
IPC1 sends a registration message to SW1; the destination IP is the IP address of the video management server, the destination port is 5061, and 34010600001320000001 is the device code of IPC1. An example of the content of the corresponding registration message is as follows:
SW1 receives the above message sent by IPC1 on port Ethernet0/1 and, by parsing the message fields, finds the keyword REGISTER and confirms that it is a registration message.
Step S403: the switch appends its own IP address and local port number (the switch physical port) to the registration message and then forwards it to the video management server.
SW1 appends its own IP address and local port number (switch physical port) to the above registration message, as shown in bold and underlined font below. After modifying the registration message, SW1 sends the modified message to the video management server according to the message's destination IP.
Step S404: the video management server receives the registration message and authenticates it.
The video management server authenticates the registration message against the device information that has been added to it, confirming whether the front-end device corresponding to the registration message is a legitimate device.
If authentication succeeds, step S405 is executed.
If authentication fails, the registration request of this front-end device is rejected. This processing is not the concern of the present application and is not described here.
Step S405: the video management server extracts the information added by the switch (namely the SWIP and SWPORT information mentioned above) from the registration message, obtaining the address of the access switch and the physical port of IPC1.
Step S406: the video management server sends a registration-success response message to IPC1 through SW1.
At this point, the video management server has completed the registration process of the front-end device IPC.
Thereafter, each time the IPC starts a service, step S407 is executed.
Step S407: the front-end device initiates a new service request to the video management server.
Step S408: based on this new service request, the video management server returns an authorization response to the front-end device.
Step S409: the video management server sends a control-rule update instruction to the switch.
According to the change in authorization for the front-end device's new service, the video management server issues ACL rules to the switch, instructing the corresponding access switch to update its control rules so as to open, on the access port of the front-end device, a whitelist of the related service permissions, such as a list of IP addresses and ports. Under the updated control rules, packets that match the whitelist (source IP address, source port, destination IP address, destination port) are allowed through by the switch, and all other packets are discarded.
In a specific application scenario, the video management server may issue the ACL rules by SNMP message or via Telnet; other modes of transmission may also be chosen as needed, and such changes do not affect the scope of protection of the present application.
Step S410: the switch adjusts its locally configured control rules according to the received ACL rules.
The specific adjustment of the control rules is illustrated below for each service type. For ease of description and comparison, the control rules on SW1 are again taken as the example.
When IPC1 starts the staging service, the video management server determines that IPC1 needs to access port 21 of the video management server (fixed allocation) and therefore issues the corresponding ACL rule. The adjusted control rules in SW1 are as follows:
That is, rule 3002 applied to port Ethernet 0/1 allows registration messages from any source to be sent to port 5061, and allows messages sent by IPC1 to reach the web port 80 and FTP port 21 of the video management server (IP 192.168.1.11).
When IPC1 starts a UDP or TCP live service, the video management server determines that IPC1 needs to access ports 10000, 10001 and 10002 of the MS (media forwarding server) and therefore issues the corresponding ACL rule. The adjusted control rules in SW1 are as follows:
That is, rule 3002 applied to port Ethernet 0/1 allows registration messages from any source to be sent to port 5061, allows messages sent by IPC1 to reach the web port 80 and FTP port 21 of the video management server (IP 192.168.1.11), and allows messages sent by IPC1 to reach UDP and TCP ports 10000, 10001 and 10002 of the media forwarding server (IP 192.168.1.21).
When storage is configured for IPC1, the video management server determines that IPC1 needs to access port 3260 of the storage device (fixed port) and therefore issues the corresponding ACL rule. The adjusted control rules in SW1 are as follows:
That is, rule 3002 applied to port Ethernet 0/1 allows registration messages from any source to be sent to port 5061, allows messages sent by IPC1 to reach the web port 80 and FTP port 21 of the video management server (IP 192.168.1.11), allows messages sent by IPC1 to reach UDP and TCP ports 10000, 10001 and 10002 of the media forwarding server (IP 192.168.1.21), and allows messages sent by IPC1 to reach TCP port 3260 of the storage device (IP 192.168.1.31).
Further, based on the above ACL rules, the present embodiment provides the way in which the ACL rules are adjusted in the service-release scenario.
If IPC1 now releases the live service, configuration is issued to delete the live-service whitelist:
That is, rule 3002 applied to port Ethernet 0/1 allows registration messages from any source to be sent to port 5061, allows messages sent by IPC1 to reach the web port 80 and FTP port 21 of the video management server (IP 192.168.1.11), and allows messages sent by IPC1 to reach TCP port 3260 of the storage device (IP 192.168.1.31).
Step S411: based on the updated ACL rules, the switch filters the packets it receives.
Fig. 5 is a schematic diagram of an application scenario, proposed by the embodiments of the present application, in which IPC1 carries out multiple services. Switch SW1 matches and filters the packets of IPC1 according to the above rules, allowing IPC1 to access the ports and devices in the whitelist and discarding packets that do not match the whitelist.
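The following added example (not code from the patent or from the applicant; the rule representation, class names and the sample packets are constructed for illustration) models the per-port whitelist of steps S401 to S411 on SW1: the initial registration-only rule, the entries granted for each service, the deletion on release, and the match-or-drop decision of step S411, using the addresses and ports of the Fig. 3 scenario.

```python
"""Switch-side model of the per-port service whitelist walked through in steps S401-S411.

Constructed example: the Rule/Packet/PortAcl names are illustrative, not a vendor ACL syntax.
"""
from dataclasses import dataclass

ANY = "any"  # wildcard source, used only by the initial registration rule


@dataclass(frozen=True)
class Rule:
    """One whitelist entry, tagged with the service that opened it so release can remove it."""
    src: str
    dst: str
    dport: int
    proto: str     # "udp" or "tcp"
    service: str   # "register" for the initial rule, otherwise the service name


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


class PortAcl:
    """Inbound ACL on one switch access port (e.g. Ethernet 0/1 on SW1)."""

    def __init__(self, port, server_ip):
        self.port = port
        # Step S401: the initial rule admits only registration traffic to the
        # management server's registration port UDP 5061; everything else drops.
        self.rules = [Rule(ANY, server_ip, 5061, "udp", "register")]

    def grant(self, ipc_ip, service, entries):
        """Steps S409/S410: add the entries the server authorised for one service."""
        for dst, dport, proto in entries:
            rule = Rule(ipc_ip, dst, dport, proto, service)
            if rule not in self.rules:
                self.rules.append(rule)

    def revoke(self, service):
        """Service release: delete only the entries that this service opened."""
        self.rules = [r for r in self.rules if r.service != service]

    def permits(self, pkt):
        """Step S411: forward if any entry matches, otherwise drop (implicit deny)."""
        return any(
            (r.src == ANY or r.src == pkt.src)
            and r.dst == pkt.dst
            and r.dport == pkt.dport
            and r.proto == pkt.proto
            for r in self.rules
        )


# Addresses from the Fig. 3 scenario.
VMS = "192.168.1.11"      # video management server
MS = "192.168.1.21"       # media forwarding server
STORAGE = "192.168.1.31"  # storage device
IPC1 = "192.168.2.22"

# Destination (IP, port, protocol) entries per service, as listed in the SW1 walkthrough.
SERVICE_PORTS = {
    "staging": [(VMS, 80, "tcp"), (VMS, 21, "tcp")],
    "live": [(MS, p, proto) for p in (10000, 10001, 10002) for proto in ("udp", "tcp")],
    "storage": [(STORAGE, 3260, "tcp")],
}


def sw1_scenario():
    """Replay the SW1 walkthrough; return, per stage, which constructed packets pass."""
    acl = PortAcl("Ethernet 0/1", VMS)
    probes = (
        Packet(IPC1, 5060, VMS, 5061, "udp"),             # REGISTER to the server
        Packet(IPC1, 40001, VMS, 80, "tcp"),              # web, opened by staging
        Packet(IPC1, 40002, MS, 10001, "udp"),            # live stream to the media server
        Packet(IPC1, 40003, STORAGE, 3260, "tcp"),        # iSCSI to the storage device
        Packet(IPC1, 40004, "192.168.1.99", 22, "tcp"),   # destination never whitelisted
        Packet("192.168.2.99", 40005, VMS, 80, "tcp"),    # other host on the same port
    )

    def snapshot():
        return tuple(acl.permits(p) for p in probes)

    result = {"initial": snapshot()}
    acl.grant(IPC1, "staging", SERVICE_PORTS["staging"])
    result["staging"] = snapshot()
    acl.grant(IPC1, "live", SERVICE_PORTS["live"])
    result["live"] = snapshot()
    acl.grant(IPC1, "storage", SERVICE_PORTS["storage"])
    result["storage"] = snapshot()
    acl.revoke("live")  # IPC1 releases the live service: its entries are deleted
    result["live_released"] = snapshot()
    return result


if __name__ == "__main__":
    for stage, passed in sw1_scenario().items():
        print(stage, passed)
```

The last probe shows why the entries are bound to the IPC's source address: a different host on the same access port matches nothing but the registration rule.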
The above processing is described with SW1 as the example. In a specific application scenario, each front-end device may access the system through a different switch; the video management server issues whitelist rules to multiple security admission switches, achieving distributed service-level access control.
Fig. 6 is a schematic diagram of a scenario, proposed by the embodiments of the present application, in which the video management server configures control rules (the aforementioned whitelists) on multiple switches in one specific application scenario.
As shown in Fig. 6, after IPC2 initiates registration, SW2 modifies the registration message by appending the IP address of SW2 and the access port of IPC2, Ethernet0/2;
after IPC3 initiates registration, SW3 modifies the registration message by appending the IP address of SW2 and the access port of IPC2, Ethernet0/3;
after registration and authentication by the video management server succeed, each time an IPC starts a new service the server issues the corresponding IPC2 whitelist to SW2 and the corresponding IPC3 whitelist to SW3, and SW2 and SW3 add the corresponding ACL rules. For the specific processing, refer to the preceding description.
Specifically, an example of the ACL rules configured on switch SW2 is as follows:
That is, rule 3002 applied to port Ethernet 0/2 allows registration messages from any source to be sent to port 5061, allows messages sent by IPC2 to reach the web port 80 and FTP port 21 of the video management server (IP 192.168.1.11), allows messages sent by IPC2 to reach UDP and TCP ports 10000, 10001 and 10002 of the media forwarding server (IP 192.168.1.21), and allows messages sent by IPC2 to reach TCP port 3260 of the storage device (IP 192.168.1.31).
The ACL rules configured on switch SW3 are as follows:
That is, rule 3002 applied to port Ethernet 0/3 allows registration messages from any source to be sent to port 5061, allows messages sent by IPC3 to reach the web port 80 and FTP port 21 of the video management server (IP 192.168.1.11), allows messages sent by IPC3 to reach UDP and TCP ports 10000, 10001 and 10002 of the media forwarding server (IP 192.168.1.21), and allows messages sent by IPC3 to reach TCP port 3260 of the storage device (IP 192.168.1.31).
To illustrate the solution provided by the preceding embodiments of the present application more clearly, and based on the same inventive concept as the above method, the embodiments of the present application also propose a switch, whose structure is shown schematically in Fig. 7. The switch is applied in a distributed monitoring system that includes at least a management server, a plurality of switches and front-end devices; the front-end devices access the distributed monitoring system through the switches; control rules are configured in the switch; and the switch specifically includes:
a communication module 71, for communicating with the front-end devices connected to the switch and with the management server;
a management module 72, for updating the control rules currently configured in the switch, when a front-end device connected to the switch starts a new service, according to the control-rule update instruction sent by the management server and received by the communication module 71, wherein the control-rule update instruction includes the access permission information that the management server opens to the front-end device for executing the new service;
a judgment module 73, for judging whether the forwarding information of the packets of the new service, sent by the front-end device connected to the switch and received by the communication module 71, matches the control rules updated by the management module 72;
a processing module 74, for notifying the communication module 71 to forward the service packet to the corresponding interface when the judgment result of the judgment module 73 is a match, or for discarding the service packet when the judgment result of the judgment module 73 is not a match.
Preferably, the initial content of the control rules configured in the switch is:
among the packets received from the front-end devices connected to the switch, only registration messages are allowed to be forwarded to the management server, and all other packets are discarded.
Preferably,
the judgment module 73 is further configured, when the control rules configured in the switch have the initial content, to identify whether a packet received by the communication module 71 from a front-end device connected to the switch is a registration message;
the communication module 71 is further configured, when the identification result of the judgment module 73 is yes, to add the network address information of the switch and the information of the port through which the switch connects to the front-end device to the packet, and to forward the packet to the management server, so that the management server registers the front-end device and, after registration succeeds, stores the network address information of the switch and the port information; and, on receiving the registration confirmation instruction returned by the management server, to send the registration confirmation instruction to the front-end device.
Preferably, the processing of the control-rule update instruction is specifically as follows:
when the front-end device connected to the switch starts a new service, the management server determines the device ports that the front-end device is allowed to access in the new service;
the management server generates a control-rule entry with the network address information of the front-end device as source address information, the network address information of the device that the front-end device is allowed to access as destination address information, and the port information of the device port that the front-end device is allowed to access as destination port information;
according to the network address information of the switch corresponding to the front-end device, the management server sends to that switch a control-rule update instruction carrying the control-rule entry, so that the switch updates the content of its own control rules corresponding to the port to which the front-end device is connected.
Preferably,
the management module 72 is further configured, when a front-end device connected to the switch terminates a service, to delete, from the control rules configured in the switch, the control-rule content corresponding to the terminated service, according to the control-rule deletion instruction sent by the management server and received by the communication module 71.
From the above description of the embodiments, those skilled in the art can clearly understand that the embodiments of the present invention may be implemented by hardware, or by software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive or portable hard disk) and includes instructions that cause a computer device (which may be a personal computer, a server or a network device) to execute the method described in each implementation scenario of the embodiments of the present invention.
Those skilled in the art will understand that the accompanying drawings are schematic diagrams of preferred implementation scenarios, and that the modules or processes in the drawings are not necessarily required for implementing the embodiments of the present invention.
Those skilled in the art will understand that the modules of the apparatus in an implementation scenario may be distributed in the apparatus of that scenario as described, or may be changed accordingly and placed in one or more apparatuses other than that of the present scenario. The modules of the above implementation scenario may be merged into one module or further split into a plurality of sub-modules.
The above serial numbers of the embodiments of the present invention are for description only and do not represent the relative merits of the implementation scenarios.
Only several specific implementation scenarios of the embodiments of the present invention are disclosed above; however, the embodiments of the present invention are not limited thereto, and any changes conceivable by a person skilled in the art shall fall within the scope of protection of the embodiments of the present invention.

Claims (10)

1. A distributed terminal admission control method, characterized in that it is applied in a distributed monitoring system including at least a management server, a plurality of switches and front-end devices, the front-end devices access the distributed monitoring system through the switches, control rules are configured in the switches, and the method specifically includes:
when a front-end device connected to a switch starts a new service, the switch updates the control rules configured in itself according to a control-rule update instruction sent by the management server, wherein the control-rule update instruction includes access permission information that the management server opens to the front-end device for executing the new service;
the switch judges whether the forwarding information of a received packet of the new service, sent by the front-end device connected to it, matches the updated control rules;
if so, the switch forwards the service packet to the corresponding interface; if not, the switch discards the service packet.
2. The method according to claim 1, characterized in that the initial content of the control rules configured in the switch is:
among the packets received from the front-end devices connected to the switch, only registration messages are allowed to be forwarded to the management server, and all other packets are discarded.
3. The method according to claim 2, characterized in that, before the front-end device connected to the switch starts a new service, the method further includes:
when the control rules configured in the switch have the initial content, the switch identifies whether a received packet sent by a front-end device connected to it is a registration message;
if the identification result is yes, the switch adds its own network address information and the information of the port through which it connects to the front-end device to the packet, and forwards the packet to the management server, so that the management server registers the front-end device and, after registration succeeds, stores the network address information of the switch and the port information;
when the switch receives a registration confirmation instruction returned by the management server, it sends the registration confirmation instruction to the front-end device.
4. The method according to claim 3, characterized in that the processing of the control-rule update instruction is specifically:
when the front-end device connected to the switch starts a new service, the management server determines the devices that the front-end device is allowed to access in the new service and the device ports that the front-end device is allowed to access;
the management server generates a control-rule entry with the network address information of the front-end device as source address information, the network address information of the device that the front-end device is allowed to access as destination address information, and the port information of the device port that the front-end device is allowed to access as destination port information;
according to the network address information of the switch corresponding to the front-end device, the management server sends to the switch a control-rule update instruction carrying the control-rule entry, so that the switch updates the content of its own control rules corresponding to the port to which the front-end device is connected.
5. The method according to claim 1, characterized in that it further includes:
when a front-end device connected to the switch terminates a service, the switch deletes, from the control rules configured in itself, the control-rule content corresponding to the terminated service, according to a control-rule deletion instruction sent by the management server.
6. A switch, characterized in that it is applied in a distributed monitoring system including at least a management server, a plurality of switches and front-end devices, the front-end devices access the distributed monitoring system through the switches, control rules are configured in the switch, and the switch specifically includes:
a communication module, for communicating with the front-end devices connected to the switch and with the management server;
a management module, for updating the control rules currently configured in the switch, when a front-end device connected to the switch starts a new service, according to the control-rule update instruction sent by the management server and received by the communication module, wherein the control-rule update instruction includes the access permission information that the management server opens to the front-end device for executing the new service;
a judgment module, for judging whether the forwarding information of the packets of the new service, sent by the front-end device connected to the switch and received by the communication module, matches the control rules updated by the management module;
a processing module, for notifying the communication module to forward the service packet to the corresponding interface when the judgment result of the judgment module is a match, or for discarding the service packet when the judgment result of the judgment module is not a match.
7. The switch according to claim 6, characterized in that the initial content of the control rules configured in the switch is:
among the packets received from the front-end devices connected to the switch, only registration messages are allowed to be forwarded to the management server, and all other packets are discarded.
8. The switch according to claim 7, characterized in that
the judgment module is further configured, when the control rules configured in the switch have the initial content, to identify whether a packet received by the communication module from a front-end device connected to the switch is a registration message;
the communication module is further configured, when the identification result of the judgment module is yes, to add the network address information of the switch and the information of the port through which the switch connects to the front-end device to the packet, and to forward the packet to the management server, so that the management server registers the front-end device and, after registration succeeds, stores the network address information of the switch and the port information; and, on receiving the registration confirmation instruction returned by the management server, to send the registration confirmation instruction to the front-end device.
9. The switch according to claim 8, characterized in that the processing of the control-rule update instruction is specifically:
when the front-end device connected to the switch starts a new service, the management server determines the port of the device that the front-end device is allowed to access in the new service;
the management server generates a control-rule entry with the network address information of the front-end device as source address information, the network address information of the device that the front-end device is allowed to access as destination address information, and the port information of the device port that the front-end device is allowed to access as destination port information;
according to the network address information of the switch corresponding to the front-end device, the management server sends to the switch a control-rule update instruction carrying the control-rule entry, so that the switch updates the content of its own control rules corresponding to the port to which the front-end device is connected.
10. The switch according to claim 6, characterized in that
the management module is further configured, when a front-end device connected to the switch terminates a service, to delete, from the control rules configured in the switch, the control-rule content corresponding to the terminated service, according to the control-rule deletion instruction sent by the management server and received by the communication module.
CN201610797251.6A 2016-08-31 2016-08-31 Distributed terminal access control method and device Active CN106411852B (en)
Publications (2)

Publication Number | Publication Date
CN106411852A (en) | 2017-02-15
CN106411852B (en) | 2020-01-14

Family

ID=58002047

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610797251.6A Active CN106411852B (en) 2016-08-31 2016-08-31 Distributed terminal access control method and device

Country Status (1)

Country Link
CN (1) CN106411852B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109218323A (en) * 2018-09-28 2019-01-15 山东超越数控电子股份有限公司 A kind of remote configuring method for firewall box
CN110830484A (en) * 2019-11-13 2020-02-21 深圳市信锐网科技术有限公司 Data message processing method and device, intranet switch and storage medium
CN112417402A (en) * 2020-11-27 2021-02-26 亿企赢网络科技有限公司 Authority control method, authority control device and storage medium
CN113489639A (en) * 2021-06-16 2021-10-08 杭州深渡科技有限公司 Gateway multi-interface data communication method and system

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1764971A1 (en) * 2005-09-20 2007-03-21 Accenture Global Services GmbH Third party access gateway for telecommunications services
CN101453377A (en) * 2008-12-15 2009-06-10 华为技术有限公司 Method, apparatus and system for suppressing redundant interaction of access node control protocol
CN102316119A (en) * 2011-10-12 2012-01-11 杭州华三通信技术有限公司 Security control method and equipment
CN102333099A (en) * 2011-10-27 2012-01-25 杭州华三通信技术有限公司 Security control method and equipment
CN102571511A (en) * 2010-12-29 2012-07-11 中国移动通信集团山东有限公司 Local area network access control system and method, and server
CN103684848A (en) * 2013-10-24 2014-03-26 浙江中控研究院有限公司 Non-management type industrial Ethernet switch capable of automatic configuration and realization method of switch
CN105009521A (en) * 2013-12-23 2015-10-28 华为技术有限公司 Message processing method and gateway
CN105491007A (en) * 2015-11-13 2016-04-13 浙江宇视科技有限公司 Video monitoring system safe admission method and apparatus
US20160191466A1 (en) * 2014-12-30 2016-06-30 Fortinet, Inc. Dynamically optimized security policy management
CN105812257A (en) * 2014-12-29 2016-07-27 中兴通讯股份有限公司 Business chain router management system and use method thereof
CN105871772A (en) * 2015-01-18 2016-08-17 吴正明 Working method of SDN network architecture aimed at network attack

Also Published As

Publication number Publication date
CN106411852B (en) 2020-01-14

Similar Documents

Publication Publication Date Title
EP3258663B1 (en) Verification method, apparatus and system for network application access
CN101203841B (en) Preventing fraudulent internet account access
EP3151144A1 (en) Method and network element for improved user authentication in communication networks
US8050275B1 (en) System and method for offering quality of service in a network environment
JP4791589B2 (en) System and method for providing dynamic network authorization, authentication and account
US20020110123A1 (en) Network connection control apparatus and method
JP2020516202A (en) Core network access provider
CN108781207B (en) Method and system for dynamically creating access control lists
CN106411852A (en) Distributed terminal access control method, and apparatus
CN108259432A (en) API call management method, device and system
CN101557406A (en) User terminal authentication method, device and system thereof
CN107707435B (en) Message processing method and device
CN100438427C (en) Network control method and equipment
US11706628B2 (en) Network cyber-security platform
CN103957194B (en) IP network protocol access method and access device
CN107360178A (en) Method for controlling network access using a whitelist
CN105656927B (en) Secure access method and system
CN109660535A (en) Method and apparatus for processing data in a Linux system
US11050606B2 (en) Automatically updating subscriber information in a content delivery network
US10524188B2 (en) Method and apparatus for cellular access point control
JP2005202970A (en) Security system and security method for firewall, and computer program product
JP6102351B2 (en) Content security management apparatus, method and program
CN113992412B (en) Implementation method of cloud native firewall and related equipment
JP2018029233A (en) Client terminal authentication system and client terminal authentication method
CN106453408A (en) Method and device for preventing counterfeited offline attack

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant