CN107070951A - A kind of intranet security guard system and method - Google Patents


Info

Publication number
CN107070951A
Authority
CN
China
Prior art keywords
virtual
address
module
intranet
network termination
Legal status
Pending (an assumption by Google Patents, not a legal conclusion)
Application number
CN201710388921.3A
Other languages
Chinese (zh)
Inventor
肖智华
杨永
张智睿
Current Assignee (as listed by Google Patents; may be inaccurate)
Beijing VRV Software Corp Ltd
Original Assignee
Beijing VRV Software Corp Ltd
Application filed by: Beijing VRV Software Corp Ltd
Priority to: CN201710388921.3A
Publication of: CN107070951A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Abstract

The invention discloses an intranet security protection system and method. The system comprises a pre-admission isolation security check module, a virtual IP address allocation module, a distributed real-time monitoring module and an intelligent learning module. Virtual IP addresses are allocated intelligently to intranet terminals, so that an intranet terminal accesses the intranet and the external network through its virtual IP address or virtual host name, external terminals cannot obtain the topology of the intranet, and the frequency at which a terminal's virtual IP address needs to change is derived by intelligent analysis of that terminal's behaviour. This breaks with the traditional static allocation of intranet addresses: by virtually changing the access IP address of an intranet terminal, the terminal is hidden inside a virtual environment and a virtual network topology is built, external terminals cannot accurately obtain the real information of intranet terminals, and intranet hosts are isolated from one another, so that attacks on the network are effectively defended against, the security of the intranet is strengthened, and intranet security protection is truly achieved.

Description

Intranet security protection system and method
Technical field
The present invention relates to the technical field of network security, and more particularly to an intranet security protection system and method.
Background
With the rapid development of network technology, more and more attention is being paid to network security. However, the complexity of computer and network attacks keeps rising, and such attacks are increasingly difficult to detect and stop with traditional firewalls and IDS (Intrusion Detection Systems). With the spread of viruses, worms, Trojans, backdoors and blended threats, security threats at the content layer and the network layer are becoming commonplace. Sophisticated worms and mail viruses such as Slammer, Blaster, Sasser, Sober and MyDoom propagate rapidly and can generally sweep the globe within a few hours.
To resist these threats, security technology has kept evolving as well: new technologies such as deep packet inspection firewalls, application gateway firewalls, content filtering, anti-spam, SSL VPN, network anti-virus and IPS are continuously being adopted.
However, defensive software such as antivirus software cannot handle an attacker who operates with legitimate software, and a firewall mainly defends against the external network; a firewall guarding the perimeter is practically useless when the attacker is inside the enterprise. With an exposed static network topology, an attacker can easily obtain the addresses of internal terminals and launch targeted attacks that paralyse the internal network. At the same time, because the IP addresses of intranet terminals are static and unchanging, intranet terminals can communicate with and access one another at any time, so that viruses propagate between them. How to truly achieve intranet security protection is therefore a problem that urgently needs to be solved.
Summary of the invention
Embodiments of the invention provide an intranet security protection system and method. Through the intelligent allocation of time-limited virtual IP addresses, intranet terminals are kept independent of one another: an intranet terminal can access the external network on its own, but intranet terminals cannot communicate with each other, so that intranet security protection is truly achieved.
In a first aspect, embodiments of the invention provide an intranet security protection system comprising a pre-admission isolation security check module, a virtual IP address allocation module, a distributed real-time monitoring module and an intelligent learning module, wherein:
the pre-admission isolation security check module performs a security evaluation before an intranet terminal accesses the network and decides whether the intranet terminal is allowed to join; if so, it sends a request command for the allocation of a virtual IP address and virtual host name and triggers the virtual IP address allocation module; otherwise it forbids the intranet terminal from joining and feeds back an alarm to the intranet terminal;
the virtual IP address allocation module receives the request command sent by the pre-admission isolation security check module, allocates a virtual IP address and virtual host name to the intranet terminal, and changes the virtual IP address and virtual host name of the corresponding intranet terminal at the change frequency determined by the intelligent learning module;
the distributed real-time monitoring module obtains the real-time security status data of the intranet terminal and collects the operation behaviour of the intranet terminal's user;
the intelligent learning module analyses the real-time security status data of the intranet terminal and the operation behaviour of the user, assesses the user's operating environment and operating habits, and determines the change frequency of the virtual IP address and virtual host name of the intranet terminal corresponding to that user.
Preferably, the system further comprises an encryption/decryption module for encrypting and/or decrypting the virtual IP address and virtual host name of the intranet terminal.
Preferably, for the case where different intranet terminals need to access one another, the system further comprises a virtual host name resolution module, a virtual IP address resolution module and a terminal information list library module, wherein:
the virtual host name resolution module queries the virtual host name of an intranet terminal;
the virtual IP address resolution module queries the virtual IP address of an intranet terminal;
the terminal information list library module stores the information of intranet terminals, which includes but is not limited to the MAC address, user name, access IP address, virtual IP address, virtual host name and organisation ID.
Preferably, the system further comprises a DHCP service module that supports the intranet terminal in obtaining resolution, dialogue, route agent, packet encapsulation requests and recursive queries from the DHCP service of the external network.
Preferably, the system further comprises a virtual address rule library module for storing virtual IP addresses in an irregular, non-sequential order.
In a second aspect, embodiments of the invention provide an intranet security protection method comprising:
S1: performing a security evaluation through the pre-admission isolation security check module before an intranet terminal accesses the network, and deciding whether the intranet terminal is allowed to join; if so, sending a request command for the allocation of a virtual IP address and virtual host name and triggering S2; otherwise forbidding the intranet terminal from joining and feeding back an alarm to the intranet terminal;
S2: receiving, through the virtual IP address allocation module, the request command sent by the pre-admission isolation security check module, and allocating a virtual IP address and virtual host name to the intranet terminal;
S3: obtaining the real-time security status data of the intranet terminal through the distributed real-time monitoring module and collecting the operation behaviour of the intranet terminal's user;
S4: analysing, through the intelligent learning module, the real-time security status data of the intranet terminal and the operation behaviour of the user, assessing the user's operating environment and operating habits, and determining the change frequency of the virtual IP address and virtual host name of the intranet terminal corresponding to that user;
S5: changing, through the virtual IP address allocation module, the virtual IP address and virtual host name of the corresponding intranet terminal at the change frequency determined by the intelligent learning module.
Preferably, the method further comprises encrypting and/or decrypting the virtual IP address and virtual host name of the intranet terminal through the encryption/decryption module.
Preferably, when different intranet terminals need to access one another, the method further comprises:
querying the virtual IP address and virtual host name of one of the intranet terminals through the virtual host name resolution module and the virtual IP address resolution module;
calling the visible information of that intranet terminal through the terminal information list library module and querying the access IP address with which it reaches the external network, so that the different intranet terminals can communicate.
Preferably, the method further comprises supporting the intranet terminal, through the DHCP service module, in obtaining resolution, dialogue, route agent, packet encapsulation requests and recursive queries from the DHCP service of the external network.
Preferably, the method further comprises storing virtual IP addresses in an irregular, non-sequential order through the virtual address rule library module.
Embodiments of the invention thus provide an intranet security protection system and method in which virtual IP addresses are allocated intelligently to intranet terminals, so that an intranet terminal can access the intranet and the external network through its virtual IP address or virtual host name, external terminals cannot obtain the topology of the intranet, and the frequency at which the virtual IP address needs to change is derived by intelligent analysis of the intranet terminal's behaviour. The invention breaks with the traditional static allocation of intranet addresses: by virtually changing the access IP address of an intranet terminal, the terminal is hidden inside a virtual environment and a virtual network topology is built, external terminals cannot accurately obtain the real information of intranet terminals, and intranet hosts are isolated from one another (this can also be configured manually), so that attacks on the network are effectively defended against, the security of the intranet is strengthened, and intranet security protection is truly achieved.
Brief description of the drawings
In order to explain the embodiments of the invention or the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the overall structure of an intranet security protection system provided by an embodiment of the invention;
Fig. 2 is a schematic structural diagram of the pre-admission isolation security check module in an intranet security protection system provided by an embodiment of the invention;
Fig. 3 is a schematic structural diagram of the virtual address allocation module in an intranet security protection system provided by an embodiment of the invention;
Fig. 4 is a workflow diagram of the DHCP service module in an intranet security protection system provided by an embodiment of the invention;
Fig. 5 is a flow chart of an intranet security protection method provided by an embodiment of the invention.
Detailed description
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the technical solution of the embodiments is described below clearly and completely with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Embodiments of the invention provide an intranet security protection system which may comprise a pre-admission isolation security check module, a virtual IP address allocation module, a distributed real-time monitoring module and an intelligent learning module, wherein:
the pre-admission isolation security check module performs a security evaluation before an intranet terminal accesses the network and decides whether the intranet terminal is allowed to join; if so, it sends a request command for the allocation of a virtual IP address and virtual host name and triggers the virtual IP address allocation module; otherwise it forbids the intranet terminal from joining and feeds back an alarm to the intranet terminal;
the virtual IP address allocation module receives the request command sent by the pre-admission isolation security check module, allocates a virtual IP address and virtual host name to the intranet terminal, and changes the virtual IP address and virtual host name of the corresponding intranet terminal at the change frequency determined by the intelligent learning module;
the distributed real-time monitoring module obtains the real-time security status data of the intranet terminal and collects the operation behaviour of the intranet terminal's user;
the intelligent learning module analyses the operation behaviour of the user, assesses the user's operating habits and operating environment, and determines the change frequency of the virtual IP address and virtual host name of the intranet terminal corresponding to that user.
In this embodiment, virtual IP addresses are allocated intelligently to intranet terminals, so that an intranet terminal can access the intranet and the external network through its virtual IP address or virtual host name, external terminals cannot obtain the topology of the intranet, and the frequency at which the virtual IP address needs to change is derived by intelligent analysis of the intranet terminal's behaviour. The invention breaks with the traditional static allocation of intranet addresses: by virtually changing the access IP address of an intranet terminal, the terminal is hidden inside a virtual environment and a virtual network topology is built, external terminals cannot accurately obtain the real information of intranet terminals, and intranet hosts are isolated from one another (this can also be configured manually), so that attacks on the network are effectively defended against, the security of the intranet is strengthened, and intranet security protection is truly achieved.
To explain the technical solution more clearly, the intranet security protection system provided by the embodiments of the invention is described in detail below with reference to the drawings.
In this embodiment, the overall structure of the intranet security protection system is shown in Fig. 1. The system may comprise a pre-admission isolation security check module, a virtual IP address allocation module, a distributed real-time monitoring module, an intelligent learning module, an encryption/decryption module, a DHCP service module, a virtual address rule library module, a virtual host name resolution module, a virtual IP address resolution module and a terminal information list library module.
The pre-admission isolation security check module performs a security evaluation before an intranet terminal accesses the network and determines whether the terminal is allowed to join. If so, it sends a request command for the allocation of a virtual IP address and virtual host name and triggers the virtual IP address allocation module; otherwise it forbids the terminal from joining and feeds back an alarm to it. Referring to Fig. 2, in a particular embodiment the module performs a security assessment of the intranet terminal, derives a security score for it by intelligent analysis, and on that basis decides whether the terminal may join. If the score is below the preset security baseline value, the terminal is forbidden from joining and an alarm is fed back to it; the terminal may also be notified to remediate so that it meets the security conditions. If the score meets the requirements of the internal environment, the request command is tagged, encrypted and sent to the virtual address allocation module.
As shown in Fig. 3, the virtual address allocation module receives the request command sent by the pre-admission isolation security check module, decrypts the request data, calls the virtual address rule library module, sends a confirmation request to the intranet terminal, and after receiving the terminal's feedback automatically allocates an address to the intranet terminal that sent the request command, so that the terminal obtains external network access rights and can reach the Internet. The DHCP service module supports the intranet terminal in obtaining resolution, dialogue, route agent, packet encapsulation requests, recursive queries and so on from the DHCP service of the external network; the DHCP address acquisition process is shown in Fig. 4. Meanwhile, the distributed real-time monitoring module obtains the real-time security status data of the intranet terminal and any violations committed by the terminal after joining the network, controls and adjusts the security status baseline parameters, collects the operation behaviour of the user on the intranet terminal, and feeds that behaviour back to the intelligence module library. The intelligent learning module then applies machine learning methods to analyse the user's behaviour in accessing different websites and operating databases, judges the operating habits and operating environment of the different intranet terminal users, and determines the frequency of random virtual IP address changes and the complexity of the virtual IP addresses. When different intranet terminals need to access one another, the virtual host name resolution module and the virtual IP address resolution module are called to query the virtual IP address and virtual host name of one of the intranet terminals, and the terminal information list library module is called for that terminal's partially visible information in order to query the real IP address with which it accesses the external network, thereby realising communication and data exchange between the different intranet terminals. In this process, the information resolved by the virtual IP address resolution module and the virtual host name resolution module must match the information held in the terminal information list library module before mutual access is granted.
It should be explained that throughout the process the virtual address allocation module coordinates all intranet terminals that satisfy all conditions, uniformly matches their information, orchestrates the cooperation between the modules, and issues available virtual IP addresses to the eligible intranet terminals. The virtual address rule library module is the repository of all virtual addresses; it stores the randomly generated dynamic virtual addresses in an irregular, non-sequential order so that an attacker cannot predict or steal them. The module also supports customisation: a user can set their own rules and generate a custom rule library. Virtual IP addresses support IPv4, IPv6, MAC address, domain name, custom list number and other formats. The encryption/decryption module then encrypts and decrypts the virtual IP addresses.
Overall, the intranet security protection system provided by the embodiments of the invention is a multi-layer protection system which can broadly be divided into four layers:
First layer: isolation check layer
1. Assessment unit: evaluates and tallies the security situation of intranet terminals against the intelligence database;
2. Alarm unit: the data tallied by the assessment unit are processed intelligently to produce an analysis result, which is fed back to the intranet terminal as a prompt or alarm;
3. Recognition unit: automatically recognises and processes newly connected devices in the background;
Second layer: virtual IP address allocation layer
1. When the security assessment score of an intranet terminal reaches the required safe range, the virtual address library automatically encrypts and transmits a virtual IP address and signals that it may be allocated;
2. The terminal receives the feedback and obtains the virtual IP address automatically;
3. When the address lease expires, the terminal sends a request and an address is reallocated according to the actual environment;
Third layer: real-time behavioural data analysis layer
1. Analyses the system's management behaviour toward intranet terminals;
2. Analyses attacks on intranet terminals from the external network and from within the intranet;
3. Analyses the operation behaviour of intranet terminal users;
4. Terminals found in violation are automatically suspended and are not reallocated a virtual IP address;
Fourth layer: intelligent learning module
1. Intelligently analyses the behaviour of intranet terminal users and determines the change frequency of virtual IP addresses, the conditions under which they are generated, and their complexity.
Embodiments of the invention provide an intranet security protection method which may comprise the following steps:
S1: performing a security evaluation through the pre-admission isolation security check module before an intranet terminal accesses the network, and deciding whether the intranet terminal is allowed to join; if so, sending a request command for the allocation of a virtual IP address and virtual host name and triggering S2; otherwise forbidding the intranet terminal from joining and feeding back an alarm to the intranet terminal.
In a particular embodiment, step S1 may first perform a security assessment of the intranet terminal through the pre-admission isolation security check module, derive the terminal's security score by intelligent analysis, and decide whether the terminal may join. If the score is below the preset security baseline value, the terminal is forbidden from joining; if the score meets the requirements of the internal environment, the request command is tagged, encrypted and sent to the virtual IP address allocation module, requesting the allocation of an available virtual address and virtual host name.
S2: receiving, through the virtual IP address allocation module, the request command sent by the pre-admission isolation security check module, and allocating a virtual IP address and virtual host name to the intranet terminal.
In a particular embodiment, step S2 may receive the request command through the virtual address allocation module, decrypt the request data, call the virtual address rule library module, send a confirmation request to the intranet terminal, and after receiving the terminal's feedback automatically allocate an address to the intranet terminal that sent the request, so that the terminal obtains external network access rights and can reach the Internet.
S3: obtaining the real-time security status data of the intranet terminal through the distributed real-time monitoring module and collecting the operation behaviour of the intranet terminal's user.
S4: analysing the operation behaviour of the user through the intelligent learning module, assessing the user's operating habits and operating environment, and determining the change frequency of the virtual IP address and virtual host name of the intranet terminal corresponding to that user.
S5: changing, through the virtual IP address allocation module, the virtual IP address and virtual host name of the corresponding intranet terminal at the change frequency determined by the intelligent learning module.
When different intranet terminals need to access one another, the method may further comprise:
S6: querying the virtual IP address and virtual host name of one of the intranet terminals through the virtual host name resolution module and the virtual IP address resolution module, calling that terminal's partially visible information through the terminal information list library module, and looking up the real IP address with which the intranet terminal accesses the external network.
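The flow described in steps S1 to S6 above (and laid out once more as the four-layer architecture) can be followed end to end in a small simulation. The code below is an added illustration written for this page; it is not code from the patent or from Beijing VRV Software. The baseline score of 60, the 10.200.0.0/16 virtual pool, the `vh-` host-name scheme, the rotation-period heuristic standing in for the intelligent learning module, and the three terminals with their behaviour records are all constructed for the example. The encryption/decryption module and the DHCP service module are left out, and only IPv4 virtual addresses are drawn, although the patent also allows IPv6, MAC, domain-name and custom formats.

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SECURITY_BASELINE = 60   # assumed score threshold; the patent only says a preset baseline exists


@dataclass
class Terminal:
    """One row of the terminal information list library."""
    mac: str
    user: str
    real_ip: str                        # access IP actually used to reach the external network
    org_id: str
    virtual_ip: Optional[str] = None
    virtual_host: Optional[str] = None
    rotation_period: int = 0            # seconds between virtual address changes, set in S4
    issued_at: int = 0
    suspended: bool = False


class VirtualAddressRuleLibrary:
    """Virtual address rule library: hands out pool addresses in random, non-sequential order."""

    def __init__(self, cidr: str, seed: Optional[int] = None) -> None:
        self.net = ipaddress.ip_network(cidr)
        self.rng = random.Random(seed)  # seeded only so the demo is reproducible
        self.in_use: set = set()

    def draw(self) -> str:
        hosts = self.net.num_addresses - 2           # skip network and broadcast addresses
        for _ in range(10_000):
            addr = str(self.net.network_address + self.rng.randrange(1, hosts + 1))
            if addr not in self.in_use:
                self.in_use.add(addr)
                return addr
        raise RuntimeError("virtual address pool exhausted")


def admission_check(score: int) -> bool:
    """S1: the terminal may join only if its security score reaches the baseline."""
    return score >= SECURITY_BASELINE


def rotation_period(behavior: List[Tuple[str, str]]) -> int:
    """S4 stand-in for the learning module: risky actions shorten the period (bounds assumed)."""
    risky = sum(1 for action, _ in behavior if action in ("db_op", "external_site"))
    return max(60, 3600 // (1 + risky))


class IntranetGuard:
    def __init__(self, pool: VirtualAddressRuleLibrary) -> None:
        self.pool = pool
        self.table: Dict[str, Terminal] = {}         # terminal information list library, by MAC

    def _assign(self, t: Terminal, now: int) -> None:
        new_ip = self.pool.draw()                    # draw first so the replacement always differs
        if t.virtual_ip:
            self.pool.in_use.discard(t.virtual_ip)
        t.virtual_ip, t.issued_at = new_ip, now
        t.virtual_host = "vh-" + new_ip.replace(".", "-")   # assumed host-name scheme

    def admit(self, t: Terminal, score: int, now: int) -> bool:
        """S1 + S2: refused terminals get no table entry and no virtual identity."""
        if not admission_check(score):
            return False                             # forbid access and raise an alarm
        self._assign(t, now)
        self.table[t.mac] = t
        return True

    def observe(self, t: Terminal, behavior: List[Tuple[str, str]]) -> None:
        """S3 + S4: monitoring data in, rotation period out; violators are suspended."""
        t.rotation_period = rotation_period(behavior)
        if any(action == "violation" for action, _ in behavior):
            t.suspended = True                       # third layer, item 4: no reallocation

    def tick(self, now: int) -> None:
        """S5: rotate every active terminal whose period has elapsed."""
        for t in self.table.values():
            if not t.suspended and t.rotation_period and now - t.issued_at >= t.rotation_period:
                self._assign(t, now)

    def resolve(self, virtual_ip: str, virtual_host: str) -> Optional[str]:
        """S6: both resolved values must match one table row before the real IP is released."""
        for t in self.table.values():
            if (t.virtual_ip, t.virtual_host) == (virtual_ip, virtual_host) and not t.suspended:
                return t.real_ip
        return None


def run_scenario() -> dict:
    """Walk three constructed terminals through S1-S6 and report the outcome."""
    guard = IntranetGuard(VirtualAddressRuleLibrary("10.200.0.0/16", seed=7))
    alice = Terminal("aa:bb:cc:00:00:01", "alice", "192.0.2.10", "org-1")
    bob = Terminal("aa:bb:cc:00:00:02", "bob", "192.0.2.11", "org-1")
    carol = Terminal("aa:bb:cc:00:00:03", "carol", "192.0.2.12", "org-2")
    admitted = {t.user: guard.admit(t, score, now=0) for t, score in ((alice, 85), (bob, 70), (carol, 40))}
    # constructed behaviour samples, as the monitoring module would collect them
    guard.observe(alice, [("web", "wiki"), ("db_op", "hr-db"), ("db_op", "hr-db"), ("external_site", "example.org")])
    guard.observe(bob, [("web", "wiki")])
    alice_vip0, alice_host0, bob_vip0 = alice.virtual_ip, alice.virtual_host, bob.virtual_ip
    real_before = guard.resolve(alice_vip0, alice_host0)  # bob reaches alice while her lease is fresh
    guard.tick(now=alice.rotation_period)                 # alice's period has elapsed, bob's has not
    return {
        "admitted": admitted,
        "alice_period": alice.rotation_period,
        "bob_period": bob.rotation_period,
        "alice_rotated": alice.virtual_ip != alice_vip0,
        "bob_rotated": bob.virtual_ip != bob_vip0,
        "real_before": real_before,
        "stale_lookup": guard.resolve(alice_vip0, alice_host0),
        "fresh_lookup": guard.resolve(alice.virtual_ip, alice.virtual_host),
        "carol_in_table": carol.mac in guard.table,
    }
```

Running `run_scenario()` exercises the properties a practitioner should check in such a design: a terminal scoring below the baseline never gets a row in the terminal information table, so nothing can be resolved for it; once a terminal's virtual address has rotated, the stale (virtual IP, virtual host) pair no longer resolves, which is the property that denies an outside observer a durable map of the intranet; and resolution succeeds only when both resolved values match a single row, as the description requires. Note that the real access IP is still held in the table, so the table itself is the asset that must be protected.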
In summary, the embodiments of the invention have at least the following beneficial effects:
1. Virtual IP addresses are allocated intelligently to intranet terminals, so that an intranet terminal can access the intranet and the external network through its virtual IP address or virtual host name, external terminals cannot obtain the topology of the intranet, and the frequency at which the virtual IP address needs to change, as well as its complexity, are derived by intelligent analysis of the intranet terminal's behaviour. The invention breaks with the traditional static allocation of intranet addresses: by virtually changing the access IP address of an intranet terminal, the terminal is hidden inside a virtual environment and a virtual network topology is built, external terminals cannot accurately obtain the real information of intranet terminals, and intranet hosts are isolated from one another (this can also be configured manually), so that attacks on the network are effectively defended against, the security of the intranet is strengthened, and intranet security protection is truly achieved.
2. Intranet terminals are automatically hidden within the network and their access is made independent, which improves the ability of intranet terminals and the intranet as a whole to resist external attacks and removes the risk that a virus on a single intranet terminal penetrates the whole intranet.
3. Because intranet terminals use allocated virtual IP addresses, a self-built virtual topology of intranet terminals is what the external network sees when it accesses the intranet, so that attacks from the external network are rendered passive.
4. Intranet violations can be traced to their source: through real-time monitoring, intranet terminal information such as the user name and ID is used to query and locate the specific offending intranet terminal, so that the danger is excluded quickly and the security of the intranet is guaranteed.
5. Virtual IP addresses are protected by strict encryption, which increases the difficulty for the external network of obtaining an intranet terminal's virtual IP address and further guarantees the security of the intranet terminal.
6. Without a manual query of the intranet terminal configuration, intranet terminals cannot communicate with one another; access isolation and independence of intranet terminals is achieved, preventing a virus from spreading from a single intranet terminal to all intranet terminals.
It should be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of further identical elements in the process, method, article or device that includes that element.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes ROM, RAM, magnetic disks, optical discs and other media capable of storing program code.
Finally, it should be noted that the foregoing describes only preferred embodiments of the invention, intended to illustrate its technical solution rather than to limit its scope. Any modification, equivalent substitution or improvement made within the spirit and principles of the invention falls within its scope of protection.

Claims (10)

1. An intranet security protection system, characterised in that the system comprises: a pre-access isolation security check module, a virtual IP address allocation module, a distributed real-time monitoring module and an intelligent learning module, wherein:
the pre-access isolation security check module is configured to perform a security assessment before an intranet terminal accesses the network and to decide whether the intranet terminal is allowed to access the network; if so, it sends a request command for allocating a virtual IP address and a virtual hostname and triggers the virtual IP address allocation module; otherwise, it forbids the intranet terminal from accessing the network and sends an alarm back to the intranet terminal;
the virtual IP address allocation module is configured to receive the request command sent by the pre-access isolation security check module, allocate a virtual IP address and a virtual hostname to the intranet terminal, and change the virtual IP address and virtual hostname of the corresponding intranet terminal at the change frequency determined by the intelligent learning module;
the distributed real-time monitoring module is configured to obtain the real-time security status data of the intranet terminal and to collect the operation behaviour of the intranet terminal's user;
the intelligent learning module is configured to analyse the real-time security status data of the intranet terminal and the operation behaviour of the user, assess the operating environment and operating habits of the user, and determine the change frequency of the virtual IP address and virtual hostname of the intranet terminal corresponding to that user.
2. The intranet security protection system according to claim 1, characterised in that the system further comprises: an encryption and decryption module, configured to encrypt and/or decrypt the virtual IP address and virtual hostname of the intranet terminal.
3. The intranet security protection system according to claim 1, characterised in that, when different intranet terminals need to access each other, the system further comprises: a virtual hostname resolution module, a virtual IP address resolution module and a terminal information list library module, wherein:
the virtual hostname resolution module is configured to query the virtual hostname of an intranet terminal;
the virtual IP address resolution module is configured to query the virtual IP address of an intranet terminal;
the terminal information list library module is configured to store information about intranet terminals, where the information about an intranet terminal includes, but is not limited to, MAC address, user name, access IP address, virtual IP address, virtual hostname and organisation ID.
4. The intranet security protection system according to claim 1, characterised in that the system further comprises: a DHCP service module, configured to support intranet terminals in obtaining DHCP service resolution, session, route proxy, packet encapsulation request and recursive query from the external network.
5. The intranet security protection system according to any one of claims 1 to 4, characterised in that the system further comprises: a virtual address rule library module, configured to store virtual IP addresses in an irregular, patternless order.
6. An intranet security protection method, characterised in that the method comprises:
S1: performing, by the pre-access isolation security check module, a security assessment before an intranet terminal accesses the network, and judging whether the intranet terminal is allowed to access the network; if so, sending a request command for allocating a virtual IP address and a virtual hostname and triggering S2; otherwise, forbidding the intranet terminal from accessing the network and sending an alarm back to the intranet terminal;
S2: receiving, by the virtual IP address allocation module, the request command sent by the pre-access isolation security check module, and allocating a virtual IP address and a virtual hostname to the intranet terminal;
S3: obtaining, by the distributed real-time monitoring module, the real-time security status data of the intranet terminal, and collecting the operation behaviour of the intranet terminal's user;
S4: analysing, by the intelligent learning module, the real-time security status data of the intranet terminal and the operation behaviour of the user, assessing the operating environment and operating habits of the user, and determining the change frequency of the virtual IP address and virtual hostname of the intranet terminal corresponding to that user;
S5: changing, by the virtual IP address allocation module, the virtual IP address and virtual hostname of the corresponding intranet terminal at the change frequency determined by the intelligent learning module.
7. The intranet security protection method according to claim 6, characterised in that the method further comprises: encrypting and/or decrypting, by the encryption and decryption module, the virtual IP address and virtual hostname of the intranet terminal.
8. The intranet security protection method according to claim 6, characterised in that, when different intranet terminals need to access each other, the method further comprises:
querying the virtual IP address and virtual hostname of one of the intranet terminals through the virtual hostname resolution module and the virtual IP address resolution module;
retrieving the visible information of the intranet terminal through the terminal information list library module, and querying the access IP address used for accessing the external network, so that the different intranet terminals can communicate with each other.
9. The intranet security protection method according to claim 6, characterised in that the method further comprises: supporting, through the DHCP service module, intranet terminals in obtaining DHCP service resolution, session, route proxy, packet encapsulation request and recursive query from the external network.
10. The intranet security protection method according to any one of claims 6 to 9, characterised in that the method further comprises: storing virtual IP addresses in an irregular, patternless order through the virtual address rule library module.
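Steps S1 to S5 of claim 6, together with the irregular address pool of claim 10, form one pipeline: admission check, allocation from a patternless pool, a risk-driven change frequency, and the rotation itself. The Python simulation below is an added example, not code from the patent or from Beijing VRV. The compliance thresholds, the risk weights, the hostname derivation and the one-hour base interval are all assumptions; the patent specifies none of them.

```python
"""Admission check, irregular virtual-IP pool, learning-driven rotation
interval and the rotation itself (added example, not the patent's code)."""
import hashlib
import ipaddress
import random
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed policy constants for this example; the patent fixes no values.
MIN_PATCH_LEVEL = 3
ROTATION_BASE_SECONDS = 3600   # slowest rotation, used for a zero-risk user
ROTATION_FLOOR_SECONDS = 60    # never rotate faster than this


@dataclass
class Terminal:
    mac: str
    patch_level: int          # real-time security status data (constructed)
    antivirus_on: bool
    failed_logins: int        # user operation behaviour (constructed)
    after_hours_logins: int
    virtual_ip: Optional[str] = None
    virtual_hostname: Optional[str] = None
    rotate_every_s: int = ROTATION_BASE_SECONDS


def pre_access_check(t: Terminal) -> bool:
    """Pre-access isolation security check (S1): deny non-compliant terminals."""
    return t.patch_level >= MIN_PATCH_LEVEL and t.antivirus_on


class VirtualAddressRuleLibrary:
    """Virtual address rule library (claim 10): the pool is kept in a shuffled,
    patternless order so successive allocations are not adjacent addresses."""

    def __init__(self, cidr: str, seed: int) -> None:
        self.free: List[ipaddress.IPv4Address] = list(ipaddress.ip_network(cidr).hosts())
        random.Random(seed).shuffle(self.free)   # fixed seed only for reproducibility

    def take(self) -> str:
        return str(self.free.pop())

    def release(self, ip: str) -> None:
        # Returned addresses go to the back of the queue, delaying their reuse.
        self.free.insert(0, ipaddress.ip_address(ip))


def virtual_hostname(mac: str, epoch: int) -> str:
    """Derive a hostname that changes with every rotation epoch (assumption:
    the patent does not specify how hostnames are generated)."""
    return "vh-" + hashlib.sha256(f"{mac}:{epoch}".encode()).hexdigest()[:10]


def risk_score(t: Terminal) -> float:
    """Intelligent learning module (S4): blend security status and behaviour
    into a score in [0, 1]; the weights are assumptions for the example."""
    score = 0.0 if t.antivirus_on else 0.4
    score += 0.1 * max(0, MIN_PATCH_LEVEL - t.patch_level)
    score += min(0.3, 0.05 * t.failed_logins)
    score += min(0.2, 0.05 * t.after_hours_logins)
    return min(score, 1.0)


def rotation_interval(score: float) -> int:
    """Change frequency: higher risk means a shorter interval between changes."""
    return max(ROTATION_FLOOR_SECONDS, int(ROTATION_BASE_SECONDS * (1.0 - score)))


class VirtualIpAllocator:
    """Virtual IP address allocation module (S2 and S5)."""

    def __init__(self, library: VirtualAddressRuleLibrary) -> None:
        self.lib = library
        self.epoch: Dict[str, int] = {}

    def allocate(self, t: Terminal) -> None:
        self.epoch[t.mac] = 0
        t.virtual_ip = self.lib.take()
        t.virtual_hostname = virtual_hostname(t.mac, 0)

    def rotate(self, t: Terminal) -> None:
        """Replace both identifiers and hand the old address back to the pool."""
        old_ip = t.virtual_ip
        self.epoch[t.mac] = self.epoch.get(t.mac, 0) + 1
        t.virtual_ip = self.lib.take()
        t.virtual_hostname = virtual_hostname(t.mac, self.epoch[t.mac])
        if old_ip:
            self.lib.release(old_ip)


def admit(t: Terminal, allocator: VirtualIpAllocator) -> bool:
    """Run S1 to S4 once for one terminal; returns False when access is denied."""
    if not pre_access_check(t):
        return False            # the claimed system also alarms the terminal here
    allocator.allocate(t)
    t.rotate_every_s = rotation_interval(risk_score(t))
    return True
```

Usage: build a `VirtualAddressRuleLibrary("10.200.0.0/24", seed=7)`, wrap it in a `VirtualIpAllocator`, and call `admit()` for each terminal; a terminal with antivirus off is refused with no address consumed, a quiet compliant user keeps the one-hour interval, and a user with repeated failed and after-hours logins is rotated twice as often. A scheduler would then call `rotate()` every `rotate_every_s` seconds and re-run `risk_score()` as new monitoring data arrives.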
CN201710388921.3A 2017-05-25 2017-05-25 A kind of intranet security guard system and method Pending CN107070951A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710388921.3A CN107070951A (en) 2017-05-25 2017-05-25 A kind of intranet security guard system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710388921.3A CN107070951A (en) 2017-05-25 2017-05-25 A kind of intranet security guard system and method

Publications (1)

Publication Number Publication Date
CN107070951A true CN107070951A (en) 2017-08-18

Family

ID=59610748

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710388921.3A Pending CN107070951A (en) 2017-05-25 2017-05-25 A kind of intranet security guard system and method

Country Status (1)

Country Link
CN (1) CN107070951A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070266127A1 (en) * 2006-05-10 2007-11-15 Richter Andrew H Internal virtual local area network (lan)
CN101110730A (en) * 2007-06-25 2008-01-23 中兴通讯股份有限公司 Method for implementing Ethernet multicast based on internetwork grouping management agreement
CN101567888A (en) * 2008-12-29 2009-10-28 郭世泽 Safety protection method of network feedback host computer
CN101588360A (en) * 2009-07-03 2009-11-25 深圳市安络大成科技有限公司 Associated equipment and method for internal network security management
CN102833107A (en) * 2012-08-29 2012-12-19 北京神州绿盟信息安全科技股份有限公司 Safety access method and system
CN102882850A (en) * 2012-09-03 2013-01-16 广东电网公司电力科学研究院 Cryptographic device and method thereof for isolating data by employing non-network way
CN105025016A (en) * 2015-06-30 2015-11-04 公安部第一研究所 Internal-network terminal admission control method
CN105721457A (en) * 2016-01-30 2016-06-29 耿童童 Network security defense system and network security defense method based on dynamic transformation

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110287252A (en) * 2019-06-27 2019-09-27 南方电网科学研究院有限责任公司 A kind of data safety guard system
CN110677404A (en) * 2019-09-25 2020-01-10 四川新网银行股份有限公司 User access control method for Linux host
CN111181926A (en) * 2019-12-13 2020-05-19 中国人民解放军战略支援部队信息工程大学 Security device based on mimicry defense idea and operation method thereof
CN111181926B (en) * 2019-12-13 2022-04-05 中国人民解放军战略支援部队信息工程大学 Security device based on mimicry defense idea and operation method thereof
CN113568703A (en) * 2021-06-16 2021-10-29 盐城一方信息技术有限公司 Computer network security system based on virtualization technology
CN113568703B (en) * 2021-06-16 2024-04-05 江苏言安信息技术有限公司 Computer network security system based on virtualization technology
CN113783724A (en) * 2021-08-27 2021-12-10 国网江苏省电力有限公司南通供电分公司 Terminal access monitoring early warning platform
CN114338597A (en) * 2021-11-30 2022-04-12 奇安信科技集团股份有限公司 Network access method and device
CN115065557A (en) * 2022-08-05 2022-09-16 国网浙江省电力有限公司 Data security interaction method suitable for multiple systems
CN115065557B (en) * 2022-08-05 2022-11-04 国网浙江省电力有限公司 Data security interaction method suitable for multiple systems

Similar Documents

Publication Publication Date Title
CN107070951A (en) A kind of intranet security guard system and method
CN107454109B (en) Network privacy stealing behavior detection method based on HTTP traffic analysis
CN102082836B (en) DNS (Domain Name Server) safety monitoring system and method
CN112291232B (en) Safety capability and safety service chain management platform based on tenants
CN111600856B (en) Safety system of operation and maintenance of data center
JP4373779B2 (en) Stateful distributed event processing and adaptive maintenance
CN104144063B (en) Web portal security monitoring and alarming system based on log analysis and firewall security matrix
US7743420B2 (en) Dynamic learning method and adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications
CN104219200B (en) A kind of apparatus and method for taking precautions against DNS cache attack
Martins et al. Towards a systematic threat modeling approach for cyber-physical systems
EP2866411A1 (en) Method and system for detecting unauthorized access to and use of network resources with targeted analytics
CN104079528A (en) Method and system of safety protection of Web application
CN104509034A (en) Pattern consolidation to identify malicious activity
CN104166812A (en) Database safety access control method based on independent authorization
CN105635046B (en) A kind of filtering of database command row blocks auditing method and device
CN107733706A (en) The illegal external connection monitoring method and system of a kind of no agency
CN108259432A (en) A kind of management method of API Calls, equipment and system
CN110493195A (en) A kind of network access control method and system
CN107786532A (en) The system and method that Virtual honeypot is used in industrial automation system and cloud connector
CN103634786A (en) Method and system for security detection and repair of wireless network
CN114598525A (en) IP automatic blocking method and device for network attack
CN107566363A (en) A kind of SQL injection attack guarding method based on machine learning
CN109995720A (en) Heterogeneous device manages method, apparatus, system, equipment and medium concentratedly
CN107360198A (en) Suspicious domain name detection method and system
CN102045366A (en) Method for actively discovering network attacked by viruses

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Xiao Zhihua
Inventor after: Yang Yong
Inventor after: Zhang Zhirui
Inventor before: Xiao Zhihua
Inventor before: Yang Yong
Inventor before: Zhang Zhirui

RJ01 Rejection of invention patent application after publication

Application publication date: 20170818