CN108616490B - Network access control method, device and system - Google Patents

Info

Publication number
CN108616490B
Authority
CN
China
Prior art keywords
address information
network
network access
accessed
service server
Prior art date
Legal status
Active
Application number
CN201611146932.2A
Other languages
Chinese (zh)
Other versions
CN108616490A (en)
Inventor
潘林锋
罗根
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201611146932.2A
Priority to PCT/CN2017/112080 (WO2018107943A1)
Publication of CN108616490A
Application granted
Publication of CN108616490B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies

Abstract

An embodiment of the present invention provides a network access control system comprising a client, a network control device, a proxy server and a service server. The client sends a network access request to the network control device; the network control device judges whether the target address information in the request belongs to a first white list and, if so, sends the request to the proxy server corresponding to that target address information. The proxy server then judges whether the address information of the service server to be accessed belongs to a second white list and, if so, sends the request to that service server. The network access method therefore only requires the address information and port of the proxy server in use to be configured at the network control device, with the address information and ports of the service servers allowed to be accessed configured at the proxy server, which simplifies the configuration of the network control device by enterprise network administrators.

Description

Network access control method, device and system
Technical Field
The invention relates to the technical field of data processing, and in particular to a network access control method, device and system.
Background
With the continuous development of science and technology, users' need to access the network has become ever more common. However, enterprises may need to control access to the corporate network for various purposes.
For example, enterprise employees may be prohibited from browsing news, shopping online, playing games and the like during working hours, so as to improve their working efficiency; as another example, employees may be prohibited from using the network to leak the company's core confidential files and internal documents, or external malicious users may be prevented from intruding into the company's internal network to steal company secrets.
Therefore, as shown in fig. 1, an enterprise network administrator A typically controls access to the enterprise network by configuring a black list and a white list on a network control device 1 (such as a switch, router or firewall) at the exit of the enterprise network.
The inventor has found that control of the enterprise's external network access is thus concentrated on the exit device of the enterprise network. However, the black and white lists usually contain several kinds of information, such as user IPs, domain names and web sites, which may change frequently as the servers of a software-as-a-service (SAAS) provider are upgraded or maintained. If the enterprise network administrator is not notified in time to reset the parameters of the network control device at the enterprise network exit, or sets the parameters incorrectly, the enterprise network may no longer be able to access the service normally. The existing approach to enterprise network control is therefore cumbersome and places high demands on the skills of enterprise network administrators.
How to provide a network access control method, device and system that both enforces network control on enterprise employees and simplifies the configuration of the enterprise network exit has therefore become a problem for those skilled in the art to consider.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, an apparatus and a system for controlling network access, which can enforce network control on enterprise employees and simplify the configuration at the enterprise network exit.
To achieve the above purpose, the embodiments of the present invention provide the following technical solutions:
A network access control system, comprising a client, a network control device, a proxy server and a service server, wherein:
the client sends a network access request to the network control device, the network access request comprising the address information of a service server to be accessed and target address information, the target address information being the address information of a pre-configured proxy server;
the network control device judges whether the target address information belongs to a first white list and, if so, sends the network access request to the proxy server corresponding to the target address information, the first white list comprising a list of address information of proxy servers allowed to be accessed;
the proxy server judges whether the address information of the service server to be accessed belongs to a second white list and, if so, sends the network access request to the service server to be accessed, the second white list comprising a list of address information of service servers allowed to be accessed.
A network access control method, comprising:
receiving a network access request sent by a network control device, the network access request comprising the address information of a service server to be accessed and target address information, the target address information being the address information of a pre-configured proxy server;
the network access request being an access request whose target address information belongs to a first white list, the first white list comprising a list of address information of proxy servers allowed to be accessed;
and judging whether the address information of the service server to be accessed belongs to a second white list and, if so, sending the network access request to the service server to be accessed, the second white list comprising a list of address information of service servers allowed to be accessed.
A network access control device, comprising:
a first receiving module, configured to receive a network access request sent by a network control device, the network access request comprising the address information of a service server to be accessed and target address information, the target address information being the address information of a pre-configured proxy server;
the network access request being an access request whose target address information belongs to a first white list, the first white list comprising a list of address information of proxy servers allowed to be accessed;
and a judging module, configured to judge whether the address information of the service server to be accessed belongs to a second white list and, if so, send the network access request to the service server to be accessed, the second white list comprising a list of address information of service servers allowed to be accessed.
It can be seen that the network access control system provided in this embodiment only requires the address information and port of the proxy server in use to be configured at the network control device, with the address information and ports of the service servers allowed to be accessed configured at the proxy server, which simplifies the configuration of the network control device by the enterprise network administrator.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. The drawings in the following description show only embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of an application interface in the prior art;
fig. 2 is a block diagram of a network access control system according to an embodiment of the present invention;
fig. 3 is a signaling flowchart of a network access control system according to an embodiment of the present invention;
fig. 4 is a signaling flowchart of another network access control system according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a network access control apparatus according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of another network access control apparatus according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of another network access control apparatus according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of another network access control apparatus according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of another network access control apparatus according to an embodiment of the present invention;
fig. 10 is a block diagram of a hardware structure of a network access control apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present invention.
Referring to fig. 2, which is a block diagram of a network access control system according to an embodiment of the present invention, the network access control method of the embodiment may be implemented on the system shown there. The network access control system may include a client 2, a network control device 1, a proxy server 3 and a service server 4.
The client 2 may be a client device used by at least one enterprise employee B to send service requests, such as a notebook, desktop, tablet computer, mobile phone or any other device with which the employee can access the internet. The network control device 1 may be a device located at the exit of the enterprise network, such as a switch, router or firewall. The proxy server 3 is a further server interposed between the network control device 1 and the service server 4.
Normally, when an enterprise employee browses a web page, the client accesses the service server directly as needed; the service server receives the web page access request and returns the information of the destination site to the client for the user to browse.
With a proxy server, however, when an employee wants to access some site resource, the client first sends the web page access request to the proxy server, and the proxy server then obtains the information to be accessed and returns it to the client. It should be noted that the proxy server side can authenticate the user's identity and enforce network access control.
The service server 4 may be a single server, a server group consisting of several servers, or a cloud computing service center, and is the source from which network data resources, such as game data and software application data (QQ, WeChat, etc.), are downloaded.
Specifically, based on the system shown in fig. 2, fig. 3 shows a signaling flow chart of the network access control system provided by the embodiment. The signaling interaction among the client 2, the network control device 1, the proxy server 3 and the service server 4 may include:
Step S100: the client sends a network access request to the network control device.
The network access request may include the address information of the client, the address information of the service server to be accessed, the data content to be transmitted and target address information, where the target address information is the address information of a proxy server. In this embodiment, before using a client for network access, the employee must pre-configure the proxy server to be used. When the client sends the network access request it therefore pre-processes the original request: to the client address information, service server address information and data content contained in the original request, it adds the information of the proxy server, for example the proxy server's address information.
Step S101: the network control device judges whether the target address information meets a first preset condition and, if so, sends the network access request to the proxy server corresponding to the target address information.
It should be noted that before the network control device is used, an enterprise network administrator must configure a white list on it. The white list in this scheme differs from the white list in the prior art: it only needs to be a list of the address information of the proxy servers that are allowed to be used, whereas the white list in the prior art needs the address information, port information and other data of every service server that is allowed to be accessed. The content of the prior-art white list on the network control device grows with the number of service types: if an enterprise allows clients to access flight video, QQ and WeChat, the prior-art white list must record at least the address and port information of the service server for flight video, of the service server for QQ and of the service server for WeChat.
Of course, the more network access services the enterprise allows, the more service server address information its network administrator has to configure into the white list of the network control device. Given the wide variety of services, enterprise network administrators have to manage and maintain a large amount of white-list data. Moreover, to provide better service, a service provider may update the service server of a site at any time, and the address and port information of the corresponding service server may change; the enterprise network administrator then has to change that address and port information in the white list of the network control device, otherwise the enterprise can no longer access the service server normally.
In this embodiment, the enterprise network administrator only needs to configure the address information of the proxy server in the white list. The network control device then determines whether the target address information sent by the client is the address information of an allowed proxy server recorded in its white list. If so, the network control device releases the network access request, that is, sends it to the proxy server corresponding to the target address information. If the target address information sent by the client does not belong to the address information of the allowed proxy servers recorded in the white list of the network control device, the network control device may simply discard the network access request or return a response message indicating an access error to the client. Other preset actions may of course be executed, configured according to the actual needs of the enterprise.
It should be noted that, in this step, when the network control device determines that the target address information sent by the client belongs to the allowed proxy server address information recorded in its white list, the network access request has to be sent to the proxy server corresponding to that target address information. Because the request is sent from a client inside the enterprise to the outside, the address information and port information of the client can be replaced with the address information and port information of the network control device; that is, the IP addresses of the local area network are unified into one public IP outside the enterprise. For example, if the IP address of client 2a is "10.168.23.100" with port "1000", and the IP address of client 2b is "10.168.23.99" with port "1000", then whenever the target address information in a network access request belongs to the white list, the source IP address information of the request is converted into the IP address information of the network control device, regardless of whether it came from client 2a or client 2b. At the same time, a piece of tracking information is recorded to hold the mapping between the address information of the client and the address information of the network control device.
Step S102: the proxy server judges whether the address information of the service server to be accessed meets a second preset condition and, if so, sends the network access request to the service server to be accessed.
After receiving the network access request, the proxy server parses it. As introduced above, on the client side the network access request may include the address information of the client, the address information of the service server to be accessed, the data content to be transmitted and the target address information, the target address information being the address information of the proxy server. However, after passing through the enterprise's network control device, the client address information in the request has been converted into the address information of the network control device; that is, at this point the network access request includes the address information of the network control device, the address information of the service server to be accessed, and the data content to be transmitted.
Then, when the proxy server judges that the address information of the service server to be accessed belongs to the allowed service server address information recorded in the proxy server's white list, it sends the network access request to the service server corresponding to that address information.
If the proxy server judges that the address information of the service server to be accessed does not belong to the allowed service server address information recorded in its white list, the proxy server may simply discard the network access request or return a response message indicating an access error to the network control device, which then forwards the response message to the client.
In summary, the network access control system provided in this embodiment only requires the address information and port of the proxy server in use to be configured at the network control device, with the address information and ports of the service servers allowed to be accessed configured at the proxy server, which simplifies the configuration of the network control device by the enterprise network administrator. Furthermore, because the white list of allowed service server addresses is kept at the proxy server, after the SAAS provider's service servers are upgraded or maintained the white list is updated only by the SAAS provider's own professional staff, which ensures that the update is timely and accurate and requires no action by enterprise network administrators. When the network control devices of several enterprises all use the same proxy server and the address information of a certain service server changes, only the address information corresponding to that service server in the different enterprises' white lists on the proxy server needs to be changed, uniformly in one place.
For example, suppose the proxy server corresponding to the network control device of enterprise A is proxy server a, and the proxy server corresponding to the network control device of enterprise B is also proxy server a; the white list maintained for enterprise A includes QQ and WeChat, and the white list maintained for enterprise B includes QQ and Tencent Video. When the service server for QQ is upgraded and its address information changes, the proxy server can replace the address of the QQ service server accordingly without any action by enterprise network administrators. In the prior art, by contrast, the network administrator of enterprise A would have to replace the address information of the QQ service server in the white list of its network control device, and the network administrator of enterprise B would likewise have to replace it in the white list of its own network control device, which is comparatively cumbersome.
Another embodiment of the present application describes the data feedback flow of the network access system. Referring to fig. 4, the signaling interaction procedure includes:
Step S103: the service server to be accessed generates feedback data based on the data content to be transmitted, and sends the feedback data to the proxy server.
Step S104: the proxy server looks up, in the second mapping table, the address information of the network control device corresponding to the address information of the proxy server, and sends the feedback data to the network control device at the address information found.
Step S105: the network control device looks up, in the first mapping table, the address information of the client corresponding to the address information of the network control device, and sends the feedback data to the client at that address information.
It should be noted that the data feedback process can be understood as returning along the original path. During the network access, the network control device and the proxy server both screened the address information they received against their white lists, so when the data is returned there is no need to compare the current address information against the white lists again. The feedback data is finally delivered to the client.
Specifically, this embodiment gives a detailed description of an example of the network access control system provided by the present invention. Assume that the network control device is a switch and that:
a. the client's address in the enterprise intranet is "10.168.23.100", port 1000;
b. the exit network address of the enterprise network is "183.61.38.179", port 1001;
c. the network address of the SAAS service proxy server is 180.149.32.47, port 8080; SOCKS v5 is supported and no account verification is required;
d. the network address of the SAAS service server 1 is 140.205.94.189, port 443;
e. the domain name of the SAAS service server 2 is com, port 80.
On the basis of this address information, the network access process is as follows:
1. The SAAS provider configures the network access white list on the proxy server, roughly as follows:
white list of target servers:
140.205.94.189, port 443;
domain name: com, port 80;
The exact form depends on the configuration standard of the actual proxy server; the above configuration means that a data packet is a legal data packet when its destination address is one of the white-list entries.
2. The enterprise administrator enters the management page of the enterprise switch; the white list configuration is roughly as follows:
white list of target servers:
180.149.132.47, port 8080;
3. The company employee enables a proxy server on the SAAS application client and configures it roughly as follows:
network settings:
type: SOCKS V5; address: 180.149.32.47, port 8080.
4. The client needs to send the content "Hello" to the SAAS service server 1 (140.205.94.189:443). The original packet contains: source address 10.168.23.100, port 1000; destination address 140.205.94.189, port 443; packet content "Hello". Because the proxy service is configured, every packet from the client is wrapped in an additional layer carrying the proxy server's information (destination address 180.149.32.47, port 8080, proxy protocol version information, etc.), and the new packet is instead sent to the proxy server's network address (180.149.32.47:8080).
5. The switch examines the destination address of the new packet. Because the destination network address (180.149.32.47:8080) is already configured in the white list, the packet is considered a legal packet and is allowed through. Because the data is being sent from inside the enterprise network to the outside, NAT address translation has to be performed: the source port number (1000) and the private source IP address (10.168.23.100) in the packet are translated to the switch's own port number (1001) and public IP address (183.61.38.179), the packet is then sent to the destination host (180.149.32.47:8080) on the external network, and a piece of tracking information is recorded in the address translation mapping table (10.168.23.100:1000 - 183.61.38.179:1001). The new source address is legitimate and unique on the internet and can be located correctly.
6. The proxy server receives the data request and parses the actual contents of the packet: the replaced new source address 183.61.38.179, new port 1001, destination address 140.205.94.189, port 443, and packet text "Hello". Because the destination address and port combination (140.205.94.189:443) is in the white list, the packet is judged legal and can be forwarded to the destination address normally. The proxy server replaces the source address in the packet with 180.149.32.47 and the port with 1002, and records the mapping (183.61.38.179:1001 - 180.149.32.47:1002). In the new packet, the sender information is thus completely replaced with that of the proxy server.
7. When the SAAS service server has processed the data, it needs to return the data "Reply" to the client, and assembles the corresponding packet: source address 140.205.94.189, port 443; destination address, i.e. the proxy address, 180.149.32.47, port 8080; packet text "Reply".
8. After the proxy server receives the data returned by the service server, it finds the actual target network address from the mapping maintained in the proxy server and replaces the target address in the packet (i.e. the proxy server address) with the actual target address information (183.61.38.179:1001). The data returned by the server is then wrapped in an additional layer carrying the proxy server's information (source address 180.149.32.47, port 8080, proxy protocol version information, etc.) and sent to the target's network address, i.e. the enterprise's egress IP address.
9. The packet returned by the proxy server passes through the switch, which examines its source address. Because the source address is a proxy address, it is passed. This step likewise requires NAT address translation: according to the record in the mapping table, the port number (1001) and public IP address (183.61.38.179) in the received packet are translated into the port number (1000) and private IP address (10.168.23.100) of the destination host in the internal network, and the packet is forwarded to that host.
10. After receiving the packet, the client parses the real packet contents, mainly source address 140.205.94.189, port 443, and packet text "Reply", and so receives the data returned by the SAAS service server 1.
Above, the case in which the client accesses permitted network address information was introduced. Next, with reference to a specific example, the case in which the client accesses non-permitted network address information is introduced, as follows:
Assume that the white list configuration of steps 1 and 2 in case 1 has been completed.
1. A company employee configures the use of the proxy server on a disabled client such as the Sina Weibo (microblog) client, similarly as follows:
Type: SOCKS V5, address 180.149.32.47, port 8080.
2. The client needs to send the content "Hello" to Sina Weibo service server 1 (100.100.10.10:443). The original packet contains the following information: source address 10.168.23.100, port 8000, destination address 100.100.10.10, port 443, and packet content "Hello". Because the proxy service is configured, every packet on the client is encapsulated with an extra layer around the original packet, adding the relevant information of the proxy server (destination address 180.149.32.47, port 8080, proxy protocol version information, etc.). The new packet is therefore sent to the proxy server's network address (180.149.32.47:8080) instead.
3. As in case 1, the switch considers the request destination address legitimate and forwards it normally.
4. The proxy server receives the data request and parses out the actual destination address 100.100.10.10 and port 443. Because the destination address and port combination (100.100.10.10:443) is not in the white list, the packet is determined to be illegal and is discarded directly.
5. The client cannot receive the reply packet from Sina Weibo, so the network application is successfully restricted.
Another example:
Assume that the white list configuration of steps 1 and 2 in case 1 has been completed.
1. A company employee wants to use some type of disabled client, such as a browser, without configuring a proxy server.
2. The employee uses the browser to access http://www.taobao.com.
3. The switch determines that the destination address (www.taobao.com) is not configured in the white list, judges the request destination address to be illegal, and discards the request directly.
4. The client cannot receive the reply packet from Taobao, so the network application is successfully restricted.
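The three cases above, as an added Python simulation that is not part of the patent: the switch enforces the first white list and keeps the NAT mapping table, the proxy enforces the second white list and keeps its own mapping table, and a reply is carried back through both tables. The addresses come from the worked example; the port counters, the server's "Reply" handler and the ("www.taobao.com", 80) stand-in for the unresolved host name are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Tuple

Addr = Tuple[str, int]  # (IP address or host name, port)


@dataclass
class Packet:
    src: Addr
    dst: Addr
    payload: str
    inner_dst: Optional[Addr] = None  # real destination, carried when the client wraps a packet for the proxy
    inner_src: Optional[Addr] = None  # real source, carried when the proxy wraps a server reply


class Switch:
    """Network control device: enforces the first white list and performs NAT with a mapping table."""

    def __init__(self, public_ip: str, proxy_whitelist) -> None:
        self.public_ip = public_ip
        self.first_whitelist = set(proxy_whitelist)      # permitted proxy (ip, port) pairs
        self.nat: Dict[Addr, Addr] = {}                   # (public ip, port) -> (private ip, port)
        self.next_port = 1001                             # assumed port allocator (1001 in the example)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst not in self.first_whitelist:
            return None  # destination is not a permitted proxy: dropped at the switch (case 3)
        public: Addr = (self.public_ip, self.next_port)
        self.next_port += 1
        self.nat[public] = pkt.src  # trace record, e.g. 183.61.38.179:1001 -> 10.168.23.100:1000
        return replace(pkt, src=public)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src not in self.first_whitelist:
            return None  # only replies whose source is a permitted proxy are let back in
        private = self.nat.get(pkt.dst)
        if private is None:
            return None  # no matching outbound flow
        return replace(pkt, dst=private)


class Proxy:
    """Proxy server: enforces the second white list and keeps the second mapping table."""

    def __init__(self, addr: Addr, server_whitelist) -> None:
        self.addr = addr
        self.second_whitelist = set(server_whitelist)    # permitted service server (ip, port) pairs
        self.mapping: Dict[Addr, Addr] = {}               # (proxy ip, port) -> (enterprise egress ip, port)
        self.next_port = 1002                             # assumed port allocator (1002 in the example)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.inner_dst is None or pkt.inner_dst not in self.second_whitelist:
            return None  # real destination not permitted: dropped at the proxy (case 2)
        proxy_src: Addr = (self.addr[0], self.next_port)
        self.next_port += 1
        self.mapping[proxy_src] = pkt.src  # e.g. 180.149.32.47:1002 -> 183.61.38.179:1001
        return Packet(src=proxy_src, dst=pkt.inner_dst, payload=pkt.payload)

    def inbound(self, reply: Packet) -> Optional[Packet]:
        origin = self.mapping.get(reply.dst)
        if origin is None:
            return None
        # wrap the server reply with the proxy's own header and send it to the enterprise egress address
        return Packet(src=self.addr, dst=origin, payload=reply.payload, inner_src=reply.src)


def simulate(switch: Switch, proxy: Proxy, servers: Dict[Addr, Callable[[str], str]],
             client: Addr, target: Addr, payload: str, via_proxy: bool):
    """Run one client request through switch -> proxy -> server and back; returns (status, packet)."""
    if via_proxy:  # SOCKS-style wrapping: outer destination is the proxy, real target inside
        pkt = Packet(src=client, dst=proxy.addr, payload=payload, inner_dst=target)
    else:
        pkt = Packet(src=client, dst=target, payload=payload)
    out = switch.outbound(pkt)
    if out is None:
        return "dropped at switch", None
    fwd = proxy.outbound(out)
    if fwd is None:
        return "dropped at proxy", None
    reply = Packet(src=fwd.dst, dst=fwd.src, payload=servers[fwd.dst](fwd.payload))
    wrapped = proxy.inbound(reply)
    back = switch.inbound(wrapped) if wrapped else None
    return ("delivered", back) if back else ("reply lost", None)


def build_network():
    """Fresh switch/proxy/server set using the addresses from the patent's worked example."""
    switch = Switch("183.61.38.179", [("180.149.32.47", 8080)])
    proxy = Proxy(("180.149.32.47", 8080), [("140.205.94.189", 443)])
    servers = {("140.205.94.189", 443): lambda req: "Reply"}  # constructed SAAS service server 1
    return switch, proxy, servers


if __name__ == "__main__":
    s, p, srv = build_network()
    print(simulate(s, p, srv, ("10.168.23.100", 1000), ("140.205.94.189", 443), "Hello", True))
    print(simulate(s, p, srv, ("10.168.23.100", 8000), ("100.100.10.10", 443), "Hello", True))
    print(simulate(s, p, srv, ("10.168.23.100", 8001), ("www.taobao.com", 80), "GET /", False))
```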
In the following, the network access control apparatus provided by the embodiment of the present invention is introduced; the apparatus described below may be referred to in correspondence with the network access control system described above.
Fig. 5 is a block diagram of a network access control apparatus according to an embodiment of the present invention. Referring to fig. 5, the network access control apparatus may include:
a first receiving module 100, configured to receive a network access request sent by a network control device, where the network access request includes: address information of a service server to be accessed and target address information, wherein the target address information is address information of a pre-configured proxy server;
where the network access request is an access request whose target address information belongs to a first white list, and the first white list comprises a list of address information of proxy servers allowed to be accessed;
a determining module 200, configured to determine whether the address information of the service server to be accessed belongs to a second white list, and if so, send the network access request to the service server to be accessed, where the second white list includes a list of address information of service servers allowed to be accessed.
Optionally, as shown in fig. 6, the apparatus further includes:
a processing module 300, configured to replace the address information of the network control device with the target address information, and generate a second mapping table of the address information of the network control device and the target address information.
Optionally, as shown in fig. 7, the apparatus further includes:
a sending module 400, configured to send the data content to be transmitted to the service server to be accessed.
Optionally, as shown in fig. 8, the apparatus further includes:
a second receiving module 500, configured to receive feedback data generated by the to-be-accessed service server based on the to-be-transmitted data content.
Optionally, as shown in fig. 9, the apparatus further includes:
a searching module 600, configured to search, according to the second mapping table, for the address information of the network control device corresponding to the address information of the proxy server, and to send the feedback data to the network control device corresponding to the found address information.
The embodiment of the present invention further provides a network access control device, which may include the network access control apparatus described above.
Optionally, fig. 10 shows a block diagram of the hardware structure of the network access control device. Referring to fig. 10, the network access control device may include: a processor 1, a communication interface 2, a memory 3 and a communication bus 4;
where the processor 1, the communication interface 2 and the memory 3 communicate with each other through the communication bus 4;
optionally, the communication interface 2 may be an interface of a communication module, such as an interface of a GSM module;
a processor 1 for executing a program;
a memory 3 for storing a program;
the program may include program code including computer operating instructions.
The processor 1 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention.
The memory 3 may comprise high-speed RAM and may further comprise non-volatile memory, such as at least one disk memory.
The program may specifically be used for:
receiving a network access request sent by a network control device, wherein the network access request comprises: address information of a service server to be accessed and target address information, wherein the target address information is address information of a pre-configured proxy server;
where the network access request is an access request whose target address information belongs to a first white list, and the first white list comprises a list of address information of proxy servers allowed to be accessed;
and determining whether the address information of the service server to be accessed belongs to a second white list, and if so, sending the network access request to the service server to be accessed, where the second white list comprises a list of address information of service servers allowed to be accessed.
To sum up, an embodiment of the present invention provides a network access control system, including: the network access system comprises a client, a network control device, a proxy server and a service server, wherein the client sends a network access request to the network control device, the network control device judges whether target address information belongs to a first white list, and if the target address information belongs to the first white list, the network control device sends the network access request to the proxy server corresponding to the target address information. And the proxy server judges whether the address information of the service server to be accessed belongs to a second white list, and if so, the proxy server sends the network access request to the service server to be accessed. Therefore, the network access method provided by the invention only needs to set the address information and the port of the used proxy server at the network control equipment, and then sets the address information and the port of the service server allowed to access at the proxy server, thereby simplifying the configuration of enterprise network management personnel on the network control equipment.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (18)

1. A network access control system, comprising: a client, a network control device, a proxy server and a service server, wherein
the client is configured to send a network access request to a network control device, where the network access request includes: address information of a service server to be accessed and target address information, wherein the target address information is address information of a pre-configured proxy server;
the network control equipment is used for judging whether the target address information belongs to a first white list, if so, the network control equipment converts the IP address information of the network access request into the IP address information of the network control equipment and sends the network access request converted by the IP address information to a proxy server corresponding to the target address information, and the first white list comprises a list of address information of proxy servers allowed to be accessed;
the proxy server is used for judging whether the address information of the service server to be accessed belongs to a second white list, if so, the proxy server sends the network access request to the service server to be accessed, and the second white list comprises a list of address information of the service server allowed to be accessed.
2. The network access control system of claim 1, wherein the network access request further comprises: address information of the client,
and after judging that the target address information belongs to the first white list, the network control device is further configured to: replace the address information of the client with the address information of the network control device, and generate a first mapping table of the address information of the client and the address information of the network control device.
3. The network access control system of claim 2, wherein the proxy server, after determining that the address information of the service server to be accessed belongs to the second white list, is further configured to:
replace the address information of the network control device with the target address information, and generate a second mapping table of the address information of the network control device and the target address information.
4. The network access control system of claim 3, wherein the network access request further comprises: data content to be transmitted,
and correspondingly, the sending, by the proxy server, of the network access request to the service server to be accessed comprises:
the proxy server sending the data content to be transmitted to the service server to be accessed.
5. The network access control system of claim 4, wherein the service server to be accessed generates feedback data based on the data content to be transmitted, and sends the feedback data to the proxy server.
6. The network access control system according to claim 5, wherein the proxy server searches, according to the second mapping table, address information of the network control device corresponding to the address information of the proxy server;
and sends the feedback data to the network control device corresponding to the found address information.
7. The network access control system according to claim 6, wherein the network control device searches, according to the first mapping table, address information of a client corresponding to the address information of the network control device;
and sends the feedback data to the client corresponding to the found address information.
8. A network access control method, comprising:
receiving a network access request sent by a network control device after the network control device has converted the IP address information of the network access request into the IP address information of the network control device, wherein the network access request comprises: address information of a service server to be accessed and target address information, wherein the target address information is address information of a pre-configured proxy server;
the network access request is an access request of which the target address information belongs to a first white list, and the first white list comprises a list of address information of proxy servers allowing access;
and judging whether the address information of the service server to be accessed belongs to a second white list, if so, sending the network access request to the service server to be accessed, wherein the second white list comprises a list of address information of service servers allowed to be accessed.
9. The method according to claim 8, further comprising, after determining that the address information of the service server to be accessed belongs to a second white list:
replacing the address information of the network control device with the target address information, and generating a second mapping table of the address information of the network control device and the target address information.
10. The network access control method of claim 9, wherein the network access request further comprises: data content to be transmitted,
and correspondingly, the sending of the network access request to the service server to be accessed comprises:
sending the data content to be transmitted to the service server to be accessed.
11. The network access control method of claim 10, further comprising:
receiving feedback data generated by the service server to be accessed based on the data content to be transmitted.
12. The network access control method of claim 11, further comprising:
searching address information of the network control equipment corresponding to the address information of the proxy server according to the second mapping table;
and sending the feedback data to the searched network control equipment corresponding to the address information of the network control equipment.
13. A network access control apparatus, comprising:
a first receiving module, configured to receive a network access request sent by a network control device after the network control device has converted the IP address information of the network access request into the IP address information of the network control device, wherein the network access request comprises: address information of a service server to be accessed and target address information, wherein the target address information is address information of a pre-configured proxy server;
the network access request is an access request of which the target address information belongs to a first white list, and the first white list comprises a list of address information of proxy servers allowing access;
and a judging module, configured to judge whether the address information of the service server to be accessed belongs to a second white list, and if so, send the network access request to the service server to be accessed, wherein the second white list comprises a list of address information of service servers allowed to be accessed.
14. The network access control device of claim 13, further comprising:
a processing module, configured to replace the address information of the network control device with the target address information and generate a second mapping table of the address information of the network control device and the target address information.
15. The network access control device of claim 14, further comprising:
a sending module, configured to send the data content to be transmitted to the service server to be accessed.
16. The network access control device of claim 15, further comprising:
a second receiving module, configured to receive feedback data generated by the service server to be accessed based on the data content to be transmitted.
17. The network access control device of claim 16, further comprising:
a searching module, configured to search, according to the second mapping table, for the address information of the network control device corresponding to the address information of the proxy server,
and to send the feedback data to the network control device corresponding to the found address information.
18. A computer-readable storage medium, having stored thereon a computer-executable program which, when loaded and executed by a processor, implements the network access control method of any one of claims 8 to 12.
CN201611146932.2A 2016-12-13 2016-12-13 Network access control method, device and system Active CN108616490B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201611146932.2A CN108616490B (en) 2016-12-13 2016-12-13 Network access control method, device and system
PCT/CN2017/112080 WO2018107943A1 (en) 2016-12-13 2017-11-21 Network access control method, apparatus and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611146932.2A CN108616490B (en) 2016-12-13 2016-12-13 Network access control method, device and system

Publications (2)

Publication Number Publication Date
CN108616490A CN108616490A (en) 2018-10-02
CN108616490B true CN108616490B (en) 2020-11-03

Family

ID=62557918

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611146932.2A Active CN108616490B (en) 2016-12-13 2016-12-13 Network access control method, device and system

Country Status (2)

Country Link
CN (1) CN108616490B (en)
WO (1) WO2018107943A1 (en)



Also Published As

Publication number Publication date
WO2018107943A1 (en) 2018-06-21
CN108616490A (en) 2018-10-02


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant