CN109617892A - An intranet boundary management and control method - Google Patents

An intranet boundary management and control method

Info

Publication number: CN109617892A
Application number: CN201811602774.6A
Authority: CN (China)
Other versions: CN109617892B
Other languages: Chinese (zh)
Legal status: Granted
Prior art keywords: intranet, edge device, switch port, port, label information
Inventors: 常雄, 薛锋, 叶超
Current assignee: Beijing Chengqiang Technology Co Ltd
Original assignee: Beijing Chengqiang Technology Co Ltd

Classifications

    • H04L63/0876 Network architectures or network communication protocols for network security; authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L45/66 Routing or path finding of packets in data switching networks; Layer 2 routing, e.g. in Ethernet based MANs
    • H04L61/103 Network arrangements, protocols or services for addressing or naming; mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
Abstract

The present invention provides an intranet boundary management and control method, comprising: authenticating an intranet edge device; when the intranet edge device has passed authentication and is a computer, detecting in turn whether the intranet edge device contains a first label indicating that the client program is installed, a second label indicating that the installed client program is online, and a third label indicating that security protection measures are deployed; when the intranet edge device lacks the first, second or third label, closing the switch port corresponding to the intranet edge device; and when the intranet edge device contains the first, second and third labels, keeping the switch port corresponding to the intranet edge device open. The method ensures that computer security protection measures are actually in place.

Description

An intranet boundary management and control method
Technical field
The present invention relates to the field of network security, and in particular to an intranet boundary management and control method.
Background technique
An intranet contains a large number of access-layer devices of unknown type. However, the vast majority of network management systems manage only key network equipment such as core switches, routers and aggregation switches; security management of terminal access to the intranet therefore cannot reach 100% coverage, and virus propagation, information theft, network attacks and the like seriously threaten the safe operation of the intranet. Effective control of the network boundary is imperative.
Existing security control methods for terminal access to the intranet obtain the MAC address of the terminal device, compare it with the terminals in an authenticated-device database, and shut down the ports of unauthenticated devices. However, for computers with higher security protection requirements, this method cannot ensure that their security protection measures are in place.
Summary of the invention
In view of the above analysis, the present invention proposes an intranet boundary management and control method to solve the problem in the prior art that computer security measures cannot be guaranteed to be in place.
To achieve the above object, the present invention adopts the following technical scheme:
A first aspect of the present invention provides an intranet boundary management and control method, comprising: authenticating an intranet edge device; when the intranet edge device has passed authentication and is a computer, detecting in turn whether the intranet edge device contains a first label indicating that the client program is installed, a second label indicating that the installed client program is online, and a third label indicating that security protection measures are deployed; when the intranet edge device lacks the first, second or third label, closing the switch port corresponding to the intranet edge device; and when the intranet edge device contains the first, second and third labels, keeping the switch port corresponding to the intranet edge device open.
As a preferred embodiment, the intranet boundary management and control method further includes adding the closed switch port to a blocking data table.
As a preferred embodiment, before the intranet edge device is authenticated, the method further includes obtaining a MAC-IP-PORT correspondence table of the intranet edge devices by periodically polling the switch for its MAC address forwarding table and ARP table.
As a preferred embodiment, the obtained MAC-IP-PORT correspondence table of the intranet edge devices is analyzed; when an intranet edge device is a HUB, the switch port corresponding to the HUB is closed and added to the blocking data table.
As a preferred embodiment, authenticating the intranet edge device comprises: when the MAC-IP-PORT correspondence table of the intranet edge devices is obtained for the first time, storing the table in an online device cache and comparing the MAC-IP-PORT correspondence table with the MAC data in the authenticated-device database; for an unauthenticated intranet edge device whose MAC address is not in the authenticated-device database, closing the switch port corresponding to that device and adding the port to the blocking data table.
As a preferred embodiment, authenticating the intranet edge device further comprises: when it is not the first time the MAC-IP-PORT correspondence table of the intranet edge devices is obtained, comparing the table with the cached data stored in the online device cache, generating a new-access-device information table, and authenticating the new access devices in that table; for a new access device that fails authentication, closing its corresponding switch port and adding the port to the blocking data table; for a new access device that passes authentication, storing it in the online device cache.
As a preferred embodiment, the intranet boundary management and control method further includes: when an access request is received from an intranet edge device whose switch port has been closed, opening the switch port corresponding to that device and adding the device to the authenticated-device database.
As a preferred embodiment, the switch ports in the blocking data table are restarted at a preset time interval, and the intranet edge device corresponding to each restarted switch port is authenticated; when that device passes authentication, or no device is connected to the restarted switch port, the restarted switch port is kept open; when that device fails authentication, the restarted switch port is closed and added back to the blocking data table.
A second aspect of the present invention provides an intranet boundary control device, comprising: a device authentication module, for authenticating the intranet edge device and sending the authentication result to a device detection module and a switch port control module; the device detection module, for detecting in turn, when the intranet edge device has passed authentication and is a computer, whether it contains the first label indicating that the client program is installed, the second label indicating that the installed client program is online, and the third label indicating that security protection measures are deployed, and sending the detection result to the switch port control module; and the switch port control module, for closing the switch port corresponding to the intranet edge device when the device lacks the first, second or third label, and keeping that switch port open when the device contains the first, second and third labels.
As a preferred embodiment, the switch port control module is also used to add the closed switch port to the blocking data table.
As a preferred embodiment, the intranet boundary control device further includes a device information acquisition module, which obtains the MAC-IP-PORT correspondence table of the intranet edge devices by periodically polling the switch for its MAC address forwarding table and ARP table, and sends the table to the device authentication module and the switch port control module.
As a preferred embodiment, the switch port control module is also used to analyze the obtained MAC-IP-PORT correspondence table of the intranet edge devices; when an intranet edge device is a HUB, it closes the switch port corresponding to the HUB and adds that port to the blocking data table.
As a preferred embodiment, when the device authentication module receives the MAC-IP-PORT correspondence table of the intranet edge devices for the first time, it stores the table in the online device cache and compares it with the MAC data in the authenticated-device database; for an unauthenticated intranet edge device whose MAC address is not in the authenticated-device database, the switch port control module closes the corresponding switch port and adds it to the blocking data table.
As a preferred embodiment, when it is not the first time the device authentication module obtains the MAC-IP-PORT correspondence table of the intranet edge devices, it compares the table with the cached data stored in the online device cache, generates a new-access-device information table, and authenticates the new access devices in that table; for a new access device that fails authentication, the switch port control module closes its corresponding switch port and adds the port to the blocking data table; for a new access device that passes authentication, the device authentication module stores it in the online device cache.
As a preferred embodiment, when an access request is received from an intranet edge device whose switch port has been closed, the switch port control module opens the switch port corresponding to that device and adds the device to the authenticated-device database.
As a preferred embodiment, the switch port control module restarts the switch ports in the blocking data table at a preset time interval, and the device authentication module authenticates the intranet edge device corresponding to each restarted switch port; when that device passes authentication, or no device is connected to the restarted switch port, the switch port control module keeps the restarted switch port open; when that device fails authentication, the switch port control module closes the restarted switch port and adds it back to the blocking data table.
A third aspect of the present invention provides a non-transitory computer-readable storage medium storing computer instructions which cause a computer to execute any of the above intranet boundary management and control methods.
A fourth aspect of the present invention provides an intranet boundary management and control apparatus, comprising: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor performs any of the above intranet boundary management and control methods.
Compared with the prior art, the technical solution of the present invention has at least the following advantages:
The present invention provides an intranet boundary management and control method, comprising: authenticating an intranet edge device; when the intranet edge device has passed authentication and is a computer, detecting in turn whether it contains the first label indicating that the client program is installed, the second label indicating that the installed client program is online, and the third label indicating that security protection measures are deployed; when the intranet edge device lacks the first, second or third label, closing the switch port corresponding to the intranet edge device; and when the intranet edge device contains the first, second and third labels, keeping the switch port corresponding to the intranet edge device open. The method ensures that computer security measures are deployed and in place.
Detailed description of the drawings
In order to explain the specific embodiments of the invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the specific embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of a specific example of the intranet boundary management and control method in an embodiment of the invention;
Fig. 2 is a flow chart of another specific example of the intranet boundary management and control method in an embodiment of the invention;
Fig. 3 is a flow chart of a specific example of authenticating the intranet edge device in an embodiment of the invention;
Fig. 4 is a flow chart of a specific example of the handling of an unauthenticated intranet edge device whose switch port has been closed, in an embodiment of the invention;
Fig. 5 is a flow chart of a specific example of the handling of an intranet edge device whose switch port has been closed, in an embodiment of the invention;
Fig. 6 is a functional block diagram of a specific example of the intranet boundary control device in an embodiment of the invention;
Fig. 7 is a functional block diagram of another specific example of the intranet boundary control device in an embodiment of the invention;
Fig. 8 is a functional block diagram of a specific example of the intranet boundary management and control apparatus in an embodiment of the invention.
Specific embodiments
The technical solutions of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the invention without creative effort fall within the protection scope of the invention.
In the description of the invention, it should be noted that the terms "first", "second" and "third" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance.
In addition, the technical features of the different embodiments of the invention described below can be combined with each other as long as they do not conflict.
An embodiment of the invention provides an intranet boundary management and control method which, as shown in Fig. 1, includes the following steps:
Step S1: authenticate the intranet edge device, i.e. the access device on the boundary of the intranet.
Step S2: judge whether the intranet edge device has passed authentication and is a computer.
Step S3: when the intranet edge device has passed authentication and is a computer, detect in turn whether it contains the first label indicating that the client program is installed, the second label indicating that the installed client program is online, and the third label indicating that security protection measures are deployed.
Step S4: when the intranet edge device lacks the first, second or third label, close the switch port corresponding to the intranet edge device.
Step S5: when the intranet edge device contains the first, second and third labels, keep the switch port corresponding to the intranet edge device open.
Through steps S1 to S5, the intranet boundary management and control method provided by the embodiment of the invention can ensure that computer security protection measures are in place.
As a preferred embodiment, as shown in Fig. 2, after the switch port corresponding to the intranet edge device is closed in step S4, the method further includes step S41: add the closed switch port to the blocking data table.
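The decision logic of steps S1 to S5 and S41, as an added example in Python; it is not code from the patent or its assignee. The patent names the three labels but fixes no encoding for them, so this example assumes the endpoint reports them as a set of strings, that the authenticated-device database is a set of MAC addresses, and that the blocking data table is a dict keyed by switch port name (the `Gi1/0/N` port names and all device data are constructed). Treating an authenticated non-computer device as "keep open" is also an assumption, since the patent only defines the label checks for computers.

```python
"""Steps S1 to S5 plus S41: authenticate, check labels in order, decide the port state."""
from dataclasses import dataclass, field
from enum import Enum

# Three labels the method checks, in the order of step S3 (assumed string encoding).
LABEL_CLIENT_INSTALLED = "client_installed"    # first label
LABEL_CLIENT_ONLINE = "client_online"          # second label
LABEL_SECURITY_DEPLOYED = "security_deployed"  # third label
REQUIRED_LABELS = (LABEL_CLIENT_INSTALLED, LABEL_CLIENT_ONLINE, LABEL_SECURITY_DEPLOYED)


class PortAction(Enum):
    KEEP_OPEN = "keep_open"
    CLOSE = "close"


@dataclass(frozen=True)
class EdgeDevice:
    mac: str
    ip: str
    port: str              # switch port the device is learned on (assumed naming)
    is_computer: bool      # S2: only computers are subject to the label checks
    labels: frozenset = frozenset()


@dataclass
class PortController:
    authenticated_macs: set
    blocked_ports: dict = field(default_factory=dict)  # S41: port -> reason

    def authenticate(self, dev: EdgeDevice) -> bool:
        """S1: MAC lookup in the authenticated-device database."""
        return dev.mac.lower() in {m.lower() for m in self.authenticated_macs}

    def first_missing_label(self, dev: EdgeDevice):
        """S3: check the labels in order and report the first one that is absent."""
        for label in REQUIRED_LABELS:
            if label not in dev.labels:
                return label
        return None

    def decide(self, dev: EdgeDevice) -> PortAction:
        if not self.authenticate(dev):
            return self._close(dev.port, "unauthenticated")
        if not dev.is_computer:
            # Assumption: an authenticated non-computer device is left open.
            return PortAction.KEEP_OPEN
        missing = self.first_missing_label(dev)
        if missing is not None:
            return self._close(dev.port, "missing " + missing)   # S4
        return PortAction.KEEP_OPEN                               # S5

    def _close(self, port: str, reason: str) -> PortAction:
        self.blocked_ports[port] = reason                         # S41
        return PortAction.CLOSE


# Constructed sample devices (not real hosts).
SAMPLE_DEVICES = [
    EdgeDevice("00:11:22:33:44:01", "10.0.0.11", "Gi1/0/1", True,
               frozenset(REQUIRED_LABELS)),                         # compliant PC
    EdgeDevice("00:11:22:33:44:02", "10.0.0.12", "Gi1/0/2", True,
               frozenset({LABEL_CLIENT_INSTALLED})),                # client installed but not online
    EdgeDevice("00:11:22:33:44:03", "10.0.0.13", "Gi1/0/3", False),  # authenticated printer
    EdgeDevice("00:11:22:33:44:09", "10.0.0.19", "Gi1/0/9", True,
               frozenset(REQUIRED_LABELS)),                         # MAC not in the database
]


def run_sample():
    """Run the decision over the constructed devices; returns (port -> action, block table)."""
    ctl = PortController(authenticated_macs={"00:11:22:33:44:01",
                                             "00:11:22:33:44:02",
                                             "00:11:22:33:44:03"})
    actions = {d.port: ctl.decide(d).value for d in SAMPLE_DEVICES}
    return actions, ctl.blocked_ports


if __name__ == "__main__":
    for port, action in run_sample()[0].items():
        print(port, action)
```

The reason string recorded in the blocking table names only the first missing label, matching the sequential check of step S3; a detection pipeline that wants to report all gaps at once would collect the full list instead.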
As a preferred embodiment, as shown in Fig. 2, before the intranet edge device is authenticated in step S1, the intranet boundary management and control method provided by the embodiment of the invention further includes:
Step S01: obtain the MAC-IP-PORT correspondence table of the intranet edge devices by periodically polling the switch for its MAC address forwarding table and ARP table.
Step S02: analyze the obtained MAC-IP-PORT correspondence table of the intranet edge devices and judge whether each intranet edge device is a HUB; when an intranet edge device is a HUB, execute step S03.
Step S03: when the intranet edge device is a HUB, close the switch port corresponding to the HUB and add that switch port to the blocking data table. When the intranet edge device is not a HUB, execute step S1.
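Steps S01 to S03 as an added Python example (not the patent's code). The patent says the MAC-IP-PORT table is built from the switch's MAC forwarding table and ARP table but does not state how a HUB is recognized; this example assumes the usual heuristic that an access port on which the switch has learned two or more MAC addresses has a hub (or unmanaged switch) behind it, and that known uplink ports, which legitimately carry many MACs, are excluded. The two tables, the port names and the `UPLINK_PORTS` set are constructed stand-ins for one poll.

```python
"""Steps S01 to S03: join MAC table and ARP table, flag hub ports, block them."""
from collections import defaultdict

# Constructed poll results (not real devices).
MAC_FORWARDING_TABLE = [          # (mac, port) as learned by the switch
    ("00:11:22:33:44:01", "Gi1/0/1"),
    ("00:11:22:33:44:02", "Gi1/0/2"),
    ("00:11:22:33:44:03", "Gi1/0/2"),   # three MACs on one access port
    ("00:11:22:33:44:04", "Gi1/0/2"),
    ("00:11:22:33:44:05", "Gi1/0/3"),   # no ARP entry yet
    ("00:11:22:33:44:06", "Gi1/0/24"),
    ("00:11:22:33:44:07", "Gi1/0/24"),
]
ARP_TABLE = [                     # (ip, mac)
    ("10.0.0.11", "00:11:22:33:44:01"),
    ("10.0.0.12", "00:11:22:33:44:02"),
    ("10.0.0.13", "00:11:22:33:44:03"),
    ("10.0.0.14", "00:11:22:33:44:04"),
    ("10.0.0.16", "00:11:22:33:44:06"),
    ("10.0.0.17", "00:11:22:33:44:07"),
]
UPLINK_PORTS = frozenset({"Gi1/0/24"})   # assumed: uplinks carry many MACs by design


def build_mac_ip_port(mac_table, arp_table):
    """S01: join the two tables on MAC. A device with no ARP entry keeps ip=None."""
    ip_by_mac = {mac.lower(): ip for ip, mac in arp_table}
    return [(mac.lower(), ip_by_mac.get(mac.lower()), port) for mac, port in mac_table]


def hub_ports(entries, uplinks=UPLINK_PORTS, min_macs=2):
    """S02: an access port carrying min_macs or more MACs is treated as a HUB."""
    macs_per_port = defaultdict(set)
    for mac, _ip, port in entries:
        if port not in uplinks:
            macs_per_port[port].add(mac)
    return sorted(p for p, macs in macs_per_port.items() if len(macs) >= min_macs)


def close_hub_ports(entries, blocked):
    """S03: close each hub port and record it in the blocking table (port -> reason)."""
    hubs = hub_ports(entries)
    for port in hubs:
        blocked[port] = "hub"
    return hubs


def run_sample():
    """Build the table from the constructed poll; returns (entries, hub ports, block table)."""
    entries = build_mac_ip_port(MAC_FORWARDING_TABLE, ARP_TABLE)
    blocked = {}
    hubs = close_hub_ports(entries, blocked)
    return entries, hubs, blocked


if __name__ == "__main__":
    entries, hubs, blocked = run_sample()
    for row in entries:
        print(row)
    print("hub ports:", hubs, "blocked:", blocked)
```

In a real deployment the two inputs would come from SNMP polls of the switch (the bridge forwarding table in BRIDGE-MIB / Q-BRIDGE-MIB and the ARP cache in IP-MIB's ipNetToMediaTable) rather than from embedded lists; the join and the threshold logic are unchanged. The threshold should be tuned per port role, since a port facing a legitimate phone-plus-PC daisy chain also shows two MACs.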
As a preferred embodiment, as shown in Fig. 3, authenticating the intranet edge device in step S1 includes:
Step S11: judge whether this is the first time the MAC-IP-PORT correspondence table of the intranet edge devices has been obtained.
When the MAC-IP-PORT correspondence table is obtained for the first time, execute step S12; when it is not the first time, execute step S15.
Step S12: store the MAC-IP-PORT correspondence table in the online device cache, and compare the MAC-IP-PORT correspondence table of the intranet edge devices with the MAC data in the authenticated-device database;
Step S13: judge whether the intranet edge device is an unauthenticated intranet edge device, i.e. one whose MAC address is not in the authenticated-device database;
Step S14: for an unauthenticated intranet edge device whose MAC address is not in the authenticated-device database, close the switch port corresponding to that device and add the port to the blocking data table.
Step S15: compare the MAC-IP-PORT correspondence table with the cached data stored in the online device cache, generate a new-access-device information table, and authenticate the new access devices in that table;
Step S16: judge whether each new access device passes authentication;
Step S17: for a new access device that fails authentication, close the switch port corresponding to that device and add the port to the blocking data table;
Step S18: for a new access device that passes authentication, store the device in the online device cache.
As a preferred embodiment, as shown in Fig. 4, after the switch port of an unauthenticated intranet edge device has been closed in step S14 or S17, that device may still need to access the intranet. To let an unauthenticated intranet edge device that needs intranet access connect smoothly, the intranet boundary management and control method provided by the embodiment of the invention further includes:
Step S61: judge whether an access request has been received from the intranet edge device whose switch port has been closed.
Step S62: when an access request is received from the intranet edge device whose switch port has been closed, open the switch port corresponding to that device, and add the device to the authenticated-device database.
Step S63: when no access request is received from the intranet edge device whose switch port has been closed, keep the switch port corresponding to that device closed.
As a preferred embodiment, to prevent non-compliant intranet edge devices from being maliciously connected to the switch one after another until every port of the switch has been closed, after a switch port corresponding to an intranet edge device has been closed in step S4, S03, S14 or S17, the intranet boundary management and control method provided by the embodiment of the invention may further include, as shown in Fig. 5:
Step S71: restart the switch ports in the blocking data table at a preset time interval.
Step S72: judge whether a device is connected on the restarted switch port.
Step S73: when a device is connected on the restarted switch port, authenticate the intranet edge device corresponding to the restarted switch port.
Step S74: judge whether the intranet edge device corresponding to the restarted switch port passes authentication.
Step S75: when the intranet edge device corresponding to the restarted switch port passes authentication, or no device is connected on the restarted switch port, keep the restarted switch port open.
Step S76: when the intranet edge device corresponding to the restarted switch port fails authentication, close the restarted switch port and add it back to the blocking data table.
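The cache-based authentication of steps S11 to S18, the access-request reopen of steps S61 to S63 and the timed retry of steps S71 to S76 together, as an added Python example that is not the patent's code. It assumes the authenticated-device database is a set of MAC addresses, the online device cache and the blocking data table are dicts, the "preset time" is a retry interval in seconds, and time is passed in as a plain number so the sequence runs instantly instead of waiting; the polls and port names are constructed. Following step S12 literally, the whole first table goes into the online device cache before the MAC comparison, so unauthenticated devices seen on the first poll are not re-reported as "new" on later polls.

```python
"""Authentication with an online-device cache, access-request reopen, and timed retry."""


class BoundaryController:
    def __init__(self, authenticated_macs, retry_interval=600):
        self.authenticated = {m.lower() for m in authenticated_macs}  # auth database
        self.online_cache = {}      # mac -> (ip, port)
        self.blocked = {}           # port -> {"mac", "reason", "since"}  (blocking data table)
        self.retry_interval = retry_interval   # assumed "preset time", seconds
        self.first_poll_done = False

    def _close(self, port, mac, reason, now):
        self.blocked[port] = {"mac": mac, "reason": reason, "since": now}

    def ingest(self, table, now):
        """Process one MAC-IP-PORT table (list of (mac, ip, port)). Returns ports closed."""
        snapshot = {mac.lower(): (ip, port) for mac, ip, port in table}
        if not self.first_poll_done:                          # S11 -> S12
            self.first_poll_done = True
            self.online_cache.update(snapshot)                # whole table into the cache
            candidates = snapshot
        else:                                                 # S11 -> S15
            candidates = {m: v for m, v in snapshot.items()
                          if m not in self.online_cache}      # new-access-device table
        closed = []
        for mac, (ip, port) in candidates.items():            # S13 / S16
            if mac in self.authenticated:
                self.online_cache[mac] = (ip, port)           # S18
            else:
                self._close(port, mac, "unauthenticated", now)  # S14 / S17
                closed.append(port)
        return closed

    def access_request(self, mac, port):
        """S61 to S63: reopen a closed port on request and enrol the device."""
        rec = self.blocked.get(port)
        if rec is None or rec["mac"] != mac.lower():
            return False                                      # S63: port stays closed
        del self.blocked[port]                                # S62: open the port
        self.authenticated.add(mac.lower())                   # S62: add to auth database
        return True

    def timed_retry(self, table, now):
        """S71 to S76: reopen due ports, check what is connected, re-close failures."""
        mac_on_port = {port: mac.lower() for mac, _ip, port in table}
        reopened, reclosed = [], []
        for port, rec in list(self.blocked.items()):
            if now - rec["since"] < self.retry_interval:
                continue                                      # S71: not due yet
            mac = mac_on_port.get(port)                       # S72
            if mac is None or mac in self.authenticated:      # S73 to S75
                del self.blocked[port]
                reopened.append(port)
            else:                                             # S76: back into the table
                self._close(port, mac, "unauthenticated", now)
                reclosed.append(port)
        return reopened, reclosed


# Constructed polls (not real devices).
POLL_1 = [("00:11:22:33:44:01", "10.0.0.11", "Gi1/0/1"),
          ("00:11:22:33:44:02", "10.0.0.12", "Gi1/0/2")]
POLL_2 = POLL_1 + [("00:11:22:33:44:03", "10.0.0.13", "Gi1/0/3")]


def run_sample():
    """Drive one scenario through the controller; returns (event log, remaining blocked ports)."""
    ctl = BoundaryController({"00:11:22:33:44:01"})
    log = {
        "first": ctl.ingest(POLL_1, now=0),              # :02 unknown -> Gi1/0/2 closed
        "second": ctl.ingest(POLL_2, now=60),            # :03 new and unknown -> Gi1/0/3 closed
        "request": ctl.access_request("00:11:22:33:44:02", "Gi1/0/2"),
        "retry_early": ctl.timed_retry(POLL_2, now=100),  # nothing due yet
        "retry_due": ctl.timed_retry(POLL_2, now=700),    # :03 still there -> re-closed
        "retry_gone": ctl.timed_retry(POLL_1, now=1400),  # port empty -> left open
    }
    return log, sorted(ctl.blocked)


if __name__ == "__main__":
    for event, result in run_sample()[0].items():
        print(event, result)
```

The retry keeps a single unauthenticated device from permanently consuming a port, which is the exhaustion scenario the embodiment is guarding against, while the re-close on failure means a device that merely waits out the interval is blocked again rather than admitted. In production the `since` timestamps and the blocking table would be persisted, and `access_request` would be gated on an operator approval rather than on the request alone.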
As a preferred embodiment, the intranet boundary management and control method provided by the embodiment of the invention further includes the step of analyzing the usage of the switch ports, obtaining a list of unused switch ports, and calculating the switch port utilization rate. This step allows the use of switch ports to be managed: when its result shows a shortage of switch ports, staff can be notified in time so that switch ports can be added.
An embodiment of the invention also provides an intranet boundary control device which, as shown in Fig. 6, includes: a device authentication module 1, for executing step S1 and sending the result to a device detection module 2 and a switch port control module 3; the device detection module 2, for executing steps S2 and S3 and sending the detection result to the switch port control module 3; and the switch port control module 3, for executing steps S4 and S5.
Through the device authentication module 1, device detection module 2 and switch port control module 3, the intranet boundary control device provided by the embodiment of the invention can ensure that computer security measures are in place.
As a preferred embodiment, as shown in Fig. 7, the intranet boundary control device further includes a device information acquisition module 4, for executing step S01 and sending the result to the device authentication module 1 and the switch port control module 3.
As a preferred embodiment, the switch port control module 3 is also used to execute steps S02, S03, S41, S61 to S63, S71, S72 and S74 to S76.
As a preferred embodiment, the device authentication module 1 is also used to execute steps S11 to S18 and S73.
The details of the steps performed by each of the above components have been described in the method embodiment above and are not repeated here.
An embodiment of the present invention further provides a non-transitory computer-readable storage medium. The non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause a computer to execute the intranet boundary management and control method described in any of the above method embodiments. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD), a solid-state drive (SSD) or the like; the storage medium may also comprise a combination of the above kinds of memory.
An embodiment of the present invention further provides an intranet boundary management and control device. As shown in Figure 8, the intranet boundary management and control device comprises at least one processor 801 and a memory 802 communicatively connected to the at least one processor 801; one processor 801 is taken as an example in the figure.
The memory 802 stores instructions executable by the at least one processor 801, and the instructions are executed by the at least one processor 801 so that the at least one processor 801 executes the intranet boundary management and control method described in any of the above method embodiments.
As shown in Figure 8, the intranet boundary management and control device may further comprise an input device 803 and an output device 804.
The processor 801, the memory 802, the input device 803 and the output device 804 may be connected by a bus or by other means.
The processor 801 may be a central processing unit (CPU). The processor 801 may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination of the above kinds of chips. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 802, as a non-transitory computer-readable storage medium, may be used to store non-transitory software programs, non-transitory computer-executable programs and modules, such as the program instructions/modules corresponding to the intranet boundary management and control method in the embodiments of the present application. By running the non-transitory software programs, instructions and modules stored in the memory 802, the processor 801 executes the various functional applications and data processing of the server.
The input device 803 may receive input numeric or character information and generate key signal inputs related to user settings and function control. The output device 804 may include a display device such as a display screen.
The present invention is described with reference to flowcharts and/or block diagrams of the method, the device (system) and the computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, the above embodiments are merely examples given for clarity of description and do not limit the embodiments. Those of ordinary skill in the art can make other changes or modifications of various forms on the basis of the above description. It is neither necessary nor possible to exhaust all embodiments here. Obvious changes or modifications derived from the above still fall within the scope of protection of the present invention.

Claims (10)

1. An intranet boundary management and control method, characterized by comprising:
authenticating an intranet edge device;
when the intranet edge device passes authentication and is a computer device, detecting in turn whether the intranet edge device contains first label information indicating that a client program is installed, second label information indicating that the client program is online, and third label information indicating that security protection measures are deployed;
when the intranet edge device does not contain the first label information, the second label information or the third label information, closing the switch port corresponding to the intranet edge device;
when the intranet edge device contains the first label information, the second label information and the third label information, keeping the switch port corresponding to the intranet edge device in an open state.
2. The intranet boundary management and control method according to claim 1, characterized in that it further comprises: adding the closed switch port to a blocking data table.
3. The intranet boundary management and control method according to claim 1 or 2, characterized in that, before authenticating the intranet edge device, it further comprises: obtaining the MAC-IP-PORT correspondence table of the intranet edge device by periodically polling the switch for its MAC address forwarding table and ARP table.
4. The intranet boundary management and control method according to claim 3, characterized in that the obtained MAC-IP-PORT correspondence table of the intranet edge device is analyzed, and when the intranet edge device is a HUB, the switch port corresponding to the HUB is closed and the switch port corresponding to the HUB is added to the blocking data table.
5. The intranet boundary management and control method according to claim 3, characterized in that authenticating the intranet edge device comprises:
when the MAC-IP-PORT correspondence table of the intranet edge device is obtained for the first time, storing the MAC-IP-PORT correspondence table in an online device cache, and comparing the MAC data in the MAC-IP-PORT correspondence table of the intranet edge device with an authenticated device database;
for a non-authenticated intranet edge device whose MAC address is not in the authenticated device database, closing the switch port corresponding to the non-authenticated intranet edge device, and adding the switch port corresponding to the non-authenticated intranet edge device to the blocking data table.
6. The intranet boundary management and control method according to claim 5, characterized in that authenticating the intranet edge device further comprises:
when the MAC-IP-PORT correspondence table of the intranet edge device is not obtained for the first time, comparing the MAC-IP-PORT correspondence table with the cached data stored in the online device cache, generating a new access device information table, and authenticating the new access devices in the new access device information table;
for a new access device that fails authentication, closing the switch port corresponding to that new access device, and adding the switch port corresponding to that new access device to the blocking data table;
for a new access device that passes authentication, storing the new access device in the online device cache.
7. The intranet boundary management and control method according to any one of claims 4-6, characterized in that it further comprises:
when an access request is received from an intranet edge device whose switch port has been closed, opening the switch port corresponding to that intranet edge device, and adding that intranet edge device to the authenticated device database.
8. The intranet boundary management and control method according to any one of claims 4-6, characterized in that the switch ports in the blocking data table are restarted periodically according to a preset time, and the intranet edge device corresponding to each restarted switch port is authenticated;
when the intranet edge device corresponding to the restarted switch port passes authentication, or no device is connected to the restarted switch port, keeping the restarted switch port open;
when the intranet edge device corresponding to the restarted switch port fails authentication, closing the restarted switch port and adding the restarted switch port to the blocking data table.
9. A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium stores computer instructions, and the computer instructions are used to cause a computer to execute the intranet boundary management and control method according to any one of claims 1-8.
10. An intranet boundary management and control device, characterized by comprising:
at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor executes the intranet boundary management and control method according to any one of claims 1-8.
CN201811602774.6A 2018-12-26 2018-12-26 Intranet boundary management and control method Active CN109617892B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811602774.6A CN109617892B (en) 2018-12-26 2018-12-26 Intranet boundary management and control method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811602774.6A CN109617892B (en) 2018-12-26 2018-12-26 Intranet boundary management and control method

Publications (2)

Publication Number Publication Date
CN109617892A true CN109617892A (en) 2019-04-12
CN109617892B CN109617892B (en) 2021-12-17

Family

ID=66011751

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811602774.6A Active CN109617892B (en) 2018-12-26 2018-12-26 Intranet boundary management and control method

Country Status (1)

Country Link
CN (1) CN109617892B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1845491A (en) * 2006-02-20 2006-10-11 南京联创通信科技有限公司 Access authentication method of 802.1x
CN101588360A (en) * 2009-07-03 2009-11-25 深圳市安络大成科技有限公司 Associated equipment and method for internal network security management
CN101714927A (en) * 2010-01-15 2010-05-26 福建伊时代信息科技股份有限公司 Network access control method for comprehensive safety management of inner network
CN102271132A (en) * 2011-07-26 2011-12-07 北京星网锐捷网络技术有限公司 Control method and system for network access authority and client
US8413229B2 (en) * 2006-08-21 2013-04-02 Citrix Systems, Inc. Method and appliance for authenticating, by an appliance, a client to access a virtual private network connection, based on an attribute of a client-side certificate
CN103618613A (en) * 2013-12-09 2014-03-05 北京京航计算通讯研究所 Network access control system

Also Published As

Publication number Publication date
CN109617892B (en) 2021-12-17

Similar Documents

Publication Publication Date Title
JP7408725B2 (en) Automatic operation management of computer systems
CN107659543B (en) Protection method for APT (android packet) attack of cloud platform
CN108494729B (en) A kind of zero trust model realization system
CN104618395B (en) A kind of dynamic cross-domain access control system and method connected based on trustable network
US20160352771A1 (en) Automated penetration testing device, method and system
CN105847300B (en) The method for visualizing and device of enterprise network boundary device topology
CN104158767B (en) A kind of network admittance device and method
US20200186429A1 (en) Determining violation of a network invariant
CN104702623B (en) IP blockage method and system
US11552953B1 (en) Identity-based authentication and access control mechanism
CN104796383B (en) A kind of method and apparatus that end message is anti-tamper
US10015153B1 (en) Security using velocity metrics identifying authentication performance for a set of devices
CN105933245A (en) Secure and credible access method in software defined network
CN109766694A (en) Program protocol white list linkage method and device of industrial control host
CN103701822A (en) Access control method
CN102170372B (en) Method for network structure monitoring and boundary inspection
CN111709023A (en) Application isolation method and system based on trusted operating system
CN107111511A (en) Access control method, device and system
CN105245473B (en) Local area network terminal admittance control method based on exchanger dual binding
CN108092777B (en) Method and device for supervising digital certificate
CN110175437A (en) It is a kind of for access terminal authorization control method, apparatus and host terminal
CN110099041A (en) A kind of Internet of Things means of defence and equipment, system
CN109617892A (en) A kind of Intranet boundary management-control method
CN107332862A (en) A kind of identity identifying method, front end processor and identity authorization system
CN109561103A (en) A kind of Intranet boundary management-control method for hub

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant