CN110661744A - Network access control method - Google Patents
- Publication number: CN110661744A (application number CN201810683911.7A)
- Authority: CN (China)
- Prior art keywords
- terminal
- network
- message
- authority
- router
- Legal status: Pending (as listed by Google Patents, which states that the listed status is an assumption and not a legal conclusion)
Classifications
- H04L63/101: Access control lists [ACL] (under H04L63/10, network architectures or protocols for network security for controlling access to devices or network resources; H04L63/00, network architectures or protocols for network security; H04L, transmission of digital information; H04, electric communication technique; H, electricity)
- H04L63/0876: Authentication of entities based on the identity of the terminal or its configuration, e.g. MAC address, hardware or software configuration or device fingerprint (under H04L63/08, authentication of entities; H04L63/00; H04L; H04; H)
- H04L63/102: Entity profiles (under H04L63/10, controlling access to devices or network resources; H04L63/00; H04L; H04; H)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a network access control method applied to a system comprising a terminal and a network control device (a router): a message from the terminal can enter the internet only after being processed by the router. After receiving a terminal message, the router determines the network authority according to the terminal and the message's protocol type, destination IP and destination port number, and it also offers the user a simple way to generate network authorities. In this way terminal data can be uploaded to the internet only after the user has fully authorized it, which effectively protects the user's personal privacy.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a network access control method.
Background
Fig. 1 is a logical networking diagram of a typical current home network: terminal devices (terminals for short) such as a personal computer, a mobile phone and a camera access the internet through a home router.
While the network makes everyday life more convenient, it also brings security risks, for example a smart camera that uploads images to the internet and leaks personal privacy, or a PC that uploads private data after being compromised. Home router manufacturers currently offer the following control methods:
1. in wireless access mode, the router can be configured to prohibit a specific terminal from joining the wireless network; but then the user can no longer reach the monitoring device over the network either;
2. some routers (such as TP-LINK home routers) provide firewall configuration in which network rights are controlled by MAC (Media Access Control) address or IP (Internet Protocol) address. This is relatively complex to configure: the user must look up the terminal's MAC or IP address from its name and then enter the firewall configuration to add control entries. It also blocks all network access, so for a terminal that needs to reach the internet it cannot reconcile connectivity with safety.
Disclosure of Invention
The invention provides a network access control method, which can control the network access authority of a terminal on a router.
In view of this, the embodiment of the present invention provides:
a network access control method applied to a system comprising a terminal and a router, wherein a message from the terminal can enter the internet only after being processed by the router; after receiving a terminal message, the router looks up the corresponding terminal according to the message's terminal address and determines how to process the message according to that terminal's network authority and the message's network operation type.
The invention ensures that data a terminal sends to the internet must first be fully authorized by the user, keeps user configuration simple, and thereby protects personal privacy more effectively.
Drawings
Fig. 1 is a diagram of a home network logical networking.
Fig. 2 is a flow chart of router network access control.
Fig. 3 is a flow diagram of another embodiment of router network access control.
Detailed Description
The invention mainly applies to the logical network shown in Fig. 1; how the router assigns a private network IP address to a terminal device is unrelated to the invention and is not described further. The embodiment mainly describes how the router's network authority for a terminal device is configured once the terminal has connected to the router, and how the router then controls the terminal's network access.
The embodiment of the invention defines two network operation types and three network authorities:
a message sent by a terminal has one of two network operation types, uploading data or downloading data: uploading means the message sends local data to the network (e.g. an HTTP PUT/POST), downloading means the message requests data from the network (e.g. an HTTP GET); whether a given message is an upload or a download must be determined by analysing its protocol;
the router classifies messages by the quadruple of terminal name, protocol type, destination IP and destination port number of the sent message and generates one network authority table entry per class; each class of message has one of the following three network authorities:
no authority: the message is not allowed to be forwarded to the internet;
low authority: this class of message is forwarded to the internet only under a restricting condition. For example, the handling may depend on the network operation type: messages that upload data are not forwarded to the internet, messages that download data are; the amount of data or the number of transmissions per hour/day may be limited more strictly; or other constraints may be defined;
high authority: the message is forwarded to the internet without limitation.
A terminal receives a default authority (such as low authority) after connecting to the router. The router provides a configuration interface for changing the authority by terminal name, with four network authority configuration items: no authority, low authority, high authority and terminal self-definition.
Once a terminal is configured as self-defined, the router accepts network authority configuration messages from that terminal and generates the corresponding network authority table entries. A configuration message must contain a terminal identifier (terminal name, terminal MAC address or terminal IP address); its optional fields are the network authority (no/low/high authority), the protocol type (e.g. TCP/UDP ...), the destination IP address and the destination port number.
When a terminal is configured as self-defined, software on the terminal can control network authority at the granularity of individual application programs. The software may operate as follows:
1. through a configuration interface provided by the software, the user adds an application program (such as the IE browser) that needs network access and configures its network authority (the default may be low authority); the software then starts monitoring the communication ports (protocol type/destination IP/port number) that the target application program opens;
2. when the software observes the target application program opening a communication port, it sends the terminal name, the configured network authority, the protocol type, the destination IP address and the destination port number to the router in the message format defined by the router;
3. when the software observes the target application program closing the communication port, it sends the terminal name, the default network authority, the protocol type, the destination IP address and the destination port number to the router in the same message format.
The following describes the terminal network authority information stored in the router by using a specific example; suppose that:
1. Four terminals connect to the router. The first is a personal computer named PC with both a wireless network card (MAC address E0-CE-C3-F9-82-23) and an Ethernet card (MAC address 74-2B-62-6E-06-17); both cards are connected to the router. The second is a smart camera named Camera, connected through a wireless network card with MAC address D0-5B-A8-32-43-62. The third is a mobile phone named Mobile, connected through a wireless network card with MAC address 80-AD-16-5D-E6-80. The fourth is a smart speaker named Echo, connected through a wireless network card with MAC address 14-CF-92-C7-17-83. After the terminals connect, the router generates a terminal information table (Table 1), in which the MAC address and IP address are collectively called the terminal address; how Table 1 is generated is unrelated to the invention and is not described;
Terminal name | MAC address | IP address |
---|---|---|
PC | 74-2B-62-6E-06-17 | 192.168.1.101 |
PC | E0-CE-C3-F9-82-23 | 192.168.1.111 |
Camera | D0-5B-A8-32-43-62 | 192.168.1.102 |
Mobile | 80-AD-16-5D-E6-80 | 192.168.1.103 |
Echo | 14-CF-92-C7-17-83 | 192.168.1.104 |
TABLE 1
2. The router's configured authorities for the four terminals are: PC, terminal self-definition; Camera, no authority; Mobile, high authority; Echo, low authority. The router generates the terminal network authority table (Table 2);
Terminal name | Protocol type | Destination IP | Destination port number | Network authority |
---|---|---|---|---|
PC | All | All | All | Low authority |
Camera | All | All | All | No authority |
Mobile | All | All | All | High authority |
Echo | All | All | All | Low authority |
TABLE 2
For processing efficiency, the terminal information table can be searched by the terminal name of each network authority table entry to obtain all MAC addresses of that terminal (for example, both network cards of the PC are connected, so an entry must be generated for each of the two MAC addresses); the MAC address then replaces the terminal name, producing an address authority table (Table 3);
MAC address | Protocol type | Destination IP | Destination port number | Network authority |
---|---|---|---|---|
74-2B-62-6E-06-17 | All | All | All | Low authority |
E0-CE-C3-F9-82-23 | All | All | All | Low authority |
D0-5B-A8-32-43-62 | All | All | All | No authority |
80-AD-16-5D-E6-80 | All | All | All | High authority |
14-CF-92-C7-17-83 | All | All | All | Low authority |
TABLE 3
The address authority table in Table 3 uses the MAC address as its key; the IP address could equally be used as the entry key;
3. The PC runs software matched with the router and uses it to configure the IE browser as high authority. When the IE browser accesses http://192.144.149.48, the router receives a network authority configuration message from the PC software and generates a network authority table entry; the router's complete network authority table is then Table 4;
Terminal name | Protocol type | Destination IP | Destination port number | Network authority |
---|---|---|---|---|
PC | TCP | 192.144.148.48 | 80 | High authority |
PC | All | All | All | Low authority |
Camera | All | All | All | No authority |
Mobile | All | All | All | High authority |
Echo | All | All | All | Low authority |
TABLE 4
The corresponding address authority table for the whole router is not shown.
Fig. 2 shows the network access control flow when the router receives a packet from a terminal device:
201. parse the packet's source MAC address, protocol type, destination IP and destination port, and determine whether the packet uploads or downloads data;
202. look up the terminal information table by source MAC address to obtain the terminal name;
203. if no such terminal exists, discard the packet; otherwise go to step 204;
204. search the network authority table for a matching entry by terminal name, protocol type, destination IP and destination port: an entry whose protocol type/destination IP/destination port number is 'All' matches any value of the corresponding packet field; if several entries match, prefer the one with the most concretely matched elements of the quadruple;
205. if the matched entry's network authority is no authority, discard the packet; otherwise go to step 206;
206. if the matched entry's network authority is low authority, go to step 207; otherwise the authority is high and the packet is forwarded normally;
207. if the packet uploads data, discard it; if it downloads data, forward it normally.
Fig. 3 shows another embodiment of the network access control flow when the router receives a packet from a terminal device:
301. parse the packet's source MAC address, protocol type, destination IP and destination port, and determine whether the packet uploads or downloads data;
302. search the address authority table (Table 3) for a matching entry by MAC address, protocol type, destination IP and destination port: an entry whose protocol type/destination IP/destination port number is 'All' matches any value of the corresponding packet field; if several entries match, prefer the one with the most concretely matched elements of the quadruple;
303. if the matched entry's network authority is no authority, discard the packet; otherwise go to step 304;
304. if the matched entry's network authority is low authority, go to step 305; otherwise the authority is high and the packet is forwarded normally;
305. if the packet uploads data, discard it; if it downloads data, forward it normally.
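The tables and both packet-decision flows above, as an added Python example that is not part of the patent: it builds Tables 1 and 2 from the page, derives Table 3, applies the configuration message of claim 4 (the PC software reporting the IE browser's TCP/80 connection, using the destination address given in Table 4) to obtain Table 4, and decides a packet along Fig. 2 (lookup by terminal name) or Fig. 3 (lookup by MAC). The dictionary form of the configuration message, the `Rule` representation, `classify_http`, refusing configuration messages from terminals not configured as self-defined, and dropping packets that match no entry are assumptions; the page defines no message format and does not say what happens when nothing matches.

```python
"""Added example (not the patent's code): router-side model of Tables 1-4 and Figs. 2-3."""
from dataclasses import dataclass
from typing import Optional

NO, LOW, HIGH = "no authority", "low authority", "high authority"
ALL = None  # wildcard, written "All" in the page's tables

# Table 1 (from the page): (terminal name, MAC address, IP address)
TERMINAL_INFO = [
    ("PC", "74-2B-62-6E-06-17", "192.168.1.101"),
    ("PC", "E0-CE-C3-F9-82-23", "192.168.1.111"),
    ("Camera", "D0-5B-A8-32-43-62", "192.168.1.102"),
    ("Mobile", "80-AD-16-5D-E6-80", "192.168.1.103"),
    ("Echo", "14-CF-92-C7-17-83", "192.168.1.104"),
]
# Terminals set to "terminal self-definition" on the router (PC in the page's example).
# Assumption: only these may send network authority configuration messages.
SELF_DEFINED = {"PC"}


@dataclass(frozen=True)
class Rule:
    """One network authority entry; subject is a terminal name (Tables 2, 4) or a MAC (Table 3)."""
    subject: str
    proto: Optional[str]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    authority: str

    def matches(self, proto, dst_ip, dst_port):
        # Step 204/302: a field set to ALL matches any value in the packet.
        return all(want is ALL or want == got for want, got in
                   ((self.proto, proto), (self.dst_ip, dst_ip), (self.dst_port, dst_port)))

    def specificity(self):
        # Step 204/302: among several matches, prefer the entry with the most concrete fields.
        return sum(f is not ALL for f in (self.proto, self.dst_ip, self.dst_port))


# Table 2 (from the page): one default entry per terminal, all other fields ALL.
DEFAULT_RULES = [Rule("PC", ALL, ALL, ALL, LOW), Rule("Camera", ALL, ALL, ALL, NO),
                 Rule("Mobile", ALL, ALL, ALL, HIGH), Rule("Echo", ALL, ALL, ALL, LOW)]


def resolve_terminal(identifier):
    """Step 202: map a terminal identifier (name, MAC or IP) to the terminal name, or None."""
    for name, mac, ip in TERMINAL_INFO:
        if identifier in (name, mac, ip):
            return name
    return None


def apply_config_message(rules, msg, default=LOW):
    """Claim 4 / terminal-software steps 2-3: add or replace one entry, return the new table.
    `msg` is an assumed dict form of the router-defined message: "terminal" is mandatory;
    "authority", "proto", "dst_ip", "dst_port" are optional. Omitting "authority" is the
    "port closed" message of step 3 and restores the default."""
    name = resolve_terminal(msg.get("terminal"))
    if name is None:
        raise ValueError("configuration message lacks a known terminal identifier")
    if name not in SELF_DEFINED:
        raise PermissionError(f"{name} is not configured as self-defined; message refused")
    new = Rule(name, msg.get("proto"), msg.get("dst_ip"), msg.get("dst_port"),
               msg.get("authority", default))
    return [r for r in rules if (r.subject, r.proto, r.dst_ip, r.dst_port)
            != (new.subject, new.proto, new.dst_ip, new.dst_port)] + [new]


def to_address_table(rules):
    """Table 3: expand each name-keyed entry into one MAC-keyed entry per interface."""
    return [Rule(mac, r.proto, r.dst_ip, r.dst_port, r.authority)
            for r in rules for name, mac, _ in TERMINAL_INFO if name == r.subject]


def classify_http(request_line):
    """Page's rule of thumb: PUT/POST upload local data, GET requests data.
    Assumption: HEAD counts as a download; any other method is treated as an upload."""
    method = request_line.split(" ", 1)[0].upper()
    return "download" if method in ("GET", "HEAD") else "upload"


def decide(rules, src_mac, proto, dst_ip, dst_port, operation, by_name=True):
    """Return "forward" or "drop" for one packet. by_name=True is Fig. 2 (steps 201-207,
    MAC -> name -> name-keyed table); by_name=False is Fig. 3 (steps 301-305, MAC ->
    address authority table). Assumption: no matching entry means drop (page is silent)."""
    if by_name:
        subject, table = resolve_terminal(src_mac), rules
        if subject is None:
            return "drop"  # step 203: unknown terminal
    else:
        subject, table = src_mac, to_address_table(rules)
    candidates = [r for r in table if r.subject == subject and r.matches(proto, dst_ip, dst_port)]
    if not candidates:
        return "drop"
    rule = max(candidates, key=Rule.specificity)
    if rule.authority == NO:
        return "drop"                                      # step 205/303
    if rule.authority == HIGH:
        return "forward"                                   # step 206/304
    return "drop" if operation == "upload" else "forward"  # step 207/305: low authority


if __name__ == "__main__":
    # Constructed walk-through of the page's example 3: IE on the PC opens TCP/80 to
    # 192.144.148.48 (Table 4's destination); the PC software reports it as high authority.
    table4 = apply_config_message(DEFAULT_RULES, {"terminal": "PC", "authority": HIGH,
                                  "proto": "TCP", "dst_ip": "192.144.148.48", "dst_port": 80})
    op = classify_http("POST /upload HTTP/1.1")  # constructed request line -> "upload"
    print(decide(table4, "74-2B-62-6E-06-17", "TCP", "192.144.148.48", 80, op))  # forward
    print(decide(table4, "74-2B-62-6E-06-17", "TCP", "203.0.113.9", 443, op))     # drop
```

Two points the page leaves implicit show up in the code: a configuration message that omits the authority field is the "port closed" message of step 3 and restores the default, and a terminal with two interfaces needs one name-keyed entry but two MAC-keyed entries, which is why `to_address_table` expands Table 4 into seven rows. As described, the configuration message comes from software on the very terminal being controlled; the page does not say how the router authenticates it, so checking the self-defined setting before accepting one is the minimum gate an implementation needs.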
In the invention, authority is configured and the network authority table is generated by terminal name, which simplifies user configuration compared with configuring authority by MAC address/IP address: if a PC has two network cards, MAC-based configuration must be done twice, whereas name-based configuration is done once. Grouping several terminals into a set and configuring authority for the set, so that authority is configured per terminal indirectly, also falls within the scope of the invention: for example, if a security group concept is introduced on the router, PC and Mobile join the same security group, network authority is configured only for the security group, and the router's message forwarding flow finds the configuration of the security group a terminal belongs to from the terminal name in order to determine its network authority.
The above description of the embodiments is only for the purpose of helping understanding the method of the present invention and the core idea thereof, and for those skilled in the art, the specific implementation and the application range may be changed according to the idea of the present invention; in view of the above, the present disclosure should not be construed as limiting the invention.
Claims (4)
1. A network access control method is applied to a system comprising a terminal and a router, wherein a message of the terminal can enter an internet network after being processed by the router, and the router controls the network authority of the terminal by discarding or forwarding the message.
2. The method according to claim 1, wherein the router searches a terminal information table according to a terminal address of the message to obtain a terminal name after receiving the terminal message, and further obtains a network authority table of the terminal according to the terminal name.
3. The method according to claim 1, wherein the router searches an address authority table according to a terminal address of the message after receiving the terminal message, and the address authority table is generated according to a terminal information table and a network authority table of the terminal.
4. The method according to claim 1, wherein the network authority table of the terminal is generated according to a configuration message of the terminal, and the configuration message must carry a terminal identifier and may carry zero or more of the following three items: a protocol type, a destination IP address and a destination port.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810683911.7A CN110661744A (en) | 2018-06-28 | 2018-06-28 | Network access control method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110661744A true CN110661744A (en) | 2020-01-07 |
Family
ID=69026259
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114285819A (en) * | 2021-12-29 | 2022-04-05 | 深圳市共进电子股份有限公司 | Method and device for visiting intranet by visitor network, computer equipment and medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101188604A (en) * | 2006-11-16 | 2008-05-28 | 中兴通讯股份有限公司 | A right authentication method for network user |
CN104768204A (en) * | 2015-03-25 | 2015-07-08 | 广东欧珀移动通信有限公司 | Network access management method, wearable device and system |
CN105357168A (en) * | 2014-08-19 | 2016-02-24 | 酷派软件技术(深圳)有限公司 | Device access permission allocation method and device |
CN106302373A (en) * | 2015-06-25 | 2017-01-04 | 中兴通讯股份有限公司 | A kind of connection control method and terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20200107 |