CN110661744A - Network access control method - Google Patents

Network access control method

Info

Publication number
CN110661744A
Authority
CN
China
Prior art keywords
terminal
network
message
authority
router
Legal status
Pending
Application number
CN201810683911.7A
Other languages
Chinese (zh)
Inventor
石悌君
Current Assignee
Individual
Original Assignee
Individual

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/102 Entity profiles
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network access control method applied to a system comprising a terminal and a network control device, in which a message from the terminal enters the internet only after being processed by the network control device. After receiving a terminal message, the router determines the network authority from the terminal and from the protocol type, destination IP and destination port number of the message, and it also gives the user a simple way to generate network authorities. In this way, terminal data can be uploaded to the internet only after the user has fully authorized it, which effectively protects the user's personal privacy.

Description

Network access control method
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a network access control method.
Background
Fig. 1 is a logical networking diagram of a typical current home network: various terminal devices (terminals for short), such as a personal computer, a mobile phone and a camera, access the internet through a home router.
While the network makes daily life more convenient, it also introduces security hazards: for example, a smart camera may upload images to the internet and leak personal privacy, or a compromised PC may upload private data. Home router manufacturers currently offer several control methods:
1. In wireless access mode, the router can be configured to prohibit a specific terminal from accessing the wireless network; however, the user then cannot reach the monitoring device over the network either;
2. Some routers (such as TP-LINK home routers) provide a firewall configuration in which network rights are controlled by MAC (Media Access Control) address or IP (Internet Protocol) address. This configuration is relatively complex: the user must look up the MAC or IP address of the terminal from its name and then enter the firewall configuration to add control entries. Moreover, it blocks all network access, so for a terminal that needs network access it cannot balance internet access against security.
Disclosure of Invention
The invention provides a network access control method, which can control the network access authority of a terminal on a router.
In view of this, the embodiment of the present invention provides:
a network access control method applied to a system comprising a terminal and a router, in which a message from the terminal enters the internet only after being processed by the router; after receiving a terminal message, the router looks up the corresponding terminal from the terminal address of the message and determines how to process the message from the network authority of that terminal and the network operation type of the message.
The invention ensures that data transmitted to the internet by a terminal must be fully authorized by the user, requires only simple user configuration, and protects the user's personal privacy more effectively.
Drawings
Fig. 1 is a diagram of a home network logical networking.
Fig. 2 is a flow chart of router network access control.
Fig. 3 is a flow diagram of another embodiment of router network access control.
Detailed Description
The invention mainly applies to the logical network shown in Fig. 1; the process by which the router allocates a private network IP address to a terminal device is unrelated to the invention and is not described. The embodiment mainly describes how the router configures the network authority of a terminal device after that device has connected to the router, and the network access control method itself.
The embodiment defines two network operation types and three network authorities:
A message sent by a terminal belongs to one of two network operation types, uploading data or downloading data. Uploading data means the message sends local data to the network (e.g. an HTTP PUT/POST); downloading data means the message requests data from the network (e.g. an HTTP GET). Whether a message is an upload or a download must be determined by analysing the specific protocol;
The router classifies messages by the quadruple (terminal name, protocol type, destination IP, destination port number) of the sent message and generates a network authority table entry for each class; messages of the same class share one of the following three network authorities:
No authority: the message is not allowed to be forwarded to the internet;
Low authority: messages of this class are forwarded to the internet only under a restricting condition. For example, the processing may depend on the network operation type: messages that upload data are not forwarded to the internet, while messages that download data are; alternatively, the amount of data transmitted or the transmission frequency per transmission or per day may be controlled more strictly, or other custom constraints may be applied;
High authority: the message is forwarded to the internet without restriction.
After a terminal connects to the router it receives a default authority (such as low authority). The router provides a configuration interface for modifying the authority by terminal name, with four network authority configuration options: no authority, low authority, high authority and terminal self-defined.
When a terminal is configured as self-defined, the router accepts network authority configuration messages sent by that terminal and generates the corresponding network authority table entries. The configuration message must contain a terminal identifier (terminal name, terminal MAC address or terminal IP address); optionally it may contain a network authority (no authority/low authority/high authority), a protocol type (e.g. TCP/UDP …), a destination IP address and a destination port number.
When a terminal is configured as self-defined, it can implement network authority control at application-program granularity through software running on the terminal. The software may operate as follows:
1. Through a configuration interface provided by the software, the user adds the application programs that should have network access (such as the IE browser) and configures each application's network authority (the default may be low authority). The software then begins monitoring the communication ports (protocol type/destination IP/port number) opened by the target application (such as the IE browser);
2. When the software detects that the target application has opened a communication port, it sends the terminal name, the configured network authority, the protocol type, the destination IP address and the destination port number to the router in the message format defined by the router;
3. When the software detects that the target application has closed the communication port, it sends the terminal name, the default network authority, the protocol type, the destination IP address and the destination port number to the router in the message format defined by the router.
The terminal network authority information stored in the router is described below using a specific example. Suppose that:
1. Four terminals connect to the router. The first is a personal computer named PC with both a wireless network card (MAC address E0-CE-C3-F9-82-23) and an Ethernet card (MAC address 74-2B-62-6E-06-17); both cards are connected to the router. The second is a smart camera named Camera, connected through a wireless network card with MAC address D0-5B-A8-32-43-62. The third is a mobile phone named Mobile, connected through a wireless network card with MAC address 80-AD-16-5D-E6-80. The fourth is a smart speaker named Echo, connected through a wireless network card with MAC address 14-CF-92-C7-17-83. After the terminals connect, the router generates a terminal information table (Table 1), in which the MAC address and IP address are collectively called the terminal address; the generation of Table 1 is unrelated to the invention and is not described;
Terminal name   MAC address         IP address
PC              74-2B-62-6E-06-17   192.168.1.101
PC              E0-CE-C3-F9-82-23   192.168.1.111
Camera          D0-5B-A8-32-43-62   192.168.1.102
Mobile          80-AD-16-5D-E6-80   192.168.1.103
Echo            14-CF-92-C7-17-83   192.168.1.104
TABLE 1
2. The router is configured with the following authorities for the four terminals: PC is terminal self-defined, Camera is no authority, Mobile is high authority and Echo is low authority. The router generates the terminal network authority table (Table 2);
Terminal name   Protocol type   Destination IP   Destination port   Network authority
PC              All             All              All                Low authority
Camera          All             All              All                No authority
Mobile          All             All              All                High authority
Echo            All             All              All                Low authority
TABLE 2
For processing efficiency, the terminal information table can be searched by the terminal name of each network authority table entry to obtain all MAC addresses of that terminal (for example, both network cards of the PC are connected, so each of their MAC addresses needs its own entry); the MAC address then replaces the terminal name, producing an address authority table (Table 3);
MAC address         Protocol type   Destination IP   Destination port   Network authority
74-2B-62-6E-06-17   All             All              All                Low authority
E0-CE-C3-F9-82-23   All             All              All                Low authority
D0-5B-A8-32-43-62   All             All              All                No authority
80-AD-16-5D-E6-80   All             All              All                High authority
14-CF-92-C7-17-83   All             All              All                Low authority
TABLE 3
The address authority table in Table 3 uses the MAC address as its key; the IP address may also be used as the entry key;
3. The PC runs software matched to the router and, through that software, configures the IE browser as high authority. When the IE browser accesses http://192.144.149.48, the router receives a network authority configuration message from the PC software and generates a network authority table entry; the complete network authority table of the router is shown in Table 4;
Terminal name   Protocol type   Destination IP    Destination port   Network authority
PC              TCP             192.144.148.48    80                 High authority
PC              All             All               All                Low authority
Camera          All             All               All                No authority
Mobile          All             All               All                High authority
Echo            All             All               All                Low authority
TABLE 4
The address authority table of the whole router is not described in detail.
Fig. 2 shows the network access control flow executed when the router receives a terminal device packet:
201. Parse the source MAC address, protocol type, destination IP and destination port of the message, and analyse whether the message uploads or downloads data;
202. Search the terminal information table by the source MAC address to obtain the terminal name;
203. If the terminal does not exist, discard the message directly; otherwise go to step 204;
204. Search the network authority table for a matching entry by terminal name, protocol type, destination IP and destination port. When an entry's protocol type/destination IP/destination port number is 'all', any value in the corresponding field of the message matches it; if several entries match, the entry with the most matching elements of the quadruple is preferred;
205. If the network authority of the matched entry is no authority, discard the message; otherwise go to step 206;
206. If the network authority of the matched entry is low authority, go to step 207; otherwise it is treated as high authority and the message is forwarded normally;
207. If the message uploads data, discard it; if it downloads data, forward it normally.
Fig. 3 shows another embodiment of the network access control flow executed when the router receives a terminal device packet:
301. Parse the source MAC address, protocol type, destination IP and destination port of the message, and analyse whether the message uploads or downloads data;
302. Search the address authority table for a matching entry by MAC address, protocol type, destination IP and destination port. When an entry's protocol type/destination IP/destination port number is 'all', any value in the corresponding field of the message matches it; if several entries match, the entry with the most matching elements of the quadruple is preferred;
303. If the network authority of the matched entry is no authority, discard the message; otherwise go to step 304;
304. If the network authority of the matched entry is low authority, go to step 305; otherwise it is treated as high authority and the message is forwarded normally;
305. If the message uploads data, discard it; if it downloads data, forward it normally.
In the invention, the authority is configured and the network authority table is generated by terminal name, which simplifies user configuration compared with configuring by MAC address/IP address: if a PC has two network cards, authority configured by MAC address must be entered twice, whereas by terminal name the same configuration is entered only once. Grouping several terminals into a set and configuring authority for the set, so that authority is configured indirectly per terminal, is also considered within the scope of the invention; for example, if a security group concept is introduced on the router, PC and Mobile join the same security group, the network authority is configured only for the security group, and the message forwarding flow on the router finds, by terminal name, the configuration of the security group to which the terminal belongs in order to determine the network authority.
The above description of the embodiments is only intended to help in understanding the method of the present invention and its core idea; those skilled in the art may change the specific implementation and the range of application according to the idea of the invention. Accordingly, this disclosure should not be construed as limiting the invention.

Claims (4)

1. A network access control method is applied to a system comprising a terminal and a router, wherein a message of the terminal can enter an internet network after being processed by the router, and the router controls the network authority of the terminal by discarding or forwarding the message.
2. The method according to claim 1, wherein the router searches a terminal information table according to a terminal address of the message to obtain a terminal name after receiving the terminal message, and further obtains a network authority table of the terminal according to the terminal name.
3. The method according to claim 1, wherein the router searches an address authority table according to a terminal address of the message after receiving the terminal message, and the address authority table is generated according to a terminal information table and a network authority table of the terminal.
4. The method according to claim 1, wherein the network authority table of the terminal is generated according to a configuration message of the terminal, and the configuration message must carry a terminal identifier and may carry zero or more of the following three items: a protocol type, a destination IP address, and a destination port.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810683911.7A CN110661744A (en) 2018-06-28 2018-06-28 Network access control method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810683911.7A CN110661744A (en) 2018-06-28 2018-06-28 Network access control method

Publications (1)

Publication Number Publication Date
CN110661744A true CN110661744A (en) 2020-01-07

Family

ID=69026259

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810683911.7A Pending CN110661744A (en) 2018-06-28 2018-06-28 Network access control method

Country Status (1)

Country Link
CN (1) CN110661744A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114285819A (en) * 2021-12-29 2022-04-05 深圳市共进电子股份有限公司 Method and device for visiting intranet by visitor network, computer equipment and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101188604A (en) * 2006-11-16 2008-05-28 中兴通讯股份有限公司 A right authentication method for network user
CN104768204A (en) * 2015-03-25 2015-07-08 广东欧珀移动通信有限公司 Network access management method, wearable device and system
CN105357168A (en) * 2014-08-19 2016-02-24 酷派软件技术(深圳)有限公司 Device access permission allocation method and device
CN106302373A (en) * 2015-06-25 2017-01-04 中兴通讯股份有限公司 A kind of connection control method and terminal

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101188604A (en) * 2006-11-16 2008-05-28 中兴通讯股份有限公司 A right authentication method for network user
CN105357168A (en) * 2014-08-19 2016-02-24 酷派软件技术(深圳)有限公司 Device access permission allocation method and device
CN104768204A (en) * 2015-03-25 2015-07-08 广东欧珀移动通信有限公司 Network access management method, wearable device and system
CN106302373A (en) * 2015-06-25 2017-01-04 中兴通讯股份有限公司 A kind of connection control method and terminal

Similar Documents

Publication Publication Date Title
US10084642B2 (en) Automated sensing of network conditions for dynamically provisioning efficient VPN tunnels
US10095878B2 (en) Internal controls engine and reporting of events generated by a network or associated applications
US10333897B2 (en) Distributed firewalls and virtual network services using network packets with security tags
EP2580903B1 (en) Traffic classification
US8301771B2 (en) Methods, systems, and computer program products for transmission control of sensitive application-layer data
US11741801B2 (en) Network sanitization for dedicated communication function and edge enforcement
Maximov et al. Network topology masking in distributed information systems
CN110311929B (en) Access control method and device, electronic equipment and storage medium
US10193890B2 (en) Communication apparatus to manage whitelist information
US20120054358A1 (en) Network Relay Device and Frame Relaying Control Method
EP3523940A1 (en) Enforcing network security policy using pre-classification
WO2014062629A1 (en) System and method for correlating security events with subscriber information in a mobile network environment
CN110691074B (en) IPv6 data encryption method and IPv6 data decryption method
TW202137735A (en) Programmable switching device for network infrastructures
CN110661744A (en) Network access control method
US20230164119A1 (en) Network device protection
WO2013082793A1 (en) Method, device and system for controlling service transmission
US9455957B2 (en) Map sharing for a switch device
Andreev et al. Generalized net model of implementation of port knocking on RouterOS
CN112787947A (en) Network service processing method, system and gateway equipment
US20230319684A1 (en) Resource filter for integrated networks
US11792093B2 (en) Generating network system maps based on network traffic
EP4369689A1 (en) Peer-to-peer (p2p) network identification
Frank et al. Securing smart homes with openflow
Alfaw et al. 5G security threats

Legal Events

Code   Title                                                        Description
PB01   Publication
SE01   Entry into force of request for substantive examination
RJ01   Rejection of invention patent application after publication  Application publication date: 20200107