CN114374543B - Network security protection method, system, device, security switch and storage medium - Google Patents

Info

Publication number: CN114374543B
Authority: CN (China)
Prior art keywords: access terminal; security; identity; security policy; management platform
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202111566810.XA
Other languages: Chinese (zh)
Other versions: CN114374543A (en)
Inventors: 林皓, 刘建兵, 王振欣, 杨泳
Current Assignee: Shanghai Vrv Information Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing VRV Software Corp Ltd
Priority: CN202111566810.XA (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Events: application filed by Beijing VRV Software Corp Ltd; publication of CN114374543A; application granted; publication of CN114374543B; legal status active (current); anticipated expiration.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a network security protection method, system, device, security switch and storage medium. The method comprises the following steps: when terminal access is detected, a first identity identifier of the access terminal is obtained from the management platform device according to the MAC address of the access terminal and used to authenticate the access terminal; when authentication of the access terminal succeeds, a security policy request carrying the IP address and the first identity identifier of the access terminal is sent to the management platform device, so that when the management platform device determines from the first identity identifier that a security policy issued for the access terminal exists, it replaces a preset placeholder in the security policy with the IP address to obtain a target security policy and issues the target security policy to the security switch accessed by the access terminal; the security switch then executes the target security policy after receiving it. The application can realize unified formulation of the security policy and improve the efficiency and effect of security protection.

Description

Network security protection method, system, device, security switch and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a network security protection method, system, device, security switch, and storage medium, which can be applied to network security access control in the field of network security.
Background
Communication between information points and between the internal and external networks is an indispensable business demand in enterprise networks. Existing enterprise network security protection work involves a variety of security protection demands, and these demands must be implemented through security policies.
However, the security policies of current enterprises mostly remain on paper or are distributed discretely across different network security devices. Policies that exist only on paper or are scattered in this way cannot play their protective role, and when a security threat or attack is encountered there is no unified point of control from which to formulate and execute policy uniformly and rapidly, so the efficiency and effect of security emergency response are poor.
Therefore, it is important for enterprise networks to find a method and technology that can formulate security policies uniformly and execute them on the ground quickly.
Disclosure of Invention
In order to solve the technical problems described above or at least partially solve the technical problems described above, the present application provides a network security protection method, system, device, security switch and storage medium.
According to a first aspect of the present application, there is provided a network security protection method applied to a security switch, including:
when the access of the terminal is monitored, acquiring the MAC address of the access terminal;
acquiring a first identity of the access terminal from management platform equipment according to the MAC address of the access terminal for identity authentication of the access terminal;
under the condition that the authentication of the access terminal is successful, a security policy request is sent to the management platform device, wherein the security policy request carries an IP address of the access terminal and the first identity, so that when the management platform device determines that a security policy issued for the access terminal exists according to the first identity, a placeholder preset in the security policy is replaced by the IP address to obtain a target security policy, and the target security policy is issued to a security switch accessed by the access terminal;
and executing the target security policy after receiving the target security policy.
According to a second aspect of the present application, there is provided a network security protection system comprising a management platform device, at least one security switch and at least one access terminal, wherein:
The security switch is configured to obtain, when detecting that there is a terminal access, a MAC address of an access terminal, and obtain, according to the MAC address of the access terminal, a first identity identifier of the access terminal from the management platform device for performing identity authentication on the access terminal, and send, in case that authentication of the access terminal is successful, a security policy request to the management platform device, where the security policy request carries an IP address of the access terminal and the first identity identifier, and execute, after receiving a target security policy sent by the management platform device, the target security policy;
the management platform device is configured to determine whether a security policy issued for the access terminal exists according to the first identity identifier carried in the security policy request after the security policy request sent by the security switch is received, and when determining that the security policy issued for the access terminal exists, replace a placeholder preset in the security policy with the IP address to obtain the target security policy, and issue the target security policy to the security switch accessed by the access terminal.
According to a third aspect of the present application, there is provided a network security appliance comprising:
the acquisition module is used for acquiring the MAC address of the access terminal when the access of the terminal is monitored;
the processing module is used for acquiring a first identity of the access terminal from the management platform equipment according to the MAC address of the access terminal and carrying out identity authentication on the access terminal;
a sending module, configured to send a security policy request to the management platform device when the authentication of the access terminal is successful, where the security policy request carries an IP address of the access terminal and the first identity, so that when the management platform device determines that a security policy issued for the access terminal exists according to the first identity, the management platform device replaces a placeholder preset in the security policy with the IP address to obtain a target security policy, and issues the target security policy to a security switch accessed by the access terminal;
and the protection module is used for executing the target security policy after receiving the target security policy.
According to a fourth aspect of the present application, there is provided a security switch comprising a memory and a processor, the processor being configured to execute a computer program stored in the memory, where the computer program, when executed by the processor, implements the network security protection method according to the first aspect.
According to a fifth aspect of the present application, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the network security protection method of the first aspect.
According to a sixth aspect of the present application, there is provided a computer program product for, when run on a computer, causing the computer to perform the network security protection method of the first aspect.
Compared with the prior art, the technical scheme provided by the embodiment of the application has the following advantages:
the security switch acquires the MAC address of the access terminal when the access of the terminal is monitored, acquires a first identity identifier of the access terminal from the management platform device according to the MAC address of the access terminal for identity authentication of the access terminal, and sends a security policy request to the management platform device under the condition that the authentication of the access terminal is successful, wherein the security policy request carries an IP address and the first identity identifier of the access terminal, so that the management platform device replaces a preset placeholder in the security policy with the IP address when the security policy issued for the access terminal is determined to exist according to the first identity identifier, a target security policy is obtained, the target security policy is issued to the security switch accessed by the access terminal, and then the security switch executes the target security policy after receiving the target security policy. 
By adopting the technical scheme, the management platform equipment uniformly formulates the security policy, after the authentication of the access terminal is successful, the security switch sends the IP address and the first identity of the terminal which is successfully authenticated to the management platform equipment, the management platform equipment formulates the security policy aiming at the access terminal and issues the security policy to the terminal, and the security policy is issued to the security switch for execution, so that the uniform formulation of the security policy is realized, the security switch can rapidly execute the security policy to play the role of the security policy, the security protection efficiency and effect can be remarkably improved, and the problems that the security policy cannot be uniformly formulated, and is difficult to fall to the ground with high efficiency to resist security threat and attack in the prior art are solved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the embodiments of the application or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, and it will be obvious to a person skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a network topology diagram of a network security protection system for implementing a network security protection method according to an embodiment of the present application;
fig. 2 is a flow chart of a network security protection method according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a network security protection system according to an embodiment of the present application;
FIG. 4 is a schematic diagram illustrating an interaction process of a network security protection system according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a network security protection device according to an embodiment of the present application.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure have been shown in the accompanying drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but are provided to provide a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the present disclosure are for illustration purposes only and are not intended to limit the scope of the present disclosure.
It should be understood that the various steps recited in the method embodiments of the present disclosure may be performed in a different order and/or performed in parallel. Furthermore, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.
The term "including" and variations thereof as used herein are intended to be open-ended, i.e., including, but not limited to. The term "based on" means based at least in part on. The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments". Related definitions of other terms will be given in the description below. It should be noted that the terms "first," "second," and the like in this disclosure are merely used to distinguish between different devices, modules, or units and are not used to define an order or interdependence of the functions performed by the devices, modules, or units.
It should be noted that references to "one" and "a plurality" in this disclosure are intended to be illustrative rather than limiting, and those of ordinary skill in the art will appreciate that "one" is to be understood as "one or more" unless the context clearly indicates otherwise.
The application provides a network security protection method, which aims at solving the problems that, in existing enterprise networks, no unified point of control exists for the unified and rapid formulation and execution of security policies, and the efficiency and effect of security emergency response are poor.
By adopting the technical scheme, the management platform equipment uniformly formulates the security policy, after the authentication of the access terminal is successful, the security switch sends the IP address and the first identity of the terminal which is successfully authenticated to the management platform equipment, the management platform equipment formulates the security policy aiming at the access terminal and issues the security policy to the terminal, and the security policy is issued to the security switch for execution, so that the uniform formulation of the security policy is realized, the security switch can rapidly execute the security policy to play the role of the security policy, the security protection efficiency and effect can be remarkably improved, and the problems that the security policy cannot be uniformly formulated, and is difficult to fall to the ground with high efficiency to resist security threat and attack in the prior art are solved.
Fig. 1 is a network topology schematic diagram of a network security protection system for implementing a network security protection method according to an embodiment of the present application, as shown in fig. 1, where the network security protection system includes a management platform device, a security switch (switch with embedded security function), and a terminal, where the management platform device is installed with management platform software, the management platform device issues a security policy to the security switch with successful authentication, and the terminal is installed with authentication client software, and the security switch implements the security function by executing the network security protection method provided by the embodiment of the present application, and implements execution of the security policy.
In the network topology diagram shown in fig. 1, a security switch needs to register and authenticate with management platform software, only the security switch with successful registration and authentication can interact with the management platform software to acquire identity information of a terminal, finally, authentication admission of the terminal is completed, a security policy issued by management platform equipment for the terminal with successful authentication is received, and the security policy is executed; the security switch which is not successfully authenticated by registration belongs to an illegal and non-compliant security switch, and cannot interact with management platform software to acquire identity information of an access terminal for terminal authentication, so that the terminal cannot access a network, and the security switch which is not successfully authenticated cannot acquire a security policy from management platform equipment. According to the scheme of the application, the security switch authenticates the management platform, so that unified and complete management and control of the network boundary is realized. All terminals access the network through the security switch, the security switch is integrated to form a unified and complete network boundary for the access of the terminals of the enterprise, the security switch performs authentication access to the accessed terminals, the network access is opened only by the authenticated terminals, otherwise, the network access is closed, and the network access can be accessed for communication only if the legal and compliant terminals can be authenticated successfully. 
The security switch with successful authentication sends the IP address and the identity of the access terminal with successful authentication to the management platform equipment, the management platform equipment formulates the security policy corresponding to the access terminal and issues the security policy to the security switch accessed by the access terminal for execution, unified formulation of the security policy is realized, and the security switch can rapidly execute the security policy to play the role of the security policy, and the security protection efficiency and effect can be remarkably improved.
Fig. 2 is a flow chart of a network security protection method according to an embodiment of the present application, where the method may be performed by a network security protection device according to an embodiment of the present application, and the device may be implemented by software and/or hardware and may be integrated in the security switch shown in fig. 1. As shown in fig. 2, the network security protection method may include the following steps:
step 101, when it is monitored that there is a terminal access, the MAC address of the access terminal is obtained.
In the embodiment of the application, the security switch can monitor each of its ports; when a network cable is detected plugged into a port of the security switch, terminal access is determined, and the MAC (Media Access Control) address of the access terminal is then obtained.
Step 102, according to the MAC address of the access terminal, a first identity of the access terminal is obtained from a management platform device for identity authentication of the access terminal.
In the embodiment of the application, after the security switch acquires the MAC address of the access terminal, the security switch can acquire the first identity of the access terminal from the management platform device according to the MAC address of the access terminal so as to perform identity authentication on the access terminal by using the first identity.
The management platform device stores mapping relations between MAC addresses of different terminals and corresponding first identity identifiers, each pair of the MAC addresses and the first identity identifiers in the mapping relations can be stored when the terminals register on management platform software in the management platform device, the first identity identifiers are generated by the access terminal, and the access terminal can determine the corresponding first identity identifiers according to the MAC addresses of the access terminal, for example, the MAC addresses of the access terminal can be used as the first identity identifiers of the access terminal.
In an alternative embodiment, the security switch sends the acquired MAC address of the access terminal to the management platform device, and after receiving the MAC address of the access terminal, the management platform device queries the mapping relationship between the stored MAC addresses of different terminals and the corresponding first identity, and returns a query result to the security switch. And if the management platform equipment inquires the first identity identifier corresponding to the MAC address of the access terminal from the mapping relation, returning an inquiry result carrying the first identity identifier, otherwise, returning an inquiry result of inquiry failure. The security switch receives the query result returned by the management platform device, if the first identity of the access terminal is obtained from the query result, the terminal is authenticated by using the query result, and if the information of query failure is obtained from the query result, the access terminal is determined to belong to an illegal terminal.
In an optional implementation manner, after the security switch obtains the first identity identifier of the access terminal from the management platform device, the security switch may encrypt the preset message according to the obtained first identity identifier, generate a ciphertext and send the ciphertext to the access terminal, the access terminal decrypts the generated ciphertext and sends a decryption result back to the security switch, and the security switch determines whether the access terminal is authenticated successfully according to the decryption result. If the decryption information sent to the security switch by the access terminal is consistent with the preset message, the authentication success of the access terminal is determined.
Step 103, under the condition that the authentication of the access terminal is successful, a security policy request is sent to the management platform device, wherein the security policy request carries an IP address of the access terminal and the first identity, so that when the management platform device determines that a security policy issued for the access terminal exists according to the first identity, a placeholder preset in the security policy is replaced by the IP address, a target security policy is obtained, and the target security policy is issued to a security switch accessed by the access terminal.
The security policy issued in the management platform device can be one or more, and the management platform device can formulate the security policy in the form of an access control list (Access Control List, ACL) to realize effective access control. The content of the security policy can be formulated according to the actual access control requirement, and the content contained in the security policy is not limited by the application.
In an alternative embodiment, the security policy may include a placeholder, a preset source port number, a preset destination IP address, a preset destination port number, a preset transport layer protocol, and a preset action. The placeholder corresponds to the source IP address field of the ACL five-tuple: in the security policy formulated by the management platform device in this embodiment, the source IP address field of the five-tuple is not filled with data but is occupied by a placeholder. The data of the other fields of the five-tuple are preset according to the actual access control requirement. The preset action may be, for example, deny or permit, and may be set according to the actual access control requirement.
In the embodiment of the application, after the security switch determines that the authentication of the access terminal is successful, the security switch can allocate an IP address for the access terminal and send a security policy request carrying the IP address of the access terminal and the first identity of the authentication success to the management platform device. After receiving a security policy request sent by a security switch, the management platform device judges whether a security policy issued for a corresponding access terminal exists or not according to a first identity identifier carried in the security policy request, and when determining that the security policy issued for the access terminal exists, replaces a preset placeholder in the security policy with an IP address carried in the security policy request to generate a target security policy, and then sends the generated target security policy to the security switch accessed by the access terminal.
For example, assume that terminals A, B, C, D, E and F are registered on a management platform device, and that the management platform device has formulated security policies for terminals A, E and F. If the security policy request received by the management platform device carries the first identity identifier of terminal E, the management platform device can determine, after receiving the request, that a security policy for terminal E exists, replace the placeholder in the security policy corresponding to terminal E with the IP address carried in the security policy request, generate a target security policy for terminal E, and send the target security policy to the security switch accessed by terminal E.
In the embodiment of the application, the management platform device formulates the security policy in advance, holds the place in the security policy with a preset placeholder, issues the policy for the access terminal, and generates the target security policy by replacing the placeholder with the IP address, thereby realizing unified formulation of the security policy.
Step 104, executing the target security policy after receiving the target security policy.
In the embodiment of the application, after the security switch receives the target security policy sent by the management platform device, the target security policy can be executed to control the flow of the access terminal according to the target security policy, so that the rapid execution of the security policy is realized, and the threat and attack are effectively resisted.
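Steps 101 to 104 run end to end, as an added example that is not code from the patent or from the assignee. It assumes a hypothetical placeholder token {SRC_IP} in the source-IP field of each ACL rule, a toy HMAC-SHA256 counter keystream standing in for whatever cipher the product uses for the challenge in step 102, a constructed per-port IP assignment, and constructed MAC addresses, identities and ACL rules; the management platform, switch and terminals are in-process objects rather than networked devices.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass, replace

PLACEHOLDER = "{SRC_IP}"  # hypothetical placeholder token for the source-IP field


@dataclass(frozen=True)
class AclRule:  # one ACL five-tuple plus action, the policy shape of step 103
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: int
    proto: str
    action: str  # "permit" or "deny"


def _xor_stream(identity, nonce, data):
    # Toy HMAC-SHA256 counter keystream keyed by the identity; stand-in for the real cipher.
    key, out, ctr = hashlib.sha256(identity.encode()).digest(), b"", 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt_with_identity(identity, message):
    nonce = os.urandom(12)
    return nonce + _xor_stream(identity, nonce, message)


def decrypt_with_identity(identity, blob):
    return _xor_stream(identity, blob[:12], blob[12:])


class ManagementPlatform:
    def __init__(self):
        self.identity_by_mac = {}     # MAC -> first identity, filled at registration
        self.policy_by_identity = {}  # first identity -> rules carrying the placeholder

    def register_terminal(self, mac, first_identity):
        self.identity_by_mac[mac.lower()] = first_identity

    def issue_policy(self, first_identity, rules):
        self.policy_by_identity[first_identity] = rules

    def query_identity(self, mac):  # None models the "query failure" result of step 102
        return self.identity_by_mac.get(mac.lower())

    def request_policy(self, first_identity, ip):  # platform side of step 103
        rules = self.policy_by_identity.get(first_identity)
        if rules is None:
            return None
        ipaddress.ip_address(ip)  # only a literal address may replace the placeholder
        return [replace(r, src_ip=ip) if r.src_ip == PLACEHOLDER else r for r in rules]


class Terminal:
    def __init__(self, mac, first_identity):
        self.mac, self.first_identity = mac, first_identity

    def answer_challenge(self, ciphertext):
        return decrypt_with_identity(self.first_identity, ciphertext)


class SecuritySwitch:
    def __init__(self, platform):
        self.platform, self.applied = platform, {}  # applied: port -> target policy

    def on_terminal_access(self, port, terminal):
        ident = self.platform.query_identity(terminal.mac)  # steps 101-102
        if ident is None:
            return "denied: unknown MAC"
        challenge = os.urandom(16)  # the "preset message" of the challenge-response
        answer = terminal.answer_challenge(encrypt_with_identity(ident, challenge))
        if not hmac.compare_digest(answer, challenge):
            return "denied: authentication failed"
        ip = f"10.10.0.{10 + port}"  # constructed per-port address assignment
        policy = self.platform.request_policy(ident, ip)  # step 103
        if policy is None:
            return "admitted: no policy issued"
        self.applied[port] = policy  # step 104: target policy now in force on the port
        return "admitted: policy applied"


def demo():
    # Constructed scenario: a registered terminal, an unknown one, and one presenting
    # the registered MAC without the matching first identity.
    platform = ManagementPlatform()
    term_e = Terminal("00:11:22:33:44:55", "term-E-9f3a")
    platform.register_terminal(term_e.mac, term_e.first_identity)
    platform.issue_policy(term_e.first_identity, [
        AclRule(PLACEHOLDER, "any", "10.20.0.5", 445, "tcp", "deny"),
        AclRule(PLACEHOLDER, "any", "10.20.0.8", 443, "tcp", "permit"),
    ])
    switch = SecuritySwitch(platform)
    results = {
        "registered": switch.on_terminal_access(1, term_e),
        "unknown": switch.on_terminal_access(2, Terminal("aa:bb:cc:dd:ee:ff", "term-X")),
        "wrong_identity": switch.on_terminal_access(3, Terminal(term_e.mac, "guess")),
    }
    return switch, results
```

The first identity doubles as the key of the challenge in step 102, so the example gives the terminal a separate registered identity rather than using the bare MAC address that the text also allows: a key equal to a publicly visible MAC would let any device on the port answer the challenge. Only rules whose source field holds the placeholder are rewritten; rules with an explicit source address pass through unchanged.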
According to the network security protection method of the embodiment, when the access of the terminal is monitored, the security switch acquires the MAC address of the access terminal, acquires the first identity identifier of the access terminal from the management platform device according to the MAC address of the access terminal, is used for carrying out identity authentication on the access terminal, and sends a security policy request to the management platform device under the condition that the authentication of the access terminal is successful, wherein the security policy request carries the IP address and the first identity identifier of the access terminal, so that the management platform device replaces a preset placeholder in the security policy with the IP address when the security policy issued for the access terminal is determined to exist according to the first identity identifier, a target security policy is obtained, the target security policy is issued to the security switch accessed by the access terminal, and then the security switch executes the target security policy after receiving the target security policy. By adopting the technical scheme, the management platform equipment uniformly formulates the security policy, after the authentication of the access terminal is successful, the security switch sends the IP address and the first identity of the terminal which is successfully authenticated to the management platform equipment, and the management platform equipment formulates the security policy aiming at the access terminal and issues the security policy to the security switch for execution, so that the uniform formulation of the security policy is realized, and the security switch can rapidly execute the security policy to play the role of the security policy, and the security protection efficiency and effect can be remarkably improved.
In the embodiment of the application, the security switch can register and authenticate with the management platform device; only a security switch whose authentication succeeds can interact with the management platform device. The successfully authenticated security switches together form a unified and complete network boundary for terminal access, and all terminals access the network through a security switch so as to ensure network security. Thus, in an alternative embodiment of the present application, before the security switch obtains the first identity of the access terminal from the management platform device according to the MAC address of the access terminal, the method may further include:
acquiring a second identity of the security switch and a third identity of the management platform device;
encrypting the second identity by using the third identity to generate a first ciphertext;
the first ciphertext is sent to the management platform equipment for identity authentication, so that the management platform equipment decrypts the second identity from the first ciphertext by using a first private key, determines that the security switch authentication is successful when the second identity exists in a local identity database of the management platform equipment, and establishes TCP connection with the security switch; the first private key is generated through an identification public key security technology according to the third identity;
and determining that the TCP connection is established successfully.
The third identity uniquely identifies the management platform device; it is generated from the MAC (Media Access Control) address of the management platform device, and the generated third identity is imported into the management platform software installed on the management platform device. The second identity uniquely identifies the security switch; it is generated from the MAC address of the security switch, and the generated second identity can be stored in the local storage space of the security switch and imported into the management platform software, which stores the second identity of the security switch in the local identity database of the management platform device.
In an alternative embodiment, the product serial number of the management platform device may be used as the third identity, and the product serial number of the security switch may be used as the second identity.
In an alternative embodiment, the third identity may be determined based on a unique physical feature of the management platform device, i.e. the MAC address, and the second identity may be determined based on the MAC address of the security switch. For example, the MAC address of the management platform device may be used as the third identity, and the MAC address of the security switch may be used as the second identity.
In the embodiment of the application, the management platform device can send its third identity to the security switch through the management platform software, and the security switch obtains the third identity of the management platform device and its own second identity from its local storage space.
Then, after the security switch has obtained the third identity and the second identity, it can use the third identity as a public key, encrypt the second identity with the third identity to generate a first ciphertext, and send the first ciphertext to the management platform device, so that the management platform device authenticates the security switch according to the first ciphertext.
Specifically, when the management platform device authenticates the security switch according to the first ciphertext, it first decrypts the first ciphertext with the first private key to recover the second identity. The first private key is generated in advance by the management platform device: after determining the third identity, the management platform device performs an operation on the third identity and an IPK matrix through the identification public key security technology (Identity Public Key, IPK) to generate the first private key, so that the third identity and the first private key are associated through the IPK technology. After the management platform device decrypts the second identity from the first ciphertext, it queries the local identity database to determine whether the second identity exists there. If it does, the security switch corresponding to the second identity is considered to be registered on the management platform device, the security switch is determined to be authenticated successfully, and the management platform device establishes a TCP (Transmission Control Protocol) connection with the successfully authenticated security switch. If the management platform device does not find the decrypted second identity in the local identity database, the security switch fails authentication and no TCP connection is established.
Furthermore, once the TCP connection between the security switch and the management platform device is successfully established, the security switch can determine that its own authentication has succeeded; otherwise the authentication has failed. A successfully authenticated security switch can interact with the management platform device, for example to obtain the first identity of an access terminal from the management platform device and to obtain the target security policy issued by the management platform device.
In the embodiment of the application, the security switch performs registration authentication to the management platform equipment, and the security switch with successful authentication constructs the network boundary of the unified and complete terminal access network of the enterprise network.
As described above, when the security switch authenticates the access terminal, it may encrypt a preset message with the first identity of the access terminal and authenticate the access terminal according to the result of the access terminal's decryption of the generated ciphertext. Thus, in an alternative embodiment of the present application, authentication client software is installed on the access terminal, and obtaining the first identity of the access terminal from the management platform device according to the MAC address of the access terminal, for authenticating the access terminal, includes:
sending an information request to the management platform equipment, wherein the information request comprises the MAC address of the access terminal;
receiving response information returned by the management platform equipment based on the information request, wherein the response information comprises a first identity of the access terminal, which is inquired by the management platform equipment according to the MAC address of the access terminal;
encrypting the preset message by using the first identity identifier to generate a second ciphertext;
the second ciphertext is sent to the authentication client software, so that the authentication client software decrypts the second ciphertext by using a second private key to obtain decryption information, and the decryption information is returned to the security switch; the second private key is generated through the identification public key security technology according to the first identification;
and under the condition that the decryption information is consistent with the preset message, determining that the access terminal authentication is successful.
In the embodiment of the application, after the security switch obtains the MAC address of the access terminal, it can send an information request containing that MAC address to the management platform device. After receiving the information request, the management platform device queries the first identity of the access terminal corresponding to the MAC address carried in the request and, having found it, sends response information containing that first identity to the security switch. The management platform device stores the mapping between the MAC addresses of different terminals and their first identities; the mapping can be established and stored when a terminal registers on the management platform device.
Then, the security switch receives the response information returned by the management platform device for the information request, obtains the first identity of the access terminal from it, and uses the first identity as a public key to encrypt a preset message, generating a second ciphertext; the preset message can be any preset random number. The security switch then sends the generated second ciphertext to the authentication client software of the access terminal, so that the authentication client software decrypts the second ciphertext with a second private key to obtain decryption information and returns the decryption information to the security switch.
The second private key is generated by the access terminal. After generating the first identity, the access terminal performs an operation on the first identity and the IPK matrix through the identification public key security technology to generate the second private key, so that the first identity and the second private key are associated. The generated second private key is stored in the authentication client software of the access terminal.
Finally, after receiving the decryption information returned by the access terminal, the security switch compares it with the preset message and, when the two are consistent, determines that the access terminal is authenticated successfully.
Because the security switch uses the first identity of the access terminal as the public key to encrypt the preset message into the second ciphertext, and the access terminal decrypts the second ciphertext with the second private key, which is associated with the first identity through the IPK technology, only the access terminal holding the second private key can decrypt successfully, and identity authentication is completed using the decryption information it returns.
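As an added example (not the patent's or the applicant's code), the two identity checks described above, the switch's registration check against the platform's local identity database and the terminal challenge-response, written in Go. The IPK key derivation is not reproduced: an RSA-OAEP key pair generated per identity stands in for it, and the identities derived from MAC addresses and the sample MACs are constructed.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Platform models the management platform device: its own key pair (first private
// key), the local identity database of registered switches, and the registered
// terminals' MAC -> first identity mapping together with their public keys.
type Platform struct {
	Identity      string
	priv          *rsa.PrivateKey           // first private key
	switchIDs     map[string]bool           // local identity database
	macToIdentity map[string]string         // terminal MAC -> first identity
	pubKeys       map[string]*rsa.PublicKey // identity -> RSA public key (stand-in for IPK; assumption)
}

// Terminal models the access terminal's authentication client software.
type Terminal struct {
	MAC, Identity string
	priv          *rsa.PrivateKey // second private key
}

// identityFromMAC derives an identity from a MAC address (constructed scheme).
func identityFromMAC(prefix, mac string) string {
	sum := sha256.Sum256([]byte(mac))
	return prefix + "-" + hex.EncodeToString(sum[:4])
}

func NewPlatform(mac string) (*Platform, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Platform{Identity: identityFromMAC("P", mac), priv: priv,
		switchIDs: map[string]bool{}, macToIdentity: map[string]string{},
		pubKeys: map[string]*rsa.PublicKey{}}, nil
}

// RegisterTerminal mirrors terminal registration: the key pair is generated on
// the terminal; MAC, first identity and public key are imported to the platform.
func (p *Platform) RegisterTerminal(mac string) (*Terminal, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	id := identityFromMAC("T", mac)
	p.macToIdentity[mac] = id
	p.pubKeys[id] = &priv.PublicKey
	return &Terminal{MAC: mac, Identity: id, priv: priv}, nil
}

// RegisterSwitch imports a switch's second identity into the identity database.
func (p *Platform) RegisterSwitch(switchMAC string) string {
	id := identityFromMAC("S", switchMAC)
	p.switchIDs[id] = true
	return id
}

// SwitchHello (switch side): encrypt the second identity under the platform's public key.
func SwitchHello(p *Platform, switchID string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &p.priv.PublicKey, []byte(switchID), nil)
}

// AuthenticateSwitch (platform side): decrypt with the first private key, check the database.
func (p *Platform) AuthenticateSwitch(firstCiphertext []byte) bool {
	id, err := rsa.DecryptOAEP(sha256.New(), nil, p.priv, firstCiphertext, nil)
	return err == nil && p.switchIDs[string(id)]
}

// Respond (authentication client): decrypt the second ciphertext with the second private key.
func (t *Terminal) Respond(secondCiphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, t.priv, secondCiphertext, nil)
}

// AuthenticateTerminal is the security switch's procedure: look up the first identity
// by MAC, encrypt a fresh random preset message under it, and accept only an intact echo.
func AuthenticateTerminal(p *Platform, mac string, responder *Terminal) (bool, error) {
	pub, ok := p.pubKeys[p.macToIdentity[mac]]
	if !ok {
		return false, errors.New("management platform holds no identity for MAC " + mac)
	}
	preset := make([]byte, 32) // the "preset message": a fresh random number per attempt
	if _, err := rand.Read(preset); err != nil {
		return false, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, preset, nil)
	if err != nil {
		return false, err
	}
	echo, err := responder.Respond(ct)
	if err != nil {
		return false, nil // wrong second private key: OAEP decryption fails, so authentication fails
	}
	return bytes.Equal(echo, preset), nil
}
```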
Further, after determining that the access terminal authentication is successful, the security switch opens a network path for the authenticated access terminal to enable the authenticated access terminal to conduct network communication.
In the embodiment of the application, access terminals are connected through the security switch in a unified manner, and only access terminals successfully authenticated by the security switch are allowed to communicate with the access network. Legitimate terminals are thus allowed onto the network while illegitimate terminals are barred, unauthorized access by terminals is avoided, and network security is maintained.
Corresponding to the embodiment of the method, the embodiment of the application also provides a network security protection system.
Fig. 3 is a schematic structural diagram of a network security protection system according to an embodiment of the present application, and as shown in fig. 3, the network security protection system 30 includes: a management platform device 301, at least one security switch 302, and at least one access terminal 303. It should be noted that, the network security protection system provided in the embodiment of the present application includes at least one security switch, each security switch may access at least one access terminal, and fig. 3 illustrates the present application by only taking one security switch and one access terminal as examples, and is not intended to limit the present application.
The security switch 302 is configured to, when detecting that there is a terminal access, obtain a MAC address of an access terminal 303, obtain, according to the MAC address of the access terminal 303, a first identity identifier of the access terminal 303 from the management platform device 301 for performing identity authentication on the access terminal, and send a security policy request to the management platform device 301 if the authentication of the access terminal 303 is successful, where the security policy request carries an IP address of the access terminal 303 and the first identity identifier, and execute the target security policy after receiving the target security policy sent by the management platform device 301;
the management platform device 301 is configured to determine, after receiving the security policy request sent by the security switch 302, whether a security policy issued for the access terminal 303 exists according to the first identity identifier carried in the security policy request, and when determining that the security policy issued for the access terminal 303 exists, replace a placeholder preset in the security policy with the IP address to obtain the target security policy, and issue the target security policy to a security switch accessed by the access terminal 303.
In an alternative embodiment, the management platform device 301 is further configured to formulate the security policy in the form of an access control list, where the security policy includes the placeholder, a preset source port number, a preset destination IP address, a preset destination port number, a preset transport layer protocol, and a preset action.
In an optional embodiment of the present application, the security switch 302 is further configured to obtain a second identity of the security switch and a third identity of the management platform device 301, encrypt the second identity by using the third identity, generate a first ciphertext, and send the first ciphertext to the management platform device 301 for identity authentication;
the management platform device 301 is further configured to send a third identity of itself to the secure switch 302, receive a first ciphertext sent by the secure switch 302, decrypt the second identity from the first ciphertext using a first private key, and determine that the secure switch 302 is successfully authenticated and establish TCP connection with the secure switch 302 when the second identity exists in the local identity database; the first private key is generated through an identification public key security technology according to the third identity.
In an alternative embodiment, the access terminal 303 has authentication client software installed therein;
the management platform device 301 is further configured to receive an information request carrying a MAC address of the access terminal 303 sent by the security switch 302, query a first identity of the access terminal 303 according to the MAC address of the access terminal, and return response information carrying the first identity to the security switch 302;
the security switch 302 is further configured to receive the response information returned by the management platform device 301 after sending the information request to the management platform device 301, encrypt a preset message by using the first identity identifier, generate a second ciphertext, and send the second ciphertext to the authentication client software;
the authentication client software is configured to decrypt the second ciphertext with a second private key to obtain decryption information, and return the decryption information to the secure switch 302; the second private key is generated through the identification public key security technology according to the first identification;
the security switch 302 is further configured to determine that the authentication of the access terminal 303 is successful if it is determined that the decryption information is consistent with the preset message.
Further, in an alternative embodiment of the present application, the security switch 302 is further configured to open a network path when it is determined that the authentication of the access terminal 303 is successful, so that the access terminal 303 performs network communication through the network path opened by the security switch 302.
In an alternative embodiment, the security switch 302 is further configured to generate a second identity according to the MAC address of the security switch 302, store the second identity, and import the second identity into the management platform software on the management platform device 301;
the access terminal 303 is further configured to generate the first identity according to the MAC address of the access terminal 303, generate the second private key according to the first identity through an identifier public key security technology, import the second private key into the authentication client software, and import the MAC address of the access terminal 303 and the first identity to the management platform device 301;
the management platform device 301 is further configured to generate the third identity according to the MAC address of the management platform device 301, generate the first private key according to the third identity through the identification public key security technology, and store the third identity and the first private key; the second identity is stored in the local identity database, and the mapping relationship between the MAC address of the access terminal 303 and the first identity is stored.
In an alternative embodiment, the management platform device 301 may further comprise a display screen. The management platform device 301 is further configured to monitor, by using a simple network management protocol (Simple Network Management Protocol, SNMP), a security switch that is authenticated, and display terminal access information of the security switch that is authenticated in the display screen.
In the embodiment of the present application, the management platform device 301 centrally monitors, through the SNMP protocol, the running condition of each security switch whose registration and authentication succeeded, including its CPU, memory and port usage, and monitors in real time the number of access terminals on each port of the security switch, the time at which each terminal was connected, the time at which the access terminal was authenticated, the time it was accessed, the time it went offline, and so on. This information is displayed on the display screen, so that the terminal access condition of the unified network boundary constructed by the security switches is grasped in real time, visual monitoring and protection of the unified network boundary is realized, and when a security problem occurs the access terminal can be traced and located in time through the monitoring of the management platform device to find the source of the problem.
Fig. 4 is a schematic diagram of the interaction process of the network security protection system according to an embodiment of the present application. As shown in fig. 4, the security switch and the terminal need to register on the management platform device, and the management platform device additionally formulates and issues the security policy. The interaction between the security switch, the management platform device and the terminal that realizes the network security protection method provided by the application specifically includes the following steps. The security switch first authenticates itself to the management platform device; after the authentication succeeds, a TCP connection is established between the management platform device and the security switch. When a terminal connects to the security switch, the successfully authenticated security switch queries the first identity of the access terminal from the management platform device, the management platform device returns the first identity to the security switch, and the security switch authenticates the access terminal based on the first identity; after the access terminal is authenticated successfully, the security switch opens the network path, and when the authentication fails the security switch refuses to open it. The authentication processes of the security switch and the access terminal are as described in the foregoing embodiments and are not repeated here.
As shown in fig. 4, after the access terminal is authenticated successfully, the security switch reports terminal information to the management platform device; the terminal information may include the IP address and the first identity of the access terminal. When the management platform device finds that a security policy for the access terminal exists, it replaces the placeholder in the security policy with the IP address and issues the resulting security policy to the security switch, which executes it. The scheme of the application builds a unified and complete network boundary, prevents unauthorized terminal access, has the management platform device formulate the security policy and issue it to the security switch for execution, thereby realizing unified formulation of security policies, and lets the security switch execute the policy promptly so that it takes effect, which remarkably improves the efficiency and effectiveness of security protection.
The network security protection system provided by the embodiment of the application can execute any network security protection method provided by the embodiment of the application, and has the corresponding functional modules and beneficial effects of the execution method. Details of the system embodiments of the present application that are not described in detail may refer to the description of any method embodiment of the present application.
Corresponding to the embodiment of the method, the embodiment of the application also provides a network security protection device.
Fig. 5 is a schematic structural diagram of a network security protection apparatus according to an embodiment of the present application, where the apparatus is applied to a security switch, and as shown in fig. 5, the network security protection apparatus 50 may include: an acquisition module 510, a processing module 520, a transmission module 530, and a guard module 540.
The acquiring module 510 is configured to acquire a MAC address of an access terminal when it is detected that there is a terminal access;
a processing module 520, configured to obtain, from a management platform device, a first identity of the access terminal according to a MAC address of the access terminal, for performing identity authentication on the access terminal;
a sending module 530, configured to send a security policy request to the management platform device, where the security policy request carries an IP address of the access terminal and the first identity, so that when the management platform device determines that a security policy issued for the access terminal exists according to the first identity, the management platform device replaces a placeholder preset in the security policy with the IP address to obtain a target security policy, and issues the target security policy to a security switch accessed by the access terminal;
and a protection module 540, configured to execute the target security policy after receiving the target security policy.
Optionally, the security policy includes the placeholder, a preset source port number, a preset destination IP address, a preset destination port number, a preset transport layer protocol, and a preset action.
Optionally, the network security protection apparatus 50 further includes:
the identity acquisition module is used for acquiring a second identity of the security switch and a third identity of the management platform equipment;
the encryption module is used for encrypting the second identity by using the third identity to generate a first ciphertext;
the ciphertext sending module is used for sending the first ciphertext to the management platform equipment for identity authentication, so that the management platform equipment decrypts the second identity from the first ciphertext by using a first private key, determines that the authentication of the security switch is successful when the second identity exists in a local identity database of the management platform equipment, and establishes TCP connection with the security switch; the first private key is generated through an identification public key security technology according to the third identity;
and a determining module, configured to determine that the TCP connection is successfully established.
Optionally, authentication client software is installed in the access terminal, and the processing module 520 is further configured to:
sending an information request to the management platform equipment, wherein the information request comprises the MAC address of the access terminal;
receiving response information returned by the management platform equipment based on the information request, wherein the response information comprises a first identity of the access terminal, which is inquired by the management platform equipment according to the MAC address of the access terminal;
encrypting the preset message by using the first identity identifier to generate a second ciphertext;
the second ciphertext is sent to the authentication client software, so that the authentication client software decrypts the second ciphertext by using a second private key to obtain decryption information, and the decryption information is returned to the security switch; the second private key is generated through the identification public key security technology according to the first identification;
and under the condition that the decryption information is consistent with the preset message, determining that the access terminal authentication is successful.
Optionally, the network security protection apparatus 50 further includes:
an opening module, configured to open a network path so as to enable the access terminal to perform network communication.
The network security protection device provided by the embodiment of the application can execute any network security protection method provided by the embodiment of the application, and has the corresponding functional modules and beneficial effects of the execution method. Details of the embodiments of the apparatus according to the application which are not described in detail can be found in any of the embodiments of the method according to the application.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functions of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the application. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
In an exemplary embodiment of the present application, there is also provided a security switch including a memory and a processor, the processor being configured to execute a computer program stored in the memory, and the computer program implementing the steps of the network security protection method of the above embodiment when executed by the processor.
In an exemplary embodiment of the present application, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the network security protection method described in the above embodiment.
The computer readable storage medium according to the present application may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory, a read-only memory, an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable storage medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, radio frequency, and the like, or any suitable combination of the foregoing.
In an exemplary embodiment of the application, a computer program product is also provided, which, when run on a computer, causes the computer to perform the steps of the network security protection method described in the above embodiments.
It should be noted that in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing is only a specific embodiment of the application to enable those skilled in the art to understand or practice the application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown and described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method of network security protection, applied to a security switch, the method comprising:
when the access of the terminal is monitored, acquiring the MAC address of the access terminal;
acquiring a first identity of the access terminal from management platform equipment according to the MAC address of the access terminal for identity authentication of the access terminal;
under the condition that the authentication of the access terminal is successful, sending a security policy request to the management platform device, wherein the security policy request carries an IP address of the access terminal and the first identity, so that when the management platform device determines that a security policy issued for the access terminal exists according to the first identity, a placeholder preset in the security policy is replaced by the IP address to obtain a target security policy, and the target security policy is sent to a security switch accessed by the access terminal, wherein the placeholder holds the position of, and corresponds to, the source IP address field in the five-tuple information of an access control list;
and executing the target security policy after receiving the target security policy.
2. The method of claim 1, wherein the security policy comprises the placeholder, a preset source port number, a preset destination IP address, a preset destination port number, a preset transport layer protocol, and a preset action.
3. The method of claim 1, further comprising, prior to said acquiring the first identity identifier of the access terminal from the management platform device:
acquiring a second identity identifier of the security switch and a third identity identifier of the management platform device;
encrypting the second identity identifier by using the third identity identifier to generate a first ciphertext;
sending the first ciphertext to the management platform device for identity authentication, so that the management platform device decrypts the second identity identifier from the first ciphertext by using a first private key, determines that authentication of the security switch is successful when the second identity identifier exists in a local identity database of the management platform device, and establishes a TCP connection with the security switch, wherein the first private key is generated from the third identity identifier through an identification public key security technology;
and determining that the TCP connection has been established successfully.
4. The method according to any one of claims 1-3, wherein authentication client software is installed in the access terminal, and wherein the acquiring the first identity identifier of the access terminal from the management platform device according to the MAC address of the access terminal, for identity authentication of the access terminal, comprises:
sending an information request to the management platform device, wherein the information request comprises the MAC address of the access terminal;
receiving response information returned by the management platform device based on the information request, wherein the response information comprises the first identity identifier of the access terminal, as queried by the management platform device according to the MAC address of the access terminal;
encrypting a preset message by using the first identity identifier to generate a second ciphertext;
sending the second ciphertext to the authentication client software, so that the authentication client software decrypts the second ciphertext by using a second private key to obtain decryption information and returns the decryption information to the security switch, wherein the second private key is generated from the first identity identifier through the identification public key security technology;
and in the case that the decryption information is consistent with the preset message, determining that authentication of the access terminal is successful.
5. The method of claim 4, wherein after determining that authentication of the access terminal is successful, the method further comprises:
opening a network path so that the access terminal can perform network communication.
6. A network security protection system, comprising a management platform device, at least one security switch, and at least one access terminal, wherein:
the security switch is configured to acquire the MAC address of an access terminal when access by a terminal is detected; acquire, according to the MAC address of the access terminal, a first identity identifier of the access terminal from the management platform device for performing identity authentication on the access terminal; send, in the case that authentication of the access terminal is successful, a security policy request to the management platform device, wherein the security policy request carries an IP address of the access terminal and the first identity identifier; and execute a target security policy after receiving it from the management platform device;
the management platform device is configured to determine, after receiving the security policy request sent by the security switch, whether a security policy issued for the access terminal exists according to the first identity identifier carried in the security policy request, and, when determining that such a security policy exists, replace a placeholder preset in the security policy with the IP address to obtain the target security policy and issue the target security policy to the security switch accessed by the access terminal, wherein the placeholder stands in for, and corresponds to, the source IP address field in the five-tuple information of an access control list.
7. The system of claim 6, wherein the management platform device is further configured to:
formulate the security policy in the form of an access control list, wherein the security policy comprises the placeholder, a preset source port number, a preset destination IP address, a preset destination port number, a preset transport layer protocol, and a preset action.
8. A network security protection device, comprising:
an acquisition module, configured to acquire the MAC address of an access terminal when access by a terminal is detected;
a processing module, configured to acquire a first identity identifier of the access terminal from a management platform device according to the MAC address of the access terminal and to perform identity authentication on the access terminal;
a sending module, configured to send a security policy request to the management platform device when authentication of the access terminal is successful, wherein the security policy request carries an IP address of the access terminal and the first identity identifier, so that when the management platform device determines, according to the first identity identifier, that a security policy issued for the access terminal exists, it replaces a placeholder preset in the security policy with the IP address to obtain a target security policy and sends the target security policy to the security switch accessed by the access terminal, wherein the placeholder stands in for, and corresponds to, the source IP address field in the five-tuple information of an access control list;
and a protection module, configured to execute the target security policy after receiving it.
9. A security switch, comprising a processor configured to execute a computer program stored in a memory, wherein the computer program, when executed by the processor, implements the steps of the network security protection method according to any one of claims 1-5.
10. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the network security protection method according to any one of claims 1-5.
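The policy-template step of claims 1, 2, 6 and 7 (a placeholder in the source IP field of the ACL five-tuple, replaced by the management platform with the authenticated terminal's IP and then enforced on the switch), as an added Python example that is not part of the patent or of the applicant's product. The placeholder form, the rule field encoding, the terminal identity identifier and all addresses are constructed assumptions; the identification-public-key authentication of claims 3 and 4 is not modelled here.

```python
import ipaddress
from dataclasses import dataclass, replace

# Stands in for the source IP field of the ACL five-tuple; its form is an assumption.
SRC_PLACEHOLDER = "{SRC_IP}"

@dataclass(frozen=True)
class AclRule:
    src_ip: str     # placeholder in the stored template, concrete IP once issued
    src_port: str   # "any" or a port number as text
    dst_ip: str
    dst_port: str
    proto: str      # "tcp" or "udp"
    action: str     # "permit" or "deny"

class ManagementPlatform:
    """Constructed model: ACL templates keyed by terminal identity identifier."""
    def __init__(self):
        self.policies = {}
    def issue(self, identity, terminal_ip):
        """Handle a security policy request; None means no policy was issued."""
        if identity not in self.policies:
            return None
        # Reported by the switch for an authenticated terminal; still validated so a
        # malformed value can never be written into an ACL field.
        ip = str(ipaddress.ip_address(terminal_ip))
        return [replace(r, src_ip=ip) if r.src_ip == SRC_PLACEHOLDER else r
                for r in self.policies[identity]]

class SecuritySwitch:
    """Holds the issued policy and evaluates packets against it, first match wins."""
    def __init__(self, policy):
        if any(r.src_ip == SRC_PLACEHOLDER for r in policy):
            raise ValueError("policy still contains an unreplaced placeholder")
        self.acl = list(policy)
    def evaluate(self, src_ip, src_port, dst_ip, dst_port, proto):
        for r in self.acl:
            if (r.src_ip == src_ip and r.src_port in ("any", str(src_port))
                    and r.dst_ip == dst_ip and r.dst_port in ("any", str(dst_port))
                    and r.proto == proto):
                return r.action
        return "deny"   # default deny: traffic the issued policy does not cover

def demo():
    platform = ManagementPlatform()
    platform.policies["terminal-0001"] = [   # constructed template for one terminal
        AclRule(SRC_PLACEHOLDER, "any", "10.0.0.5", "443", "tcp", "permit"),
        AclRule(SRC_PLACEHOLDER, "any", "10.0.0.6", "any", "tcp", "deny")]
    return SecuritySwitch(platform.issue("terminal-0001", "192.168.1.20"))
```

Because the source IP is filled in by the platform from the switch's report rather than taken from the policy author, a rule only ever matches the address the authenticated terminal was actually assigned; traffic from any other source falls through to the default deny.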

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111566810.XA CN114374543B (en) 2021-12-20 2021-12-20 Network security protection method, system, device, security switch and storage medium

Publications (2)

Publication Number Publication Date
CN114374543A CN114374543A (en) 2022-04-19
CN114374543B true CN114374543B (en) 2023-10-13

Family

ID=81139852

Country Status (1)

Country Link
CN (1) CN114374543B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114938295B (en) * 2022-05-10 2024-04-23 北京北信源软件股份有限公司 Active safety network and construction method

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105049446A (en) * 2015-08-20 2015-11-11 中国联合网络通信集团有限公司 Method and system for filtering URL (Uniform Resource Locator)
CN106470206A (en) * 2015-08-14 2017-03-01 纬创资通股份有限公司 Abnormity prediction method and system suitable for heterogeneous network architecture
CN108418806A (en) * 2018-02-05 2018-08-17 新华三信息安全技术有限公司 A kind of processing method and processing device of message
CN110311929A (en) * 2019-08-01 2019-10-08 江苏芯盛智能科技有限公司 A kind of access control method, device and electronic equipment and storage medium
CN111654464A (en) * 2015-12-31 2020-09-11 华为技术有限公司 Access control method, authentication device and system
CN112615829A (en) * 2020-12-08 2021-04-06 北京北信源软件股份有限公司 Terminal access authentication method and system
CN113315754A (en) * 2021-04-25 2021-08-27 中国民生银行股份有限公司 Intelligent linkage method, device, equipment and medium for firewall of container visit

Also Published As

Publication number Publication date
CN114374543A (en) 2022-04-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20240104
Address after: Room 303-1, No. 4, Lane 1369, Lianhang Road, Minhang District, Shanghai, 201100
Patentee after: SHANGHAI VRV INFORMATION TECHNOLOGY CO.,LTD.
Address before: Room 1602, block C, Zhongguancun Science and technology development building, 34 Zhongguancun South Street, Haidian District, Beijing 100081
Patentee before: BEIJING VRV SOFTWARE Corp.,Ltd.