CN1503952A - Method and system for restricting access from external - Google Patents


Info

Publication number: CN1503952A
Authority: CN (China)
Prior art keywords: address, information, packets, network interface, access
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Application number: CNA028081927A
Other languages: Chinese (zh)
Inventor: 安贸卿
Current assignee: SAFEI CO Ltd
Original assignee: SAFEI CO Ltd
Application filed by SAFEI CO Ltd; publication of CN1503952A

Classifications

    • G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions (G Physics; G06 Computing, calculating or counting; G06F Electric digital data processing)
    • H04L49/90 Buffering arrangements (H04L49/00 Packet switching elements)
    • H04L61/00 Network arrangements, protocols or services for addressing or naming; H04L61/09 Mapping addresses; H04L61/10 Mapping addresses of different types
    • H04L63/02 Network architectures or protocols for network security, for separating internal from external traffic, e.g. firewalls; H04L63/0227 Filtering policies; H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L69/16 Implementation or adaptation of IP, TCP or UDP; H04L69/163 In-band adaptation of TCP data exchange, in-band control procedures
    • H04L69/22 Parsing or analysis of headers
    (H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)

Abstract

Disclosed herein are a method and apparatus for controlling access from the outside through the Internet. The present invention uses a storage unit, communicating with a network interface card, that stores an access-allowable address list; extracts an address from packets transmitted or received through the network interface card; compares the extracted address with the addresses on the access-allowable address list; and allows or denies access according to the result of the comparison. The network interface card of the present invention communicates with a storage device that stores a secure access-allowable list for the Internet. An address determining unit of the network interface card extracts an address from packets received from the outside and allows only access by secure computers, so as to control external access. Further, the present invention uses a server to provide an update service for access-allowable or access-prohibited addresses according to a user's requirements.

Description

Method and system for restricting access from outside
Technical field
The present invention relates generally to a method and apparatus for controlling access from outside through the Internet, and more particularly to a method for controlling access from outside through the Internet and an apparatus implementing it, in which packets transmitted or received through a network interface card are stored in transmit/receive buffers, an address is extracted from the stored packets, the extracted address is compared with the secure IP addresses stored in a list in a storage unit that communicates with the network interface card, and access is allowed or denied according to the result of the comparison.
Background art
After the Internet Protocol was standardized in 1983, the Internet spread mainly through government, large-enterprise and university computer networks, for uses such as e-mail, file transfer (FTP), Gopher (a menu-driven Internet resource discovery tool) and Internet news. When the U.S. National Science Foundation (NSF) built NSFNET in 1985, it adopted TCP/IP, the Internet protocol of ARPA (the Advanced Research Projects Agency of the U.S. Department of Defense), as its basic communication protocol, and NSFNET quickly became the backbone of the Internet. In 1988 ARPA began to upgrade the original ARPANET equipment, and when ARPANET was withdrawn from military use in 1990 the Internet finally emerged as a civilian network. Among the many phenomena accompanying the progress of the information society is the integration of media and communication networks; through this integration the Internet has become a valuable medium, and as information and communication technology has advanced it has penetrated daily social life and produced great benefits. On the other hand, the Internet has also produced serious social problems.
Figure 1 is a diagram of a representative network used in a conventional enterprise. Referring to Fig. 1, such a network is typically built as shown: it includes a router 10 connected to the Internet, which determines an optimal path and sends packets along it, and a firewall 20 connected to the router 10. The firewall 20 enforces the access-control policy between the two networks. Behind the firewall 20, connected through a switching hub 70, are the various servers and hosts 60 and 80 that need protection according to that access control. The servers are usually classified as a mail server 40, a web server 30, an FTP server 50 and so on; their functions are well known in the art and are not described here. The hosts 60 and 80, the personal computers used by users, are likewise connected behind the firewall 20 through the switching hub 70, and most work-related enterprise data is stored on them. However, as hacking techniques over the Internet have become more sophisticated, attacks aimed directly at the hosts 60 and 80 rather than at the servers have increased, and once such attacks are attempted the risk of data being stolen from these computers becomes very large.
Personal computers are not fundamentally different from other computers. The security problems their users face, namely the confidentiality, integrity and availability of programs, data and hardware, are the same as those faced by mainframes. Standard control techniques such as access-control lists, protected memory, user authentication and trusted operating systems must therefore be applied equally in the personal-computer environment. Yet compared with mainframes and similar machines, personal computers are lax in their security controls; even mainframes are not safe from data destruction caused by internal users. Personal computers provide almost no hardware-level protection against deliberate attacks by external Internet users. Hardware-level protection devices are generally used for servers, but such devices are too expensive for small and medium-sized enterprises. A further problem is that even when an enterprise buys a hardware-level protection device, a shortage of staff able to operate it usually means the device is poorly managed and, in many cases, becomes useless.
Moreover, only a few enterprises run separate security servers for the hosts 60 and 80; that is, computers are simply set up for work. To address this, users install and use personal firewall programs on their clients. The problem with such personal firewalls is that they are implemented in software and managed directly by the user who installed them, so the risk of intrusion through careless management always remains.
In addition, for home computers, communication over xDSL has become dominant as the Internet has developed. Simple hacking programs that target home computers have appeared and spread widely in this environment; examples are Back Orifice 2K, Schoolbus, Netbus and Subseven y3k. Anyone reasonably familiar with computers can easily break into another person's PC simply by studying the manuals of these programs. The methods of preventing such intrusion differ with the user's level of skill. User-level security offers a variety of protections, such as file encryption, screen locking, IP control, port control, access-log control, process and task management, and share control. The problem is that very few client users install, maintain and manage such programs properly.
Summary of the invention
Accordingly, the present invention has been made to solve the above problems of the prior art, and an object of the present invention is to provide a method and apparatus for controlling deliberate access from outside through the Internet.
Another object of the present invention is to provide a method and apparatus for controlling access from outside that prevents the user from discarding packets arbitrarily.
Another object of the present invention is to provide a method and apparatus for controlling access from outside through the Internet that does not require an additional firewall operated by each user computer.
Another object of the present invention is to provide a method and apparatus for controlling access from outside through the Internet that does not require an additional administrator.
To achieve these objects, the present invention uses a storage unit, communicating with a network interface card, that stores an access-allowable address list; extracts an address from packets transmitted or received through the network interface card; compares the extracted address with the addresses in the access-allowable address list; and allows or denies access according to the result of the comparison. Access from a user host (60) to the outside is unrestricted, while any unwarranted access request from the outside to the user host (60) is denied. An external terminal to which the user host (60) has first sent an access request is, in turn, accepted when it requests access to the user host (60).
Description of drawings
The above and other objects, features and advantages of the present invention will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings, in which:
Figure 1 is a diagram of a representative network structure used in a conventional enterprise;
Figure 2 is a conceptual diagram of an access request procedure using the SYN bit;
Figure 3 is a diagram of a network structure implementing a method of controlling access from outside through the Internet according to the preferred embodiment of the present invention;
Figure 4 is a block diagram of the internal structure of a network interface card having an Internet access-control function according to the preferred embodiment of the present invention;
Figure 5 is a flowchart of the process by which the address determining unit inspects a received packet and allows or denies an access request; and
Figure 6 is a flowchart of the process by which the address determining unit inspects a transmitted packet and allows or denies an access request.
Embodiments
Figure 2 is a conceptual diagram of an access request using the SYN bit. When communicating over the Internet, the typical way to send data to a correspondent computer is the Transmission Control Protocol (TCP). TCP provides a connection-oriented, reliable stream service, performing error control and flow control by retransmission. It establishes a connection between logical endpoints on the two communicating computers. Before the two computers exchange data, control information called a handshake is transmitted; the TCP handshake is called a three-way handshake because three segments are exchanged. A user host 60 initiates access by sending a segment to a peer host 80. This segment has the synchronize (SYN) bit set; it tells the peer host 80 that the user host 60 wants to begin a connection and carries the initial sequence number that the user host 60 will use as the starting point for its segments. The peer host 80 replies to the user host 60 with a segment in which both the ACK and SYN bits are set; this segment acknowledges that the peer host 80 has received the segment from the user host 60 and announces the initial sequence number the peer host 80 will use. Finally, the user host 60 sends a segment to the peer host 80 acknowledging the segment from the peer host 80 and carrying the first valid data, after which the user host 60 and the peer host 80 exchange data reliably. This is the three-way handshake, the procedure normally used whenever a user needs to access a computer over TCP.
Embodiments of the present invention are now described in detail with reference to the accompanying drawings.
Referring to Fig. 3, a method of controlling access from outside through the Internet is described in detail. Figure 3 shows a network structure implementing such a method according to the preferred embodiment of the present invention.
The network interface card 100 installed in the user host 60 is configured to communicate with an accessible address storage unit 200. A packet carrying an access request from the peer host 80 to the user host 60 must pass through the network interface card 100. The network interface card 100 therefore extracts the source address from each packet passing through it and compares the extracted source address with the addresses stored in the accessible address storage unit 200. According to the result, if an address identical to the source address is present in the accessible address storage unit 200, the network interface card 100 forwards the packet; if no such address is present, the network interface card 100 discards the packet. Further, to make communication between hosts convenient, when the user host 60 in turn requests access to an external peer host 80, the network interface card 100 stores the address most recently requested in an additional buffer, for later address lookup, and waits for the reply from the peer host 80 to which the user host 60 requested access. Thus, when the user host 60 requests access to the peer host 80, transmission of its packets is not restricted, while an unsolicited packet carrying an access request from the peer host 80 to the user host 60 is discarded. If, however, an access request from the peer host 80 is entered in response to a request from the user host 60, the network interface card 100 has temporarily stored the packet in the buffer in order to forward it. Therefore, if the address extracted from the transmitted packet is present in the buffer as an accessible address, the peer host 80 can access the user host 60. As described above, because the user host 60 frequently needs to access an external server 300 for data retrieval using the Internet and the like, packets for access from the user host 60 to the external server 300 are not restricted, so that packets can be transmitted freely. Moreover, even when an access-request packet is sent from the external server 300, access by the external server 300 can still be allowed by setting a flag that permits access for the external server 300. Thus, even when the user buys goods through an Internet site, electronic payment is not restricted.
Next, the network interface card according to the preferred embodiment of the present invention is described in detail with reference to Fig. 4. Figure 4 is a block diagram of the internal structure of a network interface card having an Internet access-control function according to the present invention.
The network interface card 100 uses the computer's PCI bus for communication. It comprises a media access control (MAC) processing unit 150 that handles MAC processing for packets transferred over the PCI bus, a PHY processing unit 160 that handles the physical layer, a buffer 120 needed for packet processing, a boot ROM, a connector and so on.
The network interface card 100 of the present invention further comprises an address determining unit 110, an accessible address storage unit 200, a transmit packet queue 130 and a receive packet queue 140. The network interface card 100 may also be implemented to include the buffer 120, which stores information on access requests from the user computer to the peer host 80 or the external server 300.
Referring to Fig. 4, the address determining unit 110 is connected in front of the MAC processing unit 150; it may, however, also be placed between the MAC processing unit 150 and the PHY processing unit 160, or connected after the PHY processing unit 160. Also, in Fig. 4 the transmit packet queue 130 and the receive packet queue 140 are shown as separate; they may instead be integrated into a single packet queue.
The address determining unit 110 extracts source and destination addresses from packets transferred over the Ethernet and the PCI bus: the destination address is extracted from packets transferred over the PCI bus, and the source address from packets transferred over the Ethernet. The address determining unit 110 extracts an address from an incoming packet, compares it with the address list stored in the buffer 120 or in the accessible address storage unit 200, and decides according to the result whether to forward the packet. The address determining unit 110 can inspect every packet passing through it; preferably, however, it first determines whether an incoming packet is a processing target, forwards packets that are not processing targets, and then decides whether to forward only those packets that are. The packets treated as processing targets are preferably restricted to TCP and UDP packets. Packets entering the address determining unit 110 are temporarily stored by it in the transmit packet queue 130 or the receive packet queue 140, as explained below. The address determining unit 110 further performs the function of storing addresses extracted from packets in the buffer 120.
The accessible address storage unit 200 stores the addresses of computers whose access requests from outside the user host 60 are permanently allowed, and is configured to communicate with the network interface card 100. That is, the accessible address storage unit 200 may be held on a hard disk installed in the computer, or the network interface card 100 may include an additional storage device; non-volatile memory such as flash memory or EEPROM is used for the additional storage. The content stored in the accessible address storage unit 200 is a numeric value corresponding to the IP address of an accessible computer, or a character value corresponding to its URL. Preferably the numeric and character values are not stored in their original form but after processing by a hash function. Because a hash function has no inverse, even if someone attempts to read the stored content, the stored values cannot be read back. Storing the content as hash values has the further advantage that they are formed and stored as an index, so lookups are faster than comparison against a normal file. The accessible address storage unit 200 may also contain an access-denied list, a list of addresses that are permanently denied access, from which the address determining unit 110 determines that access is denied.
When the user host 60 has recently requested access through the Internet, the buffer 120 temporarily stores the content of the access request sent by the user host 60, so that a packet can be forwarded when an access request is in turn provided from the external server 300. The number of recent access-request packets kept in the buffer 120 can be set arbitrarily: the number of packets grows with the capacity of the buffer 120, so that with enough capacity every access-request packet of one computer user's Internet session, from first to last, can be stored in the buffer 120. If the capacity of the buffer 120 is small, the most recently received access-request packets are stored in the buffer 120 and the earliest-received access-request packets are discarded first.
The buffer 120 may be implemented with non-volatile memory such as flash memory or with volatile memory such as RAM; volatile memory is preferred because of its higher access speed.
The transmit packet queue 130 temporarily stores packets entering the address determining unit 110 from the PCI bus, and holds a packet while the address determining unit 110 extracts its address. Then, if the SYN bit corresponding to an access request is set in a packet sent from the user host 60 to the external server 300 or the peer host 80, the transmit packet queue 130 temporarily stores the packet while its destination address is stored in the buffer 120, so as to wait for a packet having the SYN and ACK bits set. It also temporarily stores packets while an accessible address list is being stored in the buffer 120. The transmit packet queue 130 is separate from the accessible address storage unit 200. Thus, when an access-request packet with the SYN bit set is received from an accessible address stored in the buffer 120, access to the user host 60 can be allowed. The transmit packet queue 130 may be implemented with volatile memory such as RAM or with non-volatile memory such as flash memory; for access speed, volatile memory is preferred.
The receive packet queue 140 temporarily stores packets entering the address determining unit 110 from the Ethernet, and holds a packet while the address determining unit 110 extracts its address. If the address determining unit 110 determines that the address is denied access, the corresponding packet is discarded. If, however, the incoming packet comes from an address to which the user host 60 requested access, the receive packet queue 140 forwards the packet, because that address is stored in the buffer 120 as an accessible address. That is, an external computer to which the user host 60 sent a SYN bit requesting access is made accessible by the SYN and ACK bits received from that external computer. The receive packet queue 140 may be implemented with volatile or non-volatile memory, like the transmit packet queue 130, but volatile memory is preferred.
Allowing or denying access for a received packet is now explained in detail with reference to Fig. 5. Figure 5 is a flowchart of the process by which the address determining unit of the preferred embodiment of the present invention allows or denies an access request by inspecting a received packet.
At step S100, the network interface card 100 installed in the user host 60 connected to the Internet receives a packet from the external server 300 or the peer host 80. At step S110, the network interface card 100 stores a copy of the received packet in the receive packet queue 140. At step S120, the address determining unit 110 extracts the source address from the received packet, and at step S130 it compares the extracted source address with the addresses stored in the buffer 120.
Since the addresses in the buffer 120 are classified, if an address identical to the extracted address exists there (step S130-1), it is determined at step S131 whether the extracted address is classified as an accessible address. If the address is classified as accessible (step S132), the address determining unit 110 forwards the packet at step S134; if it is classified as an access-denied address (step S133), the address determining unit 110 discards the corresponding packet at step S135.
If no address identical to the extracted address exists in the buffer 120 (step S130-2), the address determining unit 110 compares the extracted address with the address list stored in the accessible address storage unit 200 at step S140.
At step S150, the address determining unit 110 determines whether any address in the address list stored in the accessible address storage unit 200 is identical to the extracted address. If every address in the list differs from the extracted address (step S150-1), reception from that address is denied at step S151; the extracted address is therefore recorded in the buffer as an access-denied address at step S152, and the corresponding packet is discarded at step S153.
If, on the other hand, an address in the list stored in the accessible address storage unit 200 is identical to the extracted address (step S150-2), the extracted address is recorded in the buffer as an access-allowed address at step S160, and the corresponding packet is forwarded at step S170.
Hereinafter, permission or prohibition of access for transmitted packets is described with reference to Fig. 6. Fig. 6 is a flowchart of the process by which the address determining unit permits or prohibits an access request by inspecting transmitted packets, according to the preferred embodiment of the present invention.
When the subscriber host 60 requests access to the connection host 80 or an external server 300, for example the Web server 30, using a Web browser or any other application, the network interface unit 100 installed in the subscriber host 60 receives the outgoing packet at step S200. At step S210 the network interface unit 100 stores the packet in the transmit packet queue 130. At step S220 the address determining unit 110 extracts the destination address from the packet, and at step S230 it compares the extracted destination address with the addresses stored in the buffer 120.
If an address identical to the extracted destination address exists in the buffer 120 (step S230-1), the address determining unit 110 forwards the packet at step S231. If no such address exists in the buffer 120 (step S230-2), the address determining unit 110 determines at step S240 whether the SYN bit is set in the packet.
If the SYN bit is set (step S240-1), the destination address is recorded in the buffer as an accessible address at step S250, and at step S260 it is placed in a waiting state for the packet with the ACK bit set that is expected from that destination address. The address determining unit 110 then forwards the packet at step S270 so that it is sent out over Ethernet.
If the SYN bit is not set (step S240-2), the destination address is stored in the buffer at step S241. The address determining unit 110 then forwards the packet at step S242 so that it is sent out over Ethernet.
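The two decision paths above, the inbound check of Fig. 5 (steps S100-S170) and the outbound SYN tracking of Fig. 6 (steps S200-S270), modelled in Python as an added example; this is not code from the patent or its assignee. The Packet class, the verdict strings, the addresses in the sample traffic and the treatment of a non-SYN destination (step S241) as accessible are assumptions.

```python
from dataclasses import dataclass, field

ALLOWED, DENIED, PENDING_ACK = "allowed", "denied", "pending_ack"


@dataclass
class Packet:
    src: str            # constructed minimal packet: only the fields the unit inspects
    dst: str
    syn: bool = False
    ack: bool = False


@dataclass
class AddressDeterminingUnit:
    """Model of address determining unit 110 with buffer 120 and queues 130/140."""
    accessible_list: set                           # accessible address storage unit 200
    buffer: dict = field(default_factory=dict)     # buffer 120: address -> verdict
    tx_queue: list = field(default_factory=list)   # transmit packet queue 130
    rx_queue: list = field(default_factory=list)   # receive packet queue 140

    def on_receive(self, pkt: Packet) -> bool:
        """Inbound path (Fig. 5, S100-S170): True forwards, False discards."""
        self.rx_queue.append(pkt)                  # S110: copy into the receive queue
        addr = pkt.src                             # S120: extract the source address
        verdict = self.buffer.get(addr)            # S130: look the address up in buffer 120
        if verdict is None:                        # S130-2: address not cached yet
            # S140-S150: consult the accessible address list; S152/S160: cache the verdict
            verdict = ALLOWED if addr in self.accessible_list else DENIED
            self.buffer[addr] = verdict
        elif verdict == PENDING_ACK and pkt.ack:   # claim 3: ACK from the awaited peer
            self.buffer[addr] = verdict = ALLOWED  # sets the accessible flag
        # S134/S170: forward; S135/S153: discard. A pending peer was recorded as accessible (S250).
        return verdict != DENIED

    def on_transmit(self, pkt: Packet) -> bool:
        """Outbound path (Fig. 6, S200-S270): learns destinations and always forwards."""
        self.tx_queue.append(pkt)                  # S210: store in the transmit queue
        addr = pkt.dst                             # S220: extract the destination address
        if addr not in self.buffer:                # S230-2: destination not cached
            if pkt.syn:                            # S240-1: the host is opening a connection
                self.buffer[addr] = PENDING_ACK    # S250/S260: accessible, awaiting the ACK
            else:                                  # S240-2
                # S241 only says the address is stored; treating it as ALLOWED is an assumption
                self.buffer[addr] = ALLOWED
        return True                                # S231/S242/S270: send out over Ethernet


def demo() -> dict:
    """Constructed traffic: host 10.0.0.2 behind the unit; the list holds only 198.51.100.5."""
    unit = AddressDeterminingUnit(accessible_list={"198.51.100.5"})
    results = {"listed_source": unit.on_receive(Packet("198.51.100.5", "10.0.0.2")),
               "unlisted_source": unit.on_receive(Packet("203.0.113.9", "10.0.0.2"))}
    unit.on_transmit(Packet("10.0.0.2", "192.0.2.7", syn=True))   # host opens a connection
    results["reply_to_syn"] = unit.on_receive(Packet("192.0.2.7", "10.0.0.2", ack=True))
    results["cached_deny"] = unit.on_receive(Packet("203.0.113.9", "10.0.0.2"))
    results["buffer"] = dict(unit.buffer)
    return results
```

The buffer lets the accessible list be consulted once per address, and the SYN case shows how replies from a destination the host itself contacted are admitted even though that destination is not on the list.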
Although the preferred embodiments of the present invention have been disclosed for illustrative purposes, those skilled in the art will recognize that various modifications, additions and substitutions are possible without departing from the scope and spirit of the invention as disclosed in the claims.
Industrial applicability
As described above, an advantage of the method and apparatus according to the present invention for controlling external access through the internet is that deliberate external access through the internet can be controlled.
A further advantage of the present invention is that it can prevent a user from arbitrarily deleting or removing packets.
A further advantage of the present invention is that external access through the internet can be controlled on each individual computer without requiring an additional firewall.
A further advantage of the present invention is that external access through the internet can be controlled without additional access control management.

Claims (7)

1. A method for controlling external access through the internet, the method being performed by a network interface unit and comprising the steps of:
receiving one or more packets transmitted or received by the network interface unit, and storing the packets in a transmit/receive buffer;
extracting an address from the stored packet;
comparing the extracted address with the secure IP addresses stored in a list that is in communication with the network interface unit; and
determining permission or prohibition of access according to the result of the comparison.
2. A method for controlling external access through the internet, the method being performed by a network interface unit and comprising the steps of:
storing one or more packets received by the network interface unit in a predetermined area, and extracting an address from the packets;
detecting whether an address identical to the extracted address is stored in an accessible list that is in communication with the network interface unit; and
determining permission or prohibition of access according to whether an address identical to the extracted address is detected in the accessible list.
3. The access control method of claim 1 or 2, further comprising the steps of:
storing in the buffer a packet, among the packets transmitted by the network interface unit, in which a SYN bit is set, and extracting an address from the packet;
transmitting the packet in which the SYN bit is set through the network interface unit; and
receiving a packet having an ACK bit from the address identical to the extracted address, and setting an accessible flag in the buffer.
4. The access control method of claim 1 or 2, further comprising the steps of:
storing in the buffer a packet, among the packets transmitted by the network interface unit, in which a SYN bit has been set from the inside, and extracting and storing an address from the packet;
comparing the extracted address with each address stored in the buffer, and determining whether the addresses are identical and whether an accessible flag is set; and
forwarding the received packet if the compared addresses are identical and the accessible flag is set.
5. The access control method of claim 1 or 2, further comprising the steps of:
storing in the buffer a packet, among the packets received by the network interface unit, in which a SYN bit has been set from the inside, and extracting and storing an address from the packet;
comparing the extracted address with each address stored in the buffer, and determining whether the addresses are identical and whether an accessible flag is set; and
discarding the received packet if the compared addresses are not identical and the accessible flag is not set.
6. An apparatus for controlling external access through the internet, comprising:
an accessible address storage unit for storing the secure addresses of computers that are permitted to be accessed on request;
a transmit packet queue for temporarily storing outgoing packets to be sent to the outside;
a receive packet queue for temporarily storing incoming packets received from the outside; and
an address determining unit for extracting an address from a received packet, determining with reference to the accessible address storage unit whether the extracted address is permitted access, discarding the received packet if no address identical to the extracted address exists in the accessible address storage unit, and accepting the received packet if an address identical to the extracted address exists in the accessible address storage unit.
7. The access control apparatus of claim 6, wherein the accessible address storage unit stores the address information in an encrypted format using a hash function.
CNA028081927A 2001-04-11 2002-04-04 Method and system for restricting access from external Pending CN1503952A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2001-0019395A KR100418445B1 (en) 2001-04-11 2001-04-11 Method and system for restricting access from external
KR2001/19395 2001-04-11

Publications (1)

Publication Number Publication Date
CN1503952A true CN1503952A (en) 2004-06-09

Family

ID=19708107

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA028081927A Pending CN1503952A (en) 2001-04-11 2002-04-04 Method and system for restricting access from external

Country Status (4)

Country Link
JP (1) JP2004535096A (en)
KR (1) KR100418445B1 (en)
CN (1) CN1503952A (en)
WO (1) WO2002084512A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101370020A (en) * 2008-10-17 2009-02-18 北京中星微电子有限公司 Peripheral information product, method and system for updating its collocation information
CN101147138B (en) * 2005-02-18 2010-05-12 Duaxes株式会社 Communication control system
CN1760872B (en) * 2004-10-13 2011-06-15 国际商业机器公司 Method and system for processing destination addresses
CN102547684A (en) * 2011-12-28 2012-07-04 中兴通讯股份有限公司 Method and device for controlling digital mobile network alliance contents
CN1893440B (en) * 2005-07-01 2012-10-24 捷讯研究有限公司 System and method for managing forbidden network lists on a wireless user equipment (ue)
CN103347213A (en) * 2013-06-29 2013-10-09 深圳市龙视传媒有限公司 Method, terminal, server and system for controlling terminal network cards

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100475970B1 (en) * 2002-07-06 2005-03-10 주식회사 잉카인터넷 Method for controlling network access in gateway
KR101391508B1 (en) * 2012-08-29 2014-05-29 주식회사 팬택 Terminal and method for protecting stored file
KR101428999B1 (en) * 2013-04-12 2014-08-12 주식회사 엑스게이트 Packet filtering method and firewall using dns information
US10841280B2 (en) * 2018-03-16 2020-11-17 Lightspeed Systems, Inc. User device-based enterprise web filtering
JP7114769B2 (en) * 2021-03-05 2022-08-08 Necプラットフォームズ株式会社 Communications system

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3593762B2 (en) * 1995-11-08 2004-11-24 富士通株式会社 Relay device
DE69708281T2 (en) * 1996-04-24 2002-05-16 Nortel Networks Ltd INTERNET PROTOCOL-FILTER
US6009475A (en) * 1996-12-23 1999-12-28 International Business Machines Corporation Filter rule validation and administration for firewalls
US5864666A (en) * 1996-12-23 1999-01-26 International Business Machines Corporation Web-based administration of IP tunneling on internet firewalls
JPH11187016A (en) * 1997-12-24 1999-07-09 Toyo Commun Equip Co Ltd Network authenticating system
KR100411903B1 (en) * 1998-06-08 2004-03-30 주식회사 케이티 Restriction of Access to Special Information in Communication Processing Service Network
JP2000201143A (en) * 1999-01-05 2000-07-18 Nec Corp Terminal certification device
JP2001077811A (en) * 1999-09-01 2001-03-23 Akuton Technology Kk Network interface card
KR20000024492A (en) * 2000-02-16 2000-05-06 이성호 Method and Apparatus for Certifying User and Method and Apparatus for Recording Shop and Goods
KR20000054777A (en) * 2000-06-23 2000-09-05 김상돈 Method of authenticating on the basis of mac address in a network connection
KR20010025209A (en) * 2000-10-20 2001-04-06 고진선 Business method for providing harmful information intercept service using network and computer readable medium having stored thereon computer executable instruction for performing the method

Also Published As

Publication number Publication date
WO2002084512A1 (en) 2002-10-24
JP2004535096A (en) 2004-11-18
KR100418445B1 (en) 2004-02-14
KR20020080142A (en) 2002-10-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication