CN201491035U - Trustworthy terminal system - Google Patents

Trustworthy terminal system

Info

Publication number
CN201491035U
Authority
CN
China
Prior art keywords
computer
switch
local area
area network
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CN2009202224035U
Other languages
Chinese (zh)
Inventor
于晴
王海洋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING TIP TECHNOLOGY CO Ltd
Original Assignee
BEIJING TIP TECHNOLOGY CO Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by BEIJING TIP TECHNOLOGY CO Ltd
Priority to CN2009202224035U
Application granted
Publication of CN201491035U
Anticipated expiration
Legal status: Expired - Lifetime (current)

Abstract

The utility model relates to a trustworthy terminal system comprising a local area network, such as Ethernet or a wireless local area network, a plurality of computers, a switch and an authentication server. The computers are interconnected by the local area network; the switch is connected to the computers by the local area network, is provided with controlled ports, and accepts or rejects a computer's network access request according to the authentication result; the authentication server is connected to the switch, authenticates or identifies the computers on the basis of the authentication requests forwarded by the switch, and returns the authentication result to the switch. The utility model can effectively prevent external computers from accessing the local area network that belongs to the internal network, thereby improving network security.

Description

The trusted terminal system
Technical field
The utility model relates to a computer intranet system, and in particular to a trusted terminal system that allows trusted terminals to access the network and prevents other computers from accessing it.
Background art
Some existing terminal authentication schemes control unauthorized computer access at the network layer, so data streams from unauthenticated terminals can still enter the network; as a result, traffic such as ARP packets, illegal broadcasts, ping attacks, malicious viruses and Trojans spreads unchecked through the network.
Other schemes use ordinary switch ports directly: the ports are not controlled and simply forward data, so the access of individual computers cannot be controlled.
Still other schemes require the user to enter authentication information in a pop-up dialog, which is inconvenient and also creates conditions for illegal access by password cracking and similar means.
Consequently, existing internal networks cannot prevent external computers from connecting illegally, which easily leads to information leakage and poses serious information security risks; how to control unauthorized host access to the internal network is currently a question of common concern to many enterprises and institutions.
Summary of the invention
To solve the unauthorized host access problem of the prior art, the utility model provides a trusted terminal system that prevents external hosts from illegally connecting to the internal network and protects the computers and data inside the network.
The above purpose of the utility model is achieved by a trusted terminal system comprising: a local area network (LAN); a plurality of computers interconnected by the LAN; a switch with controlled ports connected to the LAN; and an authentication server connected to the switch, which authenticates the authentication requests that the computers send via the switch.
Each of the plurality of computers is connected via the LAN to a corresponding controlled port of the switch; the authentication server is connected to another port of the switch.
The switch comprises: a switching chip having a plurality of controlled ports, each connected to one of the plurality of computers, and another port connected to the authentication server; and a port control module connected to the switching chip, which controls the ports connected to the computers according to the authentication result of the authentication server.
Each computer may have a USB key that is used to start the computer.
The utility model has the following technical effects:
1. Access authorization, authentication and control can be applied to all servers and terminal computers of the current internal computer network.
2. Only computers that have been authorized and authenticated by the responsible authority can pass the switch-port-based access control authentication and then freely use the internal computer network and its resources.
3. Through the cooperation of the trusted terminal management program and the port-based access control mechanism, computers not authorized by the relevant authority cannot connect to the internal computer network without authorization.
The utility model is described in detail below with reference to the accompanying drawings.
Description of drawings
Fig. 1 is the configuration diagram of the trusted terminal system of the utility model;
Fig. 2 is a schematic diagram showing how the trusted terminal system of the utility model handles network access requests;
Fig. 3 is a schematic diagram of the switch of Fig. 2;
Fig. 4 is a schematic diagram showing the data-flow switching and authentication-information transmission of the switch shown in Fig. 3.
Embodiment
Fig. 1 shows the configuration of the trusted terminal system of the utility model. The system of Fig. 1 comprises: a local area network (LAN) 2, which may be Ethernet or a wireless LAN; a plurality of computers 1 interconnected by the LAN 2; a switch 3 with controlled ports, connected to the computers 1 via the LAN 2, which accepts or refuses a computer's network access request according to the authentication result; and an authentication server 4 connected to the switch 3, which authenticates or identifies the computers 1 on the basis of the authentication requests sent by the switch 3 and returns the resulting authentication result to the switch 3.
Fig. 2 shows how switch 3 and authentication server 4 handle the network access requests of computers 1. As shown in Fig. 2, suppose that among computers A, B and C, computers A and B are trusted computers and computer C is an illegally connected computer. When computers A to C start, each sends an authentication request to server 4 via switch 3. Because computers A and B are trusted, server 4 sends the authentication result "computers A and B authenticated successfully" to switch 3, so that switch 3 opens the controlled ports connected to A and B. Because computer C is not a trusted computer, server 4 sends the authentication result "computer C authentication failed" to switch 3, so that the controlled port of switch 3 connected to computer C remains closed and computer C is refused network access.
As shown in Figs. 1 and 2, each of the plurality of computers 1, i.e. each of computers A to C, is connected via LAN 2 to a corresponding controlled port of switch 3; authentication server 4 is connected to another port of switch 3.
Fig. 3 shows the principle by which switch 3 of the utility model controls the state of its controlled ports according to the authentication result of the server. As shown in Fig. 3, switch 3 comprises: a switching chip 31 having controlled ports 311, 312 and 313, connected via LAN 2 to computers A to C respectively, and another port 314 connected to authentication server 4; and a port control module 32 connected to switching chip 31, which controls the ports connected to the computers according to the authentication result of the authentication server.
Switching chip 31 can add the controlled port number to packets arriving from computers A to C, so that port control module 32 can control the controlled ports of switching chip 31 according to the packet that carries the authentication result of server 4.
Server 4 usually represents the authentication result with a flag field in the packet, so port control module 32 can control the controlled ports of the switching chip according to this flag: when the flag is the authentication-success code, it opens the controlled port connected to the corresponding computer and allows that computer's data stream to be forwarded; when the flag for a computer's authentication request is the authentication-failure code, it keeps the corresponding controlled port closed, thereby refusing that computer network access.
In addition, a trusted computer 1 of the utility model may have a USB key that is used to start the computer.
The principle of the utility model is described in detail below with reference to Fig. 4.
For trusted computers A and B without a USB key, A and B send authentication request information to the authentication server through the authentication-information transfer unit of the switch. After the authentication server receives the request, it identifies the information and sends a response message to the trusted terminal through the switch port. On success, port control module 32 opens controlled ports 311 and 312 (closing the switches in the figure) according to the authentication-success flag, so that they can exchange data through the data-flow switching unit; otherwise, port control module 32 keeps the controlled ports closed according to the authentication-failure flag and refuses computers A and B network access.
For trusted computers A and B with a USB key, the USB key must be inserted first. At startup the trusted computer reads the USB key information and sends it to the authentication server through the switch port. After the authentication server receives the request, it identifies the information and sends a response message to the trusted terminal through any switch port. On success, communication begins; otherwise the terminal is refused network access.
The utility model is based on port-level access control: at the switch port, the information flow of every computer requesting network access is blocked by default, that is, all data streams other than the authentication-information stream of the trusted terminal are blocked at that port. Therefore, when an illegally connected computer that has not been authorized and authenticated by the authority connects to the internal computer network through the switch, it can neither send any data stream into the internal computer network nor intercept any data stream inside it, thereby achieving control over illegally connected computers and protection of the data flows inside the computer network.
A trusted computer in the utility model means a computer that can be authenticated by the switch and the authentication server. The switch accepts authentication information only when it is sent to the switch with the 802.1X protocol; the switch forwards the received authentication information to the authentication server, which extracts the user name and password from it. Only when the user name and password are both correct does the request pass, the port that the switch keeps closed by default is opened, and data can be exchanged normally. Thus a trusted computer can send authentication information containing a user name and password to the switch using the 802.1X protocol and be authenticated by the authentication server; such a terminal computer is called a trusted terminal.
The frame format of a computer's authentication request and of the server's authentication result consists of three parts: the first part contains the local MAC address, the destination MAC address and the packet type; the second part is the flag field; the third part is the data content, which contains the user name and password. After the server receives an authentication request sent by a computer, it checks the computer's MAC address, user name and password. If they are correct, it returns an authentication result whose flag indicates success, for example 0x03; if they are wrong, it returns an authentication result whose flag indicates failure, for example 0x04. Port control module 32 of switch 3 controls the corresponding controlled port of switching chip 31 according to this flag.
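As an added illustration (not code from the patent), the following Python model walks through the three-part frame and flag handling described above: a constructed authentication server that binds the source MAC to a user name and password and answers with flag 0x03 or 0x04, and a port control module that keeps every controlled port closed until it sees a success flag for that terminal's MAC. The packet-type value, the request's flag value, the MAC addresses and the credential table are constructed assumptions; the page specifies none of them.

```python
import hmac
import struct

# Flag values quoted on the page: 0x03 = authentication success, 0x04 = authentication failure.
FLAG_AUTH_SUCCESS = 0x03
FLAG_AUTH_FAILURE = 0x04
PKT_TYPE_AUTH = 0x01  # the page gives no packet-type value; this one is constructed
# Frame layout from the description: local MAC | destination MAC | packet type | flag | data.
HEADER = struct.Struct("!6s6sBB")

def build_request(src_mac, dst_mac, username, password):
    """Authentication request from a terminal; the request flag is 0 (an assumption)."""
    return HEADER.pack(src_mac, dst_mac, PKT_TYPE_AUTH, 0) + f"{username}:{password}".encode()

def parse_frame(frame):
    """Return (src MAC, dst MAC, packet type, flag, data); the data part may be empty."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than header")
    src, dst, ptype, flag = HEADER.unpack_from(frame)
    return src, dst, ptype, flag, frame[HEADER.size:]

class AuthServer:
    """Server 4: checks MAC, user name and password; answers with flag 0x03 or 0x04."""
    def __init__(self, mac, trusted):
        self.mac = mac
        self.trusted = trusted  # terminal MAC -> (username, password)

    def handle(self, request):
        src, dst, ptype, _flag, data = parse_frame(request)
        ok = False
        if dst == self.mac and ptype == PKT_TYPE_AUTH:
            user, sep, pwd = data.decode(errors="replace").partition(":")
            expected = self.trusted.get(src)
            # The MAC must be known and both credentials must match (constant-time compare).
            ok = (sep == ":" and expected is not None and expected[0] == user
                  and hmac.compare_digest(expected[1].encode(), pwd.encode()))
        flag = FLAG_AUTH_SUCCESS if ok else FLAG_AUTH_FAILURE
        return HEADER.pack(self.mac, src, PKT_TYPE_AUTH, flag)

class PortControlModule:
    """Module 32: controlled ports are closed by default; only a 0x03 result opens one."""
    def __init__(self, port_of_mac):
        self.port_of_mac = port_of_mac  # terminal MAC -> controlled port number (311, 312, 313)
        self.open_ports = set()

    def apply(self, result):
        _src, dst, _ptype, flag, _data = parse_frame(result)
        port = self.port_of_mac.get(dst)
        if port is not None and flag == FLAG_AUTH_SUCCESS:
            self.open_ports.add(port)
        elif port is not None:
            self.open_ports.discard(port)  # any failure result leaves (or puts) the port closed

    def is_open(self, port):
        return port in self.open_ports

def run_scenario():
    """Constructed Fig. 2 scenario: A and B are trusted; C is unknown and replays A's credentials."""
    mac_a, mac_b = b"\x02\x00\x00\x00\x00\x0a", b"\x02\x00\x00\x00\x00\x0b"
    mac_c, mac_srv = b"\x02\x00\x00\x00\x00\x0c", b"\x02\x00\x00\x00\x00\xff"
    server = AuthServer(mac_srv, {mac_a: ("alice", "pw-a"), mac_b: ("bob", "pw-b")})
    ports = PortControlModule({mac_a: 311, mac_b: 312, mac_c: 313})
    for mac, user, pwd in ((mac_a, "alice", "pw-a"), (mac_b, "bob", "pw-b"), (mac_c, "alice", "pw-a")):
        ports.apply(server.handle(build_request(mac, mac_srv, user, pwd)))
    return {port: ports.is_open(port) for port in (311, 312, 313)}  # {311: True, 312: True, 313: False}
```

Computer C fails even with a valid user name and password because the server also binds the credentials to the source MAC, as the description requires.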
The utility model has the following technical effects:
1. Access authorization, authentication and control can be applied to all servers and terminal computers of the current internal computer network. A controlled port is opened only after authentication succeeds, in order to deliver network resources and services. If the user has not passed authentication, the controlled port remains in the unauthenticated state and the user cannot access the services provided by the authentication system. A controlled port can be configured in one of two modes, bidirectional control or input-only control, to suit different application environments.
2. Only computers that have been authorized and authenticated by the responsible authority (for example the information center, the confidentiality office or a similar functional department) can pass the switch-port-based access control authentication and then freely use the internal computer network and its resources.
3. Computers not authorized by the relevant authority cannot connect to the internal computer network without authorization.
Although the utility model has been described in detail above, it is not limited thereto, and those skilled in the art can make various modifications according to its principles. Therefore, all modifications made according to the principle of the utility model should be understood to fall within its scope of protection.

Claims (4)

1. A trusted terminal system, characterized in that it comprises:
a local area network (LAN) (2);
a plurality of computers (1) interconnected by said LAN (2);
a switch (3) with controlled ports connected to said LAN (2); and
an authentication server (4) connected to said switch (3), which authenticates the authentication requests sent by said computers (1) via the switch (3).
2. The trusted terminal system according to claim 1, characterized in that each of said plurality of computers (1) is connected via the LAN (2) to a corresponding controlled port of said switch (3), and the authentication server (4) is connected to another port of said switch (3).
3. The trusted terminal system according to claim 1 or 2, characterized in that said switch (3) comprises:
a switching chip (31) having a plurality of controlled ports, each connected to one of said plurality of computers (1), and another port connected to said authentication server (4); and
a port control module (32) connected to said switching chip (31), which controls the ports connected to the computers according to the authentication result of said authentication server (4).
4. The trusted terminal system according to claim 3, characterized in that said computer (1) has a USB key that is used to start the computer.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009202224035U CN201491035U (en) 2009-09-07 2009-09-07 Trustworthy terminal system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009202224035U CN201491035U (en) 2009-09-07 2009-09-07 Trustworthy terminal system

Publications (1)

Publication Number Publication Date
CN201491035U true CN201491035U (en) 2010-05-26

Family

ID=42429900

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009202224035U Expired - Lifetime CN201491035U (en) 2009-09-07 2009-09-07 Trustworthy terminal system

Country Status (1)

Country Link
CN (1) CN201491035U (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106685987A (en) * 2017-01-23 2017-05-17 北京东土军悦科技有限公司 Safety certificate method and device of cascade network
CN106685987B (en) * 2017-01-23 2020-06-05 北京东土军悦科技有限公司 Security authentication method and device for cascade network

Similar Documents

Publication Publication Date Title
CN201479143U (en) Intranet safety management system
CN100539501C (en) Unified Identity sign and authentication method based on domain name
CN100512109C (en) Access authentication system and method by verifying safety of accessing host
CN100499554C (en) Network admission control method and network admission control system
CN100464548C (en) System and method for blocking worm attack
CN101248613A (en) Authentic device admission scheme for a secure communication network, especially a secure ip telephony network
CN107864162B (en) fusion gateway dual system and communication safety protection method thereof
CN101436934A (en) Method, system and equipment for controlling user upper wire
CN110830447A (en) SPA single packet authorization method and device
US20080244716A1 (en) Telecommunication system, telecommunication method, terminal thereof, and remote access server thereof
CN102438028A (en) Method, device and system for preventing fraud of dynamic host configuration protocol (DHCP) server
CN110830446A (en) SPA security verification method and device
CN110336788A (en) A kind of data safety exchange method of internet of things equipment and mobile terminal
CN100579012C (en) Method for terminal user safety access soft handoff network
CN108011873A (en) A kind of illegal connection determination methods based on set covering
CN107277058A (en) A kind of interface authentication method and system based on BFD agreements
CN101272379A (en) Improving method based on IEEE802.1x safety authentication protocol
CN100471167C (en) Method and apparatus for managing wireless access-in wide-band users
CN101207475A (en) Method for preventing non-authorization linking of network system
CN1905553B (en) Method for ensuring selected user access on DOS attacking or apparatus overload
CN100591068C (en) Method of transmitting 802.1X audit message via bridging device
CN111416824B (en) Network access authentication control system
CN101247618B (en) Terminal validity detecting method and system
CN201491035U (en) Trustworthy terminal system
CN101765110B (en) Dedicated encryption protection method between user and wireless access point

Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20100526