CN205510108U - A network access system for local lan - Google Patents
- Publication number: CN205510108U
- Application number: CN201620271559.2U
- Authority: CN (China)
- Prior art keywords: network, lan, server, gateway, control
- Legal status: Active
- Landscapes: Data Exchanges In Wide-Area Networks; Small-Scale Networks
Abstract
The utility model discloses a network admission system for a local area network (LAN). The LAN comprises a core network switch connected to an external network, together with a plurality of clients and at least one application server connected to the core network switch. The network admission system comprises an application control gateway, a management server and a control server; the application control gateway is deployed in series at, or bypass-deployed at, the entrance of the LAN, and the management server and the control server are both connected to the core network switch. The utility model makes it possible to manage effectively the network behaviour of devices accessing the LAN.
Description
Technical field
This utility model relates to the field of digital communication technology, and specifically to a network admission system for a local area network (LAN).
Background technology
At present most government agencies, enterprises, financial institutions, educational institutions and non-governmental organisations have digitised their own business, and their business data are stored on their own application servers, workstations and clients. The application servers, workstations and hundreds of clients are connected by a fixed network topology into a local area network, and the business processes are networked through business process re-engineering (BPR). To exchange business with, or integrate with, external units, this LAN must also be interconnected with the external Internet through a router.
A computer network exists to share and use data resources, and openness is its most prominent feature. That openness also gives computer networks inherent vulnerabilities. At the same time the physical support structure of the network, the operating systems and application software running on its computers, and the network communication protocols all have defects, and the existence of these defects further deepens the vulnerability of the computer network.
The vulnerability of a computer network readily leads to attacks on the network from inside or outside; such attacks can paralyse the network and interrupt the services running on it.
For a LAN, attacks from inside the network arise mainly because government agencies, enterprises, financial institutions, educational institutions, NGOs and similar units lack effective technical means to manage and control the servers, workstations and clients in the LAN, and because employees' security awareness is weak: client operating systems have no password set, and system updates and antivirus signature updates are not applied. At the same time, employees, for their own convenience, privately modify computer security settings, use P2P download tools such as BitTorrent and eMule to download data from the network, and use proxies to browse websites unrelated to work, so that phishing-site plug-ins are implanted and attackers enter internal clients through security holes in browsers or application software. Once an attacker controls an internal client, that client can be used to attack the internal LAN, steal or tamper with business data, and damage the LAN's network environment.
At present, security management of an internal LAN mainly consists of placing a network firewall between the external Internet and the LAN, installing the corresponding firewall software on the application servers, workstations and clients, and blocking network intrusions with the network firewall. A policy-based network firewall, however, has poor defensive capability against new types of network attack and against variants of existing attacks. Better-resourced units therefore also deploy an intrusion detection system and a vulnerability scanner in the internal LAN, using the vulnerability scanner to find security holes in the LAN in time and the intrusion detection system to discover network attacks in time. These measures can resolve most external attacks and intrusions, but once an attacker enters the internal LAN through a worm or a trojan variant and carries out attacks from inside the LAN, real-time, effective security management of the LAN is no longer possible. Managing the network behaviour of internal clients is therefore extremely important for stopping attacks from within the LAN.
Utility model content
The technical problem to be solved by this utility model is to provide a network admission system for a LAN that can effectively manage the network behaviour of devices accessing the LAN, so that the probability of a network attack originating inside the LAN is greatly reduced and the security of the internal LAN is further improved.
The technical solution adopted by this utility model to solve this problem is as follows.
A network admission system for a LAN, where the LAN comprises a core network switch connected to an external network, together with a plurality of clients and at least one application server connected to the core network switch. The network admission system comprises an application control gateway, a management server and a control server; the application control gateway is deployed in series at, or bypass-deployed at, the entrance of the LAN, and the management server and the control server are both connected to the core network switch.
Further, the control server comprises a primary control server and a standby control server, both of which are connected to the core network switch.
Further, the application control gateway is an application control gateway with an escape channel.
Further, the application control gateway is bypass-deployed at the entrance of the LAN by being connected to the core network switch.
Further, the number of core network switches equals the number of application control gateways and is at least two; the at least two application control gateways are bypass-deployed at the entrance of the LAN, each connected to its corresponding core network switch, and the application control gateways are network-connected to one another.
The network admission system for a LAN of this utility model is applicable to admission management of the internal LANs of government agencies, enterprises and institutions, financial institutions and non-governmental organisations.
Compared with the prior art, the beneficial effects of this utility model are:
1. The network admission system for a LAN of this utility model brings every computer client in the LAN up to a unified security configuration standard, and stops computer users from consciously or unconsciously violating the LAN's client security management rules. Throughout a client's access to the network, every policy is checked in real time by the network admission system; as soon as a deviation from the predefined policy is found, the system promptly changes that client's permission to access network resources or disables that client user's network access. This fundamentally prevents users from arbitrarily changing the client security policy while using the network, and meets the LAN's security management needs well. The utility model enforces the client security scheme in the LAN, reduces security threats from inside the LAN to a minimum and significantly raises the LAN's security level.
2. Through the optimised design of the control server, under the management of the management server the control server runs as a dual-node hot-standby pair with uninterrupted automatic switchover of service on failure, which further improves the reliability and effectiveness of the network admission system and correspondingly the security of the LAN. Through the optimised application control gateway, the network admission system has good fault-contingency capability, further improving its reliability and effectiveness. Through the optimised connection mode of the application control gateway, a failure of the application control gateway cannot cut off communication between the LAN and the external network, further improving the reliability of the LAN. By pairing the application control gateways with the core network switches in the LAN, when one application control gateway fails the other takes over its control function over the hot-standby link, further improving the reliability and effectiveness of the network admission system and correspondingly the security of the LAN.
Accompanying drawing explanation
Fig. 1 is a structural block diagram of the network admission system for a LAN of this utility model with the application control gateway deployed in series.
Fig. 2 is a structural block diagram of the network admission system for a LAN of this utility model with the application control gateway bypass-deployed.
Fig. 3 is a structural block diagram of the network admission system for a LAN of this utility model with a primary control server and a standby control server.
Fig. 4 is a structural block diagram of the network admission system for a LAN of this utility model with two core network switches and two application control gateways.
Detailed description of the invention
This utility model is further described below with reference to the accompanying drawings and embodiments.
As shown in Fig. 1 and Fig. 2, in the network admission system for a LAN of this utility model, the LAN comprises a core network switch connected to an external network, together with a plurality of clients and at least one application server connected to the core network switch. The network admission system comprises an application control gateway, a management server and a control server; the application control gateway is deployed in series at, or bypass-deployed at, the entrance of the LAN, and the management server and the control server are both connected to the core network switch.
The application control gateway is a hardware control gateway, for example the H3C SecPath ACG series of products from H3C Technologies. The application control gateway opens different permissions to client users of different roles and different security states: according to the information fed back by the control server it controls the access rights of LAN clients to the LAN and to the external Internet, and controls the access rights of external Internet clients to the LAN. It prevents unauthorised external Internet clients from accessing the LAN, prevents legitimate but insecure LAN clients from accessing the LAN, and isolates clients that are connected to the LAN but have not passed security authentication.
The management server runs an existing network admission control software system and is the control centre of the network admission system, responsible for the system's management and routine maintenance. A network administrator can log in to the management server through the IE browser to perform routine maintenance: network admission system configuration, personnel management, security policy management, patch management, software distribution, asset management, bulletin management, report management and similar operations.
The control server is responsible for verifying the identity of client users, performing security checks on client hosts and, in linkage with the application control gateway, implementing least-privilege access control.
This utility model innovates and improves only the position of the application control gateway, management server and control server in the LAN topology and their connection relationship with the LAN's network devices; it does not innovate or improve the software systems running on the application control gateway, management server and control server, or the core network switch.
During implementation, as shown in Fig. 1 and Fig. 2, a person skilled in the art places the application control gateway at the entrance of the LAN where it connects to the external network. The application control gateway may be connected in series, that is, deployed between the external network and the core network switch, or it may be bypass-deployed at the entrance of the LAN by connecting it to the core network switch. The management server and the control server are connected to the core network switch, and the management server, control server and application control gateway are then given the corresponding network links and software configuration. Through the above steps the network admission system for a LAN of this utility model is built.
When the network admission system for a LAN of this utility model is put into use, a client connects to the control server, sends an access request and establishes an encrypted tunnel. The control server responds to the client's request, returns the server certificate and requires the client to submit a user certificate; the client calls its certificate processing module to verify the server's identity. The control server requires the client to log in with a certificate, and the client automatically calls its certificate processing module to perform digital certificate authentication. The client submits the user certificate to the control server; after receiving the certificate submitted by the client, the server calls the certificate verification module to complete verification of the user certificate. After the certificate is verified, the control server calls the certificate parsing module to parse the user certificate and obtain the user's information, and according to that information implements access control and security control of the client. Identity authentication by the control server has three possible results: the user identity is illegitimate and authentication fails; the user identity is legitimate and authentication passes, but the client does not meet the security standard; the user identity is legitimate, authentication passes, and the client meets the security standard. The control server feeds the authentication result back to both the client and the application control gateway.
The application control gateway applies the corresponding control policy to each client according to the authentication result provided by the control server: a client user whose identity is illegitimate and who fails authentication may only access the LAN's pre-authentication domain; a client user whose identity is legitimate but whose computer fails the security standard may only access the LAN's quarantine domain; a client user who passes both identity authentication and security authentication may access the LAN's post-authentication domain completely.
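As an added illustration, not part of the patent text (which describes this flow only in prose), the following Python sketch models the control server's three-way authentication result and the gateway's mapping of that result onto the pre-authentication, quarantine and post-authentication domains. The certificate and posture records, the trusted issuer name, the revoked serial number and the policy thresholds are all constructed stand-ins; the patent names no such values and no real X.509 parsing is done here.

```python
"""Added example (not the patent's own code): control-server decision and
application-control-gateway domain mapping for one client.
Certificates and host posture are constructed records."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Tuple


class AuthResult(Enum):
    IDENTITY_INVALID = "identity illegitimate, authentication failed"
    INSECURE_CLIENT = "identity legitimate, client fails security standard"
    COMPLIANT = "identity legitimate, client meets security standard"


class Domain(Enum):
    PRE_AUTH = "pre-authentication domain"
    QUARANTINE = "quarantine domain"
    POST_AUTH = "post-authentication domain"


@dataclass
class UserCert:            # constructed stand-in for an X.509 user certificate
    subject: str
    issuer: str
    not_after: date
    serial: int


@dataclass
class Posture:             # constructed stand-in for the client host security check
    password_set: bool
    missing_patches: int
    av_signature_age_days: int


# Constructed trust data held by the control server (assumed values).
TRUSTED_ISSUER = "CN=Example LAN CA"
REVOKED_SERIALS = {1002}
# Constructed client security standard (assumed thresholds).
POLICY = {"max_missing_patches": 0, "max_av_age_days": 7}

# Constructed sample inputs used by the __main__ demo.
TODAY = date(2016, 8, 24)
GOOD_CERT = UserCert("CN=alice", TRUSTED_ISSUER, date(2017, 1, 1), 1001)
REVOKED_CERT = UserCert("CN=mallory", TRUSTED_ISSUER, date(2017, 1, 1), 1002)
EXPIRED_CERT = UserCert("CN=bob", TRUSTED_ISSUER, date(2016, 1, 1), 1003)


def verify_certificate(cert: UserCert, today: date) -> bool:
    """Certificate verification module: trusted issuer, validity period, not revoked."""
    return (cert.issuer == TRUSTED_ISSUER
            and today <= cert.not_after
            and cert.serial not in REVOKED_SERIALS)


def posture_failures(p: Posture) -> List[str]:
    """Security check: the violated rules (empty list means compliant)."""
    failures = []
    if not p.password_set:
        failures.append("no logon password set")
    if p.missing_patches > POLICY["max_missing_patches"]:
        failures.append(f"{p.missing_patches} patches missing")
    if p.av_signature_age_days > POLICY["max_av_age_days"]:
        failures.append("antivirus signatures out of date")
    return failures


def authenticate(cert: UserCert, posture: Posture, today: date) -> AuthResult:
    """Control server: identity is checked first, then host posture."""
    if not verify_certificate(cert, today):
        return AuthResult.IDENTITY_INVALID
    if posture_failures(posture):
        return AuthResult.INSECURE_CLIENT
    return AuthResult.COMPLIANT


def gateway_domain(result: AuthResult) -> Domain:
    """Application control gateway: map the fed-back result onto an access domain."""
    return {
        AuthResult.IDENTITY_INVALID: Domain.PRE_AUTH,
        AuthResult.INSECURE_CLIENT: Domain.QUARANTINE,
        AuthResult.COMPLIANT: Domain.POST_AUTH,
    }[result]


def admit(cert: UserCert, posture: Posture, today: date) -> Tuple[AuthResult, Domain, List[str]]:
    """Result fed back to client and gateway, plus remediation hints for quarantined hosts."""
    result = authenticate(cert, posture, today)
    hints = posture_failures(posture) if result is AuthResult.INSECURE_CLIENT else []
    return result, gateway_domain(result), hints


if __name__ == "__main__":
    cases = [(GOOD_CERT, Posture(True, 0, 2)),
             (GOOD_CERT, Posture(False, 3, 30)),
             (REVOKED_CERT, Posture(True, 0, 2)),
             (EXPIRED_CERT, Posture(True, 0, 2))]
    for cert, posture in cases:
        print(cert.subject, admit(cert, posture, TODAY))
```

Note that the order of the checks matters: a host whose certificate fails is never told why its posture is deficient, so remediation hints are only returned to the quarantine case, which is the only case the patent says receives repair suggestions.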
When the network admission system for a LAN of this utility model is put into use, it inspects and evaluates the security state of clients; for clients that do not meet the minimum requirements it provides personalised remediation suggestions and assists the client in installing the necessary patches and required software, so that the client meets the LAN's client security configuration requirements. At the same time, clients with major security risks and unauthorised external clients can be forcibly quarantined. The network admission system can manage client network behaviour precisely, which specifically includes: controlling unauthorised outbound connections of all kinds, controlling network traffic, controlling instant messaging, stock-trading software, P2P software and online games, controlling web access and IP access, protecting ARP address resolution, monitoring file operations, managing removable storage devices, and managing process/service black and white lists and peripheral interfaces. The network admission system integrates seamlessly with WSUS (Windows Server Update Services): through automated patch inspection it detects system vulnerabilities promptly, safely and accurately, and helps client hosts update their patches in time by connecting to WSUS, thereby proactively eliminating security defects and avoiding the client security threats caused by system vulnerabilities. For software that must be installed on computer clients, the network admission system supports distributing software to client hosts manually or by schedule, and supports distribution by department, by operating system and by IP address range. The network admission system automatically collects client hardware and software asset information and produces statistical reports on the state of enterprise computer assets; in addition, by tracking asset changes and producing change reports it makes asset management IT-based and ensures that enterprise information assets are controlled and managed.
The above is the basic embodiment of this utility model. From the implementation process it can be seen that the components of this utility model are interrelated, support one another and cooperate. Through the network admission system every computer client in the LAN reaches a unified security configuration standard, and computer users are stopped from consciously or unconsciously violating the LAN's client security management rules. Throughout a client's access to the network, every policy is checked in real time by the network admission system; as soon as a deviation from the predefined policy is found, the system promptly changes that client's permission to access network resources or disables that client user's network access. This fundamentally prevents users from arbitrarily changing the client security policy while using the network, and meets the LAN's security management needs well. The utility model enforces the client security scheme in the LAN, reduces security threats from inside the LAN to a minimum and significantly raises the LAN's security level.
The control server directly controls the data exchange services of clients inside and outside the LAN, and its reliability directly determines whether the network admission system works normally. To improve the reliability of the control server, this utility model further improves on the basic embodiment. As shown in Fig. 3, the first preferred embodiment of this utility model is that the control server comprises a primary control server and a standby control server, both of which are connected to the core network switch.
During implementation, as shown in Fig. 3, a person skilled in the art uses a primary control server and a standby control server working in coordination to control the data exchange services of clients inside and outside the LAN. First the primary and standby control servers are both connected to the core network switch; then the network is configured so that data is backed up automatically and in real time between the primary and the standby control server. Under normal conditions the primary control server is responsible for the data exchange services of clients inside and outside the LAN. When the primary control server fails, the management server detects the fault and notifies the system, and data exchange switches automatically to the standby control server, which then provides the clients' data exchange services. This achieves dual-node hot standby of the control server with uninterrupted automatic switchover of service on failure, further improving the reliability and effectiveness of the network admission system and correspondingly the security of the LAN.
Through the optimised design of the control server, the first preferred embodiment of this utility model achieves, under the management of the management server, dual-node hot standby of the control server with uninterrupted automatic switchover of service on failure, further improving the reliability and effectiveness of the network admission system and correspondingly the security of the LAN.
To ensure that business processing in the LAN proceeds normally when the application control gateway fails, this utility model further improves on the basic embodiment or the first preferred embodiment. The second preferred embodiment of this utility model is that the application control gateway is an application control gateway with an escape channel.
During implementation, a person skilled in the art selects an application control gateway with an escape channel as the application control gateway of this utility model. When the network admission system of this second preferred embodiment is in use and the control server suffers a serious fault and cannot carry out normal identity authentication and security authentication, the heartbeat protocol between the control server and the application control gateway detects the fault in time and opens the escape channel, so that the access system automatically opens access to the external Internet and business can proceed normally. When the heartbeat protocol finds that the control server has recovered from the fault, the application control gateway automatically closes the escape channel and the secure access control mechanism takes effect again.
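As an added example, not part of the patent text, the following Python sketch models the escape-channel behaviour just described: the gateway counts heartbeat rounds that the control server fails to answer, opens the escape channel (fails open to the external Internet) after a run of misses, and closes it again once heartbeats resume. The miss and recovery thresholds and the `EscapeGateway` name are assumptions; the patent only says the fault is detected "in time".

```python
"""Added example (not the patent's own code): heartbeat-driven escape channel
on the application control gateway.  While the control server is silent the
gateway fails open; once heartbeats resume it fails closed again.  Thresholds
are assumed values."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class EscapeGateway:
    miss_threshold: int = 3        # assumed: consecutive unanswered heartbeats before opening
    recover_threshold: int = 2     # assumed: consecutive answered heartbeats before closing
    escape_open: bool = False
    missed: int = 0
    recovered: int = 0
    log: List[str] = field(default_factory=list)   # audit trail of state changes

    def heartbeat(self, tick: int, answered: bool) -> bool:
        """Process one heartbeat round; return whether the escape channel is open afterwards."""
        if answered:
            self.missed = 0
            if self.escape_open:
                self.recovered += 1
                if self.recovered >= self.recover_threshold:
                    self.escape_open = False
                    self.recovered = 0
                    self.log.append(f"t={tick}: control server recovered, escape channel closed, "
                                    "access control enforced again")
        else:
            self.recovered = 0
            self.missed += 1
            if not self.escape_open and self.missed >= self.miss_threshold:
                self.escape_open = True
                self.log.append(f"t={tick}: {self.missed} heartbeats unanswered, "
                                "escape channel opened (fail-open)")
        return self.escape_open

    def allows_internet(self, client_authenticated: bool) -> bool:
        """Gateway decision for a client's request towards the external Internet."""
        return self.escape_open or client_authenticated


def run_heartbeats(gw: EscapeGateway, answers: List[bool]) -> List[bool]:
    """Feed a sequence of heartbeat outcomes; return the open/closed state after each round."""
    return [gw.heartbeat(t, ok) for t, ok in enumerate(answers)]


if __name__ == "__main__":
    gw = EscapeGateway()
    # constructed timeline: server healthy, silent for four rounds, then back
    states = run_heartbeats(gw, [True, True, False, False, False, False, True, True, True])
    print(states)
    for line in gw.log:
        print(line)
```

The two log lines are the events a security operations team should alert on: during the fail-open window unauthenticated clients reach the Internet, so the window should be short, visible and explained by a confirmed control-server outage rather than, for example, a blocked heartbeat path.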
Through the optimised application control gateway, the second preferred embodiment of this utility model gives the network admission system good fault-contingency capability, further improving the reliability and effectiveness of the network admission system.
To optimise the connection mode of the application control gateway, this utility model further improves on any one of the basic embodiment, the first preferred embodiment and the second preferred embodiment. As shown in Fig. 2, the third preferred embodiment of this utility model is that the application control gateway is bypass-deployed at the entrance of the LAN by being connected to the core network switch.
During implementation, as shown in Fig. 2, a person skilled in the art bypass-deploys the application control gateway by connecting it to the core network switch. Compared with series deployment, bypass deployment of the application control gateway does not affect the LAN's existing network structure and adds no new potential point of network failure, and is therefore conducive to improving the reliability of the LAN.
By optimising the connection mode of the application control gateway, the third preferred embodiment of this utility model avoids a failure of the application control gateway cutting off communication between the LAN and the external network, further improving the reliability of the LAN.
To reduce the operational risk to the LAN caused by a failure of the application control gateway, this utility model further improves on any one of the basic embodiment and the first to third preferred embodiments. As shown in Fig. 4, the fourth preferred embodiment of this utility model is that the number of core network switches equals the number of application control gateways and is at least two; the at least two application control gateways are bypass-deployed at the entrance of the LAN, each connected to its corresponding core network switch, and the at least two application control gateways are network-connected to one another.
A relatively large LAN will have at least two core network switches. If the LAN has two core network switches, core network switch 1 and core network switch 2, then two application control gateways, application control gateway 1 and application control gateway 2, are used: core network switch 1 is connected to application control gateway 1, core network switch 2 is connected to application control gateway 2, and application control gateway 1 and application control gateway 2 are connected to each other, establishing a hot-standby link between them. Routing policies are set on core network switch 1 and core network switch 2 to direct network data flows to application control gateway 1 and application control gateway 2. When the network admission system is in use, application control gateway 1 is responsible for the admission control of the clients connected to core network switch 1, and application control gateway 2 for the clients connected to core network switch 2. When one application control gateway fails, the other takes over the control function of the failed gateway over the hot-standby link, further improving the reliability and effectiveness of the network admission system and correspondingly the security of the LAN.
By pairing the application control gateways with the core network switches in the LAN, the fourth preferred embodiment of this utility model lets the other application control gateway take over the control function of a failed gateway over the hot-standby link, further improving the reliability and effectiveness of the network admission system and correspondingly the security of the LAN.
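The first preferred embodiment (primary/standby control server, switched over by the management server) and the fourth (two bypass application control gateways, each serving one core switch, covering for each other over the hot-standby link) follow the same takeover rule: a duty is served by its owner while the owner is healthy, and by the surviving peer otherwise. The following Python model is an added example, not the patent's own code, and generalises that rule to any two-member pair; the member names, duty labels and health-report interface are constructed.

```python
"""Added example (not the patent's own code): takeover rule shared by the
primary/standby control server pair and the paired application control
gateways.  Member names, duty labels and the report() interface are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class RedundantPair:
    name: str
    members: List[str]                 # exactly two peers
    owned: Dict[str, Set[str]]         # duties each member owns when healthy
    healthy: Dict[str, bool] = field(init=False)
    serving: Dict[str, Set[str]] = field(init=False)
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        assert len(self.members) == 2, "a hot-standby pair has exactly two members"
        self.healthy = {m: True for m in self.members}
        self._rebalance()

    def _rebalance(self) -> None:
        """Each duty goes to its owner if healthy, else to a healthy peer, else to nobody."""
        alive = [m for m in self.members if self.healthy[m]]
        self.serving = {m: set() for m in self.members}
        for owner, duties in self.owned.items():
            target = owner if self.healthy[owner] else (alive[0] if alive else None)
            if target is not None:
                self.serving[target] |= set(duties)

    def report(self, member: str, is_healthy: bool) -> None:
        """Health report from the management server (servers) or heartbeat link (gateways)."""
        if self.healthy[member] == is_healthy:
            return                                   # no state change, nothing to do
        self.healthy[member] = is_healthy
        before = {m: set(s) for m, s in self.serving.items()}
        self._rebalance()
        for m in self.members:
            gained = self.serving[m] - before[m]
            if gained:
                self.events.append(f"{self.name}: {m} took over {sorted(gained)}")
        if not any(self.healthy.values()):
            self.events.append(f"{self.name}: both members down, duties unserved")

    def who_serves(self, duty: str) -> Optional[str]:
        """Which member currently handles a duty, or None if the pair is fully down."""
        for m in self.members:
            if duty in self.serving[m]:
                return m
        return None


if __name__ == "__main__":
    # First preferred embodiment: primary owns everything, standby owns nothing.
    servers = RedundantPair("control server", ["primary", "standby"],
                            {"primary": {"client data exchange"}, "standby": set()})
    servers.report("primary", False)     # management server detects the fault
    servers.report("primary", True)      # primary repaired, duty returns to it
    # Fourth preferred embodiment: each gateway owns the clients of its own core switch.
    gateways = RedundantPair("application control gateway", ["acg1", "acg2"],
                             {"acg1": {"clients of core switch 1"},
                              "acg2": {"clients of core switch 2"}})
    gateways.report("acg2", False)       # acg1 takes over acg2's clients via the hot-standby link
    for event in servers.events + gateways.events:
        print(event)
```

The "both members down" event is the case the patent's prose does not spell out: with a control-server pair it is exactly the situation in which the escape channel of the second preferred embodiment would open, so an operator should expect the two alerts together.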
The above is the implementation process of the network admission system for a LAN of this utility model. From it can be seen that this utility model uses the network admission system to authenticate internal users, to evaluate the state of the devices internal users access with, and to manage and control internal users' attributes, presence and traffic limits.
Claims (5)
1. A network admission system for a LAN, the LAN comprising a core network switch connected to an external network, together with a plurality of clients and at least one application server connected to the core network switch, characterised in that the network admission system comprises an application control gateway, a management server and a control server; the application control gateway is deployed in series at, or bypass-deployed at, the entrance of the LAN; and the management server and the control server are both connected to the core network switch.
2. The network admission system for a LAN according to claim 1, characterised in that the control server comprises a primary control server and a standby control server, both of which are connected to the core network switch.
3. The network admission system for a LAN according to claim 1, characterised in that the application control gateway is an application control gateway with an escape channel.
4. The network admission system for a LAN according to any one of claims 1 to 3, characterised in that the application control gateway is bypass-deployed at the entrance of the LAN by being connected to the core network switch.
5. The network admission system for a LAN according to claim 4, characterised in that the number of core network switches equals the number of application control gateways and is at least two; the at least two application control gateways are bypass-deployed at the entrance of the LAN, each connected to its corresponding core network switch; and the at least two application control gateways are network-connected to one another.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201620271559.2U CN205510108U (en) | 2016-04-02 | 2016-04-02 | A network access system for local lan |
Publications (1)
Publication Number | Publication Date |
---|---|
CN205510108U true CN205510108U (en) | 2016-08-24 |
Family
ID=56734751
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201620271559.2U Active CN205510108U (en) | 2016-04-02 | 2016-04-02 | A network access system for local lan |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN205510108U (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110493195A (en) * | 2019-07-23 | 2019-11-22 | 上海文化广播影视集团有限公司 | A kind of network access control method and system |
CN111474885A (en) * | 2020-04-29 | 2020-07-31 | 江苏建筑职业技术学院 | Solar wireless intelligent networking control platform |
CN115529220A (en) * | 2021-06-08 | 2022-12-27 | 中国移动通信集团重庆有限公司 | Communication gateway disaster tolerance system and method |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103179130B (en) | A kind of information system intranet security management platform and management method | |
CN102724189B (en) | A kind of method and device controlling user URL access | |
CN106031118A (en) | Cloud service security broker and proxy | |
CN104158767B (en) | A kind of network admittance device and method | |
CN105847300B (en) | The method for visualizing and device of enterprise network boundary device topology | |
CN101512510A (en) | Method and system for providing network management based on defining and applying network administrative intents | |
CN206686205U (en) | The multiple-protection network architecture | |
CN205510108U (en) | A network access system for local lan | |
CN110601889B (en) | System and method for realizing safe backtracking deep encryption controlled network link resource scheduling management | |
CN109981367A (en) | Method based on the empty machine paas service management that Intranet penetrates | |
CN113645213A (en) | Multi-terminal network management monitoring system based on VPN technology | |
CN106209799A (en) | A kind of method, system and dynamic firewall realizing dynamic network protection | |
CN108900328A (en) | A kind of electricity grid network data safety test macro and method | |
CN107659582A (en) | A kind of depth defense system for successfully managing APT attacks | |
CN117118703A (en) | Mobile office security architecture based on Internet | |
CN107104953A (en) | A kind of pair of net security system and the method for lifting Information Security | |
CN205510110U (en) | A network leak scanning system for distributed network platform | |
CN207518625U (en) | A kind of depth defense system for successfully managing APT attacks | |
CN116155559A (en) | Privacy calculation-oriented expandable data fine-granularity access control system | |
CN103841050B (en) | A kind of LAN admittance control method of nuclear power plant analog machine and system | |
CN111541694B (en) | Method for solving network security by adopting fusion technology | |
CN111756747B (en) | Firewall network security control method and system thereof | |
CN111343193B (en) | Cloud network port security protection method and device, electronic equipment and storage medium | |
Yuan et al. | Design and implementation of enterprise network security system based on firewall | |
CN114553828B (en) | DNS operation and maintenance management method, device, equipment and medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | Effective date of registration: 2022-03-04. Patentee after: Chongqing Military Technology Co., Ltd., 8th floor, Science and Technology Incubation Building, core area, Hechuan Industrial Park, Chongqing 401520. Patentees before: University of Electronic Science and Technology of China, No. 2006 West Avenue, Chengdu Hi-tech Zone (West District), Sichuan 611731; Chongqing College of Electronic Engineering |