TW201721498A - Wired area network user management system and method with security and function scalability wherein a network controller is used to control a programmable network switch, and divert a non-authenticated terminal device to an authentication server - Google Patents

Wired area network user management system and method with security and function scalability wherein a network controller is used to control a programmable network switch, and divert a non-authenticated terminal device to an authentication server Download PDF

Info

Publication number
TW201721498A
TW201721498A TW104140069A TW104140069A TW201721498A TW 201721498 A TW201721498 A TW 201721498A TW 104140069 A TW104140069 A TW 104140069A TW 104140069 A TW104140069 A TW 104140069A TW 201721498 A TW201721498 A TW 201721498A
Authority
TW
Taiwan
Prior art keywords
network
terminal device
packet
authentication server
programmable
Prior art date
Application number
TW104140069A
Other languages
Chinese (zh)
Other versions
TWI560574B (en
Inventor
Yao-Ting Chen
xiang-ming Chen
yu-huang Zhu
Original Assignee
Chunghwa Telecom Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chunghwa Telecom Co Ltd filed Critical Chunghwa Telecom Co Ltd
Priority to TW104140069A priority Critical patent/TW201721498A/en
Priority to CN201610948645.7A priority patent/CN107040401A/en
Priority to JP2016231466A priority patent/JP2017103769A/en
Application granted granted Critical
Publication of TWI560574B publication Critical patent/TWI560574B/zh
Publication of TW201721498A publication Critical patent/TW201721498A/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06Management of faults, events, alarms or notifications
    • H04L41/0654Management of faults, events, alarms or notifications using network fault recovery
    • H04L41/0663Performing the actions predefined by failover planning, e.g. switching to standby network elements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/04Network management architectures or arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/26Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using dedicated tools for LAN [Local Area Network] management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/12Avoiding congestion; Recovering from congestion
    • H04L47/125Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/10Mapping addresses of different types
    • H04L61/103Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4505Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords

Abstract

The present invention provides a wired area network user management system and method with security and function scalability, wherein a network controller is used to control a programmable network switch to divert a non-authenticated terminal device to an authentication server. A webpage is sued to perform authentication, a network load balancer is in charge of the load balancing, the authentication server accesses the back-end database or server for account and password verification, and finally, the authentication server informs the network controller to download the dynamic network open rules to the programmable network switch, so that a terminal device can use the network normally. In addition, the invention can also be used with various network software or hardware to expand other network applications and functions to enable immediate blocking, adjusting or isolating of transmission behaviors with abnormality or adverse effects, thus further enhancing the network security.

Description

具安全與功能擴充性的有線區域網路使用者管理系統及方法 Wired area network user management system and method with security and function expansion

本發明係關於一種具安全與功能擴充性的有線區域網路使用者管理系統及方法,特別係指一種結合網路控制器、可程式化網路交換器、伺服器、網路負載平衡器與資料庫,達到動態認證與管理網路使用者,且可彈性擴充各種網路功能的系統與方法。 The invention relates to a wired area network user management system and method with security and function expansion, in particular to a network controller, a programmable network switch, a server, a network load balancer and The database is a system and method that dynamically authenticates and manages network users and flexibly expands various network functions.

網路安全一直是個備受關注的議題,早期基本的網路防護主要透過防火牆來阻擋非法的連線和外部攻擊,但隨著各種木馬和惡意程式、病毒與駭客手法等等的日新月異,顯然已無法只靠防火牆來維護網路安全。目前大部分的有線區域網路皆採用乙太網路技術,而隨插即用是有線乙太區域網路的一個特色,使用便利性高,不過相對的也帶來了安全隱憂,若任何使用者只要將其終端設備接上網路就可以使用網路,將無法避免惡意使用者所帶來的網路安全威脅,因此網路使用者管控變成一個提升網路安全的重點。為了提升傳統乙太區域網路無法管控網路使用者的缺點,現有兩個主要的技術與方法可以讓乙太區域網路具有管控網路使用者的能力,分別是802.1X與DHCP(Dynamic Host Configuration Protocol)。 Network security has always been a topic of concern. Early basic network protection mainly blocked illegal connections and external attacks through firewalls, but with the rapid changes of various Trojans and malicious programs, viruses and hackers, it is obvious that It is no longer possible to rely solely on a firewall to maintain network security. At present, most of the wired area networks use Ethernet technology, and plug and play is a feature of the wired Ethernet network. It is easy to use, but it also brings security concerns. If any use As long as the terminal device is connected to the network, the network can be used, and the network security threat brought by malicious users cannot be avoided. Therefore, network user management becomes a focus of improving network security. In order to improve the shortcomings of the traditional Ethernet network, it is possible to control the network users. There are two main technologies and methods to enable the Ethernet network to control the network users, namely 802.1X and DHCP (Dynamic Host). Configuration Protocol).

802.1X這個連接埠型的網路存取控制可提供OSI第二層的網路存取控制,管控接到區域網路連接埠的設備。就網路設備來看,採用這個方法必須使用支援802.1X的乙太網路交換機,交換機必須支援RADIUS(Remote Authentication Dial In User Service)通訊協定,若原有的乙太網路交換機不支援,則必須進行軟體升級或更新,若已無法升級或更新則必須更換設備。就使用者設備來看,使用者電腦也必須配合安裝802.1X相關軟體與設定,否則整個機制無法正常運作,在實際管理與佈署上相當不便利。就所提供的網路存取控制方式來看,由於僅能提供連接埠(OSI第二層)的存取控制,造成使用與控制上的限制且無彈性。而DHCP是透過使用者終端設備在上網前必須先到DHCP伺服器取得IP位址後才可以上網,DHCP伺服器可以根據MAC或其他方式來管控是否發配IP。 The 802.1X connection type network access control provides network access control for the second layer of the OSI, and controls the devices connected to the regional network. As far as the network device is concerned, the 802.1X-enabled Ethernet switch must be used in this method. The switch must support the RADIUS (Remote Authentication Dial In User Service) protocol. If the original Ethernet switch does not support it, it must be Software upgrades or updates, if you have been unable to upgrade or update, you must replace the device. As far as user equipment is concerned, the user's computer must also be equipped with 802.1X related software and settings. Otherwise, the entire mechanism cannot operate normally, which is quite inconvenient in actual management and deployment. As far as the network access control method is provided, since only the access control (OSI layer 2) access control can be provided, the use and control restrictions are imposed and inelastic. DHCP only needs to go to the DHCP server to obtain the IP address before accessing the Internet through the user terminal device. The DHCP server can control whether the IP is sent according to the MAC or other methods.

由此可見,上述習用方式仍有諸多缺失,仍有改善空間,亟待加以改良。 It can be seen that there are still many shortcomings in the above-mentioned methods of use, and there is still room for improvement, which needs to be improved.

發明人鑑於上述習用方式所衍生的各項缺點,乃亟思加以改良創新,並經多年苦心孤詣潛心研究後,終於成功研發完成本發明一種具安全與功能擴充性的有線區域網路使用者管理系統及方法。 In view of the shortcomings derived from the above-mentioned conventional methods, the inventors have improved and innovated, and after years of painstaking research, finally successfully developed a wired area network user management system with security and functional expansion. And methods.

本發明之目的即在於提供一種具安全與功能擴充性的有線區域網路使用者管理系統及方法,提出一種透過網路控制器和可程式化網路交換器,搭配伺服器、網路負載平衡器和資料庫等來做到網路使用者管理的系統與方法。透過本系統與方法,原網路設備與使用者電腦不需安裝 任何軟體或修改任何設定,使用上非常方便,並且未來還可以彈性的擴充其它網路應用與功能,如OSI第一到第四層的防火牆功能,流量監測與管控功能等等。由於可程式化網路交換器的可程式化特性,也可彈性搭配各種軟體或硬體來擴充其它網路應用與功能。 The object of the present invention is to provide a wired area network user management system and method with security and function expansion, and to provide a network controller and a programmable network switch, with server and network load balancing. Systems and methods for network user management, such as devices and databases. Through the system and method, the original network device and the user's computer do not need to be installed. Any software or modify any settings, it is very convenient to use, and in the future can also flexibly expand other network applications and functions, such as OSI first to fourth layer firewall functions, traffic monitoring and management functions. Due to the programmable nature of the programmable network switch, it is also possible to flexibly match various software or hardware to expand other network applications and functions.

可達成上述發明目的之一種具安全與功能擴充性的有線區域網路使用者管理系統及方法,係利用網路控制器來控制可程式化網路交換器,將未通過認證的使用者轉導到認證伺服器,認證伺服器提供網頁的方式來做認證,而網路負載平衡器將封包分散至相同服務功能之不同伺服器,提升服務容量與加快服務速度。認證伺服器會向存放使用者帳號與密碼等資料的資料庫或伺服器進行帳號和密碼的驗證,驗證通過後,認證伺服器會通知網路控制器將動態開通網路的規則下到可程式化網路交換器,使用者可正常使用網路。 A wired area network user management system and method with security and functional scalability that achieves the above objects, using a network controller to control a programmable network switch to transduce unauthenticated users To the authentication server, the authentication server provides a web page for authentication, and the network load balancer distributes the packets to different servers of the same service function, improving service capacity and speeding up service. The authentication server will verify the account and password to the database or server that stores the user account and password. After the verification is passed, the authentication server will notify the network controller to dynamically open the network to the programmable program. The network switch allows users to use the network normally.

另外透過可程式化網路交換器的特性,可以做到基本OSI第一到第四層的防火牆功能,流量監測與管控等功能,未來也可以搭配各種網路軟體或硬體來擴充其它網路應用與功能,例如深度封包檢測與動態防護,訊務分析與監控等等。 In addition, through the features of the programmable network switch, the basic OSI layer 1 to layer 4 firewall functions, traffic monitoring and management functions can be implemented. In the future, various network software or hardware can be used to expand other networks. Applications and features such as deep packet inspection and dynamic protection, traffic analysis and monitoring, and more.

本發明提供一種具安全與功能擴充性的有線區域網路使用者管理系統,係包含一主網路控制器,該主網路控制器係提供一管控介面至一終端設備,透過該管控介面查詢、新增或刪除一網路封包處理規則,一可程式化網路交換器,該可程式化網路交換器係與該主網路控制器係連接,並依據該網路封包處理規則處理封包,一認證伺服器,係提供一認證網頁使該終端設備向一資料庫做帳號與密碼的驗證,以及呼叫該主網路控 制器提供該管控介面,將該終端設備網路開通的該網路封包處理規則下載到該可程式化網路交換器,一網路負載平衡器,係與該認證伺服器,提供平衡網路流量,即將封包分送至該認證伺服器,其中該網路負載平衡器係為軟體式或硬體式,一乙太網路交換器,係連接該終端設備與該可程式化網路交換器,以及一乙太區域網路,透過該乙太區域網路,將該終端設備與該可程式化網路交換器連接。 The invention provides a wired area network user management system with security and function expansion, which comprises a main network controller, wherein the main network controller provides a control interface to a terminal device, and queries through the management interface. Adding or deleting a network packet processing rule, a programmable network switch, the programmable network switch is connected to the primary network controller, and processing the packet according to the network packet processing rule An authentication server provides an authentication webpage for the terminal device to authenticate the account and password to a database, and to call the main network control The controller provides the management interface, and downloads the network packet processing rule of the terminal device network to the programmable network switch, and a network load balancer and the authentication server provide a balanced network. Traffic, that is, the packet is sent to the authentication server, wherein the network load balancer is a software or a hard type, and an Ethernet switch connects the terminal device and the programmable network switch. And an Ethernet network, through which the terminal device is connected to the programmable network switch.

其中更包含一備援網路控制器,係提供該主網路控制器之備援。其中係透過一網路軟體或一硬體,介以搭配該網路控制器與該可程式化網路交換器擴充與提供他它網路應用功能。 It also includes a backup network controller that provides backup for the primary network controller. Among them, through a network software or a hardware, the network controller and the programmable network switch are used to expand and provide other network application functions.

本發明提供一種具安全與功能擴充性的有線區域網路使用者管理方法,其步驟包括:一可程式化網路交換器透過網路連接一主網路控制器,該主網路控制器將一預設網路封包處理規則下載到該可程式化網路交換器;一終端設備透過一乙太網路交換器或一乙太區域網路或直接連接該可程式化網路交換器,並傳送封包至該可程式化網路交換器,該可程式化網路交換器依據該網路封包處理規則來處理封包,若該終端設備已通過認證或被設定為不管控之該終端設備,該可程式化網路交換器中會有允許該終端設備使用網路的該網路封包處理規則,終端設備可正常的上網;若該可程式化網路交換器中未有允許該終端設備使用網路的該網路封包處理規則,會將該終端設備所發出的一HTTP Request封包轉送到該主網路控制器;該主網路控制器會將轉導該HTTP Request封包到一認證伺服器並下載該網路封包處理規則到該可程式化網路交換器; 該終端設備的再次發出該HTTP Request封包至該可程式化網路交換器,該可程式化網路交換器收到該終端設備瀏覽器根據Table中針對該網路封包處理規則進行封包傳送處理,然後將封包送往一閘道器以路由傳送;該認證伺服器之轉導服務在收到該終端設備發出的該HTTP Request封包後,回傳HTTP 302訊息,要求該終端設備轉導到該認證伺服器中的一認證網頁;該可程式化網路交換器在收到該認證伺服器的轉導服務所回傳的一HTTP Reply封包後,根據該網路封包處理規則中針對該認證伺服器轉導服務回覆該終端設備的該HTTP Reply封包的該網路封包處理規則進行傳送處理,並將封包送往該終端設備;該終端設備依據該HTTP Reply 302封包之轉導訊息,對該認證伺服器中的該認證網頁發出該HTTP Request封包,其中往返該認證伺服器中該認證網頁的HTTP Request封包可正常通過該可程式化網路交換器,該認證伺服器中的該認證網頁收到該HTTP Request封包後,回傳認該證網頁之HTTP Reply封包給該終端設備,使用者在該認證網頁中輸入帳號與密碼,該認證伺服器將帳號與密碼送到一資料庫進行驗證,並取回驗證結果;以及該認證伺服器在確認使用者通過認證後,該認證伺服器通知該主網路控制器,該主網路控制器將允許該終端設備上網的該網路封包處理規則下載到該可程式化網路交換器,同時也將一網路開通時間參數下載到該可程式化網路交換器,以管控使用者之該終端設備在開通網路後預設的使用網路的時間。 The invention provides a wired area network user management method with security and function expansion, the steps comprising: a programmable network switch connecting a master network controller through a network, the master network controller a preset network packet processing rule is downloaded to the programmable network switch; an end device is directly connected to the programmable network switch through an Ethernet switch or an Ethernet network network, and Transmitting a packet to the programmable network switch, the programmable network switch processing the packet according to the network packet processing rule, and if the terminal device has been authenticated or configured to control the terminal device, The programmable network switch has the network packet processing rule that allows the terminal device to use the network, and the terminal device can normally access the Internet; if the programmable network switch does not allow the terminal device to use the network The network packet processing rule of the path forwards an HTTP Request packet sent by the terminal device to the primary network controller; the primary network controller encapsulates the HTTP Request packet to the The network authentication server and downloaded to the packet processing rules programmable network switch; The terminal device re-issues the HTTP Request packet to the programmable network switch, and the programmable network switch receives the packet transmission processing of the terminal device browser according to the packet processing rule according to the table. Then, the packet is sent to a gateway for routing. After receiving the HTTP Request packet sent by the terminal device, the authentication service of the authentication server returns an HTTP 302 message requesting the terminal device to forward the authentication. An authentication webpage in the server; after receiving an HTTP Reply packet sent back by the transduction service of the authentication server, the programmable network switch is configured according to the network packet processing rule for the authentication server Transmitting service replies to the network packet processing rule of the HTTP Reply packet of the terminal device for transmitting processing, and sends the packet to the terminal device; the terminal device performs the authentication server according to the transduction message of the HTTP Reply 302 packet The authentication webpage in the device sends the HTTP Request packet, wherein the HTTP Request packet of the authentication webpage in the authentication server can pass the process normally. The network switch, after receiving the HTTP Request packet, the authentication webpage in the authentication server returns the HTTP Reply packet of the certificate webpage to the terminal device, and the user inputs an account and a password in the authentication webpage. The authentication server sends the account number and password to a database for verification, and retrieves the verification result; and after the authentication server confirms that the user passes the authentication, the authentication server notifies the primary network controller, the primary network The path controller downloads the network packet processing rule that the terminal device accesses the Internet to the programmable network switch, and also downloads a network opening time parameter to the programmable network switch to control the use. The time when the terminal device uses the network after the network is turned on.

其中該預設網路封包處理規則包含ARP封包處理、允許 DNS封包通過、將該HTTP Request封包轉送到該主網路控制器、允許往返該認證伺服器中該認證網頁的封包、已知不管控該終端設備所送出的封包。 The preset network packet processing rule includes ARP packet processing and permission. The DNS packet passes, forwards the HTTP Request packet to the primary network controller, allows a round-trip to the authentication web page of the authentication server, and knows to control the packet sent by the terminal device.

其中該終端設備所發出該HTTP Request封包到該認證伺服器的封包處理規則,包含:a. 轉導使用者該終端設備送出的該HTTP Request封包到該認證伺服器的封包處理規則,係將原封包的目的IP位址與TCP通訊埠號修改為一網路負載平衡器代表該認證伺服器對外所提供的單一IP位址與轉導服務的TCP通訊埠號,再將封包送往該閘道器以路由傳送;以及b. 該認證伺服器的轉導服務回覆給該終端設備的該HTTP Reply封包處理規則,係將原封包的來源IP位址與TCP通訊埠號修改為一開始封包目的地的IP位址與TCP通訊埠號,然後送往該終端設備。 The packet processing rule of the HTTP request packet sent by the terminal device to the authentication server includes: a. translating the packet processing rule of the HTTP request packet sent by the terminal device to the authentication server, and the packet processing rule is The destination IP address and TCP communication nickname of the packet are modified into a network traffic balancer to represent the TCP communication nickname of the single IP address and transduction service provided by the authentication server, and then the packet is sent to the gateway. And the b. The HTTP server packet processing protocol for the terminal device is modified by the forwarding service of the authentication server to the terminal device, and the source IP address and the TCP communication nickname of the original packet are modified to be the starting packet destination. The IP address is communicated with the TCP communication nickname and then sent to the terminal device.

其允許該終端設備上網的封包處理規則,係依據實際使用需求,透過MAC位址、IP位址、所連接到任一可程式化網路交換器的實體埠之組合,構成允許該終端設備上網的該網路封包處理規則,並且可設該終端設備在開通網路後的使用網路的時間。 The packet processing rule that allows the terminal device to access the Internet is configured to allow the terminal device to access the Internet through a combination of a MAC address, an IP address, and an entity connected to any programmable network switch according to actual usage requirements. The network packet processing rule, and the time when the terminal device uses the network after the network is turned on.

100‧‧‧主網路控制器 100‧‧‧Main network controller

101‧‧‧備援網路控制器 101‧‧‧Backup network controller

102‧‧‧可程式化網路交換器 102‧‧‧Programmable Network Switch

103‧‧‧網路負載平衡器 103‧‧‧Network Load Balancer

104‧‧‧認證伺服器 104‧‧‧Authentication server

105‧‧‧資料庫 105‧‧‧Database

106‧‧‧其它網路軟體或硬體 106‧‧‧Other network software or hardware

107‧‧‧乙太網路交換器 107‧‧‧Ethernet Switch

108‧‧‧乙太區域網路 108‧‧‧Ethto Area Network

109‧‧‧終端設備 109‧‧‧ Terminal equipment

S200~S206‧‧‧步驟流程 S200~S206‧‧‧Step process

圖1 係為本發明之具安全與功能擴充性的有線區域網路使用者管理系統之架構示意圖。 FIG. 1 is a schematic structural diagram of a wired area network user management system with security and function expansion according to the present invention.

圖2 係為本發明之具安全與功能擴充性的有線區域網路使用者管理方法之流程圖。 2 is a flow chart of a method for managing a wired area network user with security and function scalability.

以下將參照相關圖式,說明依本發明之具安全與功能擴充性的有線區域網路使用者管理方法之實施例,為使便於理解,下述實施例中之相同元件係以相同之符號標示來說明。 The embodiments of the wired area network user management method with security and function expandability according to the present invention will be described below with reference to the related drawings. For ease of understanding, the same components in the following embodiments are denoted by the same symbols. To illustrate.

請參閱圖1所示,如圖所示,為本發明之具安全與功能擴充性的有線區域網路使用者管理系統之架構示意圖,係包括:主網路控制器100,係用以管控可程式化網路交換器102,查詢可程式化網路交換器102中的相關資料,新增與刪除可程式化網路交換器102中的封包處理則等,並對外提供介面來接收封包處理規則。備援網路控制器101,與主網路控制器100互為備援,功能與主網路控制器100相同。可程式化網路交換器102,係用以接受主網路控制器100或備援網路控制器101的管控、新增與刪除Table中的網路封包處理規則,與提供主網路控制器100或備援網路控制器101所需要的資料。可程式化網路交換器102在收到封包後,會依照Table內所對應的網路封包處理規則來處理封包。當終端設備109透過直接或間接方式連接到可程式化網路交換器102後,即納入本系統的管控。網路負載平衡器103,係用以對外提供認證伺服器104的單一位址,然後將網路封包依照設定分散到後端提供相同服務的不同認證伺服器104上。認證伺服器104,係用以提供將使用者終端設備109的瀏覽器所發出的HTTP Request動態轉導到認證網頁、將使用者在認證網頁所輸入的帳號與密碼拿到資料庫105進行驗證,以及在使用者通過認證後通知主網路控制器100或備援網路控制器101將網路開通的網路封包處理規則下到可程式 化網路交換器102。採用多台提供相同服務的不同認證伺服器104,可搭配網路負載平衡器103來隨服務量的增減來選擇要用到多少台認證伺服器104。資料庫105,係用以儲存使用者帳號與密碼等相關資料來提供認證伺服器104驗證使用者在認證網頁所輸入的帳號與密碼,或採用遠端用戶撥入驗證服務(RADIUS,Remote Authentication Dial In User Service)來驗證使用者輸入的帳號與密碼。也提供網路的使用記錄,如使用者終端設備的網路位址(IP Address,Internet Protocol Address)、實體位址(MAC Address,Media Access Control Address)、網路開通時間,使用者上網行為記錄等等,網路的使用有記錄,而這些資料可提供後續追蹤、分析等使用,方便管理與提升安全性。其它網路軟體或硬體106,透過可程式化網路交換器102可程式化的特點,未來可以方便與彈性的搭配其它網路軟體或硬體來擴充網路應用與功能。如防火牆(Firewall)、入侵偵測系統(IDS,Intrusion Detection System)、入侵防禦系統(IPS,Intrusion Prevention System)、訊務監測與分析、防毒與掃毒等等。乙太網路交換器107,係用以匯集與接取終端設備109。終端設備109可以透過直接或間接方式連接到可程式化網路交換器102。乙太區域網路108,係用以匯集與接取終端設備109,該乙太區域網路108最後會接到可程式化網路交換器102。終端設備109,係用以讓使用者上網用。終端設備109可透過直接接到可程式化網路交換器102的方式來連接到可程式化網路交換器102;間接透過乙太網路交換器107或乙太區域網路108的方式連接到可程式化網路交換器102。 Please refer to FIG. 1 , which is a schematic structural diagram of a wired area network user management system with security and function expansion according to the present invention, which includes: a primary network controller 100, which is used for management and control. The stylized network switch 102 queries the related data in the programmable network switch 102, adds and deletes the packet processing in the programmable network switch 102, and provides an external interface to receive the packet processing rules. . The backup network controller 101 is redundant with the primary network controller 100 and functions the same as the primary network controller 100. The programmable network switch 102 is configured to accept the control of the primary network controller 100 or the backup network controller 101, add and delete network packet processing rules in the Table, and provide a primary network controller. 100 or backup data required by the network controller 101. After receiving the packet, the programmable network switch 102 processes the packet according to the network packet processing rule corresponding to the table. When the terminal device 109 is directly or indirectly connected to the programmable network switch 102, it is incorporated into the control of the system. The network load balancer 103 is configured to externally provide a single address of the authentication server 104, and then distribute the network packets to different authentication servers 104 that provide the same service to the backend according to the settings. The authentication server 104 is configured to dynamically forward the HTTP Request sent by the browser of the user terminal device 109 to the authentication webpage, and obtain the account and password input by the user on the authentication webpage to the database 105 for verification. And after the user passes the authentication, notify the main network controller 100 or the backup network controller 101 to open the network packet processing rule of the network to the programmable Network switch 102. Using multiple authentication servers 104 that provide the same service, the network load balancer 103 can be used to select how many authentication servers 104 to use as the amount of service increases or decreases. The database 105 is used for storing user account and password and other related materials to provide the authentication server 104 to verify the account and password input by the user on the authentication webpage, or to use the remote user dial-in authentication service (RADIUS, Remote Authentication Dial). In User Service) to verify the account and password entered by the user. It also provides usage records of the network, such as the IP address (Internet Address Address) of the user terminal device, the MAC Address (Media Address Control Address), the network opening time, and the user's online behavior record. Etc., the use of the network has a record, and this information can provide follow-up tracking, analysis, etc., to facilitate management and improve security. Other network software or hardware 106, through the stylized features of the programmable network switch 102, can be easily and flexibly combined with other network software or hardware to expand network applications and functions in the future. Such as firewall, Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Intrusion Prevention System (IPS), traffic monitoring and analysis, anti-virus and anti-virus. The Ethernet switch 107 is used to collect and access the terminal device 109. The terminal device 109 can be connected to the programmable network switch 102 either directly or indirectly. The Ethernet local area network 108 is used to aggregate and access the terminal device 109, and the Ethernet local area network 108 is finally connected to the programmable network switch 102. The terminal device 109 is used for the user to access the Internet. The terminal device 109 can be connected to the programmable network switch 102 by directly connecting to the programmable network switch 102; indirectly connected to the Ethernet switch 107 or the Ethernet local area network 108. The network switch 102 can be programmed.

請參閱圖2所示,如圖所示,為本發明之具安全與功能擴充性的有線區域網路使用者管理方法之流程圖,步驟包括: Please refer to FIG. 2, which is a flowchart of a method for managing a wired area network user with security and function scalability according to the present invention. The steps include:

S200:可程式化網路交換器與主網路控制器或備援網路控制器建立連線; S200: The programmable network switch establishes a connection with the primary network controller or the backup network controller;

S201:主網路控制器或備援網路控制器將一些預設的封包處理規則,如允許ARP封包通過、DNS封包通過、將HTTP Request封包轉送到網路控制器、允許往返認證伺服器中認證網頁的封包、已知不管控使用者終端設備所送出的封包等等的封包處理規則下到剛連線上來的可程式化網路交換器中; S201: The primary network controller or the backup network controller sends some preset packet processing rules, such as allowing ARP packets to pass, DNS packets to pass, forwarding the HTTP Request packet to the network controller, and allowing the round-trip authentication server. The packet of the authentication webpage, the packet processing rule that is known to control the packet sent by the user terminal device, etc., to the programmable network switch just connected to the network;

S202:使用者終端設備可透過多種方式接到可程式化網路交換器。可透過直接的方式連接到可程式化網路交換器,或間接透過乙太網路交換器或乙太區域網路接到可程式化網路交換器。使用者在終端設備開啟瀏覽器欲瀏覽網頁,瀏覽器發出DNS Request,由於步驟S201已先將允許DNS封包通過的封包處理規則下到可程式化網路交換器,因此DNS封包可正常通過可程式化網路交換器。然後DNS Server收到DNS Request後,回覆DNS Reply,使用者終端設備的瀏覽器在收到DNS Reply後,接著發出HTTP Request; S202: The user terminal device can be connected to the programmable network switch in multiple ways. It can be connected directly to a programmable network switch or directly to a programmable network switch via an Ethernet switch or Ethernet network. The user opens the browser on the terminal device to browse the webpage, and the browser sends a DNS Request. Since the packet processing rule that allows the DNS packet to pass is first down to the programmable network switch in step S201, the DNS packet can pass the programmable program normally. Network switch. Then, after receiving the DNS Request, the DNS Server replies to the DNS Reply, and the browser of the user terminal device sends an HTTP Request after receiving the DNS Reply;

S203:當可程式化網路交換器收到步驟S202使用者終端設備所發送出的HTTP Request封包後,可程式化網路交換器會根據Table中的封包處理規則來做處理,若該使用者終端設備已經通過認證或被設定為不管控使用者終端設備,可程式化網路交換器的Table中會有允許該使用者終端設備使用網路的封包處理規則,因此使用者終端設備可正常的上網。反之,若可程式化網路交換器的Table中找不到允許該使用者終端設備使用網路的封包處理規則,會將該使用者終端設備所發出的HTTP Request封包轉送到主網路控制器或備援網路控制器做進一步處理。主網路控制器或備援網路控制器 會將轉導HTTP封包到認證伺服器的封包處理規則下到可程式化網路交換器,其中主要包括兩筆封包處理規則,分別是(1)轉導該使用者終端設備送出的HTTP Request封包到認證伺服器的封包處理規則,以及(2)認證伺服器的轉導服務回覆給該終端設備的HTTP Reply的封包處理規則; S203: After the programmable network switch receives the HTTP Request packet sent by the user terminal device in step S202, the programmable network switch performs processing according to the packet processing rule in the table, if the user The terminal device has been authenticated or set to control the user terminal device, and the table of the programmable network switch has a packet processing rule that allows the user terminal device to use the network, so the user terminal device can be normal. Go online. Conversely, if the packet processing rule that allows the user terminal device to use the network is not found in the table of the programmable network switch, the HTTP Request packet sent by the user terminal device is forwarded to the primary network controller. Or backup network controller for further processing. Primary network controller or backup network controller The packet processing rule for translating the HTTP packet to the authentication server is down to the programmable network switch, which mainly includes two packet processing rules, which are (1) translating the HTTP Request packet sent by the user terminal device. a packet processing rule to the authentication server, and (2) a packet processing rule of the HTTP reply of the authentication server to the terminal device;

S204:終端設備的瀏覽器再次發出HTTP Request,可程式化網路交換器在收到該終端設備瀏覽器送出的HTTP Request封包後,根據Table中針對該終端設備瀏覽器的HTTP Request封包處理規則進行封包傳送處理,將原封包的目的IP位址與TCP通訊埠號修改為網路負載平衡器代表認證伺服器對外所提供的單一IP位址與轉導服務的TCP通訊埠號,然後將封包送往閘道器來路由傳送。認證伺服器的轉導服務在收到終端設備瀏覽器發出的HTTP Request封包後,回傳HTTP 302訊息,要求終端設備的瀏覽器轉導到認證伺服器中的認證網頁。可程式化網路交換器在收到認證伺服器的轉導服務所回傳的HTTP Reply封包後,根據Table中針對認證伺服器轉導服務回覆該終端設備的HTTP Reply封包處理規則進行傳送處理,將原封包的來源IP位址與TCP通訊埠號修改為一開始封包目的地的IP位址與TCP通訊埠號,然後送往終端設備。終端設備瀏覽器按照所收到HTTP Reply 302轉導訊息,對認證伺服器中的認證網頁發出HTTP Request,往返認證伺服器中認證網頁的HTTP封包可正常通過可程式化網路交換器,認證伺服器中的認證網頁收到HTTP Request後,回傳認證網頁HTTP Reply給終端設備瀏覽器,使用者在認證網頁中輸入帳號與密碼,認證伺服器將帳號與密碼送到資料庫進行驗證,並取回驗證結果。 S204: The browser of the terminal device sends an HTTP Request again, and the programmable network switch receives the HTTP Request packet sent by the browser of the terminal device, and then performs the HTTP Request packet processing rule for the terminal device browser according to the table. Packet transmission processing, modifying the destination IP address and TCP communication nickname of the original packet to the TCP communication nickname of the single IP address and transduction service provided by the network load balancer on behalf of the authentication server, and then sending the packet Go to the gateway to route the transmission. After receiving the HTTP Request packet sent by the terminal device browser, the authentication server of the authentication server returns an HTTP 302 message, requesting the browser of the terminal device to forward to the authentication page in the authentication server. After receiving the HTTP Reply packet sent back by the authentication service of the authentication server, the programmable network switch transmits and processes the HTTP Reply packet processing rule for replying to the terminal device according to the authentication server transduction service in the table. The source IP address and TCP communication nickname of the original packet are modified to the IP address and TCP communication nickname of the beginning packet destination, and then sent to the terminal device. The terminal device browser sends an HTTP request to the authentication webpage in the authentication server according to the received HTTP Reply 302 transduction message, and the HTTP packet of the authentication webpage in the round-trip authentication server can normally pass the programmable network switch, and the authentication server is authenticated. After receiving the HTTP Request, the authentication page returns the HTTP Reply to the terminal device browser. The user enters the account and password in the authentication page. The authentication server sends the account and password to the database for verification, and takes the authentication. Back to the verification results.

S205:認證伺服器在確認使用者通過認證後,認證伺服器通知主網路控制 器或備援網路控制器,主網路控制器或備援網路控制器將允許終端設備上網的封包處理規則下到可程式化網路交換器,同時也將網路開通時間這個參數下到可程式化網路交換器,來管控使用者終端設備在開通網路後可以使用網路的時間;以及 S205: After the authentication server confirms that the user passes the authentication, the authentication server notifies the main network control Or backup network controller, the primary network controller or the backup network controller will allow the terminal device to access the packet processing rules to the programmable network switch, and also set the network open time under this parameter. To a programmable network switch to control the time that the user terminal device can use the network after the network is turned on;

S206:使用者終端設備可以正常上網與使用網路。 S206: The user terminal device can normally access the Internet and use the network.

可見本發明在突破先前之技術下,確實已達到所欲增進之功效,且也非熟悉該項技藝者所易於思及,其所具之進步性、實用性,顯已符合專利之申請要件,爰依法提出專利申請,懇請 貴局核准本件發明專利申請案,以勵創作,至感德便。 It can be seen that the present invention has achieved the desired effect under the prior art, and is not familiar with the skill of the artist, and its progressiveness and practicability have been met with the patent application requirements.提出 Submit a patent application in accordance with the law, and ask your bureau to approve the application for this invention patent, in order to encourage creation, to the sense of virtue.

以上所述僅為舉例性,而非為限制性者。其它任何未脫離本發明之精神與範疇,而對其進行之等效修改或變更,均應該包含於後附之申請專利範圍中。 The above is intended to be illustrative only and not limiting. Any other equivalent modifications or alterations of the present invention are intended to be included in the scope of the appended claims.

100‧‧‧主網路控制器 100‧‧‧Main network controller

101‧‧‧備援網路控制器 101‧‧‧Backup network controller

102‧‧‧可程式化網路交換器 102‧‧‧Programmable Network Switch

103‧‧‧網路負載平衡器 103‧‧‧Network Load Balancer

104‧‧‧認證伺服器 104‧‧‧Authentication server

105‧‧‧資料庫 105‧‧‧Database

106‧‧‧其它網路軟體或硬體 106‧‧‧Other network software or hardware

107‧‧‧乙太網路交換器 107‧‧‧Ethernet Switch

108‧‧‧乙太區域網路 108‧‧‧Ethto Area Network

109‧‧‧終端設備 109‧‧‧ Terminal equipment

Claims (7)

一種具安全與功能擴充性的有線區域網路使用者管理系統,係包含:一主網路控制器,該主網路控制器係提供一管控介面至一終端設備,透過該管控介面查詢、新增或刪除一網路封包處理規則;一可程式化網路交換器,該可程式化網路交換器係與該主網路控制器係連接,並依據該網路封包處理規則處理封包;一認證伺服器,係提供一認證網頁使該終端設備向一資料庫做帳號與密碼的驗證,以及呼叫該主網路控制器提供該管控介面,將該終端設備網路開通的該網路封包處理規則下載到該可程式化網路交換器;一網路負載平衡器,係與該認證伺服器,提供平衡網路流量,即將封包分送至該認證伺服器,其中該網路負載平衡器係為軟體式或硬體式;一乙太網路交換器,係連接該終端設備與該可程式化網路交換器;以及一乙太區域網路,透過該乙太區域網路,將該終端設備與該可程式化網路交換器連接。 A wired area network user management system with security and function expansion includes: a primary network controller, the primary network controller provides a control interface to a terminal device, through which the management interface queries and new Adding or deleting a network packet processing rule; a programmable network switch, the programmable network switch is connected to the primary network controller, and processing the packet according to the network packet processing rule; The authentication server provides an authentication webpage for the terminal device to authenticate the account and password to a database, and calls the main network controller to provide the management interface, and processes the network packet of the terminal device network. The rules are downloaded to the programmable network switch; a network load balancer is provided with the authentication server to provide balanced network traffic, that is, the packet is distributed to the authentication server, wherein the network load balancer is Soft or hard; an Ethernet switch that connects the terminal device to the programmable network switch; and an Ethernet network through the Ethernet network , The programmable terminal device and the network switch are connected. 如申請專利範圍第1所述之具安全與功能擴充性的有線區域網路使用者管理系統,其中更包含一備援網路控制器,係提供該主網路控制器之備援。 The wired area network user management system with security and function expansion as described in claim 1 further includes a backup network controller, which provides backup of the primary network controller. 如申請專利範圍第1所述之具安全與功能擴充性的有線區域網路使用者管理系統,其中係透過一網路軟體或一硬體,介以搭配該網路控制器與該可程式化網路交換器擴充與提供他它網路應用功能。 A wired area network user management system with security and function expansion as described in claim 1, wherein the network controller is coupled to the network controller through a network software or a hardware. The network switch expands and provides other network application functions. 一種具安全與功能擴充性的有線區域網路使用者管理方法,其步驟包括:一可程式化網路交換器透過網路連接一主網路控制器,該主網路控制 器將一預設網路封包處理規則下載到該可程式化網路交換器;一終端設備透過一乙太網路交換器或一乙太區域網路或直接連接該可程式化網路交換器,並傳送封包至該可程式化網路交換器,該可程式化網路交換器依據該網路封包處理規則來處理封包,若該終端設備已通過認證或被設定為不管控之該終端設備,該可程式化網路交換器中會有允許該終端設備使用該網路封包處理規則,終端設備可正常的上網;若該可程式化網路交換器中未有允許該終端設備使用該網路封包處理規則,會將該終端設備所發出的一HTTP Request封包轉送到該主網路控制器;該主網路控制器會將轉導該HTTP Request封包到一認證伺服器並下載該網路封包處理規則到該可程式化網路交換器;該終端設備的再次發出該HTTP Request封包至該可程式化網路交換器,該可程式化網路交換器收到該終端設備瀏覽器根據Table中針對該網路封包處理規則進行封包傳送處理,然後將封包送往一閘道器以路由傳送;該認證伺服器之轉導服務在收到該終端設備發出的該HTTP Request封包後,回傳HTTP 302訊息,要求該終端設備轉導到該認證伺服器中的一認證網頁;該可程式化網路交換器在收到該認證伺服器的轉導服務所回傳的一HTTP Reply封包後,根據該網路封包處理規則中針對該認證伺服器轉導服務回覆該終端設備的該HTTP Reply封包的該網路封包處理規則進行傳送處理,並將封包送往該終端設備;該終端設備依據該HTTP Reply 302封包之轉導訊息,對該認證伺服器中的該認證網頁發出該HTTP Request封包,其中往返該認證伺服器中 該認證網頁的HTTP Request封包可正常通過該可程式化網路交換器,該認證伺服器中的該認證網頁收到該HTTP Request封包後,回傳認該證網頁之HTTP Reply封包給該終端設備,使用者在該認證網頁中輸入帳號與密碼,該認證伺服器將帳號與密碼送到一資料庫進行驗證,並取回驗證結果;以及該認證伺服器在確認使用者通過認證後,該認證伺服器通知該主網路控制器,該主網路控制器將允許該終端設備上網的該網路封包處理規則下載到該可程式化網路交換器,同時也將一網路開通時間參數下載到該可程式化網路交換器,以管控使用者之該終端設備在開通網路後預設的使用網路的時間。 A method for managing a wired area network user with security and function scalability includes the steps of: a programmable network switch connecting to a main network controller through a network, the main network control Downloading a predetermined network packet processing rule to the programmable network switch; an terminal device is connected to the programmable network switch through an Ethernet switch or an Ethernet network Transmitting a packet to the programmable network switch, the programmable network switch processing the packet according to the network packet processing rule, if the terminal device has been authenticated or is set to be controlled regardless of the terminal device The programmable network switch may allow the terminal device to use the network packet processing rule, and the terminal device can normally access the Internet; if the programmable network switch does not allow the terminal device to use the network The path packet processing rule forwards an HTTP Request packet sent by the terminal device to the primary network controller; the primary network controller encapsulates the HTTP Request packet to an authentication server and downloads the network. Packet processing rules to the programmable network switch; the terminal device resends the HTTP Request packet to the programmable network switch, and the programmable network switch receives the final The device browser performs packet transmission processing according to the packet processing rule in the Table, and then sends the packet to a gateway for routing transmission; the transduction service of the authentication server receives the HTTP Request sent by the terminal device. After the packet is sent back, the HTTP 302 message is sent back, and the terminal device is required to be redirected to an authentication webpage in the authentication server; the programmable network switch returns a message transmitted by the authentication server of the authentication server. After the HTTP reply packet, the network packet processing rule for replying the HTTP reply packet of the terminal device to the authentication server transduction service is processed according to the network packet processing rule, and the packet is sent to the terminal device; The terminal device sends the HTTP Request packet to the authentication webpage in the authentication server according to the forwarding message of the HTTP Reply 302 packet, where the authentication server is sent back and forth to the authentication server. The HTTP Request packet of the authentication webpage can pass through the programmable network switch. After receiving the HTTP Request packet, the authentication webpage in the authentication server returns the HTTP Reply packet of the certificate webpage to the terminal device. The user enters an account number and a password in the authentication webpage, and the authentication server sends the account number and password to a database for verification, and retrieves the verification result; and the authentication server confirms that the user passes the authentication, the authentication The server notifies the primary network controller that the network packet processing rule that allows the terminal device to access the Internet is downloaded to the programmable network switch, and also downloads a network opening time parameter. Go to the programmable network switch to control the time that the user's terminal device uses the network after the network is turned on. 如申請專利範圍第4所述之具安全與功能擴充性的有線區域網路使用者管理方法,其中該預設網路封包處理規則包含ARP封包處理、允許DNS封包通過、將該HTTP Request封包轉送到該主網路控制器、允許往返該認證伺服器中該認證網頁的封包、已知不管控該終端設備所送出的封包。 The method for managing a wired area network user with security and function expansion as described in claim 4, wherein the preset network packet processing rule includes ARP packet processing, allowing DNS packets to pass, and forwarding the HTTP Request packet. A packet to the primary network controller that allows the authentication web page to be sent back and forth to the authentication server, and is known to control the packet sent by the terminal device. 如申請專利範圍第4所述之具安全與功能擴充性的有線區域網路使用者管理方法,其中該終端設備所發出該HTTP Request封包到該認證伺服器的封包處理規則,包含:c. 轉導使用者該終端設備送出的該HTTP Request封包到該認證伺服器的封包處理規則,係將原封包的目的IP位址與TCP通訊埠號修改為一網路負載平衡器代表該認證伺服器對外所提供的單一IP位址與轉導服務的TCP通訊埠號,再將封包送往該閘道器以路由傳送;以及d. 該認證伺服器的轉導服務回覆給該終端設備的該HTTP Reply封包 處理規則,係將原封包的來源IP位址與TCP通訊埠號修改為一開始封包目的地的IP位址與TCP通訊埠號,然後送往該終端設備。 The method for managing a wired area network user with security and function expansion as described in claim 4, wherein the packet processing rule that the terminal device sends the HTTP Request packet to the authentication server includes: c. The packet processing rule for guiding the HTTP request packet sent by the terminal device to the authentication server is to modify the destination IP address and the TCP communication nickname of the original packet to be a network load balancer on behalf of the authentication server. Providing a single IP address and a TCP communication nickname of the transduction service, and then sending the packet to the gateway for routing transmission; and d. the authentication service of the authentication server replies to the HTTP Reply of the terminal device Packet The processing rule is to modify the source IP address and TCP communication nickname of the original packet to the IP address and TCP communication nickname of the starting packet destination, and then send it to the terminal device. 如申請專利範圍第4所述之具安全與功能擴充性的有線區域網路使用者管理方法,其允許該終端設備上網的封包處理規則,係依據實際使用需求,透過MAC位址、IP位址、所連接到任一可程式化網路交換器的實體埠之組合,構成允許該終端設備上網的該網路封包處理規則,並且可設該終端設備在開通網路後預設的使用網路的時間。 The method for managing a wired area network user with security and function expansion as described in claim 4, wherein the packet processing rule for allowing the terminal device to access the Internet is based on the MAC address and IP address according to actual usage requirements. The combination of the entities connected to any of the programmable network switches constitutes the network packet processing rule that allows the terminal device to access the Internet, and can set the terminal to use the network after the network is turned on. time.
TW104140069A 2015-12-01 2015-12-01 Wired area network user management system and method with security and function scalability wherein a network controller is used to control a programmable network switch, and divert a non-authenticated terminal device to an authentication server TW201721498A (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
TW104140069A TW201721498A (en) 2015-12-01 2015-12-01 Wired area network user management system and method with security and function scalability wherein a network controller is used to control a programmable network switch, and divert a non-authenticated terminal device to an authentication server
CN201610948645.7A CN107040401A (en) 2015-12-01 2016-11-02 Wired local network user management system and method with safety and function expansion
JP2016231466A JP2017103769A (en) 2015-12-01 2016-11-29 Wired local area network user management system and method having safety and functional extendibility

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW104140069A TW201721498A (en) 2015-12-01 2015-12-01 Wired area network user management system and method with security and function scalability wherein a network controller is used to control a programmable network switch, and divert a non-authenticated terminal device to an authentication server

Publications (2)

Publication Number Publication Date
TWI560574B TWI560574B (en) 2016-12-01
TW201721498A true TW201721498A (en) 2017-06-16

Family

ID=58227171

Family Applications (1)

Application Number Title Priority Date Filing Date
TW104140069A TW201721498A (en) 2015-12-01 2015-12-01 Wired area network user management system and method with security and function scalability wherein a network controller is used to control a programmable network switch, and divert a non-authenticated terminal device to an authentication server

Country Status (3)

Country Link
JP (1) JP2017103769A (en)
CN (1) CN107040401A (en)
TW (1) TW201721498A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI703836B (en) * 2019-11-26 2020-09-01 台達電子工業股份有限公司 Method for data hand-shaking based on ethercat protocol

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110855488B (en) * 2019-11-13 2022-04-05 迈普通信技术股份有限公司 Virtual machine access method and device
TWI744047B (en) * 2020-10-23 2021-10-21 飛泓科技股份有限公司 Terminal equipment authentication method using network ARP protocol

Family Cites Families (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7061899B2 (en) * 2001-05-01 2006-06-13 Hewlett-Packard Development Company, L.P. Method and apparatus for providing network security
CN1271816C (en) * 2002-08-09 2006-08-23 联想(北京)有限公司 Network protocol layer user identifying method for packet filter
US7636917B2 (en) * 2003-06-30 2009-12-22 Microsoft Corporation Network load balancing with host status information
US7590736B2 (en) * 2003-06-30 2009-09-15 Microsoft Corporation Flexible network load balancing
US20080189769A1 (en) * 2007-02-01 2008-08-07 Martin Casado Secure network switching infrastructure
US8090797B2 (en) * 2009-05-02 2012-01-03 Citrix Systems, Inc. Methods and systems for launching applications into existing isolation environments
JPWO2011081104A1 (en) * 2010-01-04 2013-05-09 日本電気株式会社 Communication system, authentication device, control server, communication method, and program
CN103329489B (en) * 2011-01-20 2016-04-27 日本电气株式会社 Communication system, control appliance, policy management apparatus, communication means and program
US8769622B2 (en) * 2011-06-30 2014-07-01 International Business Machines Corporation Authentication and authorization methods for cloud computing security
CN102347953B (en) * 2011-10-12 2014-10-29 赵强 Media service method based on 3G (third generation) mobile communication
JP5626919B2 (en) * 2012-02-29 2014-11-19 Necソリューションイノベータ株式会社 Network system, authentication cooperation apparatus, authentication cooperation method, and program
CN102710667B (en) * 2012-06-25 2015-04-01 杭州华三通信技术有限公司 Method for realizing Portal authentication server attack prevention and broadband access server
JP5896862B2 (en) * 2012-08-22 2016-03-30 三菱電機株式会社 Test apparatus, test method and program
CN103812836B (en) * 2012-11-12 2017-09-29 孙银海 A kind of website sends the system and method that user reserves information
CN103457878B (en) * 2013-09-05 2016-03-23 电子科技大学 A kind of access control method based on stream

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI703836B (en) * 2019-11-26 2020-09-01 台達電子工業股份有限公司 Method for data hand-shaking based on ethercat protocol

Also Published As

Publication number Publication date
CN107040401A (en) 2017-08-11
TWI560574B (en) 2016-12-01
JP2017103769A (en) 2017-06-08

Similar Documents

Publication Publication Date Title
US11546175B2 (en) Detecting and isolating an attack directed at an IP address associated with a digital certificate bound with multiple domains
US10608821B2 (en) Providing cross site request forgery protection at an edge server
US9356928B2 (en) Mechanisms to use network session identifiers for software-as-a-service authentication
US11652792B2 (en) Endpoint security domain name server agent
EP2959632B1 (en) Augmenting name/prefix based routing protocols with trust anchor in information-centric networks
CN110311929B (en) Access control method and device, electronic equipment and storage medium
JP2018525935A (en) Secure communication using devices that can connect to the Internet
JP2016530814A (en) Gateway device to block a large number of VPN connections
WO2022247751A1 (en) Method, system and apparatus for remotely accessing application, device, and storage medium
US11706628B2 (en) Network cyber-security platform
CA2912774C (en) Providing single sign-on for wireless devices
TW201721498A (en) Wired area network user management system and method with security and function scalability wherein a network controller is used to control a programmable network switch, and divert a non-authenticated terminal device to an authentication server
KR101628534B1 (en) VIRTUAL 802.1x METHOD AND DEVICE FOR NETWORK ACCESS CONTROL
JP6076276B2 (en) Communication system and communication method
KR102224454B1 (en) Method, apparatus, system and computer program for controlling network traffic
KR102578800B1 (en) System for controlling network access and method of the same
KR102584579B1 (en) Database access control gateway service system based on software as a service and method thereof
JP2018029233A (en) Client terminal authentication system and client terminal authentication method
CN117278562A (en) Load balancing method, device, system, electronic equipment and storage medium
CN117061140A (en) Penetration defense method and related device
CN116684113A (en) Service processing method and related device based on SDP (software defined boundary)
Sokasane et al. Reduce Authentication Delay in Eduroam Using Flat Layer Approach
JP2017059149A (en) Authentication system and authentication method