CN100372331C - Method and system for filtering data - Google Patents
Abstract
The present invention discloses a method for filtering data, which comprises the following steps: a network access device reports the on-line access request of a user terminal to an AAA server for authentication; if the request passes authentication, the AAA server sends the user's service attribute to the network access device; the network access device sends a connection request to a filtering device according to the service attribute sent by the AAA server; the filtering device establishes a connection with the network access device; the filtering device then allows the user terminal to access the network and filters the user's data flow. The present invention also provides a data filtering system, which can be extended flexibly. Compared with the traditional on-line service, the present invention provides finer-grained and more clearly defined filtering of the data flow.
Description
Technical field
The present invention relates to Internet access technology, and in particular to a method and system for filtering data.
Background technology
With the increase in domestic Internet traffic, Internet broadband data services are constantly growing and being upgraded, and the content and services on the Internet are constantly developing as well. As content develops, the content on the Internet has become diversified, and the network is filled with information, data, news, entertainment and so on. Given this variety, Web content and information also need to be classified: some information should not be visited by a certain class of users, or certain information needs to be kept confidential from some people, so the websites or content a user visits while online need to be filtered. Only in this way can a "green Internet" function be provided to users, maximizing the utility of network information while limiting the out-of-bounds network access of certain users.
Prior-art control can be divided into two aspects. The first is to configure a user-accessible Access Control List (ACL) on the network access equipment BAS/NAS (BroadAccess System/Narrow Access System), so that certain users can only visit the websites in the ACL. The second is for the AAA (Authentication, Authorization, Accounting) server to cooperate with the network access equipment in dynamically completing the list of sites the user may access: during user access authentication, the AAA server, according to the user's attributes, dynamically issues the control list the user may access in the Filter-Id attribute of the Radius (Remote Authentication Dial In User Service) message on authentication success, and the network access equipment then controls the websites the user may visit according to the control list issued by the AAA server.
When going online using the prior art, the operator only sets the ACL attribute of this service on the AAA server; once the user subscribes to the service, the user can use the access. With reference to Fig. 1, the access steps are as follows:
1. The user requests Internet access by dialing from the terminal;
2. When BAS/NAS receives the on-line request from the user terminal, BAS/NAS sends the user's request (including username and password) to the AAA server for authentication;
3. The AAA server checks the user information and queries the subscribed service;
4. After the AAA server finds the user to be legitimate, it sends the service information the user subscribed to (including the ACL) down to BAS/NAS;
5. According to the service attribute issued by the AAA server, BAS/NAS opens the port for the user to access the Internet;
6. The user begins to access the Internet and submits a connection request to BAS/NAS;
7. BAS/NAS visits the corresponding Internet site according to the connection request;
8. The Internet site sends the response data flow to BAS/NAS;
9. BAS/NAS forwards the data flow from the network side to the user terminal.
In the above steps, BAS/NAS can only control the ACL list of websites the user visits; it cannot filter the data flow the user accesses.
The shortcomings of the prior art are as follows:
1. In the first aspect above, configuration is done directly on the equipment, which lacks flexibility.
2. In the second aspect above, control is coordinated through the AAA server; although this improves flexibility, the content accessed online cannot be filtered.
Summary of the invention
The invention provides a method and system for filtering data, to solve the problem that the prior art cannot filter the data flow accessed by the user.
To achieve the above object, the present invention can adopt the following technical scheme:
A method of filtering data, characterized in that the method comprises the following steps:
A. The network access equipment reports the network access request of the user terminal to the AAA server for authentication; if authentication passes, the AAA server issues this user's service attribute to the network access equipment and step B continues; otherwise, the user terminal's request is refused;
B. The network access equipment sends a connection request to the filtering device according to the service attribute issued by the AAA server;
C. The filtering device establishes a connection with the network access equipment, and the filtering device allows the user terminal to access the network and filters the user's data flow.
According to the above method:
If the user's service attribute is to filter only the Internet data stream of the user, the filtering device filters, by the configured filtering rules, the data flow the user terminal sends to the network side and the data flow the network side sends to the user terminal.
If the user's service attribute is to filter the Internet data stream of the user terminal and also to control it with an ACL, the network access equipment also sends the network access request to the filtering device; the filtering device requests the ACL from the AAA server according to this on-line request, uses the ACL to control the websites the user terminal accesses, and filters, by the configured filtering rules, the data flow the user terminal sends to the network side and the data flow the network side sends to the user terminal.
If AAA server authentication passes, the AAA server issues the ACL to the filtering device; otherwise it sends an authentication failure, and the filtering device refuses the user's Internet access.
The filtering rules comprise information filtering and website filtering.
The network access equipment and the filtering device are connected through a tunnel established on the Layer 2 Tunneling Protocol.
The present invention also provides a data filtering system comprising network access equipment and an AAA server; the system also includes a filtering device for filtering the user data flow according to the obtained service attribute, wherein:
the network access equipment is connected to the filtering device, and the user terminal is connected to the network access equipment; the whole data flow exchanged between the user terminal and the Internet during the on-line session is transmitted via the network access equipment and the filtering device;
the AAA server is connected to the network access equipment and to the filtering device respectively, and is used to authenticate, authorize and account for the network access requests reported by the network access equipment and the filtering device and to issue the ACL; it holds a service attribute and issues this user terminal's service attribute when the user terminal passes authentication.
The network access equipment and the filtering device are connected through a tunnel established on the Layer 2 Tunneling Protocol.
The filtering device may be arranged inside the network access equipment.
Compared with the prior art, the present invention can add the green Internet service without modifying the original network and equipment; newly deploying the green Internet service does not affect the basic networking services, the service can be flexibly expanded, and it provides finer-grained and more clearly defined data stream filtering than the traditional networking service.
Description of drawings
Fig. 1 is a schematic diagram of prior-art user terminal access;
Fig. 2 is a structural diagram of the data filtering system of the present invention;
Fig. 3 is a flow chart of the first data filtering mode of the present invention;
Fig. 4 is a flow chart of the second data filtering mode of the present invention.
Embodiment
In order to realize the green Internet, that is, to filter and manage the user's data flow during the on-line session, the invention provides a data filtering system. As shown in Fig. 2, it comprises network access equipment, an AAA server and a filtering device for filtering the user data flow, wherein:
the filtering device is connected to the network access equipment, and the user terminal is connected to the network access equipment; the whole data flow exchanged between the user terminal and the Internet during the on-line session is transmitted via the network access equipment and the filtering device. Data that needs filtering is processed by the filtering device, while data that does not need filtering is passed through the filtering device transparently.
the AAA server is connected to the network access equipment and to the filtering device respectively, and is used to authenticate, authorize and account for the network access requests reported by the network access equipment and the filtering device and to issue the ACL.
The present invention adopts a known filtering device, which can filter data flows that are pre-set as permitted or forbidden; the filtering rules can be information filtering and website filtering.
In the networking structure of the data filtering system of the present invention, the user terminal is a computer connected to BAS/NAS; BAS/NAS can establish a tunnel connection based on the Layer 2 Tunneling Protocol (L2TP) with the filtering device Filtrate, and the AAA server communicates with BAS/NAS and Filtrate through Radius messages. When the user is online normally, the path of the user's data flow is: computer - BAS/NAS - Filtrate - Internet.
In the above structure, the filtering device can be nested in the network access equipment or provided independently.
In the present invention, the operator needs to set up two kinds of green Internet service attributes in the AAA server: the first only filters the Internet data stream of the user terminal; the second filters the Internet data stream of the user terminal and at the same time controls it with an ACL.
The first data filtering mode is described below by way of an embodiment; see Fig. 3:
1. The user terminal dials and sends an access request to BAS/NAS;
2. BAS/NAS receives the request from the user terminal and sends this request (including username and password) to the AAA server for authentication in a Radius authentication request message;
3. The AAA server checks the user information and finds that the service attribute is to filter only the Internet data stream of the user terminal;
4. The AAA server generates an authentication success response message including the green Internet service attribute and issues it to BAS/NAS;
5. BAS/NAS sends a connection request to the filtering device Filtrate;
6. The filtering device Filtrate responds to the connection request and establishes an L2TP-based tunnel connection with BAS/NAS, at the same time allowing the user to access the Internet;
7. The user sends a request to visit an Internet website to BAS/NAS;
8. BAS/NAS forwards this request to the filtering device Filtrate through the tunnel connection;
9. The filtering device Filtrate forwards the request to the Internet;
10. The Internet responds to the user's request and sends the user data flow to the filtering device Filtrate;
11. The filtering device Filtrate filters the data flow sent by the Internet according to the predefined filtering rules;
12. The filtering device Filtrate sends the filtered data stream to BAS/NAS through the tunnel connection;
13. BAS/NAS receives the filtered data stream and forwards it to the user terminal.
The second data filtering mode filters the Internet data stream of the user terminal and at the same time controls it with an ACL. This second mode is described below by way of an embodiment; see Fig. 4:
1. The user terminal dials and sends an access request to BAS/NAS;
2. BAS/NAS receives the request from the user terminal and sends this request (including username and password) to the AAA server for authentication in a Radius authentication request message;
3. The AAA server looks up the user information and finds that the service attribute is to filter the Internet data stream of the user terminal and at the same time control it with an ACL;
4. The AAA server generates an authentication success response message including the green Internet service attribute and issues it to BAS/NAS;
5. BAS/NAS sends a connection request to the filtering device Filtrate;
6. The filtering device Filtrate responds to the connection request and establishes an L2TP-based tunnel connection with BAS/NAS;
7. The filtering device Filtrate reports the network access request of the user terminal to the AAA server again through the tunnel connection just established, for re-authentication;
8. The AAA server queries the user's service information;
9. After the AAA server has authenticated the user information, it issues an authentication success response carrying the ACL to the filtering device Filtrate;
10. The filtering device Filtrate sends an authentication success message to the user and allows the user to access the Internet;
11. The user sends a request to visit an Internet website to BAS/NAS;
12. BAS/NAS forwards this request to the filtering device Filtrate through the tunnel connection;
13. The filtering device Filtrate first looks up whether the website the user requests is in the ACL; if it is, Filtrate forwards the request to the Internet; otherwise it refuses this on-line request;
14. The Internet responds to the user's request to visit the website and sends the user data flow to the filtering device Filtrate;
15. The filtering device Filtrate filters the data flow sent by the Internet according to the predefined filtering rules;
16. The filtering device Filtrate sends the filtered data stream to BAS/NAS;
17. BAS/NAS receives the filtered data stream and forwards it to the user terminal.
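The following Python model, added here and not code from the patent, walks through both filtering modes above: the AAA server returns a service attribute (and, for the second mode, the ACL in a modelled Filter-Id), BAS/NAS opens the user's access and connects to the filtering device, and the filtering device applies the ACL check of step 13 and a keyword filtering rule to the returned stream. All user names, passwords, site names, class names and the two mode constants are constructed for illustration; the tunnel is modelled as a per-user session entry.

```python
from dataclasses import dataclass
from typing import List, Optional

MODE_FILTER_ONLY = "filter-only"    # first mode (Fig. 3): filter the data stream only
MODE_FILTER_ACL = "filter-and-acl"  # second mode (Fig. 4): filter the stream and control sites by ACL

# Constructed AAA user records (hypothetical users, passwords and ACL sites).
USERS = {
    "alice": {"password": "pw-a", "service": MODE_FILTER_ONLY, "acl": None},
    "bob": {"password": "pw-b", "service": MODE_FILTER_ACL, "acl": ["edu.example", "news.example"]},
}
# Constructed stand-in for the Internet: site -> lines of its response.
INTERNET = {
    "edu.example": ["welcome to class", "homework is due monday"],
    "news.example": ["weather: sunny", "violence reported downtown", "sports results"],
    "game.example": ["play now"],
}

@dataclass
class AccessAccept:
    """Modelled Radius Access-Accept: the service attribute plus an optional Filter-Id carrying the ACL."""
    service: str
    filter_id: Optional[str] = None

def aaa_authenticate(username: str, password: str) -> Optional[AccessAccept]:
    """AAA server: check the credentials and return the service attribute, or None for Access-Reject."""
    rec = USERS.get(username)
    if rec is None or rec["password"] != password:
        return None
    filter_id = ",".join(rec["acl"]) if rec["acl"] else None
    return AccessAccept(service=rec["service"], filter_id=filter_id)

class FilterDevice:
    """Filtering device (Filtrate): one session per tunnelled user, plus a keyword filtering rule."""
    def __init__(self, forbidden_keywords: List[str]):
        self.forbidden = [k.lower() for k in forbidden_keywords]
        self.sessions = {}  # username -> ACL site list, or None when no ACL applies
    def connect(self, username: str) -> None:
        # First mode: accept the tunnel from BAS/NAS and allow the user online without an ACL.
        self.sessions[username] = None
    def reauthenticate(self, username: str, password: str) -> bool:
        # Second mode: report the access request to AAA again; the ACL is issued to this device.
        accept = aaa_authenticate(username, password)
        if accept is None or accept.filter_id is None:
            return False  # authentication failure: the filtering device refuses Internet access
        self.sessions[username] = accept.filter_id.split(",")
        return True
    def site_allowed(self, username: str, site: str) -> bool:
        # ACL check (step 13 of the second mode); a user without an ACL may visit any site.
        acl = self.sessions.get(username, [])  # unknown user: empty ACL, nothing allowed
        return acl is None or site in acl
    def filter_stream(self, lines: List[str]) -> List[str]:
        # Keyword rule: drop every response line that contains a forbidden keyword.
        return [ln for ln in lines if not any(k in ln.lower() for k in self.forbidden)]

class BAS:
    """Network access equipment (BAS/NAS): authenticates via AAA and hands traffic to the filter."""
    def __init__(self, filter_device: FilterDevice):
        self.filter_device = filter_device
        self.online = {}  # username -> service attribute once the access port is opened
    def user_login(self, username: str, password: str) -> bool:
        accept = aaa_authenticate(username, password)  # step A: report the request to AAA
        if accept is None:
            return False  # refuse the terminal's request
        if accept.service == MODE_FILTER_ACL:  # steps B and C, second mode
            if not self.filter_device.reauthenticate(username, password):
                return False
        else:  # steps B and C, first mode
            self.filter_device.connect(username)
        self.online[username] = accept.service
        return True
    def user_request(self, username: str, site: str) -> Optional[List[str]]:
        # Forward a website request through the filtering device; None means it was refused.
        if username not in self.online or not self.filter_device.site_allowed(username, site):
            return None
        return self.filter_device.filter_stream(INTERNET.get(site, []))
```

A user in the first mode reaches any site but receives only the filtered lines, while a user in the second mode is additionally refused for sites outside the ACL issued by AAA.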
In the above scheme, the filtering device filters the data flow passing through it according to pre-set filtering conditions, and adding an ACL provides control over websites, giving more effective and complete control over Internet content. For example, primary and secondary school students can be prevented from visiting pornographic, violent or gaming websites, which helps parents control their children's unhealthy leisure activities. Pre-setting certain keyword content in the filtering device effectively controls visits to websites that are not in the ACL.
The present invention only requires adding a filtering device to the original network and equipment, or adding a filtering function to the network access equipment.
Of course, the embodiments listed above are only preferred embodiments of the present invention; for a person of ordinary skill in the art, equivalent changes made to the present invention shall be included in the scope claimed by the claims of the present invention.
Claims (9)
1. the method for a filtering data is characterized in that, described method comprises the steps:
A, network access equipment are reported to the aaa server request authentication with the network connection request of user terminal, if by authentication, aaa server is handed down to network access equipment with this user's service attribute, continue step B, otherwise, the request of refusing user's terminal;
B, network access equipment send connection request according to the service attribute that aaa server issues to filter plant;
C, filter plant and network access equipment connect, and filter plant allows accessing user terminal to network and customer traffic is filtered.
2. the method for claim 1, it is characterized in that, if user's service attribute filters for the Internet data stream to the user only, filter plant then mails to the data flow of network side by the filtering rule of setting to user terminal and is filtered by the data flow that network side mails to user terminal.
3. the method for claim 1, it is characterized in that, if user's service attribute filters for the Internet data stream to user terminal and adopts access control list ACL to be controlled, network access equipment also sends to filter plant with described network connection request, filter plant, and utilizes ACL that the website of user terminal access is controlled and user terminal is mail to the data flow of network side and is filtered by the data flow that network side mails to user terminal by the filtering rule of setting from aaa server request ACL according to this online request.
4. method as claimed in claim 3 is characterized in that, if the aaa server authentication is passed through, aaa server then is handed down to filter plant with ACL, otherwise sends authentification failure, by filter plant refusing user's access internet.
5. as claim 2 or 3 described methods, it is characterized in that described filtering rule comprises information filtering, information filtering, website filtration.
6. the method for claim 1 is characterized in that, network access equipment is connected with the tunnel that is connected to based on Level 2 Tunnel Protocol that filter plant is set up.
7. the system of a filtering data comprises network access equipment, aaa server, it is characterized in that, this system also includes the filter plant that is used for according to the service attribute filter user data flow that obtains, wherein:
Network access equipment links to each other with filter plant, and user terminal links to each other with network access equipment, and the whole data flow that goes up in the network process is received and dispatched between user terminal and Internet and transmitted via network access equipment and filter plant;
Aaa server, it links to each other with filter plant with network access equipment respectively, be used for the network connection request that network access equipment and filter plant report is up authenticated, authorizes, keeps accounts and issues ACL, and have a service attribute, to user end certification by the time service attribute of this user terminal issued.
8. system as claimed in claim 7 is characterized in that, network access equipment is connected with the tunnel that is connected to based on Level 2 Tunnel Protocol between the filter plant.
9. system as claimed in claim 7 is characterized in that described filter plant is arranged in the network access equipment.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2005101274974A CN100372331C (en) | 2005-12-12 | 2005-12-12 | Method and system for filtering data |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1859249A CN1859249A (en) | 2006-11-08 |
CN100372331C true CN100372331C (en) | 2008-02-27 |