CN100579049C - Safety managing method and system for broad band access network - Google Patents

Publication number: CN100579049C
Authority: CN (China)
Prior art keywords: access node, broadband network gateway, broadband network, access, protocol
Legal status: Expired - Fee Related
Application number: CN200710099519A
Other languages: Chinese (zh)
Other versions: CN101051979A (en)
Inventor: 曹文利
Current assignee: Global Innovation Polymerization LLC
Original assignee: ZTE Corp
Priority date: 2007-05-23 (application CN200710099519A, filed by ZTE Corp)
Filing date: 2007-05-23
Publication date: 2007-10-10 as CN101051979A (application); 2010-01-06 as CN100579049C (grant)

Abstract

The method comprises: a) the broadband network gateway determines the access nodes it serves; b) the broadband network gateway sends security policy information to those access nodes; c) each access node configures its security policy according to the received security policy information. The invention also provides a security management system for a broadband access network.

Description

Method and system for security management of a broadband access network
Technical field
The invention belongs to the field of network communication technology, and in particular relates to a security management method and system for a broadband access network.
Background
At present the architecture of a broadband access network comprises the following components: a user network centred on the home gateway, the access node (Access Node, AN), the aggregation network and the broadband network gateway (Broadband Network Gateway, BNG). The home gateway is also called customer premises equipment (Customer Premises Equipment, CPE). The access node terminates the various forms of user access; examples are a digital subscriber line access multiplexer (Digital Subscriber Line Access Multiplexer, DSLAM), a cable modem termination system (CMTS) and an optical line terminal (Optical Line Terminal, OLT). The aggregation network performs aggregation and switching. The broadband network gateway is an Internet Protocol (IP) edge router that can apply broadband and quality of service (Quality of Service, QoS) policies, such as a broadband remote access server (Broadband Remote Access Server, BRAS) or a service router.
Broadband access networks are developing rapidly all over the world, and more and more individual and enterprise users reach the Internet through broadband access. At the same time users' requirements on network performance keep rising: they are no longer satisfied with plain high-bandwidth access and increasingly demand a higher quality of service, and within QoS one indicator that cannot be ignored is security assurance.
On today's Internet, however, many attackers use hacking tools to eavesdrop on other people's information, steal services and launch denial of service (Denial of Service, DoS) attacks that paralyse network equipment. Services on the Internet are mostly delivered by intelligent terminals, while the main function of the intermediate equipment under the operator's control is only switching, so the operator has little control over the services; this leaves malicious users room for destructive activity. Providing users with secure access and guaranteeing the normal operation of the network equipment is a problem of common concern to equipment vendors and telecom operators. At present, network security problems are generally solved by each device performing its own security management separately; there is no cooperation across the network and no network-wide solution, the security problem cannot be solved comprehensively, and the security of the broadband access service provided to users is low.
In summary, the security management technology of broadband access networks clearly has inconveniences and defects in practical use, and improvement of the prior art is necessary.
Summary of the invention
In view of the above defects, the object of the present invention is to provide a security management method and system for a broadband access network that realise security management of the broadband access network across the whole network and improve the security of the broadband access service.
To achieve this object, the invention provides a security management method for a broadband access network, comprising:
A. the broadband network gateway determines the access nodes it serves;
B. the broadband network gateway sends security policy information to said access nodes;
C. the access node configures its security policy according to the received security policy information.
According to the method of the invention, in step A the access node served by the broadband network gateway actively reports its information to the broadband network gateway, and the broadband network gateway thereby determines the access nodes it serves.
According to the method of the invention, the access node actively reports its information to the broadband network gateway by means of an access protocol, a management protocol or a dynamic management protocol.
According to the method of the invention, the access protocol includes the PPPoE Intermediate Agent protocol or DHCP;
the management protocol includes the Simple Network Management Protocol;
the dynamic management protocol includes the Layer 2 Control Mechanism protocol, the Access Node Control Protocol or the Common Open Policy Service protocol.
According to the method of the invention, in step A the information of the access nodes it serves is configured on the broadband network gateway, and the broadband network gateway thereby determines the access nodes it serves.
According to the method of the invention, in step A the broadband network gateway actively discovers the access nodes it serves, and thereby determines the access nodes it serves.
According to the method of the invention, in step B the broadband network gateway sends the security policy information to the access node by means of a management protocol or a dynamic management protocol.
According to the method of the invention, the management protocol includes the Simple Network Management Protocol;
the dynamic management protocol includes the Layer 2 Control Mechanism protocol, the Access Node Control Protocol or the Common Open Policy Service protocol.
According to the method of the invention, after step C the method further includes:
D. the access node enforces the configured security policy.
To achieve another object of the invention, the invention provides a security management system for a broadband access network, comprising at least:
a broadband network gateway, used to determine the access nodes it serves and to send security policy information to said access nodes;
an access node, used to configure its security policy according to the received security policy information.
In the present invention the broadband network gateway sends security policy information to the access nodes it serves, and each access node configures and enforces its security policy according to that information. Security management of the broadband access network is thus realised across the whole network, the security problem of the broadband access network is solved comprehensively, and the security of the broadband access service is improved.
Description of drawings
Fig. 1 is a schematic structural diagram of the security management system of a broadband access network provided by the present invention;
Fig. 2 is a flow chart of the security management method of a broadband access network provided by the present invention.
Embodiments
To make the object, technical solution and advantages of the invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the invention and do not limit it.
The basic idea of the invention is that the broadband network gateway sends security policy information to the access nodes it serves, and each access node configures and enforces its security policy according to that information. The security management of the broadband access network is controlled by the broadband network gateway, which solves the security problem of the broadband access network comprehensively and improves the security of the broadband access service.
Fig. 1 is a schematic structural diagram of the security management system of a broadband access network provided by the present invention and is described as follows.
The security management system of the broadband access network comprises at least an access node 102 and a broadband network gateway 103. Customer premises equipment 101 is connected to access node 102 over link 10, and access node 102 is connected to broadband network gateway 103 over link 20. Customer premises equipment 101 may be a home gateway or similar equipment; access node 102 may be a digital subscriber line access multiplexer, a CMTS, an optical line terminal or similar equipment; and broadband network gateway 103 may be an edge router, a remote access server, a service router or similar equipment. In the embodiments of the invention, access node 102 is exemplified by a digital subscriber line access multiplexer and broadband network gateway 103 by a broadband access server (BAS).
Access node 102 is the physical termination of the cable from customer premises equipment 101, or the termination of a wireless channel; it aggregates user data and supports high-density access in many forms. Access node 102 is the device closest to customer premises equipment 101, it is the edge of the operator's network, and it is the first barrier of security protection. Among the security problems of the broadband access network, access node 102 is therefore of great consequence, and guaranteeing and centrally controlling the security of access node 102 is important.
Fig. 2 is a flow chart of the security management method of a broadband access network provided by the present invention; the invention is described below with reference to Fig. 1, as follows.
In step S201, the broadband network gateway determines the access nodes it serves.
In one embodiment of the invention, the access node 102 served by broadband network gateway 103 actively reports its information to broadband network gateway 103, and broadband network gateway 103 thereby determines the access node 102 it serves. Broadband network gateway 103 can determine the information of the access node 102 it serves from the information reported by access node 102. There are several ways in which access node 102 can report its information to broadband network gateway 103; for example, access node 102 actively reports its information to broadband network gateway 103 by means of an access protocol, a management protocol or a dynamic management protocol.
When access node 102 reports its information to broadband network gateway 103 by an access protocol, the access protocol includes the Point-to-Point Protocol over Ethernet Intermediate Agent protocol (PPPoE Intermediate Agent Protocol) or the Dynamic Host Configuration Protocol (DHCP).
When access node 102 reports its information to broadband network gateway 103 by a management protocol, the management protocol includes the Simple Network Management Protocol (SNMP).
When access node 102 reports its information to broadband network gateway 103 by a dynamic management protocol, the dynamic management protocol includes the Layer 2 Control Mechanism (L2CM) protocol of the Digital Subscriber Line (DSL) Forum, the Access Node Control Protocol (ANCP) and the Common Open Policy Service (COPS) protocol.
In another embodiment of the invention, the information of the access nodes 102 it serves is configured on broadband network gateway 103, and broadband network gateway 103 thereby determines the access node 102 it serves. In this case the information of the access node 102 served by broadband network gateway 103 can be set in advance, before access node 102 has been connected to broadband network gateway 103: the information of access node 102 is recorded in broadband network gateway 103 so that in the subsequent access service broadband network gateway 103 provides service to access node 102 and sends it security policy information.
In yet another embodiment of the invention, broadband network gateway 103 actively discovers the access nodes 102 that it serves, and thereby determines the access node 102 it serves. In this embodiment access node 102 has already been connected to broadband network gateway 103; broadband network gateway 103 actively searches for the access nodes 102 to which it needs to provide service and records the information of each access node 102 found.
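The following example is added here as an illustration of step S201 and is not part of the patent or of any ZTE implementation. It shows the first embodiment (the access node identifies itself on the access protocol) in code: the BNG extracts the Agent Circuit ID that an access node inserts into DHCP option 82 or into the PPPoE Intermediate Agent vendor-specific tag, derives the access node identifier from it, and records the node as served. It also shows why the second embodiment (a provisioned list on the BNG) matters in practice: the circuit-id is inserted by whatever device sits upstream of the BNG and is not authenticated by DHCP or PPPoE, so an identity that is not on the provisioned list is recorded but not served. Assumptions, all labelled in the code: the circuit-id follows the DSL Forum TR-101 syntax, and the access node names and message bytes are constructed for this example.

```python
"""Added example, not the patent's own code: a BNG learning the access nodes it
serves from the circuit-id the AN inserts on the access protocol (embodiment A1),
checked against a provisioned list (embodiment A2).
Assumptions (labelled): circuit-id syntax per DSL Forum TR-101,
"<AccessNodeId> atm <slot>/<port>:<vpi>.<vci>" or "<AccessNodeId> eth <slot>/<port>[:<vlan>]";
AN names and message bytes built below are constructed for illustration."""
import re
import struct
from typing import Dict, Optional

DHCP_OPT_RELAY_AGENT = 82          # RFC 3046 Relay Agent Information option
SUBOPT_CIRCUIT_ID = 1              # Agent Circuit ID sub-option
SUBOPT_REMOTE_ID = 2               # Agent Remote ID sub-option
PPPOE_TAG_VENDOR_SPECIFIC = 0x0105 # PPPoE Vendor-Specific tag used by the Intermediate Agent
ADSL_FORUM_VENDOR_ID = 3561        # enterprise number carried in that tag

CIRCUIT_ID_RE = re.compile(r"^(?P<an>\S+) (?:atm \d+/\d+:\d+\.\d+|eth \d+/\d+(?::\d+)?)$")


def _tlv8(data: bytes) -> Dict[int, bytes]:
    """Parse 1-byte code / 1-byte length TLVs (DHCP options and option 82 sub-options)."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:                          # DHCP end option
            break
        if code == 0:                            # DHCP pad
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated TLV")
        length = data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out


def _pppoe_tags(frame: bytes) -> Dict[int, bytes]:
    """Parse the tags of a PPPoE discovery payload: 6-byte header, then 2-byte type/length tags."""
    if len(frame) < 6:
        raise ValueError("truncated PPPoE header")
    length = struct.unpack("!H", frame[4:6])[0]
    body, tags, i = frame[6:6 + length], {}, 0
    while i + 4 <= len(body):
        ttype, tlen = struct.unpack("!HH", body[i:i + 4])
        tags[ttype] = body[i + 4:i + 4 + tlen]
        i += 4 + tlen
    return tags


def circuit_id_from_dhcp(options: bytes) -> Optional[bytes]:
    """Agent Circuit ID carried in option 82 of a DHCP options field, if present."""
    opt82 = _tlv8(options).get(DHCP_OPT_RELAY_AGENT)
    return _tlv8(opt82).get(SUBOPT_CIRCUIT_ID) if opt82 else None


def circuit_id_from_pppoe(frame: bytes) -> Optional[bytes]:
    """Agent Circuit ID carried in the PPPoE IA vendor-specific tag, if present."""
    vs = _pppoe_tags(frame).get(PPPOE_TAG_VENDOR_SPECIFIC)
    if not vs or len(vs) < 4 or struct.unpack("!I", vs[:4])[0] != ADSL_FORUM_VENDOR_ID:
        return None
    return _tlv8(vs[4:]).get(SUBOPT_CIRCUIT_ID)


def access_node_from_circuit_id(circuit_id: bytes) -> Optional[str]:
    """Access node identifier from a TR-101 style circuit-id, or None if the syntax is off."""
    m = CIRCUIT_ID_RE.match(circuit_id.decode("ascii", "replace"))
    return m.group("an") if m else None


class BngAccessNodeRegistry:
    """BNG-side table of served access nodes (step A). With a provisioned list present,
    a self-asserted identity that is not on it goes to `unexpected` instead of `served`,
    because the circuit-id is not authenticated by DHCP or PPPoE."""

    def __init__(self, configured=()):
        self.configured = set(configured)      # embodiment A2: provisioned AN identifiers
        self.served, self.unexpected = {}, {}  # AN identifier -> circuit-ids seen

    def _register(self, circuit_id: Optional[bytes]) -> Optional[str]:
        an = access_node_from_circuit_id(circuit_id) if circuit_id else None
        if an is None:
            return None
        trusted = not self.configured or an in self.configured
        table = self.served if trusted else self.unexpected
        table.setdefault(an, set()).add(circuit_id.decode("ascii", "replace"))
        return an

    def learn_from_dhcp(self, options: bytes) -> Optional[str]:
        return self._register(circuit_id_from_dhcp(options))

    def learn_from_pppoe(self, frame: bytes) -> Optional[str]:
        return self._register(circuit_id_from_pppoe(frame))


def build_dhcp_options(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Constructed DHCP options field carrying option 82, as an AN would insert it."""
    sub = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
           + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([DHCP_OPT_RELAY_AGENT, len(sub)]) + sub + b"\xff"


def build_pppoe_padi(circuit_id: bytes) -> bytes:
    """Constructed PADI with an empty Service-Name tag and a PPPoE IA vendor-specific tag."""
    sub = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    vs = struct.pack("!I", ADSL_FORUM_VENDOR_ID) + sub
    tags = struct.pack("!HH", 0x0101, 0) + struct.pack("!HH", PPPOE_TAG_VENDOR_SPECIFIC, len(vs)) + vs
    return struct.pack("!BBHH", 0x11, 0x09, 0, len(tags)) + tags  # ver 1, type 1, code PADI


if __name__ == "__main__":
    bng = BngAccessNodeRegistry(configured={"DSLAM-SZ-01", "OLT-SZ-07"})
    bng.learn_from_dhcp(build_dhcp_options(b"DSLAM-SZ-01 atm 3/12:8.35", b"sub-00042"))
    bng.learn_from_pppoe(build_pppoe_padi(b"OLT-SZ-07 eth 1/4:100"))
    bng.learn_from_pppoe(build_pppoe_padi(b"ROGUE-AN eth 0/1"))
    print("served:", bng.served, "unexpected:", bng.unexpected)
```

Run as a script it registers two provisioned access nodes, one learned from DHCP option 82 and one from a PPPoE PADI, and parks a third, unprovisioned identity under `unexpected`. A registry built with an empty provisioned list accepts whatever identity arrives, which is the failure mode the second embodiment of step S201 avoids.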
In step S202, the broadband network gateway sends security policy information to said access node.
In one embodiment of the invention, broadband network gateway 103 sends the security policy information to access node 102 by means of a management protocol or a dynamic management protocol.
When broadband network gateway 103 notifies access node 102 by a management protocol, the management protocol includes SNMP.
When broadband network gateway 103 notifies access node 102 by a dynamic management protocol, the dynamic management protocol includes the L2CM protocol of the DSL Forum, ANCP and COPS.
In step S203, the access node configures its security policy according to the received security policy information.
After access node 102 receives the security policy information sent by broadband network gateway 103, it configures the security policy of access node 102 according to that information.
In a preferred embodiment of the invention, after step S203 the method further comprises:
In step S204, said access node enforces the configured security policy.
After access node 102 has configured its security policy, it enforces the configured security policy. In this way the security of the access node itself is safeguarded.
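The following example is added here to illustrate steps S202 to S204 and is not part of the patent or of any ZTE implementation. The patent names SNMP, L2CM/ANCP and COPS as carriers for the security policy information but defines neither the policy content nor the message layout, so the example substitutes a small JSON policy authenticated with an HMAC over a shared key, standing in for the protection the real management channel would provide (SNMPv3 authPriv, ANCP on a protected management VLAN). The access node accepts a policy only if it verifies, is addressed to this node and carries a fresh serial number, then enforces it frame by frame: a per-port MAC limit, dropping DHCP server replies from subscriber ports, user isolation and a broadcast rate limit. The policy keys, the shared key, the node names and the frames are all constructed for this example.

```python
"""Added example, not the patent's own code: steps B to D of the method, the BNG
pushing security policy information to one access node (S202), the AN configuring
it (S203) and enforcing it on subscriber traffic (S204).
Assumptions (labelled): the patent names SNMP, L2CM/ANCP and COPS as carrier but
defines neither policy content nor message layout, so the policy keys, the JSON+HMAC
envelope, the shared key and the frames below are constructed for illustration."""
import hashlib
import hmac
import json
from collections import defaultdict
from typing import Tuple

PROTO_VERSION = 1


def bng_build_policy_message(key: bytes, an_id: str, serial: int, policy: dict) -> bytes:
    """BNG side (step B): serialise the policy for one AN and authenticate it with the channel key."""
    body = json.dumps({"v": PROTO_VERSION, "an": an_id, "serial": serial, "policy": policy},
                      sort_keys=True, separators=(",", ":")).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


class AccessNode:
    """AN side: accept policy only from its own BNG (step C), then enforce it per frame (step D)."""

    def __init__(self, an_id: str, key: bytes, uplink_ports):
        self.an_id, self.key, self.uplink = an_id, key, set(uplink_ports)
        self.policy, self.last_serial = {}, -1
        self.macs_on_port = defaultdict(set)   # user port -> source MACs learned there
        self.bcast_count = defaultdict(int)    # (port, second) -> broadcast frames seen

    def configure(self, message: bytes) -> dict:
        body, _, tag = message.rpartition(b"\n")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("policy message failed authentication")
        msg = json.loads(body)
        if msg.get("v") != PROTO_VERSION or msg.get("an") != self.an_id:
            raise ValueError("policy message is not addressed to this access node")
        if msg.get("serial", -1) <= self.last_serial:
            raise ValueError("replayed or stale policy message")
        self.last_serial, self.policy = msg["serial"], msg["policy"]
        return self.policy

    def _other_user_macs(self, port: str) -> set:
        return {m for p, macs in self.macs_on_port.items() if p != port for m in macs}

    def check_frame(self, frame: dict, now: int) -> Tuple[str, str]:
        """Verdict for one frame: ('forward' | 'drop', reason). `now` is the arrival second."""
        port, p = frame["port"], self.policy
        if port in self.uplink:                  # policy applies to subscriber-facing ports only
            return ("forward", "uplink")
        seen = self.macs_on_port[port]
        if frame["src_mac"] not in seen:
            limit = p.get("mac_limit_per_port")
            if limit is not None and len(seen) >= limit:
                return ("drop", "mac limit exceeded")
            seen.add(frame["src_mac"])
        if p.get("drop_dhcp_server_from_user_ports") and frame.get("dhcp_op") == 2:
            return ("drop", "DHCP server reply from user port")   # rogue DHCP server
        if p.get("user_isolation") and frame["dst_mac"] in self._other_user_macs(port):
            return ("drop", "user-to-user forwarding")
        limit = p.get("broadcast_pps_limit")
        if limit is not None and frame["dst_mac"] == "ff:ff:ff:ff:ff:ff":
            self.bcast_count[(port, now)] += 1
            if self.bcast_count[(port, now)] > limit:
                return ("drop", "broadcast rate limit")
        return ("forward", "policy ok")


# Constructed shared key standing in for the protection of the real management channel.
CHANNEL_KEY = b"constructed-bng-an-channel-key"
SAMPLE_POLICY = {"mac_limit_per_port": 2, "drop_dhcp_server_from_user_ports": True,
                 "user_isolation": True, "broadcast_pps_limit": 3}


def run_scenario() -> list:
    """Push SAMPLE_POLICY to a constructed DSLAM and return verdicts for constructed frames."""
    an = AccessNode("DSLAM-SZ-01", CHANNEL_KEY, uplink_ports={"uplink0"})
    an.configure(bng_build_policy_message(CHANNEL_KEY, "DSLAM-SZ-01", 1, SAMPLE_POLICY))
    bng_mac, bcast = "00:00:5e:00:53:01", "ff:ff:ff:ff:ff:ff"
    frames = [
        {"port": "1/1", "src_mac": "02:00:00:00:00:01", "dst_mac": bng_mac},
        {"port": "1/1", "src_mac": "02:00:00:00:00:02", "dst_mac": bng_mac},
        {"port": "1/1", "src_mac": "02:00:00:00:00:03", "dst_mac": bng_mac},  # third MAC on 1/1
        {"port": "1/2", "src_mac": "02:00:00:00:00:04", "dst_mac": "02:00:00:00:00:01"},
        {"port": "1/2", "src_mac": "02:00:00:00:00:04", "dst_mac": bcast, "dhcp_op": 2},
        {"port": "uplink0", "src_mac": bng_mac, "dst_mac": bcast, "dhcp_op": 2},
    ] + [{"port": "1/3", "src_mac": "02:00:00:00:00:05", "dst_mac": bcast}] * 4
    return [an.check_frame(f, now=100) for f in frames]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The serial number check matters as much as the HMAC: without it, a captured earlier (more permissive) policy message could be replayed to the access node after the BNG has tightened the policy, and the addressing check stops a policy meant for one access node from being accepted by another that shares the channel key.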
To better realise the invention, the invention further provides a system that implements the method of the invention; the system comprises at least:
a broadband network gateway 103, used to determine the access nodes 102 it serves and to send security policy information to said access nodes 102;
an access node 102, used to configure its security policy according to the received security policy information.
In summary, in the present invention the broadband network gateway sends security policy information to the access nodes it serves, and each access node configures and enforces its security policy according to that information. Security management of the broadband access network is thus realised across the whole network, the security problem of the broadband access network is solved comprehensively, and the security of the broadband access service is improved.
Of course, the invention may also have various other embodiments. Without departing from the spirit and essence of the invention, those of ordinary skill in the art can make various corresponding changes and modifications according to the invention, and all such changes and modifications fall within the scope of protection of the appended claims.

Claims (7)

1. A security management method for a broadband access network, characterised in that it comprises:
A. the broadband network gateway determines the access nodes it serves in one of the following ways:
A1. the access node served by the broadband network gateway actively reports its information to the broadband network gateway, and the broadband network gateway thereby determines the access nodes it serves;
A2. the information of the access nodes it serves is configured on the broadband network gateway, and the broadband network gateway thereby determines the access nodes it serves;
A3. the broadband network gateway actively discovers the access nodes it serves, and thereby determines the access nodes it serves;
B. the broadband network gateway sends security policy information to said access nodes;
C. the access node configures its security policy according to the received security policy information.
2. The method according to claim 1, characterised in that said access node actively reports its information to the broadband network gateway by means of an access protocol, the Simple Network Management Protocol or a dynamic management protocol.
3. The method according to claim 2, characterised in that said access protocol includes the PPPoE Intermediate Agent protocol or DHCP;
said dynamic management protocol includes the Layer 2 Control Mechanism protocol, the Access Node Control Protocol or the Common Open Policy Service protocol.
4. The method according to claim 1, characterised in that in said step B the broadband network gateway sends the security policy information to the access node by means of the Simple Network Management Protocol or a dynamic management protocol.
5. The method according to claim 4, characterised in that said dynamic management protocol includes the Layer 2 Control Mechanism protocol, the Access Node Control Protocol or the Common Open Policy Service protocol.
6. The method according to claim 1, characterised in that after said step C it further includes:
D. the access node enforces the configured security policy.
7. A system for implementing the method of any one of claims 1 to 6, characterised in that the system comprises at least:
a broadband network gateway, used to determine the access nodes it serves and to send security policy information to said access nodes;
an access node, used to configure its security policy according to the received security policy information.
Priority Applications (1)

Application Number, Priority Date, Filing Date, Title
CN200710099519A (granted as CN100579049C), 2007-05-23, 2007-05-23, Safety managing method and system for broad band access network

Publications (2)

Publication Number, Publication Date
CN101051979A (application), 2007-10-10
CN100579049C (grant), 2010-01-06

Family ID: 38783180

Country Status (1)

CN: CN100579049C (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101808430A (en) * 2009-02-13 2010-08-18 上海贝尔股份有限公司 Method and device of cross-domain service strategy interaction for fixed mobile convergence network
CN101656964B (en) * 2009-09-16 2016-03-02 中兴通讯股份有限公司 The implementation method of Wi-Fi metropolitan area network and home gateway
CN102136958B (en) * 2010-01-22 2014-12-10 中兴通讯股份有限公司 Method and system for diagnosing access node

Also Published As

Publication number Publication date
CN101051979A (en) 2007-10-10


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20180426

Address after: California, USA

Patentee after: Global innovation polymerization LLC

Address before: 518057 Zhongxing building, science and technology south road, Nanshan District hi tech Industrial Park, Guangdong, Shenzhen

Patentee before: ZTE Corp.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100106