CN101022340A - Intelligent control method for realizing city Ethernet exchanger switch-in security - Google Patents


Info

Publication number: CN101022340A
Authority: CN (China)
Prior art keywords: user, switch, server, client, security
Legal status: Granted (Google lists the status as an assumption, not a legal conclusion)
Application number: CN 200710086678
Other languages: Chinese (zh)
Other versions: CN101022340B (en)
Inventors: 李松, 罗婷
Current assignee: Wuhan FiberHome Networks Co Ltd (listed without legal analysis)
Original assignee: Wuhan FiberHome Networks Co Ltd
Application filed by Wuhan FiberHome Networks Co Ltd
Priority: CN2007100866786A
Publication: CN101022340A (application); CN101022340B (granted patent)
Current legal status: Expired - Fee Related

Classifications

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An intelligent control method for realizing access security on a metropolitan Ethernet switch integrates user legality authentication, prevention of illegal proxying by legitimate users, P2P traffic control and DHCP SNOOP into one scheme for controlling and monitoring users, in order to improve network security.

Description

Intelligent control method for realizing Metro Ethernet switch access security
Technical field
The invention belongs to the field of computer technology and relates to security control technology for Ethernet switches; specifically, it relates to an intelligent control method for realizing access security on a Metro Ethernet switch.
Background technology
At present, the security control technologies commonly used on Ethernet switches are as follows:
● User legality authentication
The most commonly used user authentication function on Ethernet switches is IEEE 802.1x (hereinafter 802.1x). This protocol is a Client/Server based access control and authentication protocol. It can stop unauthorized user equipment from accessing the LAN/WAN through an access port. Before a user connected to a switch port can obtain any service provided by the switch or the LAN, 802.1x authenticates that user. Before authentication succeeds, 802.1x only allows EAPoL (Extensible Authentication Protocol over LAN) data to pass through the switch port the equipment is connected to; after authentication succeeds, normal data can pass through the switch port. The protocol realizes its function through three functional entities, as shown in Figure 1.
(1) Client software on the user PC
The user enters a user ID (identifier) and password; this is the main client-side function of authentication.
(2) The Ethernet switch close to the user side
An ordinary Ethernet switch is extended to act as a RADIUS authentication proxy and, according to the authentication result of the RADIUS server, opens the access rights of the Ethernet service port the user is connected to.
(3) RADIUS server
Performs the authentication of the user ID and password and returns the result to the Ethernet switch.
Each physical Ethernet port is divided into two logical ports, a controlled port and an uncontrolled port. The uncontrolled port is dedicated to processing 802.1x protocol data, while the controlled port is used to forward general data other than 802.1x protocol data. Access to the controlled port is subject to the authorization state of that port. The Ethernet switch controls the authorized/unauthorized state of the controlled port according to the authentication result the authentication server returns for the user. A controlled port in the unauthorized state refuses to forward user data.
In the initial state, the controlled ports of all Ethernet switch ports connected to end users are in the unauthorized state and forward no user data; only the uncontrolled port is open. The user logs in to the switch through the client software, and the switch sends the ID and password supplied by the user to the back-end RADIUS server (which may be local or reachable through WAN equipment at a remote site). If the user passes authentication, the Ethernet switch opens the corresponding controlled port and allows the user to access the Internet.
With this user management method based on layer-2 Ethernet switches, the networking of the whole network becomes very simple: it is basically realized with two kinds of equipment, layer-2 Ethernet switches and routers, and it allows centralized control of services (service-center control with RADIUS at its core) together with distributed realization (by the Ethernet switches close to the users).
The 802.1x protocol is a port-based network access control technology. Its basic idea is that the network system can control the Ethernet ports facing end users, so that only users permitted and authorized by the network system can access the services of the network system.
The core of the network access technology is the PAE (port access entity). In the access control flow, the port access entity comprises three parts:
Authenticator: the port that authenticates the accessing user/equipment;
Supplicant (requester): the user/equipment being authenticated;
Authentication server: the equipment that, based on the authenticator's information, performs the actual authentication of the user/equipment requesting access to network resources.
Fig. 2 illustrates the influence of the controlled port's authorization state on access. The controlled port of authenticator 1 (which may be a certain port of an Ethernet switch) is in the unauthorized state, so the controlled port does not forward the data of the user connected to that physical port, and the user's data messages cannot reach network resources through the controlled port; the controlled port of authenticator 2 (another port of the Ethernet switch) is authorized, so the connected port is open and the user can freely access network resources.
802.1X can realize user authentication on a layer-2 network, and the equipment can bind information such as MAC address, port and account, which gives very high security. This function guarantees the legitimacy of the user itself, but it has limitations: it cannot guarantee that a legitimate user does not perform illegal proxy operations, it cannot guarantee that a legitimate user's traffic is legitimate, and it cannot realize monitoring of PC addresses at the network center and on the network equipment.
● Preventing legitimate users from acting as proxies
Although network access technology has various authentication mechanisms such as IEEE 802.1x, identity authentication cannot prevent an illegitimate user's PC from getting online through proxy software on a legitimate user's PC, because once the illegitimate user's data has passed through the proxy software, the network access equipment cannot distinguish it from data sent by the legitimate user. The existence of such illegitimate users increases network load, endangers network security and damages the interests of legitimate users.
At present, switches in the network do not handle the case of legitimate users acting as proxies effectively.
● Controlling P2P traffic
P2P is a technology for exchanging data directly between different PC users without a relay device or service. It breaks the traditional Client/Server model: in a peer-to-peer network every node has the same status and is both client and server, able to act simultaneously as service consumer and service provider. Owing to the rapid development of P2P technology, the storage model of the Internet is changing from the present "content located at the center" model to a "content stored in a distributed manner" model, which changes the present traffic pattern of the Internet, centered on big websites.
The most commonly used P2P software on the Internet today is BT (BitTorrent).
P2P technology has mainly brought the following changes:
(1) A change in the traffic model of the Internet. 70% of Internet traffic is now P2P traffic, and traditional HTTP traffic is no longer the main traffic on the Internet.
(2) A change in the traffic model of the individual user. In the past an individual user's downlink traffic (from the Internet to the user) was far larger than the uplink traffic. Since P2P technology also needs to upload while downloading, both the downlink and the uplink traffic of an individual user are now very large.
(3) P2P traffic causes severe congestion of the network.
Conventional network equipment such as firewalls has a certain packet filtering capability, but these filtering functions are all realized with ACLs and usually can only filter according to information such as a packet's IP address, MAC address, protocol type and port number. This can filter legacy network traffic accurately but cannot filter P2P traffic accurately. Taking BT (full name: BitTorrent) as an example: because the port numbers it uses can be user-defined, administrators cannot know them, so accurately monitoring BT traffic by port number is relatively difficult. This shows that a traditional firewall cannot accurately control a user's BT traffic, which leaves a security gap.
● DHCP SNOOP
DHCP SNOOP strengthens the security of DHCP; it realizes its function through DHCP option 82. Its purpose is to let the DHCP Server know the detailed access information of a user, namely which port of which switch the user comes from, and at the same time to let the access switch control the client's access to the network.
Its first function, obtaining client information, is realized by the switch adding DHCP option 82;
Its second function, client control, is realized by the hardware lookup-table function of the switch;
A simple network topology of its realization is shown in Fig. 3.
The DHCP Client runs on the user's PC, DHCP SNOOP runs on the switch, and the DHCP Server runs on a DHCP server that can parse DHCP option 82.
The two sub-options below both belong to DHCP option 82; they contain information such as the switch, VLAN and port the user is connected to. The total length of DHCP option 82 is 20 bytes, of which 18 bytes are content; in addition there is a 1-byte option code (0x52) and a 1-byte option content length (0x12). The option is located in front of the END option.
Table (1) Circuit ID sub-option frame format:
Suboption type (1) | Len (6) | Circuit ID type (0) | Len (4) | Vlan | Module | Port
1B                 | 1B      | 1B                  | 1B      | 2B   | 1B     | 1B
Field description:
Suboption type: occupies 1 byte, indicates the message type, filled with 1;
Len: occupies 1 byte, the length of the whole sub-option, filled with 6;
Circuit ID type: filled with 0;
Len: content length;
Vlan: the VLAN the packet belongs to;
Module: module number;
Port: ingress port number;
Table (2) Remote ID sub-option frame format:
Suboption type (2) | Len (8) | Remote ID type (0) | Len (6) | MAC
1B                 | 1B      | 1B                 | 1B      | 6B
Field description:
Suboption type: occupies 1 byte, indicates the message type, filled with 2;
Len: occupies 1 byte, the length of the whole sub-option, filled with 8;
Remote ID type: filled with 0;
Len: content length, fixed at 6;
MAC: switch MAC address;
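The two sub-option layouts above, as an added worked example (this is not code from the patent or from FiberHome): a small Python encoder and decoder for the 20-byte option 82 laid out in Tables (1) and (2), plus a walker that locates the option in a DHCP options field in front of the END option. The function names, the strict length checks and the sample values are assumptions of this example.

```python
import struct
from typing import Optional

OPTION_RELAY_AGENT_INFO = 0x52   # DHCP option 82
OPTION_PAD = 0
OPTION_END = 255
SUBOPT_CIRCUIT_ID = 1             # Table (1)
SUBOPT_REMOTE_ID = 2              # Table (2)


def build_option82(vlan: int, module: int, port: int, switch_mac: bytes) -> bytes:
    """Build the 20-byte option 82 exactly as Tables (1) and (2) lay it out."""
    if not (0 <= vlan <= 0xFFFF and 0 <= module <= 0xFF and 0 <= port <= 0xFF):
        raise ValueError("vlan/module/port out of range for the 2B/1B/1B fields")
    if len(switch_mac) != 6:
        raise ValueError("switch MAC must be 6 bytes")
    # Circuit ID: suboption 1, len 6, circuit-id type 0, len 4, vlan(2B) module(1B) port(1B)
    circuit_id = struct.pack("!BBBBHBB", SUBOPT_CIRCUIT_ID, 6, 0, 4, vlan, module, port)
    # Remote ID: suboption 2, len 8, remote-id type 0, len 6, switch MAC(6B)
    remote_id = struct.pack("!BBBB6s", SUBOPT_REMOTE_ID, 8, 0, 6, switch_mac)
    content = circuit_id + remote_id          # 18 bytes of content
    return bytes([OPTION_RELAY_AGENT_INFO, len(content)]) + content


def parse_option82(option: bytes) -> dict:
    """Decode option 82 into {vlan, module, port, switch_mac}; raise on malformed input."""
    if len(option) < 2 or option[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not a DHCP option 82")
    content = option[2:2 + option[1]]
    if len(content) != option[1]:
        raise ValueError("option 82 truncated")
    info = {}
    pos = 0
    while pos < len(content):
        if pos + 2 > len(content):
            raise ValueError("sub-option header truncated")
        sub_type, sub_len = content[pos], content[pos + 1]
        data = content[pos + 2:pos + 2 + sub_len]
        if len(data) != sub_len:
            raise ValueError("sub-option body truncated")
        if sub_type == SUBOPT_CIRCUIT_ID:
            if sub_len != 6:
                raise ValueError("circuit ID sub-option must be 6 bytes")
            id_type, id_len, vlan, module, port = struct.unpack("!BBHBB", data)
            if id_type != 0 or id_len != 4:
                raise ValueError("unexpected circuit ID type/length")
            info.update(vlan=vlan, module=module, port=port)
        elif sub_type == SUBOPT_REMOTE_ID:
            if sub_len != 8:
                raise ValueError("remote ID sub-option must be 8 bytes")
            id_type, id_len, mac = struct.unpack("!BB6s", data)
            if id_type != 0 or id_len != 6:
                raise ValueError("unexpected remote ID type/length")
            info["switch_mac"] = mac.hex(":")
        # sub-option types other than 1 and 2 are not described on the page and are skipped
        pos += 2 + sub_len
    return info


def find_option82(dhcp_options: bytes) -> Optional[bytes]:
    """Walk a DHCP options field (after the magic cookie) and return option 82 if present."""
    pos = 0
    while pos < len(dhcp_options):
        code = dhcp_options[pos]
        if code == OPTION_END:
            return None                       # option 82 sits before END, so it is absent
        if code == OPTION_PAD:
            pos += 1
            continue
        if pos + 1 >= len(dhcp_options):
            raise ValueError("option header truncated")
        length = dhcp_options[pos + 1]
        if code == OPTION_RELAY_AGENT_INFO:
            return dhcp_options[pos:pos + 2 + length]
        pos += 2 + length
    return None
```

The decoder refuses sub-options whose declared length disagrees with the fixed layout rather than reading past the buffer, which is the check a snooping implementation on the switch or the server should apply to any relay-inserted data. RFC 3046 leaves the circuit ID format to the relay agent; this page fixes it as VLAN, module and port.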
After the DHCP Server receives a packet carrying DHCP option 82, it parses the packet, obtains information such as the MAC address of the switch the user is connected to, the user's access port and the VLAN of that access port, and builds a database in order to monitor users. Once a user shows abnormal behaviour, the user's information can be looked up rapidly in this database and the user located.
The switch located between the user and the DHCP Server intercepts the DHCP packets exchanged between the user and the DHCP Server, obtains the IP address, the user's MAC address, the user's access port and the VLAN of the access port, and builds a monitoring entry. Only packets that fully match the monitoring entry are forwarded by the switch, so the user cannot get on the Internet by privately configuring an IP address. This reduces the harm to the network caused by IP address theft and by users privately changing their IP addresses.
The DHCP SNOOP function can monitor and promptly locate users and guarantees, to the greatest extent, that the network plan is not damaged, but it also has limitations: it cannot verify the legitimacy of the user itself, it cannot guarantee that a legitimate user does not perform illegal proxy operations, and it cannot limit a user's illegitimate traffic.
Before describing the technical scheme of the invention, some basic terms are introduced first.
IP (Internet Protocol): this protocol is the basis of today's computer network interconnection; its main role is to interconnect the various packet networks of the world. For a detailed introduction to this protocol, refer to RFC 791.
IP address: in an IP network, every node needs an identifier to represent it; in the IP protocol this identifier is called the IP address (the logical address of the network node).
DNS (Domain Name System): the main function of this protocol is to resolve the mapping from a network node's name to its IP address; for a detailed introduction refer to RFC 1034.
TCP (Transmission Control Protocol): runs on top of the IP protocol; its function is to guarantee that data is transmitted correctly between two nodes of an IP network; for a detailed introduction refer to RFC 793.
Internet: literally the interconnected network; at present it is the collective name for all the networks in the world connected together by TCP/IP.
DHCP (Dynamic Host Configuration Protocol): the goal of this protocol is to pass configuration information to hosts in a TCP/IP network; for a detailed introduction refer to RFC 1541.
EAP: Extensible Authentication Protocol.
EAPOL: EAP over LANs.
RADIUS: Remote Authentication Dial In User Service.
LAN: local area network.
WAN: wide area network.
PC: personal computer.
HTTP: Hypertext Transfer Protocol, the protocol used for browsing web pages today.
ACL: access list; controls data flows according to information such as a packet's IP address, MAC address, protocol type and port number.
VLAN: virtual LAN.
AP: anti-proxy.
Summary of the invention
The objective of the invention is to address the problems that the security control technologies of existing switches are of many kinds, insufficiently complete in function and relatively complex to configure, by proposing an intelligent control method for realizing Metro Ethernet switch access security. The method integrates the multiple existing security control technologies of the switch, enabling more comprehensive and complete control and monitoring of users with easy configuration, thereby further improving the security, stability and operability of the network.
The technical scheme of the invention is as follows: an intelligent control method for realizing Metro Ethernet switch access security, in which the IEEE 802.1x protocol is adopted on the Ethernet switch and anti-proxy software is installed on the user's PC and on the switch; when the user needs to get online, the following process is carried out:
(1) The Client software on the user's PC starts the 802.1x function and performs dial-up authentication; the switch enables the security control function on the port the user is connected to, closes the general data flow on all ports, and starts the 802.1x function;
(2) If authentication fails, the server sends an authentication failure message to the user side and the switch does not open the port; if authentication passes, the server sends an authentication success message to the user side, the switch opens the port, and the user's data can pass through the switch;
(3) The DHCP Client communicates with the DHCP Server through the switch; the switch parses and forwards the DHCP packets, realizing the DHCP SNOOP function;
(4) When it is detected that the user has enabled proxy software or has closed the anti-proxy function, the server closes the corresponding port of the switch so that the user cannot continue online.
In the intelligent control method for realizing Metro Ethernet switch access security described above, the methods used in step (4) to detect that the user has enabled proxy software comprise:
(1) The client program judges whether any well-known proxy software program is currently running;
(2) Detecting whether the client PC is bound to certain well-known ports, and judging from this whether the PC is running proxy software;
(3) The anti-proxy client program sends a connection request to the PC itself, with the destination IP address in the connection request set by the anti-proxy software to a special address; if the PC accepts this connection and sends a connection request to the gateway whose destination IP address is the address set by the anti-proxy software, it is judged that proxy software is running on the PC.
Further, when the user has enabled proxy software, the Client software on the user's PC sends a message to the server, and the server closes the user's access port on the switch after receiving the message.
In the intelligent control method for realizing Metro Ethernet switch access security described above, the anti-proxy software is divided into an AP client part running on the PC and an AP server part running on the switch. The AP Server periodically sends an AP-Check message carrying a random sequence to the AP Client and waits for the AP Client's AP-Check-Response; when the user closes the anti-proxy function, the AP Server cannot receive a correct AP-Check-Response and closes the user's access port on the switch.
A shared password exists between the AP Client and the AP Server, and the random sequence is encrypted with the shared password.
In the intelligent control method for realizing Metro Ethernet switch access security described above, a dedicated switching chip is provided on the switch; it identifies P2P data traffic and builds corresponding control table entries, so that the rate-limit value of a specific entry can be set as required.
In the intelligent control method for realizing Metro Ethernet switch access security described above, in step (3) the switch on the one hand provides specific user location information to the DHCP Server and on the other hand builds a user monitoring entry containing the IP address, the user's MAC address, the user's access port and the VLAN of the access port; only packets that fully match the monitoring entry can pass through the switch, and other data is discarded by the switch.
The beneficial effect of the invention is that the security switch comprehensively realizes user legality authentication, prevention of illegal proxying by legitimate users, P2P traffic control and DHCP SNOOP, so that users can be controlled and monitored more comprehensively and completely with easy configuration, further improving the security, stability and operability of the network. Among these, the prevention of illegal proxying by legitimate users and the control of P2P traffic adopt a distinctive anti-proxy mechanism and P2P traffic control mechanism, realizing complete user monitoring, controlling network traffic reasonably and strengthening network security.
Description of drawings
Fig. 1 is a schematic diagram of the Ethernet port user management authentication mode.
Fig. 2 is a schematic diagram of the controlled state of the controlled port.
Fig. 3 is a schematic diagram of DHCP application.
Fig. 4 is the simple network topology of the anti-proxy application and P2P detection.
Fig. 5 is the anti-proxy software flow chart.
Fig. 6 is the logic diagram of the dedicated switching chip.
Fig. 7 is the switch-side P2P monitoring flow chart.
Fig. 8 is the user-side controlled data flow chart.
Fig. 9 is the security switch data flow chart.
Fig. 10 is a schematic diagram of the multi-service Ethernet switch platform.
Fig. 11 is a schematic diagram of the multi-service Ethernet switch software function modules.
Embodiment
The invention is described in detail below with reference to the drawings and embodiments.
● Adopting the IEEE 802.1x protocol
This protocol is a Client/Server based access control and authentication protocol. It can stop unauthorized user equipment from accessing the LAN/WAN through an access port. Before a user connected to a switch port can obtain any service provided by the switch or the LAN, 802.1x authenticates that user. Before authentication succeeds, 802.1x only allows EAPoL (Extensible Authentication Protocol over LAN) data to pass through the switch port the equipment is connected to; after authentication succeeds, normal data can pass through the switch port.
● Anti-proxy realized by binding the switch's port authentication with the application program
User identity authentication technologies represented by 802.1X cannot prevent an illegitimate user's PC from getting online through proxy software on a legitimate user's PC, because once the illegitimate user's data has passed through the proxy software, the switch cannot distinguish it from data sent by the legitimate user, and the illegitimate user can then access Internet resources. This situation damages the interests of other legitimate users and introduces insecurity into the network.
The anti-proxy protocol can prevent this situation. The existing authentication mechanism already guarantees the verification of legitimate users; if it can be confirmed that the legitimate user's PC has not installed and is not using proxy software, the network can accept the legitimate user's data. The solution is therefore to install anti-proxy software on the user's PC and, if proxy software installed by the user is found, to forbid this PC from sending data to the network; to prevent the user from simply not enabling the anti-proxy software, this function also needs to guarantee that the user's PC is running the anti-proxy software.
After the anti-proxy software is started, the access switch closes the data forwarding function of all user ports, so that only users who pass anti-proxy authentication can get online through the switch. If the user does not start the anti-proxy software, the server on the switch does not let the user pass authentication and the user cannot get online; after the user starts the anti-proxy software, the client's anti-proxy function automatically checks whether the user has enabled a proxy function and, if so, sends a message to the server side; the server side running on the switch closes the port and forces the user offline.
The anti-proxy protocol is divided into a client part and a server part; the client part runs on the user's PC and the server part runs on an access device such as a switch.
The simple network topology of its realization is shown in Fig. 4.
The methods for discovering whether the user has used proxy software are as follows:
(1) Whether proxy software is running. The client program judges whether any well-known proxy software program is currently running.
(2) Inspecting the packets received by the legitimate PC. After the anti-proxy client starts, it analyzes the packets received by the PC's network card; if a "PROXY" feature field appears in a packet header, the packet is one from an illegitimate PC that needs proxying, which shows that this legitimate PC is running proxy software and performing a proxy function.
(3) Probe-packet detection. The anti-proxy client program sends a connection request to the PC itself (with the destination IP address in the connection request set by the anti-proxy software to a special address); if the PC accepts this connection and sends a connection request to the gateway whose destination IP address is the address set by the anti-proxy software, it can be determined that proxy software is running on the PC.
The handling after proxy software is found is as follows: once it is found that the user has opened proxy software, for example ProxyCap, MagicProxy or Proxifier, and is providing a proxy service, the client of the anti-proxy software sends an AP-Disconnect-Request message requesting disconnection. After the anti-proxy server on the switch receives and handles this message, it closes the port the user is connected to, forcing the user offline.
The flow for guaranteeing that the user starts the anti-proxy software is as follows:
Link setup process:
A shared password exists between the AP Client and the AP Server. At the start, the AP Client sends an AP-Discover message to the network; after the AP Server receives it, it replies with AP-Check, which carries a random sequence. After the AP Client receives the AP-Check message it sends AP-Check-Response as the reply; before replying it needs to encrypt the random sequence with the shared password, using the MD5 algorithm, and then insert the result into AP-Check-Response. If the AP Server finds that the Check-Response fails, the AP Client software the user is using is illegal; the user is closed directly, no AP-Disconnect message needs to be sent, and the user must wait for a period of time before connecting again. If the AP-Check-Response result is correct, the AP Server sends an AP-Start message to the client; after receiving it the AP Client starts the anti-proxy function and enters the connected state, and the AP Server notifies the security switch that it may forward the general data messages this user sends.
After this, the AP Server periodically sends AP-Check messages to the AP Client and waits for the AP Client's AP-Check-Response (which likewise needs encryption), to prevent the user from closing the client software midway. Once the user closes the anti-proxy client software, the AP Server cannot receive AP-Check-Response, or can only receive forged, incorrect AP-Check-Responses, and therefore notifies the switch to close the port and stop forwarding this user's data.
Link teardown process:
Both the AP Client and the AP Server can initiate the teardown process. The initiator of the teardown first sends an AP-Disconnect-Request message; after receiving it, the recipient sends an AP-Disconnect-Check message containing a random sequence; the teardown requester needs to compute over the random sequence and send an AP-Disconnect-Response message to the other side; if the recipient of the teardown finds the AP-Disconnect-Response computation result correct, it disconnects the connection, otherwise it does not. The verification process is added to the teardown mainly to prevent a malicious user from forging teardown messages to kick other users who are online off the network.
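The link setup, periodic check and teardown exchanges described above, as an added example that is not part of the patent or of FiberHome's software: a Python model of both sides of the AP protocol. The page states that the random sequence is "encrypted" with the shared password using MD5 but gives no exact construction, so MD5(password || random sequence) is an assumption here, as are the message dictionaries, the class and method names and the 16-byte random length.

```python
import hashlib
import hmac
import os


def ap_digest(shared_password: bytes, random_sequence: bytes) -> bytes:
    # Assumed construction: the page only says "encrypt the random sequence with the
    # shared password using MD5" and does not give the exact input layout.
    return hashlib.md5(shared_password + random_sequence).digest()


class APClient:
    """AP Client on the user PC (assumed shape; the page names only the messages)."""

    def __init__(self, shared_password: bytes):
        self.password = shared_password
        self.anti_proxy_enabled = False

    def discover(self) -> dict:
        return {"type": "AP-Discover"}

    def handle(self, msg: dict):
        """Answer one server message; returns the reply or None."""
        if msg["type"] == "AP-Check":
            return {"type": "AP-Check-Response", "digest": ap_digest(self.password, msg["random"])}
        if msg["type"] == "AP-Disconnect-Check":
            return {"type": "AP-Disconnect-Response", "digest": ap_digest(self.password, msg["random"])}
        if msg["type"] == "AP-Start":
            self.anti_proxy_enabled = True      # connected state: anti-proxy checks now run
        return None


class APServer:
    """AP Server on the switch; `port_open` models the user's access port."""

    def __init__(self, shared_password: bytes):
        self.password = shared_password
        self.port_open = False
        self.connected = False
        self.rejected = False       # wrong Check-Response: user must wait before retrying
        self.pending = None         # random sequence whose response is awaited

    def _challenge(self, msg_type: str) -> dict:
        self.pending = os.urandom(16)
        return {"type": msg_type, "random": self.pending}

    def _verify(self, digest: bytes) -> bool:
        ok = self.pending is not None and hmac.compare_digest(ap_digest(self.password, self.pending), digest)
        self.pending = None         # each random sequence is accepted at most once
        return ok

    def handle(self, msg: dict):
        t = msg["type"]
        if t == "AP-Discover":
            return self._challenge("AP-Check")
        if t == "AP-Check-Response":
            if self._verify(msg["digest"]):
                was_connected = self.connected
                self.connected = self.port_open = True     # switch may forward this user's data
                return None if was_connected else {"type": "AP-Start"}
            # Illegal client software: close the user directly, no AP-Disconnect exchange.
            self.connected = self.port_open = False
            self.rejected = True
            return None
        if t == "AP-Disconnect-Request":
            return self._challenge("AP-Disconnect-Check")
        if t == "AP-Disconnect-Response":
            if self._verify(msg["digest"]):       # a forged teardown without the password fails here
                self.connected = self.port_open = False
            return None
        return None

    def periodic_check(self):
        return self._challenge("AP-Check") if self.connected else None

    def check_timed_out(self) -> None:
        """No (or only a wrong) AP-Check-Response arrived: stop forwarding this user's data."""
        self.connected = self.port_open = False
        self.pending = None


def run_session(server_password: bytes, client_password: bytes, close_client_midway: bool = False) -> dict:
    """Drive link setup, one periodic check and a client-initiated teardown; report port states."""
    client, server = APClient(client_password), APServer(server_password)
    seen = {"after_setup": False, "after_check": False, "final": False, "rejected": False}
    start = server.handle(client.handle(server.handle(client.discover())))
    seen["after_setup"] = server.port_open
    if start is not None:
        client.handle(start)
        check = server.periodic_check()
        if close_client_midway:
            server.check_timed_out()                   # client gone, no response ever comes
        else:
            server.handle(client.handle(check))
            seen["after_check"] = server.port_open
            server.handle(client.handle(server.handle({"type": "AP-Disconnect-Request"})))
    seen["final"] = server.port_open
    seen["rejected"] = server.rejected
    return seen
```

The server discards each random sequence after one use, so a captured AP-Check-Response cannot be replayed against a later AP-Check, and it compares digests in constant time. A design written today would use an HMAC (or a real authenticated channel) rather than a bare MD5 over a shared secret, but the exchange structure the page describes, challenge, keyed response, periodic re-check and a verified teardown, is what the model reproduces.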
Fig. 5 is the processing flow chart of the anti-proxy software for the case where the user has not started proxy software.
● Controlling P2P traffic based on deep packet inspection
The switch applies deep inspection to P2P software so that it can identify P2P traffic, in order to limit P2P traffic accurately.
BT is taken as the example for the detailed description below. BT, full name "BitTorrent", is P2P software for multi-point downloading; it is very easy to use and is the most widely used P2P download software.
The function of controlling BT traffic is realized directly on the switch connected to the user PC; the simple network topology of its realization is shown in Fig. 4.
It has been found that the BitTorrent protocol belongs to the TCP protocol family and adopts a session-based stream mode; its handshake message format has the following feature: the start of the TCP data is <character (1 byte)> <character string (19 bytes)>, where the first byte is the fixed value "19" and the following character string has the value "BitTorrent protocol". This feature information can therefore be used to identify packets carrying BitTorrent handshake information:
1. The first byte of the TCP payload data is the character 19;
2. The 19 bytes after the character '19' are the character string 'BitTorrent protocol'.
The security switch uses a dedicated switching chip whose logical structure is shown in Fig. 6; it can build corresponding control table entries according to these feature fields of the BT handshake phase. The content of an entry comprises the packet's source IP address, destination IP address, TCP protocol number, TCP source port number and TCP destination port number. Compared with an ordinary ACL entry, the TCP source and destination port numbers in this entry are derived from the handshake messages of the BT stream, so they reflect the BT stream truly and accurately, overcoming the management difficulty caused by the BT protocol not using well-known fixed TCP port numbers.
The switching chip can locate BT streams accurately according to the entries, and the network administrators can then use ACL information such as the user's source IP address, TCP protocol number and the BT option to set the BT rate-limit value of an entry, thereby realizing accurate control of BT traffic. This BT rate-limiting feature is handled in hardware and does not affect the switch's processing performance.
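The two handshake features and the five-field control entry above, as an added Python example (this is not the patent's code or the chip's firmware): a software model that deep-inspects TCP segments, installs an entry for both directions of a flow when it sees the handshake, and lets an administrator set a per-user limit by source IP. The constructed sample segments, the class and function names and the kbit/s limits are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Feature given above: a 1-byte value 19 followed by the 19-byte string
# "BitTorrent protocol" at the very start of the TCP payload.
BT_HANDSHAKE_PREFIX = bytes([19]) + b"BitTorrent protocol"
IPPROTO_TCP = 6


def is_bt_handshake(tcp_payload: bytes) -> bool:
    """Checks (1) and (2): fixed byte 19, then 'BitTorrent protocol'."""
    n = len(BT_HANDSHAKE_PREFIX)
    return len(tcp_payload) >= n and tcp_payload[:n] == BT_HANDSHAKE_PREFIX


@dataclass(frozen=True)
class FlowEntry:
    """Control table entry: the five fields the dedicated switching chip records."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int

    def reverse(self) -> "FlowEntry":
        return FlowEntry(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


class BTControlTable:
    """Hypothetical software model of the chip's control table (limits in kbit/s)."""

    def __init__(self, default_limit_kbps: int):
        self.default_limit_kbps = default_limit_kbps
        self.entries: Dict[FlowEntry, int] = {}

    def inspect(self, src_ip, dst_ip, proto, src_port, dst_port, payload: bytes) -> Optional[FlowEntry]:
        """Deep-inspect one segment; on a BT handshake install entries for both directions."""
        if proto != IPPROTO_TCP or not is_bt_handshake(payload):
            return None
        entry = FlowEntry(src_ip, dst_ip, proto, src_port, dst_port)
        for e in (entry, entry.reverse()):
            self.entries.setdefault(e, self.default_limit_kbps)
        return entry

    def limit_for(self, src_ip, dst_ip, proto, src_port, dst_port) -> Optional[int]:
        """Rate limit applied to later segments of the flow, or None if it is not a BT flow."""
        return self.entries.get(FlowEntry(src_ip, dst_ip, proto, src_port, dst_port))

    def set_user_limit(self, user_ip: str, kbps: int) -> int:
        """Administrator sets the BT limit for every entry whose source IP is the user's."""
        changed = 0
        for e in self.entries:
            if e.src_ip == user_ip:
                self.entries[e] = kbps
                changed += 1
        return changed


# Constructed sample segments: (src_ip, dst_ip, proto, src_port, dst_port, payload).
SAMPLE_SEGMENTS = [
    ("10.0.0.5", "203.0.113.9", 6, 51515, 6881, BT_HANDSHAKE_PREFIX + bytes(48)),
    ("10.0.0.5", "198.51.100.7", 6, 51516, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.6", "203.0.113.10", 6, 40000, 12345, BT_HANDSHAKE_PREFIX + bytes(48)),  # non-standard port
    ("10.0.0.7", "203.0.113.11", 17, 40001, 6881, BT_HANDSHAKE_PREFIX + bytes(48)),  # UDP: not TCP, ignored
]


def demo() -> BTControlTable:
    """Feed the sample segments through the table, then lower one user's limit."""
    table = BTControlTable(default_limit_kbps=512)
    for segment in SAMPLE_SEGMENTS:
        table.inspect(*segment)
    table.set_user_limit("10.0.0.6", 128)
    return table
```

Because the entry is keyed on the ports seen in the handshake, the flow on port 12345 is caught just as the one on 6881 is. Detection keys on the segment that carries the start of the handshake; a flow whose handshake was missed (the session began before the switch started inspecting) gets no entry, which is the gap a deployment should expect.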
BT monitoring flow process as shown in Figure 7.
Security switch combines functions such as 802.1X, anti-agency, control P2P flow, DHCPSNOOP, has realized perfect authentification of user and monitoring, and rationally the Control Network flow has been strengthened network security.It adopts Client and the mutual pattern of Server, and Client runs on user's the PC, and Server runs on the switch.
● Uses standard DHCP SNOOP
The Client operating process on the user's PC is shown in Figure 8.
When the user needs to go online, the Client software is run first to start the 802.1X function and carry out dial-up authentication; at this point the user must enter a user name and password.
If user authentication fails, the user receives the authentication failure message sent by the Server and cannot go online; if authentication succeeds, the user receives the authentication success message sent by the Server, can obtain the IP address and other information through DHCP, and the anti-proxy function is started at the same time.
Once the user enables proxy software or closes the anti-proxy function, the security switch closes the access port and the user can no longer go online.
During normal online use, if the user sends P2P traffic, that traffic may be rate-limited according to the configuration of the security switch.
The Server operating process on the security switch is shown in Figure 9.
After the switch starts, it enables the security control function on the ports where users connect, closes all ports to general data flow, and starts 802.1X.
If user authentication fails, the Server sends an authentication failure message to the Client, the security switch does not open the port, and the user cannot go online; if authentication passes, the Server sends an authentication success message to the Client, the security switch opens the port, and user data can pass through the switch.
The DHCP Client communicates with the DHCP Server through the security switch and obtains the IP address, DNS server and other information. The security switch parses and forwards the DHCP packets, implementing the DHCP SNOOP function: on the one hand it provides the DHCP Server with concrete user location information; on the other hand it builds a user monitoring entry containing the IP address, the user's MAC address, the user access port and the VLAN of the user access port. Only packets that fully match a monitoring entry can pass through the security switch; all other packets are discarded by the security switch.
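As an added illustration (not code from the patent), the following Python sketch shows how a switch could build the DHCP SNOOP user monitoring entries described above and enforce the rule that only fully matching packets pass. The packet layout is standard BOOTP/DHCP; the trusted-port rule (server replies accepted only on the uplink), the constructed sample packets and all names are this example's assumptions.

```python
import struct
from dataclasses import dataclass

DHCP_REQUEST, DHCP_ACK = 3, 5          # option 53 message types used below
MAGIC_COOKIE = b"\x63\x82\x53\x63"

@dataclass(frozen=True)
class Binding:  # user monitoring entry: IP, MAC, access port and the port's VLAN
    ip: str
    mac: str
    port: int
    vlan: int

def build_dhcp(op: int, mtype: int, mac: bytes, yiaddr: str = "0.0.0.0") -> bytes:
    """Construct a minimal BOOTP/DHCP payload carrying only option 53 (sample input)."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0)  # op, htype, hlen, hops, xid, secs, flags
    fixed += b"\x00" * 4                                         # ciaddr
    fixed += bytes(int(o) for o in yiaddr.split("."))            # yiaddr
    fixed += b"\x00" * 8                                         # siaddr, giaddr
    fixed += mac + b"\x00" * 10 + b"\x00" * 192                  # chaddr (16), sname (64), file (128)
    return fixed + MAGIC_COOKIE + bytes([53, 1, mtype, 255])

def parse_dhcp(payload: bytes):
    """Return (message_type, yiaddr, chaddr) or None if the payload is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    yiaddr = ".".join(str(b) for b in payload[16:20])
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + payload[2]])   # hlen is byte 2
    opts, i, mtype = payload[240:], 0, None
    while i < len(opts) and opts[i] != 255:      # walk TLV options up to the end marker
        if opts[i] == 53:
            mtype = opts[i + 2]
        i += 1 if opts[i] == 0 else 2 + opts[i + 1]   # pad option has no length byte
    return mtype, yiaddr, chaddr

class SnoopingSwitch:
    """DHCP SNOOP table plus the 'only fully matching packets pass' filter."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplink ports allowed to carry server replies
        self.pending = {}                   # mac -> (port, vlan) of an outstanding REQUEST
        self.bindings = {}                  # (ip, mac) -> Binding

    def snoop(self, payload: bytes, in_port: int, vlan: int) -> bool:
        """Inspect one DHCP packet; return True if the switch should forward it."""
        parsed = parse_dhcp(payload)
        if parsed is None:
            return False
        mtype, yiaddr, mac = parsed
        if in_port in self.trusted:
            if mtype == DHCP_ACK and mac in self.pending:
                port, port_vlan = self.pending.pop(mac)   # user side learnt from its REQUEST
                self.bindings[(yiaddr, mac)] = Binding(yiaddr, mac, port, port_vlan)
            return True
        if mtype == DHCP_ACK:               # server reply arriving on a user port: rogue, drop
            return False
        if mtype == DHCP_REQUEST:
            self.pending[mac] = (in_port, vlan)
        return True

    def permit(self, src_ip: str, src_mac: str, in_port: int, vlan: int) -> bool:
        """Data-plane check: the packet must fully match a monitoring entry."""
        return self.bindings.get((src_ip, src_mac)) == Binding(src_ip, src_mac, in_port, vlan)
```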
The anti-proxy client communicates with the anti-proxy server on the security switch. If the Client finds that the user has run proxy software, it sends a message to the Server; after the Server receives it, it closes the user's access port on the security switch and forces the user offline. If the user forcibly closes the anti-proxy client, the user cannot pass the anti-proxy server's authentication, the security switch closes the access port because of the authentication failure, and the user cannot go online. If the user runs the anti-proxy client normally and does not start a proxy function, the Server keeps communicating with the Client and the user can stay online. Throughout this process, as soon as the user starts a proxy function or closes the anti-proxy client, the Server closes the port on the security switch and the user cannot continue online.
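The AP-Check / AP-Check-Response keep-alive described here (and detailed in claims 4 and 5 below), as an added example that is not the patent's own code: the keyed transform of the random sequence is HMAC-SHA256, which is this example's choice, and the PROXY-DETECTED marker, the check interval, the missed-check threshold and the run_session simulation are constructed assumptions.

```python
import hashlib
import hmac
import os

PROXY_REPORT = b"PROXY-DETECTED"   # constructed marker the client sends instead of a response

def check_response(shared_password: bytes, nonce: bytes) -> bytes:
    """Keyed transform of the random sequence; HMAC-SHA256 is this example's choice."""
    return hmac.new(shared_password, b"AP-Check" + nonce, hashlib.sha256).digest()

class APClient:  # AP Client part on the user's PC
    def __init__(self, shared_password: bytes):
        self.key = shared_password
        self.proxy_running = False           # set by the client's own proxy detection

    def handle_check(self, nonce: bytes) -> bytes:
        if self.proxy_running:               # report proxy software instead of answering
            return PROXY_REPORT
        return check_response(self.key, nonce)

class APServer:
    """AP Server part on the switch: issues AP-Check, verifies AP-Check-Response."""
    def __init__(self, shared_password: bytes, interval: float = 10.0, max_missed: int = 3):
        self.key, self.interval, self.max_missed = shared_password, interval, max_missed
        self.port_open, self.close_reason = True, None
        self.outstanding = None              # (nonce, sent_at) of the check awaiting a reply
        self.missed = 0

    def tick(self, now: float):
        """Called once per interval: count an unanswered check, then send a fresh one."""
        if not self.port_open:
            return None
        if self.outstanding is not None:
            self.missed += 1
            if self.missed >= self.max_missed:
                self.port_open, self.close_reason = False, "anti-proxy client not responding"
                return None
        nonce = os.urandom(16)               # fresh random sequence: old replies cannot be replayed
        self.outstanding = (nonce, now)
        return nonce

    def receive(self, response: bytes, now: float) -> None:
        """Accept a reply only if it matches the outstanding nonce and arrived in time."""
        if not self.port_open or self.outstanding is None:
            return
        if response == PROXY_REPORT:
            self.port_open, self.close_reason = False, "proxy software detected by client"
            return
        nonce, sent_at = self.outstanding
        expected = check_response(self.key, nonce)
        if now - sent_at <= self.interval and hmac.compare_digest(response, expected):
            self.outstanding, self.missed = None, 0

def run_session(ticks: int, proxy_from=None, client_dead_from=None):
    """Constructed simulation: returns (port_open, close_reason) after `ticks` checks."""
    password = b"example-shared-password"     # constructed shared password
    client, server = APClient(password), APServer(password)
    for t in range(ticks):
        client.proxy_running = proxy_from is not None and t >= proxy_from
        nonce = server.tick(t * server.interval)
        if nonce is None or (client_dead_from is not None and t >= client_dead_from):
            continue                          # a closed client sends no AP-Check-Response at all
        server.receive(client.handle_check(nonce), t * server.interval + 0.5)
    return server.port_open, server.close_reason
```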
The network administrator can enable or cancel the P2P traffic control function on a per-port basis at any time. P2P traffic can be limited to a range, for example 100K~50Mpps, so that the user can use P2P software freely without P2P traffic causing too great an impact on the network; of course, P2P traffic can also be refused entirely. The users subject to P2P traffic monitoring can be specified by ACL, and the user information needed for this can be obtained from the DHCP SNOOP entries. Users within the range specified by the ACL are not subject to the traffic monitoring of the security switch, and the P2P traffic they send is not controlled.
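An added example (not from the patent) that combines the BT control table entry built from handshake information (the Fig. 6 discussion above) with the per-user rate limit and ACL exemption described in this paragraph. The BT handshake prefix, the token-bucket limiter and all names are assumptions of this example, and limits are in bytes per second rather than the page's 100K~50Mpps figures.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

TCP = 6
BT_HANDSHAKE = b"\x13BitTorrent protocol"      # assumption: handshake recognised by this prefix
FlowKey = Tuple[str, str, int, int, int]      # src IP, dst IP, protocol, src port, dst port

@dataclass
class ControlEntry:
    """A control table entry: the rate-limit value plus token-bucket state."""
    limit_bps: float          # bytes per second; 0 means refuse P2P entirely
    tokens: float
    last: float

class P2PController:
    """Builds control entries from BT handshakes and rate-limits the matching flows."""
    def __init__(self, default_bps: float, exempt_users: Set[str]):
        self.default_bps = default_bps
        self.user_bps: Dict[str, float] = {}      # per-user limits set by the administrator
        self.exempt = exempt_users                # ACL range: user IPs taken from DHCP SNOOP
        self.table: Dict[FlowKey, ControlEntry] = {}

    def set_user_limit(self, user_ip: str, bps: float) -> None:
        self.user_bps[user_ip] = bps

    def learn_handshake(self, src_ip, dst_ip, sport, dport, payload: bytes, now: float) -> bool:
        """On a BT handshake, create entries for both directions of the stream."""
        if not payload.startswith(BT_HANDSHAKE) or src_ip in self.exempt:
            return False                           # not BT, or the sending user is exempt
        bps = self.user_bps.get(src_ip, self.default_bps)
        for key in ((src_ip, dst_ip, TCP, sport, dport), (dst_ip, src_ip, TCP, dport, sport)):
            self.table[key] = ControlEntry(bps, bps, now)   # bucket starts full
        return True

    def admit(self, key: FlowKey, size: int, now: float) -> bool:
        """Forwarding decision for one packet of `size` bytes on flow `key`."""
        entry = self.table.get(key)
        if entry is None:
            return True                            # not a controlled BT flow: forward normally
        if entry.limit_bps == 0:
            return False                           # administrator refused P2P entirely
        elapsed = max(0.0, now - entry.last)
        entry.tokens = min(entry.limit_bps, entry.tokens + elapsed * entry.limit_bps)
        entry.last = now
        if entry.tokens < size:
            return False                           # over the limit: drop this packet
        entry.tokens -= size
        return True
```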
Figure 10 shows a concrete multi-service Ethernet switch platform structure. In this platform the protocol-processing part is separated from the datagram-forwarding part, mainly to improve the system's data-forwarding performance.
The multi-service Ethernet switch is a multi-port 10/100M auto-sensing managed layer 2 Ethernet switch. The series comes in three specifications, 8, 16 and 24 ports, all of which can forward at full wire speed; it has functions such as Tag VLAN, port trunking and port address binding; it has a 100M optical interface slot that can take a single-mode or multi-mode 100M optical interface module, supporting four transmission ranges, 2km (multimode), 20km, 40km and 60km; and it can meet the demand for broadband network access in a variety of settings.
This series of managed switches provides an intuitive, powerful graphical network management system, supports the SNMP and HTTP protocols, and supports both in-band and out-of-band management flexibly. The network administrator can maintain and manage the network through a unified network management platform, the Web, or SGM.
This series of switches supports the IEEE 802.1d Spanning Tree Protocol; the IEEE 802.1w Rapid Spanning Tree Protocol; port-based VLAN and IEEE 802.1q VLAN; IEEE 802.1p priority queue management; IGMP Snooping with up to 256 multicast groups; port rate control with a rate-limit granularity of 64K bits per second; flow control and broadcast storm control; IEEE 802.1x authentication and Radius; SGM switch cluster management; DHCP RELAY and DHCP SNOOP; and other rich functions.
The software function module diagram of this multi-service Ethernet switch platform is shown in Figure 11. The main functions are located in the protocol stack part of the security switch, so that users can be controlled and monitored more comprehensively and completely, and configuration is easy.

Claims (7)

1. An intelligent control method for realizing Metro Ethernet switch access security, the method adopting the IEEE 802.1x protocol on the Ethernet switch and installing anti-proxy software on the user's PC and on the switch, wherein when the user needs to go online the following processing is carried out:
(1) the user-side PC runs the Client software, starts the 802.1x function and carries out dial-up authentication; the switch enables the security control function on the port where the user connects, closes all ports to general data flow, and starts the 802.1x function;
(2) if authentication fails, the server sends an authentication failure message to the user side and the switch does not open the port; if authentication passes, the server sends an authentication success message to the user side, the switch opens the port, and user data can pass through the switch;
(3) the DHCP Client communicates with the DHCP Server through the switch, and the switch parses and forwards the DHCP packets, implementing the DHCP SNOOP function;
(4) when it is detected that the user has enabled proxy software or closed the anti-proxy function, the server closes the corresponding port of the switch so that the user cannot continue online.
2. The intelligent control method for realizing Metro Ethernet switch access security as claimed in claim 1, characterized in that the method of detecting in step (4) that the user has enabled proxy software comprises:
(1) the client program judges whether a well-known proxy software program is currently running;
(2) detecting whether the client PC is bound to certain well-known ports, and judging from this whether the PC is running proxy software;
(3) the anti-proxy client program sends a connection request to this PC, with the destination IP address in the connection request set to a special address by the anti-proxy program; if this PC accepts the connection and sends a connection request to the gateway whose destination IP address is the address set by the anti-proxy program, it is judged that proxy software is running on this PC.
3. The intelligent control method for realizing Metro Ethernet switch access security as claimed in claim 2, characterized in that: when the user has enabled proxy software, the Client software on the user-side PC sends a message to the server, and after receiving the message the server closes the user's access port on the switch.
4. The intelligent control method for realizing Metro Ethernet switch access security as claimed in claim 1, characterized in that: the anti-proxy software is divided into an AP Client part running on the PC and an AP Server part running on the switch; the AP Server periodically sends an AP-Check message carrying a random sequence to the AP Client and waits for the AP-Check-Response reply from the AP Client; when the user closes the anti-proxy function, the AP Server cannot receive a correct AP-Check-Response and closes the user's access port on the switch.
5. The intelligent control method for realizing Metro Ethernet switch access security as claimed in claim 4, characterized in that: a shared password is configured between the AP Client and the AP Server, and this shared password is used to encrypt the random sequence.
6. The intelligent control method for realizing Metro Ethernet switch access security as claimed in claim 1, characterized in that: a proprietary switching chip is provided on the switch, which identifies P2P data traffic and sets up a corresponding control table entry, so that the traffic-limit value of the specific entry can be set as required.
7. The intelligent control method for realizing Metro Ethernet switch access security as claimed in claim 1, characterized in that: in step (3) the switch on the one hand provides the DHCP Server with concrete user location information and on the other hand builds a user monitoring entry containing the IP address, the user's MAC address, the user access port and the VLAN of the user access port; only packets that fully match a monitoring entry can pass through the switch, and all other packets are discarded by the switch.
CN2007100866786A 2007-03-30 2007-03-30 Intelligent control method for realizing city Ethernet exchanger switch-in security Expired - Fee Related CN101022340B (en)

Publications (2)

Publication Number Publication Date
CN101022340A true CN101022340A (en) 2007-08-22
CN101022340B CN101022340B (en) 2010-11-24

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20101124

Termination date: 20170330