CN101022340B - Intelligent control method for realizing Metro Ethernet switch access security - Google Patents

Info

Publication number: CN101022340B (application CN2007100866786A; earlier publication CN101022340A)
Authority: CN (China)
Prior art keywords: user, metro ethernet, ethernet switch, client, server
Legal status: Expired - Fee Related (as listed by Google; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 李松, 罗婷
Current and original assignee: Wuhan FiberHome Networks Co Ltd (as listed by Google; may be inaccurate)
Events: application filed by Wuhan FiberHome Networks Co Ltd; priority to CN2007100866786A; publication of CN101022340A; application granted; publication of CN101022340B; now expired (fee related)

Classification

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
Abstract

An intelligent control method for realizing Metro Ethernet switch access security. The method integrates user legitimacy authentication, prevention of illegal proxying by legitimate users, P2P traffic control and DHCP SNOOP into a single scheme for controlling and monitoring users, so as to raise the security of the network.

Description

Intelligent control method for realizing Metro Ethernet switch access security
Technical field
The invention belongs to the field of computer technology and relates to security control technology for Ethernet switches, specifically to an intelligent control method for realizing Metro Ethernet switch access security.
Background art
At present, the security control technologies commonly used on Ethernet switches are as follows:
● User legitimacy authentication
The user legitimacy authentication function most frequently used on Metro Ethernet switches is IEEE 802.1x (hereinafter 802.1x). This protocol is an access control and authentication protocol based on the Client/Server model. It prevents unauthorized user equipment from accessing the LAN/WAN through an access port. Before user equipment connected to a Metro Ethernet switch port can obtain any of the services provided by the switch or the LAN, 802.1x authenticates it. Until authentication succeeds, 802.1x lets only EAPoL (Extensible Authentication Protocol over LAN) frames pass the switch port to which the user equipment is connected; after authentication succeeds, ordinary data can pass the switch port. The protocol realizes its function through three functional entities, as shown in Figure 1.
(1) The 802.1x client on the user side
Takes the user ID and password from the user and implements the main 802.1x client functions.
(2) The Metro Ethernet switch near the user side
Implements the RADIUS authentication proxy function and, according to the authentication result returned by the RADIUS server, decides whether to open access rights on the Ethernet service port to which the user equipment is connected.
(3) The RADIUS server
Authenticates the user ID and password and returns the result to the Ethernet switch.
Each physical Ethernet port is divided into two logical ports, a controlled port and an uncontrolled port. The uncontrolled port is dedicated to processing 802.1x protocol frames; the controlled port carries the ordinary data other than 802.1x protocol frames. Access through the controlled port is subject to the authorization state of that port. The Metro Ethernet switch sets the controlled port to the authorized or unauthorized state according to the authentication result the authentication server returns for the user. A controlled port in the unauthorized state refuses to forward the user equipment's data.
In the initial state, the controlled ports of all Metro Ethernet switch ports connected to user equipment are in the unauthorized state and forward no data; only the uncontrolled port is open. The user equipment logs on to the Metro Ethernet switch through the 802.1x client; the switch sends the ID and password the user provides to the background RADIUS server (which may be local or reached remotely through WAN equipment); if the user passes authentication, the switch opens the corresponding controlled port and the user equipment can access the Internet.
This user-management method, realized on the Metro Ethernet switch, makes the networking of the whole network very simple: it is essentially built from two kinds of equipment, Metro Ethernet switches and routers, and it allows both centralized control of services (a service centre with RADIUS at its core) and distributed enforcement (on the Metro Ethernet switch close to the user).
802.1x is a port-based network access control technology. Its basic idea is that the network system controls the Ethernet port facing the end user, so that only user equipment the network system permits and authorizes can access the services of the network system.
The core of the access technology is the PAE (port access entity). In the access control flow, the port access entity comprises three parts:
Authenticator: the port that authenticates the connecting user equipment;
Supplicant: the user equipment being authenticated;
Authentication server: the device that, using the authenticator's information, actually authenticates the user equipment requesting access to network resources.
Figure 2 illustrates the effect of the controlled port's authorization state on access. The controlled port of authenticator 1 (say, one port of the Metro Ethernet switch) is in the unauthorized state, so it does not forward the user equipment's data and the user equipment cannot access the network through it; the controlled port of authenticator 2 (another port of the switch) is authorized, so it forwards the user equipment's data and the user equipment can access the network.
802.1x realizes user authentication on a layer-2 network, and the equipment can bind MAC address, port and account information, which gives high security. This function guarantees the legitimacy of the user itself, but it has limitations: it cannot guarantee that a legitimate user does not perform illegal proxy operations, cannot guarantee that a legitimate user's traffic is legitimate, and cannot realize monitoring of user equipment information at the network centre and on the network equipment.
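The controlled/uncontrolled port split and the authenticator's dependence on the authentication server's verdict can be modelled in a few lines. The Python below is an added example, not code from the patent or from FiberHome: the user dictionary standing in for the RADIUS server, the port numbers and the MAC addresses are constructed, and frames are reduced to their EtherType (EAPOL is 0x888E).

```python
import hmac

EAPOL_ETHERTYPE = 0x888E            # the only EtherType the uncontrolled port passes
IPV4_ETHERTYPE = 0x0800

# Constructed stand-in for the RADIUS server's user database (example only).
USER_DB = {"alice": "s3cret", "bob": "hunter2"}


class PortAuthenticator:
    """802.1x authenticator: one controlled-port state per physical port, all unauthorized at start."""

    def __init__(self, port_count: int):
        self.authorized = {p: False for p in range(1, port_count + 1)}
        self.binding = {}               # port -> (MAC, account): the binding the text mentions

    def forward(self, port: int, ethertype: int) -> bool:
        """Per-frame decision of the physical port."""
        if ethertype == EAPOL_ETHERTYPE:
            return True                 # uncontrolled logical port: always open
        return self.authorized[port]    # controlled logical port: only when authorized

    def authenticate(self, port: int, mac: str, user: str, password: str) -> bool:
        """Relay the credentials to the 'RADIUS server' and apply its verdict to the port."""
        expected = USER_DB.get(user)
        ok = expected is not None and hmac.compare_digest(expected, password)
        if ok:
            self.authorized[port] = True
            self.binding[port] = (mac, user)
        else:
            self.logoff(port)           # a failed attempt leaves the port unauthorized
        return ok

    def logoff(self, port: int) -> None:
        self.authorized[port] = False
        self.binding.pop(port, None)


def demo() -> dict:
    sw = PortAuthenticator(port_count=2)
    before = sw.forward(1, IPV4_ETHERTYPE)            # IPv4 before authentication: dropped
    eapol = sw.forward(1, EAPOL_ETHERTYPE)            # EAPOL frames pass regardless
    auth = sw.authenticate(1, "00:11:22:33:44:55", "alice", "s3cret")
    after = sw.forward(1, IPV4_ETHERTYPE)
    bad = sw.authenticate(2, "66:77:88:99:aa:bb", "bob", "wrong")
    return {"before": before, "eapol": eapol, "auth": auth, "after": after,
            "bad": bad, "port2": sw.forward(2, IPV4_ETHERTYPE), "binding": sw.binding}


if __name__ == "__main__":
    print(demo())
```

The example stops where the text stops: once port 1 is authorized, anything sent through it is forwarded, which is exactly why the proxying and traffic problems described next are outside what 802.1x can solve.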
● Preventing proxying by legitimate users
Although network access technology has various authentication mechanisms such as IEEE 802.1x, identity authentication cannot prevent an illegitimate PC from getting online through proxy software on a legitimate user's PC, because once the illegitimate PC's data has passed through the proxy software the access equipment can no longer distinguish it from data sent by the legitimate PC itself. The traffic of these illegitimate PCs increases network load, endangers network security and harms the interests of legitimate users.
Metro Ethernet switches currently deployed in the network do not handle the case of a legitimate user's PC acting as a proxy effectively.
● Controlling P2P traffic
P2P technology exchanges data directly between different users' PCs without a relay device or service. It breaks the traditional Client/Server model: in a peer-to-peer network every node has the same status, is both client and server, and can be a service consumer and a service provider at the same time. Because of the rapid development of P2P, the storage model of the Internet is changing from the present "content located at the centre" model to a "content stored dispersedly" model, which has changed the traffic pattern of the Internet, formerly centred on large websites.
The most commonly used P2P software on the Internet at present is BT (BitTorrent).
P2P technology has mainly brought the following changes:
(1) A change in the Internet traffic model. At present 70% of Internet traffic is P2P traffic, and traditional HTTP traffic is no longer the main flow on the Internet.
(2) A change in the individual user's traffic model. Formerly an individual user's downlink traffic (from the Internet to the user) was far larger than the uplink; since P2P uploads while it downloads, both the downlink and the uplink of an individual user are now very large.
(3) P2P traffic causes extreme congestion of the network.
Conventional network equipment such as firewalls has some packet filtering capability, but these filters are all implemented with ACLs and can usually filter only on a packet's IP address, MAC address, protocol type and port numbers. They filter traditional network traffic accurately but cannot accurately filter P2P traffic. Take BT (full name BitTorrent) as an example: the port numbers it uses are user-definable, so administrators cannot know them, and accurately monitoring BT traffic by port number is relatively difficult. This shows that a traditional firewall cannot accurately control a user's BT traffic, which leaves a security gap.
● DHCP SNOOP
DHCP SNOOP strengthens the security of DHCP and is implemented through DHCP option 82. Its purpose is to let the DHCP server know a user's detailed access information, that is, which port of which Metro Ethernet switch the user comes from, and at the same time to let the access switch control the user's access to the network.
Its first function, obtaining user information, is completed by the Metro Ethernet switch inserting DHCP option 82;
its second function, controlling the user, is completed by the hardware lookup-table function of the Metro Ethernet switch.
The simple network topology of its realization is shown in Figure 3.
The DHCP client runs on the user's PC, DHCP SNOOP runs on the Metro Ethernet switch, and the DHCP server runs on a DHCP server host that can parse DHCP option 82.
The two sub-options below both belong to DHCP option 82; they carry the Ethernet switch, VLAN and port to which the user PC is connected. DHCP option 82 is 20 bytes in total: 18 bytes of content preceded by a 1-byte option code (0x52) and a 1-byte content length (0x12). The option is placed before the END option.
Table 1: Circuit ID sub-option frame format
Suboption type (1) | Len (6) | Circuit ID type (0) | Len (4) | VLAN | Module | Port
1B                 | 1B      | 1B                  | 1B      | 2B   | 1B     | 1B
Field description:
Suboption type: 1 byte, the message type, filled with 1;
Len: 1 byte, the length of the whole sub-option, filled with 6;
Circuit ID type: filled with 0;
Len: content length;
VLAN: the VLAN the packet belongs to;
Module: module number;
Port: ingress port number;
Table 2: Remote ID sub-option frame format
Suboption type (2) | Len (8) | Remote ID type (0) | Len (6) | MAC
1B                 | 1B      | 1B                 | 1B      | 6B
Field description:
Suboption type: 1 byte, the message type, filled with 2;
Len: 1 byte, the length of the whole sub-option, filled with 8;
Remote ID type: filled with 0;
Len: content length, fixed at 6;
MAC: the Metro Ethernet switch's MAC address.
After the DHCP server receives a packet carrying DHCP option 82, it parses it, obtains the MAC address of the Metro Ethernet switch connected to this user PC, the user's access port and the VLAN of that port, and builds a database, thereby realizing monitoring of user PCs. Once a user PC behaves abnormally, the user's information can be looked up quickly in this database.
The Metro Ethernet switch, sitting between the user and the DHCP server, intercepts the DHCP packets exchanged between the user PC and the DHCP server, obtains the user PC's IP address, MAC address, ingress port number and the VLAN of the access port, and builds a monitoring entry. Only data that fully matches a monitoring entry is forwarded by the Metro Ethernet switch, so a user PC cannot get online by privately configuring an IP address, which reduces the harm caused to the network by IP address theft and by users changing their IP addresses privately.
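The option 82 layout of tables 1 and 2 and the binding table that gates forwarding are both small enough to show in working code. The Python below is an added example and not the patent's own implementation: the switch MAC, VLAN, port and client addresses are constructed, and DHCP packet handling is reduced to the option bytes and the fields the snooping entry needs.

```python
import struct

OPTION_AGENT_INFO = 0x52                # DHCP option code 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def build_option82(vlan: int, module: int, port: int, switch_mac: bytes) -> bytes:
    """Switch side: 0x52, length 0x12, then the circuit-ID and remote-ID sub-options."""
    circuit = struct.pack("!BBBBHBB", SUB_CIRCUIT_ID, 6, 0, 4, vlan, module, port)   # 8 bytes
    remote = struct.pack("!BBBB6s", SUB_REMOTE_ID, 8, 0, 6, switch_mac)               # 10 bytes
    body = circuit + remote                                                            # 18 bytes
    return bytes([OPTION_AGENT_INFO, len(body)]) + body


def parse_option82(opt: bytes) -> dict:
    """Server side: walk the sub-options and recover the user's access location."""
    if len(opt) < 2 or opt[0] != OPTION_AGENT_INFO or opt[1] != len(opt) - 2:
        raise ValueError("not a well-formed option 82")
    out, i = {}, 2
    while i < len(opt):
        if i + 2 > len(opt):
            raise ValueError("truncated sub-option header")
        sub, slen = opt[i], opt[i + 1]
        data = opt[i + 2:i + 2 + slen]
        if len(data) != slen:
            raise ValueError("truncated sub-option body")
        if sub == SUB_CIRCUIT_ID and slen == 6:
            ctype, clen, vlan, module, port = struct.unpack("!BBHBB", data)
            if (ctype, clen) != (0, 4):
                raise ValueError("unexpected circuit-ID encoding")
            out.update(vlan=vlan, module=module, port=port)
        elif sub == SUB_REMOTE_ID and slen == 8:
            rtype, rlen, mac = struct.unpack("!BB6s", data)
            if (rtype, rlen) != (0, 6):
                raise ValueError("unexpected remote-ID encoding")
            out["switch_mac"] = mac.hex(":")
        else:
            raise ValueError("unknown sub-option %d" % sub)
        i += 2 + slen
    return out


class SnoopingTable:
    """Switch side: bindings learned from DHCP ACKs; only matching traffic is forwarded."""

    def __init__(self):
        self.bindings = set()            # (ip, mac, port, vlan)

    def learn(self, ip: str, mac: str, port: int, vlan: int) -> None:
        self.bindings.add((ip, mac, port, vlan))

    def permit(self, ip: str, mac: str, port: int, vlan: int) -> bool:
        return (ip, mac, port, vlan) in self.bindings


def demo() -> dict:
    sw_mac = bytes.fromhex("001122aabbcc")                     # constructed switch MAC
    opt = build_option82(vlan=100, module=1, port=7, switch_mac=sw_mac)
    location = parse_option82(opt)                             # what the DHCP server records
    table = SnoopingTable()
    table.learn("10.0.0.5", "00:aa:bb:cc:dd:ee", 7, 100)        # taken from the DHCP ACK
    return {
        "option_len": len(opt),
        "location": location,
        "ok": table.permit("10.0.0.5", "00:aa:bb:cc:dd:ee", 7, 100),
        "static_ip": table.permit("10.0.0.9", "00:aa:bb:cc:dd:ee", 7, 100),   # privately set IP
        "spoofed_mac": table.permit("10.0.0.5", "00:de:ad:be:ef:00", 7, 100),
    }


if __name__ == "__main__":
    print(demo())
```

The parser rejects any length that does not add up, which is the check a DHCP server should make before trusting relay-agent data; the binding lookup is the full four-field match the text describes, so a host that keeps its leased MAC but sets a different address is dropped just like one that spoofs the MAC.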
DHCP SNOOP can monitor and promptly locate user PCs and goes a long way toward guaranteeing that the network plan is not damaged, but it too has limitations: it cannot verify the legitimacy of the user PC itself, cannot guarantee that a legitimate PC does not perform illegal proxy operations, and cannot limit a user PC's illegitimate traffic.
Before the technical scheme of the invention is described, some basic terms are introduced.
IP (Internet Protocol): this protocol is the basis of today's computer network interconnection; its main role is to interconnect the world's various packet networks. For details see RFC 791.
IP address: in an IP network every node needs an identifier; in the IP protocol this identifier is called the IP address (the logical address of the network node).
DNS (Domain Name System): its main function is to resolve the mapping from a network node's name to its IP address. For details see RFC 1034.
TCP (Transmission Control Protocol): runs over IP; its function is to guarantee that data is transferred correctly between two nodes of an IP network. For details see RFC 793.
Internet: the collective name for all the networks in the world that are connected by TCP/IP.
DHCP (Dynamic Host Configuration Protocol): its goal is to pass configuration information to hosts on a TCP/IP network. For details see RFC 1541 (the version cited by the patent; it has since been superseded by RFC 2131).
EAP: Extensible Authentication Protocol.
EAPOL: EAP over LANs.
RADIUS: Remote Authentication Dial In User Service.
LAN: local area network.
WAN: wide area network.
PC: personal computer.
HTTP: Hypertext Transfer Protocol, the protocol used for browsing web pages.
ACL: access list; controls data flows, usually according to a packet's IP address, MAC address, protocol type and port numbers.
VLAN: virtual LAN.
AP: anti-proxy.
AP Client: the client side of the anti-proxy software.
AP Server: the server side of the anti-proxy software.
Summary of the invention
The object of the invention is to address the problems that existing security control technologies for Metro Ethernet switches are diverse, insufficiently complete in function and relatively complex to configure, by proposing an intelligent control method for realizing Metro Ethernet switch access security. The method combines the multiple existing security control technologies of the Metro Ethernet switch so that users can be controlled and monitored more comprehensively and completely, with easy configuration, thus further improving the security, stability and operability of the network.
The technical scheme of the invention is as follows: an intelligent control method for realizing Metro Ethernet switch access security, in which the IEEE 802.1x protocol is used on the Metro Ethernet switch and the user PC, anti-proxy software is installed on both (AP Server running on the Metro Ethernet switch and AP Client on the user PC), and when the user needs to go online the following process is carried out:
(1) The user PC runs the AP Client software, starts the 802.1x function and performs 802.1x authentication; the Metro Ethernet switch enables the security control function on the port the user PC connects to, keeps all ports connected to user PCs closed, and starts the 802.1x Server function;
(2) If 802.1x authentication fails, the 802.1x Server sends an authentication failure message to the user PC and the Metro Ethernet switch does not open the port; if authentication succeeds, the 802.1x Server sends an authentication success message to the user PC and opens the switch port connected to that user PC, and the user PC can go online through the opened Metro Ethernet switch;
(3) The DHCP client (bundled with the user PC's operating system) communicates with the DHCP server through the Metro Ethernet switch; the switch parses and forwards the DHCP packets, realizing the DHCP SNOOP function;
(4) When it is detected that the user PC has enabled proxy software or has closed AP Client, AP Server closes the Metro Ethernet switch port connected to that user PC, so that the PC can no longer stay online.
In step (4), the method for detecting whether the user PC has enabled proxy software comprises:
(4.1) AP Client judges whether any well-known proxy software program is currently running;
(4.2) AP Client inspects the packets the user PC receives;
(4.3) AP Client sends a connection request to this user PC with the destination IP address in the request set to a special address; if the PC accepts the connection and then sends a connection request to the gateway whose destination IP address is the address AP Client set, AP Client concludes that proxy software is running on this user PC.
Further, when the user PC has enabled proxy software, the client software on the user PC sends a message to AP Server, and AP Server, after receiving it, closes the Metro Ethernet switch interface connected to that user PC.
In the method described above, the anti-proxy software is divided into AP Client, which runs on the user PC, and AP Server, which runs on the Metro Ethernet switch. AP Server periodically sends an AP-Check message carrying a random sequence to AP Client and waits for the AP-Check-Response from AP Client; if the user PC closes AP Client, AP Server cannot receive a correct AP-Check-Response and closes the Metro Ethernet switch port connected to that user PC.
A shared password exists between AP Client and AP Server, and the random sequence is encrypted using the shared password.
In the method described above, a dedicated switching chip is provided on the Metro Ethernet switch; it identifies P2P data traffic and builds corresponding control table entries, so that a traffic limit value can be set for a specific entry as required.
In the method described above, in step (3) the Metro Ethernet switch on the one hand provides the DHCP server with specific locating information about the user PC, and on the other hand builds a user monitoring entry comprising the user PC's IP address, MAC address, ingress port number and the VLAN of the access port; only data that fully matches the monitoring entry can pass the Metro Ethernet switch, and the remaining data is discarded by it.
The beneficial effect of the invention is that the secure Metro Ethernet switch comprehensively realizes user legitimacy authentication, prevention of illegal proxying by legitimate users, P2P traffic control and the DHCP SNOOP function, so that users can be controlled and monitored more comprehensively and completely, with easy configuration, thus further improving the security, stability and operability of the network. Of these, the prevention of illegal proxying by legitimate users and the control of P2P traffic use a distinctive anti-proxy mechanism and P2P traffic control mechanism, which realize complete user monitoring, control network traffic reasonably and strengthen network security.
Description of drawings
Figure 1 is a schematic diagram of the Ethernet port user management authentication model.
Figure 2 is a schematic diagram of the controlled states of the controlled port.
Figure 3 is a schematic diagram of the DHCP application.
Figure 4 is the simple network topology for the anti-proxy application and P2P detection.
Figure 5 is the anti-proxy software flowchart.
Figure 6 is the logic diagram of the dedicated switching chip.
Figure 7 is the switch-side P2P monitoring flowchart.
Figure 8 is the user-side controlled data flowchart.
Figure 9 is the security switch data flowchart.
Figure 10 is a schematic diagram of the multi-service Ethernet switch platform.
Figure 11 is a schematic diagram of the multi-service Ethernet switch software function modules.
Embodiments
The invention is described in detail below with reference to the drawings and embodiments.
● Adopting the IEEE 802.1x protocol
This protocol is an access control and authentication protocol based on the Client/Server model. It prevents unauthorized user equipment from accessing the LAN/WAN through an access port. Before user equipment connected to a Metro Ethernet switch port can obtain any of the services provided by the switch or the LAN, 802.1x authenticates it. Until authentication succeeds, 802.1x lets only EAPoL (Extensible Authentication Protocol over LAN) frames pass the switch port to which the user equipment is connected; after authentication succeeds, ordinary data can pass the Metro Ethernet switch port.
● Anti-proxy realized by binding port authentication on the Metro Ethernet switch to an application program
User identity authentication technology, of which 802.1x is representative, cannot prevent an illegitimate user PC from getting online through proxy software on a legitimate user's PC: after the illegitimate PC's data has been processed by the proxy software, the Metro Ethernet switch can no longer distinguish it from data sent by the legitimate PC, so the illegitimate PC can access the network. This situation harms the interests of other legitimate users and introduces insecurity into the network.
An anti-proxy protocol can prevent this situation. The existing authentication mechanism already guarantees verification of the legitimate user; if it can also be confirmed that the legitimate user's PC has not installed and is not using proxy software, the network can accept that PC's data. The solution is anti-proxy software, divided into AP Client, which runs on the user PC, and AP Server, which runs on the Metro Ethernet switch. If AP Client finds that the user PC has used proxy software, it notifies AP Server, and AP Server forbids the user PC from sending data to the network; to prevent a legitimate PC from simply not enabling the anti-proxy software, AP Server also has to make sure that the legitimate PC is actually running AP Client.
After the anti-proxy software starts, AP Server closes all Metro Ethernet switch ports connected to user PCs, and only after AP Client passes the anti-proxy authentication does AP Server open the switch port connected to it. If a user PC does not start AP Client, AP Server does not let it pass authentication and its data cannot pass the Metro Ethernet switch. After the user PC has started AP Client, AP Client automatically checks whether the PC has enabled a proxy function; if it has, AP Client sends a message to AP Server, which closes the switch port connected to that PC and forces it offline.
The anti-proxy protocol consists of AP Client and AP Server; AP Client runs on the user's PC and AP Server runs on the Metro Ethernet switch.
The simple network topology of its realization is shown in Figure 4.
The methods for discovering whether a user PC has used proxy software are as follows:
(1) Whether well-known proxy software is running: AP Client judges whether any well-known proxy software program is currently running.
(2) Inspecting the packets received by the legitimate PC. Once AP Client is running it analyses the packets received by the user PC's network card; if a "PROXY" feature field appears in a packet header, the packet comes from an illegitimate PC that needs proxying, which shows that this legitimate PC is running proxy software and performing a proxy function.
(3) Detection by sending a packet. AP Client sends a connection request to this user PC (with the destination IP address in the request set to a special address by AP Client); if the PC accepts the connection and then sends a connection request to the gateway whose destination IP address is the one AP Client set, it can be determined that proxy software is running on this user PC.
The processing after AP Client finds that the user PC has used proxy software is as follows: once it finds that the user PC has opened proxy software, for example ProxyCap, MagicProxy or Proxifier, and is performing a proxy service, AP Client sends an AP-Disconnect-Request message requesting disconnection. After AP Server receives and processes the AP-Disconnect-Request, it closes the Metro Ethernet switch port connected to that user PC and the PC is forced offline.
The procedure that guarantees the user starts the anti-proxy software is as follows:
Link setup:
A shared password exists between AP Client and AP Server. First, the AP Client on the user PC sends an AP-Discover message to the network; on receiving it, AP Server replies with AP-Check, which carries a random sequence. After AP Client receives the AP-Check message it sends AP-Check-Response as the reply; before replying it must encrypt the random sequence with the shared password using the MD5 algorithm and insert the result into AP-Check-Response. If AP Server finds that the Check-Response fails, the AP Client used by the user PC is illegitimate; AP Server shuts the user PC off directly without sending an AP-Disconnect message, and the PC must wait for a period before it can connect again. If the AP-Check-Response is correct, AP Server sends an AP-Start message to AP Client; on receiving it AP Client begins checking for proxy software and enters the connected state, AP Server opens the Metro Ethernet switch port connected to the user PC, and the PC's data can pass the switch.
After that, AP Server periodically sends AP-Check messages to the AP Client on the user PC and waits for AP Client's AP-Check-Response (which likewise has to be encrypted), to prevent the user PC from closing AP Client midway. Once the user PC closes AP Client, AP Server either receives no AP-Check-Response or receives only a forged, incorrect one, and it closes the Metro Ethernet switch port connected to that user PC.
Link teardown:
Either AP Client or AP Server can initiate teardown. The initiator first sends an AP-Disconnect-Request message; on receiving it, the recipient sends an AP-Disconnect-Check message containing a random sequence; the teardown requester must compute over the random sequence and send an AP-Disconnect-Response message to the peer; if the recipient finds the computed result in AP-Disconnect-Response correct it disconnects, otherwise it does not. The verification is added to the teardown process mainly to prevent a malicious user from forging teardown messages to remove the connection between another user PC's AP Client and the AP Server on the Metro Ethernet switch.
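The setup, keep-alive and teardown exchanges above can be run end to end with both sides in one process. The Python below is an added example, not the patent's or FiberHome's code: message names follow the text, while the field names, the 16-byte random sequence, the lockout flag and the shared password are assumptions, and the "switch port" is just a boolean on the server object. The digest is MD5 over the random sequence followed by the shared password, as the text states.

```python
import hashlib
import hmac
import os

SECRET = b"shared-secret"        # constructed shared password for the example


def ap_digest(nonce: bytes, password: bytes) -> str:
    """MD5 over the random sequence and the shared password, as the text describes."""
    return hashlib.md5(nonce + password).hexdigest()


class APClient:                  # runs on the user PC
    def __init__(self, password: bytes):
        self.password, self.connected = password, False

    def handle(self, msg):
        """Answer a challenge; return the reply, or None if there is nothing to send."""
        t = msg["type"]
        if t in ("AP-Check", "AP-Disconnect-Check"):
            reply = "AP-Check-Response" if t == "AP-Check" else "AP-Disconnect-Response"
            return {"type": reply, "digest": ap_digest(msg["nonce"], self.password)}
        if t == "AP-Start":
            self.connected = True    # from here on AP Client checks for proxy software
        return None


class APServer:                  # runs on the switch, owns one user PC's port state
    def __init__(self, password: bytes):
        self.password = password
        self.port_open = self.connected = self.locked = False
        self.nonce = None            # random sequence awaiting a response

    def challenge(self, kind="AP-Check"):
        self.nonce = os.urandom(16)
        return {"type": kind, "nonce": self.nonce}

    def _verify(self, msg) -> bool:
        expected = ap_digest(self.nonce, self.password) if self.nonce is not None else None
        self.nonce = None
        return expected is not None and hmac.compare_digest(msg.get("digest", ""), expected)

    def handle(self, msg):
        """Process one client message; None means no reply arrived within the check interval."""
        if msg is None:
            self.port_open = self.connected = False
            return None
        t = msg["type"]
        if t == "AP-Discover":
            return None if self.locked else self.challenge("AP-Check")
        if t == "AP-Check-Response":
            if not self._verify(msg):        # illegitimate client: shut off silently
                self.port_open = self.connected = False
                self.locked = True
                return None
            if not self.connected:           # first success: open the port
                self.connected = self.port_open = True
                return {"type": "AP-Start"}
            return None                      # periodic keep-alive passed
        if t == "AP-Disconnect-Request":
            return self.challenge("AP-Disconnect-Check")
        if t == "AP-Disconnect-Response" and self._verify(msg):
            self.port_open = self.connected = False   # verified teardown only
        return None


def exchange(client, server, msg):
    """Deliver a client message and route replies until one side has nothing to send."""
    while msg is not None:
        reply = server.handle(msg)
        msg = client.handle(reply) if reply is not None else None


def scenario_normal() -> dict:
    c, s = APClient(SECRET), APServer(SECRET)
    exchange(c, s, {"type": "AP-Discover"})                # link setup
    setup = s.port_open
    exchange(c, s, c.handle(s.challenge()))                # periodic AP-Check answered
    keepalive = s.port_open
    exchange(c, s, {"type": "AP-Disconnect-Request"})     # proxy found: client tears down
    return {"setup": setup, "keepalive": keepalive, "teardown": s.port_open}


def scenario_wrong_password() -> dict:
    c, s = APClient(b"guess"), APServer(SECRET)
    exchange(c, s, {"type": "AP-Discover"})
    retry = s.handle({"type": "AP-Discover"})
    return {"port": s.port_open, "locked": s.locked, "retry_answered": retry is not None}


def scenario_client_killed() -> dict:
    c, s = APClient(SECRET), APServer(SECRET)
    exchange(c, s, {"type": "AP-Discover"})
    s.challenge()
    s.handle(None)                                        # AP Client closed: no response
    return {"port": s.port_open}


def scenario_forged_teardown() -> dict:
    c, s = APClient(SECRET), APServer(SECRET)
    exchange(c, s, {"type": "AP-Discover"})
    s.handle({"type": "AP-Disconnect-Request"})           # attacker without the password
    s.handle({"type": "AP-Disconnect-Response", "digest": "00" * 16})
    return {"port": s.port_open}
```

The forged-teardown scenario is the case the last paragraph above guards against: without the shared password the attacker cannot answer AP-Disconnect-Check, so the port stays open. The digest is written exactly as the patent describes it (MD5 of the random sequence concatenated with the password); an engineer implementing this today would use an HMAC with a current hash and would feed the message type into it as well, so that the response to one kind of challenge in this example could not be presented as the response to another.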
Figure 5 is the anti-proxy software processing flowchart for the case in which the user has not started proxy software.
● Controlling P2P traffic by deep inspection of packets
The Metro Ethernet switch identifies P2P traffic by applying deep inspection to P2P software, so that P2P traffic can be limited accurately.
BT is taken as the example below. BT, whose full name is "BitTorrent", is P2P software for multi-point downloading; it is very easy to use and is the most widely used P2P download software.
The function of controlling BT traffic is realized directly on the Metro Ethernet switch to which the user PC is connected; the simple network topology of its realization is shown in Figure 4.
It was found that the BitTorrent protocol belongs to the TCP protocol family and uses a session-based stream model, and that its handshake message format has the following feature: the start of the TCP data is <character (1 byte)> <string (19 bytes)>, where the first byte is the fixed value 19 and the following string is "BitTorrent protocol". This feature can therefore be used to identify packets carrying BitTorrent handshake information:
1. The first byte of the TCP payload is the value 19;
2. The 19 bytes following that byte are the string 'BitTorrent protocol'.
The Metro Ethernet switch uses a dedicated switching chip, whose logical structure is shown in Figure 6; it builds corresponding control table entries from these features of the BT handshake phase. An entry comprises the packet's source IP address, destination IP address, TCP protocol number, TCP source port and TCP destination port. Compared with a common ACL entry, the TCP source and destination ports of this entry are taken from the handshake message of the BT stream, so they reflect the BT stream truly and accurately and overcome the management difficulty caused by the BT protocol not using a well-known fixed TCP port.
The switching chip locates BT streams accurately from these entries, and on that basis network administrators can use ACL information such as the user's source IP address, TCP protocol number and BT option to set the BT rate limit value for the entry, thus realizing accurate control of BT traffic. This BT metering feature is handled in hardware and does not affect the switch's processing performance.
BT monitoring flow process as shown in Figure 7.
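The handshake signature and the five-field control entry described above, as an added software model (this is not the patent's code, and the switching chip's behaviour is not disclosed beyond the text). The per-user rate-limit policy, keyed by source IP, and the decision to let both directions of a session hit the same entry are assumptions; the sample packets are constructed:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TCP = 6
BT_PSTRLEN = 19                    # fixed first byte of the BT handshake payload
BT_PSTR = b"BitTorrent protocol"   # the 19-byte string that follows it


@dataclass(frozen=True)
class Packet:
    """Minimal view of one TCP segment as the switch sees it."""
    src_ip: str
    dst_ip: str
    proto: int
    sport: int
    dport: int
    payload: bytes


# A control entry is keyed by the five fields the description lists.
FlowKey = Tuple[str, str, int, int, int]


def is_bt_handshake(payload: bytes) -> bool:
    """True when the TCP payload starts with <19><'BitTorrent protocol'>."""
    return (len(payload) >= 1 + BT_PSTRLEN
            and payload[0] == BT_PSTRLEN
            and payload[1:1 + BT_PSTRLEN] == BT_PSTR)


def flow_key(pkt: Packet) -> FlowKey:
    return (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.sport, pkt.dport)


def reverse_key(key: FlowKey) -> FlowKey:
    src, dst, proto, sport, dport = key
    return (dst, src, proto, dport, sport)


class BTControlTable:
    """Software model of the control table the switching chip builds.

    policy_kbps maps a monitored user IP to its BT rate limit in kbit/s
    (0 = refuse BT completely). User IPs absent from the policy are not
    monitored, as the description says for PCs selected by ACL. The policy
    format and the matching of both flow directions are assumptions.
    """

    def __init__(self, policy_kbps: Dict[str, int]):
        self.policy = policy_kbps
        self.entries: Dict[FlowKey, int] = {}

    def learn(self, pkt: Packet) -> Optional[FlowKey]:
        """Install an entry from a handshake packet; return its key or None."""
        if pkt.proto != TCP or not is_bt_handshake(pkt.payload):
            return None
        if pkt.src_ip not in self.policy:
            return None                       # user is not monitored
        key = flow_key(pkt)
        limit = self.policy[pkt.src_ip]
        self.entries[key] = limit
        self.entries[reverse_key(key)] = limit  # peer's replies hit the same entry
        return key

    def action(self, pkt: Packet) -> str:
        """'forward', 'drop' or 'limit:<kbps>' for any packet."""
        limit = self.entries.get(flow_key(pkt))
        if limit is None:
            return "forward"
        if limit == 0:
            return "drop"
        return f"limit:{limit}kbps"


def process(packets: List[Packet], policy_kbps: Dict[str, int]) -> List[str]:
    """Run a packet sequence through a fresh table; return the action per packet."""
    table = BTControlTable(policy_kbps)
    actions = []
    for pkt in packets:
        table.learn(pkt)               # only handshake packets create entries
        actions.append(table.action(pkt))
    return actions


# Constructed sample traffic (not captured data): a BT handshake, the peer's
# reply on the same session, an unrelated HTTP request, and a handshake from
# a user that is not in the policy.
HANDSHAKE = bytes([BT_PSTRLEN]) + BT_PSTR + bytes(8) + b"I" * 20 + b"P" * 20
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.9", TCP, 51234, 6881, HANDSHAKE),
    Packet("203.0.113.9", "10.0.0.5", TCP, 6881, 51234, b"\x00\x00\x00\x05\x04\x00\x00\x00"),
    Packet("10.0.0.5", "203.0.113.9", TCP, 51234, 80, b"GET / HTTP/1.1\r\n"),
    Packet("10.0.0.7", "203.0.113.9", TCP, 40000, 6881, HANDSHAKE),
]
POLICY = {"10.0.0.5": 512}          # 10.0.0.5 limited to 512 kbit/s of BT

if __name__ == "__main__":
    for pkt, act in zip(SAMPLE, process(SAMPLE, POLICY)):
        print(f"{pkt.src_ip}:{pkt.sport} -> {pkt.dst_ip}:{pkt.dport}  {act}")
```

The point the text makes is visible in the sample: the entry is created from the ports seen in the handshake, so the peer's reply on the same session is limited without any well-known port having to be configured, while the same user's HTTP request on another port is forwarded untouched.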
The Metro Ethernet switch combines the 802.1x, anti-proxy, P2P traffic control and DHCP SNOOP functions, achieving complete user authentication and monitoring, controlling network traffic reasonably and strengthening network security. It adopts a Client/Server interaction model: 802.1x Client and AP Client run on the user PC, while 802.1x Server and AP Server run on the Metro Ethernet switch.
● adopt standard DHCP SNOOP
The operating process of the DHCP Client on the user PC is shown in Figure 8.
When the user PC needs to access the network, it first runs AP Client, which starts 802.1x Client and performs 802.1x authentication; at this point the user must enter a user name and password.
If the user PC fails authentication, it receives the authentication failure message sent by 802.1x Server and cannot access the network; if the user PC is authenticated successfully, it receives the authentication success message sent by 802.1x Server, can obtain its IP address information through DHCP, and at the same time starts the anti-proxy function.
Once the user PC enables proxy software or closes AP Client, AP Server closes its access port and the user is forced offline.
During normal network use, if the user PC sends P2P traffic, that traffic may be rate-limited depending on the configuration of the Metro Ethernet switch.
The operating process of AP Server and 802.1x Server on the Metro Ethernet switch is shown in Figure 9.
After the Metro Ethernet switch starts, it enables the security control function on the ports to which user PCs are connected, all of these ports are closed to general data traffic, and AP Server and 802.1x Server are started.
If user authentication fails, 802.1x Server sends an authentication failure message to 802.1x Client, the Metro Ethernet switch does not open the port, and the user PC's data cannot pass through the Metro Ethernet switch; if user authentication passes, 802.1x Server sends an authentication success message to 802.1x Client, the Metro Ethernet switch opens the port, and the user PC's data can pass through the Metro Ethernet switch.
DHCP Client communicates with DHCP Server through the Metro Ethernet switch and obtains the IP address and DNS server information. The Metro Ethernet switch parses and forwards the DHCP packets, implementing the DHCP SNOOP function: on the one hand it provides concrete user location information to DHCP Server, and on the other hand it sets up a user monitoring entry containing the user PC's IP address, MAC address, access port number and the VLAN of the access port. Only data that fully matches a monitoring entry may pass through the Metro Ethernet switch; all other data is discarded by the Metro Ethernet switch.
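The DHCP SNOOP behaviour just described, as an added example that is not the patent's code. It parses the standard BOOTP/DHCP message layout (RFC 2131), records the client's port and VLAN when its request arrives on an untrusted port, and creates the four-field monitoring entry from the server's DHCPACK. The text does not say how "user location information" reaches the DHCP Server; the standard DHCP Option 82 relay-agent information (RFC 3046) is assumed here, and the circuit-id encoding (VLAN, port) and the sample messages are constructed:

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MSG_TYPE, OPT_AGENT_INFO, OPT_END = 53, 82, 255
DHCPREQUEST, DHCPACK = 3, 5


@dataclass(frozen=True)
class Binding:
    """User monitoring entry: IP address, MAC address, access port, VLAN."""
    ip: str
    mac: str
    port: int
    vlan: int


def parse_dhcp(data: bytes):
    """Return (op, yiaddr, chaddr, options) from a raw DHCP message."""
    if len(data) < 240 or data[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, hlen = data[0], data[2]
    yiaddr = ".".join(str(b) for b in data[16:20])
    chaddr = ":".join(f"{b:02x}" for b in data[28:28 + hlen])
    opts, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                     # pad option, no length byte
            i += 1
            continue
        length = data[i + 1]
        opts[data[i]] = data[i + 2:i + 2 + length]
        i += 2 + length
    return op, yiaddr, chaddr, opts


def build_dhcp(op: int, msg_type: int, yiaddr: str, mac: str) -> bytes:
    """Construct a minimal DHCP message (sample data for the demo only)."""
    ip = bytes(int(x) for x in yiaddr.split("."))
    head = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, 0x3903F326, 0, 0,
                       bytes(4), ip, bytes(4), bytes(4))
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    return (head + chaddr + bytes(64) + bytes(128) + DHCP_MAGIC
            + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END]))


class SnoopingSwitch:
    def __init__(self):
        self.pending: Dict[str, Tuple[int, int]] = {}   # client MAC -> (port, vlan)
        self.bindings: Dict[str, Binding] = {}           # client IP -> entry

    def on_client_dhcp(self, data: bytes, port: int, vlan: int) -> bytes:
        """Untrusted port -> server: note where the client is, add option 82."""
        _, _, chaddr, _ = parse_dhcp(data)
        self.pending[chaddr] = (port, vlan)
        circuit_id = struct.pack("!HH", vlan, port)            # assumed encoding
        agent_info = bytes([1, len(circuit_id)]) + circuit_id  # sub-option 1
        opt82 = bytes([OPT_AGENT_INFO, len(agent_info)]) + agent_info
        end = data.rfind(bytes([OPT_END]))   # any bytes after END are zero pad
        return data[:end] + opt82 + data[end:]

    def on_server_dhcp(self, data: bytes) -> Optional[Binding]:
        """Trusted port -> client: a DHCPACK creates the monitoring entry."""
        op, yiaddr, chaddr, opts = parse_dhcp(data)
        if op != BOOTREPLY or opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]):
            return None
        if chaddr not in self.pending:
            return None                      # ACK for a client never seen
        port, vlan = self.pending.pop(chaddr)
        entry = Binding(yiaddr, chaddr, port, vlan)
        self.bindings[yiaddr] = entry
        return entry

    def permit(self, src_ip: str, src_mac: str, port: int, vlan: int) -> bool:
        """Forward a user data frame only if all four fields match an entry."""
        return self.bindings.get(src_ip) == Binding(src_ip, src_mac, port, vlan)


def demo():
    """Constructed exchange: REQUEST on port 3 / VLAN 100, ACK for 10.0.0.5."""
    sw = SnoopingSwitch()
    mac = "00:11:22:33:44:55"
    req = sw.on_client_dhcp(build_dhcp(BOOTREQUEST, DHCPREQUEST, "0.0.0.0", mac), 3, 100)
    entry = sw.on_server_dhcp(build_dhcp(BOOTREPLY, DHCPACK, "10.0.0.5", mac))
    return req, entry, sw


if __name__ == "__main__":
    _, entry, sw = demo()
    print(entry)
    print(sw.permit("10.0.0.5", "00:11:22:33:44:55", 3, 100))   # matching frame
    print(sw.permit("10.0.0.5", "00:11:22:33:44:55", 4, 100))   # same IP, wrong port
```

The check in `permit` is what gives the entry its value against address spoofing: a frame carrying a bound IP address is dropped if it arrives with a different MAC address, on a different port, or in a different VLAN than the one the DHCP exchange was observed on.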
AP Client communicates with AP Server. If AP Client finds that the user has run proxy software, it sends a message to AP Server; on receiving it, AP Server closes the user PC's access port on the Metro Ethernet switch and forces the user PC offline. If the user PC forcibly closes AP Client, the user PC cannot pass AP Server's authentication, and AP Server closes the port of the Metro Ethernet switch connecting that user PC. If the user PC runs AP Client normally and has not enabled the proxy function, AP Server keeps communicating with AP Client, keeps the port of the Metro Ethernet switch connecting that user PC open, and the user PC's data can pass through the Metro Ethernet switch. Throughout this process, as soon as the user PC starts the proxy function or closes AP Client, AP Server closes the port of the Metro Ethernet switch connecting that user PC, so that its data can no longer pass through.
The network management staff can enable or cancel the P2P traffic control function per port at any time. P2P traffic can be limited to a range, for example a P2P traffic range of 100K~50Mpps can be specified, so that users can use P2P software freely without P2P traffic causing too large an impact on the network; of course, P2P traffic can also be refused completely. The user PCs on which P2P traffic monitoring is applied can be specified through an ACL, and the user information needed for this can be obtained from the DHCP SNOOP entries; users within the scope specified by the ACL are not subject to the traffic monitoring of the secure Metro Ethernet switch, and the P2P traffic they send is not controlled.
Figure 10 shows the structure of a concrete Metro Ethernet switch platform. The protocol processing part of this platform is separated from the forwarding of data packets, mainly to improve the system's data forwarding performance.
This series of Metro Ethernet switches has multiple 10/100M auto-negotiating ports. The series comes in three specifications of 8, 16 and 24 ports, all of which forward at full wire speed; it has Tag VLAN, port trunking and port address binding functions; it has a 100M optical interface slot that accepts a single-mode or multi-mode 100M optical interface module, with four supported transmission distances of 2km (multi-mode), 20km, 40km and 60km; and it can meet the demands of broadband network access in a variety of situations.
This series of Metro Ethernet switches provides an intuitive and powerful graphical network management system, supporting SNMP and HTTP as well as flexible in-band and out-of-band network management. The network manager can maintain and manage the network through a unified network management platform, through the Web, or through SGM.
This series of Metro Ethernet switches supports: the IEEE 802.1d Spanning Tree Protocol; the IEEE 802.1w Rapid Spanning Tree Protocol; port-based VLAN and IEEE 802.1q VLAN; IEEE 802.1p priority queue management; IGMP Snooping with at most 256 multicast groups; port rate control with a rate-limit granularity of 64K bits per second; flow control and broadcast storm control; IEEE 802.1x authentication and Radius; Metro Ethernet switch cluster management (SGM); DHCP RELAY and DHCP SNOOP.
The software function module diagram of this series of Metro Ethernet switch platforms is shown in Figure 11. The main functions are located in the protocol stack part of the Metro Ethernet switch; these functions enable the Metro Ethernet switch to control and monitor users more comprehensively and completely, and they are easy to configure.

Claims (5)

1. An intelligent control method for realizing Metro Ethernet switch access security, wherein the method adopts the IEEE 802.1x protocol on the Ethernet switch and anti-proxy software is installed on the user PC and on the Metro Ethernet switch, and when the user PC needs to access the network the following process is carried out:
(1) the user PC runs the AP Client software, which starts the 802.1x Client function and performs 802.1x authentication; the Metro Ethernet switch enables the security control function on the port to which the user PC is connected, all ports connecting user PCs are closed, and the 802.1x Server function is started;
(2) if 802.1x authentication fails, 802.1x Server sends an authentication failure message to the user PC and the Metro Ethernet switch does not open the port; if authentication passes, 802.1x Server sends an authentication success message to the user PC, the port of the Metro Ethernet switch connecting said user PC is opened, and the user PC can access the network through the Metro Ethernet switch;
(3) the DHCP Client that comes with the user PC's operating system communicates with DHCP Server through the Metro Ethernet switch, and the Metro Ethernet switch parses and forwards the DHCP packets, implementing the DHCP SNOOP function;
(4) when it is detected that the user PC has enabled proxy software or closed AP Client, AP Server closes the port of the Metro Ethernet switch connecting said user PC, so that this user PC can no longer access the network;
wherein in step (4) the method of detecting whether the user PC has enabled proxy software comprises:
(4.1) AP Client judges whether a well-known proxy software program is currently running;
(4.2) AP Client inspects the packets received by the user PC;
(4.3) AP Client sends a connection request to this user PC in which it sets the destination IP address to a special address; if this user PC accepts the connection and sends a connection request to the gateway whose destination IP address is the one set by AP Client, then AP Client judges that proxy software is running on this user PC;
and in step (4) the user PC that enables proxy software is handled as follows: when the user PC enables proxy software, the AP Client on the user PC sends a message to AP Server, and after receiving the message AP Server closes the port of the Metro Ethernet switch connecting said user PC.
2. The intelligent control method for realizing Metro Ethernet switch access security according to claim 1, characterized in that: AP Server periodically sends an AP-Check message carrying a random sequence to AP Client and waits for the AP-Check-Response returned by AP Client; if the user PC closes AP Client, AP Server cannot receive a correct AP-Check-Response, and said AP Server closes the port of the Metro Ethernet switch connecting said user PC.
3. The intelligent control method for realizing Metro Ethernet switch access security according to claim 2, characterized in that: a shared password exists between AP Client and AP Server, and the random sequence is encrypted using this shared password.
4. The intelligent control method for realizing Metro Ethernet switch access security according to claim 1, characterized in that: a dedicated switching chip is provided on the Metro Ethernet switch, which identifies P2P data traffic and sets up corresponding control table entries, so that the traffic-limit value of a specific entry can be set as required.
5. The intelligent control method for realizing Metro Ethernet switch access security according to claim 1, characterized in that: in step (3), the Metro Ethernet switch on the one hand provides concrete user location information to DHCP Server, and on the other hand sets up a user monitoring entry containing the user PC's IP address, MAC address, access port number and the VLAN information of the user access port; only data that fully matches a monitoring entry may pass through the Metro Ethernet switch, and all other data is discarded by the Metro Ethernet switch.
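The AP-Check / AP-Check-Response keepalive of claims 2 and 3 (and the AP Client / AP Server exchange in the description), as an added example that is not the patent's code. Claim 3 says the random sequence is "encrypted" with the shared password; here HMAC-SHA256 over the sequence is used for that binding instead, so the response proves possession of the password without revealing it. The message layout, the 16-byte sequence length and the three-miss threshold before the port is closed are assumptions, and the password is a constructed sample value:

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


def ap_check_response(shared_password: bytes, sequence: bytes) -> bytes:
    """AP Client side: bind the received random sequence to the shared password.

    HMAC-SHA256 stands in for the claim's "encrypt the random sequence with the
    shared password"; only a holder of the password can produce this value.
    """
    return hmac.new(shared_password, sequence, hashlib.sha256).digest()


class APClient:
    """User-PC side. alive_for limits how many checks it answers (None = always),
    which models the user closing AP Client part-way through a session."""

    def __init__(self, shared_password: bytes, alive_for: Optional[int] = None):
        self.secret = shared_password
        self.alive_for = alive_for
        self.answered = 0

    def handle_ap_check(self, sequence: bytes) -> Optional[bytes]:
        if self.alive_for is not None and self.answered >= self.alive_for:
            return None                       # client closed: no response at all
        self.answered += 1
        return ap_check_response(self.secret, sequence)


class APServer:
    """Switch side: issues AP-Check, verifies AP-Check-Response, closes the port."""

    MAX_MISSES = 3      # assumed: consecutive failed checks before the port closes

    def __init__(self, shared_password: bytes):
        self.secret = shared_password
        self.outstanding: Dict[int, bytes] = {}   # port -> sequence awaiting reply
        self.misses: Dict[int, int] = {}
        self.port_open: Dict[int, bool] = {}

    def open_port(self, port: int) -> None:
        self.port_open[port] = True
        self.misses[port] = 0

    def send_ap_check(self, port: int) -> bytes:
        """Issue a fresh random sequence; a reply to an older one no longer matches."""
        sequence = secrets.token_bytes(16)
        self.outstanding[port] = sequence
        return sequence

    def receive_response(self, port: int, response: Optional[bytes]) -> bool:
        """Evaluate the reply for the current check (None = nothing arrived)."""
        sequence = self.outstanding.pop(port, None)
        ok = (sequence is not None and response is not None
              and hmac.compare_digest(response, ap_check_response(self.secret, sequence)))
        if ok:
            self.misses[port] = 0
        else:
            self.misses[port] = self.misses.get(port, 0) + 1
            if self.misses[port] >= self.MAX_MISSES:
                self.port_open[port] = False    # force the user PC offline
        return ok


def run_checks(server: APServer, client: APClient, port: int,
               rounds: int) -> List[Tuple[bool, bool]]:
    """Drive `rounds` check periods; return (response_ok, port_open) per round."""
    server.open_port(port)
    states = []
    for _ in range(rounds):
        sequence = server.send_ap_check(port)
        ok = server.receive_response(port, client.handle_ap_check(sequence))
        states.append((ok, server.port_open[port]))
    return states


if __name__ == "__main__":
    password = b"constructed-shared-password"
    print(run_checks(APServer(password), APClient(password), 7, 4))
    print(run_checks(APServer(password), APClient(password, alive_for=2), 7, 5))
```

Two properties of the design are worth checking in the test: a client that stops answering (AP Client closed) loses its port after the miss threshold, and a previously captured AP-Check-Response is rejected on the next period because the server only accepts the response to the sequence it issued most recently.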
Publications (2)

Publication Number Publication Date
CN101022340A CN101022340A (en) 2007-08-22
CN101022340B true CN101022340B (en) 2010-11-24


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1558634A (en) * 2004-01-17 2004-12-29 港湾网络有限公司 User based control method in IEEE802.1x authentication
CN1787434A (en) * 2004-12-08 2006-06-14 杭州华为三康技术有限公司 System and method for safety identification to network customer terminal
CN1881938A (en) * 2006-04-27 2006-12-20 中兴通讯股份有限公司 Method and system for preventing and detecting proxy

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20101124

Termination date: 20170330