CN101056306A - Network device and its access control method - Google Patents
- Publication number
- CN101056306A
- Authority
- CN
- China
- Prior art keywords
- resolution protocol
- address resolution
- protocol frame
- identification information
- access control
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Small-Scale Networks (AREA)
Abstract
The present invention provides a network device and an access control method for it. The network device comprises an Address Resolution Protocol (ARP) frame filter module, which looks up the access control list using identification information in the ARP frames received by the network device and filters those frames according to the state that corresponds to the identification information in the access control list. The network device further comprises an ARP frame inspection module, which checks the validity and correctness of the ARP frames before the filter module filters them, and an ARP frame processing module, which handles the ARP frames permitted by the filter module. The invention prevents an illegitimate device from maliciously attacking network devices through ARP frames, improving security and reliability.
Description
Technical field
The present invention relates to the communications field, and in particular to a network device and its access control method.
Background technology
An access control list (ACL) uses packet filtering: the network device reads information in the layer 3 and layer 4 packet headers, such as source address, destination address, source port and destination port, and filters packets according to predefined rules in order to control access. Initially only routers supported this technique; in recent years layer 3 switches have also supported it, and some layer 2 switches (including access devices) are now beginning to support ACLs as well.
There are many kinds of ACL, and different kinds can be used on different occasions. The simplest is the standard ACL, which filters on the source IP address in Internet Protocol (IP) packets. Because the ACL function is implemented with packet filtering, the basis for filtering is part of the information in the layer 3 and layer 4 packet headers. IP packets that are allowed to pass are handled by the normal processing flow; IP packets that do not satisfy the filter condition are discarded.
In Ethernet applications, the address resolution protocol is not a layer 3 protocol, nor is it encapsulated in the IP packet format. Therefore, when IP packets from a particular source IP address are filtered and discarded, address resolution protocol frames carrying that IP address are not IP packets and so are not filtered. They may be processed or forwarded by the network device and thereby affect the network and the network device.
Suppose the ACL module of network device A defines the IP address of network device B as denied, so that IP packets sent by B are discarded by A. If B sends A an Address Resolution Protocol (ARP) frame requesting the MAC address of this network device, then, because A has no filtering for ARP frames, the frame is handled by A's ARP frame processing module, which returns a correct ARP reply frame. B can thus learn A's MAC address and can use it to launch a malicious attack. In addition, if B maliciously sends ARP request frames, A processes them one by one, which can greatly reduce A's capacity to handle other messages and other functions and, in serious cases, cause A to run abnormally, with even more serious consequences.
Because the common ACL function filters only IP packets and does not filter ARP frames encapsulated in Ethernet frames, the processing capacity of the network device may be reduced, and the network device may even be maliciously attacked.
A method is therefore needed so that a network device configured with the ACL function not only filters IP packets but can also handle the ARP frames associated with the same IP address, reducing the impact on the network device, preventing illegitimate devices from maliciously attacking it through ARP frames, and improving security and reliability.
Summary of the invention
To address the above problems, the invention provides a network device and an access control method for the network device. The device has an ACL function and prevents illegitimate devices from maliciously attacking it through ARP frames, improving security and reliability.
The network device comprises an ARP frame filter module, which looks up the ACL using identification information in the ARP frame received by the network device and filters the ARP frame according to the state corresponding to that identification information in the ACL.
The network device further comprises: an ARP frame inspection module, which checks the validity and correctness of the ARP frame before the ARP frame filter module filters it; and an ARP frame processing module, which processes the ARP frames that the filter module allows to be processed.
The ARP frame filter module comprises: an identification information obtaining unit, which obtains the identification information from the received ARP frame; an identification information lookup unit, which checks whether the obtained identification information exists in the ACL; an identification information state lookup unit, which, when the identification information exists in the ACL, looks up the state corresponding to it in the ACL; and an ARP frame filter unit, which filters the ARP frame according to the state corresponding to the identification information.
When the state corresponding to the identification information is permit, the ARP frame processing module is instructed to process the ARP frame; when the state is deny, the ARP frame is discarded.
When the identification information does not exist in the ACL, the ARP frame is discarded. The identification information comprises at least one of an IP address and a MAC address.
The access control method for the network device according to the invention comprises: the ARP frame filter module looks up the ACL using the identification information in the ARP frame received by the network device and filters the ARP frame according to the state corresponding to that identification information in the ACL.
The access control method further comprises: before the ARP frame is filtered, the ARP frame inspection module checks the validity and correctness of the ARP frame; and after the ARP frame is filtered, the ARP frame processing module processes the ARP frames that the filter module allows to be processed.
The process of filtering the ARP frame comprises the following steps:
Step S304-2: the identification information obtaining unit obtains the identification information from the ARP frame received by the network device;
Step S304-4: the identification information lookup module checks whether the obtained identification information exists in the ACL; if it does not exist, the ARP frame is discarded;
Step S304-6: if the identification information exists in the ACL, the identification information state lookup unit looks up the state corresponding to it in the ACL; and
Step S304-8: the ARP frame is filtered according to the state corresponding to the identification information.
When the state corresponding to the identification information is permit, it indicates that the ARP frame is to be processed; when the state is deny, it indicates that the ARP frame is to be discarded.
The identification information comprises at least one of an IP address and a MAC address.
The invention associates the IP-based ACL function with the address resolution protocol in order to filter ARP frames. This avoids the problem of ARP frames containing an illegitimate IP address consuming too many resources of the network device, and also prevents an illegitimate device from obtaining the MAC (media access control sublayer) address of the network device, improving the security of the network device.
Description of drawings
The accompanying drawings described here provide further understanding of the invention and form part of this application. The illustrative embodiments of the invention and their description explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a structural diagram of the network device according to the invention;
Fig. 2 is a structural diagram of the ARP frame filter module according to the invention;
Fig. 3 is a flow chart of the access control method according to the invention;
Fig. 4 is a flow chart of the process of filtering the ARP frame in the access control method according to the invention; and
Fig. 5 is a flow chart of processing the ARP frame according to an embodiment of the invention.
Embodiment
Specific embodiments of the invention are described below.
Fig. 1 is a structural diagram of the network device according to the invention. As shown in Fig. 1, the network device has an IP-based ACL function and comprises an ARP frame filter module 104, which looks up the ACL using identification information in the ARP frame received by the network device and filters the ARP frame according to the state corresponding to that identification information in the ACL. The network device further comprises: an ARP frame inspection module 102, which checks the validity and correctness of the ARP frame before the ARP frame filter module filters it; and an ARP frame processing module 106, which processes the ARP frames that the filter module allows to be processed.
Fig. 2 is a structural diagram of the ARP frame filter module according to the invention. As shown in Fig. 2, the ARP frame filter module comprises: an identification information obtaining unit 104-2, which obtains the identification information from the received ARP frame; an identification information lookup unit 104-4, which checks whether the obtained identification information exists in the ACL; an identification information state lookup unit 104-6, which, when the identification information exists in the ACL, looks up the state corresponding to it in the ACL; and an ARP frame filter unit 104-8, which filters the ARP frame according to the state corresponding to the identification information.
When the state corresponding to the identification information is permit, the ARP frame processing module is instructed to process the ARP frame; when the state is deny, the ARP frame is discarded.
When the identification information does not exist in the ACL, the ARP frame is discarded.
The identification information comprises at least one of an IP address and a MAC address.
Fig. 3 is a flow chart of the access control method according to the invention. As shown in Fig. 3, the access control method comprises step S304: the ARP frame filter module looks up the ACL using the identification information in the ARP frame received by the network device and filters the ARP frame according to the state corresponding to that identification information in the ACL.
The access control method further comprises: step S302, in which, before the ARP frame is filtered, the ARP frame inspection module checks the validity and correctness of the ARP frame; and step S306, in which, after the ARP frame is filtered, the ARP frame processing module processes the ARP frames that the filter module allows to be processed.
Fig. 4 is a flow chart of the process of filtering the ARP frame in the access control method according to the invention. As shown in Fig. 4, step S304 comprises the following steps:
Step S304-2: the identification information obtaining unit obtains the identification information from the ARP frame received by the network device;
Step S304-4: the identification information lookup module checks whether the obtained identification information exists in the ACL; if it does not exist, the ARP frame is discarded;
Step S304-6: if the identification information exists in the ACL, the identification information state lookup unit looks up the state corresponding to it in the ACL; and
Step S304-8: the ARP frame is filtered according to the state corresponding to the identification information.
When the state corresponding to the identification information is permit, it indicates that the ARP frame is to be processed; when the state is deny, it indicates that the ARP frame is to be discarded. The identification information comprises at least one of an IP address and a MAC address.
With the invention, a network device configured with the ACL function not only filters IP packets but can also filter the ARP frames associated with the same IP address, reducing the impact of devices with illegitimate IP addresses on the network device. The invention is also easy to implement.
Fig. 5 is a flow chart of processing the ARP frame according to an embodiment of the invention. As shown in Fig. 5, an ARP frame is received and its source IP address is obtained. The usual handling of an ARP frame is as follows: after the input function of the ARP module obtains the ARP frame that the network device received from the network, it carries out the subsequent processing of the frame. To implement this method, code must be added to the input function of the ARP module to associate the ARP frame with the ACL. This code should be placed after the part of the input function that checks the validity and correctness of the ARP frame, and before the code that carries out the normal processing flow for the frame.
The flow for processing the ARP frame comprises the following steps:
Step S502: in this code, the source IP address is first obtained from the source IP address field of the ARP frame. For example, if the source IP address in the ARP frame is 192.168.1.2, this step obtains that IP address. The address resolution protocol defines the frame format of an ARP packet and indicates the position of the source IP address in the frame, including the first byte of the source IP address and the number of bytes the IP address occupies.
Step S504: the ACL is looked up using the source IP address. The ACL module must provide a query interface function whose input parameter is the IP address and whose output parameter is the query result: permit or deny. In a concrete implementation, specific numeric values can be used to represent these results.
The ACL query interface function works as follows: using the IP address passed in, it searches the data structure that stores the ACL entries and compares the address with the source IP address field in that data structure. If there is a match, it determines whether the state is permit or deny and returns that value. If there is no match, the default is deny, and the value representing deny is returned. This is done to ensure the security of the network device.
For example:
An ACL entry must generally contain a source IP address and a behavior state. Suppose that in this example there are two ACL entries:
Source IP address | Behavior state |
---|---|
192.168.2.3 | permit |
192.168.1.2 | deny |
The query function matches the IP address passed in, 192.168.1.2, against the source IP addresses in the ACL and finds that it is identical to the source IP address of the last entry. It then checks that entry's behavior state field, finds it to be deny, and returns the value representing deny.
Step S506: determine whether the IP address is one that is allowed to be processed. Based on the return value of the query interface function, the IP address is judged to be either a legitimate address that may be processed or an illegitimate address that may not.
Whether the ARP frame is processed is decided according to the return value. Step S508: if the address is not one that is allowed to be processed, the ARP frame is discarded and not handled.
If, according to the query result, the IP address is an illegitimate one that must be denied, the ARP frame cannot be processed: the system resources occupied by the frame are released and no response is made. The input function of the ARP module exits without carrying out the rest of the processing flow.
Step S510: if the address is one that is allowed to be processed, the frame is handled according to the normal ARP frame processing flow.
If the IP address is allowed, the added code does nothing further to the received ARP frame and hands it directly to the input function of the ARP module for subsequent processing.
If an ARP request frame is received, the device checks whether the destination IP address in the frame is its own IP address. If it is, the device sends an ARP reply frame with its own MAC address filled into the source MAC address field. If it is not, the device does not respond to the frame, discards it and releases all resources the frame occupies.
If the sending end receives an ARP reply frame, it obtains the source IP address and source MAC address carried in the frame and releases all resources the frame occupies.
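The filtering flow of steps S502 to S510, sketched in C as an added example (it is not code from the patent). The validity check, the table layout and all function and constant names are assumptions; the two ACL entries are the ones from the description's example, and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ARP payload for Ethernet/IPv4 (RFC 826): htype(2) ptype(2) hlen(1) plen(1)
 * oper(2) sha(6) spa(4) tha(6) tpa(4) = 28 bytes. */
#define ARP_LEN        28
#define ARP_SPA_OFFSET 14   /* first byte of the sender (source) IP address */
#define ARP_SPA_SIZE    4   /* bytes occupied by an IPv4 address */

enum acl_action  { ACL_DENY = 0, ACL_PERMIT = 1 };
enum arp_verdict { ARP_DROP_MALFORMED, ARP_DROP_DENIED, ARP_PROCESS };

struct acl_entry {
    uint8_t src_ip[ARP_SPA_SIZE];
    enum acl_action action;
};

/* Constructed ACL holding the two entries from the description's example. */
static const struct acl_entry acl_table[] = {
    { {192, 168, 2, 3}, ACL_PERMIT },
    { {192, 168, 1, 2}, ACL_DENY   },
};

/* Constructed ARP request: sender 192.168.1.2 asks who has 192.168.1.1. */
const uint8_t constructed_request[ARP_LEN] = {
    0x00, 0x01,                          /* htype: Ethernet */
    0x08, 0x00,                          /* ptype: IPv4 */
    6, 4,                                /* hlen, plen */
    0x00, 0x01,                          /* oper: request */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x0b,  /* sender MAC (made up) */
    192, 168, 1, 2,                      /* sender IP */
    0, 0, 0, 0, 0, 0,                    /* target MAC (unknown) */
    192, 168, 1, 1,                      /* target IP */
};

/* Query interface (S504): IP address in, permit/deny out.
 * An address with no matching entry is denied by default. */
enum acl_action acl_query(const uint8_t ip[ARP_SPA_SIZE])
{
    for (size_t i = 0; i < sizeof acl_table / sizeof acl_table[0]; i++)
        if (memcmp(acl_table[i].src_ip, ip, ARP_SPA_SIZE) == 0)
            return acl_table[i].action;
    return ACL_DENY;
}

/* Assumed stand-in for the validity and correctness check that the input
 * function performs before the added filter code runs. */
static int arp_is_valid(const uint8_t *p, size_t len)
{
    if (p == NULL || len < ARP_LEN)
        return 0;
    if (p[0] != 0x00 || p[1] != 0x01 || p[2] != 0x08 || p[3] != 0x00)
        return 0;
    if (p[4] != 6 || p[5] != 4)
        return 0;
    return p[6] == 0x00 && (p[7] == 1 || p[7] == 2);
}

/* The added hook: runs after validation, before normal ARP handling. */
enum arp_verdict arp_input_filter(const uint8_t *arp, size_t len)
{
    if (!arp_is_valid(arp, len))
        return ARP_DROP_MALFORMED;
    if (acl_query(arp + ARP_SPA_OFFSET) != ACL_PERMIT)  /* S502, S504, S506 */
        return ARP_DROP_DENIED;                         /* S508: no reply */
    return ARP_PROCESS;                                 /* S510 */
}

/* Builds a copy of the constructed request with another sender IP. */
enum arp_verdict verdict_for_source(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    uint8_t frame[ARP_LEN];
    const uint8_t ip[ARP_SPA_SIZE] = { a, b, c, d };

    memcpy(frame, constructed_request, ARP_LEN);
    memcpy(frame + ARP_SPA_OFFSET, ip, ARP_SPA_SIZE);
    return arp_input_filter(frame, ARP_LEN);
}

int main(void)
{
    static const char *names[] = { "drop (malformed)", "drop (denied)", "process" };

    printf("192.168.2.3 -> %s\n", names[verdict_for_source(192, 168, 2, 3)]);
    printf("192.168.1.2 -> %s\n", names[verdict_for_source(192, 168, 1, 2)]);
    printf("10.0.0.9    -> %s\n", names[verdict_for_source(10, 0, 0, 9)]);
    printf("truncated   -> %s\n", names[arp_input_filter(constructed_request, 20)]);
    return 0;
}
```

The verdict rests on the sender IP field, which the sending device fills in itself, so the filter is only as trustworthy as that field.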
The invention therefore associates the IP-based ACL function with the address resolution protocol in order to filter ARP frames, avoiding the problem of ARP frames containing an illegitimate IP address consuming too many resources of the network device. It also prevents an illegitimate device from obtaining the MAC (media access control sublayer) address of the network device, improving the security of the network device.
The above are only preferred embodiments of the invention and do not limit it; for a person skilled in the art, the invention may have various changes and variations. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.
Claims (13)
1. A network device having an access control list function, characterized by comprising:
an ARP frame filter module, which looks up the access control list using identification information in the ARP frame received by the network device and filters the ARP frame according to the state corresponding to the identification information in the access control list.
2. The network device according to claim 1, characterized by further comprising:
an ARP frame inspection module, which checks the validity and correctness of the ARP frame before the ARP frame filter module filters the ARP frame.
3. The network device according to claim 1, characterized by further comprising:
an ARP frame processing module, which processes the ARP frames that the ARP frame filter module allows to be processed.
4. The network device according to claim 1, characterized in that the ARP frame filter module comprises:
an identification information obtaining unit, which obtains the identification information from the received ARP frame;
an identification information lookup unit, which checks whether the obtained identification information exists in the access control list;
an identification information state lookup unit, which, when the identification information exists in the access control list, looks up the state corresponding to the identification information in the access control list; and
an ARP frame filter unit, which filters the ARP frame according to the state corresponding to the identification information.
5. The network device according to claim 4, characterized in that:
when the state corresponding to the identification information is permit, the ARP frame processing module is instructed to process the ARP frame; and
when the state corresponding to the identification information is deny, the ARP frame is discarded.
6. The network device according to claim 4, characterized in that, when the identification information does not exist in the access control list, the ARP frame is discarded.
7. The network device according to any one of claims 1 to 6, characterized in that the identification information comprises at least one of an IP address and a MAC address.
8. An access control method for a network device, characterized in that the method comprises: an ARP frame filter module looks up the access control list using identification information in the ARP frame received by the network device and filters the ARP frame according to the state corresponding to the identification information in the access control list.
9. The access control method according to claim 8, characterized in that the access control method further comprises: before the ARP frame is filtered, an ARP frame inspection module checks the validity and correctness of the ARP frame.
10. The access control method according to claim 8, characterized in that the access control method further comprises: after the ARP frame is filtered, an ARP frame processing module processes the ARP frames that the ARP frame filter module allows to be processed.
11. The access control method according to claim 8, characterized in that the process of filtering the ARP frame comprises the following steps:
Step S304-2: an identification information obtaining unit obtains the identification information from the ARP frame received by the network device;
Step S304-4: an identification information lookup module checks whether the obtained identification information exists in the access control list; if the identification information does not exist, the ARP frame is discarded;
Step S304-6: if the identification information exists in the access control list, an identification information state lookup unit looks up the state corresponding to the identification information in the access control list; and
Step S304-8: the ARP frame is filtered according to the state corresponding to the identification information.
12. The access control method according to claim 11, characterized in that:
when the state corresponding to the identification information is permit, it indicates that the ARP frame is to be processed;
when the state corresponding to the identification information is deny, it indicates that the ARP frame is to be discarded.
13. The access control method according to any one of claims 8 to 12, characterized in that the identification information comprises at least one of an IP address and a MAC address.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200610072686 CN101056306A (en) | 2006-04-11 | 2006-04-11 | Network device and its access control method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200610072686 CN101056306A (en) | 2006-04-11 | 2006-04-11 | Network device and its access control method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101056306A true CN101056306A (en) | 2007-10-17 |
Family
ID=38795910
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 200610072686 Pending CN101056306A (en) | 2006-04-11 | 2006-04-11 | Network device and its access control method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101056306A (en) |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101719899A (en) * | 2008-10-09 | 2010-06-02 | 丛林网络公司 | Dynamic access control policy with port restrictions for a network security appliance |
CN101951415A (en) * | 2010-08-30 | 2011-01-19 | 清华大学 | Method of increasing safety of address conflict detection process |
WO2011094994A1 (en) * | 2010-02-08 | 2011-08-11 | 中兴通讯股份有限公司 | Method, device and system for controlling authority for accessing optical network unit |
CN102215170A (en) * | 2011-06-08 | 2011-10-12 | 中兴通讯股份有限公司 | Method and processor for restraining Internet storm |
CN102750750A (en) * | 2012-06-18 | 2012-10-24 | 北京大学 | Punch card method based on Wi-Fi and system thereof |
CN101741855B (en) * | 2009-12-16 | 2012-11-28 | 中兴通讯股份有限公司 | Maintenance method of address resolution protocol cache list and network equipment |
CN103414730A (en) * | 2013-08-29 | 2013-11-27 | 迈普通信技术股份有限公司 | Method and device for processing ARP messages |
US8789180B1 (en) | 2007-11-08 | 2014-07-22 | Juniper Networks, Inc. | Multi-layered application classification and decoding |
CN104754070A (en) * | 2013-12-31 | 2015-07-01 | 华为技术有限公司 | Method and device for learning address resolution protocol table entries and network device |
US9398043B1 (en) | 2009-03-24 | 2016-07-19 | Juniper Networks, Inc. | Applying fine-grain policy action to encapsulated network attacks |
CN105978844A (en) * | 2015-06-04 | 2016-09-28 | 乐视致新电子科技(天津)有限公司 | Network access control method, router and system based on router |
CN106850559A (en) * | 2016-12-26 | 2017-06-13 | 中国科学院计算技术研究所 | A kind of expansible protocol analysis system and method |
US9712490B1 (en) | 2007-08-08 | 2017-07-18 | Juniper Networks, Inc. | Identifying applications for intrusion detection systems |
US10075416B2 (en) | 2015-12-30 | 2018-09-11 | Juniper Networks, Inc. | Network session data sharing |
CN114070633A (en) * | 2021-11-22 | 2022-02-18 | 北京天融信网络安全技术有限公司 | Address scanning behavior detection method and device |
CN116015876A (en) * | 2022-12-27 | 2023-04-25 | 北京天融信网络安全技术有限公司 | Access control method, device, electronic equipment and storage medium |
Cited By (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10033696B1 (en) | 2007-08-08 | 2018-07-24 | Juniper Networks, Inc. | Identifying applications for intrusion detection systems |
US9712490B1 (en) | 2007-08-08 | 2017-07-18 | Juniper Networks, Inc. | Identifying applications for intrusion detection systems |
US8789180B1 (en) | 2007-11-08 | 2014-07-22 | Juniper Networks, Inc. | Multi-layered application classification and decoding |
US9860210B1 (en) | 2007-11-08 | 2018-01-02 | Juniper Networks, Inc. | Multi-layered application classification and decoding |
US9485216B1 (en) | 2007-11-08 | 2016-11-01 | Juniper Networks, Inc. | Multi-layered application classification and decoding |
US9258329B2 (en) | 2008-10-09 | 2016-02-09 | Juniper Networks, Inc. | Dynamic access control policy with port restrictions for a network security appliance |
US8572717B2 (en) | 2008-10-09 | 2013-10-29 | Juniper Networks, Inc. | Dynamic access control policy with port restrictions for a network security appliance |
CN101719899A (en) * | 2008-10-09 | 2010-06-02 | 丛林网络公司 | Dynamic access control policy with port restrictions for a network security appliance |
US9398043B1 (en) | 2009-03-24 | 2016-07-19 | Juniper Networks, Inc. | Applying fine-grain policy action to encapsulated network attacks |
CN101741855B (en) * | 2009-12-16 | 2012-11-28 | 中兴通讯股份有限公司 | Maintenance method of address resolution protocol cache list and network equipment |
WO2011094994A1 (en) * | 2010-02-08 | 2011-08-11 | 中兴通讯股份有限公司 | Method, device and system for controlling authority for accessing optical network unit |
CN101951415B (en) * | 2010-08-30 | 2013-10-16 | 清华大学 | Method of increasing safety of address conflict detection process |
CN101951415A (en) * | 2010-08-30 | 2011-01-19 | 清华大学 | Method of increasing safety of address conflict detection process |
CN102215170A (en) * | 2011-06-08 | 2011-10-12 | 中兴通讯股份有限公司 | Method and processor for restraining Internet storm |
CN102215170B (en) * | 2011-06-08 | 2017-02-08 | 中兴通讯股份有限公司 | Method and processor for restraining Internet storm |
WO2012167697A1 (en) * | 2011-06-08 | 2012-12-13 | 中兴通讯股份有限公司 | Method and processor for suppressing network storm |
CN102750750A (en) * | 2012-06-18 | 2012-10-24 | 北京大学 | Punch card method based on Wi-Fi and system thereof |
CN103414730A (en) * | 2013-08-29 | 2013-11-27 | 迈普通信技术股份有限公司 | Method and device for processing ARP messages |
CN104754070A (en) * | 2013-12-31 | 2015-07-01 | 华为技术有限公司 | Method and device for learning address resolution protocol table entries and network device |
CN105978844A (en) * | 2015-06-04 | 2016-09-28 | 乐视致新电子科技(天津)有限公司 | Network access control method, router and system based on router |
US10075416B2 (en) | 2015-12-30 | 2018-09-11 | Juniper Networks, Inc. | Network session data sharing |
CN106850559A (en) * | 2016-12-26 | 2017-06-13 | 中国科学院计算技术研究所 | A kind of expansible protocol analysis system and method |
CN114070633A (en) * | 2021-11-22 | 2022-02-18 | 北京天融信网络安全技术有限公司 | Address scanning behavior detection method and device |
CN116015876A (en) * | 2022-12-27 | 2023-04-25 | 北京天融信网络安全技术有限公司 | Access control method, device, electronic equipment and storage medium |
CN116015876B (en) * | 2022-12-27 | 2024-01-26 | 北京天融信网络安全技术有限公司 | Access control method, device, electronic equipment and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101056306A (en) | Network device and its access control method | |
EP2739003B1 (en) | Systems and methods to detect and respond to distributed denial of service (DDoS) attacks | |
CN101123614B (en) | A method and communication device for processing address parsing protocol packet | |
CN1612532A (en) | Host-based network intrusion detection systems | |
CN1874303A (en) | Method for implementing black sheet | |
CN101030980A (en) | Wide-band terminal identifier based on Ethernet and its identifying method | |
CN101036369A (en) | Offline analysis of packets | |
CN101068229A (en) | Content filtering gateway realizing method based on network filter | |
CN1406351A (en) | System, device and method for rapid packet filtering and processing | |
CN1414746A (en) | Method of providing internal service apparatus in network for saving IP address | |
CN1859409A (en) | Method and system for improving network dynamic host configuration DHCP safety | |
CN101039176A (en) | DHCP monitoring method and apparatus thereof | |
CN1905555A (en) | Fire wall controlling system and method based on NGN service | |
CN101039326A (en) | Service flow recognition method, apparatus and method and system for defending distributed refuse attack | |
CN1175621C (en) | Method of detecting and monitoring malicious user host machine attack | |
CN1801781A (en) | Exchange equipment and its message processing method for preventing flow attack | |
CN101035034A (en) | Method and device for detecting the message attack | |
CN1741504A (en) | Flow controlling method based on application and network equipment for making applied flow control | |
CN1496642A (en) | Firewall with index to access rule | |
CN101043465A (en) | Dynamic host configuration protocol service managing method and system thereof | |
CN1863193A (en) | Method for implementing safety tactics of network safety apparatus | |
CN1881938A (en) | Method and system for preventing and detecting proxy | |
CN1921489A (en) | Secure communication equipment for processing send data packets | |
CN101771575B (en) | Method, device and system for processing IP partitioned message | |
CN1204713C (en) | Management method of user's connecting network in wideband network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C12 | Rejection of a patent application after its publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20071017 |