CN101115018A - Method for controlling equipment access - Google Patents


Info

Publication number: CN101115018A
Authority: CN (China)
Prior art keywords: access rule, message, acl access, acl, rule
Legal status: Pending
Application number: CNA200710154132XA
Other languages: Chinese (zh)
Inventor: 康传珍
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Priority date: 2007-09-17
Filing date: 2007-09-17
Publication date: 2008-01-30

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for controlling device access, comprising: step S102, setting ACL access rules for the equipment management port and a processing rule for messages not accepted by the access rules; step S104, acquiring the working parameters of the system and judging, with reference to the working parameters, whether a message is accepted by the ACL access rules; and step S106, if the message is not accepted by the ACL access rules, processing it according to the processing rule, and if it is accepted by the ACL access rules, processing it according to the ACL access rules. The invention can effectively control the passing of messages, achieve access control for the access device management interface, and guarantee system security at low cost in a relatively simple application environment.

Description

Method for controlling device access
Technical field
The present invention relates to the communications field, and in particular to a method for controlling device access.
Background art
Broadband access equipment generally provides the user with an out-of-band management port, so that the user can enter the embedded network management system over Simple Network Management Protocol (SNMP) or Telnet and manage the equipment.
However, the convenience of the network also brings insecurity to the equipment: if an unauthorized user obtains the IP address of a network element, that user can also Telnet to the management interface of the equipment and intrude into it. To avoid this class of problem, the usual precaution is to set a username and password, so that an unauthorized user without the username and password cannot access the equipment even after connecting to the management port.
In addition, so that the out-of-band management connections of individual users do not take up too many network resources (for example, sockets), the number of Telnet connections is usually limited.
However, this approach has an obvious defect: unauthorized persons, intentionally or not, may open several connections to the system at once. Although they cannot log in to the equipment, the maximum Telnet connection count is reached, so that legitimate users cannot connect to the equipment in time and access the system normally.
The current solution to this problem is Access Control List (ACL) technology. ACL technology as commonly understood in the Internet uses packet filtering to read the header information of a packet, for example the source address, destination address, source port and destination port, and filters or passes the packet according to predefined rules to achieve access control. Many switching chips now support ACL functions; in use, the administrator configures the control rules on the chip, after which the hardware directly decides how each packet is handled (that is, passed or filtered).
However, this approach requires purchasing the relevant chip, so the implementation cost is very high, and for the application environment described above, whose main purpose is to prevent unauthorized access and whose requirements are not complex, it is obviously unsuitable.
To date, no technical solution has been proposed that solves the above problem effectively and simply.
Summary of the invention
The present invention is made in consideration of the above problem; its main purpose is therefore to provide a scheme for controlling device access.
According to an embodiment of the invention, a method for controlling device access is provided.
The method comprises: step S102, setting ACL access rules for the device management port, and a processing rule for messages that hit none of the ACL access rules; step S104, obtaining the operating parameters of the system and judging, with reference to the operating parameters, whether a message hits an ACL access rule; and step S106, if the message hits no ACL access rule, processing it according to the processing rule, and if the message hits an ACL access rule, processing it according to that ACL access rule.
Between step S102 and step S104 the method further comprises: judging whether the management ACL function of the system is enabled; if it is not enabled, allowing all messages to pass; otherwise executing step S104 and step S106.
The ACL access rules comprise at least one of the following: default ACL access rules and configured ACL access rules.
In this case, step S104 may further comprise: judging, with reference to the operating parameters, whether the message hits a default ACL access rule, and if so processing it according to that default ACL access rule; judging, with reference to the operating parameters, whether a message that hits no default ACL access rule hits a configured ACL access rule, and if so processing it according to that configured ACL access rule; and processing messages that hit neither a default nor a configured ACL access rule according to the processing rule.
In addition, a command for setting the configured ACL access rules can be provided to the administrator on the embedded network management user interface.
In the method, the processing rule is one of the following: allowing messages that hit neither a default nor a configured ACL access rule to pass, or refusing such messages.
In the method, the default ACL access rules comprise allowing messages of basic communication to pass; such messages include but are not limited to Internet Control Message Protocol (ICMP) messages and Address Resolution Protocol (ARP) frames.
In addition, in the method, the configured ACL access rules comprise: setting legal or illegal values for specific fields, such that a message containing a legal value is allowed to pass, or a message containing an illegal value is refused; the specific fields include but are not limited to source IP address, destination IP address, IP protocol type, source port and destination port.
By the above technical scheme, the invention can effectively control the passing of messages and achieve access control of the access device management interface, and can guarantee system security at low cost in relatively simple application environments.
Brief description of the drawings
The drawings described here are provided for further understanding of the invention and form a part of this application; the illustrative embodiments of the invention and their description serve to explain the invention and do not limit it improperly. In the drawings:
Fig. 1 is a flow chart of the method for controlling device access according to an embodiment of the invention; and
Fig. 2 is a flow chart of a processing example of the method for controlling device access according to an embodiment of the invention.
Embodiments
This embodiment provides a method for controlling device access. The method realizes the idea of an ACL effectively without an expensive ACL chip, reducing implementation cost while still achieving access control effectively.
As shown in Fig. 1, the method for controlling device access according to this embodiment comprises: step S102, setting ACL access rules for the device management port, and a processing rule for messages that hit none of the ACL access rules; step S104, obtaining the operating parameters of the system and judging, with reference to the operating parameters, whether a message hits an ACL access rule; and step S106, if the message hits no ACL access rule, processing it according to the processing rule, and if the message hits an ACL access rule, processing it according to that ACL access rule.
Between step S102 and step S104 the method may further comprise: judging whether the management ACL function of the system is enabled; if it is not enabled, allowing all messages to pass; otherwise executing step S104 and step S106.
The ACL access rules comprise at least one of the following: default ACL access rules and configured ACL access rules.
In this case, step S104 may further comprise: judging, with reference to the operating parameters, whether the message hits a default ACL access rule, and if so processing it according to that default ACL access rule; judging, with reference to the operating parameters, whether a message that hits no default ACL access rule hits a configured ACL access rule, and if so processing it according to that configured ACL access rule; and processing messages that hit neither a default nor a configured ACL access rule according to the processing rule.
Preferably, a command for setting the configured ACL access rules can be provided to the administrator on the embedded network management user interface.
In addition, in the method, the processing rule may be one of the following: allowing messages that hit neither a default nor a configured ACL access rule to pass, or refusing such messages.
Preferably, the default ACL access rules may comprise allowing messages of basic communication to pass; such messages include but are not limited to Internet Control Message Protocol (ICMP) messages and Address Resolution Protocol (ARP) frames.
In addition, in the method, the configured ACL access rules comprise: setting legal or illegal values for specific fields, such that a message containing a legal value is allowed to pass, or a message containing an illegal value is refused; the specific fields include but are not limited to source IP address, destination IP address, IP protocol type, source port and destination port.
In actual processing, the above can be reduced to the following procedure:
A. Set some default ACL access rules for the device management port, and/or provide on the embedded network management user interface a command for the administrator to configure customized ACL access rules (that is, the configured ACL access rules above); at the same time, set the processing rule for messages that match no access rule;
B. When the management port needs to judge a message, judge whether the management ACL function of the system is enabled; if it is enabled, execute steps C and D; otherwise allow the message to pass.
C. When the management port needs to judge a message, obtain the current operating parameters of the system;
D. With reference to the system operating parameters, judge one by one whether the message hits a default ACL access rule, and if so process it by that default access rule; and/or, with reference to the system operating parameters, judge one by one whether the message hits a customized configured ACL access rule, and if so process it by that configured ACL access rule;
E. If the message hits none of the above ACL access rules (that is, neither a default nor a configured ACL access rule), allow or refuse the message according to the processing rule configured in advance.
The method according to this embodiment is described below with reference to a specific example.
As shown in Fig. 2, the method according to this embodiment may comprise the following steps:
Step 1: set some default ACL access rules for the device management port. The purpose of this step is to fix some default rules according to the needs of the system, which saves the administrator from having to configure these rules every time and also prevents the basic communication of the system from being blocked by an incomplete configuration caused by omission. Optionally, the default ACL access rules may be that ICMP messages and ARP frames are allowed to pass (this preserves a basic means of checking device connectivity). Also set the processing rule: messages covered by no access rule are all refused;
Step 2: according to actual conditions, customize (the administrator may do this) other ACL access rules for the device management port (that is, the configured ACL access rules above). In this step, a command for the administrator to configure these ACL access rules can be provided on the embedded network management user interface, and the configurable fields of a rule should include the source IP address (with mask), IP protocol type, source port and destination port. The administrator can thereby specify which IP addresses are legal source IPs and which are illegal, and which service ports may be accessed (for example, only the Telnet service and not the FTP service). For example, the following rules can be configured:
deny source-ip 10.40.1.1/32
deny source-ip any ip-protocol-type TCP dest-port 21
permit source-ip 10.40.1.0/24
The above rules specify that the IP addresses of the network segment 10.40.1.0/24 are authorized IP addresses, that 10.40.1.1 is an unauthorized IP address, and in addition that FTP access to the equipment (TCP port 21) is not allowed;
Step 3: when the management port needs to judge a message, judge whether the management ACL function of the system is enabled. If the management ACL function is not enabled, allow the message to pass; if it is enabled, go to the next step. Whether the function is enabled can be switched by a command on the embedded network management user interface;
Step 4: when the management port needs to judge a message, obtain the current operating parameters of the system. Here the current LAN characteristic parameters of the device's management interface need to be known; for example, when working on Ethernet and supporting the processing of tagged (802.1q protocol tag) messages, the current Tag Protocol Identifier (TPID) and similar parameters must be obtained, so that when comparing messages they can serve as one basis for determining the start and end positions of the message format;
Step 5: with reference to the system operating parameters, judge one by one whether the message hits a default ACL access rule, and if so process it by that default ACL access rule. Here, according to the fields the default ACL access rule is concerned with, the corresponding protocol fields are located in the message and compared with the rule; if they match, the message is allowed or refused according to the action specified by that default ACL access rule;
In this step the default ACL access rules are compared one by one until all default ACL access rules have been compared;
Step 6: with reference to the system operating parameters, judge one by one whether the message hits a customized access rule, and if so process it by that rule. Here, according to the fields the configured ACL access rule is concerned with, the corresponding protocol fields are located in the message and compared with the rule; if they match, the message is allowed or refused according to the action specified by that configured ACL access rule;
In this step the configured ACL access rules are compared one by one until all configured ACL access rules have been compared.
In addition, in the above processing, if the message hits no rule, it is refused according to the processing rule set in step 1. At this point the message control action is complete: messages of unauthorized access are rejected, messages of authorized access pass, and the purpose of controlling access is achieved.
In summary, the invention provides a simple and practical implementation of ACL access control, which controls the passing of messages effectively and thereby achieves access control of the access device management interface, and can guarantee system security at low cost in relatively simple application environments.
The above are only preferred embodiments of the invention and do not limit it; for those skilled in the art, the invention may have various changes and variations. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included within the scope of protection of the invention.
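To make steps 1 to 6 concrete, here is an added example in Python that is not part of the patent: a software matcher that applies the default rules (ICMP and ARP pass), the three configured rules of step 2 in order, and the default-deny processing rule, and that uses the TPID operating parameter of step 4 to find the IP header in an 802.1q-tagged frame. The rule syntax, the 0x8100 TPID and the sample frames are constructed assumptions.

```python
import ipaddress
import struct

# Constructed sample of the page's rule syntax (step 2); first hit wins.
CONFIG_RULES = [
    "deny source-ip 10.40.1.1/32",
    "deny source-ip any ip-protocol-type TCP dest-port 21",
    "permit source-ip 10.40.1.0/24",
]
PROTO_NUM = {"ICMP": 1, "TCP": 6, "UDP": 17}
ETH_IPV4, ETH_ARP = 0x0800, 0x0806


def parse_rule(text):
    """Turn one 'permit|deny source-ip ... [ip-protocol-type ...] [dest-port ...]' line into a dict."""
    tok = text.split()
    rule = {"action": tok[0]}
    for key, val in zip(tok[1::2], tok[2::2]):
        if key == "source-ip":
            rule["src"] = None if val == "any" else ipaddress.ip_network(val, strict=False)
        elif key == "ip-protocol-type":
            rule["proto"] = PROTO_NUM[val.upper()]
        elif key in ("source-port", "dest-port"):
            rule["sport" if key == "source-port" else "dport"] = int(val)
    return rule


def parse_frame(frame, tpid):
    """Locate the protocol fields (steps 4 and 5). tpid is the operating parameter that
    says whether a 4-byte 802.1q tag sits before the EtherType (assumed 0x8100 by default)."""
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == tpid:
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    f = {"ethertype": ethertype}
    if ethertype == ETH_IPV4:
        ihl = (frame[off] & 0x0F) * 4
        f["proto"] = frame[off + 9]
        f["src"] = ipaddress.ip_address(frame[off + 12:off + 16])
        f["dst"] = ipaddress.ip_address(frame[off + 16:off + 20])
        if f["proto"] in (6, 17):
            f["sport"], f["dport"] = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    return f


def rule_hits(rule, f):
    """A rule hits only if every field it constrains is present in the frame and matches."""
    if "src" in rule:
        if "src" not in f or (rule["src"] is not None and f["src"] not in rule["src"]):
            return False
    return all(f.get(k) == rule[k] for k in ("proto", "sport", "dport") if k in rule)


def decide(frame, config_rules, acl_enabled=True, tpid=0x8100, processing_rule="deny"):
    """Return 'permit' or 'deny' for one frame arriving at the management port."""
    if not acl_enabled:                        # step 3: management ACL switched off
        return "permit"
    f = parse_frame(frame, tpid)               # step 4: apply the operating parameter
    if f["ethertype"] == ETH_ARP or f.get("proto") == PROTO_NUM["ICMP"]:
        return "permit"                        # step 5: default rules keep basic connectivity
    for rule in config_rules:                  # step 6: administrator rules, in order
        if rule_hits(rule, f):
            return rule["action"]
    return processing_rule                     # no hit: processing rule set in step 1


def build_frame(src_ip, dst_ip, proto, sport=0, dport=0, vlan=None, tpid=0x8100):
    """Construct a minimal Ethernet/IPv4 frame as test input (not captured traffic)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        eth += struct.pack("!HH", tpid, vlan)
    eth += struct.pack("!H", ETH_IPV4)
    l4 = struct.pack("!HH", sport, dport) if proto in (6, 17) else bytes(4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth + ip + l4


def build_arp_frame():
    """Constructed ARP frame; the ARP payload content is irrelevant to the ACL."""
    return bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETH_ARP) + bytes(28)


RULES = [parse_rule(r) for r in CONFIG_RULES]
```

Note that a tagged frame evaluated with the wrong TPID never reaches the IP fields, so it falls through to the processing rule; that is exactly why step 4 reads the operating parameter before matching.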

Claims (8)

1. the method for a control appliance visit is characterized in that, comprising:
Step S102 sets the ACL access rule to the equipment control mouth, and to the processing rule of the message that do not hit described ACL access rule;
Step S104 obtains the running parameter of system, and judges in conjunction with described running parameter whether message hits described ACL access rule; And
Step S106 is if the miss described ACL access rule of message is then handled according to described processing rule; If message hits described ACL access rule, then handle accordingly according to described ACL access rule.
2. the method for control appliance visit according to claim 1, it is characterized in that, between described step S102 and described step S104, further comprise: judge whether described system enables to manage acl feature, if do not enable described management acl feature, then allow all messages to pass through; Otherwise carry out described step S104 and described step S106.
3. the method for control appliance according to claim 1 and 2 visit is characterized in that, described ACL access rule comprise following one of at least: default ACL access rule and configuration ACL access rule.
4. the method for control appliance visit according to claim 3 is characterized in that, in described step S104, further comprises:
In conjunction with described running parameter, judge whether message hits described default ACL access rule, if hit described default ACL access rule, then handle according to described default ACL access rule;
In conjunction with described running parameter, judge whether the message of miss described default ACL access rule hits described configuration ACL access rule, if hit described configuration ACL access rule, then handle according to described configuration ACL access rule; And
Handle the message of miss described default ACL access rule and described configuration ACL access rule according to described processing rule.
5. the method for control appliance visit according to claim 3 is characterized in that, on the embedded network management user interface, provides order for the keeper described configuration ACL access rule to be set.
6. the method for control appliance visit according to claim 4, it is characterized in that, described processing rule is one of following: allow the message of miss described default ACL access rule and described configuration ACL access rule to pass through, or the message of refusing miss described default ACL access rule and described configuration ACL access rule passes through.
7. the method for control appliance visit according to claim 4, it is characterized in that, described default ACL access rule comprises: allow the message of basic communication to pass through, the message of described basic communication comprises: Internet Control Message Protocol message, address resolution protocol frame.
8. the method for control appliance visit according to claim 4, it is characterized in that, described configuration ACL access rule comprises: the legal or invalid information of setting specific fields, the message that comprises legal information is allowed to pass through, or the message refusal that comprises invalid information passed through, wherein, described specific fields comprises: source IP address, purpose IP address, IP protocol type, source port, destination interface.

Priority and family

Application number: CNA200710154132XA, priority date 2007-09-17, filing date 2007-09-17, title "Method for controlling equipment access", status Pending
Publication: CN101115018A (en), publication date 2008-01-30
Family ID: 39023139
Country status: CN, CN101115018A (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103248506A (en) * 2012-02-08 2013-08-14 华为终端有限公司 Right control method of device management and terminal
CN103248506B (en) * 2012-02-08 2016-03-30 华为终端有限公司 The authority control method of equipment control and terminal
CN102833227A (en) * 2012-07-11 2012-12-19 武汉虹信通信技术有限责任公司 Method and system for realizing access control list in wireless access controller
CN103152361A (en) * 2013-03-26 2013-06-12 华为技术有限公司 Access control method as well as equipment and system
WO2014154040A1 (en) * 2013-03-26 2014-10-02 华为技术有限公司 Access control method, device and system
CN103152361B (en) * 2013-03-26 2015-12-02 华为技术有限公司 Access control method and equipment, system
CN103701822A (en) * 2013-12-31 2014-04-02 曙光云计算技术有限公司 Access control method
CN103957138A (en) * 2014-05-06 2014-07-30 李铭 Network monitoring method, device and system
CN103957138B (en) * 2014-05-06 2017-08-08 李铭 A kind of method for monitoring network, device and its system
CN111291383A (en) * 2020-03-26 2020-06-16 超验信息科技(长沙)有限公司 Physical address space access isolation method between any entities on SoC, SoC and computer equipment
CN111291383B (en) * 2020-03-26 2022-03-22 超验信息科技(长沙)有限公司 Physical address space access isolation method between any entities on SoC, SoC and computer equipment

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C12 | Rejection of a patent application after its publication
RJ01 | Rejection of invention patent application after publication

Open date: 2008-01-30