CN101119234B - Apparatus and method for implementing access control - Google Patents


Info

Publication number
CN101119234B
Authority
CN
China
Prior art keywords
access
rule
time
state
access time
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN2007101224264A
Other languages
Chinese (zh)
Other versions
CN101119234A (en)
Inventor
武利明
晁飞
高明辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN2007101224264A
Publication of CN101119234A
Application granted
Publication of CN101119234B
Legal status: Active (current)
Anticipated expiration

Links

Images

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The present invention discloses an apparatus and a method for implementing access control in which the access time and the access rule are set independently of each other and then associated; when the current time falls within the range of an access time, the access rule associated with that access time is used for network access. The apparatus and method thus improve the flexibility of access control, because the original fixed binding between access time and access rule is replaced by a dynamic association. This flexibility lets different access rules share one access time, which effectively reduces the occupation of system resources.

Description

Device and method for realizing access control
Technical Field
The present invention relates to network communication technologies, and in particular, to an apparatus and method for implementing access control.
Background
Existing network access control mechanisms can divide the time during which a network is accessed into access times and apply predefined access rules at the different access times. However, the access time and the access rule are bound together in a fixed way, the access time usually being set as part of the access rule; therefore, whenever either the access rule or the access time has to be adjusted, the rule and the time bound to it are deleted together and a new access rule with a new access time is created and bound again. Such an inflexible access control setting is complex and difficult to manage.
In addition, because access control is set in this fixed manner, different access rules often cannot share the same access time; instead a new fixed pair of access rule and access time has to be created for each of them, which may occupy a large amount of system resources and thereby reduce the processing capacity of the system.
Disclosure of Invention
In view of this, the main objective of the present invention is to provide an apparatus and method for implementing access control, which improve flexibility of access control and reduce system resource occupation.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
an apparatus for implementing access control, the apparatus comprising: the access time management unit, the association unit and the access rule management unit are sequentially connected; wherein,
the access time management unit is used for managing the set access time;
the association unit is used for associating the access time and the access rule which are respectively set;
and the access rule management unit is used for determining that the access rule associated with the access time can be used for network access when the current time falls into the range of the access time.
The association unit is further connected with the state management unit;
the state management unit is used for updating the utility state of the access time and notifying the updated utility state of the access time to the association unit;
the association unit is further configured to update the utility state of the access rule corresponding to the access time according to the received updated access time and the established association relationship, and notify the access rule management unit of the updated utility state of the access rule;
the access rule management unit is further configured to update the utility state of the access rule.
The access rule management unit is further connected with the rule execution unit;
wherein the access rule management unit is further configured to send the access rule that can be used for network access to the rule execution unit;
and the rule execution unit is used for carrying out network access according to the received access rule.
The device is arranged in a router or a switch.
A method of implementing access control, the method comprising:
respectively setting access time and access rules; associating the set access time and the set access rule; when the current time falls within the range of access times, it is determined that the access rule associated with the access time can be used for network access.
The associated access time and access rule are each one or more; the associating comprises:
establishing a correspondence between the access time and the access rule.
The method further comprises updating the utility state of the access rule corresponding to the access time.
The updating comprises the following steps:
updating the utility state of the access time according to the change of the current time; searching for an access rule whose associated access times all have the invalid utility state; and determining the utility state of the found access rule to be the invalid state, so that the access rule is not applicable to network access.
Alternatively, the updating comprises the following steps:
updating the utility state of the access time according to the change of the current time; among the access times associated with an access rule in the invalid state, searching for an access time that has changed from the invalid state to the valid state; and determining the utility state of the access rule associated with the found access time to be the valid state, so that the access rule can be applied to network access.
Network access is then performed using the access rule that is applicable to network access.
Therefore, in the apparatus and method for implementing access control provided by the invention, the access time and the access rule are changed from the original fixed binding into a dynamic association, which improves the flexibility of access control; this flexibility lets different access rules share the same access time, thereby effectively reducing the occupation of system resources.
Drawings
FIG. 1 is a diagram of an apparatus for implementing access control according to an embodiment of the present invention;
FIG. 2 is a flow chart of an embodiment of the present invention for implementing access control;
FIG. 3 is a flow chart of implementing access control according to another embodiment of the present invention;
fig. 4 is a flowchart of implementing access control according to yet another embodiment of the present invention.
Detailed Description
The present invention will be described in detail with reference to the accompanying drawings.
Referring to fig. 1, fig. 1 is a diagram of an apparatus for implementing access control according to an embodiment of the present invention. In fig. 1, the association unit is connected to the access time management unit, the access rule management unit and the state management unit respectively; the apparatus shown in fig. 1 is generally disposed in a router or a switch.
In a specific application, a user sets the access time and the access rule independently (for example, the mutually independent access time and access rule are entered through an operation interface); the access time management unit receives and stores the access time set by the user, and the access rule management unit receives and stores the access rule set by the user.
For the access times held by the access time management unit and the access rules held by the access rule management unit, the association unit associates access times with access rules (one or more access times may be associated with one or more access rules) and saves the association relationship between them. For example, the association unit reads the access time and the access rule to be associated from a received association command, establishes a correspondence between the two, and then stores that correspondence.
After the association has been established, network access may be performed using the access rule associated with an access time whenever the current time falls within the range of that access time. In other words, for network access to proceed it is necessary to determine whether the current time falls within the range of the access time, and only when it does (the utility state of the access time is then said to be the valid state) may network access be performed using the access rule corresponding to that access time (the utility state of the access rule is then likewise the valid state). Throughout this description the utility state of an access time or an access rule is simply its validity: the valid state or the invalid state.
In practical applications, the state management unit provides the basis for determining the utility states of the access times and the access rules: it receives state data such as the system time (indicating the current time) in real time or periodically, determines an access time whose range contains the current time to be in the valid state and an access time whose range does not contain it to be in the invalid state, and sends the determined access time utility states to the association unit.
On receiving the access time utility states from the state management unit, the association unit looks up, according to the association relationship it stores, the access rules associated with those access times. If the utility states of all the access times associated with an access rule are the invalid state, the association unit determines the utility state of that access rule to be the invalid state; otherwise (at least one associated access time is valid) it determines the utility state of the access rule to be the valid state. The association unit then sends the determined access rule utility states to the access rule management unit and the access time utility states received from the state management unit to the access time management unit. If instead the association relationship is stored in the state management unit, the state management unit may itself determine the utility state of the access rule by the same method and send it to the access rule management unit through the association unit.
Knowing the utility state of each access rule, the access rule management unit sends the access rules in the valid state to a connected rule execution unit (not shown in the figure), and the rule execution unit performs network access using the received access rules. Seen from the perspective of the access time, the access rule can be used for network access because the current time falls within an access time corresponding to it.
Of course, the access time utility state may also be sent directly to the access time management unit at the time of initial setting, and the access rule utility state directly to the access rule management unit. The access rule management unit can then search its stored access rules for those in the valid state directly and send them to the connected rule execution unit, which performs network access using the received access rules.
It should be noted that, as the current time advances, the utility state of an access time inevitably changes; the utility state of the access rule then has to be updated according to the changed utility state of the access time, and network access is performed using the access rules that are in the valid state after the update. The operations involved in the update are as follows:
the state management unit receives state data such as the system time, determines the utility state of each access time from the received state data, and sends the access times whose utility state has changed to the association unit. The association unit looks up, according to the association relationship it stores, the access rules associated with the received access times; if the utility states of all the access times associated with an access rule are now the invalid state, the association unit determines that the utility state of that access rule has changed to the invalid state; otherwise it determines that the utility state of the access rule is unchanged. The association unit then sends the changed utility states of the access times and of the access rules to the access time management unit and the access rule management unit respectively.
Similarly, among the received access times whose utility state has changed, the association unit may search for access times associated with an access rule that is in the invalid state; if any such access time has changed from the invalid state to the valid state, the association unit determines that the utility state of that access rule has changed to the valid state (a rule is invalid only while all of its associated access times are invalid, so a single valid access time suffices); otherwise it determines that the utility state of the access rule is unchanged. The association unit then likewise sends the changed utility states of the access times and the access rules to the access time management unit and the access rule management unit respectively.
Of course, if the state management unit stores the association relationship, the state management unit may determine the utility state of the access rule by the same method and send the changed utility state of the access rule to the access rule management unit through the association unit.
On receiving the changed utility state of an access rule, the access rule management unit overwrites the previously stored utility state of that access rule with the received one and sends the access rules that are in the valid state after the update to the connected rule execution unit, which performs network access using them. For an access rule that has changed from the valid state to the invalid state, a request to apply that access rule for network access is denied.
As can be seen from fig. 1 and its description, the access control flow for normal access may follow the flow shown in fig. 2; when an access rule changes from the valid state to the invalid state because of a change of access time, the access control flow may follow the flow shown in fig. 3; and when an access rule changes from the invalid state to the valid state because of a change of access time, the access control flow may follow the flow shown in fig. 4.
The following is described with respect to fig. 2, 3, 4, respectively:
Referring to fig. 2, the flow shown in fig. 2 includes the following steps:
Step 201: setting and saving the access time and the access rule.
Step 202: associating the set access time with the set access rule.
Step 203: when the current time falls within the range of the access time, performing network access using the access rule associated with the access time.
Referring to fig. 3, the flow shown in fig. 3 includes the following steps:
Step 301: updating the utility state of the access time according to the change of the current time.
Step 302: searching for an access rule whose associated access times all have the invalid utility state.
Step 303: determining the utility state of the found access rule to be the invalid state and refusing to apply that access rule for network access.
Referring to fig. 4, the flow shown in fig. 4 includes the following steps:
Step 401: updating the utility state of the access time according to the change of the current time.
Step 402: among the access times associated with an access rule in the invalid state, searching for an access time that has changed from the invalid state to the valid state.
Step 403: determining the utility state of the access rule associated with the found access time to be the valid state and applying that access rule for network access.
Besides changing an access time or an access rule, set access times and access rules can also be added or deleted, and a new association relationship is then established for the added or deleted access time or access rule.
In practical applications, if an access rule has the identifier 1 and its filter content is to permit all IP packets whose source Internet Protocol (IP) address lies in the network segment 1.1.1.0 with mask 255.255.255.0, the access rule may be expressed as follows:
rule 1 permit 1.1.1.0 255.255.255.0;
The access time may be a periodic access time or an absolute access time. An absolute access time has a specific start time and end time; within the range between the start time and the end time, the access rule corresponding to the access time is in the valid state. The absolute access time may be expressed in the form:
set time-range time-name range absolute start-time start-date [to end-time end-date];
A periodic access time uses a recurring period such as a day of the week; within that period, the access rule corresponding to the access time is in the valid state. The periodic access time may be expressed in the form:
set time-range time-name range period start-time to end-time day-type;
in a specific application, the following access times can be set:
set time-range TR_1 range absolute 08:00 2006-09-01 to 08:00 2006-11-20;
set time-range TR_2 range period 08:00 to 16:00 Monday;
set time-range TR_3 range period 08:00 to 16:00 Wednesday;
set time-range TR_4 range period 08:00 to 16:00 Friday;
If it is desired to allow user access for the network segment with source IP address 1.1.1.0 every Monday and every Wednesday from 08:00 to 16:00, and also from 08:00 on 2006-09-01 to 08:00 on 2006-11-20, the association between the access times and the access rule may be expressed as follows:
set time-range TR_1 acl 1 rule 1 enable;
set time-range TR_2 acl 1 rule 1 enable;
set time-range TR_3 acl 1 rule 1 enable;
Since an access rule is in the invalid state only when all of its associated access times are invalid, rule 1 is usable whenever any one of TR_1, TR_2 or TR_3 is valid; TR_4 has been set but is not associated with rule 1, so it has no effect on that rule.
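As an added worked example (not code from the patent or from ZTE), the following Python model implements the mechanism described in the detailed description and in the flows of fig. 2, fig. 3 and fig. 4: it parses rule, time-range and association lines in the syntax shown above, acts as the state management unit by deciding which access times contain a given current time, and acts as the association unit by giving a rule the valid state whenever at least one associated access time is valid and the invalid state only when all of them are invalid. The class and function names, the parsing regexes, the treatment of each end bound as exclusive, the parsing of the date format, and the treatment of a rule with no associated access time as invalid are assumptions of this example, not statements from the patent.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import datetime

DAYS = {"Monday": 0, "Tuesday": 1, "Wednesday": 2, "Thursday": 3,
        "Friday": 4, "Saturday": 5, "Sunday": 6}
FMT = "%H:%M %Y-%m-%d"  # layout of "08:00 2006-09-01" in the absolute form (assumption)


@dataclass
class TimeRange:
    name: str
    kind: str                      # "absolute" or "period"
    start: datetime | None = None  # absolute: start/end instants
    end: datetime | None = None
    day: int | None = None         # period: weekday index (Monday = 0)
    t_start: str = ""              # period: "HH:MM" bounds within that weekday
    t_end: str = ""

    def is_valid(self, now: datetime) -> bool:
        """State management unit: the access time is valid when `now` lies in it.
        The end bound is treated as exclusive (assumption; the patent does not say)."""
        if self.kind == "absolute":
            return self.start <= now < self.end
        hhmm = now.strftime("%H:%M")
        return now.weekday() == self.day and self.t_start <= hhmm < self.t_end


@dataclass
class AccessControl:
    rules: dict[int, str] = field(default_factory=dict)        # rule id -> filter text
    times: dict[str, TimeRange] = field(default_factory=dict)  # access time management unit
    assoc: dict[int, set[str]] = field(default_factory=dict)   # association unit: rule -> times
    rule_state: dict[int, bool] = field(default_factory=dict)  # utility state of each rule

    def load(self, line: str) -> None:
        """Parse one configuration line in the syntax shown in the description."""
        line = line.strip().rstrip(";").strip()
        if m := re.fullmatch(r"rule (\d+) (.+)", line):
            self.rules[int(m[1])] = m[2]
        elif m := re.fullmatch(r"set time-range (\S+) range absolute (\S+ \S+) to (\S+ \S+)", line):
            self.times[m[1]] = TimeRange(m[1], "absolute", start=datetime.strptime(m[2], FMT),
                                         end=datetime.strptime(m[3], FMT))
        elif m := re.fullmatch(r"set time-range (\S+) range period (\S+) to (\S+) (\S+)", line):
            self.times[m[1]] = TimeRange(m[1], "period", day=DAYS[m[4]], t_start=m[2], t_end=m[3])
        elif m := re.fullmatch(r"set time-range (\S+) acl \d+ rule (\d+) enable", line):
            # Many-to-many: one rule may reference several time ranges, and one
            # time range may be shared by several rules (the patent's point).
            self.assoc.setdefault(int(m[2]), set()).add(m[1])
        else:
            raise ValueError(f"unrecognised line: {line!r}")

    def update(self, now: datetime | str) -> dict[int, bool]:
        """Recompute every rule's utility state for `now`; return the rules whose
        state changed (fig. 3: -> False, fig. 4: -> True). A rule is invalid only
        when ALL associated access times are invalid, so a rule with no
        associated access time is invalid here (assumption)."""
        if isinstance(now, str):
            now = datetime.strptime(now, "%Y-%m-%d %H:%M")
        time_state = {n: tr.is_valid(now) for n, tr in self.times.items()}
        changed = {}
        for rid in self.rules:
            new = any(time_state.get(n, False) for n in self.assoc.get(rid, ()))
            if self.rule_state.get(rid) != new:
                changed[rid] = new
            self.rule_state[rid] = new
        return changed

    def active_rules(self) -> list[str]:
        """What the access rule management unit hands to the rule execution unit."""
        return [self.rules[r] for r, ok in sorted(self.rule_state.items()) if ok]


# Constructed sample configuration, copied from the example in the description.
CONFIG = """
rule 1 permit 1.1.1.0 255.255.255.0;
set time-range TR_1 range absolute 08:00 2006-09-01 to 08:00 2006-11-20;
set time-range TR_2 range period 08:00 to 16:00 Monday;
set time-range TR_3 range period 08:00 to 16:00 Wednesday;
set time-range TR_4 range period 08:00 to 16:00 Friday;
set time-range TR_1 acl 1 rule 1 enable;
set time-range TR_2 acl 1 rule 1 enable;
set time-range TR_3 acl 1 rule 1 enable;
"""


def build() -> AccessControl:
    ac = AccessControl()
    for line in CONFIG.strip().splitlines():
        ac.load(line)
    return ac


def walk_clock() -> list[tuple[str, bool]]:
    """Advance the system time through the fig. 3 / fig. 4 transitions and
    record rule 1's utility state after each update."""
    ac = build()
    out = []
    for ts in ("2006-10-05 12:00",   # Thursday inside TR_1            -> valid
               "2006-11-20 08:00",   # TR_1 just ended, Monday TR_2 on  -> still valid
               "2006-11-20 16:00",   # TR_2 ended, nothing else valid   -> invalid (fig. 3)
               "2006-11-22 08:00",   # Wednesday TR_3 starts            -> valid (fig. 4)
               "2006-11-24 10:00"):  # Friday: TR_4 valid but not associated with rule 1
        ac.update(ts)
        out.append((ts, ac.rule_state[1]))
    return out


if __name__ == "__main__":
    for ts, state in walk_clock():
        print(ts, "valid" if state else "invalid")
```

The last step of walk_clock is the case a practitioner most often gets wrong: TR_4 is valid on Friday but, because nothing associates it with rule 1, the rule stays invalid; conversely, on Monday 08:00 the rule stays valid even though TR_1 has just expired, because TR_2 is valid and the association is an OR over the rule's access times, not an intersection.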
It can be seen from the above that the apparatus and method for implementing access control provided by the present invention improve the flexibility of access control, because the original fixed binding of access time and access rule is replaced by a dynamic association; this flexibility lets different access rules share the same access time, thereby effectively reducing the occupation of system resources.

Claims (10)

1. An apparatus for implementing access control, the apparatus comprising: the access time management unit, the association unit and the access rule management unit are sequentially connected; wherein,
the access time management unit is used for managing the set access time;
the association unit is used for associating the access time and the access rule which are respectively set;
and the access rule management unit is used for determining that the access rule associated with the access time can be used for network access when the current time falls into the range of the access time.
2. The apparatus according to claim 1, wherein the association unit is further connected to a status management unit;
the state management unit is used for updating the utility state of the access time and notifying the updated utility state of the access time to the association unit;
the association unit is further configured to update the utility state of the access rule corresponding to the access time according to the received updated access time and the established association relationship, and notify the access rule management unit of the updated utility state of the access rule;
the access rule management unit is further configured to update the utility state of the access rule.
3. The apparatus according to claim 1 or 2, wherein the access rule management unit is further connected to a rule execution unit;
wherein the access rule management unit is further configured to send the access rule that can be used for network access to the rule execution unit;
and the rule execution unit is used for carrying out network access according to the received access rule.
4. The apparatus of claim 1, wherein the apparatus is disposed in a router or a switch.
5. A method for implementing access control, the method comprising:
respectively setting access time and access rules; associating the set access time and the set access rule; when the current time falls within the range of access times, it is determined that the access rule associated with the access time can be used for network access.
6. The method of claim 5, wherein the associated access time and access rule are each one or more; and the associating comprises:
establishing a correspondence between the access time and the access rule.
7. The method of claim 5, further comprising updating the utility state of the access rule corresponding to the access time.
8. The method of claim 7, wherein the updating comprises:
updating the utility state of the access time according to the change of the current time; searching for an access rule whose associated access times all have the invalid utility state; and determining the utility state of the found access rule to be the invalid state, so that the access rule is not applicable to network access.
9. The method of claim 7, wherein the updating comprises:
updating the utility state of the access time according to the change of the current time; among the access times associated with an access rule in the invalid state, searching for an access time that has changed from the invalid state to the valid state; and determining the utility state of the access rule associated with the found access time to be the valid state, so that the access rule can be applied to network access.
10. The method according to any of claims 5 to 9, characterized in that the network access is further performed using the access rules applicable for network access.
CN2007101224264A 2007-09-25 2007-09-25 Apparatus and method for implementing access control Active CN101119234B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007101224264A CN101119234B (en) 2007-09-25 2007-09-25 Apparatus and method for implementing access control

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2007101224264A CN101119234B (en) 2007-09-25 2007-09-25 Apparatus and method for implementing access control

Publications (2)

Publication Number Publication Date
CN101119234A CN101119234A (en) 2008-02-06
CN101119234B (en) 2011-03-02

Family

ID=39055186

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007101224264A Active CN101119234B (en) 2007-09-25 2007-09-25 Apparatus and method for implementing access control

Country Status (1)

Country Link
CN (1) CN101119234B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101741886B (en) * 2008-11-05 2012-05-02 北京搜狗科技发展有限公司 Access path generating method, system and device
CN106330984B (en) * 2016-11-29 2019-12-24 北京元心科技有限公司 Dynamic updating method and device of access control strategy

Also Published As

Publication number Publication date
CN101119234A (en) 2008-02-06


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20080206

Assignee: SHENZHEN ZTE MICROELECTRONICS TECHNOLOGY CO., LTD.

Assignor: ZTE Corporation

Contract record no.: 2017440020015

Denomination of invention: Apparatus and method for implementing access control

Granted publication date: 20110302

License type: Common License

Record date: 20170310
