CN101247346A - Method for controlling local area network data message based on gateway mode - Google Patents

Method for controlling local area network data message based on gateway mode Download PDF

Info

Publication number
CN101247346A
Authority
CN
China
Prior art keywords
network
local area
area network
address
lan
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2008100894598A
Other languages
Chinese (zh)
Inventor
陈世杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2008-04-01
Filing date
2008-04-01
Publication date
2008-08-20
Application filed by Individual
Priority to CNA2008100894598A
Publication of CN101247346A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

With the arrival of the information age, paperless electronic office work has become the inevitable choice for improving work efficiency, and more and more enterprise business activity is completed over the network. However, because of the unlimited openness of the network and the flood of viruses and Trojan horses, great disadvantages and hidden dangers accompany enterprises: BitTorrent downloads, for example, consume large amounts of bandwidth and slow down the network; some employees may, for private gain, pass important information and trade secrets to competitors via e-mail, FTP and other transfer methods, causing great harm to enterprises. In this method, a network bridge is set up on the enterprise's network route, and the LAN computers are monitored at that network port so that the messages of LAN hosts can be captured, analysed and intercepted, thereby controlling the network behaviour of the LAN when it accesses the public network.

Description

A method for controlling local area network data messages based on gateway mode
Technical field
The present invention relates to a method for managing the public-network messages of local network hosts in a shared, interactive network environment.
Background technology
Current domestic network management systems generally monitor and manage LAN hosts either through virtual routing technology or in bypass mode. Virtual routing, also called virtual gateway technology, works by having one LAN computer send ARP broadcast packets to all computers on the LAN in which the MAC address of the real LAN gateway is replaced with this computer's own MAC address. The gateway entry in the ARP table of every LAN computer is thereby changed to the MAC address of the computer that sent the ARP packets, so LAN computers send their public-network messages to this computer instead. This computer captures and analyses the messages passing through its network card with a packet-capture driver, applies certain filtering policies, and then decides whether to forward them to the real router, thereby controlling the public-network access of LAN computers. However, in this scheme the LAN computer running the control software is effectively a proxy server for the LAN, and the re-forwarding greatly reduces the networking speed of LAN computers; it also creates convenient conditions for the spread of ARP viruses. Moreover, since present-day firewalls all have a function to prevent this kind of ARP spoofing, monitoring software built on this architecture is becoming ineffective and can no longer achieve the purpose of monitoring. Monitoring LAN computers in bypass mode is generally realised with a switch configured with port mirroring, a proxy server, or a hub. Because this monitoring mode is built on data messages transmitted over the HTTP protocol, it cannot effectively intercept or control messages of P2P protocols during monitoring, and therefore cannot effectively control the various P2P and chat programs that affect the LAN most seriously.
The distinctive feature of the present invention is that it sidesteps the deficiencies of both monitoring modes by deploying the software directly on the LAN gateway: the IP address of one LAN computer is changed to the IP address of the LAN default gateway, the IP address of the LAN default gateway is changed to another IP address, and a filter condition is set on the LAN routing device forbidding every LAN computer, other than the one whose IP address was changed to the default-gateway IP address, from accessing the public network directly through the routing device; they can only access the public network through the computer whose IP address was changed to the default-gateway address. Since all public-network messages sent by LAN computers must pass through this gateway before they can finally reach the public network, the software can easily capture and analyse the data messages and, by applying various control rules, decide whether to intercept or release the public-network access of LAN computers, thus controlling all kinds of public-network access by LAN computers. In addition, this approach avoids the deficiency of controlling the LAN by sending ARP-spoofing messages, and it can easily intercept the message transmissions of the various protocols used by LAN computers, such as HTTP and P2P protocols, so that it can effectively control all kinds of P2P software.
Summary of the invention
With the development of Internet technology, most enterprises have stepped onto the Internet express and adopted all kinds of network and electronic technologies to carry out their work over the network. But because of the unlimited openness of the network and the lack of effective network management, enormous network-management problems arise for a great many enterprises and institutions. For example: employees use various P2P programs during working hours to download large amounts of entertainment data; these P2P tools can exhaust the enterprise's bandwidth and disrupt its normal network use. At the same time, employees browse large numbers of web sites unrelated to work, such as pornographic, reactionary and violent sites, which has an extremely bad influence, wastes working time, easily lets network viruses spread unchecked, seriously affects the normal operation of the enterprise and reduces working efficiency. Also, because network transmission is convenient and high-speed data transfer is possible, some employees steal the enterprise's essential trade secrets and proprietary technology for private gain by means such as e-mail, HTTP/FTP transfer and chat, seriously harming the interests of the enterprise and causing it heavy losses. In summary, an effective network management system has become a necessity for enterprise network management.
The technical solution of the present invention is as follows. First, a gateway is set up on one LAN computer: the IP address of this LAN computer is changed to the IP address of the LAN default gateway, the IP address of the LAN default gateway is changed to another IP address, and a filter condition is set on the LAN routing device forbidding every LAN computer, other than the one whose IP address was changed to the default-gateway IP address, from accessing the public network directly through the routing device, so that they can only access the public network through the computer whose IP address was changed to the default-gateway IP address. Monitoring software is deployed on this computer. Because the address previously used by the LAN's default gateway has now been assigned to the new gateway, the public-network messages of LAN computers are sent to this gateway; the monitoring software then starts a packet-capture driver to capture the data messages passing through this network bridge and analyses the captured messages against a set of control and filtering rules. Data messages that match a control interception rule are dropped or interrupted so that they cannot pass, and the network behaviour is controlled in this way; data messages that may be released are forwarded by the monitoring software to the LAN's real gateway, that is, the routing device, which releases the network access. In this arrangement, if a monitored LAN computer changes its own default gateway address to the IP address of the new routing device, then, because the routing device still provides a routing function (it still allows LAN computers to go online through it), the monitored computer could access the public network directly through the routing device and evade monitoring. Therefore a filter condition must also be set on the routing device forbidding monitored LAN computers from accessing the public network directly through the routing device, and only the computer on which the monitoring software is installed is allowed to access the public network directly through the routing device. In this way none of the controlled LAN computers can access the public network directly through the routing device; they can only go through this computer, and the purpose of complete monitoring is achieved.
According to the technical characteristics of this software, it can be implemented in any programming language. Because software written according to this principle is deployed at the gateway through which the LAN accesses the public network, it suits the large-scale, centralised monitoring needs of enterprises and institutions. At the same time, because management is done in conjunction with the routing device, it effectively prevents some LAN computers from attempting to escape monitoring by various means. And because the public-network messages of LAN computers are first sent to this new gateway and only then forwarded by it to the routing device to access the public network, the monitoring software can capture, filter and forward the data messages of all protocols, which guarantees that the monitoring software can control all network behaviour of the LAN.
Embodiment
(1) Set up a gateway on one LAN computer: change the IP address of this LAN computer to the IP address of the LAN default gateway, change the IP address of the LAN default gateway to another IP address, and set a filter condition on the LAN routing device forbidding every LAN computer, other than the one whose IP address was changed to the default-gateway IP address, from accessing the public network directly through the routing device, so that they can only access the public network through the computer whose IP address was changed to the default-gateway IP address. Here the routing device may be a router, a firewall with routing function, a server with Internet-sharing function, or the like.
(2) Set the IP address, subnet mask, gateway address, DNS address and so on of this new gateway, and make sure the new gateway computer can go online normally. Generally the IP address of the new gateway is set to the IP address of the LAN default gateway, such as 192.168.0.1, which is usually the IP address of the router, and the IP address of the default gateway is set to another IP address, such as 192.168.0.10. The subnet mask is set according to how the network segment is divided; the gateway address of the new gateway computer is set to the changed IP address of the routing device; and DNS is set to a public-network DNS, such as the DNS addresses provided by Netcom or Telecom.
(3) Deploy the monitoring software on this new gateway. The monitoring software automatically uses this new gateway as the monitoring device and starts its packet-capture driver to capture and analyse the data messages passing through this network bridge. The captured data messages are matched, according to their data characteristics such as the packet's IP address, port, protocol characteristics and size, against the configured control rules, such as forbidding Internet access, forbidding P2P downloads, forbidding chat, forbidding the sending of sensitive mail, and so on. Data messages that match an interception rule are dropped or interrupted by the monitoring software; data messages that do not match an interception rule are forwarded directly to the real gateway, that is, the routing device, which releases the public-network access.
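A small model of the two filters described in the technical solution and in embodiment steps (1) and (3): the routing device's condition that only the new gateway may reach the public network, and the gateway's rule matching on IP, port, protocol and size. This is an added Python example, not code from the patent; it uses the 192.168.0.1 / 192.168.0.10 addresses from step (2), constructed LAN hosts and public destinations, illustrative rule ports and size threshold, and assumes the gateway relays traffic with its own source address, which the patent does not specify.

```python
from dataclasses import dataclass
from typing import Callable, List

# Addresses from embodiment step (2): the monitoring gateway takes 192.168.0.1 and the
# router is moved to 192.168.0.10. All host and public addresses below are constructed.
MONITOR_GATEWAY_IP = "192.168.0.1"
ROUTER_IP = "192.168.0.10"
LAN_PREFIX = "192.168.0."

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int
    size: int       # payload size in bytes
    next_hop: str   # LAN device the host hands the packet to (its configured gateway)

@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Packet], bool]

def is_public(ip: str) -> bool:
    return not ip.startswith(LAN_PREFIX)

# Interception rules from embodiment step (3), expressed as metadata matches.
# The port values and the size threshold are illustrative assumptions.
RULES: List[Rule] = [
    Rule("forbid-p2p", lambda p: p.proto == "tcp" and 6881 <= p.dst_port <= 6889),
    Rule("forbid-chat", lambda p: p.dst_port in (5222, 8000)),
    Rule("forbid-large-mail", lambda p: p.dst_port == 25 and p.size > 5_000_000),
]

def gateway_decision(pkt: Packet) -> str:
    """Monitoring gateway: drop on the first matching rule, otherwise forward to the router."""
    for rule in RULES:
        if rule.match(pkt):
            return "drop:" + rule.name
    return "forward-to-router"

def router_decision(pkt: Packet) -> str:
    """Routing device filter: only the monitoring gateway may send to the public network directly."""
    if is_public(pkt.dst_ip) and pkt.src_ip != MONITOR_GATEWAY_IP:
        return "drop:not-from-monitor-gateway"
    return "route-to-public"

def lan_path(pkt: Packet) -> str:
    """Follow one packet from a LAN host through both filters and return the final verdict."""
    if pkt.next_hop == MONITOR_GATEWAY_IP:
        verdict = gateway_decision(pkt)
        if verdict != "forward-to-router":
            return verdict
        # Assumption: the gateway relays with its own source address (masquerading),
        # so the router sees traffic from MONITOR_GATEWAY_IP and lets it through.
        relayed = Packet(MONITOR_GATEWAY_IP, pkt.dst_ip, pkt.proto, pkt.dst_port, pkt.size, ROUTER_IP)
        return router_decision(relayed)
    if pkt.next_hop == ROUTER_IP:
        # Host reconfigured its default gateway to the router: the router-side filter catches it.
        return router_decision(pkt)
    return "drop:unknown-next-hop"

if __name__ == "__main__":
    print(lan_path(Packet("192.168.0.22", "203.0.113.9", "tcp", 443, 800, ROUTER_IP)))
```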

Claims (1)

  1. A method for controlling local area network data messages based on gateway mode, in which the IP address of one LAN computer is changed to the IP address of the LAN default gateway, the IP address of the LAN default gateway is changed to another IP address, and a filter condition is set on the LAN routing device that allows only the computer whose IP address was changed to the default-gateway IP address to access the public network directly through the routing device, while forbidding the data messages of monitored LAN hosts from being transmitted directly through the routing device, so that they must be relayed through the LAN computer whose IP address was changed to the default-gateway IP address; monitoring software is deployed on this computer, which captures and analyses the passing data messages, matches them against certain control rules, and then decides whether to release them or not.
CNA2008100894598A 2008-04-01 2008-04-01 Method for controlling local area network data message based on gateway mode Pending CN101247346A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2008100894598A CN101247346A (en) 2008-04-01 2008-04-01 Method for controlling local area network data message based on gateway mode

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2008100894598A CN101247346A (en) 2008-04-01 2008-04-01 Method for controlling local area network data message based on gateway mode

Publications (1)

Publication Number Publication Date
CN101247346A true CN101247346A (en) 2008-08-20

Family

ID=39947556

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008100894598A Pending CN101247346A (en) 2008-04-01 2008-04-01 Method for controlling local area network data message based on gateway mode

Country Status (1)

Country Link
CN (1) CN101247346A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101945084A (en) * 2009-07-09 2011-01-12 精品科技股份有限公司 Client web browsing control system and method
CN101997871A (en) * 2010-09-21 2011-03-30 电子科技大学 Device for quickly capturing, filtering and forwarding data
CN102075450A (en) * 2009-11-19 2011-05-25 北京明朝万达科技有限公司 Utility method for recording chatting content of instant messaging device
CN102739512A (en) * 2011-03-30 2012-10-17 大势至(北京)软件工程有限公司 Method for centrally filtering network data packet based on three-layer switchboard under multi virtual local area network (VLAN) environment
CN102739433A (en) * 2011-03-30 2012-10-17 大势至(北京)软件工程有限公司 Control method of local area network computer through network management software allocation based on multi-net environment of three-layer switch
CN114629828A (en) * 2022-05-12 2022-06-14 杭州玖玖盾信息科技有限公司 Network access detection method and electronic equipment

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101945084A (en) * 2009-07-09 2011-01-12 精品科技股份有限公司 Client web browsing control system and method
CN102075450A (en) * 2009-11-19 2011-05-25 北京明朝万达科技有限公司 Utility method for recording chatting content of instant messaging device
CN102075450B (en) * 2009-11-19 2015-03-04 北京明朝万达科技有限公司 Utility method for recording chatting content of instant messaging device
CN101997871A (en) * 2010-09-21 2011-03-30 电子科技大学 Device for quickly capturing, filtering and forwarding data
CN101997871B (en) * 2010-09-21 2013-07-24 电子科技大学 Device for quickly capturing, filtering and forwarding data
CN102739512A (en) * 2011-03-30 2012-10-17 大势至(北京)软件工程有限公司 Method for centrally filtering network data packet based on three-layer switchboard under multi virtual local area network (VLAN) environment
CN102739433A (en) * 2011-03-30 2012-10-17 大势至(北京)软件工程有限公司 Control method of local area network computer through network management software allocation based on multi-net environment of three-layer switch
CN114629828A (en) * 2022-05-12 2022-06-14 杭州玖玖盾信息科技有限公司 Network access detection method and electronic equipment

Similar Documents

Publication Publication Date Title
CN111294365B (en) Attack flow protection system, method and device, electronic equipment and storage medium
Rawat et al. Software defined networking architecture, security and energy efficiency: A survey
CN101431449B (en) Network flux cleaning system
Yan et al. Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: A survey, some research issues, and challenges
Mirkovic et al. Attacking DDoS at the source
CN104272656B (en) The executable method of computing system, computer and computer readable storage medium
KR100796996B1 (en) Methods and apparatus for protecting against overload conditions on nodes of a distributed network
US7234168B2 (en) Hierarchy-based method and apparatus for detecting attacks on a computer system
CN107135187A (en) Preventing control method, the apparatus and system of network attack
Mihai-Gabriel et al. Achieving DDoS resiliency in a software defined network by intelligent risk assessment based on neural networks and danger theory
CN101247346A (en) Method for controlling local area network data message based on gateway mode
CN101106518B (en) Service denial method for providing load protection of central processor
CN102857388A (en) Cloud detection safety management auditing system
CN101252474A (en) Method for controlling local area network data message based on network bridge mode
CN104160735B (en) Send out message processing method, transponder, message processor, message handling system
CA2925717A1 (en) Method and system for triggering augmented data collection on a network based on traffic patterns
CN113037731A (en) Network flow control method and system based on SDN architecture and honey network
CN107332810A (en) Attack defense method and device, system
Poongothai et al. Simulation and analysis of DDoS attacks
CN102045302A (en) Network attack preventing method, service control node and access node
Srinivasa et al. RIoTPot: a modular hybrid-interaction IoT/OT honeypot
Dayal et al. Analyzing effective mitigation of DDoS attack with software defined networking
Dressler et al. Attack detection using cooperating autonomous detection systems (CATS)
Cruz et al. Cooperative security management for broadband network environments
CN102739433A (en) Control method of local area network computer through network management software allocation based on multi-net environment of three-layer switch

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20080820