CN101521578B - Method for detecting computer illegal external connection in closed network - Google Patents

Method for detecting computer illegal external connection in closed network

Info

Publication number
CN101521578B
CN101521578B (application CN2009100816061A)
Authority
CN
China
Prior art keywords
network
interface card
computer
network interface
external connection
Prior art date
Legal status
Expired - Fee Related
Application number
CN2009100816061A
Other languages
Chinese (zh)
Other versions
CN101521578A (en)
Inventor
孙彬
温巧燕
曹海旺
张华�
冯运波
张�杰
Current Assignee
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date: 2009-04-03
Filing date: 2009-04-03
Publication date: 2011-09-07
Application filed by Beijing University of Posts and Telecommunications
Priority to CN2009100816061A
Publication of CN101521578A
Application granted
Publication of CN101521578B
Expired - Fee Related
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for detecting illegal external connections by computers in a closed network. It comprises the following steps: one computer in the network is equipped with an internal network interface card and an external network interface card and serves as the monitor; the two cards are assigned an internal network address and a non-internal network address respectively, and the router port to which the external card is connected is assigned a port address on the same network segment as that non-internal address. The monitor sends probe messages into the network through both the internal and the external card and receives the corresponding response messages; if a computer exists in the network that does not return a response message to the external card, that computer is judged to be an illegally externally connected host. The method effectively detects illegally externally connected computers in the network; it is simple, effective and easy to implement and operate.

Description

Method for detecting computer illegal external connection in a closed network
Technical field
The present invention relates to the field of computer technology, and in particular to a method for detecting illegal external connections by computers in a closed network.
Background technology
In environments such as enterprises, the military and banks, where the internal network must be strictly isolated from external networks, an internal computer can bypass the security measures at the network boundary (such as the firewall at the network egress) through a modem, a second network interface card or similar equipment and connect illegally to an external network. This poses a serious threat to the information security of the intranet and can easily lead to data leakage, virus propagation and other serious consequences.
Traditional methods for detecting illegal external connections from an internal network fall roughly into two classes. The first class installs detection software on every computer in the intranet; the software promptly discovers an illegal external connection and reports the information about the offending computer to a monitoring server. This method requires detection software on every internal computer, so it cannot detect a newly connected computer on which the software has not yet been installed. The second class deploys a scanning computer (probe) on the intranet and a receiving computer (monitor) on the external public network, as shown in Figure 1. The probe sends to every internal computer a spoofed ICMP probe message whose source IP is that of the monitor on the public network. If an internal computer is connected to the external network, it replies through the network card of its external route, so the monitor on the public network receives the response, detects that a computer on the internal network has an illegal external connection, and records the routing information. This method has the following drawbacks when implemented. When an illegally connected host answers the intranet probe, the source IP address of the response it sends towards the public network is an intranet address, and intranet IPs are generally planned as private addresses. Because the access layer of today's public networks applies source-address filtering, a router drops an IP packet whose source address is a private address such as 192.168.x.x or 10.x.x.x, so the response never reaches the monitor on the public network and detection fails; the method can only work if the intranet uses non-private IP addresses. In addition, if the external network that the host connects to is not the public network (for instance the internal network of another enterprise), the method cannot detect that host's illegal external connection.
Summary of the invention
In view of this, the object of the invention is to provide a method for detecting illegal external connections by computers in a closed network, which solves the problem that, because the access layer of the current public network applies source-address filtering, a router drops IP packets whose source address is an intranet address, so that these packets cannot reach the monitor on the public network and detection fails.
To solve the above problem, the invention provides a method for detecting illegal external connections by computers in a closed network, comprising: an intranet network card and an extranet network card are installed on any computer in the network, which serves as the monitor; the extranet card is connected to an Ethernet interface of the internal router; the two cards are assigned an intranet address and a non-intranet address on different network segments, respectively, and the router port to which the extranet card is connected is assigned a port address on the same network segment as the non-intranet address;
the monitor sends probe messages into the network through the intranet card and the extranet card and receives the corresponding response messages; if a computer exists in the network that does not send a response message to the extranet card, that computer is judged to be an illegally externally connected host;
the probe messages are ICMP ECHO messages or TCP/UDP scan messages.
Preferably, the method further comprises: if the monitor receives response messages from a computer in the network to the probes sent by both the intranet card and the extranet card, it judges that the computer has no illegal external connection.
Preferably, the method further comprises: if the monitor receives no response message from a computer in the network to the probes sent by either the intranet card or the extranet card, it judges that the computer is shut down or that the corresponding IP address does not exist in the network.
The method can effectively detect an illegally externally connected computer in the network, even one that has only just joined the network; it works despite the source-address filtering applied at the access layer of the current public network; it requires no software to be installed on any intranet host, no spoofed IP messages, no packets to be sent into the public network, no equipment to be placed on the public network and no interaction with systems in the public network, so the routing policy of the public network has no effect on detection accuracy. Even if a host connects to a network other than the public network, the illegal connection can still be detected. The method is simple, effective and easy to implement and operate.
Description of drawings
Fig. 1 is a schematic diagram of existing illegal external connection detection;
Fig. 2 is a schematic diagram of an implementation of the invention;
Fig. 3 is a schematic diagram of a normal host responding to an IP probe message;
Fig. 4 is a schematic diagram of an illegally externally connected host responding to an IP probe message.
Embodiment
To clearly illustrate the technical scheme of the invention, a preferred embodiment is given below and described with reference to the accompanying drawings.
An internal network is generally an Ethernet whose structure is several hosts connected under a switch, with the switch connecting upstream to the internal router (or layer-3 switch). The invention adds a pseudo-route on the intranet router (or layer-3 switch) so that every host of the internal network receives probe messages whose source IP is a non-internal-network IP. An illegally externally connected host is thereby led to respond via the route it has chosen to the external network, so the monitor cannot receive that host's response and detects it as an illegally externally connected host.
The invention is realized by the following steps:
Step 1: Two network interface cards (card 1 and card 2) are installed on one intranet computer, which serves as the monitor, as shown in Figure 2. The IP of card 1 is set to an intranet IP so that it can communicate with every intranet host; card 2 is configured with an arbitrary non-internal-network IP and is connected to an Ethernet interface of the internal router (or layer-3 switch).
Step 2: A pseudo-route is configured on the internal router (or layer-3 switch): the router Ethernet port connected to card 2 is assigned an IP address on the network segment of card 2 (a non-intranet address), so that the route is open and card 2 can communicate with every host of the internal network through this router. The router then advertises this pseudo-route information in the network.
Step 3: The monitor simultaneously sends, through card 1 and card 2, IP probe messages that elicit a reply (e.g. ICMP ECHO messages, TCP/UDP scan messages) to every intranet host. The source IP of the probes sent by card 1 is the IP of card 1, and the source IP of the probes sent by card 2 is the IP of card 2.
Step 4: The monitor receives the response messages from each host, analyzes the responses obtained by card 1 and card 2 respectively, and determines whether the host has an illegal external connection according to the following table:
Card 1 receives response   Card 2 receives response   Conclusion
Yes                        Yes                        Host has no illegal external connection
Yes                        No                         Host is illegally externally connected
No                         Yes                        Internal network fault
No                         No                         Host is shut down or does not exist
The working process of the invention is as follows:
First, the monitor simultaneously sends reply-eliciting IP probe messages through card 1 and card 2, so that every host of the internal network receives the probes sent by both cards. For convenience of description, we call the IP address of card 1 IP1 and the IP address of card 2 IP2; the probe sent by card 1 is called message 1 and the probe sent by card 2 is called message 2; the tested host's response to message 1 is called response 1 and its response to message 2 is called response 2.
When the tested host receives message 1, the destination IP address of response 1 is IP1. Because IP1 is a legitimate intranet address, the response is delivered to card 1 by normal routing, so the monitor receives the tested host's response to message 1.
When the tested host receives message 2, the destination IP address of response 2 is IP2. If the tested host has no illegal external connection, then because a pseudo-route for the IP2 segment exists in the network, response 2 is delivered to card 2 by the intranet's routing and the monitor receives the response to message 2. If the tested host has an illegal external connection, it necessarily has another network card connected to the public network; since IP2 is a public network address, response 2 is sent out to the public network through that card (the illegal external connection card), and the monitor cannot receive the response to message 2.
Therefore, by analyzing whether the monitor receives the responses to message 1 and message 2, we can determine whether the tested host has an illegal external connection.
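The following is an added example, not code from the patent or its applicant. It simulates steps 1 to 4 and the decision table above: each tested host carries a small routing table, a longest-prefix-match chooses the interface its reply leaves by, and a reply reaches the monitor only if it leaves by the intranet card and the internal router can forward it (directly to card 1, or via the pseudo-route to card 2). It also includes the background's prior-art check, where a reply with a private source address is dropped at the public access layer. All addresses, host names, interface names and routing entries are constructed for the example; the decision table is the patent's.

```python
"""Simulation of the dual-NIC probe and the decision table (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed addressing: card 1 sits on the intranet segment; card 2 sits on a
# non-intranet segment that the internal router reaches through the pseudo-route.
INTRANET = ip_network("10.1.1.0/24")
IP1 = ip_address("10.1.1.250")               # monitor card 1 (intranet IP)
IP2 = ip_address("203.0.113.10")             # monitor card 2 (non-intranet IP)
PSEUDO_ROUTE = ip_network("203.0.113.0/24")  # advertised by the internal router


@dataclass
class Host:
    name: str
    up: bool = True
    # Routing table as (prefix, outgoing interface).  A host with an illegal
    # second card typically has its default route pointing out of that card.
    routes: List[Tuple[str, str]] = field(default_factory=list)

    def egress(self, dst) -> Optional[str]:
        """Longest-prefix match: the interface a reply to dst leaves by."""
        best = None
        for prefix, iface in self.routes:
            net = ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, iface)
        return None if best is None else best[1]


def intranet_router_delivers(dst) -> bool:
    """The internal router forwards to card 1 directly and to card 2 via the pseudo-route."""
    return dst in INTRANET or dst in PSEUDO_ROUTE


def probe(host: Host, monitor_ip) -> bool:
    """True if the monitor receives host's reply to a probe sent from monitor_ip."""
    if not host.up:
        return False
    # Only replies leaving by the intranet card pass through the internal router;
    # a reply sent out of any other card goes to the external network instead.
    return host.egress(monitor_ip) == "intranet" and intranet_router_delivers(monitor_ip)


# (card 1 got reply, card 2 got reply) -> verdict, as in the patent's table
DECISION = {
    (True, True): "no illegal external connection",
    (True, False): "illegal external connection",
    (False, True): "internal network fault",
    (False, False): "host shut down or address does not exist",
}


def classify(host: Host) -> str:
    return DECISION[(probe(host, IP1), probe(host, IP2))]


def prior_art_reply_reaches_public_monitor(src: str) -> bool:
    """Background scheme: the host's intranet-sourced reply must cross the public
    access layer, which drops packets whose source address is private."""
    return not ip_address(src).is_private


def run_demo() -> Dict[str, str]:
    """Three constructed hosts covering three rows of the decision table."""
    hosts = [
        Host("normal", routes=[("10.1.1.0/24", "intranet"), ("0.0.0.0/0", "intranet")]),
        Host("dual-homed", routes=[("10.1.1.0/24", "intranet"),
                                   ("198.51.100.0/24", "modem"),
                                   ("0.0.0.0/0", "modem")]),
        Host("offline", up=False, routes=[("10.1.1.0/24", "intranet"), ("0.0.0.0/0", "intranet")]),
    ]
    return {h.name: classify(h) for h in hosts}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:12s} -> {verdict}")
    print("prior art, 10.1.1.20 source reaches public monitor:",
          prior_art_reply_reaches_public_monitor("10.1.1.20"))
```

The dual-homed host answers card 1 because the intranet segment is a connected route, but its default route sends the reply for IP2 out of the modem interface, which is exactly the asymmetry the table turns into a verdict. The prior-art check shows the contrasting failure: a reply carrying the host's own 10.x address never crosses the public access layer.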
For the method for being set forth among each embodiment of the present invention, within the spirit and principles in the present invention all, any modification of being done, be equal to replacement, improvement etc., all should be included within protection scope of the present invention.

Claims (3)

1. A method for detecting illegal external connection of a computer in a closed network, characterized in that it comprises: an intranet network card and an extranet network card are installed on any computer in the network, which serves as the monitor; the extranet card is connected to an Ethernet interface of the internal router; the two cards are assigned a corresponding intranet address and non-intranet address respectively, and the router port to which the extranet card is connected is assigned a port address on the same network segment as the non-intranet address;
the monitor sends probe messages into the network through the intranet card and the extranet card and receives the corresponding response messages; if a computer exists in the network that does not send a response message to the extranet card, that computer is judged to be an illegally externally connected host;
the probe messages are ICMP ECHO messages or TCP/UDP scan messages.
2. The method according to claim 1, characterized in that it further comprises: if the monitor receives response messages from a computer in the network to the probes sent by both the intranet card and the extranet card, it judges that the computer has no illegal external connection.
3. The method according to claim 1, characterized in that it further comprises: if the monitor receives no response message from a computer in the network to the probes sent by either the intranet card or the extranet card, it judges that the computer is shut down or that the IP address corresponding to the computer does not exist in the network.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN2009100816061A (CN101521578B) | 2009-04-03 | 2009-04-03 | Method for detecting computer illegal external connection in closed network

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN2009100816061A (CN101521578B) | 2009-04-03 | 2009-04-03 | Method for detecting computer illegal external connection in closed network

Publications (2)

Publication Number | Publication Date
CN101521578A (en) | 2009-09-02
CN101521578B (en) | 2011-09-07

Family

ID=41081967

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN2009100816061A (CN101521578B), Expired - Fee Related | Method for detecting computer illegal external connection in closed network | 2009-04-03 | 2009-04-03

Country Status (1)

Country Link
CN (1) CN101521578B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102129534A (en) * 2010-10-22 2011-07-20 新兴铸管股份有限公司 Method for file security and virus protection of multi-network computer
CN105577668A (en) * 2015-12-25 2016-05-11 北京奇虎科技有限公司 Network connection control method and device
CN107317729A (en) * 2017-07-11 2017-11-03 浙江远望信息股份有限公司 A kind of active probe method of the multiple network interconnection based on ICMP agreements
CN109450921B (en) * 2018-11-29 2021-08-10 北京北信源信息安全技术有限公司 Network state monitoring method and device, storage medium and server
CN110191102B (en) * 2019-05-09 2021-12-21 黄志英 Illegal external connection comprehensive monitoring system and method thereof
CN112104590B (en) * 2019-06-18 2023-03-24 浙江宇视科技有限公司 Method and system for detecting private connection of network equipment in private network to public network
CN110768999B (en) * 2019-10-31 2022-01-25 杭州迪普科技股份有限公司 Method and device for detecting illegal external connection of equipment
CN111130930B (en) * 2019-12-16 2022-11-01 杭州迪普科技股份有限公司 Dual-network card detection method and device
CN111385376B (en) * 2020-02-24 2022-12-23 杭州迪普科技股份有限公司 Illegal external connection monitoring method, device, system and equipment for terminal
CN112073381B (en) * 2020-08-13 2021-12-17 中国电子科技集团公司第三十研究所 Detection method for connecting internet equipment to access intranet
CN112202749B (en) * 2020-09-24 2023-07-14 深信服科技股份有限公司 Illegal external connection detection method, detection equipment, networking terminal and storage medium
CN112565005B (en) * 2020-11-26 2022-05-13 北京北信源软件股份有限公司 Network serial line detection method and device, equipment and medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN2337611Y (en) * 1998-07-07 1999-09-08 深圳市宏网实业有限公司 Safety network computer capable of simultaneously connecting internal network and external network
CN1447240A (en) * 2003-01-24 2003-10-08 上海金诺网络安全技术发展股份有限公司 Method to realize monitoring connection states of closed network by using a computer on intranet
CN1509006A (en) * 2002-12-13 2004-06-30 联想(北京)有限公司 Firewall and invasion detecting system linkage method

Also Published As

Publication number Publication date
CN101521578A (en) 2009-09-02

Similar Documents

Publication Publication Date Title
CN101521578B (en) Method for detecting computer illegal external connection in closed network
CN105227383B (en) A kind of device of network topology investigation
Fovino et al. An experimental platform for assessing SCADA vulnerabilities and countermeasures in power plants
CN103607399B (en) Private IP network network safety monitoring system and method based on darknet
CN105450442B (en) A kind of network topology investigation method and its system
KR100426317B1 (en) System for providing a real-time attacking connection traceback using of packet watermark insertion technique and method therefor
KR101369727B1 (en) Apparatus and method for controlling traffic based on captcha
WO2015129934A1 (en) Command control channel detection device and method
CN105515180A (en) Intelligent substation communication network dynamic monitoring system and monitoring method thereof
CN101136797B (en) Detection of inside and outside network physical connection, on-off control method and device for using the same
CN103746885A (en) Test system and test method oriented to next-generation firewall
CN104700024B (en) A kind of method and system of Unix classes host subscriber operational order audit
CN107483484A (en) One kind attack protection drilling method and device
CN105227559A (en) The information security management framework that a kind of automatic detection HTTP actively attacks
CN1988439A (en) Device and method for realizing network safety
CN101355459A (en) Method for monitoring network based on credible protocol
CN107122685A (en) A kind of big data method for secure storing and equipment
CN105554022A (en) Automatic testing method of software
CN104539483A (en) Network testing system
CN108040039A (en) A kind of method, apparatus, equipment and system for identifying attack source information
CN104204973B (en) The dynamic configuration of industrial control system
CN112565300A (en) Industry-based cloud hacker attack identification and blocking method, system, device and medium
KR101380015B1 (en) Collaborative Protection Method and Apparatus for Distributed Denial of Service
CN113965355B (en) Illegal IP (Internet protocol) intra-provincial network plugging method and device based on SOC (system on chip)
CN102917360A (en) Device and method for detecting Zigbee protocol vulnerabilities

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110907

Termination date: 20210403