CN101616076B - Fine-granularity network access control method based on user connection information - Google Patents
Publication number: CN101616076B (application CN2009100633554A)
Authority: CN (China)
Prior art keywords: connection, user, information, access, gateway
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention relates to a fine-granularity network access control method based on user connection information. Its core idea is to implement, through an architecture of a gateway, an authentication server and a client, a network access control method that audits each connection initiated by a user on the basis of the user's identity and permissions. By binding every connection initiated by the client to the user identity, each connection, and the network application program that initiated it, can be audited and controlled at the authentication server. The method controls the network access of multiple users in a local area network, offers relatively high control precision and flexibility, and can satisfy the requirements of multi-level network access control and flexible user login methods.
Description
Technical field
The invention belongs to the field of computer networks; specifically, it is a fine-granularity network access control method based on user connection information.
Background technology
Network admission control, also called network access control, aims to prevent emerging hacking techniques such as viruses and worms from harming enterprise security. With network access control, only legitimate, trusted endpoint devices (for example PCs, servers, PDAs) are allowed onto the network, and other devices are denied access.
The methods currently used for network access control are mainly: MAC address filtering, IP-address-based access control lists (ACLs), 802.1X authentication, etc.
MAC address filtering is based on the unique ID of the network device; by filtering on MAC addresses, the users who may use network resources can be restricted at a fundamental level. The disadvantages of this approach are that the workload of reconfiguring the system is large, and that an unauthorized user can gain unauthorized access to network resources by changing the MAC address.
An IP-address-based access control list (ACL) is a control technique based on packet filtering of traffic flows. A standard access control list uses the source address, destination address and port number as the basic elements of packet inspection, and rules can be customized for packets that meet the inspection conditions. Access control lists are usually applied at the egress of an enterprise network, but an unauthorized user can gain unauthorized access to network resources by changing the IP address.
IEEE 802.1X is a standard for authenticating network clients (or ports) according to user ID or device. This process is called "port-level authentication". Its disadvantage is that 802.1X was not designed with mature filtering or user-identity handling functions, and it requires specific equipment, which is expensive.
Summary of the invention
The purpose of this invention is to provide a fine-granularity network access control method based on user connection information which, through a three-party framework of gateway, authentication server and client, audits connections initiated by the user on the basis of user identity and permissions.
To achieve this goal, the method adopted by the invention is:
Step 1: client monitoring: when the user initiates a new connection and attempts to access an external network resource isolated by the gateway, the client collects the relevant information of this connection and sends it, together with the user information, to the authentication server, which determines the next operation on this connection;
Step 2: the gateway operates on the connection information: the gateway receives the connection to the external network resource sent in step 1, temporarily blocks it, puts it into the to-be-audited connection queue, and starts the operation of step 4;
Step 3: the authentication server performs a permission audit on the connection-related information sent in step 1, specifically comprising:
First step: judge whether the network access control list is present in memory and whether this connection has expired:
1.) if this connection has expired, reject it; otherwise continue;
2.) if there is no access control list rule related to this connection in the authentication server's memory, obtain the relevant network access control list information from the database server and read it into memory;
Second step: match the connection information of step 1 against the access control list in memory; if the permission group to which this connection belongs is matched, make the corresponding decision on this connection according to the matched access control rule; otherwise apply the default policy and drop this connection;
Third step: write the connection information of step 1 and the matching process for this connection information to the system log for management;
Step 4: gateway query and judgment: the gateway queries the authentication server for the result of the connection information in the to-be-audited queue of step 2, and waits for the authentication server's permission audit decision on the connection and the packets belonging to it;
Step 5: the gateway receives the connection processing decision sent by the authentication server and applies it, taking the pass / drop / reject action on the connection of step 1.
At this point, the user's connection request to the isolated external network resource has been audited, and packets sent by different users on the same client can be processed differently according to user permissions.
The invention authenticates user connections on the basis of user IDs, which effectively solves the problem of forged user information and improves the flexibility of user authentication. With the client, gateway and server as its three-part framework, it achieves both precise control and application-level control.
The invention controls the network access of multiple users in a local area network, has relatively high control precision and flexibility, and can satisfy the requirements of multi-level network access control and flexible user login methods.
Description of drawings
Fig. 1 is the overall flow chart of the invention.
Fig. 2 is the overall schematic diagram of the invention.
The dotted line in the figure is the user login and identity authentication step.
Fig. 3 is the client flow chart of the invention.
Fig. 4 is the authentication server flow chart of the invention.
Fig. 5 is the gateway flow chart of the invention.
Embodiment
The invention is described in further detail below with reference to the drawings and embodiments.
The concrete steps of the invention are:
Step 1: the client collects new connection information (Fig. 3):
First step: the client obtains the user information, sends the user name and password to the authentication server, and obtains the relevant user information of this user, such as the user ID.
Second step: judge whether the user has initiated a new external network access connection; if so, go to the third step, otherwise repeat this step.
Third step: the client obtains, in the background, the relevant information of the new connection and the client host information.
Fourth step: the client sends the connection-related information of the previous step, the user information and the client host information together to the authentication server, so that the authentication server can perform the permission audit on this connection. After sending, go back to the second step and repeat the second to fourth steps until the program exits.
Step 2: the gateway obtains the user's external network access connection from the second step of step 1, temporarily blocks this connection, and puts it into the to-be-audited connection queue. It then begins to execute step 4; after completing the operations of step 4 it continues with the operations of step 5, and afterwards waits for the next connection request sent by step 1 (shown as part 2 of Fig. 5).
Step 3: obtain the network access control list (ACL) rules, process the connection information and write it to the log (Fig. 4)
1) judge whether the user's connection has exceeded the validity period:
Judge, according to the timestamp in the user connection information, whether the current user's connection has exceeded the validity period; if it has, prompt the user and close the connection; otherwise go to step 2)
2) obtain the access control permission group the user belongs to:
When the user connects to the authentication server for the first time, the authentication server creates this user's connection information, including the access control list group the user belongs to.
The access control list is as follows:
Group ID | Source port | Destination port | Source IP | Destination IP | Protocol | Decision | (Software) |
---|---|---|---|---|---|---|---|
101 | All | 80,8080 | 192.168.0.2 | 202.114.0.10 | TCP | Drop | Thunder (Xunlei) |
102 | 80 | All | 192.168.0.10-20 | 192.168.0.5-8 | UDP | Pass | |
103 | 45-70 | 20,21 | All | All | ICMP | Reject | KuGoo |
User ID | Permission group ID |
---|---|
1 | 103,102 |
2 | 101 |
3 | 102 |
Columns in parentheses in the above table are optional; the optional fields of this access control list also include the operating system name (which may include the kernel version), validity period, flags, etc.
1) initialize the access control list
If the access control list data of the group the user belongs to exists in memory and has not expired, go to step 3); otherwise query the database to obtain the access control list of this user and store the access control list information in memory.
2) make a decision on this connection
Match the access rules in the access control list against the connection's source IP address, destination IP address, source port, destination port, the user who initiated the connection, the application program the connection belongs to, etc. If a rule matches, take the corresponding policy; if no rule matches, take the default policy and drop this connection;
3) write this user's connection information and the access control list result to the log for management.
4) check the user connection queue; if there is information, go to step 1), otherwise poll and wait for user connection information to appear.
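The authentication server's step 3 audit (validity check, rule match restricted to the user's permission groups, default drop, log entry), as an added example in Python, not code from the patent. The ACL rows, user table and software names are the ones shown above; the validity window, the reading of "192.168.0.10-20" as a last-octet range, and the decision strings are assumptions.

```python
# Added example (not the patent's own code): the authentication server's
# step 3 audit over the ACL and user permission tables shown above.
from dataclasses import dataclass
from ipaddress import ip_address

VALIDITY_SECONDS = 300  # assumed validity window for a connection record

# Network access control list from the table above: (group ID, src port, dst port, src IP, dst IP, protocol, decision, software or None)
ACL = [
    (101, "All", "80,8080", "192.168.0.2", "202.114.0.10", "TCP", "drop", "Thunder"),
    (102, "80", "All", "192.168.0.10-20", "192.168.0.5-8", "UDP", "pass", None),
    (103, "45-70", "20,21", "All", "All", "ICMP", "reject", "KuGoo"),
]
# User permission table: user ID -> permission group IDs the user belongs to
USER_GROUPS = {1: [103, 102], 2: [101], 3: [102]}

@dataclass
class Connection:  # one entry of the client's user network connection table
    user_id: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    process: str = ""      # application program that opened the connection
    timestamp: float = 0.0

def port_matches(spec, port):
    """Port spec: 'All', a single port, a comma list, or a 'lo-hi' range (assumed syntax)."""
    if spec == "All":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def ip_matches(spec, ip):
    """IP spec: 'All', one address, or 'a.b.c.d-e' read as a.b.c.d .. a.b.c.e (assumed syntax)."""
    if spec == "All":
        return True
    base, _, last = spec.partition("-")
    lo = ip_address(base)
    hi = ip_address(base.rsplit(".", 1)[0] + "." + last) if last else lo
    return lo <= ip_address(ip) <= hi

def audit(conn, now, log):
    """Return 'pass', 'drop' or 'reject' for one connection; append the reasoning to log."""
    if now - conn.timestamp > VALIDITY_SECONDS:  # first step: stale record is rejected
        log.append(f"user {conn.user_id}: connection record expired -> reject")
        return "reject"
    # Second step: match only the rules of the permission groups this user belongs to.
    for group in USER_GROUPS.get(conn.user_id, []):
        for gid, sp, dp, sip, dip, proto, decision, software in ACL:
            if gid != group or proto != conn.proto:
                continue
            if not (port_matches(sp, conn.src_port) and port_matches(dp, conn.dst_port)):
                continue
            if not (ip_matches(sip, conn.src_ip) and ip_matches(dip, conn.dst_ip)):
                continue
            if software is not None and software != conn.process:
                continue  # optional software field constrains the initiating program
            log.append(f"user {conn.user_id}: matched group {gid} -> {decision}")
            return decision
    # Third step: no rule matched, so the default policy drops the connection; log it.
    log.append(f"user {conn.user_id}: no rule matched -> default drop")
    return "drop"
```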
Step 4: the result (shown in Fig. 5 41-43) of the link information of gateway in the authentication server challenges step 2.
1) gateway connects the specifying information that obtains this connection the formation from waiting to audit, and with this information copy to sending in the buffering area.
2) if this transmission buffering area is full, then the information in this buffering area is sent to certificate server; Otherwise, to step 1)
3) receive the connection processing decision that certificate server sends it back.
Step 5: to this link information handle it (shown in Fig. 5 51-52)
1) detect in the reception buffer zone whether information is arranged, if having, then to step 2), otherwise poll is waited for.
2) according to the result of link information, by operating system low layer mechanism corresponding processing is made in user's connection.
Content not described in detail in this specification belongs to the prior art known to professionals in this field.
Claims (3)
1. A fine-granularity network access control method based on user connection information, being a network access control method that, through a three-party framework of gateway, authentication server and client, audits connections initiated by the user on the basis of user identity and permissions, its concrete steps being:
Step 1: client monitoring: when the user initiates a new connection and attempts to access an external network resource isolated by the gateway, the client collects the relevant information of this connection, which comprises the hardware information of the client and the network connection information of the system activity; this information and the user information are sent together to the authentication server for processing, and the authentication server decides the next operation on this connection;
Step 2: the gateway operates on the relevant information of said connection: the gateway receives the connection to the external network resource sent in step 1, temporarily blocks it, puts it into the to-be-audited connection queue, and starts the operation of step 4;
Step 3: the authentication server performs a permission audit on the relevant information of said connection sent in step 1, specifically comprising:
First step: judge whether the network access control list is present in memory and whether this connection has expired:
1) if this connection has expired, reject it; otherwise continue;
2) if there is no network access control list rule related to this connection in the authentication server's memory, obtain the relevant network access control list information from the database server and read it into memory;
Second step: match the relevant information of said connection of step 1 against the access control list in memory; if the permission group to which this connection belongs is matched, make the corresponding decision on this connection according to the matched access control rule; otherwise apply the default policy and drop this connection;
Third step: write the relevant information of said connection of step 1 and the matching process for this information to the system log for management;
Step 4: gateway query and judgment: the gateway queries the authentication server for the result of the relevant information of said connection in the to-be-audited queue of step 2, and waits for the authentication server's permission audit decision on the connection and the packets belonging to it;
Step 5: the gateway receives the permission audit decision sent by the authentication server and applies it, taking the pass / drop / reject action on the connection of step 1.
2. The fine-granularity network access control method based on user connection information as claimed in claim 1, characterized in that: in step 3 the authentication server first looks up the permission group the user belongs to, next judges whether the rule information of this permission group exists in memory, then matches the relevant information of said connection initiated in step 1 against the rule information of this permission group, and if the rule information for this connection is matched, makes a decision on the user's connection according to the network access control rule.
3. The fine-granularity network access control method based on user connection information as claimed in claim 1, characterized in that: a user network connection table is set in the user's network access device, a connection list is set in the gateway, and a user permission table and a network access control list are set in the server:
said user network connection table comprises the source IP address, destination IP address, source port, destination port, user name, process name the connection belongs to, and timestamp of the connection;
said connection list comprises the source IP address, destination IP address, source port, destination port, timestamp and queue ID of the connection;
said user permission table comprises the user ID and the permission group the user belongs to;
said network access control list comprises the permission group ID, source IP address, destination IP address, source port, destination port, protocol, software name and decision.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009100633554A CN101616076B (en) | 2009-07-28 | 2009-07-28 | Fine-granularity network access control method based on user connection information |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009100633554A CN101616076B (en) | 2009-07-28 | 2009-07-28 | Fine-granularity network access control method based on user connection information |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101616076A CN101616076A (en) | 2009-12-30 |
CN101616076B true CN101616076B (en) | 2013-01-23 |
Family
ID=41495495
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2009100633554A Expired - Fee Related CN101616076B (en) | 2009-07-28 | 2009-07-28 | Fine-granularity network access control method based on user connection information |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101616076B (en) |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101917423A (en) * | 2010-08-05 | 2010-12-15 | 上海酷族信息技术有限公司 | Operating method for safety protection of database |
CN102104607B (en) * | 2011-03-10 | 2013-11-06 | 易程(苏州)软件股份有限公司 | Method, device and system for controlling safety of service access |
CN102999713A (en) * | 2012-11-15 | 2013-03-27 | 沈阳中科博微自动化技术有限公司 | Multi-user remote data operating method with authority management |
CN103457878B (en) * | 2013-09-05 | 2016-03-23 | 电子科技大学 | A kind of access control method based on stream |
CN104869180B (en) * | 2014-02-26 | 2018-12-04 | 中国电信股份有限公司 | The method and apparatus of controlling terminal communication range |
CN105024982A (en) * | 2014-04-29 | 2015-11-04 | 中国移动通信集团设计院有限公司 | Method and device for network access and server |
CN104753926B (en) * | 2015-03-11 | 2019-04-12 | 华中科技大学 | A kind of gateway admittance control method |
CN106131090B (en) * | 2016-08-31 | 2021-11-09 | 北京力鼎创软科技有限公司 | Method and system for user to access network under web authentication |
CN107819732B (en) * | 2016-09-13 | 2021-07-13 | 中兴通讯股份有限公司 | Method and device for user terminal to access local network |
CN106506468A (en) * | 2016-10-31 | 2017-03-15 | 盛科网络(苏州)有限公司 | A kind of method that minimizing ACE entries are consumed |
CN110855687A (en) * | 2019-11-18 | 2020-02-28 | 惠州学院 | Network space security situation perception detection analysis system and method |
CN117336101B (en) * | 2023-11-29 | 2024-02-23 | 南京中孚信息技术有限公司 | Fine-grained network access control method, system, equipment and medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1437361A (en) * | 2002-02-07 | 2003-08-20 | 华为技术有限公司 | Network access control method based on network address |
CN1627683A (en) * | 2003-12-09 | 2005-06-15 | 鸿富锦精密工业(深圳)有限公司 | Unitary authentication authorization management system and method |
CN101034981A (en) * | 2006-03-07 | 2007-09-12 | 上海品伟数码科技有限公司 | Network access control system and its control method |
2009: 2009-07-28 CN CN2009100633554A patent/CN101616076B/en not_active Expired - Fee Related
Non-Patent Citations (1)
Title |
---|
王润高 (Wang Rungao). 网络资源访问控制技术的研究与实现 (Research and implementation of network resource access control technology). Master's thesis, 西北工业大学 (Northwestern Polytechnical University), 2007. * |
Also Published As
Publication number | Publication date |
---|---|
CN101616076A (en) | 2009-12-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101616076B (en) | Fine-granularity network access control method based on user connection information | |
US10212134B2 (en) | Centralized management and enforcement of online privacy policies | |
JP5396051B2 (en) | Method and system for creating and updating a database of authorized files and trusted domains | |
US8528047B2 (en) | Multilayer access control security system | |
EP3264720B1 (en) | Using dns communications to filter domain names | |
US11496387B2 (en) | Auto re-segmentation to assign new applications in a microsegmented network | |
US20080046989A1 (en) | System and method for remote authentication security management | |
US20080040790A1 (en) | Security Protection Apparatus And Method For Endpoint Computing Systems | |
US20100146599A1 (en) | Client-based guest vlan | |
US20090313682A1 (en) | Enterprise Multi-interceptor Based Security and Auditing Method and Apparatus | |
US9882965B2 (en) | Techniques for network process identity enablement | |
US8548998B2 (en) | Methods and systems for securing and protecting repositories and directories | |
CN103905395B (en) | WEB access control method and system based on redirection | |
US7841005B2 (en) | Method and apparatus for providing security to web services | |
US20080133719A1 (en) | System and method of changing a network designation in response to data received from a device | |
CN108173838A (en) | A kind of control auditing method accessed the network equipment | |
CN101540755A (en) | Method, system and device for recovering data | |
CN107317816A (en) | A kind of method for network access control differentiated based on client application | |
CN100525310C (en) | Operationable safety P2P service system and realizing method | |
CN104717062B (en) | The method and device that a kind of visitor based on BYOD management systems quickly accesses | |
JP2019504391A (en) | Network architecture for controlling data signaling | |
US10560478B1 (en) | Using log event messages to identify a user and enforce policies | |
CN108183882B (en) | A kind of network security auditing method based on intelligent router | |
CN115065548B (en) | Enhanced network security access area data management and control system and method | |
US20230018210A1 (en) | Application identity-based enforcement of datagram protocols |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20130123; Termination date: 20150728 |
EXPY | Termination of patent right or utility model | |