CN101714927A - Network access control method for comprehensive safety management of inner network - Google Patents


Info

Publication number
CN101714927A
Authority
CN
China
Prior art keywords
terminal
security
intranet
network
access control
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201010300360A
Other languages
Chinese (zh)
Other versions
CN101714927B (en)
Inventor
许元进
黄聪泉
杨小焰
吴滨华
肖健
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
FUJIAN ETIM INFORMATION TECHNOLOGY Co Ltd
Original Assignee
FUJIAN ETIM INFORMATION TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Events
Application filed by FUJIAN ETIM INFORMATION TECHNOLOGY Co Ltd
Priority to CN2010103003605A (granted as CN101714927B)
Publication of CN101714927A
Application granted
Publication of CN101714927B
Legal status: Active
Anticipated expiration: not listed

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a network access control method for the comprehensive safety management of an inner network (intranet). The method is characterized in that security control of network access terminals is achieved through linkage among a comprehensive intranet security management system, a switch and a RADIUS server. It is carried out in the following steps: first, a switch with the 802.1X access authentication function points its 802.1X authentication server at the RADIUS server, and the network is divided into three VLANs, a working area, an access area and a repairing area; then the access control policies of the VLANs and the linkage configuration with the comprehensive intranet security management system are configured on the RADIUS server. The invention can manage and control terminal security, and saves network resources by eliminating detection by continuous scanning.

Description

Network access control method for integrated intranet security management
Technical field
The present invention relates to terminal security management and the protection of confidential information data, and in particular to a network access control technique for integrated intranet security management.
Background technology
With the rapid development of informatization, the number of terminals inside an organization keeps growing, and how to manage the secure network access of internal terminals and prevent the leakage of terminal information data has become a primary concern of enterprises.
The network access control techniques of most current intranet security management systems work in a "scan, discover, block" mode: the administration centre of the network access control system scans the network continuously, performs a legitimacy check on every computer it discovers, and decides whether that terminal is a legitimate terminal. When a terminal is found to be illegitimate, its network access is blocked by means of ARP spoofing.
This technique has the following deficiencies:
1. An illegitimate terminal can survive on the network for a period of time
Because every address of the whole network must be scanned, each address is visited only once per scan interval. An illegitimately connected terminal therefore survives in the network for a certain time, during which an attacker may complete part of an attack.
2. In some cases the system cannot discover an illegitimately connected terminal
Because the network range to be scanned must be specified in advance, when the address used by an illegitimately connected terminal lies outside the specified scan range, the system cannot "discover" the illegitimately connected device.
3. Valuable network resources are consumed
The access control system must scan continuously in order to discover illegitimate terminals connected to the network, which consumes a large amount of valuable network resources; in large networks this problem is especially pronounced.
Summary of the invention
In view of the deficiencies of the above technique, the purpose of this invention is to provide a network access control method for integrated intranet security management that achieves the management and control of terminal security.
The present invention adopts the following scheme: a network access control method for integrated intranet security management, characterized in that security control of network access terminals is achieved through linkage between the integrated intranet security management system, the switch and the RADIUS server, and comprising the following steps: first, a switch with the 802.1X access authentication function points its 802.1X authentication server at the RADIUS server, and the network is divided into three VLANs, a working area, a visitor area and a repair area; then the access control policy of each VLAN and the linkage configuration with the intranet security management system are configured on the RADIUS server.
The working area is for legitimate terminals, that is, terminals that have passed normal authorization authentication, have the intranet security system client installed, and whose terminal security check meets the rules of the integrated intranet security management system; such terminals can access all network resources normally.
The repair area is for illegitimate terminals, that is, terminals that have passed normal authorization authentication and have the intranet security system client installed, but whose terminal security check does not meet the requirements of the integrated intranet security management system; such terminals can only access the remediation server.
The visitor area (the "access area" of the abstract) is for illegitimate terminals, that is, terminals that have not passed authorization authentication or do not have the intranet security system client installed; such terminals can only access the client download page of the intranet security management system.
The present invention has the following beneficial effects:
Once an illegitimate terminal is found to have connected to the network, it is blocked immediately, avoiding the security threat it would pose during its survival time after connecting.
When the terminal address does not fall within the specified range, the system still forbids network access as long as the terminal is illegitimate, that is, its user has not obtained proper authorization.
The system does not need to adopt a "continuous scanning" mode; illegitimate terminals are blocked through the authorization exchange between the switch and the system.
Description of drawings
Fig. 1 is a schematic diagram of the principle of the invention.
Embodiment
The present invention is further described below with reference to the drawing and embodiment.
As shown in Figure 1, the present invention uses network access control technology with the terminal as the controlled object: starting from the terminal, hosts connecting to the internal network are checked for security according to the security policy specified by the administrator, and unsafe computers are automatically refused access to the internal network until they comply with the network's security policy. The architecture adopted is the client/server (C/S) model, while management uses the browser/server (B/S) model: the administrator logs into the intranet security management system through a web page and issues security policies to terminals, achieving the management and control of terminal security. Specifically, the invention is characterized in that security control of network access terminals is achieved through linkage between the integrated intranet security management system, the switch and the RADIUS server, and comprises the following steps: first, a switch with the 802.1X access authentication function points its 802.1X authentication server at the RADIUS server, and the network is divided into three VLANs, a working area, a visitor area and a repair area; then the access control policy of each VLAN and the linkage configuration with the intranet security management system are configured on the RADIUS server.
The working area is for legitimate terminals, that is, terminals that have passed normal authorization authentication, have the intranet security system client installed, and whose terminal security check meets the rules of the integrated intranet security management system; such terminals can access all network resources normally.
The repair area is for illegitimate terminals, that is, terminals that have passed normal authorization authentication and have the intranet security system client installed, but whose terminal security check does not meet the requirements of the integrated intranet security management system; such terminals can only access the remediation server.
The visitor area is for illegitimate terminals, that is, terminals that have not passed authorization authentication or do not have the intranet security system client installed; such terminals can only access the client download page of the intranet security management system.
Its concrete operating principle covers the following cases:
After a terminal connects to the network, if it does not perform 802.1X authentication within the specified time, the VLAN state of the switch port the terminal is connected to automatically jumps to the visitor area, and the port is in the logically closed state, that is, the terminal is refused access to the network.
For a terminal that passes 802.1X authentication, the intranet security management system automatically detects whether the client program is installed on the terminal. For a terminal without the client, the system links with the RADIUS server: through instructions issued by the RADIUS server, the VLAN state of the switch port is switched to the visitor area, so that the terminal can only access the client download page of the intranet security management platform and install the client program.
For a terminal that has the client program installed but does not pass 802.1X access authentication, the switch port jumps to the visitor area; because the switch port is logically closed, the terminal is refused access to the network. In this case the terminal's local network configuration may not conform to the network rules, or its IP address may not belong to the network access range.
For a terminal that has the client program installed and passes 802.1X authentication, but whose terminal security check does not meet the requirements of the system security policy (for example, no antivirus software installed, unpatched system vulnerabilities, or unauthorized software installed), the switch port automatically jumps to the repair area through the linkage between the servers; that is, the terminal is only allowed to access the remediation server, where the system vulnerabilities, antivirus software and unauthorized software are repaired or installed.
For a terminal that has the client program installed, passes 802.1X authentication and whose security check complies with the system security policy, the switch port belongs to the working area; that is, the network lets the terminal pass and it can access the server area or other resources of the intranet.
It should also be noted that the 802.1X protocol is a port-based network access control protocol. "Port-based network access control" means that the device connected to a port of a LAN access control device is authenticated and controlled at the port level. If the user device connected to the port passes authentication, it can access the resources in the LAN; if it does not pass authentication, it cannot access LAN resources, which is equivalent to the connection being physically disconnected.
RADIUS is the abbreviation of Remote Authentication Dial In User Service. When a user connects through some network (such as Ethernet) to a NAS (network access server) in order to obtain the right to access the network, the NAS may perform local authentication and accounting itself, or pass the user information to the RADIUS server so that RADIUS performs authentication and accounting. The RADIUS protocol specifies how user information and accounting information are transmitted between the NAS and the RADIUS server; the RADIUS server is responsible for receiving the user's connection request, completing the verification, and returning to the NAS the configuration information required to deliver service to the user.
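The five port-state cases above and the RADIUS role just described, as an added example that is not part of the patent: a policy function that maps a terminal's 802.1X result, client presence and security-check report to one of the three VLANs, together with the RFC 3580 tunnel attributes a RADIUS Access-Accept carries to move the switch port. The VLAN IDs, the check names and the report format are assumptions; the patent names none of them, and it leaves the unauthenticated case to the switch's own visitor-VLAN behaviour rather than to a RADIUS reply.

```python
from dataclasses import dataclass, field
from enum import Enum


class Zone(Enum):
    """The three VLANs of the patent; VLAN numbers below are assumed."""
    WORKING = "working"   # full access to intranet resources
    VISITOR = "visitor"   # client download page only
    REPAIR = "repair"     # remediation server only


# Assumed VLAN IDs: the patent names the zones but fixes no numbers.
ZONE_VLAN = {Zone.WORKING: 10, Zone.VISITOR: 20, Zone.REPAIR: 30}

# The checks the description lists: antivirus, vulnerabilities, unauthorized
# software. Key names and the report format are assumptions.
REQUIRED_STATE = {
    "antivirus_installed": True,
    "known_vulnerabilities": 0,
    "unauthorized_software": 0,
}


@dataclass
class TerminalState:
    authenticated: bool                          # passed 802.1X on the port
    client_installed: bool                       # security client detected
    report: dict = field(default_factory=dict)   # client's security report


@dataclass
class Decision:
    zone: Zone
    port_open: bool    # False = port stays in the "logically closed" state
    findings: list     # why the terminal did not reach the working area


def security_findings(report: dict) -> list:
    """Return the policy items the terminal's report fails to satisfy."""
    return [k for k, want in REQUIRED_STATE.items() if report.get(k) != want]


def assign_zone(t: TerminalState) -> Decision:
    """Apply the cases of the description (claims 2 to 6) in order."""
    if not t.authenticated:
        # No or failed 802.1X (client present or not): visitor VLAN, port
        # logically closed, so the terminal gets no network access.
        return Decision(Zone.VISITOR, False, [])
    if not t.client_installed:
        # Authenticated but no client: visitor VLAN so it can download it.
        return Decision(Zone.VISITOR, True, ["client_not_installed"])
    findings = security_findings(t.report)
    if findings:
        return Decision(Zone.REPAIR, True, findings)
    return Decision(Zone.WORKING, True, [])


def radius_response(d: Decision) -> dict:
    """RADIUS reply the server sends the switch for this decision.

    VLAN assignment uses the RFC 3580 tunnel attributes: Tunnel-Type=VLAN (13),
    Tunnel-Medium-Type=IEEE-802 (6), Tunnel-Private-Group-ID=<VLAN id>.
    """
    if not d.port_open:
        # Nothing to accept; the switch's own configuration keeps the port in
        # the visitor VLAN and logically closed (assumed switch behaviour).
        return {"code": "Access-Reject"}
    return {
        "code": "Access-Accept",
        "Tunnel-Type": 13,
        "Tunnel-Medium-Type": 6,
        "Tunnel-Private-Group-ID": str(ZONE_VLAN[d.zone]),
    }


if __name__ == "__main__":
    # Constructed sample: authenticated, client present, antivirus missing.
    sample = TerminalState(True, True, {"antivirus_installed": False,
                                        "known_vulnerabilities": 0,
                                        "unauthorized_software": 0})
    decision = assign_zone(sample)
    print(decision.zone.value, decision.findings, radius_response(decision))
```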
The present invention has the following advantages:
1. It helps ensure that all user network devices comply with the security policy, substantially improving network security regardless of the network's scale and complexity.
2. It detects and controls all terminals attempting to connect to the network, regardless of their access method, improving enterprise security and scalability.
3. It prevents non-compliant and unmanageable terminal devices from affecting network availability or user productivity.
4. It reduces the operating costs associated with identifying and repairing non-compliant, unmanageable and infected systems.
5. Access control is performed at the moment the terminal connects to the network; the terminal has no survival window on the network.
6. It reduces network load: illegitimate terminals are access-controlled directly, without having to be detected by "scanning".
The above is only a preferred embodiment of the present invention; all equivalent changes and modifications made according to the claims of this patent application shall fall within the scope of the present invention.

Claims (6)

1. A network access control method for integrated intranet security management, characterized in that security control of network access terminals is achieved through linkage between the integrated intranet security management system, the switch and the RADIUS server, and comprising the following steps: first, a switch with the 802.1X access authentication function points its 802.1X authentication server at the RADIUS server, and the network is divided into three VLANs, a working area, a visitor area and a repair area; then the access control policy of each VLAN and the linkage configuration with the intranet security management system are configured on the RADIUS server;
the working area is for legitimate terminals, that is, terminals that have passed normal authorization authentication, have the intranet security system client installed, and whose terminal security check meets the rules of the integrated intranet security management system, and such terminals can access all network resources normally;
the repair area is for illegitimate terminals, that is, terminals that have passed normal authorization authentication and have the intranet security system client installed, but whose terminal security check does not meet the requirements of the integrated intranet security management system, and such terminals can only access the remediation server;
the visitor area is for illegitimate terminals, that is, terminals that have not passed authorization authentication or do not have the intranet security system client installed, and such terminals can only access the client download page of the intranet security management system.
2. The network access control method for integrated intranet security management according to claim 1, characterized in that: after a terminal connects to the network, if it does not perform 802.1X authentication within the specified time, the VLAN state of the switch port the terminal is connected to automatically jumps to the visitor area, and the port is in the logically closed state.
3. The network access control method for integrated intranet security management according to claim 1, characterized in that: for a terminal that passes 802.1X authentication, the intranet security management system automatically detects whether the client program is installed on the terminal, and for a terminal without the client, the system links with the RADIUS server and, through instructions issued by the RADIUS server, switches the VLAN state of the switch port to the visitor area.
4. The network access control method for integrated intranet security management according to claim 1, characterized in that: for a terminal that has the client program installed but does not pass 802.1X access authentication, the switch port jumps to the visitor area.
5. The network access control method for integrated intranet security management according to claim 1, characterized in that: for a terminal that has the client program installed and passes 802.1X authentication, but whose terminal security check does not meet the requirements of the system security policy, such as no antivirus software installed, unpatched system vulnerabilities, or unauthorized software installed, the switch port automatically jumps to the repair area through the linkage between the servers.
6. The network access control method for integrated intranet security management according to claim 1, characterized in that: for a terminal that has the client program installed, passes 802.1X authentication and whose security check complies with the system security policy, the switch port belongs to the working area, that is, the network lets the terminal pass and it can access the server area or other resources of the intranet.

Priority application
Application number: CN2010103003605A (Active; granted as CN101714927B)
Priority date: 2010-01-15
Filing date: 2010-01-15
Title: Network access control method for comprehensive safety management of inner network

Publications (2)

Publication number | Publication date
CN101714927A | 2010-05-26
CN101714927B | 2012-04-18

Family ID: 42418219

Country status: CN (1) CN101714927B (en)



Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C14 | Grant of patent or utility model
GR01 | Patent grant
PE01 | Entry into force of the registration of the contract for pledge of patent right
    Denomination of invention: Network access control method for comprehensive safety management of inner network
    Effective date of registration: 20161118
    Granted publication date: 20120418
    Pledgee: CITIC Bank Limited by Share Ltd. Fuzhou branch
    Pledgor: FUJIAN ETIM INFORMATION & TECHNOLOGY Co.,Ltd.
    Registration number: 2016350000134
PLDC | Enforcement, change and cancellation of contracts on pledge of patent right or utility model
PP01 | Preservation of patent right
    Effective date of registration: 20220816
    Granted publication date: 20120418
PP01 | Preservation of patent right