CN101820414A - Host access control system and method - Google Patents

Host access control system and method

Info

Publication number: CN101820414A
Authority: CN (China)
Prior art keywords: agent client, white list, host, main frame, access control
Legal status: Pending
Application number: CN201010104940A
Other languages: Chinese (zh)
Inventors: 柯宗贵, 柯宗庆
Current assignee: Bluedon Information Security Technologies Co Ltd
Original assignee: Bluedon Information Security Technologies Co Ltd
Priority date: 2010-01-29
Filing date: 2010-01-29
Publication date: 2010-09-01
Application filed by Bluedon Information Security Technologies Co Ltd
Priority to CN201010104940A
Publication of CN101820414A

Abstract

The invention discloses a host access control system and a host access control method in the field of network security, for solving the problem that the prior art cannot effectively prevent illegal hosts from accessing an intranet. The method comprises the following steps: a sender agent client judges whether the target host is in the firewall whitelist policy; if so, it sends the data packet directly, otherwise it encrypts the data packet and then sends it; a receiver agent client judges whether the source host is in the firewall whitelist policy; if so, it receives the data packet directly, otherwise it decrypts the data packet and then receives it. The system comprises the sender agent client and the receiver agent client. Because data is transmitted between the legal hosts in the secure intranet of the invention either encrypted and decrypted with a key under unified management or under the firewall whitelist policy, the limitations of an ordinary host access control system are overcome; the system and method therefore provide a host access control solution with strong universality, security, controllability and extensibility.

Description

Host access control system and method
Technical field
The present invention relates to the field of network security, and in particular to a host access control system and method.
Background art
With the rapid development of computer network applications in government, enterprises and institutions, intranet security receives ever more attention, and the requirements on host access control in particular keep rising. At present, host access control is generally based either on ARP (Address Resolution Protocol) spoofing or on NAC (Network Admission Control) technology.
The structure of an existing host access control system based on ARP spoofing is shown in Figure 1. The system consists of a GUI management module, a packet capture module, an analysis module and a blocking module. The GUI management module handles interaction with the user, including login authentication and host policy (host whitelist) management; the packet capture module uses the packet capture method of the PCAP toolkit to capture ARP packets and hands the captured packets to the analysis module for processing; the analysis module decodes and analyses the ARP packets and passes the decoded result to the blocking module; the blocking module applies its logic to the host whitelist policy received from the GUI management module and the ARP packets received from the analysis module, and sends ARP spoofing packets to hosts that access the network illegally, thereby blocking the illegal host access.
Host access control systems based on ARP spoofing have the following shortcomings:
Hosts that have deployed an ARP firewall cannot be blocked
Many personal-edition ARP firewall products are now available; these can configure a binding policy between IP address and MAC address and thereby prevent ARP spoofing.
Ineffective on some layer-3 switches
At present, most layer-3 switches have an IP/MAC binding function and can filter ARP spoofing packets.
The topology of an existing access control system based on Cisco's NAC scheme is shown in Figure 2. The system mainly consists of switches supporting the 802.1X protocol, a policy server, and hosts on which the NAC client software is deployed. The switch authenticates host access with the 802.1X protocol, and only hosts that pass authentication may access the network; the policy server is used to configure the access control policy, and the switch communicates with the policy server over the TFTP protocol to obtain the policy list.
Host access control systems based on Cisco's NAC scheme have the following shortcomings:
The scheme can only be used with switches that support 802.1X, and is powerless on most legacy switches and hubs;
A client can only perform access authentication with an 802.1X-capable switch if the NAC client software is deployed on it, and in the Windows family only Windows 7 currently ships with a NAC client by default.
In summary, the prior art has defects in both security and universality and cannot effectively block illegal host access to the intranet.
Summary of the invention
The present invention provides a host access control system and method, in order to solve the problem that the prior art cannot effectively prevent illegal hosts from accessing the intranet.
A host access control method of the present invention comprises the following steps: a sender agent client judges whether the target host is in the firewall whitelist policy; if so, it sends the data packet directly, otherwise it encrypts the data packet and then sends it; a receiver agent client judges whether the source host is in the firewall whitelist policy; if so, it receives the data packet directly, otherwise it decrypts the data packet and then receives it.
A host access control system of the present invention comprises: a sender agent client, used to judge whether the target host is in the firewall whitelist policy and, if so, to send the data packet directly, otherwise to encrypt the data packet and then send it; and a receiver agent client, used to judge whether the source host is in the firewall whitelist policy and, if so, to receive the data packet directly, otherwise to decrypt the data packet and then receive it.
The beneficial effects of the present invention are as follows:
Because data is transmitted between the legal hosts in the secure intranet of the present invention either encrypted and decrypted with a key under unified management or under the firewall whitelist policy, the limitations of an ordinary host access control system are overcome, and a host access control solution with strong universality, security, controllability and extensibility is provided.
Description of drawings
Fig. 1 is a structural diagram of an existing host access control system based on ARP spoofing;
Fig. 2 is a topology diagram of an existing host access control system based on Cisco's NAC scheme;
Fig. 3 is the system topology in an embodiment of the invention;
Fig. 4 is the logical structure of the system modules in an embodiment of the invention;
Fig. 5 is a flow chart of the method steps in an embodiment of the invention;
Fig. 6 is a flow chart of application-layer packet processing at the control center in an embodiment of the invention;
Fig. 7 is a diagram of the operating principle of the NDIS-layer filter driver in an embodiment of the invention.
Embodiments
In order to effectively block illegal (unauthorized) host access to a secure intranet, the invention provides a host access control system and method, described in detail below.
The system topology in an embodiment of the invention is shown in Figure 3. A client/server (C/S) architecture may be adopted: the system comprises a number of agents, each containing an agent client, and a control center that manages every agent. The control center is responsible for monitoring and managing the agents and for managing host policies; the agents (implemented by agent software on the agent client, which is not repeated below) communicate with the control center and receive from it the dynamic encryption key, the host whitelist policy and the firewall policy.
More specifically, the sender agent client is used to judge whether the target host is in the firewall whitelist policy and, if so, to send the data packet directly, otherwise to encrypt the data packet and then send it; the receiver agent client is used to judge whether the source host is in the firewall whitelist policy and, if so, to receive the data packet directly, otherwise to decrypt the data packet and then receive it.
The installation, registration and login authentication of an agent are controlled by the host whitelist policy of the control center; only hosts permitted by the policy can successfully install the agent software.
The key used by the sender agent client and the receiver agent client for encryption and decryption is generated centrally by the control center and obtained from the control center after a successful login. Balancing cipher strength against performance, encryption and decryption use the RC4 stream cipher with a key length of 256. The firewall whitelist policy used by the sender and receiver agent clients is likewise issued by the control center after the agent clients log in to it.
As can be seen, hosts on which the agent software is deployed can communicate with one another and may be called trusted hosts, whereas a host without the agent software cannot communicate with trusted hosts because the packets it sends and receives are not encrypted and decrypted; access control of illegal hosts is thus achieved. In addition, for servers or hosts on which agent software cannot be deployed (for example gateway devices, other network equipment, or hosts and servers on non-Windows platforms), the host can be added to the firewall whitelist exception policy, which records the IP addresses or MAC addresses of legal hosts that do not run the agent software; the network packets of these hosts are not encrypted or decrypted, which improves the compatibility and adaptability of the system.
The logical structure of the system in an embodiment of the invention is shown in Figure 4. It consists of the control center and the agent software deployed on the agents; the details of each part are described below:
The control center, as the master control center of the system, consists of three parts: the main service program, a COM component and a web program.
The web program is the part that interacts with the user, and notifies the main service program of user operation events via the COM component.
The COM component acts as the bridge between the web program and the main service program: it passes event notifications from the web program to the main service program and returns the results of the main service program to the web program.
The main service program, as the core of the control center, consists of a service main module, a policy management module, a communication module, a COM interface module and a log module, among others. The service main module acts as the overall scheduling module; the policy management module manages the host whitelist policy, the firewall whitelist, the host firewall policy, the dynamic key policy and so on; the communication module communicates with the agent software, including issuing parameters and policies and receiving logs; the COM interface module handles events from the COM component; the log module processes the system's monitoring logs.
The agent software comprises: a communication module, which communicates with the control center, initiates the registration and login processes, and receives the issued firewall whitelist policy, encryption/decryption key and so on; a service main module, which acts as the overall scheduling module; and a firewall module, which is the core module and implements encryption and decryption of network packets. Specifically, a network filter driver developed on the Windows NDIS (Network Driver Interface Specification) may be used; this filter driver performs targeted encryption and decryption of network packets.
As shown in Figure 5, the method in an embodiment of the invention comprises the following main steps:
S1, the sender agent client judges whether the target host is in the firewall whitelist policy; if so, it sends the data packet directly, otherwise it encrypts the data packet and then sends it.
S2, the receiver agent client judges whether the source host is in the firewall whitelist policy; if so, it receives the data packet directly, otherwise it decrypts the data packet and then receives it.
More specifically, the host whitelist policy of the control center controls the installation and login authentication of agents; only hosts permitted by the policy can install the agent software. As shown in Figure 6, the control center and the agents communicate over TCP, with the control center as the listening end and the agent as the end that initiates the connection. The application-layer packet processing flow at the control center is as follows: the control center receives and buffers the request sent by a host, then processes the request packet. If it is a login authentication packet, the MAC information of the originating host is obtained from the packet and the host whitelist policy is used to judge whether the host is legal; if legal, a legal response packet is constructed and placed in the send queue for transmission, otherwise an illegal response packet is constructed and placed in the send queue for transmission. If it is a registration request packet, the MAC information of the originating host is obtained from the packet and the host whitelist policy is likewise used to judge whether the host is legal, with a legal or an illegal response packet constructed and placed in the send queue accordingly. If it is a packet of any other type, the MAC information of the originating host is obtained from the packet and it is judged whether login or registration has timed out; if so, an illegal response packet is constructed and placed in the send queue, otherwise the request is returned to the buffer to wait for the host to register or log in successfully.
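The control-center request flow just described (Figure 6), as an added example that is not the patent's or Bluedon's own code: a MAC-based host whitelist decides registration and login, responses go to a send queue, and a request of any other type from a host that has not yet logged in is either returned to the buffer or, once the login/registration timeout has passed, answered with an illegal response. The request kinds, field names, the 30-second timeout and the idea that the key rides on the legal login response are assumptions; time is passed in explicitly so the run is deterministic.

```python
"""Added example (not the patent's code): the control center's application-layer
request handling from Figure 6, with the MAC-based host whitelist, the receive
buffer, the send queue and the login/registration timeout.  Request kinds, field
names and the timeout value are assumptions."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    kind: str            # "register", "login", or any other agent request (e.g. "policy")
    mac: str             # MAC address of the originating host, read from the packet
    received_at: float   # seconds; used to judge whether login/registration timed out


class ControlCenter:
    def __init__(self, host_whitelist, login_timeout: float):
        self.host_whitelist = frozenset(m.lower() for m in host_whitelist)
        self.login_timeout = login_timeout
        self.buffer = deque()        # requests received from hosts, awaiting processing
        self.send_queue = deque()    # constructed response packets, awaiting transmission
        self.registered = set()
        self.logged_in = set()
        self.session_key = bytes(range(32))   # constructed stand-in for the dynamic key

    def receive(self, req: Request) -> None:
        """Listening end: a request arrives on the TCP connection and is buffered."""
        self.buffer.append(req)

    def _respond(self, req: Request, status: str, **extra) -> dict:
        resp = {"mac": req.mac, "kind": req.kind, "status": status, **extra}
        self.send_queue.append(resp)     # "placed in the send queue for transmission"
        return resp

    def process(self, now: float) -> list:
        """One pass over the buffer; returns the responses constructed in this pass."""
        responses = []
        for _ in range(len(self.buffer)):
            req = self.buffer.popleft()
            mac = req.mac.lower()
            if req.kind == "register":
                if mac in self.host_whitelist:
                    self.registered.add(mac)
                    responses.append(self._respond(req, "legal"))
                else:
                    responses.append(self._respond(req, "illegal"))
            elif req.kind == "login":
                if mac in self.host_whitelist:
                    self.logged_in.add(mac)
                    # assumption: the issued key rides on the legal login response
                    responses.append(self._respond(req, "legal", key=self.session_key))
                else:
                    responses.append(self._respond(req, "illegal"))
            elif mac in self.logged_in:
                responses.append(self._respond(req, "legal"))      # authenticated host
            elif now - req.received_at > self.login_timeout:
                responses.append(self._respond(req, "illegal"))    # never logged in: timed out
            else:
                self.buffer.append(req)   # back to the buffer until the host logs in
        return responses


def demo() -> dict:
    """A trusted host registers and logs in; a rogue host is refused and times out."""
    trusted, rogue = "00:11:22:33:44:55", "de:ad:be:ef:00:66"   # constructed MACs
    cc = ControlCenter(host_whitelist={trusted}, login_timeout=30.0)

    cc.receive(Request("policy", rogue, 0.0))      # rogue asks for policy before any login
    cc.receive(Request("register", trusted, 0.0))
    cc.receive(Request("login", trusted, 0.0))
    round1 = cc.process(now=1.0)
    held_after_round1 = len(cc.buffer)             # the rogue request is held, not answered

    cc.receive(Request("policy", trusted, 2.0))
    cc.receive(Request("login", rogue, 2.0))
    round2 = cc.process(now=3.0)
    round3 = cc.process(now=40.0)                  # rogue's held request is past the timeout

    def summarize(rs):
        return [(r["mac"], r["kind"], r["status"]) for r in rs]

    return {
        "round1": summarize(round1),
        "held_after_round1": held_after_round1,
        "round2": summarize(round2),
        "round3": summarize(round3),
        "buffer_empty": len(cc.buffer) == 0,
        "key_issued_to_trusted": any("key" in r for r in round1 if r["mac"] == trusted),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point worth noticing is the third branch: a host that skips registration and login never gets a policy or key, and its held request is answered "illegal" once the timeout expires, so the buffer cannot fill up with requests from hosts that never authenticate.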
The above encryption/decryption key is generated centrally by the control center and can be obtained from the control center after the host logs in successfully. Balancing cipher strength against performance, encryption and decryption use the RC4 stream cipher with a key length of 256. Specifically, a network filter driver developed on the Windows NDIS may be used; this filter driver performs targeted encryption and decryption of network packets. The above firewall whitelist policy is likewise issued by the control center after the sender and receiver agent clients log in to it. The operating principle of the NDIS-layer filter driver is shown in Figure 7. The send flow is as follows: the packet to be sent enters the send queue; the target IP address and MAC address are obtained from the IP packet; the firewall whitelist policy is used to judge whether the target IP address or MAC address is an exception; if so, the packet is sent directly, otherwise it is encrypted and then sent. The receive flow is as follows: the packet to be received enters the receive queue; the source IP address and MAC address are obtained from the IP packet; the firewall whitelist policy is used to judge whether the source IP address or MAC address is an exception; if so, the packet is received directly, otherwise it is decrypted and then received.
As can be seen, hosts on which the agent software is deployed can communicate with one another and may be called trusted hosts, whereas a host without the agent software cannot communicate with trusted hosts because the packets it sends and receives are not encrypted and decrypted; access control of illegal hosts is thus achieved. In addition, for servers or hosts on which agent software cannot be deployed (for example gateway devices, other network equipment, or hosts and servers on non-Windows platforms), the host can be added to the firewall whitelist exception policy, which records the IP addresses or MAC addresses of legal hosts that do not run the agent software; the network packets of these hosts are not encrypted or decrypted, which improves the compatibility and adaptability of the system.
In summary, the invention overcomes the limitations of an ordinary host access control system and provides a host access control solution with strong universality, security, controllability and extensibility.
Universality: the scheme suits both LAN environments using legacy network equipment (hubs, old switches and the like) and environments using advanced equipment (such as layer-3 switches), so its overall adaptability is strong.
Security: the communication packets of trusted hosts are encrypted and decrypted, so no matter how an illegal host connects, it cannot access any host in the secure LAN; security is therefore higher.
Controllability: the system authorizes the installation and login authentication of agents, so controllability is higher.
Extensibility: at present most desktop host operating systems are still Microsoft Windows; with the development of Linux desktop platforms (such as Ubuntu), some desktop hosts will adopt Linux in future. To let end hosts running Linux connect to the system securely, corresponding agent software can be developed with the Netfilter firewall technology of the Linux platform, with the same functions as on the Windows platform; the scheme therefore has strong extensibility.
Obviously, those skilled in the art may make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to encompass them.
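The per-packet decision of the NDIS-layer filter driver (Figure 7, and the RC4 choice stated above), as an added example that is not the patent's or Bluedon's own code: on send, look up the target IP and MAC in the firewall whitelist exception policy and either pass the frame through or RC4-encrypt it; on receive, do the same for the source. Assumptions: every agent holds the same control-center-issued key; only the IP payload is transformed, so headers stay readable for switching; the exception policy is a set of IP and MAC strings; the frames, addresses and key are constructed for the demo.

```python
"""Added example (not the patent's code): simulation of the NDIS filter driver's
send/receive decision from Figure 7.  Assumes a shared control-center key, an
exception policy of IPs/MACs, and that only the IP payload is encrypted."""
import socket
import struct
from dataclasses import dataclass

ETH_HDR_LEN = 14          # Ethernet II header: dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (the cipher the patent names): key scheduling, then the PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is an XOR stream cipher, so the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload: bytes) -> bytes:
    """Constructed Ethernet II frame with a minimal IPv4 header (no options)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + payload


def parse_frame(frame: bytes):
    """Return (src_mac, dst_mac, src_ip, dst_ip, payload_offset) of an IPv4 frame."""
    dst_mac = ":".join(f"{b:02x}" for b in frame[0:6])
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4          # IPv4 header length in bytes
    src_ip = socket.inet_ntoa(frame[ETH_HDR_LEN + 12:ETH_HDR_LEN + 16])
    dst_ip = socket.inet_ntoa(frame[ETH_HDR_LEN + 16:ETH_HDR_LEN + 20])
    return src_mac, dst_mac, src_ip, dst_ip, ETH_HDR_LEN + ihl


@dataclass(frozen=True)
class AgentFilter:
    """One host's agent: the issued key plus the firewall whitelist exception policy
    (IPs/MACs of legitimate hosts that run no agent, e.g. a gateway)."""
    key: bytes
    exception_ips: frozenset
    exception_macs: frozenset

    def _is_exception(self, ip: str, mac: str) -> bool:
        return ip in self.exception_ips or mac in self.exception_macs

    def on_send(self, frame: bytes) -> bytes:
        _, dst_mac, _, dst_ip, off = parse_frame(frame)
        if self._is_exception(dst_ip, dst_mac):
            return frame                                        # whitelisted peer: as-is
        return frame[:off] + rc4_crypt(self.key, frame[off:])   # otherwise encrypt payload

    def on_receive(self, frame: bytes) -> bytes:
        src_mac, _, src_ip, _, off = parse_frame(frame)
        if self._is_exception(src_ip, src_mac):
            return frame                                        # whitelisted peer: as-is
        return frame[:off] + rc4_crypt(self.key, frame[off:])   # otherwise decrypt payload


def demo() -> dict:
    """Traffic between two trusted hosts, a whitelisted gateway and a host with no agent."""
    key = bytes(range(32))                                  # constructed 256-bit stand-in key
    policy_ips, policy_macs = frozenset({"10.0.0.1"}), frozenset()   # gateway runs no agent
    alice = AgentFilter(key, policy_ips, policy_macs)
    bob = AgentFilter(key, policy_ips, policy_macs)
    a_mac, b_mac, r_mac = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "de:ad:be:ef:00:66"
    msg = b"hello from a trusted host"
    off = ETH_HDR_LEN + 20

    wire = alice.on_send(build_frame(a_mac, b_mac, "10.0.0.10", "10.0.0.11", msg))
    to_gw = alice.on_send(build_frame(a_mac, "00:00:5e:00:53:01", "10.0.0.10", "10.0.0.1", msg))
    from_rogue = build_frame(r_mac, b_mac, "10.0.0.66", "10.0.0.11", msg)   # no agent: cleartext
    return {
        "wire_payload_hidden": wire[off:] != msg,           # a host without the key sees ciphertext
        "trusted_peer_recovers": bob.on_receive(wire)[off:] == msg,
        "gateway_passthrough": to_gw[off:] == msg,          # exception host: no encryption
        "rogue_cleartext_garbled": bob.on_receive(from_rogue)[off:] != msg,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical caveats follow from the design as simulated. Encrypting only the payload leaves the transport-layer checksum inconsistent, so a real driver must recompute or offload it, which this simulation ignores. And RC4 gives confidentiality only: a stream cipher with no integrity check cannot tell a modified packet from a genuine one, and RC4 itself has since been withdrawn from protocols such as TLS (RFC 7465), so a deployment built on this scheme today would pair the whitelist logic with an authenticated cipher.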

Claims (10)

1. A host access control method, characterized in that it comprises the following steps:
a sender agent client judges whether the target host is in the firewall whitelist policy; if so, it sends the data packet directly, otherwise it encrypts the data packet and then sends it;
a receiver agent client judges whether the source host is in the firewall whitelist policy; if so, it receives the data packet directly, otherwise it decrypts the data packet and then receives it.
2. The host access control method of claim 1, characterized in that a control center controls, by means of a host whitelist, the registration and login of the agent clients on the legal hosts in the network.
3. The host access control method of claim 2, characterized in that the key used by the sender agent client and the receiver agent client for encryption and decryption is generated centrally by the control center and issued after login.
4. The host access control method of claim 1, characterized in that the firewall whitelist policy records the IP addresses or MAC addresses of legal hosts that do not include an agent client.
5. The host access control method of claim 1, characterized in that the process of judging whether a host is in the firewall whitelist policy and the encryption and decryption process are implemented by a network filter driver developed on Windows NDIS.
6. A host access control system, characterized in that it comprises:
a sender agent client, used to judge whether the target host is in the firewall whitelist policy and, if so, to send the data packet directly, otherwise to encrypt the data packet and then send it;
a receiver agent client, used to judge whether the source host is in the firewall whitelist policy and, if so, to receive the data packet directly, otherwise to decrypt the data packet and then receive it.
7. The host access control system of claim 6, characterized in that it further comprises:
a control center, used to control, by means of a host whitelist, the registration and login of the agent clients on the legal hosts in the network.
8. The host access control system of claim 7, characterized in that the key used by the sender agent client and the receiver agent client for encryption and decryption is generated by the control center and issued after login.
9. The host access control system of claim 7, characterized in that the firewall whitelist policy is issued by the control center after the sender agent client and the receiver agent client log in to the control center.
10. The host access control system of claim 6 or 9, characterized in that the firewall whitelist policy records the IP addresses or MAC addresses of legal hosts that do not include an agent client.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010104940A CN101820414A (en) 2010-01-29 2010-01-29 Host access control system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010104940A CN101820414A (en) 2010-01-29 2010-01-29 Host access control system and method

Publications (1)

Publication Number Publication Date
CN101820414A true CN101820414A (en) 2010-09-01

Family

ID=42655365

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010104940A Pending CN101820414A (en) 2010-01-29 2010-01-29 Host access control system and method

Country Status (1)

Country Link
CN (1) CN101820414A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101141243A (en) * 2006-09-08 2008-03-12 飞塔信息科技(北京)有限公司 Device and method for carrying out security check and content filtering on communication data
CN101232635A (en) * 2007-01-25 2008-07-30 上海粱江通信系统有限公司 Method and system for purifying short messages based on signaling process technique
CN101436958A (en) * 2007-11-16 2009-05-20 太极计算机股份有限公司 Method for resisting abnegation service aggression
CN101567888A (en) * 2008-12-29 2009-10-28 郭世泽 Safety protection method of network feedback host computer

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721188A (en) * 2014-12-04 2016-06-29 北京神州泰岳信息安全技术有限公司 Firewall strategy check method and system
CN107483514A (en) * 2017-10-13 2017-12-15 北京知道创宇信息技术有限公司 Attack monitoring device and smart machine
WO2020042471A1 (en) * 2018-08-31 2020-03-05 平安科技(深圳)有限公司 Firewall policy verification method, system and device, and readable storage medium
CN109561103A (en) * 2018-12-26 2019-04-02 北京城强科技有限公司 A kind of Intranet boundary management-control method for hub
CN109561103B (en) * 2018-12-26 2021-09-21 北京城强科技有限公司 Intranet boundary control method for concentrator
CN111865868A (en) * 2019-04-24 2020-10-30 顺丰科技有限公司 Cross-network regional service calling method and system
CN111859376A (en) * 2020-07-21 2020-10-30 广州锦行网络科技有限公司 Method for discovering intranet attacker based on windows login information

Similar Documents

Publication Publication Date Title
CN102047262B (en) Authentication for distributed secure content management system
US8683059B2 (en) Method, apparatus, and computer program product for enhancing computer network security
US20050108393A1 (en) Host-based network intrusion detection systems
CN201194396Y (en) Safe gateway platform based on transparent proxy gateway
US20040088409A1 (en) Network architecture using firewalls
Oniga et al. Analysis, design and implementation of secure LoRaWAN sensor networks
JP2016106296A (en) Logic apparatus, processing method and processing apparatus
WO2007010395A2 (en) Dns based enforcement for confinement and detection of network malicious activities
US9210128B2 (en) Filtering of applications for access to an enterprise network
CN101802837A (en) System and method for providing network and computer firewall protection with dynamic address isolation to a device
JP2008271339A (en) Security gateway system, method and program thereof
CN101820414A (en) Host access control system and method
CN103647772A (en) Method for carrying out trusted access controlling on network data package
CN101340275B (en) Data card, data processing and transmitting method
CN202652534U (en) Mobile terminal safety access platform
Li et al. Research on sensor-gateway-terminal security mechanism of smart home based on IOT
CN116248405A (en) Network security access control method based on zero trust and gateway system and storage medium adopting same
Pan et al. Secure online examination architecture based on distributed firewall
JP2000163283A (en) Remote site computer monitor system
Skorpil et al. Internet of things security overview and practical demonstration
Yue et al. The research of firewall technology in computer network security
CN101360096B (en) System security planning scheme applied to digital medication
KR100539760B1 (en) System and method for inducing installing agent using internet access control
WO2001091418A2 (en) Distributed firewall system and method
US20080059788A1 (en) Secure electronic communications pathway

Legal Events

Date Code Title Description
DD01 Delivery of document by public notice

Addressee: Wu Bingtang

Document name: Notification of Passing Preliminary Examination of the Application for Invention

C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
DD01 Delivery of document by public notice

Addressee: Wu Bingtang

Document name: Notification of Publication and of Entering the Substantive Examination Stage of the Application for Invention

DD01 Delivery of document by public notice

Addressee: Wu Bingtang

Document name: Notification of Passing Examination on Formalities

RJ01 Rejection of invention patent application after publication

Application publication date: 20100901