CN101820438A - Computer starting method in local area network (LAN) and LAN - Google Patents


Info

Publication number
CN101820438A
Authority
CN
China
Prior art keywords
computer
system server
lan
image file
virtual image
Prior art date
Legal status
Granted
Application number
CN201010101675A
Other languages
Chinese (zh)
Other versions
CN101820438B (en)
Inventor
戴一奇
Current Assignee
Individual
Original Assignee
Individual
Priority date
Filing date
Publication date
Application filed by Individual
Priority to CN2010101016757A
Publication of CN101820438A
Application granted
Publication of CN101820438B
Legal status: Expired - Fee Related
Anticipated expiration

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a computer starting method in a local area network (LAN), and the LAN itself. The LAN is connected to an external network through a gateway and comprises a system server, a data server and a computer. The method comprises the following steps: when the computer starts, it determines whether to boot from the operating system on its local hard disk or from a virtual image file on the system server, and informs the system server; when booting from the local hard disk is determined, the computer boots from the operating system on the local hard disk, and the system server sets the gateway as available to the computer and refuses the computer access to the system server and the data server; when booting from the virtual image file on the system server is determined, the computer boots from the virtual image file on the system server, and the system server sets both the gateway and the computer's local hard disk as unavailable to the computer. Because an ordinary computer is used as the terminal of the LAN, the utilization rate of terminal equipment is improved and the networking cost is reduced.

Description

Computer starting method in a local area network (LAN), and a local area network (LAN)
Technical field
The present invention relates to network security technology, and in particular to a computer starting method in a local area network (LAN) and to a local area network (LAN).
Background technology
With the continuous development of internet technology and the growing informatization of society, networks bring enormous economic and social benefits, but network security problems have also become increasingly prominent. A local area network (LAN) is one kind of network: a set of computers interconnected within a certain area, generally an area at most a few kilometres across. A LAN can provide, independently within a working group, functions such as application software sharing, file management, printer sharing, scheduling, e-mail and fax services. A LAN is closed to the external network and communicates with it only through a gateway. Security threats to a LAN therefore come on the one hand from outside, for example network attacks, sabotage and intrusion, and on the other hand from internal personnel, who may attack or leak secrets intentionally or unintentionally. At present, the security technologies used to counter external threats are mainly firewalls, access control, intrusion detection, authentication and encryption; these technologies can, in the main, defend a LAN against external attack or intrusion, while security threats from inside the LAN are becoming more and more serious. Protecting a LAN against internal attacks and leaks has therefore become a current research focus.
Internal attacks on and leaks from a LAN are directly related to access to the system server, the data server and the storage devices of the computers in the LAN. For example, when unauthorized applications such as viruses or Trojans run on a computer in the LAN and that computer accesses the system server or data server, the servers may be infected; and when a LAN user leaks secrets, intentionally or unintentionally, this normally happens by obtaining a confidential document and then disclosing the important information through an output device such as the network or a computer storage device.
Fig. 1 is a structural diagram of a LAN in the prior art. As shown in Fig. 1, in the prior art the LAN 101 is connected to the external network 103 through a gateway 102. The LAN 101 comprises an application server 104, a resource server 105, a dynamic monitoring switch set 106 and transparent computers 107. The application server 104 comprises a web server 108, a mail server 109, a print server 110 and so on, and provides various application services to the transparent computers 107; the resource server 105 comprises a data server 111 that stores confidential documents and a system server 112 that performs system control; the dynamic monitoring switch set 106 comprises a controller 113 that controls the communication connections of the transparent computers and a switch 114 that provides network connections to the transparent computers 107; and the transparent computers 107 have no storage device such as a local hard disk and no interface for connecting removable storage devices.
The prior-art method of preventing security threats from inside the LAN 101 is to use the transparent computers 107 of Fig. 1 as the terminals of the LAN 101. A transparent computer 107 has no storage device such as a local hard disk; it reads its operating system from the system server, runs the various application programs locally, and stores the results in the storage devices of the servers. Because a transparent computer 107 has no storage device such as a local hard disk, it cannot store any file, and so as long as external security threats are effectively guarded against, the security of the LAN 101 can be guaranteed.
In the prior art, because the transparent computer used as a terminal has no storage device such as a local hard disk, it cannot keep its own operating system and can only read one from the system server. Such a transparent computer therefore cannot be used once it leaves the LAN, which greatly reduces the utilization rate of the terminal equipment.
In addition, since a prior-art LAN uses transparent computers as terminals, anyone who wants to deploy a LAN must spend extra to buy transparent computers. Moreover, because the structure of a transparent computer differs from that of an ordinary computer, the structure of the LAN built from them inevitably differs as well, which further increases the cost of building a LAN that uses transparent terminals.
In summary, an existing LAN that uses transparent computers as terminals reduces the utilization rate of the terminals and raises the networking cost.
Summary of the invention
The invention discloses a computer starting method in a LAN; the method can improve the utilization rate of terminals and reduce networking cost.
The invention also discloses a LAN; this LAN can improve the utilization rate of terminals and has a low networking cost.
To achieve the above objects, the technical scheme of the invention is as follows:
A computer starting method in a LAN, the LAN being connected to an external network through a gateway and comprising a system server, a data server and a computer, the method comprising:
when the computer starts, the computer determines whether to boot from the operating system on its local hard disk or from a virtual image file on the system server, and reports this to the system server;
when booting from the operating system on the local hard disk is determined, the computer boots from the operating system on the local hard disk, and the system server sets the gateway as available to the computer and refuses the computer access to the system server and the data server;
when booting from the virtual image file on the system server is determined, the computer boots from the virtual image file on the system server, and the system server sets both the gateway and the computer's local hard disk as unavailable to the computer.
The virtual image file on the system server is formed on the system server by mirroring the operating system on the computer's local hard disk to the system server by means of virtualization technology.
When booting from the operating system on the local hard disk is determined, the method further comprises: the system server does not monitor the access events of the computer;
when booting from the virtual image file on the system server is determined, the method further comprises: the system server monitors the access events of the computer.
When booting from the virtual image file on the system server is determined, the method further comprises:
the system server queries the computer for its use mode;
the computer determines whether its use mode is private mode or standard mode, and reports this to the system server;
when the use mode of the computer is private mode, the system server saves the computer's modifications to the operating system in the virtual image file;
when the use mode of the computer is standard mode, the system server does not save the computer's modifications to the operating system in the virtual image file.
A monitoring module on the system server presets mandatory-control conditions and mandatory-control rules;
when the computer boots from the virtual image file on the system server, the method further comprises:
the monitoring module on the system server records the access events of the computer in a log;
the monitoring module on the system server judges from the log whether the access events of the computer meet the mandatory-control conditions, and if so applies mandatory control to the computer according to the mandatory-control rules.
A LAN, connected to an external network through a gateway, the LAN comprising a system server, a data server and a computer; wherein
the computer is used, when it starts, to determine whether to boot from the operating system on its local hard disk or from a virtual image file on the system server, and to report this to the system server; when booting from the operating system on the local hard disk is determined, to boot from the operating system on the local hard disk; and when booting from the virtual image file on the system server is determined, to boot from the virtual image file on the system server;
the system server is used, when the computer determines to boot from the operating system on the local hard disk, to set the gateway as available to the computer and to refuse the computer access to the system server and the data server; and when the computer determines to boot from the virtual image file on the system server, to set both the gateway and the computer's local hard disk as unavailable to the computer;
the data server is used to store data.
The system server mirrors the operating system on the computer's local hard disk to the system server by means of virtualization technology, thereby obtaining the virtual image file.
The system server further comprises a monitoring module;
when the computer determines to boot from the operating system on the local hard disk, the monitoring module does not monitor the access events of the computer;
when the computer determines to boot from the virtual image file on the system server, the monitoring module monitors the access events of the computer.
When the computer determines to boot from the virtual image file on the system server, the system server is further used to query the computer for its use mode and to receive the computer's use-mode determination; if the use mode of the computer is private mode, the computer's modifications to the operating system are saved in the virtual image file; if the use mode of the computer is standard mode, the computer's modifications to the operating system are not saved in the virtual image file;
the computer is further used to receive the system server's query about the use mode, to determine whether the use mode is private mode or standard mode, to send the use-mode determination to the system server, and to modify the operating system.
The system server further comprises a monitoring module for presetting mandatory-control conditions and mandatory-control rules;
the monitoring module is used, when the computer boots from the virtual image file on the system server, to record the access events of the computer in a log, to judge from the log whether the access events of the computer meet the mandatory-control conditions, and if so to apply mandatory control to the computer according to the mandatory-control rules.
It can be seen that, in the present invention, a terminal computer of the LAN first determines, when it starts, whether to boot from the operating system on its local hard disk or from the virtual image file on the system server, and reports this to the system server. When the computer boots from the operating system on its local hard disk, the system server sets the gateway as available to the computer and refuses the computer access to the system server and the data server; when the computer boots from the virtual image file on the system server, the system server sets both the gateway and the computer's local hard disk as unavailable to the computer. Thus, when the computer boots from the operating system on its local hard disk, it is used as an ordinary network terminal and cannot access the information in the LAN; when it boots from the virtual image file on the system server, it is used as a terminal of the LAN and can access the LAN, but cannot access the external network or store information locally. The computer therefore serves both purposes, which improves the utilization rate of terminal equipment and reduces networking cost.
Description of drawings
Fig. 1 is a structural diagram of a LAN in the prior art;
Fig. 2 is a diagram of the computer starting method in a LAN proposed by the present invention;
Fig. 3 is a flow chart of the monitoring module of the system server proposed by the present invention applying mandatory control to a computer;
Fig. 4 is a structural diagram of the LAN proposed by the present invention.
Embodiment
The core idea of the present invention is: when building the LAN, ordinary computers rather than transparent computers are used as terminals; when a computer in the LAN starts, it determines whether to boot from the operating system on its local hard disk or from the virtual image file on the system server, and reports this to the system server; if it determines to boot from the operating system on the local hard disk, the computer boots from the operating system on the local hard disk, and the system server sets the gateway as available to the computer and refuses the computer access to the system server and the data server; if it determines to boot from the virtual image file on the system server, the computer boots from the virtual image file on the system server, and the system server sets both the gateway and the computer's local hard disk as unavailable to the computer.
In this way, when the computer boots from the operating system on its local hard disk it is used as an ordinary network terminal and cannot access the information in the LAN; when it boots from the virtual image file on the system server it is used as a terminal of the LAN and can access the LAN, but cannot access the external network or store information locally. The computer therefore serves both purposes, which improves the utilization rate of terminal equipment and reduces networking cost.
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described below with reference to the drawings and specific embodiments.
Compared with the existing LAN structure shown in Fig. 1, the networking structure of the LAN in the embodiment of the invention differs only in that its terminals are ordinary computers rather than transparent computers. The LAN in the embodiment therefore structurally comprises at least a system server, a data server and computers, where, unlike the prior-art transparent computer, a computer in the LAN of the embodiment has storage devices such as a local hard disk, can keep a local operating system, and can boot from that local operating system.
Fig. 2 is a diagram of the computer starting method in a LAN proposed by the present invention. As shown in Fig. 2, the method comprises the following steps:
Step 201: when the computer starts, the system server queries the computer for its boot mode; the computer determines whether to boot from the operating system on its local hard disk or from the virtual image file on the system server, and reports this to the system server.
Here, when a computer in the LAN starts, the system server determines, by querying the computer's boot mode, where the computer reads its operating system from and what rights to access the LAN and the external network the computer has after starting.
In this embodiment a computer in the LAN has two boot modes: booting from the operating system on the local hard disk, and booting from the virtual image file on the system server. For brevity, in the following description booting from the operating system on the local hard disk is abbreviated to the local-hard-disk boot mode, and booting from the virtual image file on the system server is abbreviated to the virtual-image-file boot mode. The virtual image file on the system server is formed as follows: by means of virtualization technology, the operating system on the computer's local hard disk is mirrored to the system server, thereby forming the virtual image file on the system server.
When a computer in the LAN uses a different boot mode, it reads its operating system from a different location, and its rights to access the LAN and the external network also differ.
In response to the system server's query, the computer can arrive at the local-hard-disk boot mode in three ways: the first is to select the local-hard-disk boot mode among the options offered by the system server; the second is for the user, when the computer starts, to start directly in the local-hard-disk boot mode by pressing the "Esc" key on the keyboard; the third is to configure the computer's basic input/output system (BIOS) so that the computer cannot connect to the system server or the data server and hence cannot access the confidential documents in the LAN, so that only the local-hard-disk boot mode can be used.
In response to the system server's query, the computer can select the virtual-image-file boot mode as its boot mode among the options offered by the system server, and start accordingly.
When the computer determines to use the local-hard-disk boot mode, steps 202 and 203 are executed in turn; when the computer determines to use the virtual-image-file boot mode, steps 204 and 205 are executed in turn, followed by step 206 or step 207.
Step 202: when the computer's boot mode is determined to be the local-hard-disk boot mode, the system server sets the gateway as available to the computer, refuses the computer access to itself and to the data server, and sets its own monitoring module not to monitor the access events of the computer.
Here, the computer's boot mode being the local-hard-disk boot mode means that the computer boots from the operating system on its local hard disk, and that it can access the external network through the gateway but has no right to access the LAN, i.e. it cannot access the system server or the data server.
The state of the gateway is set to available with respect to this computer, so that the computer can connect to the external network through the gateway and communicate with it.
The system server refuses the computer access to itself and to the data server; the computer then cannot access the confidential documents in the data server, which prevents leaks and safeguards the security of the LAN.
The system server comprises a monitoring module.
Further, when the computer's boot mode is the local-hard-disk boot mode, the computer cannot access the system server or the application server, so it cannot threaten the security of the LAN, and the monitoring module in the system server need not monitor its access events; the system server therefore sets its own monitoring module not to monitor the access events of the computer. The access events of a computer are described in detail below.
Step 203: the computer boots from the operating system on its local hard disk.
Here, the terminals in the LAN of this embodiment are not transparent computers but computers with a local hard disk, and the local hard disk is used to store the local operating system.
It should be noted that the order of execution of steps 202 and 203 is not restricted: they may be executed simultaneously, or step 203 may be executed before step 202.
Step 204: when the computer's boot mode is determined to be the virtual-image-file boot mode, the system server sets both the gateway and the computer's local hard disk as unavailable to the computer, and sets its own monitoring module to monitor the access events of the computer.
Here, the computer's boot mode being the virtual-image-file boot mode means that the computer has the right to access the LAN and hence can access the confidential documents in the data server. By setting the state of the computer's local hard disk to unavailable with respect to the computer, the system server prevents the computer from saving the confidential documents it accesses to its local hard disk; by setting the state of the gateway to unavailable with respect to the computer, the system server prevents the computer from sending confidential documents to the external network through the gateway. These settings effectively prevent leaks of the confidential documents stored in the LAN's data server.
Further, when the computer's boot mode is the virtual-image-file boot mode, the computer has the right to access the system server and the data server and might threaten the security of the LAN, so the monitoring module in the system server needs to monitor its access events; the system server therefore sets its own monitoring module to monitor the access events of the computer. The monitoring module's monitoring of the access events of the computer is described in detail below.
Step 205: the computer boots from the virtual image file on the system server; the system server queries the computer for its use mode, and the computer determines whether its use mode is private mode or standard mode and reports this to the system server.
Here, when the computer's boot mode is the virtual-image-file boot mode, the computer boots from the virtual image file on the system server.
In the present invention a computer has two use modes: private mode and standard mode. The use mode determines how the modifications the computer makes to the operating system are preserved. The system server obtains the use mode adopted by the computer by querying it, and accordingly sets how the computer's modifications to the operating system are preserved.
After the computer determines its use mode, the modifications it makes to the operating system are preserved in different ways according to the use mode, in step 206 and step 207 respectively.
Step 206: when the use mode of the computer is private mode, the system server saves the computer's modifications to the operating system in the virtual image file.
Here, in private mode, after the system server saves the computer's modifications to the operating system in the virtual image file, the modifications made in this session remain in use in all later sessions of the computer. A session of a computer means the whole process from a user logging in to the computer until that user logs out; throughout a session the computer accesses the LAN or the external network under the identity of the user logged in to it.
Step 207: when the use mode of the computer is standard mode, the system server does not save the computer's modifications to the operating system in the virtual image file.
Here, in standard mode, the computer's modifications to the operating system are effective only in the current session of the computer and are not saved in the virtual image file; once the computer exits this session the modifications are discarded and can no longer be used in later sessions.
When the computer uses private mode, it can save its modifications to the operating system in the virtual image file on the system server so that all its later sessions can use them; this helps the operating system to be continually upgraded and guarantees its lasting security. When the computer uses standard mode, it cannot save its modifications to the operating system in the virtual image file and the modifications are used only in the current session; this prevents the computer from damaging the operating system, intentionally or unintentionally, during the session, and helps guarantee the security of the operating system.
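The boot-time policy of steps 201 to 207, modelled in Python as an added example. This is not code from the patent: the names (BootMode, UseMode, TerminalPolicy, policy_for, access_allowed, SystemServer, Session) and the sample image contents are invented for illustration. The model makes two points the prose leaves implicit: the two boot modes yield two fixed, mutually exclusive policies (external network versus LAN servers), and a standard-mode session works on a copy of the virtual image that is discarded at logout, while a private-mode session writes back.

```python
from dataclasses import dataclass
from enum import Enum


class BootMode(Enum):
    LOCAL_DISK = "local-hard-disk boot mode"        # step 202/203
    VIRTUAL_IMAGE = "virtual-image-file boot mode"  # step 204/205


class UseMode(Enum):
    PRIVATE = "private mode"    # step 206: modifications are kept
    STANDARD = "standard mode"  # step 207: modifications are dropped


@dataclass(frozen=True)
class TerminalPolicy:
    """What the system server makes available to one terminal after it reports its boot mode."""
    gateway_available: bool        # may the terminal reach the external network?
    local_disk_available: bool     # may the terminal use its own hard disk?
    lan_servers_accessible: bool   # may it reach the system server and data server?
    monitored: bool                # does the monitoring module record its access events?


def policy_for(mode: BootMode) -> TerminalPolicy:
    """Steps 202 and 204: one fixed policy per boot mode, nothing in between."""
    if mode is BootMode.LOCAL_DISK:
        return TerminalPolicy(gateway_available=True, local_disk_available=True,
                              lan_servers_accessible=False, monitored=False)
    return TerminalPolicy(gateway_available=False, local_disk_available=False,
                          lan_servers_accessible=True, monitored=True)


# Hypothetical resource names mapped onto the policy fields they are governed by.
RESOURCE_TO_FIELD = {
    "gateway": "gateway_available",
    "local_disk": "local_disk_available",
    "system_server": "lan_servers_accessible",
    "data_server": "lan_servers_accessible",
}


def access_allowed(policy: TerminalPolicy, resource: str) -> bool:
    """Deny-by-default check of a terminal's request against its policy."""
    field_name = RESOURCE_TO_FIELD.get(resource)
    return bool(field_name) and getattr(policy, field_name)


class SystemServer:
    """Holds the virtual image file and applies steps 205 to 207 to each session."""

    def __init__(self, image_files: dict):
        self.image = dict(image_files)  # the virtual image (constructed, in-memory)

    def open_session(self, use_mode: UseMode) -> "Session":
        return Session(self, use_mode)

    def commit(self, session: "Session") -> None:
        # Step 206: only a private-mode session writes its OS changes back to the image.
        if session.use_mode is UseMode.PRIVATE:
            self.image = dict(session.view)
        # Step 207: a standard-mode session's copy is simply discarded.


class Session:
    """One login-to-logout session booted from the virtual image."""

    def __init__(self, server: SystemServer, use_mode: UseMode):
        self.server = server
        self.use_mode = use_mode
        self.view = dict(server.image)  # the operating system as this session sees it

    def modify_os(self, path: str, content: str) -> None:
        self.view[path] = content

    def logout(self) -> None:
        self.server.commit(self)


def demo() -> dict:
    """Run one standard-mode and one private-mode session; return the image after each."""
    server = SystemServer({"/etc/motd": "base image"})  # constructed sample image
    s1 = server.open_session(UseMode.STANDARD)
    s1.modify_os("/etc/motd", "changed in standard mode")
    s1.logout()
    after_standard = dict(server.image)
    s2 = server.open_session(UseMode.PRIVATE)
    s2.modify_os("/etc/motd", "changed in private mode")
    s2.logout()
    after_private = dict(server.image)
    return {"after_standard": after_standard, "after_private": after_private}


if __name__ == "__main__":
    print(policy_for(BootMode.LOCAL_DISK))
    print(policy_for(BootMode.VIRTUAL_IMAGE))
    print(demo())
```

The unknown-resource branch of access_allowed returns False; on a real system server the enforcement points (gateway ACL, disk export, server-side access lists) would be configured from the TerminalPolicy rather than checked in application code.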
In order to guarantee the safety of local area network (LAN), when the guidance mode of determining computer was virtual image file guidance mode, the monitoring module on the system server further was responsible for the Access Events of supervisory control comuter.
The access events of a computer may be: the computer accessing another computer in the LAN; the computer accessing a confidential document stored on the data server; the computer accessing an application server in the LAN; and so on. In the prior art, a computer has a highest security level and a current security level, and a confidential document stored on the data server has a security level of its own. Here a security level represents a kind of authority: the higher the security level, the higher the corresponding authority. The highest security level of a computer expresses the highest authority the computer has to access confidential documents; the security level of a confidential document the computer may access cannot be higher than the computer's highest security level, and another computer in the LAN that this computer may access must have a highest security level equal to its own. The current security level of a computer expresses the authority the computer currently has to access confidential documents; the security level of a confidential document the computer may currently access cannot be higher than the computer's current security level. The current security level of a computer can change, but cannot exceed the computer's highest security level. If the security level of a confidential document is higher than the computer's current security level but not higher than its highest security level, the computer can dynamically adjust its current security level, raising it to equal the security level of that document, and thereby access the document.
One embodiment of the monitoring module monitoring the access events of a computer according to the monitoring policy of the prior art is as follows. When a computer accesses another computer in the LAN, the monitoring module compares the highest security levels of the two computers; if they are equal, the two computers are allowed to communicate, otherwise they are not. When a computer accesses a confidential document on the data server, the monitoring module compares the computer's current security level and highest security level with the security level of the document: if the security level of the document is not higher than the computer's current security level, the computer is allowed to access the document; if the security level of the document is higher than the computer's current security level but not higher than its highest security level, the monitoring module notifies the computer to dynamically adjust its current security level, raising it to equal the security level of the document, and then allows the access; if the security level of the document is higher than the computer's highest security level, the monitoring module does not allow the access. When a computer accesses an application server, the monitoring module first queries whether the computer has authority to access that application server; if it does, the access is allowed, otherwise it is not.
The above is one embodiment of the monitoring module monitoring the access events of a computer. The ways in which the monitoring module can monitor access events are not limited to the above; they belong to the prior art and are not enumerated one by one here.
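The decision logic of the embodiment above, written out as an added example (this is not code from the patent). It models the three checks the monitoring module performs: equality of highest levels for host-to-host communication, the three-way comparison of a document's level against the host's current and highest levels (including the dynamic raise of the current level), and the permission lookup for application servers. The host names, numeric levels and application-server names are constructed for illustration.

```python
"""Access-decision logic of a monitoring module following the security-level
rules described above. This is an added example, not code from the patent;
the host names, levels and application-server names below are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    ALLOW_AFTER_RAISE = "allow after raising current level"
    DENY = "deny"


@dataclass
class Computer:
    name: str
    highest_level: int                 # ceiling of the documents this host may ever read
    current_level: int                 # level in force now; never above highest_level
    app_permissions: set = field(default_factory=set)  # application servers it may use

    def __post_init__(self):
        if self.current_level > self.highest_level:
            raise ValueError("current level cannot exceed highest level")

    def raise_current_level(self, new_level: int) -> None:
        """Dynamic adjustment of the current level, bounded by the highest level."""
        if new_level > self.highest_level:
            raise ValueError("cannot raise current level above highest level")
        self.current_level = new_level


def check_computer_access(src: Computer, dst: Computer) -> Decision:
    """Two hosts may communicate only if their highest security levels are equal."""
    return Decision.ALLOW if src.highest_level == dst.highest_level else Decision.DENY


def check_document_access(c: Computer, doc_level: int) -> Decision:
    """Compare the document's level with the host's current and highest levels.

    Allowed outright when doc_level <= current level; allowed after the host
    raises its current level when current < doc_level <= highest; denied
    when the document is above the host's highest level.
    """
    if doc_level <= c.current_level:
        return Decision.ALLOW
    if doc_level <= c.highest_level:
        c.raise_current_level(doc_level)   # the module tells the host to adjust
        return Decision.ALLOW_AFTER_RAISE
    return Decision.DENY


def check_app_access(c: Computer, app_server: str) -> Decision:
    """Application servers are gated by an explicit permission, not by level."""
    return Decision.ALLOW if app_server in c.app_permissions else Decision.DENY


if __name__ == "__main__":
    pc = Computer("pc-a", highest_level=3, current_level=1, app_permissions={"mail"})
    print(check_document_access(pc, 1))   # ALLOW
    print(check_document_access(pc, 3))   # ALLOW_AFTER_RAISE, pc.current_level becomes 3
    print(check_document_access(pc, 4))   # DENY: above highest level
    print(check_computer_access(pc, Computer("pc-b", 3, 3)))  # ALLOW: equal highest level
    print(check_app_access(pc, "web"))    # DENY: no permission for this server
```

Note that the raise in `check_document_access` is a side effect on the host's state, exactly as the text describes: after one document at level 3 has been opened, every later document at level 3 or below is allowed outright in that session.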
When the boot mode of the computer is determined to be the local hard disk boot mode, as described in step 202, the computer cannot access the system server or the application server, so it cannot threaten the security of the LAN, and the monitoring module in the system server does not need to monitor its access events; therefore the system server configures its own monitoring module not to monitor the access events of this computer.
In the present invention, a computer in the LAN first determines its boot mode when it starts. The boot mode determines where the computer reads its operating system from, and the authority the computer has after startup to access the LAN and the external network differs accordingly. In the local hard disk boot mode the computer cannot access confidential documents in the LAN, but can communicate with the external network through the gateway, so information can be shared externally. In the virtual image file boot mode the computer cannot communicate with the external network and cannot save files on its local hard disk, but can access confidential documents in the LAN. This computer starting method in the LAN therefore both effectively guarantees the security of the LAN and lets the computer be used normally when detached from the LAN, which, compared with the prior art, greatly improves the utilization rate of terminal equipment.
In addition, because the LAN terminals in the present invention are ordinary computers commonly available on the market, which, unlike the transparent computers of the prior art, need not be specially designed and manufactured, deploying the network only requires purchasing equipment at market price, and the LAN uses a generic structure that need not be redesigned. Therefore, compared with the prior art, the equipment purchase cost and networking cost of the present invention are both very low.
Fig. 3 is a flow chart of the monitoring module of the system server proposed by the present invention performing mandatory control on a computer. As shown in Fig. 3, the monitoring module of the system server can further apply mandatory control to computers in the LAN, to prevent intentional or unintentional illegal operations by a computer during access. The flow of the monitoring module performing mandatory control on a computer comprises:
Step 301: the monitoring module on the system server sets in advance the mandatory control conditions and mandatory control rules.
Here, the monitoring module on the system server needs to set in advance mandatory control conditions and mandatory control rules, so that a computer whose access events meet a mandatory control condition can be subjected to mandatory control according to the corresponding mandatory control rule.
One embodiment of a mandatory control condition is as follows: the same computer accesses the same confidential document more than three times in one session and is refused by the monitoring module every time; for a computer meeting this mandatory control condition the monitoring module can apply mandatory control, and the corresponding mandatory control rule is forced shutdown. Another embodiment of a mandatory control condition is: the same computer requests more than three times in one session to communicate with a computer whose highest security level is higher than its own; for a computer meeting this mandatory control condition the monitoring module can apply mandatory control, and the corresponding mandatory control rule is a warning.
The above are two embodiments of mandatory control conditions and mandatory control rules; the mandatory control conditions and rules described in the present invention are not limited to these two. Any leak or illegal operation performed by a computer that may threaten the security of the LAN can be a mandatory control condition, and any operation the monitoring module may perform on a computer whose access events meet a mandatory control condition can be a mandatory control rule.
Step 302: when the boot mode of the computer is the virtual image file boot mode, the monitoring module on the system server records the access events of the computer in a log.
Here, the purpose of the monitoring module recording the access events of the computer is to analyze the network, so as to find computers whose access events meet a mandatory control condition set in step 301, and then apply mandatory control to them according to the mandatory control rule.
The access events of the computer are the same as those described in step 205 of Fig. 2 and are not repeated here.
Step 303: the monitoring module on the system server judges, according to the log, whether the access events of the computer meet a mandatory control condition.
Here, if the monitoring module judges according to the log that the access events of a computer in the LAN meet a mandatory control condition, step 304 is executed; otherwise step 305 is executed.
Step 304: the monitoring module on the system server applies mandatory control to the computer according to the mandatory control rule.
Here, the monitoring module has judged in step 303 that the access events of a computer in the LAN meet a mandatory control condition set in step 301, and it applies mandatory control to this computer according to the mandatory control rule set in step 301.
Step 305: the monitoring module on the system server does not apply mandatory control to the computer.
Here, the monitoring module has judged in step 303 that the access events of a computer in the LAN do not meet the mandatory control conditions set in step 301, and it does not apply mandatory control to this computer.
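Steps 301 to 305 carried through on a sample log, as an added example (not code from the patent). The two mandatory control conditions of the text are expressed as thresholds over a per-session log: more than three refused accesses to the same document by the same host leads to forced shutdown, and more than three requests to reach a host with a higher highest security level leads to a warning. The key=value log format, the host and document names and the log lines themselves are all constructed for this illustration.

```python
"""Log-based mandatory control of the monitoring module (steps 301 to 305
above), as an added example, not code from the patent. The key=value log
format and the sample lines are constructed for this illustration."""
from collections import Counter

# Step 301: mandatory control conditions and rules, expressed as thresholds.
# "More than three times in one session" means a count of four or more.
MAX_REFUSED_DOC_ATTEMPTS = 3       # exceeded -> forced shutdown
MAX_HIGHER_PEER_REQUESTS = 3       # exceeded -> warning

RULE_FORCED_SHUTDOWN = "forced shutdown"
RULE_WARNING = "warning"


def parse_event(line):
    """Parse one constructed log line: '<time> key=value key=value ...'."""
    fields = line.split()
    event = {"time": fields[0]}
    for kv in fields[1:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def evaluate_log(lines):
    """Steps 303 and 304: return the control actions the log justifies as a
    sorted list of (session, host, rule) tuples; hosts under every
    threshold get no entry (step 305)."""
    refused_doc = Counter()    # (session, host, document) -> refused accesses
    higher_peer = Counter()    # (session, host) -> requests to a higher-level host
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        key = (ev["session"], ev["host"])
        if ev["kind"] == "doc" and ev["result"] == "deny":
            refused_doc[key + (ev["target"],)] += 1
        elif ev["kind"] == "comm" and int(ev["peer_level"]) > int(ev["self_level"]):
            higher_peer[key] += 1

    actions = set()
    for (session, host, _doc), n in refused_doc.items():
        if n > MAX_REFUSED_DOC_ATTEMPTS:
            actions.add((session, host, RULE_FORCED_SHUTDOWN))
    for (session, host), n in higher_peer.items():
        if n > MAX_HIGHER_PEER_REQUESTS:
            actions.add((session, host, RULE_WARNING))
    return sorted(actions)


# Constructed sample log (not a real capture): pc-a is refused doc-17 four
# times, pc-b asks four times to reach a higher-level host, pc-c is refused
# only three times and pc-d's refusals are spread over two documents.
SAMPLE_LOG = [
    "09:00:01 session=S1 host=pc-a kind=doc target=doc-17 result=deny",
    "09:00:05 session=S1 host=pc-a kind=doc target=doc-17 result=deny",
    "09:00:09 session=S1 host=pc-a kind=doc target=doc-17 result=deny",
    "09:00:12 session=S1 host=pc-a kind=doc target=doc-17 result=deny",
    "09:01:00 session=S1 host=pc-b kind=comm target=pc-x self_level=1 peer_level=3 result=deny",
    "09:01:04 session=S1 host=pc-b kind=comm target=pc-x self_level=1 peer_level=3 result=deny",
    "09:01:08 session=S1 host=pc-b kind=comm target=pc-y self_level=1 peer_level=2 result=deny",
    "09:01:11 session=S1 host=pc-b kind=comm target=pc-x self_level=1 peer_level=3 result=deny",
    "09:02:00 session=S1 host=pc-c kind=doc target=doc-17 result=deny",
    "09:02:03 session=S1 host=pc-c kind=doc target=doc-17 result=deny",
    "09:02:06 session=S1 host=pc-c kind=doc target=doc-17 result=deny",
    "09:03:00 session=S1 host=pc-d kind=doc target=doc-1 result=deny",
    "09:03:02 session=S1 host=pc-d kind=doc target=doc-1 result=deny",
    "09:03:04 session=S1 host=pc-d kind=doc target=doc-2 result=deny",
    "09:03:06 session=S1 host=pc-d kind=doc target=doc-2 result=deny",
    "09:04:00 session=S2 host=pc-a kind=doc target=doc-17 result=allow",
]

if __name__ == "__main__":
    for session, host, rule in evaluate_log(SAMPLE_LOG):
        print(f"{host} in {session}: {rule}")
```

The counters are keyed on the session as well as the host, so a new session (pc-a in S2 above) starts from zero, which is what "in one session" in the conditions requires; the rule for document refusals is keyed on the document too, so pc-d's four refusals spread across two documents do not trigger it.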
In addition, the present invention also proposes a LAN; Fig. 4 is a structural diagram of the LAN proposed by the present invention. As shown in Fig. 4, the networking structure of this LAN differs from that of Fig. 1 in that the terminals are not transparent computers but ordinary computers. This LAN 401 is connected with the external network 403 through the gateway 402, and LAN 401 comprises: application server 404, resource server 405, dynamic monitoring switch set 406 and computer 407. Wherein,
Application server 404 comprises Web server 408, mail server 409, print server 410 and so on, and is used to provide computer 407 with application services such as Web service, mail service and print service;
Resource server 405 comprises data server 411 and system server 412;
Data server 411 is used to store data, including confidential documents;
System server 412 is used to query the boot mode of computer 407 when computer 407 starts; if computer 407 determines to adopt the local hard disk boot mode, it sets gateway 402 as available to computer 407 and refuses computer 407 access to data server 411 and system server 412; if computer 407 determines to adopt the virtual image file boot mode, it sets both gateway 402 and the local hard disk of computer 407 as unavailable to the computer. The virtual image file on system server 412 is formed on system server 412 by mirroring the operating system on the local hard disk of computer 407 to system server 412 through virtualization technology;
Dynamic monitoring switch set 406 comprises controller 413 and switch 414;
Controller 413 is used to control the communication connections of each computer in LAN 401;
Switch 414 is used to provide network connections to each computer in LAN 401;
Computer 407 is used, when starting, to determine whether to adopt the local hard disk boot mode or the virtual image file boot mode, and to report to system server 412; if it determines to adopt the local hard disk boot mode, it boots from the operating system on the local hard disk; if it determines to adopt the virtual image file boot mode, it boots from the virtual image file on system server 412. Here, compared with the transparent computers of the prior art, computer 407 comprises storage devices such as a local hard disk, on which a local operating system can be saved for the computer to read and boot from.
Because the functions of application server 404, dynamic monitoring switch set 406 and data server 411 in LAN 401 of the present invention are the same as in the prior art, they are not described further here.
It can be seen that, in the present invention, computer 407 in LAN 401 first confirms its boot mode when it starts. In the local hard disk boot mode, computer 407 cannot access confidential documents in data server 411, but can communicate with external network 403 through gateway 402, so information can be shared externally; in the virtual image file boot mode, computer 407 cannot communicate with external network 403 and cannot save files on its local hard disk, but can access confidential documents in data server 411. This LAN thus both effectively guarantees the security of network data and lets computer 407 be used normally when detached from LAN 401, which, compared with the prior art, greatly improves the utilization efficiency of terminal equipment.
In addition, because the terminals used by LAN 401 in the present invention are computers commonly available on the market, which, unlike the transparent computers of the prior art, need not be specially designed and manufactured, deploying the network only requires purchasing equipment at market price, and the LAN uses a generic structure that need not be redesigned. Therefore, compared with the prior art, the equipment purchase cost and networking cost of the present invention are both very low.
To further guarantee the security of LAN 401, in the present invention system server 412 further comprises a monitoring module. When computer 407 determines to adopt the local hard disk boot mode, computer 407 cannot access data server 411 or system server 412, so the monitoring module need not monitor computer 407.
In the present invention, to further guarantee the lasting, long-term security of the LAN, when a computer determines to adopt the virtual image file boot mode, two use modes are provided for computer 407 in LAN 401: a private mode and a standard mode. The use mode of computer 407 determines how the modifications computer 407 makes to the operating system are preserved. System server 412 obtains the use mode adopted by computer 407 by querying it, and accordingly sets the way the modifications computer 407 makes to the operating system are preserved. Therefore,
System server 412, when the boot mode of the computer is the virtual image file boot mode, is further used to query the use mode of computer 407 and to receive the use mode determination information from the computer; if the use mode of computer 407 is the private mode, the modifications computer 407 makes to the operating system are saved into the virtual image file; if the use mode of computer 407 is the standard mode, the modifications computer 407 makes to the operating system are not saved into the virtual image file;
Computer 407 is further used to receive the use mode query from system server 412, determine whether the use mode is the private mode or the standard mode, send the use mode determination information to system server 412, and modify the operating system.
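The two use modes, modelled as an added example (not code from the patent): the image held by the system server is a mapping from file path to content, and each session keeps its modifications in an overlay that is merged into the image at session end in private mode and discarded in standard mode. The file paths and contents are constructed for illustration.

```python
"""Private vs. standard use mode of a virtual-image session, as an added
example that is not code from the patent. The image is modelled as a mapping
from file path to content plus a per-session overlay; paths and contents
are constructed."""

PRIVATE = "private"     # modifications are committed into the image at session end
STANDARD = "standard"   # modifications live only for the session and are discarded


class VirtualImage:
    """The golden image kept on the system server."""

    def __init__(self, files):
        self.files = dict(files)


class ImageSession:
    """One boot of a computer from the image in a given use mode."""

    def __init__(self, image, use_mode):
        if use_mode not in (PRIVATE, STANDARD):
            raise ValueError(f"unknown use mode: {use_mode!r}")
        self.image = image
        self.use_mode = use_mode
        self.overlay = {}      # path -> new content written during this session
        self.deleted = set()   # paths removed during this session

    def read(self, path):
        """Session view: overlay first, then the image; deleted paths read as None."""
        if path in self.deleted:
            return None
        if path in self.overlay:
            return self.overlay[path]
        return self.image.files.get(path)

    def write(self, path, content):
        self.overlay[path] = content
        self.deleted.discard(path)

    def delete(self, path):
        self.overlay.pop(path, None)
        self.deleted.add(path)

    def end(self):
        """End the session. Private mode merges the overlay into the image so
        later sessions see it; standard mode throws it away. Returns the
        number of image entries changed."""
        changed = 0
        if self.use_mode == PRIVATE:
            self.image.files.update(self.overlay)
            changed += len(self.overlay)
            for path in self.deleted:
                if self.image.files.pop(path, None) is not None:
                    changed += 1
        self.overlay.clear()
        self.deleted.clear()
        return changed


def run_session(image, use_mode, writes=(), deletes=()):
    """Boot, apply the given modifications, end the session; return changed count."""
    session = ImageSession(image, use_mode)
    for path, content in writes:
        session.write(path, content)
    for path in deletes:
        session.delete(path)
    return session.end()


if __name__ == "__main__":
    img = VirtualImage({"/etc/hosts": "127.0.0.1 localhost", "/bin/app": "app v1"})
    # Standard mode: a damaged binary does not survive the session.
    run_session(img, STANDARD, writes=[("/bin/app", "corrupted")], deletes=["/etc/hosts"])
    print(img.files["/bin/app"])                           # app v1
    # Private mode: an upgrade is kept for every later session.
    run_session(img, PRIVATE, writes=[("/bin/app", "app v2")])
    print(ImageSession(img, STANDARD).read("/bin/app"))    # app v2
```

Within a session both modes behave identically (the computer sees and uses its own modifications); the modes differ only in what `end` does with the overlay, which is the distinction the text draws between upgrades that should persist and damage that should not.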
Further, to prevent intentional or unintentional illegal operations by a computer from threatening the security of LAN 401, the monitoring module on system server 412 in the present invention also has a mandatory control function for computers in LAN 401, with the following specific structure:
The monitoring module on system server 412 is further used to set in advance mandatory control conditions and mandatory control rules when the boot mode of the computer is the virtual image file boot mode; to record the access events of computer 407 in a log when the boot mode of computer 407 is the virtual image file boot mode; and to judge according to the log whether the access events of computer 407 meet a mandatory control condition: if so, it applies mandatory control to computer 407 according to the mandatory control rule; if not, it does not apply mandatory control to computer 407.
It can be seen that the present invention has the following advantages:
(1) In the present invention, a computer in the LAN first determines its boot mode when it starts. The boot mode determines where the computer reads its operating system from, and the authority the computer has after startup to access the LAN and the external network differs accordingly. In the local hard disk boot mode the computer cannot access confidential documents in the LAN, but can communicate with the external network through the gateway, so information can be shared externally. In the virtual image file boot mode the computer cannot communicate with the external network and cannot save files on its local hard disk, but can access confidential documents in the LAN. This computer starting method in the LAN therefore both effectively guarantees the security of the LAN and lets the computer be used normally when detached from the LAN, which, compared with the prior art, greatly improves the utilization rate of terminal equipment.
(2) In the present invention, because the LAN terminals are ordinary computers commonly available on the market, which, unlike the transparent computers of the prior art, need not be specially designed and manufactured, deploying the network only requires purchasing equipment at market price, and the LAN uses a generic structure that need not be redesigned. Therefore, compared with the prior art, the equipment purchase cost and networking cost of the present invention are both very low.
(3) In the present invention, a computer has two use modes, the private mode and the standard mode. In the private mode the system server saves the modifications the computer makes to the operating system into the virtual image file on the system server, so that the computer can use these modifications in all subsequent sessions; this helps the operating system be continually upgraded and guarantees its security. In the standard mode the system server does not save the modifications the computer makes to the operating system into the virtual image file, and the modifications are used only in the current session; this prevents the user from intentionally or unintentionally damaging the operating system and helps its security. Therefore, compared with the prior art, the present invention can greatly improve the security of the computer operating system.
(4) In the present invention, because the monitoring module of the system server has a mandatory control function for computers in the LAN, if an intentional or unintentional faulty operation by a computer in the LAN meets a mandatory control condition, the monitoring module applies mandatory control to it according to the mandatory control rule; therefore, compared with the prior art, the present invention can more effectively protect the security of the LAN.
The above are only preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A computer starting method in a local area network (LAN), the LAN being connected with an external network through a gateway and comprising a system server, a data server and a computer, characterized in that the method comprises:
the computer, when starting, determines whether to boot from the operating system on its local hard disk or from the virtual image file on the system server, and reports to the system server;
when the computer determines to boot from the operating system on the local hard disk, the computer boots from the operating system on the local hard disk, and the system server sets the gateway as available to the computer and refuses the computer access to the system server and the data server;
when the computer determines to boot from the virtual image file on the system server, the computer boots from the virtual image file on the system server, and the system server sets both the gateway and the local hard disk of the computer as unavailable to the computer.
2. The method according to claim 1, characterized in that the virtual image file on the system server is formed on the system server by mirroring the operating system on the local hard disk of the computer to the system server through virtualization technology.
3. The method according to claim 1 or 2, characterized in that,
when the computer determines to boot from the operating system on the local hard disk, the method further comprises: the system server does not monitor the access events of the computer;
when the computer determines to boot from the virtual image file on the system server, the method further comprises: the system server monitors the access events of the computer.
4. The method according to claim 1 or 2, characterized in that, when the computer determines to boot from the virtual image file on the system server, the method further comprises:
the system server queries the use mode of the computer;
the computer determines whether the use mode is the private mode or the standard mode, and reports to the system server;
when the use mode of the computer is the private mode, the system server saves the modifications the computer makes to the operating system into the virtual image file;
when the use mode of the computer is the standard mode, the system server does not save the modifications the computer makes to the operating system into the virtual image file.
5. The method according to claim 1 or 2, characterized in that the system server sets in advance mandatory control conditions and mandatory control rules;
when the computer boots from the virtual image file on the system server, the method further comprises:
the system server records the access events of the computer in a log;
the system server judges according to the log whether the access events of the computer meet the mandatory control condition, and if so applies mandatory control to the computer according to the mandatory control rule.
6. A local area network (LAN), the LAN being connected with an external network through a gateway, characterized in that the LAN comprises: a system server, a data server and a computer; wherein,
the computer is used, when starting, to determine whether to boot from the operating system on its local hard disk or from the virtual image file on the system server, and to report to the system server; when it determines to boot from the operating system on the local hard disk, it boots from the operating system on the local hard disk; when it determines to boot from the virtual image file on the system server, it boots from the virtual image file on the system server;
the system server is used, when the computer determines to boot from the operating system on the local hard disk, to set the gateway as available to the computer and refuse the computer access to the system server and the data server; and, when the computer determines to boot from the virtual image file on the system server, to set both the gateway and the local hard disk of the computer as unavailable to the computer;
the data server is used to store data.
7. The LAN according to claim 6, characterized in that the system server mirrors the operating system on the local hard disk of the computer onto itself through virtualization technology, thereby forming the virtual image file.
8. The LAN according to claim 6 or 7, characterized in that the system server further comprises a monitoring module;
when the computer determines to boot from the operating system on the local hard disk, the monitoring module does not monitor the access events of the computer;
when the computer determines to boot from the virtual image file on the system server, the monitoring module monitors the access events of the computer.
9. The LAN according to claim 6 or 7, characterized in that,
the system server, when the computer determines to boot from the virtual image file on the system server, is further used to query the use mode of the computer and to receive the use mode determination information from the computer; if the use mode of the computer is the private mode, the modifications the computer makes to the operating system are saved into the virtual image file; if the use mode of the computer is the standard mode, the modifications the computer makes to the operating system are not saved into the virtual image file;
the computer is further used to receive the use mode query from the system server, determine whether the use mode is the private mode or the standard mode, send the use mode determination information to the system server, and modify the operating system.
10. The LAN according to claim 6 or 7, characterized in that the system server further comprises a monitoring module, used to set in advance mandatory control conditions and mandatory control rules;
the monitoring module is used, when the computer boots from the virtual image file on the system server, to record the access events of the computer in a log, to judge according to the log whether the access events of the computer meet the mandatory control condition, and if so to apply mandatory control to the computer according to the mandatory control rule.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010101016757A CN101820438B (en) 2010-01-27 2010-01-27 Computer starting method in local area network (LAN) and LAN

Publications (2)

Publication Number Publication Date
CN101820438A true CN101820438A (en) 2010-09-01
CN101820438B CN101820438B (en) 2013-11-27

Family

ID=42655385

Country Status (1)

Country Link
CN (1) CN101820438B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102479095A (en) * 2010-11-30 2012-05-30 英业达股份有限公司 Test method for server
CN111966051A (en) * 2020-07-02 2020-11-20 佛山科学技术学院 Rapid loading method and system for industrial operating system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1152331C (en) * 1999-06-02 2004-06-02 余鲲 System for ensuring computer network information safety and corresponding method thereof
CN101430649B (en) * 2008-11-19 2011-09-14 北京航空航天大学 Virtual computation environmental system based on virtual machine

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20131127

Termination date: 20140127