CN101873216B - Host authentication method, data packet transmission method and receiving method - Google Patents


Info

Publication number
CN101873216B
Authority
CN
China
Prior art keywords
host
session
packet
authentication
record
Prior art date
Legal status
Expired - Fee Related
Application number
CN2010102211850A
Other languages
Chinese (zh)
Other versions
CN101873216A (en)
Inventor
布日古德
Current Assignee
Individual
Original Assignee
Individual
Events
  • Application CN2010102211850A filed by an individual (priority application)
  • Publication of CN101873216A
  • Application granted
  • Publication of CN101873216B
  • Legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a host authentication method, a data packet sending method and a data packet receiving method for a network system. The network system comprises at least one registered host. A firewall policy is preset for each registered host and comprises a list of authenticated-host records; each authenticated-host record comprises the IP address of another registered host that is allowed to communicate with this registered host, an encryption key, and a machine fingerprint identifying the physical characteristics of that other registered host. In the host authentication method, each time a registered host in the network initiates a session, the session is authenticated with the session receiver using the preconfigured firewall settings, so that only registered hosts can access the network.

Description

Host authentication method, data packet sending method and data packet receiving method
Technical field
The present invention relates to a host authentication method, a data packet sending method and a data packet receiving method in a network. More particularly, it relates to a method that improves network security by performing a one-time identity authentication for each session between authorized hosts, and to a data packet sending method and a data packet receiving method that use this host authentication method.
Background technology
A client computer usually has to pass an authentication process when it accesses a network, so that only authorized users can access the network. Some networks (such as a local area network) have a stricter requirement: only computers that have been approved may access resources in the network, such as servers and printers. This prevents an individual employee from connecting a personal computer to the network and then carrying out activities that compromise network security, for example copying customer data from a server to a personal notebook computer, or even using the personal computer to mount a malicious attack on a server. Authentication performed on the basis of the accessing host is called host authentication.
Current host authentication techniques fall into two categories. The first installs access control software on the server's operating system. When a client accesses the server, the access control software checks the client's security state; if it meets the policy, access is allowed, and if not, access is denied and a corresponding prompt is shown. Access control software installed on client terminals can likewise check each other's security state when the terminals communicate with each other. The weakness of this category is that once a user's client computer has passed the server-side check, the user can, for a certain period of time, substitute an untrusted computer for the trusted host and still access the server, which can leak data.
The second category is host authentication based on a dedicated communication protocol, for example the widely deployed authentication based on the IEEE 802.1x protocol. These techniques also require the user to enter a user name, password and similar credentials through a provided user interface; a dedicated authentication server then verifies the information the user supplied and completes the authentication process according to the protocol. These techniques require every network device to support the 802.1x protocol, which is a demanding condition; they also require dedicated software to be installed on the user's client, and the user must enter a user name and password to authenticate when logging in to the network, which is cumbersome. Moreover, after authentication has passed, the user can connect an untrusted computer to the network on the same port, which is a potential security risk.
Summary of the invention
An object of the present invention is to provide a host authentication method in which, each time a host in a network initiates a session, the host is authenticated using preconfigured firewall settings, so that only registered hosts can access the network.
Another object of the present invention is to provide a host authentication method that uses preconfigured firewall settings to perform session authentication for hosts in a network on a tiered basis, so that particular hosts can access the network without being authenticated.
To achieve these objects, the present invention proposes a host authentication method for a network system. The network system comprises at least one registered host. A firewall policy is preset for each registered host and comprises a list of authenticated-host records; each authenticated-host record comprises the IP address of another registered host that is allowed to communicate with this registered host, an encryption key, and a machine fingerprint identifying the physical characteristics of that other registered host. When a first host, which is one of the registered hosts, attempts to set up a session connection with a second host, which is also one of the registered hosts, the host authentication method comprises:
a) at the network layer, the first host searches its local firewall policy for the authenticated-host record of the second host. If the record is found, the first host inserts its own machine fingerprint into the TCP or UDP session connection packet used to initiate the session, sends that packet to the second host, and creates for this session connection a first session authentication tracking record comprising the session tunnel of the connection and a session authentication state of "initiator pending authentication";
b) after receiving the session connection packet, the second host searches its local firewall policy for the authenticated-host record of the first host. If the record is found and the machine fingerprint in it is identical to the machine fingerprint carried in the session connection packet, the second host generates a random number identifying this session authentication, creates a second session authentication tracking record comprising the session tunnel of the connection, the random number and a session authentication state of "receiver pending authentication", encrypts the random number with the encryption key in the first host's authenticated-host record, builds an authentication request packet containing the encrypted random number and sends it to the first host; it then removes the carried machine fingerprint from the session connection packet and hands the packet to the upper layer of the protocol stack for processing;
c) after receiving the authentication request packet from the second host, the first host extracts the encrypted random number from it, decrypts it with the first host's own decryption key, builds an authentication response packet containing the decrypted random number, sends the authentication response packet to the second host, and sets the session authentication state in the first session authentication tracking record to "authentication success"; and
d) after receiving the authentication response packet from the first host, the second host compares the decrypted random number extracted from the authentication response packet with the random number stored in the second session authentication tracking record for this session. If the two random numbers are equal, the session authentication state in the second session authentication tracking record is set to "authentication success"; if they are not equal, the second session authentication tracking record is deleted.
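The four-step exchange above, modelled end to end as an added Python example; this is not code from the patent, which fixes neither the cipher, the packet format nor the fingerprint encoding. Both hosts keep the authenticated-host list and the session-tracking table the text describes, and the same handlers are what the per-host sending and receiving methods later in the description perform. Assumptions of the example: the "encryption key" in a record and the peer's own "decryption key" are modelled as one shared secret per host pair; the random number is encrypted by XOR with an HMAC-SHA256 keystream under a fresh IV, a stand-in for whichever cipher an implementation uses; packets are dictionaries, and the addresses, keys and fingerprints are constructed.

```python
# Added example (not from the patent): a model of steps a) to d) of the host
# authentication method. Assumptions the patent does not fix: the record's
# "encryption key" and the peer's own "decryption key" are one shared secret per
# host pair; the random number is encrypted by XOR with an HMAC-SHA256 keystream
# under a fresh 16-byte IV (a stand-in for a real cipher); packets are dicts.
import hashlib
import hmac
import os
from collections import namedtuple

INITIATOR_PENDING = "initiator pending authentication"
RECEIVER_PENDING = "receiver pending authentication"
SUCCESS = "authentication success"

Tunnel = namedtuple("Tunnel", "src_ip src_port dst_ip dst_port proto")  # session tunnel
AuthHostRecord = namedtuple("AuthHostRecord", "ip key fingerprint")     # one list entry

def reverse(t):
    return Tunnel(t.dst_ip, t.dst_port, t.src_ip, t.src_port, t.proto)

def encrypt_nonce(key, nonce):
    iv = os.urandom(16)
    keystream = hmac.new(key, iv, hashlib.sha256).digest()[:len(nonce)]
    return iv + bytes(a ^ b for a, b in zip(nonce, keystream))

def decrypt_nonce(key, blob):
    iv, ct = blob[:16], blob[16:]
    keystream = hmac.new(key, iv, hashlib.sha256).digest()[:len(ct)]
    return bytes(a ^ b for a, b in zip(ct, keystream))

class Host:
    def __init__(self, ip, fingerprint, own_key):
        self.ip, self.fingerprint, self.own_key = ip, fingerprint, own_key
        self.policy = {}  # peer ip -> AuthHostRecord (the authenticated-host list)
        self.tracks = {}  # Tunnel -> {"state", "nonce"} (session tracking records)

    def initiate(self, tunnel):
        """Step a): look up the peer, insert own fingerprint, record INITIATOR_PENDING."""
        if tunnel.dst_ip not in self.policy:
            return None  # no authenticated-host record: discard, end authentication
        self.tracks[tunnel] = {"state": INITIATOR_PENDING, "nonce": b""}
        return {"type": "SYN", "tunnel": tunnel, "fingerprint": self.fingerprint}

    def on_connect(self, pkt):
        """Step b): check the carried fingerprint, then challenge with an encrypted nonce."""
        t = pkt["tunnel"]
        rec = self.policy.get(t.src_ip)
        if rec is None or not hmac.compare_digest(rec.fingerprint, pkt["fingerprint"]):
            return None  # unknown host or fingerprint mismatch: discard
        nonce = os.urandom(16)
        self.tracks[t] = {"state": RECEIVER_PENDING, "nonce": nonce}
        return {"type": "AUTH_REQ", "tunnel": reverse(t), "enc_nonce": encrypt_nonce(rec.key, nonce)}

    def on_auth_request(self, pkt):
        """Step c): decrypt with own key, answer, and mark own record SUCCESS."""
        t = reverse(pkt["tunnel"])  # the session as the initiator recorded it
        track = self.tracks.get(t)
        if track is None or track["state"] != INITIATOR_PENDING:
            return None
        track["state"] = SUCCESS  # set before the receiver has verified anything, as in the text
        return {"type": "AUTH_RESP", "tunnel": t, "nonce": decrypt_nonce(self.own_key, pkt["enc_nonce"])}

    def on_auth_response(self, pkt):
        """Step d): compare with the stored nonce; SUCCESS on match, delete the record otherwise."""
        track = self.tracks.get(pkt["tunnel"])
        if track is None or track["state"] != RECEIVER_PENDING:
            return False
        if hmac.compare_digest(track["nonce"], pkt["nonce"]):
            track["state"] = SUCCESS
            return True
        del self.tracks[pkt["tunnel"]]
        return False

def run_exchange(initiator, receiver, tunnel):
    """Drive one session through steps a) to d); return (initiator state, receiver state)."""
    syn = initiator.initiate(tunnel)
    if syn is None:
        return ("dropped", None)
    req = receiver.on_connect(syn)
    if req is None:
        return (initiator.tracks[tunnel]["state"], "dropped")
    ok = receiver.on_auth_response(initiator.on_auth_request(req))
    return (initiator.tracks[tunnel]["state"], receiver.tracks[tunnel]["state"] if ok else "deleted")

def demo():
    """Constructed hosts and keys: an honest peer, a wrong fingerprint, a wrong key."""
    key_a, tunnel = os.urandom(32), Tunnel("10.0.0.1", 40000, "10.0.0.2", 80, "tcp")
    server = Host("10.0.0.2", b"fp-server", os.urandom(32))
    server.policy["10.0.0.1"] = AuthHostRecord("10.0.0.1", key_a, b"fp-client")

    def client(fingerprint, key):
        h = Host("10.0.0.1", fingerprint, key)
        h.policy["10.0.0.2"] = AuthHostRecord("10.0.0.2", server.own_key, b"fp-server")
        return h

    return {
        "honest": run_exchange(client(b"fp-client", key_a), server, tunnel),
        "wrong_fingerprint": run_exchange(client(b"fp-other", key_a), server, tunnel),
        "wrong_key": run_exchange(client(b"fp-client", os.urandom(32)), server, tunnel),
    }
```

Calling `demo()` exercises the honest path and the two failure paths the text implies: a host that presents the wrong fingerprint is dropped in step b) before any challenge is issued, and a host with the right fingerprint but the wrong key has its record deleted on the receiver in step d). Note that, exactly as step c) states, the initiator marks its own record "authentication success" as soon as it answers the challenge, before the receiver has checked anything, so only the receiver's tracking record reflects whether the challenge was actually met.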
The session tunnel in a session authentication tracking record may comprise the source IP address, source port, destination IP address, destination port and protocol type of the session.
If, in step a), the first host does not find in its local firewall policy the authenticated-host record of the second host, that is, of the destination IP address in the session connection packet, it may discard the session connection packet and end the host authentication process; and if, in step b), the second host does not find in its local firewall policy the authenticated-host record of the first host, that is, of the source IP address in the session connection packet, it may discard the session connection packet and end the host authentication process.
The firewall policy may further comprise a list of no-authentication host records. A no-authentication host record defines the registered hosts in a subnet that do not require authentication and comprises an IP address and a netmask.
If, in step a), the first host does not find the authenticated-host record of the second host, that is, of the destination IP address in the session connection packet, the first host may search the list of no-authentication host records in its firewall policy for a record matching the destination IP address in the header of the session connection packet. If a matching no-authentication host record is found, it may create for this session a first session authentication tracking record with a session authentication state of "authentication success", send the session connection packet and end the host authentication process; if no matching record is found, it may discard the session connection packet and end the host authentication process. If, in step b), the second host does not find the authenticated-host record of the first host, that is, of the source IP address in the session connection packet, the second host may search the list of no-authentication host records in its firewall policy for a record matching the source IP address in the header of the session connection packet. If a matching no-authentication host record is found, it may create for this session a second session authentication tracking record with a session authentication state of "authentication success", pass the session connection packet on and end the host authentication process; if no matching record is found, it may discard the session connection packet and end the host authentication process.
The firewall policy may further comprise a list of one or more general host firewall policies, each of which applies a policy to communication from a predetermined port of hosts in a first predetermined network segment to a predetermined port of hosts in a second predetermined network segment. A general host firewall policy comprises: source IP address, source netmask, destination IP address, destination netmask, source port range, destination port range, protocol type and an action, where the action is either to allow the packet through or to deny it.
In step a), before searching the list of authenticated-host records and the list of no-authentication host records, the first host may search the list of general host firewall policies for a policy matching the session tunnel of the session connection packet. If a matching general host firewall policy is found and its action is allow, the first host goes on to search the list of authenticated-host records and the list of no-authentication host records and processes the packet accordingly; if no matching policy is found, or the matching policy's action is deny, it discards the session connection packet and performs no host authentication. Likewise, in step b), before searching the list of authenticated-host records and the list of no-authentication host records, the second host may search the list of general host firewall policies for a policy matching the session tunnel of the session connection packet. If a matching policy is found and its action is allow, the second host may go on to search the list of authenticated-host records and the list of no-authentication host records and perform the corresponding authentication processing; if no matching policy is found, or the matching policy's action is deny, it may discard the session connection packet and perform no host authentication.
When the first host or the second host is a server located on the inner side of a hardware firewall, it may download the firewall policy configured for it from a policy control center located on the same inner side of the hardware firewall when it starts up.
When the first host is a client computer, then in step c), after receiving the authentication request packet from the second host, the client computer first confirms from a special flag in the IP or TCP/UDP header of the received packet that it is an authentication request packet, and only then extracts the random number, decrypts it, builds the authentication response packet and sets the session authentication state. If the received packet is found not to be an authentication request packet, the client discards it and ends the host authentication process.
The second host may be a hardware firewall. The hardware firewall downloads, from the policy control center on its inner side, the firewall policies of all registered hosts located on its inner side, and in step b) it first uses the destination IP address of the received session connection packet to look up the corresponding firewall policy. If a corresponding firewall policy exists, it continues the authentication processing with that policy; if none is found, it discards the session connection packet and ends the host authentication process.
The session request packet and the session response packet may each be sent and received through a predetermined session tunnel between the first host and the second host.
To achieve the above objects of the present invention, a data packet sending method for a registered host in a network is provided. A firewall policy is preset for each of the at least one registered host and comprises a list of authenticated-host records; each authenticated-host record comprises the IP address of another registered host that is allowed to communicate with this registered host, an encryption key, and a machine fingerprint identifying the physical characteristics of that other registered host. The registered host performs the following data packet sending method: obtain a TCP or UDP outgoing packet from the upper layer of the network protocol stack; determine whether a session authentication tracking record has already been created for the session tunnel indicated by the header of the outgoing packet; if such a record exists and its session authentication state is "authentication success", pass the outgoing packet to the lower layer of the network protocol stack and end the packet sending process.
If no such session authentication tracking record exists, determine whether the local firewall policy contains an authenticated-host record for the destination IP address in the header of the outgoing packet. If it does, create for this session a session authentication tracking record comprising the session tunnel, the decryption key contained in that authenticated-host record, and a session authentication state of "initiator pending authentication"; insert the local machine fingerprint at a predetermined position in the outgoing packet; and then pass the outgoing packet to the lower layer of the network protocol stack for sending.
The session tunnel may comprise the source IP address, source port, destination IP address, destination port and communication protocol from the header of the outgoing packet.
If the local firewall policy contains no authenticated-host record for the destination IP address in the header of the outgoing packet, the outgoing packet may be discarded and the packet sending process ended.
The firewall policy may further comprise a list of no-authentication host records. A no-authentication host record defines the registered hosts in a subnet that do not require authentication and comprises an IP address and a netmask.
If the registered host does not find in its local firewall policy an authenticated-host record identified by the destination IP address in the header of the outgoing packet, it may use that destination IP address to search the list of no-authentication host records in its firewall policy for a matching record. If a matching no-authentication host record is found, the registered host creates for this session a session authentication tracking record with a session authentication state of "authentication success" and passes the outgoing packet to the lower layer of the network protocol stack for sending; if no matching record is found, it discards the outgoing packet and ends the packet sending process.
The firewall policy may further comprise a list of one or more general host firewall policies, each of which applies a policy to communication from a predetermined port of hosts in a first predetermined network segment to a predetermined port of hosts in a second predetermined network segment. A general host firewall policy comprises: source IP address, source netmask, destination IP address, destination netmask, source port range, destination port range, protocol type and an action, where the action is either to allow the packet through or to deny it.
Before searching the list of authenticated-host records and the list of no-authentication host records, the registered host may search the list of general host firewall policies for a policy matching the session tunnel of the outgoing packet. If a matching general host firewall policy is found and its action is allow, the registered host goes on to search the list of authenticated-host records and the list of no-authentication host records and processes the packet accordingly; if no matching policy is found, or the matching policy's action is deny, it discards the outgoing packet and ends the sending process.
When the registered host is a server located on the inner side of a hardware firewall, the server may download the firewall policy configured for it from a policy control center on the same inner side of the hardware firewall when it starts up.
To achieve the above objects of the present invention, a data packet receiving method for a registered host in a network is provided. A firewall policy is preset for each of the at least one registered host and comprises a list of authenticated-host records; each authenticated-host record comprises the IP address of another registered host that is allowed to communicate with this registered host, an encryption key, and a machine fingerprint identifying the physical characteristics of that other registered host. The registered host performs the following data packet receiving method: obtain a TCP or UDP incoming packet from the lower layer of the network protocol stack; determine whether a session authentication tracking record exists for the session tunnel indicated by the header of the incoming packet.
If no session tracking record exists, search the list of authenticated-host records in the local firewall policy for the record identified by the source IP address in the header of the incoming packet. If the record is found, extract the machine fingerprint from the predetermined position in the incoming packet and compare it with the machine fingerprint in that authenticated-host record. If the two machine fingerprints are identical: generate a random number identifying this session authentication; encrypt the random number with the encryption key in the authenticated-host record; build an authentication request packet containing the encrypted random number and pass it to the lower layer of the network protocol stack for sending; create a session authentication tracking record comprising the session tunnel, the generated random number and a session authentication state of "receiver pending authentication"; remove the machine fingerprint from the incoming packet; pass the incoming packet to the upper layer of the network protocol stack for receive processing; and end the packet receiving process. In the header of the authentication request packet, the source IP address and source port of the incoming packet are used as the destination IP address and destination port, the destination IP address and destination port of the incoming packet are used as the source IP address and source port, and the communication protocol is the protocol number in the header of the incoming packet.
If a session authentication tracking record is found, determine whether its session authentication state is "authentication success". If it is, pass the incoming packet to the upper layer of the network protocol stack for receive processing and end the packet receiving process. If the record is found but its state is not "authentication success", determine whether the state is "initiator pending authentication" or "receiver pending authentication". If the state is "initiator pending authentication", extract the encrypted random number from the incoming packet, decrypt it with the registered host's own decryption key, build an authentication response packet containing the decrypted random number and pass it to the lower layer of the network protocol stack for sending; in the header of the authentication response packet, the source IP address and source port of the incoming packet are likewise used as the destination IP address and destination port, the destination IP address and destination port of the incoming packet as the source IP address and source port, and the communication protocol is the protocol number in the header of the incoming packet. If the state is "receiver pending authentication", the registered host extracts the random number from the incoming packet and compares it with the random number in the session authentication tracking record; if they are equal, the session authentication state in the record is updated to "authentication success", and if they are not equal, the session authentication tracking record is deleted.
The session tunnel may comprise the destination IP address, destination port, source IP address, source port and communication protocol from the header of the incoming packet.
If the local firewall policy contains no authenticated-host record for the source IP address in the header of the incoming packet, the incoming packet may be discarded and the packet receiving process ended.
The firewall policy may further comprise a list of no-authentication host records. A no-authentication host record defines the registered hosts in a subnet that do not require authentication and comprises an IP address and a netmask.
If the local firewall policy contains no authenticated-host record identified by the source IP address in the header of the incoming packet, the registered host may use that source IP address to search the list of no-authentication host records in its firewall policy for a matching record. If a matching no-authentication host record is found, the registered host creates for this session a session authentication tracking record with a session authentication state of "authentication success" and passes the incoming packet to the upper layer of the network protocol stack for receive processing; if no matching record is found, it discards the incoming packet and ends the packet receiving process.
The firewall policy may further comprise a list of one or more general host firewall policies, each of which applies a policy to communication from a predetermined port of hosts in a first predetermined network segment to a predetermined port of hosts in a second predetermined network segment. A general host firewall policy comprises: source IP address, source netmask, destination IP address, destination netmask, source port range, destination port range, protocol type and an action, where the action is either to allow the packet through or to deny it.
Before searching the list of authenticated-host records and the list of no-authentication host records, the registered host may search the list of general host firewall policies for a policy matching the session tunnel of the incoming packet. If a matching general host firewall policy is found and its action is allow, it goes on to search the list of authenticated-host records and the list of no-authentication host records and processes the packet accordingly; if no matching policy is found, or the matching policy's action is deny, it discards the incoming packet and ends the receiving process.
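The three-list lookup order that the sending method and the receiving method both specify (general host firewall policies first, then authenticated-host records, then no-authentication host records), as an added Python example that is not from the patent. The peer address is taken from the destination on send and from the source on receive, as the text does; `send_packet` adds the tracking-table check that the sending method performs before the lists. The policy contents are constructed for the example, and the choice that the first matching general host firewall policy wins is an assumption the text does not settle.

```python
# Added example (not from the patent): the lookup order that both the sending and the
# receiving method specify: general host firewall policies first, then the
# authenticated-host records, then the no-authentication host records. The policy
# contents below are constructed for the example; that the first matching general
# policy wins is an assumption the text does not settle.
import ipaddress
from collections import namedtuple

# general host firewall policy: the fields the text lists, ports as inclusive ranges
GeneralPolicy = namedtuple("GeneralPolicy", "src_ip src_mask dst_ip dst_mask src_ports dst_ports proto action")
AuthHostRecord = namedtuple("AuthHostRecord", "ip key fingerprint")
NoAuthRecord = namedtuple("NoAuthRecord", "ip mask")  # IP address + netmask of an exempt subnet
FirewallPolicy = namedtuple("FirewallPolicy", "general auth_hosts no_auth")
Tunnel = namedtuple("Tunnel", "src_ip src_port dst_ip dst_port proto")

def in_subnet(ip, net_ip, mask):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net_ip}/{mask}", strict=False)

def matches_general(p, t):
    return (p.proto in (t.proto, "any")
            and in_subnet(t.src_ip, p.src_ip, p.src_mask)
            and in_subnet(t.dst_ip, p.dst_ip, p.dst_mask)
            and p.src_ports[0] <= t.src_port <= p.src_ports[1]
            and p.dst_ports[0] <= t.dst_port <= p.dst_ports[1])

def classify(policy, tunnel, peer_ip):
    """Return ("DROP", reason), ("AUTHENTICATE", AuthHostRecord) or ("PASS", NoAuthRecord)."""
    # 1. general host firewall policies: no match, or a deny, ends processing
    for p in policy.general:
        if matches_general(p, tunnel):
            if p.action == "deny":
                return ("DROP", "denied by general host firewall policy")
            break
    else:
        return ("DROP", "no matching general host firewall policy")
    # 2. authenticated-host records: the peer must be challenged
    for rec in policy.auth_hosts:
        if rec.ip == peer_ip:
            return ("AUTHENTICATE", rec)
    # 3. no-authentication host records: the peer's subnet is exempt
    for rec in policy.no_auth:
        if in_subnet(peer_ip, rec.ip, rec.mask):
            return ("PASS", rec)
    return ("DROP", "peer is neither an authenticated nor a no-authentication host")

def decide_outbound(policy, tunnel):
    """Sending method: the peer is the destination of the outgoing packet."""
    return classify(policy, tunnel, tunnel.dst_ip)

def decide_inbound(policy, tunnel):
    """Receiving method: the peer is the source of the incoming packet."""
    return classify(policy, tunnel, tunnel.src_ip)

def send_packet(policy, tracks, tunnel):
    """Sending method: an existing 'authentication success' record short-circuits the lists."""
    if tracks.get(tunnel) == "authentication success":
        return ("DELIVER", None)
    verdict, info = decide_outbound(policy, tunnel)
    if verdict == "AUTHENTICATE":
        tracks[tunnel] = "initiator pending authentication"  # the fingerprint goes into the packet here
    elif verdict == "PASS":
        tracks[tunnel] = "authentication success"
    return (verdict, info)

# Constructed policy for a host in 10.0.0.0/24: ssh to the server segment is denied
# outright, one server is an authenticated host, and a lab subnet needs no authentication.
SAMPLE_POLICY = FirewallPolicy(
    general=[
        GeneralPolicy("10.0.0.0", "255.255.255.0", "10.0.1.0", "255.255.255.0", (1024, 65535), (22, 22), "tcp", "deny"),
        GeneralPolicy("10.0.0.0", "255.255.255.0", "10.0.1.0", "255.255.255.0", (1024, 65535), (1, 65535), "tcp", "allow"),
        GeneralPolicy("10.0.1.0", "255.255.255.0", "10.0.0.0", "255.255.255.0", (1, 65535), (1024, 65535), "tcp", "allow"),
    ],
    auth_hosts=[AuthHostRecord("10.0.1.5", b"constructed-key", b"constructed-fingerprint")],
    no_auth=[NoAuthRecord("10.0.1.128", "255.255.255.128")],
)
```

With `SAMPLE_POLICY`, a connection to 10.0.1.5:80 is challenged, the same host on port 22 is dropped by the deny rule before any record is consulted, a host in 10.0.1.128/25 passes without a challenge, and a host in neither list is dropped even though the general policy allows it; a second packet on a tunnel already marked "authentication success" is delivered without touching the lists.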
When the registered host is a server located on the inner side of a hardware firewall, the server may download the firewall policy configured for it from a policy control center on the same inner side of the hardware firewall when it starts up.
When the registered host is a client computer, and the client computer confirms from a special flag in the received packet that it is an authentication request packet, it performs the operations of extracting the random number, decrypting it, building the authentication response packet and setting the session authentication state. If it finds that the received packet is not an authentication request packet, it discards the received packet and ends the packet receiving process.
The registered host may be a hardware firewall. The hardware firewall downloads, from the policy control center on its inner side, the firewall policies of all registered hosts located on its inner side, and when searching the firewall policy it first uses the destination IP address of the received packet to look up the corresponding firewall policy. If a corresponding firewall policy exists, it continues the authentication processing with that policy; if none is found, it discards the received packet and ends the processing.
Description of drawings
The above and other objects and features of the present invention will become apparent from the following description, made in conjunction with the accompanying drawings that illustrate an example, in which:
Fig. 1 is a schematic diagram of a network system using a host authentication method according to an exemplary embodiment of the present invention;
Fig. 2 is a schematic diagram of a network system using a host authentication method according to another exemplary embodiment of the present invention;
Fig. 3 is a logic diagram of an authentication control agent implementing the host authentication method of the present invention;
Fig. 4 is a message/information flow diagram of a host authentication method according to an exemplary embodiment of the present invention;
Fig. 5 is a flowchart illustrating the processing of a host authentication method according to an exemplary embodiment of the present invention; and
Fig. 6A and Fig. 6B are flowcharts illustrating the data packet sending method and the data packet receiving method of a host that uses the host authentication method of Fig. 5.
Embodiment
Embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Note that in this application, unless specifically stated otherwise, the term "host" refers generally to a client or a server in the network, without drawing a clear distinction as to its specific role beyond the authentication function described here. That is, both a client and a server may act as a "host" that authenticates and that is authenticated. In addition, a "session" in the present invention is a general term for session-oriented communication (such as the TCP protocol) or connectionless communication (such as the UDP protocol) carried out logically through a specific communication tunnel, and the communication tunnel used for such a "session" is the "session tunnel" of this application. For example, TCP data communication or UDP data communication carried out between port 1 on the host at IP address 1 and port 2 on the host at IP address 2 is one "session", and the session tunnel of this session between the two hosts is constituted by IP address 1 and port 1 on host 1, IP address 2 and port 2 on host 2, and the communication protocol used. The host authentication proposed in this application means authenticating such a "session" carried out between hosts.
Fig. 1 shows a network system using a host authentication method according to an exemplary embodiment of the present invention, and Fig. 2 shows a network system using a host authentication method according to another exemplary embodiment of the present invention. Referring to Fig. 1 and Fig. 2, a policy control center 140 and a host authentication center 130 are provided inside the hardware firewall of the network system. The policy control center 140 and the host authentication center 130 may run on two separate computers in the network, or on the same computer. According to another embodiment of the present invention, the policy control center 140 and the host authentication center 130 may be implemented in the same software module.
Logically, any host in the network system must first be registered through the policy control center 140 and become a registered host before it can communicate with the other hosts in the network that it is allowed to access. When registration is completed, the policy control center 140 and the host hold identical authentication information about the host. Thereafter, when the registered host communicates in a session with another registered host, the pre-registered authentication information is used for authentication, and only after successful authentication can it communicate with the peer.
The host authentication center 130 receives from the policy control center 140 a host account creation request containing the host's IP address and a machine fingerprint (in string form) that identifies the physical features of the host (such as the motherboard serial number and the MAC address of the network card); generates the encryption/decryption keys of the host; creates host account information containing the host's IP address, machine fingerprint and encryption/decryption keys; and then sends the host's encryption/decryption keys to the policy control center 140. The host authentication center 130 also receives from the policy control center 140 host account closure requests containing a host IP address, and deletes the corresponding host account information. The host account information may optionally also include a login state and state information about the other hosts that hold this host's account information. Below is the structure of exemplary host account information:
#include <stddef.h>

struct host_account_info {
    char ip_address[16];            /* field types are illustrative; the text gives only field names */
    char machine_fingerprint[128];  /* e.g. motherboard serial number and NIC MAC address, as a string */
    unsigned char encryption_key[32];
    unsigned char decryption_key[32];
    int login_state;                /* logged in / logged out */
    int state;                      /* whether this record has expired; if it has, the other hosts
                                       holding this host account must update the encryption key
                                       field of this host account */
    struct holder_host {            /* other hosts holding this host account: ensures that hosts
                                       holding the account are promptly notified of updates to it */
        char ip_address[16];
        int state;                  /* whether this IP address entry has expired; if so, update it */
    } *holders;
    size_t holder_count;
};
The policy control center 140 is responsible for registering the hosts in the network and for storing, distributing and managing the firewall policies of those hosts. During host registration, the policy control center 140 receives a registration request containing the host's IP address and machine fingerprint; uses that IP address and machine fingerprint to ask the host authentication center 130 to create a host account for the host; obtains the host's encryption/decryption keys from the host authentication center 130; initializes the host's firewall policy and creates a host firewall policy record containing the host account information described above together with the firewall policy; and then sends the host's encryption/decryption keys and firewall policy to the host. The firewall policy comprises a list of authenticated-host records, each having an IP address, a machine fingerprint and an encryption key; the machine fingerprint and encryption key are used when the registered host itself acts as the session receiver. The firewall policy may also comprise a list of no-authentication host records; a no-authentication host record defines registered hosts in a subnet segment that need not be authenticated, and contains an IP address and a netmask. The firewall policy usually also comprises a list of general host firewall policies; a general host firewall policy defines the action to be taken on specific communication in the network system before host authentication processing. The firewall policy may further comprise a list of disguised host policies used by the client side to disguise other hosts. Below is the structure of an exemplary host firewall policy record:
#include <stddef.h>

/* Each list below may be a linked list, an array or a hash; the text leaves the
   container open, so a pointer plus element count is used here. */

struct authenticated_host_record {
    char ip_address[16];
    char machine_fingerprint[128];      /* used when this host acts as session receiver */
    unsigned char encryption_key[32];   /* used when this host acts as session receiver */
};

struct no_auth_host_record {            /* packets matching this record are not authenticated */
    char ip_address[16];
    char netmask[16];
};

struct redirect_target {                /* optional */
    char ip_address[16];
    unsigned short port;
};

struct general_host_firewall_policy {
    char src_ip_address[16];
    char src_netmask[16];
    char dst_ip_address[16];
    char dst_netmask[16];
    unsigned short src_port_low, src_port_high;   /* source port range */
    unsigned short dst_port_low, dst_port_high;   /* destination port range */
    int protocol_type;
    int action_type;                    /* allow, deny; optional: redirect, sticky
                                           (inside a disguised host policy: deny, redirect, sticky) */
    struct redirect_target *redirects;  /* optional */
    size_t redirect_count;
};

struct disguised_host_policy {          /* optional; disguises the IP address of a host */
    char ip_address[16];
    char netmask[16];
    unsigned char mac_address[6];
    struct general_host_firewall_policy *policies;   /* action: deny, redirect or sticky */
    size_t policy_count;
};

struct host_firewall_policy_record {
    struct host_account_info account;   /* ... as the host account information at the host authentication center */
    struct authenticated_host_record *authenticated_hosts;
    size_t authenticated_host_count;
    struct no_auth_host_record *no_auth_hosts;
    size_t no_auth_host_count;
    struct general_host_firewall_policy *general_policies;
    size_t general_policy_count;
    struct disguised_host_policy *disguised_hosts;
    size_t disguised_host_count;
};
Referring to the host firewall policy structure above, according to another exemplary embodiment of the present invention a general host firewall policy comprises a source IP address, source netmask, destination IP address, destination netmask, source port range, destination port range, protocol type, action type (such as allow, deny, redirect, etc.) and a redirect list (consisting of a number of pairs of redirect IP address and redirect port). The general host firewall policy defines, before host authentication processing is carried out, how this registered host handles communication over a predetermined protocol between a predetermined port on a host in a predetermined subnet and a predetermined port on another host in a predetermined subnet, for example allowing it through or denying it. The "allow" action indicates that the communication packet is allowed through; for a packet allowed through, whether host authentication processing is then carried out is decided on the basis of the authenticated-host record list and the no-authentication host record list. The "deny" action indicates that the communication packet is not allowed through: the packet is discarded and host authentication processing does not proceed. The purpose of this policy is to filter out a large number of invalid packets at the earliest possible moment, thereby improving the performance of authentication and packet processing.
Referring to the host firewall policy structure above, a disguised host policy comprises an IP address, a netmask, a MAC address and a general host firewall policy as described above. The disguised host policy is used by the registered host to modify packets flowing to hosts in a predetermined subnet segment, so as to disguise itself as a virtual host; the action in the general host firewall policy embedded in the disguised host policy is used to perform the disguise.
In addition to registering network hosts, the policy control center 140 also receives host deregistration requests. First, on receiving a host's deregistration request, the policy control center 140 submits a deregistration request for that host to the host authentication center 130, requesting deletion of the corresponding host account information; second, the policy control center 140 sends an invalidation command to all hosts that hold this host's machine fingerprint information; finally, it deletes the host account information, completing the deregistration request.
The policy control center 140 may store the host firewall policy record of each registered host in a private database, or store it on hard disk in the form of an encrypted file.
The host registration and deregistration processes described above can be completed by an administrator in encrypted form through an application installed on the host and at the policy control center 140, or manually by modifying the relevant files.
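The decision the general host firewall policy, the authenticated-host record list and the no-authentication host record list make about a first session packet, as an added example (not code from the patent) that also covers the search order described for operations S520 and S540 below. The sample policy, host addresses and fingerprint strings are constructed; subnets are written as "ip/netmask", matching the IP address plus netmask fields of the records, and the redirect/sticky actions are not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionTunnel:
    """Session tunnel as defined on this page: both endpoints plus the protocol."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str                 # "tcp" or "udp"


@dataclass
class GeneralHostPolicy:
    """General host firewall policy; subnets as 'ip/netmask', ports as (low, high)."""
    src_net: str
    dst_net: str
    src_ports: tuple
    dst_ports: tuple
    protocol: str
    action: str                   # "allow" or "deny" (redirect/sticky not modelled here)

    def matches(self, t):
        src_ok = ipaddress.ip_address(t.src_ip) in ipaddress.ip_network(self.src_net, strict=False)
        dst_ok = ipaddress.ip_address(t.dst_ip) in ipaddress.ip_network(self.dst_net, strict=False)
        return (src_ok and dst_ok and t.protocol == self.protocol
                and self.src_ports[0] <= t.src_port <= self.src_ports[1]
                and self.dst_ports[0] <= t.dst_port <= self.dst_ports[1])


@dataclass
class HostFirewallPolicy:
    """Firewall policy of one registered host, with the three lists described on this page."""
    authenticated_hosts: dict     # peer IP -> (machine fingerprint, encryption key)
    no_auth_hosts: list           # 'ip/netmask' strings
    general_policies: list        # GeneralHostPolicy objects in search order; None if absent


def classify_first_packet(policy, tunnel, role):
    """Decide what to do with a first session packet.

    role is "initiator" (look up the destination IP, as in S520) or "receiver"
    (look up the source IP, as in S540). Returns one of:
      ("drop", reason)           packet discarded, no authentication
      ("authenticate", record)   peer has an authenticated-host record: run session authentication
      ("pass", None)             peer is in a no-authentication subnet: state goes straight to AUTH
    """
    # Step 1: general host firewall policy, evaluated before any authentication.
    if policy.general_policies is not None:
        match = next((p for p in policy.general_policies if p.matches(tunnel)), None)
        if match is None:
            return ("drop", "no matching general host firewall policy")
        if match.action != "allow":
            return ("drop", "general host firewall policy action is %s" % match.action)
    peer_ip = tunnel.dst_ip if role == "initiator" else tunnel.src_ip
    # Step 2: authenticated-host record list (the text allows steps 2 and 3 in either order).
    record = policy.authenticated_hosts.get(peer_ip)
    if record is not None:
        return ("authenticate", record)
    # Step 3: no-authentication host record list.
    for net in policy.no_auth_hosts:
        if ipaddress.ip_address(peer_ip) in ipaddress.ip_network(net, strict=False):
            return ("pass", None)
    return ("drop", "peer %s is not a registered host" % peer_ip)


# CONSTRUCTED sample policy for a registered host at 10.0.1.5 (not from the patent).
SAMPLE_POLICY = HostFirewallPolicy(
    authenticated_hosts={"10.0.2.7": ("MB-SN-0002/66:77:88:99:aa:bb", "enc-key-of-10.0.2.7")},
    no_auth_hosts=["10.0.2.8/255.255.255.248"],
    general_policies=[
        GeneralHostPolicy("10.0.1.0/255.255.255.0", "10.0.2.0/255.255.255.0",
                          (1024, 65535), (80, 443), "tcp", "allow"),
        GeneralHostPolicy("10.0.1.0/255.255.255.0", "10.0.2.0/255.255.255.0",
                          (1024, 65535), (53, 53), "udp", "deny"),
    ],
)
```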
In the network system of the exemplary embodiment shown in Fig. 1, in addition to the host authentication center 130 and policy control center 140 located inside the hardware firewall, a software module for executing the host authentication method of the present invention, namely the server-side control agent 110, is installed on server 150; and a software module for executing the host authentication method of the present invention, namely the client control agent 120, is installed on the client 170 in another subnet outside the firewall. The host authentication method of the present invention applies equally to clients (not shown) and other servers (not shown) inside the firewall. According to an exemplary embodiment of the present invention, the software modules for session authentication and processing (such as the client control agent 120 and the server-side control agent 110) are installed on all registered hosts (such as client 170 and server 150).
Communication between client 170 and server 150 is routed through router 160. A session initiated by client 170 to server 150 is authenticated by the server-side control agent 110 against the client control agent 120; likewise, a session initiated by server 150 to client 170 is authenticated by the client control agent 120 against the server-side control agent 110. In the exemplary embodiment of Fig. 1, a host acting as a client uses the firewall policy stored on its own machine for authentication and does not communicate directly with the policy control center during authentication. A host acting as a server does not itself store the host firewall policy record; instead, at server startup it fetches once from the policy control center 140 the complete firewall policy information of the server host, i.e. its host firewall policy record. Therefore, apart from the different source of the firewall policy described above, a server and a client acting as hosts are essentially identical in host authentication processing; the main difference is that a server obtains the account information and firewall policy of a particular host from the policy control center 140, whereas a client uses the corresponding information stored on its own machine.
Fig. 2 illustrates a network system of a host authentication method according to another exemplary embodiment of the present invention. Apart from the host authentication center 130 and the policy control center 140, which are provided in the same manner, the client control agent installed on the client is also the same as in Fig. 1. In Fig. 2, however, a host identity verification agent 210 is installed on the hardware firewall and is used to authenticate session communication passing through the hardware firewall. That is, the host identity verification agent 210 authenticates, on behalf of the hosts inside the firewall (including servers, clients, etc.), all sessions from hosts located outside the firewall. For this reason, the module for host identity authentication need not be installed on the registered hosts inside the firewall (such as server 150). Hosts in the network system still need to be registered; the difference is that the firewall policies of all registered hosts inside the hardware firewall are not distributed to the corresponding registered hosts but are fetched by the host identity verification agent 210 for use in host identity authentication processing. In addition, this network configuration needs its firewall policy set so that all communication from hosts inside the firewall to hosts outside the firewall is allowed through without any authentication, so that the host identity verification agent 210 does not process communication in that direction.
Thus, in the exemplary embodiment of the present invention shown in Fig. 2, the host identity verification agent 210 performs host identity authentication processing for multiple hosts located inside the hardware firewall, obtaining the firewall policy data from the policy control center 140. It can also be seen that the concrete packet processing of the host identity verification agent 210 is still fairly similar to that of the client control agent.
Fig. 3 is a logic diagram of an authentication control agent (such as the server-side control agent 110 and client control agent 120 in Fig. 1 and the host identity verification agent 210 in Fig. 2) implementing the host authentication method of the present invention. The authentication control agent comprises an application control module 310, a host authentication module 320 and a firewall policy module 330. The host authentication module 320 and the firewall policy module 330 operate at the network layer of the network protocol stack, while the application control module 310 operates above it at the application layer.
The firewall policy module 330 holds the previously registered firewall policy set for this host or for the registered hosts it acts for; the firewall policy has the structure of the host firewall policy record described above. Specifically, during host authentication processing the firewall policy module 330 uses the IP address provided by the host authentication module 320 to search the authenticated-host record list and (if present) the no-authentication host record list in the firewall policy of this host or of the registered host it acts for, and provides the search result to the host authentication module 320. If no corresponding record is found, it notifies the host authentication module 320 that the host at the given IP address is not a registered host. If a general host firewall policy list exists, the firewall policy module 330 may also search it for a general host firewall policy matching the session tunnel provided by the host authentication module 320, and provide the search result to the host authentication module 320; if there is no matching general host firewall policy, it notifies the host authentication module that no special processing of the session is required.
The firewall policy module in the client control agent 120 reads the firewall policy from a database or file stored on the local machine, whereas the firewall policy module in the server-side control agent 110 downloads the firewall policy set for the server from the policy control center 140 at startup. The firewall policy module in the host identity verification agent 210 requests and downloads from the policy control center 140 the firewall policies of all registered hosts located inside the hardware firewall.
The host authentication module 320 is the core of the authentication control agent: it decides whether a session needs authentication, authenticates itself or the host it acts for to other hosts, and authenticates other hosts.
The application control module 310 receives remote control from the policy control center 140 and sets specific policies in the firewall module through a control interface.
Fig. 4 is a message/information flow diagram of a host authentication method according to an exemplary embodiment of the present invention. In Fig. 4 it is assumed that host A and host B are both registered hosts in the network, that each appears in the authenticated-host record list of the other's firewall policy, and that host A initiates TCP/UDP communication to host B.
Referring to Fig. 4, host A, which has an authentication control agent, detects at the network layer the TCP/SYN packet or UDP packet that first initiates the communication (called the "first session packet" here). It uses its local firewall policy to determine whether this session with host B needs host authentication, i.e. it uses host B's IP address to search for a corresponding record in the authenticated-host record list of its firewall policy. If a corresponding record is found, the session needs authentication. Having determined that authentication is needed, host A creates for this session a session authentication tracking record containing the session tunnel and the session authentication state, sets the session authentication state of this session to SEND_WAIT_AUTH (initiator waiting for authentication), inserts its own machine fingerprint at a predetermined position in the packet (recalculating the TCP header and IP header checksums as necessary), and sends the first session packet carrying the machine fingerprint to host B.
After host B detects the first session packet at the network layer, it uses its local firewall policy to determine whether this session with host A needs host authentication, i.e. it uses host A's IP address to search for a corresponding record in the authenticated-host record list of its firewall policy. If a corresponding record is found, the session needs authentication. Having determined that authentication is needed, host B compares the machine fingerprint carried in the first session packet with the machine fingerprint in the corresponding authenticated-host record; if they are identical, it generates a random number identifying this session authentication, encrypts the random number with the encryption key in the authenticated-host record, constructs an authentication request packet containing the encrypted random number, and passes the authentication request packet to the lower layer of the network protocol stack to be sent to host A. Host B then creates a session authentication tracking record containing the session tunnel, the random number and the session authentication state RECV_WAIT_AUTH (receiver waiting for authentication), removes the machine fingerprint from the first session packet, and hands the first session packet to the upper layer of the network protocol stack for processing.
After host A detects the authentication request packet at the network layer, it updates the session authentication state of this session to AUTH (authentication successful), extracts the encrypted random number from the authentication request packet, decrypts the encrypted random number using host A's own decryption key, constructs an authentication response packet containing the decrypted random number, and sends the authentication response packet to host B.
After host B detects the authentication response packet at the network layer, it extracts the random number from the authentication response packet and compares it with the random number it previously generated for this session. If the two are equal, it updates the session authentication state of this session to AUTH (authentication successful). Once the session authentication state at both host A and host B is AUTH, the two hosts can communicate with each other through this session tunnel without any further modification or processing of any packet sent or received in this session.
Because the session request packet and the session response packet are processed at the network layer on host A and host B, they can be constructed as TCP/UDP protocol packets sent and received through the original session tunnel and carrying a special marker in the TCP/UDP or IP packet header. Alternatively, session authentication may be carried out over a separate communication channel, provided on host A and host B for authenticating all sessions between the two hosts, for example over the UDP protocol between a reserved port on host A and another reserved port on host B. In that case, the session request packet and the session response packet both need to contain session tunnel data identifying the session to be authenticated.
Fig. 5 is a flowchart illustrating the processing of a host authentication method according to an exemplary embodiment of the present invention, and more specifically illustrates the processing in host A and host B of Fig. 4. Host A corresponds to the session-initiating host in Fig. 5, and host B corresponds to the session-receiving host in Fig. 5.
Referring to Fig. 5, first, in operation S510, the session-initiating host detects at the network layer the first session packet coming from the upper layer of the network protocol stack; in the present invention the first session packet is a TCP/SYN packet, or the first packet sending UDP data, between a communication port on this host and a communication port on another host (the session-receiving host).
In operation S520, the session-initiating host uses the destination IP address in the header of the detected first session packet to search for a corresponding record in the authenticated-host record list of its firewall policy. If a corresponding authenticated-host record is found, then in operation S530 the session-initiating host creates a session authentication tracking record for this session, inserts its own machine fingerprint into the first session packet, recalculates and rewrites the checksums in the relevant protocol headers, and sends the packet carrying the machine fingerprint to the session-receiving host. The session authentication tracking record contains the session tunnel and the session authentication state of this session; the session tunnel consists of the source IP address and source port, destination IP address and destination port, and communication protocol in the header of the first session packet, and the session authentication state is set to SEND_WAIT_AUTH (initiator waiting for authentication). If no corresponding authenticated-host record is found in operation S520, the first session packet is discarded and authentication processing ends.
According to another embodiment of the present invention, the firewall policy also comprises a no-authentication host record list. If no corresponding authenticated-host record is found in operation S520, the session-initiating host uses the destination IP address in the header of the detected first session packet to search the no-authentication host record list of its firewall policy for a matching no-authentication host record. If a matching no-authentication host record is found, the session-initiating host creates for this session a session authentication tracking record whose session authentication state is AUTH, and sends the first session packet. If no matching no-authentication host record is found, it discards the first session packet and ends host authentication processing. Note that the session-initiating host does not necessarily search the authenticated-host record list first and the no-authentication host record list second; it may also search the no-authentication host record list first and process accordingly, and then search the authenticated-host record list and process accordingly.
According to another embodiment of the present invention, the firewall policy also comprises a general host firewall policy list. Before searching the authenticated-host record list and the no-authentication host record list in operation S520, the session-initiating host searches the general host firewall policy list for a general host firewall policy matching the session tunnel of the first session packet. If a matching general host firewall policy is found and its action is "allow", it searches the authenticated-host record list and the no-authentication host record list and processes accordingly, as described above. If no matching general host firewall policy is found, or the matching policy's action is "deny", it discards the first session packet and does not perform host authentication processing.
In operation S540, after the session-receiving host detects the first session packet at the network layer, it uses the source IP address in the header of the detected first session packet to search for a corresponding record in the authenticated-host record list of its firewall policy. If a corresponding authenticated-host record is found and the machine fingerprint in that record is identical to the machine fingerprint carried in the detected first session packet, then in operation S550 the session-receiving host generates a random number identifying this session authentication, encrypts the random number with the encryption key in the authenticated-host record, constructs an authentication request packet containing the encrypted random number, and passes it to the lower layer of the network protocol stack to be sent to host A. Host B then creates for this session a session authentication tracking record containing the session tunnel, the random number and the session authentication state RECV_WAIT_AUTH (receiver waiting for authentication), removes the machine fingerprint from the first session packet, and hands the first session packet to the upper layer of the network protocol stack for processing.
In operation S540, if no corresponding authenticated-host record is found in the local firewall policy, or the machine fingerprint in the authenticated-host record found differs from the machine fingerprint carried in the detected first session packet, the session-receiving host may end authentication processing.
According to another exemplary embodiment of the present invention, the firewall policy also comprises a no-authentication host record list. If no corresponding authenticated-host record is found in the local firewall policy in operation S540, the session-receiving host uses the source IP address in the header of the first session packet to search the no-authentication host record list of its firewall policy for a matching no-authentication host record. If a matching no-authentication host record is found, the session-receiving host creates for this session a session authentication tracking record whose session authentication state is AUTH, and passes the first session packet to the upper layer of the network protocol stack for reception processing. If no matching no-authentication host record is found, it discards the first session packet and ends host authentication processing. Note that the session-receiving host does not necessarily search the authenticated-host record list first and the no-authentication host record list second; it may also search the no-authentication host record list first and process accordingly, and then search the authenticated-host record list and process accordingly.
According to another embodiment of the present invention, the firewall policy also comprises a general host firewall policy list. Before searching the authenticated-host record list and the no-authentication host record list in operation S540, the session-receiving host searches the general host firewall policy list for a general host firewall policy matching the session tunnel of the first session packet. If a matching general host firewall policy is found and its action is "allow", the session-receiving host searches the authenticated-host record list and the no-authentication host record list and carries out the corresponding authentication processing, as described above. If no matching general host firewall policy is found, or the matching policy's action is "deny", it discards the first session packet and does not perform host authentication processing.
In operation S560, after receiving the authentication request packet, the session-initiating host extracts the encrypted random number from the authentication request packet, decrypts it using its own decryption key, constructs an authentication response packet containing the decrypted random number, and passes it to the lower layer of the network protocol stack to be sent to the session-receiving host. The session-initiating host also updates the session authentication state in its session authentication tracking record to AUTH (authentication successful). Here, if the registered host initiating the session is a client, then according to another exemplary embodiment of the present invention the session-initiating host constructs and sends the authentication response packet and updates the session authentication state to AUTH only after confirming, from the special marker in the IP or TCP/UDP header of the received packet, that the packet is an authentication request packet.
At operation S570, the main frame that receives session receives said authentication and responds after the bag, responds bag from said authentication and extracts random number, and the random number in the session authentication track record of the random number of extracting and this session is compared.If two random numbers equate that then at operation S580, the main frame that receives session is updated to AUTH (authentication success) with the session authentication state in the session authentication track record.On the contrary, if two random numbers are unequal, then receive the session authentication track record of this session of main frame deletion of session.
Since then; At the main frame of initiation session and the session authentication state of the main frame that receives session all is under the situation of AUTH; Said two main frames can intercom through this session tunnel mutually, do not handle and do not need again any transmission packet in this session to be carried out any modification with the reception packet.
Said conversation request bag and session are responded bag owing to be processed in network layer at host A and host B, thus can be constructed as through original session tunnel send and reception, in TCP/UDP or IP packet header the TCP/UDP protocol package of special marking.Yet, also can for example carry out session authentication through udp protocol at the independent communication passage that is provided for the whole dialogues between two main frames are carried out authentication on host A and the host B respectively at the reservation port on the host A and another reservation port on the host B.In this case; Said conversation request bag and session are responded Bao Douxu and are comprised the session tunneling data that is used for discerning said session to be certified and use predetermined special marking to identify in the predetermined field in packet header, and are sent out and receive through said independent communication passage.
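The following is an added worked example, not code from the patent, that models the Fig. 5 handshake (operations S520 through S580) with both hosts in one process. The packet layout (a dict with a session tunnel, a kind and a payload), the host and record class names, and the cipher are assumptions: the patent only says the receiver encrypts the random number with the "encryption key" in its authenticated-host record and the initiator decrypts it with its "own decryption key", so the example uses one shared secret for both roles and an HMAC-SHA256 keystream as a stand-in cipher. The IP addresses, fingerprints and keys are constructed values.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

SEND_WAIT_AUTH, RECV_WAIT_AUTH, AUTH = "SEND_WAIT_AUTH", "RECV_WAIT_AUTH", "AUTH"


def encrypt_nonce(key: bytes, nonce: bytes) -> bytes:
    # Stand-in cipher (assumption): the patent only names an "encryption key" in the
    # peer's record and the host's "own decryption key"; here both are one shared
    # 32-byte secret and the nonce is masked with an HMAC-SHA256 keystream over a
    # fresh IV. A deployment would use a vetted cipher or public-key scheme instead.
    iv = secrets.token_bytes(16)
    stream = hmac.new(key, iv, hashlib.sha256).digest()[:len(nonce)]
    return iv + bytes(a ^ b for a, b in zip(nonce, stream))


def decrypt_nonce(key: bytes, blob: bytes) -> bytes:
    iv, ct = blob[:16], blob[16:]
    stream = hmac.new(key, iv, hashlib.sha256).digest()[:len(ct)]
    return bytes(a ^ b for a, b in zip(ct, stream))


@dataclass
class AuthHostRecord:   # one entry of the authenticated-host list
    ip: str
    fingerprint: bytes
    enc_key: bytes


@dataclass
class TrackRecord:      # session authentication tracking record
    tunnel: tuple
    state: str
    nonce: bytes = b""


def reverse(t):         # (src_ip, sport, dst_ip, dport, proto) as seen from the other end
    return (t[2], t[3], t[0], t[1], t[4])


class Host:
    def __init__(self, ip, fingerprint, dec_key, records):
        self.ip, self.fingerprint, self.dec_key = ip, fingerprint, dec_key
        self.records = {r.ip: r for r in records}
        self.sessions = {}                 # local-first tunnel -> TrackRecord
        self.outbox, self.upper = [], []   # to lower layers / to upper layers

    def send(self, pkt):    # S520/S530 on the initiating host
        t = pkt["tunnel"]
        rec = self.sessions.get(t)
        if rec and rec.state == AUTH:      # already authenticated: pass straight through
            self.outbox.append(pkt)
        elif rec is None and t[2] in self.records:   # first packet to a registered host
            self.sessions[t] = TrackRecord(t, SEND_WAIT_AUTH)
            self.outbox.append(dict(pkt, fingerprint=self.fingerprint))   # S530
        # otherwise: unknown destination (drop) or handshake pending (leave untouched)

    def receive(self, pkt): # S540-S580 on the receiver, S560 on the initiator
        t = pkt["tunnel"]
        key = reverse(t)
        rec = self.sessions.get(key)
        if rec is None:                    # S540: first packet of an unknown session
            peer = self.records.get(t[0])
            fp = pkt.get("fingerprint") or b""
            if peer is None or not hmac.compare_digest(fp, peer.fingerprint):
                return                     # no record or fingerprint mismatch: drop
            nonce = secrets.token_bytes(16)   # S550
            self.sessions[key] = TrackRecord(key, RECV_WAIT_AUTH, nonce)
            self.outbox.append({"tunnel": key, "kind": "auth_req",
                                "payload": encrypt_nonce(peer.enc_key, nonce)})
            self.upper.append(dict(pkt, fingerprint=None))   # fingerprint stripped
        elif rec.state == AUTH:
            self.upper.append(pkt)
        elif rec.state == SEND_WAIT_AUTH and pkt["kind"] == "auth_req":   # S560
            plain = decrypt_nonce(self.dec_key, pkt["payload"])
            self.outbox.append({"tunnel": key, "kind": "auth_resp", "payload": plain})
            rec.state = AUTH
        elif rec.state == RECV_WAIT_AUTH and pkt["kind"] == "auth_resp":  # S570/S580
            if hmac.compare_digest(pkt["payload"], rec.nonce):
                rec.state = AUTH
            else:
                del self.sessions[key]     # wrong answer: forget the session
        # any other packet while a handshake is pending is ignored (assumption)


def pump(src, dst):
    """Move everything src handed to its lower layers into dst's network layer."""
    while src.outbox:
        dst.receive(src.outbox.pop(0))


def run_handshake(a_has_right_key=True):
    """Return (state on A, state on B, payloads B delivered upward) for one session."""
    fp_a, fp_b = b"fingerprint-of-A", b"fingerprint-of-B"   # constructed values
    k_a, k_b = secrets.token_bytes(32), secrets.token_bytes(32)
    a_key = k_a if a_has_right_key else secrets.token_bytes(32)
    a = Host("10.0.0.1", fp_a, a_key, [AuthHostRecord("10.0.0.2", fp_b, k_b)])
    b = Host("10.0.0.2", fp_b, k_b, [AuthHostRecord("10.0.0.1", fp_a, k_a)])
    tunnel = ("10.0.0.1", 40000, "10.0.0.2", 80, "tcp")
    a.send({"tunnel": tunnel, "kind": "data", "payload": b"SYN"})
    pump(a, b)   # first session packet (with fingerprint) -> B; B issues auth_req
    pump(b, a)   # auth_req -> A; A decrypts the nonce and answers
    pump(a, b)   # auth_resp -> B; B compares nonces
    rec_b = b.sessions.get(reverse(tunnel))
    return (a.sessions[tunnel].state, rec_b.state if rec_b else None,
            [p["payload"] for p in b.upper])
```

Running `run_handshake()` ends with both hosts in AUTH. Running it with a wrong key on A shows a property of the protocol as the patent describes it: the initiator moves to AUTH as soon as it answers, while the receiver deletes its tracking record on the nonce mismatch, and the first session packet was already handed to B's upper layers before the answer arrived.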
Fig. 6A and Fig. 6B are flow charts of the data packet sending method and the data packet receiving method of a host that uses the host authentication method of Fig. 5. The packets involved are assumed to be TCP/UDP packets sent and received within the scope of a network system (such as a local area network (LAN)) that uses the host authentication method of the present invention.
Referring to Fig. 6A, at operation S6005 a host registered with the host registration method proposed by the present invention detects, in the network layer, a packet to be sent from the upper layers, such as a TCP or UDP send packet.
First, at operation S6010, the registered host determines whether the session identified by the source IP address, source port, destination IP address, destination port and communication protocol in the header of this send packet has been successfully authenticated, that is, whether a session authentication tracking record for this session exists and the session authentication state in that record is AUTH (authentication success). If the registered host determines that this session has been successfully authenticated, it proceeds to operation S6060 and passes the send packet to the lower layers of the network protocol stack for sending.
If at operation S6010 the registered host determines that this session has not yet been successfully authenticated (there is no session authentication tracking record for this session, or the session authentication state in the record is not AUTH), then at operation S6020 the registered host determines whether this is a first-time session, that is, whether no session authentication tracking record exists for this session. If it determines that this is a first-time session, then at operation S6030 the registered host searches the list of authenticated-host records in the local firewall policy for the authenticated-host record identified by the destination IP address in the header of the send packet. If the corresponding authenticated-host record is found, then at operation S6040 the registered host establishes for this session a session authentication tracking record containing the session tunnel and the session authentication state, where the session tunnel is the source IP address, source port, destination IP address, destination port and communication protocol in the header of the send packet, and the session authentication state is set to SEND_WAIT_AUTH (initiator waiting for authentication). Then, at operation S6050, the registered host inserts the machine fingerprint of the local machine at a predetermined position in the send packet and performs the necessary checksum recomputation on the TCP/UDP header and the IP header. At operation S6060, the TCP/UDP packet carrying the machine fingerprint is passed to the lower layers of the network protocol stack for send processing.
If at operation S6020 the registered host determines that this is not a first-time session (that is, a session authentication tracking record for this session already exists but its session authentication state is not AUTH), the detected send packet is left unprocessed and the data packet sending method according to the exemplary embodiment of the present invention ends.
According to an exemplary embodiment of the present invention, if at operation S6030 the registered host determines that the authenticated-host record identified by the destination IP address in the header of the send packet is not found in the local firewall policy, this indicates that the host at the destination IP address is not a registered host and the session authentication fails; the detected send packet is therefore left unprocessed and the data packet sending method according to the exemplary embodiment of the present invention ends. According to another exemplary embodiment of the present invention, the firewall policy further comprises a list of no-authentication host records; if at operation S6030 the authenticated-host record identified by the destination IP address in the header of the send packet is not found in the local firewall policy, the registered host uses the destination IP address in the header of the send packet to search the list of no-authentication host records in its firewall policy for a matching no-authentication host record. If a matching no-authentication host record is found, the registered host establishes for this session a session authentication tracking record whose session authentication state is AUTH, and passes the send packet to the lower layers of the network protocol stack for send processing. If no matching no-authentication host record is found, the send packet is discarded and the packet sending processing ends.
According to another embodiment of the present invention, the firewall policy further comprises a list of general host firewall policies. Before searching the list of authenticated-host records and the list of no-authentication host records at operation S6030, the registered host searches the list of general host firewall policies for a general host firewall policy matching the session tunnel of the send packet. If a matching general host firewall policy is found and its action policy is "allow", then, as described above, the list of authenticated-host records and the list of no-authentication host records are searched and processed accordingly. If no matching general host firewall policy is found, or its action policy is "deny", the send packet is discarded and the sending processing of the send packet ends.
It can thus be seen that with the data packet sending method of the present invention, a session can be authenticated once on the registered host when the session is established; once authentication succeeds, the session packets between the registered hosts at the two ends of the session tunnel pass directly through the network layer without any further related processing.
According to the data packet sending method of the present invention, authentication processing can be skipped for trusted hosts within a predetermined IP address segment, so that a registered host and such trusted hosts can converse freely. Authentication processing with different degrees of trust can therefore be applied to different hosts according to different authentication requirements, improving the security and flexibility of communication in the local area network (LAN).
The data packet receiving method performed on a registered host according to an exemplary embodiment of the present invention is now described in detail with reference to Fig. 6B. At operation S6105, the registered host obtains a received packet, such as a received TCP or UDP packet, from the lower layers of the network protocol stack.
At operation S6110, the registered host determines whether a session authentication tracking record exists for the session identified by the destination IP address, destination port, source IP address, source port and communication protocol in the header of this received packet. If a session authentication tracking record exists, then at operation S6120 it further determines whether the session authentication state in that record is AUTH (authentication success). If it is AUTH, the registered host has already successfully authenticated this session, so it proceeds to operation S6130 and passes the received packet to the upper layers of the network protocol stack for receive processing.
On the other hand, if at operation S6110 it determines that no session tracking record exists, then at operation S6112 the registered host searches the list of authenticated-host records in the local firewall policy for the authenticated-host record identified by the source IP address in the header of the received packet.
If the corresponding authenticated-host record is found, then at operation S6113 the registered host extracts the machine fingerprint from the predetermined position in the received packet, and at operation S6114 compares the machine fingerprint in the authenticated-host record with the extracted machine fingerprint. If the two are identical, then at operation S6116 the registered host generates a random number identifying this session authentication, encrypts the random number with the encryption key in the authenticated-host record, builds an authentication request packet containing the encrypted random number, and passes it to the lower layers of the network protocol stack for send processing. The source IP address and source port in the header of the received packet become the destination IP address and destination port in the header of the authentication request packet; likewise, the destination IP address and destination port in the header of the received packet become the source IP address and source port in the header of the authentication request packet, and the communication protocol in the header of the authentication request packet can be the protocol number in the header of the received packet.
Then, at operation S6118, the registered host establishes for this session a session authentication tracking record containing the session tunnel, the generated random number and the session authentication state, where the session tunnel is the destination IP address, destination port, source IP address, source port and communication protocol in the header of the received packet, and the session authentication state is set to RECV_WAIT_AUTH (receiver waiting for authentication).
At operation S6119, the registered host removes the machine fingerprint carried in the received packet and performs the necessary checksum recomputation, then proceeds to operation S6130 and passes the received packet to the upper layers of the network protocol stack for receive processing.
Returning to operation S6120, if the session authentication state in the session authentication tracking record is determined not to be AUTH, then at operation S6121 the registered host determines whether the session authentication state is SEND_WAIT_AUTH. If it is SEND_WAIT_AUTH, then at operation S6122 the registered host extracts the encrypted random number from the received packet and decrypts it with the host's own decryption key. At operation S6123 it creates an authentication response packet containing the decrypted random number and passes it to the lower layers of the network protocol stack for sending. The source IP address and source port in the header of the received packet become the destination IP address and destination port in the header of the authentication response packet; likewise, the destination IP address and destination port in the header of the received packet become the source IP address and source port in the header of the authentication response packet, and the communication protocol in the header of the authentication response packet can be the protocol number in the header of the received packet. In addition, according to another exemplary embodiment of the present invention, if this registered host is a client computer, it performs operation S6122 only after confirming, from a special mark in the received packet, that the received packet is an authentication request packet. It then proceeds to operation S6127, where the registered host updates the session authentication state in the session authentication tracking record to AUTH and ends the packet receiving processing.
On the other hand, if at operation S6121 the session authentication state is determined not to be SEND_WAIT_AUTH, then at operation S6124 it is determined whether the session authentication state is RECV_WAIT_AUTH. If it is RECV_WAIT_AUTH, then at operation S6125 the registered host extracts the random number from the predetermined position in the received packet, and at operation S6126 compares the extracted random number with the random number in the session authentication tracking record. If the two are identical, then at operation S6127 the registered host updates the session authentication state in the session authentication tracking record to AUTH and ends the packet receiving processing. If the two random numbers differ, then at operation S6128 the registered host deletes the current session authentication tracking record and ends the packet receiving processing.
According to another exemplary embodiment of the present invention, the firewall policy of the registered host further comprises a list of no-authentication host records. If at operation S6112 the authenticated-host record identified by the source IP address in the header of the received packet is not found in the local firewall policy, the registered host uses the source IP address in the header of the received packet to search the list of no-authentication host records in its firewall policy for a matching no-authentication host record. If a matching no-authentication host record is found, the registered host establishes for this session a session authentication tracking record whose session authentication state is AUTH, and passes the received packet to the upper layers of the network protocol stack for receive processing. If no matching no-authentication host record is found, the received packet is discarded and the packet receiving processing ends.
According to another embodiment of the present invention, the firewall policy further comprises a list of general host firewall policies. At operation S6112, before searching the list of authenticated-host records and the list of no-authentication host records, the registered host searches the list of general host firewall policies for a general host firewall policy matching the session tunnel of the received packet. If a matching general host firewall policy is found and its action policy is "allow", then, as described above, the list of authenticated-host records and the list of no-authentication host records are searched and processed accordingly. If no matching general host firewall policy is found, or its action policy is "deny", the received packet is discarded and the receiving processing of the received packet ends.
According to the above exemplary embodiment, with the data packet receiving method of the present invention, authentication processing can be skipped for trusted hosts at predetermined IP addresses in the network, so that a registered host and such trusted hosts can converse freely. Authentication processing with different degrees of trust can therefore be applied to different hosts according to different authentication requirements, improving the security and flexibility of communication in the local area network (LAN).
In the exemplary embodiment shown in Fig. 6A and Fig. 6B, because the session request packet and the session response packet are processed in the network layer of each registered host, they can be constructed as TCP/UDP protocol packets that are sent and received through the original session tunnel and carry a special mark in the TCP/UDP or IP header. Alternatively, each registered host can be provided with a separate communication channel for authenticating all sessions between it and the other registered hosts in the network, for example a reserved port on the first registered host and another reserved port on the second registered host through which all session authentications between the two registered hosts are carried out over the UDP protocol. In this case, the session request packet and the session response packet must both contain the session tunnel identifying the session to be authenticated, be identified by a predetermined special mark in a predetermined field of the packet header, and be sent and received through the separate communication channel.
In the host authentication method proposed by the present invention, when searching the firewall policy, the list of authenticated-host records may be searched first, or the list of general host firewall policies may be searched first; the method is not limited to the execution sequence shown in Fig. 5, Fig. 6A and Fig. 6B.
In addition, according to another exemplary embodiment of the present invention, when the host firewall policy includes the list of general host firewall policies and the action policy item of a general host firewall policy includes at least one of "redirect" and "sticky processing", the corresponding policy processing is performed at the point marked "A" in Fig. 5 and Fig. 6B. For example, at point "A", the registered host receiving the session has not found the authenticated-host record of the host initiating the session in its firewall policy but has found a general host firewall policy corresponding to the session, and the action policy in that general host firewall policy is "redirect" or "sticky processing". At this time, the registered host receiving the session establishes a session authentication tracking record whose session authentication state is AUTH, and can perform an operation such as redirection or sticky processing according to the policy type in the corresponding record of the general host firewall policy.
If the operation is a redirect operation, the registered host records the redirect IP address and redirect port in the session authentication tracking record and modifies the received packet (the source IP address and source port are changed to the host's own IP address and the destination port number of the received packet, and the destination IP address and destination port are changed to the redirect IP address and redirect port number), then passes the modified packet to the lower layers of the network protocol stack for sending. Packets coming from the redirect address and port are handled by the registered host in the same way, rebuilding them so that they go from the local host to the host initiating the session (usually an unregistered host).
If the operation is sticky processing, the registered host rebuilds a TCP SYN/ACK response packet for the TCP packet, with its window set to a small value (such as 10), and passes the rebuilt packet to the lower layers of the network protocol stack to be sent to the host initiating the session (usually an unregistered host). The intention is to indicate to the client at the other side that the local host does not have enough space to store the other side's packets. Whenever a further packet is received from the other end of this session tunnel, the above operation of rebuilding a response packet and sending it back is repeated.
The host authentication and packet receiving processing of the host identity verification agent 210 arranged in a hardware firewall is now described in detail. In this network setting, the host identity verification agent 210 does not authenticate sessions in the direction from hosts inside the firewall to hosts outside the firewall, so the firewall policy needs corresponding settings for session communication in this direction.
For sessions from hosts outside the hardware firewall to hosts inside the firewall, the host identity verification agent 210, when searching the firewall policy, first searches the firewall policy of the destination host. If a corresponding firewall policy exists, the host identity verification agent 210 uses the source IP address of the received packet to search for the corresponding authenticated-host record, and searches the list of general host firewall policies for the general host firewall policy matching the session tunnel of the received packet. The firewall policy searched by the host identity verification agent 210 therefore differs from the one searched by the client control agent 120 and the server control agent 110 in Fig. 1. In addition, the session authentication state SEND_WAIT_AUTH does not exist in the host authentication method and data packet receiving method processing of the host identity verification agent 210. Apart from this, the host authentication and packet receiving processing is essentially the same as that shown in Fig. 5 and Fig. 6B.
In addition, according to the host authentication method, data packet sending method and data packet receiving method of the present invention, when an authenticated session tunnel has had no packet sending/receiving activity within a predetermined time, or has been disconnected for a predetermined time (as with a TCP connection), the session authentication tracking record of the session can be deleted. According to another exemplary embodiment of the present invention, the two registered hosts of a session exchange a predetermined session liveness test packet at a predetermined period; if a predetermined number of session liveness test packets receive no response, the session is determined to have terminated and the session authentication tracking record is deleted.
The firewall policy containing authenticated-host records and/or no-authentication host records according to the present invention is not limited to the data structures given in the exemplary embodiments of the present invention; other structures can also be adopted. For example, a packet direction can be added to the authenticated-host records and/or no-authentication host records, the packet direction being one of: packet sending, packet receiving, and packet sending and receiving. An authenticated-host record whose packet direction is packet sending need not contain a machine fingerprint or an encryption key. In this case, when the registered host initiating the session searches the firewall policy to determine whether to perform authentication (that is, at operations S520 and S6030), it searches for the authenticated-host record and/or no-authentication host record whose IP address matches the destination IP address in the header of the packet being processed and whose packet direction is packet sending or packet sending and receiving; when the registered host receiving the session searches the firewall policy to determine whether to perform authentication (that is, at operations S540 and S6112), it searches for the authenticated-host record and/or no-authentication host record whose IP address matches the source IP address in the header of the packet being processed and whose packet direction is packet receiving or packet sending and receiving. The other operations in Fig. 5, Fig. 6A and Fig. 6B are essentially the same.
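The following is an added example, not the patent's own data structure or code, that puts the firewall-policy search order described for operations S540, S6030 and S6112 (general host firewall policy list, then authenticated-host records, then no-authentication host records), the redirect/sticky action at point "A", and the packet-direction extension above into one lookup function. Class names, field names, the CIDR notation used for the netmask, and the rule that a peer with an authenticated-host record is always authenticated even when the matching general policy says "redirect" or "sticky" are assumptions; the addresses in `demo_policy` are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

SEND, RECV, BOTH = "send", "recv", "send+recv"   # packet-direction values


@dataclass
class GeneralPolicy:          # general host firewall policy: tunnel match + action
    src_net: str              # e.g. "192.168.1.0/24"; "0.0.0.0/0" matches anything
    dst_port: Optional[int]   # None = any destination port
    proto: Optional[str]      # None = any protocol
    action: str               # "allow" | "deny" | "redirect" | "sticky"
    redirect_to: tuple = ()   # (ip, port) when action == "redirect"

    def matches(self, tunnel):
        src_ip, _, _, dport, proto = tunnel
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src_net)
                and self.dst_port in (None, dport) and self.proto in (None, proto))


@dataclass
class AuthHostRecord:         # authenticated-host record with a packet-direction field
    ip: str
    direction: str
    fingerprint: Optional[bytes] = None   # absent for send-only records
    enc_key: Optional[bytes] = None


@dataclass
class NoAuthRecord:           # no-authentication host record: IP address + netmask
    network: str              # e.g. "10.10.0.0/16"
    direction: str = BOTH


@dataclass
class FirewallPolicy:
    general: list
    auth_hosts: list
    no_auth: list


def direction_ok(record_dir, wanted):
    return record_dir == BOTH or record_dir == wanted


def evaluate(policy, tunnel, direction):
    """Decide what the network layer does with the first packet of a session.

    tunnel is (src_ip, sport, dst_ip, dport, proto) from the packet header.
    direction is SEND on the initiating host (peer = dst_ip) or RECV on the
    receiving host (peer = src_ip). Returns (decision, detail)."""
    peer_ip = tunnel[2] if direction == SEND else tunnel[0]
    # 1. general host firewall policy list: the tunnel must be admitted at all
    gp = next((g for g in policy.general if g.matches(tunnel)), None)
    if gp is None or gp.action == "deny":
        return ("drop", None)
    # 2. authenticated-host record for the peer, filtered by packet direction
    rec = next((r for r in policy.auth_hosts
                if r.ip == peer_ip and direction_ok(r.direction, direction)), None)
    if rec is not None:
        return ("authenticate", rec)   # run the fingerprint/random-number handshake
    # 3. point "A": no record, but the general policy asks for redirect/sticky
    #    (assumption: applied on the receiving side only, as the text describes)
    if direction == RECV and gp.action in ("redirect", "sticky"):
        return (gp.action, gp.redirect_to or None)
    # 4. no-authentication list: trusted subnet, session goes straight to AUTH
    for n in policy.no_auth:
        if (direction_ok(n.direction, direction)
                and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(n.network)):
            return ("pass", n)
    return ("drop", None)


def demo_policy():
    # Constructed policy for a host at 192.168.1.10: one authenticated peer that may
    # talk in both directions, one send-only peer, a trusted management subnet, and
    # sticky processing for unknown LAN hosts that open port 22.
    return FirewallPolicy(
        general=[GeneralPolicy("192.168.1.0/24", 22, "tcp", "sticky"),
                 GeneralPolicy("0.0.0.0/0", None, None, "allow")],
        auth_hosts=[AuthHostRecord("192.168.1.20", BOTH, b"fp-20", b"k-20"),
                    AuthHostRecord("192.168.1.30", SEND)],
        no_auth=[NoAuthRecord("10.10.0.0/16")],
    )
```

With `demo_policy()`, a first packet from 192.168.1.20 to port 22 is authenticated because a record exists, the same packet from an unknown LAN address gets sticky processing, an inbound session from the send-only peer 192.168.1.30 is dropped because its record does not cover the receive direction, and an inbound session from 10.10.0.0/16 passes without authentication.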
It can thus be seen that according to the host authentication method of the present invention, a session of a registered host in the network can be authenticated once, and after authentication passes the packets of the session undergo no further special processing. In this way only sessions between registered hosts (clients or servers) are allowed and sessions connecting to unregistered hosts are refused, which improves network security while effectively authenticating the sessions between hosts. On this basis, through hierarchical firewall settings, some highly trusted hosts can also be allowed to access hosts in the network without authentication, making host authentication more flexible.
Although specific embodiments of the present invention have been shown and described, the invention is not limited to the embodiments described. On the contrary, those skilled in the art should understand that changes may be made to these embodiments without departing from the principle and spirit of the present invention, the scope of which is defined by the appended claims and their equivalents.

Claims (29)

1. the host authentication method in the network system; In said network system, comprise at least one registration main frame; For said at least one the registration main frame each firewall policy is set in advance; Said firewall policy comprises the tabulation of authenticating host record, and said authenticating host writes down said another of IP address, encryption key and sign of another registration main frame that comprises that permission and said registration main frame intercom mutually and registers the machine fingerprint of the physical features of main frame, and said host authentication method comprises:
When attempting as first main frame of said at least one registration one of main frame when setting up session connection as second main frame of one of said at least one registration main frame,
A) in the network layer, the first host searches its local firewall policy for the authenticating host record of the second host; if the authenticating host record of the second host is found, the first host inserts its own machine fingerprint into the TCP or UDP session connection packet used to initiate the session, sends the session connection packet to the second host, and establishes for the session connection a first session authentication track record comprising the session tuple of the session connection and a session authentication state of "initiator waiting for authentication";
B) after receiving the session connection packet, the second host searches its local firewall policy for the authenticating host record of the first host; if the authenticating host record of the first host is found and the machine fingerprint in that record is identical to the machine fingerprint carried in the session connection packet, the second host generates a random number identifying this session authentication, establishes a second session authentication track record comprising the session tuple of the session connection, the random number and a session authentication state of "recipient waiting for authentication", encrypts the random number with the encryption key in the authenticating host record of the first host, constructs an authentication request packet comprising the encrypted random number, and sends the authentication request packet to the first host; it then removes the carried machine fingerprint from the session connection packet and hands the session connection packet to the upper layer of the protocol stack for processing;
C) after receiving the authentication request packet from the second host, the first host extracts the encrypted random number from the authentication request packet, decrypts the encrypted random number with the first host's own decryption key, constructs an authentication response packet comprising the decrypted random number, sends the authentication response packet to the second host, and sets the session authentication state in the first session authentication track record to "authentication success"; and
D) after receiving the authentication response packet from the first host, the second host compares the decrypted random number extracted from the authentication response packet with the random number stored in the second session authentication track record corresponding to the session; if the two random numbers are equal, the session authentication state in the second session authentication track record is set to "authentication success"; if the two random numbers are unequal, the second session authentication track record is deleted.
2. The host authentication method of claim 1, wherein the session tuple in the session authentication track record comprises the source IP address, source port, target IP address, target port and protocol type of the session.
3. The host authentication method of claim 2, wherein
if in step a) the first host does not find in its local firewall policy the authenticating host record of the second host identified by the target IP address of the session connection packet, it discards the session connection packet and ends the host authentication processing; and
if in step b) the second host does not find in its local firewall policy the authenticating host record of the first host identified by the source IP address of the session connection packet, it discards the session connection packet and ends the host authentication processing.
4. The host authentication method of claim 2, wherein the firewall policy further comprises a list of no-authentication host records, each no-authentication host record defining the registered hosts in a subnet segment that requires no authentication and comprising an IP address and a netmask.
5. The host authentication method of claim 4, wherein
if in step a) the first host does not find the authenticating host record of the second host identified by the target IP address of the session connection packet, the first host searches the list of no-authentication host records of its firewall policy for a no-authentication host record matching the target IP address in the header of the session connection packet; if a matching no-authentication host record is found, it establishes for the session a first session authentication track record with a session authentication state of "authentication success", sends the session connection packet and ends the host authentication processing; if no matching no-authentication host record is found, it discards the session connection packet and ends the host authentication processing;
if in step b) the second host does not find the authenticating host record of the first host identified by the source IP address of the session connection packet, the second host searches the list of no-authentication host records of its firewall policy for a no-authentication host record matching the source IP address in the header of the session connection packet; if a matching no-authentication host record is found, it establishes for the session a second session authentication track record with a session authentication state of "authentication success", sends the session connection packet and ends the host authentication processing; if no matching no-authentication host record is found, it discards the session connection packet and ends the host authentication processing.
6. The host authentication method of claim 4, wherein the firewall policy further comprises a list of one or more host general firewall policies, each used to apply policy processing to communication from predetermined ports on hosts in a first predetermined network segment to predetermined ports on hosts in a second predetermined network segment; each host general firewall policy comprises a source IP address, a source network mask, a target IP address, a target network mask, a source port number range, a target port number range, a protocol type and an action policy, the action policy being either to allow the packet through or to deny the packet.
7. The host authentication method of claim 6, wherein
in step a), before searching the list of authenticating host records and the list of no-authentication host records, the first host searches the list of host general firewall policies for a host general firewall policy matching the session tuple of the session connection packet; if a matching host general firewall policy is found and its action policy is to allow the packet through, the first host goes on to search the list of authenticating host records and the list of no-authentication host records and processes accordingly; if no matching host general firewall policy is found, or its action policy is to deny the packet, the session connection packet is discarded and no host authentication processing is performed; and
in step b), before searching the list of authenticating host records and the list of no-authentication host records, the second host searches the list of host general firewall policies for a host general firewall policy matching the session tuple of the session connection packet; if a matching host general firewall policy is found and its action policy is to allow the packet through, the second host goes on to search the list of authenticating host records and the list of no-authentication host records and performs the corresponding authentication processing; if no matching host general firewall policy is found, or its action policy is to deny the packet, the session connection packet is discarded and no host authentication processing is performed.
8. The host authentication method of any one of claims 1 to 7, wherein when the first host or the second host is a server located inside a hardware firewall, the first host or the second host downloads the firewall policy configured for it at startup from a policy control center located inside the same hardware firewall.
9. The host authentication method of any one of claims 1 to 7, wherein the second host is a hardware firewall; the hardware firewall downloads the firewall policies of all registered hosts located inside the firewall from the policy control center inside the hardware firewall; and in step b), the hardware firewall first uses the target IP address of the received session connection packet to search for the corresponding firewall policy; if a corresponding firewall policy exists, it continues the authentication processing with the firewall policy found; if no corresponding firewall policy is found, it discards the session connection packet and ends the host authentication processing.
10. The host authentication method of claim 2, wherein the session authentication track record is deleted when the session connection is closed or when no data is communicated over the session connection for a certain lifetime period.
11. The host authentication method of claim 2, wherein the session request packet and the session response packet are respectively sent and received through the predetermined session tuple between the first host and the second host.
12. A data packet sending method in a registered host of a network, wherein a firewall policy is preset for each of at least one registered host, the firewall policy comprising a list of authenticating host records, each authenticating host record comprising the IP address of another registered host allowed to communicate with the registered host, an encryption key, and a machine fingerprint identifying the physical features of that other registered host, the following data packet sending method being performed in the registered host:
obtaining a TCP or UDP send packet from the upper layer of the network protocol stack;
determining whether a session authentication track record has been established for the session tuple indicated by the header of the send packet;
if the session authentication track record exists and its session authentication state is "authentication success", passing the send packet to the lower layer of the network protocol stack and ending the data packet sending processing;
if the session authentication track record does not exist, determining whether an authenticating host record for the target IP address in the header of the send packet exists in the local firewall policy; and
if the authenticating host record exists, establishing for the session a session authentication track record comprising the session tuple and a session authentication state of "initiator waiting for authentication", inserting the local machine fingerprint at a predetermined position in the send packet, and then passing the send packet to the lower layer of the network protocol stack for sending.
13. The data packet sending method of claim 12, wherein the session tuple is the source IP address, source port, target IP address, target port and communication protocol in the header of the send packet.
14. The data packet sending method of claim 13, wherein if the authenticating host record for the target IP address in the header of the send packet is not found in the local firewall policy, the send packet is discarded and the data packet sending processing ends.
15. The data packet sending method of claim 13, wherein the firewall policy further comprises a list of no-authentication host records, each no-authentication host record defining the registered hosts in a subnet segment that requires no authentication and comprising an IP address and a netmask.
16. The data packet sending method of claim 15, wherein if the registered host does not find in its local firewall policy the authenticating host record identified by the target IP address in the header of the send packet, the registered host uses the target IP address in the header of the send packet to search the list of no-authentication host records of its firewall policy for a matching no-authentication host record;
if a matching no-authentication host record is found, the registered host establishes for the session a session authentication track record with a session authentication state of "authentication success" and passes the send packet to the lower layer of the network protocol stack for sending;
if no matching no-authentication host record is found, the registered host discards the send packet and ends the data packet sending processing.
17. The data packet sending method of claim 15, wherein the firewall policy further comprises a list of one or more host general firewall policies, each used to apply policy processing to communication from predetermined ports on hosts in a first predetermined network segment to predetermined ports on hosts in a second predetermined network segment; each host general firewall policy comprises a source IP address, a source network mask, a target IP address, a target network mask, a source port number range, a target port number range, a protocol type and an action policy, the action policy being either to allow the packet through or to deny the packet.
18. The data packet sending method of claim 17, wherein before searching the list of authenticating host records and the list of no-authentication host records, the registered host searches the list of host general firewall policies for a host general firewall policy matching the session tuple of the send packet;
if a matching host general firewall policy is found and its action policy is to allow the packet through, the registered host goes on to search the list of authenticating host records and the list of no-authentication host records and processes accordingly;
if no matching host general firewall policy is found, or its action policy is to deny the packet, the send packet is discarded and the sending processing of the send packet ends.
19. The data packet sending method of any one of claims 12 to 18, wherein when the registered host is a server located inside a hardware firewall, the server downloads the firewall policy configured for it at startup from a policy control center located inside the same hardware firewall.
20. The data packet sending method of any one of claims 12 to 18, wherein the session authentication track record of the session is deleted when the session connection is closed or when no data is communicated over the session connection for a certain lifetime period.
21. A data packet receiving method in a registered host of a network, wherein a firewall policy is preset for each of at least one registered host, the firewall policy comprising a list of authenticating host records, each authenticating host record comprising the IP address of another registered host allowed to communicate with the registered host, an encryption key, and a machine fingerprint identifying the physical features of that other registered host, the following data packet receiving method being performed in the registered host:
obtaining a TCP or UDP receive packet from the lower layer of the network protocol stack;
determining whether a session authentication track record exists for the session tuple indicated by the header of the receive packet;
if no session authentication track record exists, searching the list of authenticating host records of the local firewall policy for the authenticating host record identified by the source IP address in the header of the receive packet; if the authenticating host record is found, extracting the machine fingerprint from the predetermined position in the receive packet and comparing the machine fingerprint in the authenticating host record with the extracted machine fingerprint;
if the two machine fingerprints are identical, generating a random number identifying this session authentication, encrypting the random number with the encryption key in the authenticating host record, constructing an authentication request packet comprising the encrypted random number and passing it to the lower layer of the network protocol stack for sending, establishing a session authentication track record comprising the session tuple, the generated random number and a session authentication state of "recipient waiting for authentication", removing the machine fingerprint from the receive packet, passing the receive packet to the upper layer of the network protocol stack for receive processing, and then ending the data packet receive processing, wherein the source IP address and source port in the header of the receive packet are used respectively as the target IP address and target port in the header of the authentication request packet, the target IP address and target port in the header of the receive packet are used respectively as the source IP address and source port in the header of the authentication request packet, and the communication protocol in the header of the authentication request packet is the protocol number in the header of the receive packet;
if the session authentication track record is found, determining whether the session authentication state in that session authentication track record is "authentication success"; if it is "authentication success", passing the receive packet to the upper layer of the network protocol stack for receive processing and then ending the receive processing of the receive packet;
but if the session authentication track record is found and its session authentication state is not "authentication success", determining whether the session authentication state is "initiator waiting for authentication" or "recipient waiting for authentication",
if the session authentication state is "initiator waiting for authentication", extracting the encrypted random number from the receive packet, decrypting the encrypted random number with the registered host's own decryption key, creating an authentication response packet comprising the decrypted random number and passing it to the lower layer of the network protocol stack for sending, wherein the source IP address and source port in the header of the receive packet are used respectively as the target IP address and target port in the header of the authentication response packet, the target IP address and target port in the header of the receive packet are likewise used respectively as the source IP address and source port in the header of the authentication response packet, and the communication protocol in the header of the authentication response packet is the protocol number in the header of the receive packet;
if the session authentication state is "recipient waiting for authentication", the registered host extracts the random number from the receive packet and compares the extracted random number with the random number in the session authentication track record; if the two are equal, the session authentication state in the session authentication track record is updated to "authentication success"; if the two are unequal, the session authentication track record is deleted.
22. The data packet receiving method of claim 21, wherein the session tuple consists of the target IP address, target port, source IP address, source port and communication protocol in the header of the receive packet.
23. The data packet receiving method of claim 22, wherein if the authenticating host record for the source IP address in the header of the receive packet is not found in the local firewall policy, the receive packet is discarded and the receive processing of the packet ends.
24. The data packet receiving method of claim 22, wherein the firewall policy further comprises a list of no-authentication host records, each no-authentication host record defining the registered hosts in a subnet segment that requires no authentication and comprising an IP address and a netmask.
25. The data packet receiving method of claim 24, wherein if the authenticating host record identified by the source IP address in the header of the receive packet is not found in the local firewall policy, the registered host uses the source IP address in the header of the receive packet to search the list of no-authentication host records of its firewall policy for a matching no-authentication host record;
if a matching no-authentication host record is found, the registered host establishes for the session a session authentication track record with a session authentication state of "authentication success" and passes the receive packet to the upper layer of the network protocol stack for receive processing; if no matching no-authentication host record is found, it discards the receive packet and ends the receive processing of the packet.
26. The data packet receiving method of claim 24, wherein the firewall policy further comprises a list of one or more host general firewall policies, each used to apply policy processing to communication from predetermined ports on hosts in a first predetermined network segment to predetermined ports on hosts in a second predetermined network segment; each host general firewall policy comprises a source IP address, a source network mask, a target IP address, a target network mask, a source port number range, a target port number range, a protocol type and an action policy, the action policy being either to allow the packet through or to deny the packet.
27. The data packet receiving method of claim 26, wherein before searching the list of authenticating host records and the list of no-authentication host records, the registered host searches the list of host general firewall policies for a host general firewall policy matching the session tuple of the receive packet; if a matching host general firewall policy is found and its action policy is to allow the packet through, it goes on to search the list of authenticating host records and the list of no-authentication host records and processes accordingly; if no matching host general firewall policy is found, or its action policy is to deny the packet, the receive packet is discarded and the receive processing of the receive packet ends.
28. The data packet receiving method of any one of claims 21 to 27, wherein when the registered host is a server located inside a hardware firewall, the server downloads the firewall policy configured for it at startup from a policy control center located inside the same hardware firewall.
29. The data packet receiving method of any one of claims 21 to 27, wherein the registered host is a hardware firewall; the hardware firewall downloads from the policy control center inside the hardware firewall the firewall policies of all registered hosts located inside the firewall, and when searching the firewall policy, the hardware firewall first uses the target IP address in the received receive packet to search for the corresponding firewall policy; if a corresponding firewall policy exists, it continues the authentication processing with the firewall policy found; if no corresponding firewall policy is found, it discards the receive packet and ends the processing.
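The four-step exchange of claim 1 and the per-packet send/receive handling of claims 12 and 21, as an added Python simulation that is not part of the patent. All class and function names (SessionTuple, AuthHostRecord, Host, run_handshake) are assumptions, and the patent's encryption of the random number is stood in for by a toy XOR keystream so that the exchange runs on the standard library.

```python
"""Simulation of steps a) to d) of claim 1 with the per-packet handling of claims 12
and 21. Added example, not the patent's own code; every name is hypothetical. The patent's
encryption of the random number (peer's key from the firewall record to encrypt, own key to
decrypt) is replaced by a self-inverse XOR-with-SHA-256 toy so both keys are the same bytes."""
import hashlib
import os
from dataclasses import dataclass, field

INITIATOR_WAITING = "initiator waiting for authentication"
RECIPIENT_WAITING = "recipient waiting for authentication"
AUTHENTICATED = "authentication success"

@dataclass(frozen=True)
class SessionTuple:  # claim 2: source IP/port, target IP/port, protocol
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

    def reverse(self):
        return SessionTuple(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)

    def key(self):  # direction-independent: request/response travel opposite to the opener
        a, b = (self.src_ip, self.src_port), (self.dst_ip, self.dst_port)
        return (min(a, b), max(a, b), self.proto)

@dataclass
class AuthHostRecord:  # claim 1: the peer's encryption key and machine fingerprint
    key: bytes
    fingerprint: bytes

def toy_crypt(key, data):
    """Toy stand-in for the patent's encryption: XOR with a SHA-256 keystream."""
    return bytes(x ^ y for x, y in zip(data, hashlib.sha256(key).digest()))

@dataclass
class Host:
    fingerprint: bytes
    key: bytes
    auth_hosts: dict                              # firewall policy: peer IP -> AuthHostRecord
    sessions: dict = field(default_factory=dict)  # SessionTuple.key() -> [state, random number]
    upper: list = field(default_factory=list)     # packets handed to the protocol-stack upper layer
    wire: list = field(default_factory=list)      # packets handed to the lower layer for sending

    def send(self, pkt):  # claims 12 and 14
        t = pkt["tuple"]
        rec = self.sessions.get(t.key())
        if rec is not None and rec[0] == AUTHENTICATED:
            self.wire.append(pkt)
        elif rec is None and t.dst_ip in self.auth_hosts:  # step a): add own fingerprint
            self.sessions[t.key()] = [INITIATOR_WAITING, None]
            self.wire.append(dict(pkt, fingerprint=self.fingerprint))
        # else: no record for the target IP (claim 14) or session still pending -> dropped

    def receive(self, pkt):  # claims 1, 21 and 23
        t = pkt["tuple"]
        rec = self.sessions.get(t.key())
        if rec is None:  # step b): new session, check the peer's record and fingerprint
            peer = self.auth_hosts.get(t.src_ip)
            if peer is None or pkt.get("fingerprint") != peer.fingerprint:
                return  # no record (claim 23) or fingerprint mismatch -> drop
            nonce = os.urandom(32)  # the random number identifying this authentication
            self.sessions[t.key()] = [RECIPIENT_WAITING, nonce]
            self.wire.append({"tuple": t.reverse(), "auth_request": toy_crypt(peer.key, nonce)})
            self.upper.append({k: v for k, v in pkt.items() if k != "fingerprint"})
        elif rec[0] == AUTHENTICATED:
            self.upper.append(pkt)
        elif rec[0] == INITIATOR_WAITING and "auth_request" in pkt:  # step c)
            plain = toy_crypt(self.key, pkt["auth_request"])
            self.wire.append({"tuple": t.reverse(), "auth_response": plain})
            rec[0] = AUTHENTICATED
        elif rec[0] == RECIPIENT_WAITING and "auth_response" in pkt:  # step d)
            if pkt["auth_response"] == rec[1]:
                rec[0] = AUTHENTICATED
            else:
                del self.sessions[t.key()]  # wrong random number: discard the track record

def pump(src, dst):
    """Deliver everything src queued for the wire into dst's receive path."""
    while src.wire:
        dst.receive(src.wire.pop(0))

def run_handshake(initiator_fingerprint=b"fp-A"):
    """Constructed scenario: A opens a TCP session to B. Returns (A state, B state, B's upper-layer packets)."""
    key_a, key_b = b"key-of-A", b"key-of-B"
    a = Host(initiator_fingerprint, key_a, {"10.0.0.2": AuthHostRecord(key_b, b"fp-B")})
    b = Host(b"fp-B", key_b, {"10.0.0.1": AuthHostRecord(key_a, b"fp-A")})
    t = SessionTuple("10.0.0.1", 40000, "10.0.0.2", 443, "tcp")
    a.send({"tuple": t, "payload": b"SYN"})  # step a)
    pump(a, b)  # step b): B checks the fingerprint and issues the encrypted random number
    pump(b, a)  # step c): A decrypts it and answers
    pump(a, b)  # step d): B compares the answer with its stored random number
    return (a.sessions.get(t.key(), [None])[0], b.sessions.get(t.key(), [None])[0], b.upper)
```

Calling run_handshake() with a fingerprint that differs from the one in B's record shows the claim 3 / claim 23 path: B creates no track record and delivers nothing, while A stays in "initiator waiting for authentication".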
CN2010102211850A 2010-07-08 2010-07-08 Host authentication method, data packet transmission method and receiving method Expired - Fee Related CN101873216B (en)

Publications (2)

Publication Number Publication Date
CN101873216A CN101873216A (en) 2010-10-27
CN101873216B true CN101873216B (en) 2012-09-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C53 Correction of patent for invention or patent application
CB03 Change of inventor or designer information

Inventor after: Buri Gude

Inventor after: De Xuehong

Inventor before: Buri Gude

COR Change of bibliographic data

Free format text: CORRECT: INVENTOR; FROM: BURI GUDE TO: BURI GUDE XUEHONG DE

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120905

Termination date: 20180708