CN102118398A - Access control method, device and system - Google Patents

Access control method, device and system

Publication number: CN102118398A
Authority: CN (China)
Prior art keywords: access, address, filter, message, access control
Legal status: Granted; Expired - Fee Related
Application number: CN201110079910XA
Other languages: Chinese (zh)
Other versions: CN102118398B
Inventors: 杨鑫伟, 毕崇海
Current assignees: Beijing Star Net Ruijie Networks Co Ltd; Ruijie Networks Co Ltd
Original assignee: Beijing Star Net Ruijie Networks Co Ltd
Application filed by Beijing Star Net Ruijie Networks Co Ltd; priority to CN201110079910.XA
Classification: Data Exchanges In Wide-Area Networks

Abstract

The invention provides an access control method, device and system. The access control method includes: an authentication client obtains the address of an access filter configured with an access control list; the authentication client intercepts a network access packet sent by a user and forwards it to the access filter according to that address, so that the access filter, if it determines by checking the access control list that the destination address of the packet is a restricted access address, returns blocking information to the authentication client. The access control method, device and system realize effective and reliable access control.

Description

Access control method, apparatus and system
Technical field
The present invention relates to the field of communication technology, and in particular to an access control method, apparatus and system.
Background technology
With the development and spread of networks, the control of network access has become particularly important. Because of the local laws and policies of different countries, a gateway needs to filter a number of websites so that users cannot visit them.
In the prior art, a Domain Name System (DNS) server located in the network normally resolves the domain name of the website the user accesses and, when it finds that the domain name is a pre-configured forbidden domain name, restricts the user's access. Consequently, when a user accesses such sites through a proxy server, the DNS server's resolution of the accessed domain name is bypassed during the access, so the restriction can be circumvented, that is, the restricted website can be visited across the access restriction.
Summary of the invention
In view of the above defect, the present invention provides an access control method, apparatus and system in order to realize effective and reliable access control.
The present invention provides an access control method, comprising:
an authentication client obtains the address of an access filter configured with an access control list (ACL);
the authentication client intercepts a network access packet sent by a user and sends the packet to the access filter according to the access filter address, so that the access filter, if it determines by checking the ACL that the destination address of the packet is a restricted access address, returns blocking information to the authentication client.
According to a further aspect of the invention, an authentication client is also provided, comprising:
an access filter address acquisition module, for obtaining the address of an access filter configured with an ACL;
a packet forwarding module, for intercepting the network access packet sent by the user and sending it to the access filter according to the access filter address, so that the access filter, if it determines by checking the ACL that the destination address of the packet is a restricted access address, returns blocking information to the authentication client.
According to a further aspect of the invention, another access control method is provided, comprising:
an access filter receives a network access packet sent by a user and forwarded via an authentication client;
the access filter checks, according to its configured ACL, whether the destination address of the packet is a restricted access address; if so, it returns blocking information to the authentication client.
According to a further aspect of the invention, an access filter is also provided, comprising:
a network access packet receiving module, for receiving a network access packet sent by a user and forwarded via an authentication client;
a network access control module, for checking according to the configured ACL whether the destination address of the packet is a restricted access address and, if so, returning blocking information to the authentication client.
According to a further aspect of the invention, an access control system is also provided, comprising the authentication client of the invention, the access filter of the invention, an authentication server, and an authentication switch connected to the authentication client, the access filter and the authentication server respectively.
According to the access control method, authentication client, access filter and access control system of the present invention, because the authentication client sends every network access packet sent by the user to the access filter configured with an ACL, the access filter can check all of the user's network accesses against the ACL to confirm whether the network the user intends to visit is a restricted network and stop the access when the result is "yes". This prevents the user from circumventing the restriction by bypassing DNS to visit restricted networks, and realizes effective and reliable control of network access.
Description of drawings
Fig. 1 is an architecture diagram of a network system using the access control method of the present invention.
Fig. 2 is a flow chart of the access control method of the present invention.
Fig. 3 is an architecture diagram of another network system using the access control method of the present invention.
Fig. 4 is a flow chart of another access control method of the present invention.
Embodiment
To make the purpose, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the accompanying drawings.
Fig. 1 is an architecture diagram of a network system using the access control method of the present invention. As shown in Fig. 1, the network system comprises an authentication server (for example a RADIUS server), an authentication client, an authentication switch and an access filter. The authentication client may be authentication client software integrated on the user's terminal PC, or an independent computer placed between the user's terminal PC and the authentication switch. The authentication server, authentication client and authentication switch support a prior-art authentication protocol; the access control method of the present invention is described below taking the 802.1X authentication protocol as an example.
Fig. 2 is a flow chart of the access control method of the present invention. As shown in Fig. 2, the access control method comprises:
Step S100: the authentication client obtains the address of an access filter configured with an access control list (ACL).
The ACL contains pre-set restricted access addresses, which are configured dynamically as required and may be IP addresses or domain names uniquely corresponding to IP addresses.
Step S200: the authentication client intercepts the network access packet sent by the user and sends it to the access filter according to the access filter address, so that the access filter, if it determines by checking the ACL that the destination address of the packet is a restricted access address, returns blocking information to the authentication client.
Specifically, the authentication client may intercept the user's network access packet by any prior-art packet interception method and forward it to the access filter by any prior-art packet forwarding method. For example, the authentication client encapsulates the intercepted network access packet and sets the access filter address obtained in step S100 as the destination address of the encapsulated packet; the authentication client then sends the encapsulated packet to the access filter via the authentication switch. Correspondingly, after receiving the encapsulated packet the access filter parses it, obtains the original network access packet and extracts its destination address (for example an IP address or a domain name), i.e. the network address the user intends to visit. The access filter looks up this network address in the pre-set ACL (if the ACL stores domain names but the destination address of the packet is an IP address, the domain name corresponding to that IP address can be looked up in the list). If the ACL contains the network address, the access filter determines that the address is a restricted access address, does not forward the packet, and returns blocking information to the authentication client.
According to the access control method of the above embodiment, because the authentication client sends every network access packet sent by the user to the access filter configured with an ACL, the access filter can check all of the user's network accesses against the ACL to confirm whether the network the user intends to visit is a restricted network and stop the access when the result is "yes". This prevents the user from circumventing the restriction by bypassing DNS to visit restricted networks, and realizes effective and reliable control of network access.
Further, in the access control method of the above embodiment, the ACL is an IPv4 ACL, the access filter is an IPv6 access filter, and correspondingly the access filter is also configured with an IPv4/IPv6 address translation table.
IPv4 (Internet Protocol version 4) is currently the very widely used Internet protocol; it can operate over various underlying networks, such as point-to-point serial data links (for example PPP and SLIP) and satellite links. IPv6 (Internet Protocol version 6) is the next-generation IP protocol designed by the Internet Engineering Task Force (IETF) to replace IPv4. IPv6 has enough addresses to assign a unique IP address to every square inch of the earth, and it includes node auto-configuration technology that replaces the Dynamic Host Configuration Protocol (DHCP) and the Address Resolution Protocol (ARP), so that a new device can be connected to the network without any configuration. Most website access today uses IPv4, but with the development of IPv6 technology more and more websites deploy IPv6 networks; for example, the IPv6 network of google.com can be accessed through the address ipv6.google.com, and a user on an IPv6 network may preferentially be connected to the IPv6 network by using the address www.google.com.
In the access control method of the above embodiment, when the ACL is an IPv4 ACL it contains the IPv4 network addresses whose access is restricted, and the existing prior-art IPv4 ACL can be used. The IPv4/IPv6 address translation table configured in the IPv6 access filter stores IPv4 addresses paired with their corresponding IPv6 addresses, for example www.google.com and ipv6.google.com as a pair. When the destination address of a network access packet received by the IPv6 access filter is an IPv6 address, the filter looks up the IPv4 address corresponding to that IPv6 address in the IPv4/IPv6 address translation table and then checks whether the IPv4 ACL contains the obtained IPv4 address; if it does, the network address the user intends to visit is confirmed to be a restricted access address and the access is stopped.
According to the access control method of the above embodiment, because the access filter is configured with an IPv4 ACL and an IPv4/IPv6 address translation table, using the IPv6 access filter avoids the prior-art situation, which prior-art access control methods do not cover, in which a user escapes IPv4 access control by using an IPv6 address, and thus realizes more comprehensive and effective access control. Moreover, because the user's access to network addresses is controlled by the ACL configured in the IPv6 access filter, when the ACL is configured further, for example with different access rights for different network addresses, access control at different levels/grades for different network addresses can be realized for the user. In addition, further linkage between the authentication server and the IPv6 access filter can be established: for example, a plurality of ACLs corresponding to different user classes are configured in the IPv6 access filter and the user class corresponding to each user name or IP address is stored in the authentication server; the IPv6 access filter then obtains the current user's class from the authentication server and controls the current user's access according to the ACL corresponding to that class, thereby configuring different ACLs for different users.
Further, in the access control method of the above embodiment, the step in which the authentication client obtains the address of the access filter configured with the ACL comprises:
Step S101: the authentication client sends an authentication request packet carrying user address information to the authentication server via the authentication switch;
Step S102: the authentication server authenticates the user according to the user address information and, when the authentication passes, returns an authentication response packet carrying the access filter address to the authentication client via the authentication switch.
Specifically, when the network shown in Fig. 1 uses the 802.1X authentication protocol, the authentication server is a RADIUS server with the functions and capabilities of the authentication server in 802.1X, the authentication switch has the functions and capabilities of the network access server (NAS) in 802.1X, and the authentication client has the functions and capabilities of the authentication client in 802.1X.
When the user accesses the network, the authentication client sends an authentication request packet carrying user address information (preferably including the user's IPv4 address and IPv6 address) to the RADIUS server via the authentication switch. After receiving the authentication request packet, the RADIUS server checks according to the carried user address information whether the user is a legitimate user and, after the check passes, returns an authentication response packet carrying the access filter address to the authentication client via the switch. The access filter is connected to the RADIUS server, and the RADIUS server may obtain the address of the access filter by any prior-art address acquisition method; the access filter is for example the IPv6 access filter.
After receiving the authentication response packet, the authentication client parses it and obtains the access filter address. Preferably, after obtaining the access filter address provided by the authentication server, the authentication client also detects whether any other proxy setting (for example IPv6 proxy software) exists on the user's terminal PC; when one is detected it prompts the user to delete it and prevents the user from accessing the network until no other proxy setting is detected.
Further, in the access control method of the above embodiment, the step in which the authentication client intercepts the network access packet sent by the user and sends it to the access filter according to the access filter address comprises:
the authentication client intercepts the network access packet sent by the user and detects whether the destination address of the packet is an IPv6 address; if so, it sends the packet to the access filter (the IPv6 access filter).
Specifically, the authentication client may intercept the user's network access packet by any prior-art packet interception method and, when it finds that the destination address of the packet is an IPv6 address, send the packet to the IPv6 access filter, so that the IPv6 access filter controls the IPv6 access according to the IPv4 ACL and the IPv4/IPv6 address translation table of the above embodiment.
Specifically, the access filter may send an alarm message to the authentication server each time it finds that the user accesses a restricted access address, or may periodically send the number of illegal accesses to the authentication server, so that the authentication server records the user's illegal access behaviour and handles the user according to preset rules or as required, for example by logging the user out or forbidding the user's network access; this also provides a basis for subsequent auditing.
Although the access control method of the above embodiment has been described taking the network architecture shown in Fig. 1 as an example, those skilled in the art should understand that it can also be applied to other network architectures. Fig. 3 is an architecture diagram of another network system using the access control method of the present invention. As shown in Fig. 3, the network may comprise a plurality of authentication clients, a plurality of authentication switches, a core switch, an access filter (preferably an IPv6 access filter) and a RADIUS server. It can be seen that as long as an access filter connected to the authentication switch and the authentication server is added to the general prior-art network architecture (comprising authentication clients, switches and an authentication server), the access control method of any of the above embodiments can be realized.
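The following is an added example, not code from the patent or its assignee, that models the flow of steps S100 through S200 and the IPv6 embodiment above in Python: the authentication server hands out the filter address on successful authentication, the authentication client forwards intercepted packets to that filter, and the filter checks the destination (an IPv4 literal, a domain name, or an IPv6 literal mapped through the IPv4/IPv6 translation table) against the ACL of the user's class and raises an alarm on a block. All class names, addresses, credentials, ACL entries and table entries are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Set

ALLOW, BLOCK = "allow", "block"   # BLOCK stands for the "blocking information"


def is_ipv6(dst: str) -> bool:
    try:                              # domain names and IPv4 literals give False
        return ipaddress.ip_address(dst).version == 6
    except ValueError:
        return False


class AuthServer:
    """Stand-in for the RADIUS server: checks credentials, hands out the filter
    address, maps users to ACL classes and records the filter's alarm messages."""

    def __init__(self, filter_address: str, creds: Dict[str, str],
                 classes: Dict[str, str]):
        self.filter_address = filter_address
        self.creds, self.classes = creds, classes   # user -> password / ACL class
        self.alerts: List[str] = []                  # illegal-access records

    def authenticate(self, user: str, password: str) -> Optional[str]:
        """Steps S101/S102: the response carries the filter address, or None."""
        return self.filter_address if self.creds.get(user) == password else None

    def user_class(self, user: str) -> str:
        return self.classes.get(user, "default")

    def alert(self, user: str, dst: str) -> None:
        self.alerts.append(f"{user} -> {dst}")


class AccessFilter:
    """IPv6 access filter: per-class ACLs of IPv4 addresses and/or domain names
    plus the IPv4/IPv6 address translation table."""

    def __init__(self, auth: AuthServer, acls: Dict[str, Set[str]],
                 v6_to_v4: Dict[str, str]):
        self.auth = auth
        self.acls = {c: {e.lower() for e in acl} for c, acl in acls.items()}
        # key the table by canonical text so 2001:db8::10 and 2001:0db8::0010 match
        self.v6_to_v4 = {str(ipaddress.IPv6Address(k)): v
                         for k, v in v6_to_v4.items()}

    def _candidates(self, dst: str) -> List[str]:
        """Names under which the destination is looked up in the ACL."""
        try:
            ip = ipaddress.ip_address(dst)
        except ValueError:
            return [dst.lower().rstrip(".")]          # a domain name
        names = [str(ip)]
        if ip.version == 6 and str(ip) in self.v6_to_v4:
            names.append(self.v6_to_v4[str(ip)])      # translated IPv4 address
        return names

    def check(self, user: str, dst: str) -> str:
        """Step S200': ALLOW, or BLOCK plus an alarm for a restricted destination."""
        acl = self.acls.get(self.auth.user_class(user), self.acls["default"])
        if any(name in acl for name in self._candidates(dst)):
            self.auth.alert(user, dst)
            return BLOCK
        return ALLOW


class AuthClient:
    """Authentication client: logs on to learn the filter address (S100), then
    forwards intercepted packets to that filter (S200)."""

    def __init__(self, user: str, password: str, auth: AuthServer,
                 filters: Dict[str, AccessFilter], v6_only: bool = False):
        self.user, self.password, self.auth = user, password, auth
        self.filters = filters          # address -> filter, stands in for the network
        self.v6_only = v6_only          # the IPv6-only forwarding variant
        self.filter_address: Optional[str] = None

    def logon(self) -> bool:
        self.filter_address = self.auth.authenticate(self.user, self.password)
        return self.filter_address is not None

    def send(self, dst: str) -> str:
        """Intercept a packet to dst and return the verdict the user sees."""
        if self.filter_address is None:
            return BLOCK                # no network access before authentication
        if self.v6_only and not is_ipv6(dst):
            return ALLOW                # left to the existing IPv4 access control
        return self.filters[self.filter_address].check(self.user, dst)


def build_demo():
    """Constructed sample deployment: one filter, two users in different classes."""
    filter_addr = "2001:db8:f::1"                                   # constructed
    server = AuthServer(filter_addr, creds={"alice": "pw1", "bob": "pw2"},
                        classes={"alice": "default", "bob": "staff"})
    flt = AccessFilter(server,
                       acls={"default": {"198.51.100.7", "blocked.example"},
                             "staff": set()},                     # staff: unrestricted
                       v6_to_v4={"2001:db8::10": "198.51.100.7"})
    filters = {filter_addr: flt}
    return (server, AuthClient("alice", "pw1", server, filters),
            AuthClient("bob", "pw2", server, filters))
```

With `v6_only=True` the client reproduces the variant in which only IPv6-bound packets are forwarded to the IPv6 filter, so a domain-name destination is not checked there; with the default setting every intercepted packet is checked, which is what closes the DNS-bypass gap the background section describes.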
The present invention also provides an authentication client, comprising:
an access filter address acquisition module, for obtaining the address of an access filter configured with an ACL;
a packet forwarding module, for intercepting the network access packet sent by the user and sending it to the access filter according to the access filter address, so that the access filter, if it determines by checking the ACL that the destination address of the packet is a restricted access address, returns blocking information to the authentication client.
The authentication client of the above embodiment can perform access control by the same flow as the access control method of any of the above embodiments, which is not repeated here.
According to the authentication client of the above embodiment, because every network access packet sent by the user is sent to the access filter configured with an ACL, the access filter can check all of the user's network accesses against the ACL to confirm whether the network the user intends to visit is a restricted network and stop the access when the result is "yes". This prevents the user from circumventing the restriction by bypassing DNS to visit restricted networks, and realizes effective and reliable control of network access.
Further, in the authentication client of the above embodiment, the ACL is an IPv4 ACL, the access filter is an IPv6 access filter, and correspondingly the access filter is also configured with an IPv4/IPv6 address translation table.
Further, in the authentication client of the above embodiment, the access filter address acquisition module comprises:
a user authentication unit, for sending an authentication request packet carrying user address information to the authentication server via the authentication switch, and for receiving the authentication response packet carrying the access filter address that the authentication server returns via the authentication switch;
a parsing unit, for parsing the authentication response packet to obtain the access filter address.
Further, in the authentication client of the above embodiment, the packet forwarding module comprises:
a packet detecting unit, for intercepting the network access packet sent by the user and detecting whether its destination address is an IPv6 address;
a packet forwarding unit, for sending the network access packet to the access filter if the detection result of the packet detecting unit is yes.
Fig. 4 is a flow chart of another access control method of the present invention. As shown in Fig. 4, the access control method comprises the following steps:
Step S100': the access filter receives a network access packet sent by a user and forwarded via an authentication client;
Step S200': the access filter checks according to its configured ACL whether the destination address of the packet is a restricted access address; if so, it returns blocking information to the authentication client.
According to the access control method of the above embodiment, because the access filter receives the network access packet sent by the user and forwarded via the authentication client and checks according to the configured ACL whether the destination address of the packet is a restricted access address, the access filter can confirm whether the network the user intends to visit is a restricted network and stop the access when the result is "yes". This prevents the user from circumventing the restriction by bypassing DNS to visit restricted networks, and realizes effective and reliable control of network access.
Further, in the access control method of the above embodiment, the ACL is an IPv4 ACL, the access filter is an IPv6 access filter, and correspondingly the access filter is also configured with an IPv4/IPv6 address translation table; and the step in which the access filter checks according to the configured ACL whether the destination address of the packet is a restricted access address comprises: if the IPv6 access filter detects that the destination address of the packet is an IPv6 address, it looks up the IPv4 address corresponding to that IPv6 address in the IPv4/IPv6 address translation table and checks whether the IPv4 ACL contains the obtained IPv4 address; if so, the destination address is confirmed to be a restricted access address.
According to the access control method of the above embodiment, because the access filter is configured with an IPv4 ACL and an IPv4/IPv6 address translation table, using the IPv6 access filter avoids the prior-art situation, which prior-art access control methods do not cover, in which a user escapes IPv4 access control by using an IPv6 address, and thus realizes more comprehensive and effective access control. Moreover, because the user's access to network addresses is controlled by the ACL configured in the IPv6 access filter, when the ACL is configured further, for example with different access rights for different network addresses, access control at different levels/grades for different network addresses can be realized for the user. In addition, further linkage between the authentication server and the IPv6 access filter can be established: for example, a plurality of ACLs corresponding to different user classes are configured in the IPv6 access filter and the user class corresponding to each user name or IP address is stored in the authentication server; the IPv6 access filter then obtains the current user's class from the authentication server and controls the current user's access according to the ACL corresponding to that class, thereby configuring different ACLs for different users.
Further, the access control method of the above embodiment also comprises:
the access filter provides its address to the authentication server, so that the authentication server, in response to the authentication request packet sent by the authentication client, returns an authentication response packet carrying the access filter address to the authentication client.
Further, in the access control method of the above embodiment, after the step in which the access filter checks according to the configured ACL whether the destination address of the packet is a restricted access address and, if so, returns blocking information to the authentication client, the method also comprises:
the access filter sends an alarm message to the authentication server.
The present invention also provides a kind of access filter, comprising:
Access to netwoks message receiver module is used to receive access to netwoks message that the user sends and that transmit via Authentication Client;
The access to netwoks control module is used for checking according to the Access Control List (ACL) of configuration whether the destination address of described access to netwoks message is the limited accass address; If, then to described Authentication Client return prevention information.
With the access filter of the foregoing embodiment, the filter receives the network access message that the user sent and that the authentication client forwarded, and checks against the configured access control list whether the destination address of that message is a restricted address. The access filter can therefore determine whether the network the user intends to visit is a restricted network, and block the visit when the check answers "yes". This prevents the user from "climbing over the wall", that is, from reaching a restricted network by bypassing DNS, and realizes effective and reliable control of network access.
This access filter may be any server deployed in the network that contains the network access message receiving module and the network access control module described above.
Further, in the access filter of the foregoing embodiment, the access control list is an IPv4 access control list and the access filter is an IPv6 access filter; correspondingly, the access filter is also configured with an IPv4/IPv6 address translation table. The network access control module then comprises: an address lookup unit, which, when it detects that the destination address of the network access message is an IPv6 address, looks up the IPv4 address corresponding to that IPv6 address in the IPv4/IPv6 address translation table; and an address detection unit, which queries whether the IPv4 access control list contains the IPv4 address so obtained and, if it does, confirms that the destination address is a restricted address.
With the access filter of the foregoing embodiment, using an IPv6 access filter closes the gap in prior-art access control methods that had no access control for IPv6 addresses, which let a user escape IPv4 access control by switching to an IPv6 address; access control is therefore more comprehensive and effective.
Further, the access filter of the foregoing embodiment also comprises:
an address sending module, which provides the access filter address to the authentication server, so that the authentication server, when responding to the authentication request message sent by the authentication client, returns to the authentication client an authentication response message carrying the access filter address.
Further, in the access filter of the foregoing embodiment, the network access control module is also configured to send a warning message to the authentication server.
The present invention also provides an access control system, whose architecture is shown by way of example in Figure 1. It comprises the authentication client of any of the above embodiments, the access filter of any of the above embodiments, an authentication server, and an authentication switch connected to the authentication client, the access filter and the authentication server respectively.
With the access control system of the foregoing embodiment, the authentication client sends every network access message the user issues to the access filter configured with the access control list, so the access filter can check all of the user's network accesses against the access control list to determine whether the network the user intends to visit is a restricted network, and block the visit when the check answers "yes". This prevents the user from climbing over the wall, that is, reaching a restricted network by bypassing DNS, and realizes effective and reliable control of network access.
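The client, server and filter exchange described above, as an added Python simulation that is not code from the patent or from the applicant's products. It models the three roles in one process: the filter registers its address with the authentication server (the address sending module), the client learns that address from the authentication response (the acquisition module), forwards every captured access message to the filter (the packet forwarding module), and the filter translates an IPv6 destination through the IPv4/IPv6 table before checking the IPv4 ACL and warns the server on a hit. Class and field names, the message layout, the station table and all addresses (RFC 5737 and RFC 3849 documentation ranges) are constructed; the rule that an IPv6 destination with no translation entry is left unrestricted is an assumption, and the authentication switch between client and server is omitted.

```python
# Added illustration, not code from the patent. Simulates the authentication
# client, the authentication server and the IPv6 access filter with its IPv4
# ACL and IPv4/IPv6 translation table. All names, message fields and
# addresses are constructed (documentation ranges 198.51.100.0/24,
# 203.0.113.0/24 and 2001:db8::/32).
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AuthenticationServer:
    station_table: dict                           # user -> station address (constructed)
    filter_address: Optional[str] = None          # learned from the filter's address sending module
    warnings: list = field(default_factory=list)  # warning messages raised by the filter

    def authenticate(self, request: dict) -> dict:
        """Check the station address; a successful response carries the
        access filter address (the authentication switch is omitted)."""
        if self.station_table.get(request["user"]) == request["station"]:
            return {"status": "ok", "filter_address": self.filter_address}
        return {"status": "fail"}


@dataclass
class AccessFilter:
    address: str                                  # the access filter address handed to clients
    ipv4_acl: list                                # restricted IPv4 networks (ip_network objects)
    translation: dict                             # IPv6 address -> IPv4 address

    def register(self, server: AuthenticationServer) -> None:
        """Address sending module: tell the server which address to hand out."""
        server.filter_address = self.address

    def is_restricted(self, dst: str) -> bool:
        ip = ipaddress.ip_address(dst)
        if ip.version == 6:
            # Address lookup unit: map the IPv6 destination to its IPv4 counterpart.
            v4 = self.translation.get(str(ip))
            if v4 is None:
                return False          # assumption: no mapping, so the IPv4 ACL has no say
            ip = ipaddress.ip_address(v4)
        # Address detection unit: is the (translated) IPv4 address in the ACL?
        return any(ip in net for net in self.ipv4_acl)

    def receive(self, msg: dict, server: AuthenticationServer) -> Optional[dict]:
        """Receiver + control module: return prevention information for a
        restricted destination and warn the server, otherwise return None."""
        if self.is_restricted(msg["dst"]):
            server.warnings.append({"user": msg["user"], "dst": msg["dst"]})
            return {"type": "prevent", "dst": msg["dst"]}
        return None


class AuthenticationClient:
    def __init__(self, user: str, station: str):
        self.user, self.station = user, station
        self.filter_address: Optional[str] = None

    def acquire_filter_address(self, server: AuthenticationServer) -> Optional[str]:
        """Access filter address acquisition module: authenticate, then parse
        the filter address out of the response."""
        resp = server.authenticate({"user": self.user, "station": self.station})
        self.filter_address = resp.get("filter_address") if resp["status"] == "ok" else None
        return self.filter_address

    def send(self, dst: str, network: dict, server: AuthenticationServer) -> str:
        """Packet forwarding module: every captured access message is sent to
        the filter found at the acquired address; its answer decides."""
        if self.filter_address is None:
            return "not-authenticated"
        flt = network[self.filter_address]
        msg = {"user": self.user, "dst": dst}
        return "blocked" if flt.receive(msg, server) else "allowed"


def run_scenario() -> dict:
    """Wire the three roles together and try a few constructed destinations."""
    flt = AccessFilter(
        address="2001:db8:ffff::1",
        ipv4_acl=[ipaddress.ip_network("198.51.100.0/24")],   # restricted IPv4 range
        translation={"2001:db8::10": "198.51.100.10",
                     "2001:db8::20": "203.0.113.20"},
    )
    srv = AuthenticationServer({"alice": "00:11:22:33:44:55"})
    flt.register(srv)
    network = {flt.address: flt}                  # how the client reaches the filter

    alice = AuthenticationClient("alice", "00:11:22:33:44:55")
    alice.acquire_filter_address(srv)
    other = AuthenticationClient("alice", "66:77:88:99:aa:bb")   # station does not match
    other.acquire_filter_address(srv)

    results = {dst: alice.send(dst, network, srv) for dst in (
        "198.51.100.7",    # IPv4 inside the ACL
        "203.0.113.5",     # IPv4 outside the ACL
        "2001:db8::10",    # IPv6 mapped to a restricted IPv4 address
        "2001:db8::20",    # IPv6 mapped to an unrestricted IPv4 address
        "2001:db8::99",    # IPv6 with no translation entry
    )}
    results["unauthenticated"] = other.send("203.0.113.5", network, srv)
    results["warnings"] = len(srv.warnings)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the simulation makes visible is the one the description relies on: the IPv6 destination 2001:db8::10 is blocked only because the translation table maps it back onto the restricted IPv4 range, so the completeness of that table decides how much of the IPv6 traffic the IPv4 ACL actually covers. A client that never obtained a filter address (the second client, whose station address does not match the record) has nowhere to forward to, and each blocked message produces one warning at the authentication server.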
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and are not intended to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in each of the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not make the essence of the corresponding technical solution depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (17)

1. An access control method, characterized in that it comprises:
an authentication client acquiring the address of an access filter configured with an access control list;
the authentication client capturing a network access message sent by a user and sending the network access message to the access filter according to the access filter address, so that the access filter, if it determines by checking against the access control list that the destination address of the network access message is a restricted address, returns prevention information to the authentication client.
2. The access control method according to claim 1, characterized in that the access control list is an IPv4 access control list, the access filter is an IPv6 access filter and, correspondingly, the access filter is also configured with an IPv4/IPv6 address translation table.
3. The access control method according to claim 1 or 2, characterized in that the step of the authentication client acquiring the address of the access filter configured with the access control list comprises:
the authentication client sending an authentication request message carrying station address information to an authentication server via an authentication switch;
the authentication server authenticating the user according to the station address information and, when the authentication succeeds, returning to the authentication client via the authentication switch an authentication response message carrying the access filter address.
4. The access control method according to claim 2, characterized in that the step of the authentication client capturing the network access message sent by the user and sending the network access message to the access filter according to the access filter address comprises:
the authentication client capturing the network access message sent by the user and detecting whether the destination address of the network access message is an IPv6 address; if so, sending the network access message to the access filter.
5. An authentication client, characterized in that it comprises:
an access filter address acquisition module, configured to acquire the address of an access filter configured with an access control list;
a packet forwarding module, configured to capture a network access message sent by a user and send the network access message to the access filter according to the access filter address, so that the access filter, if it determines by checking against the access control list that the destination address of the network access message is a restricted address, returns prevention information to the authentication client.
6. The authentication client according to claim 5, characterized in that the access control list is an IPv4 access control list, the access filter is an IPv6 access filter and, correspondingly, the access filter is also configured with an IPv4/IPv6 address translation table.
7. The authentication client according to claim 5 or 6, characterized in that the access filter address acquisition module comprises:
a user authentication unit, configured to send an authentication request message carrying station address information to an authentication server via an authentication switch, and to receive, via the authentication switch, the authentication response message carrying the access filter address that the authentication server returns;
a resolution unit, configured to parse the authentication response message to obtain the access filter address.
8. The authentication client according to claim 6, characterized in that the packet forwarding module comprises:
a message detection unit, configured to capture the network access message sent by the user and detect whether the destination address of the network access message is an IPv6 address;
a message forwarding unit, configured to send the network access message to the access filter if the detection result of the message detection unit is positive.
9. An access control method, characterized in that it comprises:
an access filter receiving a network access message sent by a user and forwarded via an authentication client;
the access filter checking against a configured access control list whether the destination address of the network access message is a restricted address and, if so, returning prevention information to the authentication client.
10. The access control method according to claim 9, characterized in that the access control list is an IPv4 access control list, the access filter is an IPv6 access filter and, correspondingly, the access filter is also configured with an IPv4/IPv6 address translation table; and the step of the access filter checking against the configured access control list whether the destination address of the network access message is a restricted address comprises: the IPv6 access filter, if it detects that the destination address of the network access message is an IPv6 address, looking up the IPv4 address corresponding to that IPv6 address in the IPv4/IPv6 address translation table, querying whether the IPv4 access control list contains the IPv4 address so obtained and, if it does, confirming that the destination address is a restricted address.
11. The access control method according to claim 9 or 10, characterized in that it further comprises:
the access filter providing the access filter address to an authentication server, so that the authentication server, when responding to the authentication request message sent by the authentication client, returns to the authentication client an authentication response message carrying the access filter address.
12. The access control method according to claim 9 or 10, characterized in that, after the step of the access filter checking against the configured access control list whether the destination address of the network access message is a restricted address and, if so, returning prevention information to the authentication client, it further comprises:
the access filter sending a warning message to the authentication server.
13. An access filter, characterized in that it comprises:
a network access message receiving module, configured to receive a network access message sent by a user and forwarded via an authentication client;
a network access control module, configured to check against a configured access control list whether the destination address of the network access message is a restricted address and, if so, to return prevention information to the authentication client.
14. The access filter according to claim 13, characterized in that the access control list is an IPv4 access control list, the access filter is an IPv6 access filter and, correspondingly, the access filter is also configured with an IPv4/IPv6 address translation table; and the network access control module comprises: an address lookup unit, configured to look up, if it detects that the destination address of the network access message is an IPv6 address, the IPv4 address corresponding to that IPv6 address in the IPv4/IPv6 address translation table; and an address detection unit, configured to query whether the IPv4 access control list contains the IPv4 address so obtained and, if it does, to confirm that the destination address is a restricted address.
15. The access filter according to claim 13 or 14, characterized in that it further comprises:
an address sending module, configured to provide the access filter address to an authentication server, so that the authentication server, when responding to the authentication request message sent by the authentication client, returns to the authentication client an authentication response message carrying the access filter address.
16. The access filter according to claim 13 or 14, characterized in that the network access control module is also configured to send a warning message to the authentication server.
17. An access control system, characterized in that it comprises: the authentication client according to any of claims 5 to 8, the access filter according to any of claims 13 to 16, an authentication server, and an authentication switch connected to the authentication client, the access filter and the authentication server respectively.
CN201110079910.XA 2011-03-31 2011-03-31 Access control method, device and system Expired - Fee Related CN102118398B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110079910.XA CN102118398B (en) 2011-03-31 2011-03-31 Access control method, device and system


Publications (2)

Publication Number Publication Date
CN102118398A true CN102118398A (en) 2011-07-06
CN102118398B CN102118398B (en) 2014-04-23

Family

ID=44216987

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110079910.XA Expired - Fee Related CN102118398B (en) 2011-03-31 2011-03-31 Access control method, device and system

Country Status (1)

Country Link
CN (1) CN102118398B (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1567839A (en) * 2003-06-24 2005-01-19 华为技术有限公司 Port based network access control method
CN1705270A (en) * 2004-05-26 2005-12-07 华为技术有限公司 System and method for controlling network access
CN1815971A (en) * 2005-02-03 2006-08-09 杭州华为三康技术有限公司 Green internet-accessing system based on concentrated management and dictributed control, and method therefor
US20070002860A1 (en) * 2005-06-30 2007-01-04 Cooper Frederick J Method and system for a digital home network trace and debug tool


Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108616544A (en) * 2015-08-04 2018-10-02 法赛特安全公司 For detecting newer method, system and medium to record of domain name system system
CN108616544B (en) * 2015-08-04 2021-06-01 法赛特安全公司 Method, system, and medium for detecting updates to a domain name system recording system
CN105208026A (en) * 2015-09-29 2015-12-30 努比亚技术有限公司 Hostile attack preventing method and network system
CN105491047A (en) * 2015-12-10 2016-04-13 浙江宇视科技有限公司 Access control method and system for front-end equipment
CN105491047B (en) * 2015-12-10 2019-01-11 浙江宇视科技有限公司 A kind of access control method and system of headend equipment
CN108616490A (en) * 2016-12-13 2018-10-02 腾讯科技(深圳)有限公司 A kind of method for network access control, apparatus and system
CN109660497A (en) * 2017-10-12 2019-04-19 阿里巴巴集团控股有限公司 Data processing method and device, terminal, processor, storage medium
CN109660497B (en) * 2017-10-12 2022-03-18 阿里巴巴集团控股有限公司 Data processing method and device, terminal, processor and storage medium
CN110022334A (en) * 2018-01-09 2019-07-16 香港理工大学深圳研究院 A kind of detection method of proxy server, detection device and terminal device
CN110022334B (en) * 2018-01-09 2022-01-11 香港理工大学深圳研究院 Detection method and detection device of proxy server and terminal equipment
CN109167758A (en) * 2018-08-07 2019-01-08 新华三技术有限公司 A kind of message processing method and device
CN109462589A (en) * 2018-11-13 2019-03-12 北京天融信网络安全技术有限公司 The method, device and equipment of application program NS software

Also Published As

Publication number Publication date
CN102118398B (en) 2014-04-23

Similar Documents

Publication Publication Date Title
CN102118398B (en) Access control method, device and system
US10911368B2 (en) Gateway address spoofing for alternate network utilization
US10491561B2 (en) Equipment for offering domain-name resolution services
US8369346B2 (en) Method and system for restricting a node from communicating with other nodes in a broadcast domain of an IP (internet protocol) network
CN101471936B (en) Method, device and system for establishing IP conversation
CN101217482B (en) A method traversing NAT sending down strategy and a communication device
JP6007458B2 (en) Packet receiving method, deep packet inspection apparatus and system
US10033769B2 (en) Lawful interception in a WI-FI/packet core network access
McPherson et al. Architectural considerations of IP anycast
WO2015174100A1 (en) Packet transfer device, packet transfer system, and packet transfer method
EP2677716A1 (en) Access control method, access device and system
US10855624B2 (en) Method and device for providing a backup link
JP2007266931A (en) Communication interruption apparatus, and communication interruption program
JP4750750B2 (en) Packet transfer system and packet transfer method
CN103634289A (en) Communication block apparatus and communication block method
US8488618B1 (en) Dual-connect service box with router bypass
JP2004242161A (en) Data communication network system and method for controlling data communication network connection
KR100846536B1 (en) Virtual Private Network Using DHCP and Method of Security on the Same
CN113992583B (en) Table item maintenance method and device
JP2004289260A (en) System for examining safety of client utilizing dynamic address imparting server
Gundavelli et al. RFC 8803: 0-RTT TCP Convert Protocol
JP2006165877A (en) Communication system, communication method, and communication program
KR20210079641A (en) METHOD AND APPARATUS OF DETCTING ToB IN IoT ENVIRONMENT BASED ON GATEWAY
CN116783867A (en) Method for detecting a malicious device in a communication network, corresponding communication device and computer program
JP4455538B2 (en) COMMUNICATION DEVICE, COMMUNICATION METHOD, AND PROGRAM

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140423

Termination date: 20200331

CF01 Termination of patent right due to non-payment of annual fee