CN102118398B - Access control method, device and system - Google Patents


Info

Publication number
CN102118398B
Authority
CN
China
Prior art keywords
access
address
filter
message
acl
Legal status
Expired - Fee Related
Application number
CN201110079910.XA
Other languages
Chinese (zh)
Other versions
CN102118398A (en)
Inventor
杨鑫伟
毕崇海
Current Assignee
Beijing Star Net Ruijie Networks Co Ltd
Ruijie Networks Co Ltd
Original Assignee
Beijing Star Net Ruijie Networks Co Ltd
Events
Application filed by Beijing Star Net Ruijie Networks Co Ltd
Priority to CN201110079910.XA
Publication of CN102118398A
Application granted
Publication of CN102118398B
Status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an access control method, apparatus and system. The access control method comprises: an authentication client obtains the address of an access filter configured with an access control list; the authentication client intercepts a network access packet sent by a user and sends it to the access filter according to the access filter address, so that the access filter returns blocking information to the authentication client if it determines, by checking the access control list, that the destination address of the network access packet is restricted. The access control method, apparatus and system achieve effective and reliable access control.

Description

Access control method, apparatus and system
Technical field
The present invention relates to the field of communication technology, and in particular to an access control method, apparatus and system.
Background art
With the development and spread of networks, controlling network access has become particularly important. In view of the differing local laws and policies of individual countries, a gateway needs to filter certain websites so that users cannot access them.
In the prior art, the domain name of a website the user accesses is normally resolved by a Domain Name System (DNS) server deployed in the network, and when that domain name is recognised as a pre-configured prohibited domain name, the user's access is restricted. Consequently, when a user accesses such a site through a proxy server, the DNS server's resolution of the accessed domain name is bypassed during the access, so the user can circumvent the access restriction and reach the restricted website.
Summary of the invention
In view of the above defect, the invention provides an access control method, apparatus and system in order to achieve effective and reliable access control.
The invention provides an access control method, comprising:
an authentication client obtains the address of an access filter configured with an access control list (ACL);
the authentication client intercepts a network access packet sent by a user and, according to the access filter address, sends the network access packet to the access filter, so that the access filter, if it determines by checking the ACL that the destination address of the network access packet is a restricted access address, returns blocking information to the authentication client.
According to a further aspect of the invention, an authentication client is also provided, comprising:
an access filter address acquisition module, for obtaining the address of an access filter configured with an ACL;
a packet forwarding module, for intercepting a network access packet sent by a user and sending it to the access filter according to the access filter's address, so that the access filter, if it determines by checking the ACL that the destination address of the network access packet is a restricted access address, returns blocking information to the authentication client.
According to a further aspect of the invention, another access control method is also provided, comprising:
an access filter receives a network access packet sent by a user and forwarded via an authentication client;
the access filter checks, according to its configured ACL, whether the destination address of the network access packet is a restricted access address; if so, it returns blocking information to the authentication client.
According to a further aspect of the invention, an access filter is also provided, comprising:
a network access packet receiving module, for receiving a network access packet sent by a user and forwarded via an authentication client;
a network access control module, for checking, according to the configured ACL, whether the destination address of the network access packet is a restricted access address and, if so, returning blocking information to the authentication client.
According to a further aspect of the invention, an access control system is also provided, comprising the authentication client of the invention, the access filter of the invention, an authentication server, and an authentication switch connected to the authentication client, the access filter and the authentication server respectively.
With the access control method, authentication client, access filter and access control system of the invention, the authentication client sends every network access packet the user sends to an access filter configured with an ACL, so the access filter can check all of the user's network accesses against the ACL, confirm whether the network the user wants to access is a restricted network and, when the judgement is "yes", block the access. This prevents the user from bypassing DNS to circumvent the restriction and reach a restricted network, and achieves effective and reliable network access control.
Brief description of the drawings
Fig. 1 is an architecture diagram of a network system to which the access control method of the invention is applied.
Fig. 2 is a flow chart of the access control method of the invention.
Fig. 3 is an architecture diagram of another network system to which the access control method of the invention is applied.
Fig. 4 is a flow chart of another access control method of the invention.
Embodiments
To make the objects, technical solutions and advantages of the invention clearer, the technical solutions of the invention are described clearly and completely below with reference to the accompanying drawings.
Fig. 1 is an architecture diagram of a network system to which the access control method of the invention is applied. As shown in Fig. 1, the network system comprises an authentication server (for example a Radius server), an authentication client, an authentication switch and an access filter. The authentication client may be authentication client software integrated on the user's terminal PC, or a separate computer placed between the user's terminal PC and the authentication switch. The authentication server, authentication client and authentication switch support a prior-art authentication protocol; the access control method of the invention is described below taking the 802.1X authentication protocol as an example.
Fig. 2 is a flow chart of the access control method of the invention. As shown in Fig. 2, the access control method comprises:
Step S100: the authentication client obtains the address of an access filter configured with an access control list (ACL).
The ACL contains pre-set restricted access addresses, which can be configured dynamically as required; a restricted access address may be an IP address or a domain name that uniquely corresponds to an IP address.
Step S200: the authentication client intercepts a network access packet sent by the user and, according to the access filter address, sends the packet to the access filter, so that the access filter, if it determines by checking the ACL that the destination address of the packet is a restricted access address, returns blocking information to the authentication client.
Specifically, the authentication client may use any prior-art packet interception method to intercept the network access packet sent by the user, and any prior-art packet forwarding method to send it to the access filter. For example, the authentication client encapsulates the intercepted network access packet and sets the access filter address obtained in step S100 as the destination address of the encapsulated packet, then sends the encapsulated packet to the access filter via the authentication switch. Correspondingly, after receiving the encapsulated packet, the access filter parses it to recover the original network access packet and extracts that packet's destination address (for example an IP address or a domain name), which is the network address the user wants to access. The access filter looks up this network address in its pre-set ACL (if the ACL stores domain names but the destination address of the packet is an IP address, the domain name corresponding to that IP address can be looked up in the list). If the ACL contains the network address, the access filter determines that it is a restricted access address, does not forward the network access packet, and returns blocking information to the authentication client.
With the access control method of the above embodiment, the authentication client sends every network access packet the user sends to an access filter configured with an ACL, so the access filter can check all of the user's network accesses against the ACL, confirm whether the network the user wants to access is a restricted network and, when the judgement is "yes", block the access. This prevents the user from bypassing DNS to circumvent the restriction and reach a restricted network, and achieves effective and reliable network access control.
Further, in the access control method of the above embodiment, the ACL is an IPv4 ACL, the access filter is an IPv6 access filter and, correspondingly, the access filter is also configured with an IPv4/IPv6 address translation table.
IPv4 (Internet Protocol version 4) is currently the most widely used Internet protocol. It can run over a variety of underlying networks, such as end-to-end serial data links (the PPP and SLIP protocols) and satellite links. IPv6 (Internet Protocol version 6) is the next-generation IP protocol designed by the Internet Engineering Task Force (IETF) to replace IPv4. IPv6 has enough addresses to assign a unique IP address to every square inch of the Earth's surface, and its node auto-configuration technology, which replaces DHCP (Dynamic Host Configuration Protocol) and ARP (Address Resolution Protocol), lets a new device join a network without any manual setup. Most website access today uses IPv4, but as IPv6 technology develops, more and more websites are deploying IPv6 networks; for example, the IPv6 network of google.com can be reached via the address ipv6.google.com, and a user on an IPv6 network is preferably connected to the IPv6 network when using the address www.google.com.
In the access control method of the above embodiment, the ACL is an IPv4 ACL that contains the restricted IPv4 network addresses, and an existing prior-art IPv4 ACL can be used for it. The IPv4/IPv6 address translation table configured in the IPv6 access filter stores IPv4 addresses paired with their corresponding IPv6 addresses; for example, www.google.com and ipv6.google.com form one pair. When the destination address of a network access packet received by the IPv6 access filter is an IPv6 address, the filter looks up the IPv4 address corresponding to that IPv6 address in the translation table and then checks whether the obtained IPv4 address is contained in the IPv4 ACL; if it is, the network address the user wants to access is confirmed to be a restricted access address and the access is blocked.
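The filter-side lookup described in the paragraphs above (ACL rows that are IPv4 addresses or domain names, IPv6 destinations resolved through the translation table, and the domain lookup when the ACL holds names), as an added Python example that is not part of the patent or of Ruijie's products. All addresses, the `Verdict` type, the `ip_to_domain` reverse map and the `handle_packet` message shape are constructed here, and the treatment of unmapped IPv6 and IPv4-mapped IPv6 destinations is an assumed policy the text does not specify.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample configuration (RFC 5737 / RFC 3849 documentation ranges, not real hosts).
IPV4_ACL = {"203.0.113.10", "restricted.example"}      # IPv4 ACL: restricted addresses and names
V6_TO_V4 = {"2001:0db8::10": "203.0.113.10"}            # IPv4/IPv6 address translation table
IP_TO_DOMAIN = {"198.51.100.7": "restricted.example"}  # reverse map for name-based ACL rows


@dataclass
class Verdict:
    blocked: bool
    reason: str                  # which lookup decided; useful in the alert sent to the server
    matched: Optional[str] = None


@dataclass
class AccessFilter:
    acl: Set[str]                # IPv4 ACL: restricted IPv4 addresses and/or domain names
    v6_to_v4: Dict[str, str]     # IPv6 address -> paired IPv4 address
    ip_to_domain: Dict[str, str]  # IPv4 address -> domain name (assumed helper map)

    def __post_init__(self) -> None:
        # Normalise IPv6 keys so "2001:0db8::10" and "2001:db8::10" select the same row.
        self.v6_to_v4 = {str(ipaddress.ip_address(k)): v for k, v in self.v6_to_v4.items()}

    def _check_ipv4(self, v4: str) -> Verdict:
        if v4 in self.acl:
            return Verdict(True, "ipv4-in-acl", v4)
        name = self.ip_to_domain.get(v4)      # ACL stores names, packet carries an IP
        if name is not None and name in self.acl:
            return Verdict(True, "domain-of-ipv4-in-acl", name)
        return Verdict(False, "ipv4-not-in-acl")

    def check(self, destination: str) -> Verdict:
        """Steps S200/S200': decide whether the packet's destination is a restricted address."""
        try:
            addr = ipaddress.ip_address(destination)
        except ValueError:
            name = destination.lower().rstrip(".")          # destination is a domain name
            if name in self.acl:
                return Verdict(True, "domain-in-acl", name)
            return Verdict(False, "domain-not-in-acl")
        if addr.version == 4:
            return self._check_ipv4(str(addr))
        if addr.ipv4_mapped is not None:
            # ::ffff:a.b.c.d carries an IPv4 target inside an IPv6 address; check it as IPv4
            # instead of treating it as an unmapped IPv6 destination (assumed edge-case policy).
            return self._check_ipv4(str(addr.ipv4_mapped))
        v4 = self.v6_to_v4.get(str(addr))
        if v4 is None:
            # The text covers only mapped IPv6 addresses; an unmapped one is let through but
            # flagged so a gap in the translation table stays visible (assumed policy).
            return Verdict(False, "ipv6-unmapped")
        verdict = self._check_ipv4(v4)
        verdict.reason = "ipv6-via-translation:" + verdict.reason
        return verdict


def handle_packet(flt: AccessFilter, encapsulated: Dict) -> Dict[str, str]:
    """Parse the encapsulated packet from the client, extract the original destination and
    return either blocking information or a forward decision (constructed message shape)."""
    inner_dst = encapsulated["payload"]["dst"]
    verdict = flt.check(inner_dst)
    action = "block" if verdict.blocked else "forward"
    return {"action": action, "dst": inner_dst, "reason": verdict.reason}
```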
With the access control method of the above embodiment, because the access filter is configured with both an IPv4 ACL and an IPv4/IPv6 address translation table, it avoids the situation in the prior art where a user escapes IPv4 access control by using IPv6, which arises because the prior-art access control method does not cover IPv6 addresses; more comprehensive and effective access control is thus achieved. Moreover, because the user's access to network addresses is controlled by the ACL configured in the IPv6 access filter, further configuration of that ACL, for example setting different access rights for different network addresses, realises access control for the user at different levels or grades of network address. In addition, a further linkage can be established between the authentication server and the IPv6 access filter: for example, several ACLs corresponding to different user categories are configured in the IPv6 access filter, the user category is stored in the authentication server against the user name or IP address, and the IPv6 access filter obtains the current user's category from the authentication server and controls the current user's access according to the ACL corresponding to that category, so that different ACLs are applied to different users.
Further, in the access control method of the above embodiment, the step in which the authentication client obtains the address of the access filter configured with the ACL comprises:
Step S101: the authentication client sends an authentication request packet carrying user address information to the authentication server via the authentication switch.
Step S102: the authentication server authenticates the user according to the user address information and, when the authentication passes, returns an authentication response packet carrying the access filter address to the authentication client via the authentication switch.
Specifically, when the network shown in Fig. 1 uses the 802.1X authentication protocol, the authentication server is a Radius server with the functions and capabilities of the authentication server in 802.1X, the authentication switch has the functions and capabilities of the network access server (NAS) in 802.1X, and the authentication client has the functions and capabilities of the authentication client in 802.1X.
When the user accesses the network, the authentication client sends an authentication request packet carrying user address information (preferably including the user's IPv4 address and the user's IPv6 address) to the Radius server via the authentication switch. On receiving the authentication request packet, the Radius server checks, according to the user address information carried in the packet, whether the user is a legitimate user and, if the check passes, returns an authentication response packet carrying the access filter address to the authentication client via the switch. The access filter is connected to the Radius server, which may use any prior-art address acquisition method to obtain the filter's address; the access filter is, for example, an IPv6 access filter.
On receiving the authentication response packet, the authentication client parses it to obtain the access filter address. Preferably, after obtaining the access filter address provided by the authentication server, the authentication client also detects whether other agents (for example IPv6 proxy software) are set up on the user's terminal PC; if so, it prompts the user to remove them and blocks the user's network access until it detects that no other agent is set up.
Further, in the access control method of the above embodiment, the step in which the authentication client intercepts the network access packet sent by the user and sends it to the access filter according to the access filter's address comprises:
the authentication client intercepts the network access packet sent by the user and detects whether the destination address of the packet is an IPv6 address; if so, it sends the network access packet to the access filter (the IPv6 access filter).
Specifically, the authentication client may use any prior-art packet interception method to intercept the network access packet sent by the user; when it finds that the destination address of the packet is an IPv6 address, it sends the packet to the IPv6 access filter, so that the IPv6 access filter applies access control to the IPv6 access according to the IPv4 ACL and the IPv4/IPv6 address translation table of the above embodiment.
Specifically, the access filter may send an alert to the authentication server each time it finds the user accessing a restricted access address, or may periodically send the number of illegal accesses to the authentication server, so that the authentication server can control the user and keep a record of the illegal access behaviour, handle the user according to preset rules or as required (for example log off a particular user or prohibit the user from accessing the network), and provide a basis for subsequent auditing.
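The 802.1X-style exchange of steps S101, S102 and S200 together with the alert reporting just described, as an added Python simulation that is not the patent's or Ruijie's code. A plain set of restricted IPv6 destinations stands in for the ACL and translation-table lookup; all addresses, the message field names, the `ALERT_THRESHOLD` log-off rule and the "other proxies" list are constructed assumptions, and the log-off is assumed to take effect at the user's next authentication.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed values (RFC 3849 / RFC 5737 documentation ranges); none of these are real hosts.
ALERT_THRESHOLD = 3                 # assumed preset rule: blocked attempts before the user is logged off
FILTER_ADDRESS = "2001:db8:f::1"    # address the access filter supplies to the authentication server


@dataclass
class AuthenticationServer:
    """Radius-server role: validates the user's IPv4/IPv6 addresses, hands out the access
    filter address and keeps the per-user record of illegal accesses (assumed structure)."""
    known_users: Dict[str, Dict[str, str]]      # user -> {"ipv4": ..., "ipv6": ...}
    filter_address: str
    illegal_accesses: Dict[str, int] = field(default_factory=dict)
    logged_off: Set[str] = field(default_factory=set)

    def authenticate(self, request: Dict) -> Dict:
        user = request["user"]
        if user in self.logged_off or self.known_users.get(user) != request["addresses"]:
            return {"type": "Access-Reject"}
        return {"type": "Access-Accept", "filter_address": self.filter_address}

    def receive_alert(self, alert: Dict) -> bool:
        """Record one illegal access; return True when the preset rule logs the user off."""
        user = alert["user"]
        self.illegal_accesses[user] = self.illegal_accesses.get(user, 0) + 1
        if self.illegal_accesses[user] >= ALERT_THRESHOLD:
            self.logged_off.add(user)
            return True
        return False


@dataclass
class AccessFilter:
    """IPv6 access filter role. A set of restricted IPv6 destinations stands in for the
    ACL and translation-table lookup; the point here is the message flow."""
    restricted: Set[str]
    server: AuthenticationServer
    forwarded: List[Dict] = field(default_factory=list)

    def receive(self, encapsulated: Dict) -> Dict:
        inner = encapsulated["payload"]                      # original packet recovered by parsing
        dst = str(ipaddress.ip_address(inner["dst"]))        # normalised destination address
        if dst in self.restricted:
            self.server.receive_alert({"user": inner["user"], "dst": dst})   # one alert per detection
            return {"type": "block", "dst": dst}             # blocking information to the client
        self.forwarded.append(inner)
        return {"type": "forwarded", "dst": dst}


@dataclass
class AuthenticationClient:
    user: str
    addresses: Dict[str, str]
    server: AuthenticationServer
    access_filter: AccessFilter
    other_proxies: List[str] = field(default_factory=list)   # e.g. IPv6 proxy software found on the PC
    filter_address: Optional[str] = None

    def authenticate(self) -> Dict:
        """Steps S101/S102: the request carries the user's addresses, the response the filter address."""
        response = self.server.authenticate({"user": self.user, "addresses": self.addresses})
        if response["type"] != "Access-Accept":
            self.filter_address = None
            return {"status": "rejected"}
        self.filter_address = response["filter_address"]
        if self.other_proxies:
            # Preferred behaviour in the text: prompt for removal and hold network access meanwhile.
            return {"status": "held", "remove": list(self.other_proxies)}
        return {"status": "authenticated", "filter_address": self.filter_address}

    def intercept(self, packet: Dict) -> Dict:
        """Step S200: only IPv6-destined packets are encapsulated towards the filter address."""
        if self.filter_address is None or self.other_proxies:
            return {"type": "drop", "reason": "network access not yet permitted"}
        if ipaddress.ip_address(packet["dst"]).version != 6:
            return {"type": "pass-through", "dst": packet["dst"]}    # IPv4 keeps its existing control
        encapsulated = {"dst": self.filter_address, "payload": {**packet, "user": self.user}}
        return self.access_filter.receive(encapsulated)


def demo_session() -> Dict:
    """One session: authenticate, hit a restricted IPv6 host ALERT_THRESHOLD times, re-authenticate."""
    alice = {"ipv4": "192.0.2.10", "ipv6": "2001:db8:1::10"}
    server = AuthenticationServer({"alice": alice}, FILTER_ADDRESS)
    flt = AccessFilter({"2001:db8:bad::1"}, server)
    client = AuthenticationClient("alice", alice, server, flt)
    auth = client.authenticate()
    blocked = [client.intercept({"dst": "2001:db8:bad::1"}) for _ in range(ALERT_THRESHOLD)]
    allowed = client.intercept({"dst": "2001:db8:cafe::1"})
    v4 = client.intercept({"dst": "198.51.100.5"})
    return {"auth": auth, "blocked": blocked, "allowed": allowed, "v4": v4,
            "logged_off": "alice" in server.logged_off,
            "reauth": client.authenticate()["status"]}


if __name__ == "__main__":
    print(demo_session())
```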
Although the access control method of the above embodiment has been described above taking the network architecture shown in Fig. 1 as an example, those skilled in the art will appreciate that it can also be applied to other network architectures. Fig. 3 is an architecture diagram of another network system to which the access control method of the invention is applied. As shown in Fig. 3, this network may comprise several authentication clients, several authentication switches, a core switch, an access filter (preferably an IPv6 access filter) and a Radius server. It can be seen that, as long as an access filter connected to the authentication switch and the authentication server is added to a conventional prior-art network architecture (comprising authentication clients, switches and an authentication server), the access control method of any of the above embodiments can be realised.
The invention also provides an authentication client, comprising:
an access filter address acquisition module, for obtaining the address of an access filter configured with an ACL;
a packet forwarding module, for intercepting a network access packet sent by a user and sending it to the access filter according to the access filter's address, so that the access filter, if it determines by checking the ACL that the destination address of the packet is a restricted access address, returns blocking information to the authentication client.
The authentication client of the above embodiment can perform access control with the same flow as the access control method of any of the above embodiments, which is not repeated here.
With the authentication client of the above embodiment, because every network access packet the user sends is sent to an access filter configured with an ACL, the access filter can check all of the user's network accesses against the ACL, confirm whether the network the user wants to access is a restricted network and, when the judgement is "yes", block the access. This prevents the user from bypassing DNS to circumvent the restriction and reach a restricted network, and achieves effective and reliable network access control.
Further, in the authentication client of the above embodiment, the ACL is an IPv4 ACL, the access filter is an IPv6 access filter and, correspondingly, the access filter is also configured with an IPv4/IPv6 address translation table.
Further, in the authentication client of the above embodiment, the access filter address acquisition module comprises:
a user authentication unit, for sending an authentication request packet carrying user address information to the authentication server via the authentication switch, and for receiving the authentication response packet carrying the access filter address that the authentication server returns via the authentication switch;
a parsing unit, for parsing the authentication response packet to obtain the access filter address.
Further, in the authentication client of the above embodiment, the packet forwarding module comprises:
a packet detection unit, for intercepting the network access packet sent by the user and detecting whether the destination address of the packet is an IPv6 address;
a packet forwarding unit, for sending the network access packet to the access filter when the detection result of the packet detection unit is "yes".
Fig. 4 is a flow chart of another access control method of the invention. As shown in Fig. 4, this access control method comprises the following steps:
Step S100': the access filter receives a network access packet sent by a user and forwarded via an authentication client.
Step S200': the access filter checks, according to its configured ACL, whether the destination address of the network access packet is a restricted access address; if so, it returns blocking information to the authentication client.
With the access control method of the above embodiment, because the access filter receives the network access packet sent by the user and forwarded via the authentication client and checks, according to the configured ACL, whether the destination address of the packet is a restricted access address, the access filter can confirm whether the network the user wants to access is a restricted network and, when the judgement is "yes", block the access. This prevents the user from bypassing DNS to circumvent the restriction and reach a restricted network, and achieves effective and reliable network access control.
Further, in the access control method of the above embodiment, the ACL is an IPv4 ACL, the access filter is an IPv6 access filter and, correspondingly, the access filter is also configured with an IPv4/IPv6 address translation table; and the step in which the access filter checks, according to the configured ACL, whether the destination address of the network access packet is a restricted access address comprises: if the IPv6 access filter detects that the destination address of the network access packet is an IPv6 address, it looks up the IPv4 address corresponding to that IPv6 address in the IPv4/IPv6 address translation table and checks whether the obtained IPv4 address is contained in the IPv4 ACL; if it is, it confirms that the destination address is a restricted access address.
With the access control method of the above embodiment, because the access filter is configured with both an IPv4 ACL and an IPv4/IPv6 address translation table, it avoids the situation in the prior art where a user escapes IPv4 access control by using IPv6, which arises because the prior-art access control method does not cover IPv6 addresses; more comprehensive and effective access control is thus achieved. Moreover, because the user's access to network addresses is controlled by the ACL configured in the IPv6 access filter, further configuration of that ACL, for example setting different access rights for different network addresses, realises access control for the user at different levels or grades of network address. In addition, a further linkage can be established between the authentication server and the IPv6 access filter: for example, several ACLs corresponding to different user categories are configured in the IPv6 access filter, the user category is stored in the authentication server against the user name or IP address, and the IPv6 access filter obtains the current user's category from the authentication server and controls the current user's access according to the ACL corresponding to that category, so that different ACLs are applied to different users.
Further, the access control method of the above embodiment also comprises:
the access filter provides its access filter address to the authentication server, so that the authentication server, in response to the authentication request packet sent by the authentication client, returns an authentication response packet carrying the access filter address to the authentication client.
Further, in the access control method of the above embodiment, after the step in which the access filter checks, according to the configured ACL, whether the destination address of the network access packet is a restricted access address and, if so, returns blocking information to the authentication client, the method also comprises:
the access filter sends an alert to the authentication server.
The present invention also provides a kind of access filter, comprising:
Access to netwoks message receiver module, for receiving access to netwoks message that user sends and that forward via Authentication Client;
Access to netwoks control module, for checking according to the Access Control List (ACL) of configuration whether the destination address of described access to netwoks message is limited accass address; If so, to described Authentication Client return prevention information.
According to the access filter of above-described embodiment, owing to receiving access to netwoks message that user sends and that forward via Authentication Client, and check according to the Access Control List (ACL) of configuration whether the destination address of described access to netwoks message is limited accass address, whether the network that makes access filter can confirm that user will access is limited accass network, and when being "Yes", judged result stops this access, thereby prevented that user from carrying out network and climb over the walls, access limited network by walking around DNS, realized effectively, access to netwoks control reliably.
This access filter can be any server that is arranged in network, comprises above-mentioned access to netwoks message receiver module and access to netwoks control module.
Further, in the access filter of above-described embodiment, Access Control List (ACL) is IPv4 Access Control List (ACL), and described access filter is IPv6 access filter, and correspondingly, described access filter also disposes IPv4 address and IPv6 address translation table; And access to netwoks control module comprises: address lookup unit, if know that for detecting the destination address of access to netwoks message is IPv6 address, the inquiry IPv4 address corresponding with described IPv6 address in IPv4 address and IPv6 address translation table; Address detected unit, for whether comprising obtained IPv4 address in described IPv4 Access Control List (ACL) inquiry, if comprise, confirms that described destination address is limited accass address.
According to the access filter of above-described embodiment, can avoid, because the user who does not cause for the access control method of IPv6 address in prior art is by escaping the access control of IPv4 with IPv6 access filter, having realized more comprehensive, effectively access control.
Further, in the access filter of above-described embodiment, also comprise:
Address sending module, for providing access filter address to certificate server, with the authentication request packet being sent in described Authentication Client by described authentication server response, to described Authentication Client, return to the authentication response message that carries described access filter address.
Further, in the access filter of above-described embodiment, access to netwoks control module is also for sending a warning message to described certificate server.
The present invention also provides a kind of access control system, the framework example of this access control system as shown in Figure 1, comprises access filter, the certificate server of the Authentication Client of above-mentioned arbitrary embodiment, above-mentioned arbitrary embodiment and the authenticated exchange machine being connected with described Authentication Client, described access filter and described certificate server respectively.
According to the access control system of above-described embodiment, overall network access message user being sent due to Authentication Client is sent to the access filter that disposes Access Control List (ACL), access filter can be tested to user's overall network access according to Access Control List (ACL), whether the network that will access take confirmation user is as limited accass network, and when being "Yes", judged result stops this access, thereby prevented that user from carrying out network and climb over the walls, access limited network by walking around DNS, realized effectively, access to netwoks control reliably.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
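As an added illustration (not code from the patent), the following Python models the IPv6 access filter of the embodiment above and of claims 5 to 9: the address lookup unit maps an IPv6 destination through the IPv4/IPv6 translation table, the address detection unit checks the result against the IPv4 ACL, blocking information goes back to the Authentication Client and a warning is queued for the authentication server. All addresses, the message format and the handling of an IPv6 destination with no table entry are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample configuration using documentation address ranges.
IPV4_ACL = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
TRANSLATION_TABLE = {  # IPv6 address -> IPv4 address, as configured on the access filter
    ipaddress.ip_address("2001:db8::7"): ipaddress.ip_address("203.0.113.7"),
    ipaddress.ip_address("2001:db8::10"): ipaddress.ip_address("192.0.2.10"),
}


def client_should_forward(message):
    """Authentication Client (claim 2): forward to the filter only messages whose
    destination address is IPv6; IPv4 traffic stays under the existing IPv4 control."""
    return ipaddress.ip_address(message["dst"]).version == 6


@dataclass
class AccessFilter:
    """IPv6 access filter: an IPv4 ACL plus an IPv4/IPv6 address translation table."""
    ipv4_acl: list
    translation_table: dict
    alerts: list = field(default_factory=list)  # warnings for the authentication server

    def lookup_ipv4(self, dest):
        """Address lookup unit: resolve the destination to the IPv4 address the ACL is
        written against. IPv4 destinations are used as-is; IPv6 destinations go through
        the translation table (None when there is no entry)."""
        if dest.version == 4:
            return dest
        return self.translation_table.get(dest)

    def is_restricted(self, dest):
        """Address detection unit: restricted iff the IPv4 address is covered by the ACL."""
        ipv4 = self.lookup_ipv4(dest)
        if ipv4 is None:
            # Assumption: the patent blocks only when the mapped IPv4 address is in the
            # ACL, so an IPv6 destination with no mapping is not blocked here.
            return False
        return any(ipv4 in net for net in self.ipv4_acl)

    def handle(self, client_id, message):
        """Network access control module: return blocking information for the
        Authentication Client, or None when the access is allowed."""
        dest = ipaddress.ip_address(message["dst"])
        if not self.is_restricted(dest):
            return None
        # Claims 7 and 10: also raise a warning towards the authentication server.
        self.alerts.append(f"client {client_id}: blocked access to {dest}")
        return {"type": "prevent", "dst": str(dest)}


if __name__ == "__main__":
    acl_filter = AccessFilter(IPV4_ACL, TRANSLATION_TABLE)
    for dst in ("2001:db8::7", "2001:db8::10", "2001:db8::99", "198.51.100.7"):
        msg = {"dst": dst}
        verdict = acl_filter.handle("client-1", msg) if client_should_forward(msg) else "not forwarded"
        print(dst, "->", verdict)
```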

Claims (11)

1. An access control method, characterized in that it comprises:
an Authentication Client obtaining the address of an access filter configured with an Access Control List (ACL);
the Authentication Client intercepting a network access message sent by a user and sending the network access message to the access filter according to the access filter address, so that the access filter, if it finds by checking against the ACL that the destination address of the network access message is a restricted address, returns blocking information to the Authentication Client;
wherein the ACL is an IPv4 ACL, the access filter is an IPv6 access filter, and correspondingly the access filter is also configured with an IPv4/IPv6 address translation table;
and wherein the step of the Authentication Client obtaining the address of the access filter configured with the ACL comprises:
the Authentication Client sending an authentication request packet carrying user address information to an authentication server via an authentication switch;
the authentication server authenticating the user according to the user address information and, when the user passes authentication, returning to the Authentication Client via the authentication switch an authentication response message carrying the access filter address.
2. The access control method according to claim 1, characterized in that the step of the Authentication Client intercepting the network access message sent by the user and sending it to the access filter according to the access filter address comprises:
the Authentication Client intercepting the network access message sent by the user and detecting whether its destination address is an IPv6 address; if so, sending the network access message to the access filter.
3. An Authentication Client, characterized in that it comprises:
an access filter address acquisition module for obtaining the address of an access filter configured with an Access Control List (ACL);
a packet forwarding module for intercepting a network access message sent by a user and sending it to the access filter according to the access filter address, so that the access filter, if it finds by checking against the ACL that the destination address of the network access message is a restricted address, returns blocking information to the Authentication Client;
wherein the ACL is an IPv4 ACL, the access filter is an IPv6 access filter, and correspondingly the access filter is also configured with an IPv4/IPv6 address translation table;
and wherein the access filter address acquisition module comprises:
a user authentication unit for sending an authentication request packet carrying user address information to an authentication server via an authentication switch, and for receiving the authentication response message carrying the access filter address that the authentication server returns via the authentication switch;
a resolution unit for parsing the authentication response message to obtain the access filter address.
4. The Authentication Client according to claim 3, characterized in that the packet forwarding module comprises:
a packet check unit for intercepting the network access message sent by the user and detecting whether its destination address is an IPv6 address;
a message forwarding unit for sending the network access message to the access filter when the detection result of the packet check unit is yes.
5. An access control method, characterized in that it comprises:
an access filter providing its access filter address to an authentication server, so that the authentication server, in response to an authentication request packet sent by an Authentication Client, returns to the Authentication Client an authentication response message carrying the access filter address;
the access filter receiving a network access message sent by a user and forwarded via the Authentication Client;
the access filter checking according to a configured Access Control List (ACL) whether the destination address of the network access message is a restricted address and, if so, returning blocking information to the Authentication Client;
wherein the ACL is an IPv4 ACL, the access filter is an IPv6 access filter, and correspondingly the access filter is also configured with an IPv4/IPv6 address translation table.
6. The access control method according to claim 5, characterized in that the step of the access filter checking according to the configured ACL whether the destination address of the network access message is a restricted address comprises: if the IPv6 access filter detects that the destination address of the network access message is an IPv6 address, looking up the IPv4 address corresponding to that IPv6 address in the IPv4/IPv6 address translation table and querying whether the IPv4 ACL contains the obtained IPv4 address; if it does, confirming that the destination address is a restricted address.
7. The access control method according to claim 5 or 6, characterized in that, after the step of the access filter checking according to the configured ACL whether the destination address of the network access message is a restricted address and, if so, returning blocking information to the Authentication Client, the method further comprises:
the access filter sending a warning message to the authentication server.
8. An access filter, characterized in that it comprises:
an address sending module for providing the access filter address to an authentication server, so that the authentication server, in response to an authentication request packet sent by an Authentication Client, returns to the Authentication Client an authentication response message carrying the access filter address;
a network access message receiving module for receiving a network access message sent by a user and forwarded via the Authentication Client;
a network access control module for checking according to a configured Access Control List (ACL) whether the destination address of the network access message is a restricted address and, if so, returning blocking information to the Authentication Client;
wherein the ACL is an IPv4 ACL, the access filter is an IPv6 access filter, and correspondingly the access filter is also configured with an IPv4/IPv6 address translation table.
9. The access filter according to claim 8, characterized in that the network access control module comprises: an address lookup unit which, on detecting that the destination address of the network access message is an IPv6 address, looks up the IPv4 address corresponding to that IPv6 address in the IPv4/IPv6 address translation table; and an address detection unit which queries whether the IPv4 ACL contains the obtained IPv4 address and, if it does, confirms that the destination address is a restricted address.
10. The access filter according to claim 8 or 9, characterized in that the network access control module is also used to send a warning message to the authentication server.
11. An access control system, characterized in that it comprises: the Authentication Client according to claim 3 or 4, the access filter according to any of claims 8 to 10, an authentication server, and an authentication switch connected respectively to the Authentication Client, the access filter and the authentication server.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110079910.XA CN102118398B (en) 2011-03-31 2011-03-31 Access control method, device and system


Publications (2)

Publication Number Publication Date
CN102118398A CN102118398A (en) 2011-07-06
CN102118398B true CN102118398B (en) 2014-04-23

Family ID: 44216987


Country Status (1)

Country Link
CN (1) CN102118398B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9264440B1 (en) * 2015-08-04 2016-02-16 Farsight Security, Inc. Parallel detection of updates to a domain name system record system using a common filter
CN105208026A (en) * 2015-09-29 2015-12-30 努比亚技术有限公司 Hostile attack preventing method and network system
CN105491047B (en) * 2015-12-10 2019-01-11 浙江宇视科技有限公司 A kind of access control method and system of headend equipment
CN108616490B (en) * 2016-12-13 2020-11-03 腾讯科技(深圳)有限公司 Network access control method, device and system
CN109660497B (en) * 2017-10-12 2022-03-18 阿里巴巴集团控股有限公司 Data processing method and device, terminal, processor and storage medium
CN110022334B (en) * 2018-01-09 2022-01-11 香港理工大学深圳研究院 Detection method and detection device of proxy server and terminal equipment
CN109167758B (en) * 2018-08-07 2021-07-23 新华三技术有限公司 Message processing method and device
CN109462589B (en) * 2018-11-13 2021-08-24 北京天融信网络安全技术有限公司 Method, device and equipment for controlling network access of application program

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1567839A (en) * 2003-06-24 2005-01-19 华为技术有限公司 Port based network access control method
CN1705270A (en) * 2004-05-26 2005-12-07 华为技术有限公司 System and method for controlling network access
CN1815971A (en) * 2005-02-03 2006-08-09 杭州华为三康技术有限公司 Green internet-accessing system based on concentrated management and dictributed control, and method therefor

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070002860A1 (en) * 2005-06-30 2007-01-04 Cooper Frederick J Method and system for a digital home network trace and debug tool


Also Published As

Publication number Publication date
CN102118398A (en) 2011-07-06


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140423

Termination date: 20200331