CN102185867A - Method for realizing network security and star network - Google Patents
- Publication number: CN102185867A
- Authority: CN (China)
- Prior art keywords: security, controller, terminal, security server, communication
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a method for realizing network security and a star network. In the scheme of the invention, a controller is added to the star network; the controller and the security server establish a connection by means of authentication; the security server confirms that its communication with the controller is secure by periodically sending detect-messages; each time the security server receives an access request from a terminal, it sends the security level of the requested file and the IP (Internet Protocol) address of the terminal to the controller; the controller determines the terminal's confidentiality level from the file's security level, stores the terminal's IP address and confidentiality level in a security-level mapping table, generates the terminal's communication rules from the mapping table and sends them to the switch, which controls communication between terminals accordingly. The technical scheme of the invention greatly improves the security of the star network.
Description
Technical field
The present invention relates to the field of network communication technology, and in particular to a method for realizing network security and to a star network.
Background technology
The star network is the most common local area network (LAN) topology in practice. Fig. 1 is a networking schematic of an existing star network. As shown in Fig. 1, all communication between terminals must pass through the switch, and each terminal also accesses the security server through the switch.
Because of the open nature of a LAN, the important information resources on each terminal of the star network shown in Fig. 1 are in a high-risk state; possible security problems include illegal intrusion by viruses and trojans spreading through the network, and theft of information over the network.
Against the problems above, traditional information security technologies such as firewalls, intrusion detection systems, access control, authentication and virtual private networks are often powerless, because these technologies are mostly aimed at exploitation by external attackers and cannot monitor and block the leakage of internal confidential data in real time.
The security of existing star networks therefore still needs to be improved.
Summary of the invention
The invention provides a method for realizing network security which can improve the security of a star network.
The invention also provides a star network with higher security.
To achieve the above objects, the technical scheme of the invention is as follows:
The invention discloses a method for realizing network security, applicable to a star network in which a plurality of terminals communicate with one another through a switch and access a security server through that switch; a controller is additionally provided in the star network, and the method comprises:
The security server and the controller establish a connection by means of authentication. After the connection succeeds, the security server periodically sends detect-messages to the controller, and the controller returns a response message to the security server after each detect-message it receives. If the security server has sent a preset number of detect-messages to the controller and still received no response message, it refuses access from any client.
Each time the security server receives an access request from a terminal, it sends the security level of the file requested by that terminal and the terminal's IP address to the controller.
The controller receives the file security level and IP address sent by the security server, determines the terminal's confidentiality level from the file security level, and saves the terminal's IP address together with its confidentiality level in a security-level mapping table; the controller then generates the terminals' communication rules from the security-level mapping table and sends them to the switch. In these communication rules, communication is allowed between terminals of the lowest confidentiality level, and any terminal whose confidentiality level is higher than the lowest is forbidden to communicate with any other terminal.
The switch controls communication between the terminals according to the communication rules sent by the controller.
The invention also provides a star network comprising a switch, a security server and a plurality of terminals, where the terminals communicate with one another through the switch and access the security server through the switch; the star network further comprises a controller connected to the switch and to the security server, wherein:
The security server is configured to establish a connection with the controller by means of authentication and, after the connection succeeds, to periodically send detect-messages to the controller; to refuse access from any client if it has sent a preset number of detect-messages to the controller and still received no response message; and, each time it receives an access request from a terminal, to send the security level of the requested file and the terminal's IP address to the controller.
The controller is configured to return a response message to the security server whenever it receives a detect-message from the security server; to receive the file security level and IP address sent by the security server, determine the terminal's confidentiality level from the file security level, and save the terminal's IP address together with its confidentiality level in the security-level mapping table; and to generate the terminals' communication rules from the security-level mapping table and send them to the switch. In these communication rules, communication is allowed between terminals of the lowest confidentiality level, and any terminal whose confidentiality level is higher than the lowest is forbidden to communicate with any other terminal.
The switch is configured to control communication between the terminals according to the communication rules sent by the controller.
As can be seen from the above, the invention adds a controller to the star network; the controller and the security server connect by means of authentication; the security server confirms that its communication with the controller is secure by periodically sending detect-messages; each time the security server receives an access request from a terminal, it sends the security level of the requested file and the terminal's IP address to the controller; the controller determines the terminal's confidentiality level from the file security level, saves the terminal's IP address and confidentiality level in the security-level mapping table, then generates the terminals' communication rules from the mapping table and sends them to the switch, which in turn controls communication between the terminals. This technical scheme greatly improves the security of the star network.
Description of drawings
Fig. 1 is a networking schematic of an existing star network;
Fig. 2 is a schematic of a method for realizing network security in an embodiment of the invention;
Fig. 3 is a schematic of the star network in an embodiment of the invention.
Embodiment
To make the objects, technical solutions and advantages of the invention clearer, the invention is described below with reference to the drawings and specific embodiments.
Fig. 2 is a schematic of a method for realizing network security in an embodiment of the invention. The method is applicable to a star network in which a plurality of terminals communicate with one another through a switch and access a security server through that switch, and in which a controller is additionally provided. As shown in Fig. 2, the method comprises:
201. The security server and the controller establish a connection by means of authentication. After the connection succeeds, the security server periodically sends detect-messages to the controller, and the controller returns a response message to the security server after each detect-message it receives. If the security server has sent a preset number of detect-messages to the controller and still received no response message, it refuses access from any client.
202. Each time the security server receives an access request from a terminal, it sends the security level of the file requested by that terminal and the terminal's IP address to the controller.
203. The controller receives the file security level and IP address sent by the security server, determines the terminal's confidentiality level from the file security level, and saves the terminal's IP address together with its confidentiality level in a security-level mapping table; the controller then generates the terminals' communication rules from the security-level mapping table and sends them to the switch. In these communication rules, communication is allowed between terminals of the lowest confidentiality level, and any terminal whose confidentiality level is higher than the lowest is forbidden to communicate with any other terminal.
204. The switch controls communication between the terminals according to the communication rules sent by the controller.
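The fail-closed detect-message loop of step 201, modelled as a state machine so the rule "still no response after the preset number of detect-messages, then refuse every client" can be exercised without a network. This is an added example, not code from the patent; the preset number, the event names and the assumption that a later response restores service are all choices made here, as the patent leaves them open.

```python
# Added example (not the patent's code): security-server side of step 201.
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class HeartbeatMonitor:
    max_unanswered: int = 3           # the patent's "preset number" (assumed value)
    connected: bool = False           # True only after the authenticated connect
    unanswered: int = 0               # consecutive detect-messages without a response
    next_seq: int = 0
    outstanding: Set[int] = field(default_factory=set)

    def connection_established(self) -> None:
        """The certificate-based connect succeeded; start from a clean slate."""
        self.connected = True
        self.unanswered = 0
        self.outstanding.clear()

    def send_detect(self) -> int:
        """Security server sends one detect-message and remembers it is outstanding."""
        if not self.connected:
            raise RuntimeError("detect-messages are only sent after authentication")
        seq = self.next_seq
        self.next_seq += 1
        self.outstanding.add(seq)
        return seq

    def response_received(self, seq: int) -> None:
        """Controller answered detect-message `seq`: the channel is alive again
        (assumed: the patent does not say whether service is restored)."""
        if seq in self.outstanding:
            self.outstanding.discard(seq)
            self.unanswered = 0

    def response_timed_out(self, seq: int) -> None:
        """No response to detect-message `seq` arrived within the expected interval."""
        if seq in self.outstanding:
            self.outstanding.discard(seq)
            self.unanswered += 1

    def clients_allowed(self) -> bool:
        """Fail closed: clients are served only while the controller keeps answering."""
        return self.connected and self.unanswered < self.max_unanswered


def run_scenario(events: List[Tuple[str, int]], max_unanswered: int = 3) -> bool:
    """Replay ("detect"|"ok"|"timeout", seq) events on a fresh, connected monitor
    and report whether the security server would still serve clients afterwards.
    `seq` is ignored for "detect"; for "ok"/"timeout" it names the detect-message."""
    m = HeartbeatMonitor(max_unanswered=max_unanswered)
    m.connection_established()
    for kind, seq in events:
        if kind == "detect":
            m.send_detect()
        elif kind == "ok":
            m.response_received(seq)
        elif kind == "timeout":
            m.response_timed_out(seq)
        else:
            raise ValueError(f"unknown event {kind!r}")
    return m.clients_allowed()


if __name__ == "__main__":
    # Healthy channel: every detect-message is answered.
    print(run_scenario([("detect", 0), ("ok", 0), ("detect", 1), ("ok", 1)]))   # True
    # Controller goes silent: three unanswered detect-messages, refuse all clients.
    print(run_scenario([("detect", 0), ("timeout", 0), ("detect", 1), ("timeout", 1),
                        ("detect", 2), ("timeout", 2)]))                         # False
```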
Fig. 3 is a schematic of the star network in an embodiment of the invention. As shown in Fig. 3, the star network comprises a switch, a security server and a plurality of terminals; the terminals communicate with one another through the switch and access the security server through the switch; in addition, the star network comprises a controller connected to the switch and to the security server.
The security server is configured to establish a connection with the controller by means of authentication and, after the connection succeeds, to periodically send detect-messages to the controller; to refuse access from any client if it has sent a preset number of detect-messages to the controller and still received no response message; and, each time it receives an access request from a terminal, to send the security level of the requested file and the terminal's IP address to the controller.
The controller is configured to return a response message to the security server whenever it receives a detect-message from the security server; to receive the file security level and IP address sent by the security server, determine the terminal's confidentiality level from the file security level, and save the terminal's IP address together with its confidentiality level in the security-level mapping table; and to generate the terminals' communication rules from the security-level mapping table and send them to the switch. In these communication rules, communication is allowed between terminals of the lowest confidentiality level, and any terminal whose confidentiality level is higher than the lowest is forbidden to communicate with any other terminal.
The switch is configured to control communication between the terminals according to the communication rules sent by the controller.
It should be noted here that the communication between the security server and the controller is also forwarded by the switch; that is, the switch also forwards the messages exchanged between the security server and the controller.
In the system shown in Fig. 3, the security server and the controller connect by means of authentication as follows: after starting up, the security server sends a connection request to the controller; on receiving the connection request, the controller requests a certificate from the security server; the security server sends its own certificate to the controller; the controller authenticates the security server on the basis of the certificate, accepts the connection if authentication succeeds and refuses it if authentication fails. After the controller has authenticated the certificate and accepted the connection, it generates a random key, encrypts it with the security server's public key and sends it to the security server; from then on, data between the security server and the controller is encrypted with this key before transmission, i.e. data the security server sends to the controller is encrypted with this key, and data the controller sends to the security server is also encrypted with this key.
In the star network shown in Fig. 3, the switch is a layer-3 switch that provides an access control list (ACL) command interface; it can control access based on MAC address, IP address, IP protocol (TCP/UDP), TCP port number and UDP port number, and can physically cut off data communication between two specified terminals. The switch can therefore control communication between the terminals according to the communication rules sent by the controller.
In the star network shown in Fig. 3, the security server continuously notifies the controller of each terminal's IP address and the security level of the confidential file it accessed, according to the terminals' access activity.
In the star network shown in Fig. 3, the controller keeps a mapping table containing the IP address of every terminal. When the controller receives a file security level and IP address from the security server, it determines the terminal's confidentiality level from the file security level and then writes that confidentiality level into the mapping table entry corresponding to the terminal's IP address. In one embodiment of the invention, the controller may define several confidentiality levels and denote them by numbers, for example five confidentiality levels denoted 1, 2, 3, 4 and 5 respectively, where 1 is the highest confidentiality level and the levels decrease in turn down to 5, the lowest. Under the scheme of the invention, the terminals whose confidentiality level is 5 can then communicate with one another.
In addition, in the star network shown in Fig. 3, no terminal has a confidentiality level initially; that is, in the mapping table every IP address initially corresponds to 'no confidentiality level', and only after the corresponding terminal has accessed a confidential file on the security server is the entry for its IP address changed to a confidentiality level, the specific level being determined by the controller from the security level of the file accessed. In the invention, the communication rules the controller issues to the switch also include: communication is allowed between terminals with no confidentiality level, and between terminals with no confidentiality level and terminals of the lowest confidentiality level.
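The controller's mapping table and rule generation of step 203, worked through with the embodiment's five-level scheme (1 highest, 5 lowest, no level initially) and the extra rule for no-level terminals. This is an added example, not code from the patent: how a file's security level becomes the terminal's confidentiality level is assumed (the terminal takes the file's level and keeps the most sensitive level it has reached), the IP addresses are constructed, and the ACL text is a vendor-neutral rendering rather than any particular switch's syntax.

```python
# Added example (not the patent's code): controller side of step 203.
from itertools import combinations
from typing import Dict, List, Optional, Tuple

LOWEST_LEVEL = 5       # least sensitive level in the embodiment's 1..5 scheme


class Controller:
    def __init__(self, terminal_ips: List[str]) -> None:
        # Every known terminal starts out with 'no confidentiality level'.
        self.table: Dict[str, Optional[int]] = {ip: None for ip in terminal_ips}

    def on_access(self, ip: str, file_level: int) -> None:
        """Security server reports: terminal `ip` requested a file of `file_level`."""
        if not 1 <= file_level <= LOWEST_LEVEL:
            raise ValueError(f"file security level out of range: {file_level}")
        current = self.table.get(ip)
        # Assumed policy: a terminal that touched a level-2 file stays at level 2
        # even if it later opens a level-5 file (lower number = more sensitive).
        self.table[ip] = file_level if current is None else min(current, file_level)

    def may_communicate(self, a: str, b: str) -> bool:
        """Rule of claims 1 and 2: only the no-level / lowest-level group may talk;
        a terminal above the lowest level is cut off from every other terminal."""
        return all(self.table[ip] in (None, LOWEST_LEVEL) for ip in (a, b))

    def rules(self) -> List[Tuple[str, str, str]]:
        """One permit/deny decision per unordered terminal pair."""
        return [(a, b, "permit" if self.may_communicate(a, b) else "deny")
                for a, b in combinations(sorted(self.table), 2)]

    def acl_lines(self) -> List[str]:
        """Render the deny decisions as switch ACL entries (constructed syntax)."""
        lines = []
        for a, b, verdict in self.rules():
            if verdict == "deny":
                lines.append(f"deny ip host {a} host {b}")
                lines.append(f"deny ip host {b} host {a}")
        lines.append("permit ip any any")    # everything not cut off stays reachable
        return lines


def demo() -> Dict[str, str]:
    """Walk three terminals through the scheme and return the final pair verdicts."""
    c = Controller(["10.0.0.1", "10.0.0.2", "10.0.0.3"])   # constructed addresses
    c.on_access("10.0.0.2", 5)   # .2 opened a lowest-level file: still free to talk
    c.on_access("10.0.0.1", 2)   # .1 opened a level-2 file: isolated from everyone
    c.on_access("10.0.0.1", 5)   # later level-5 access does not lower .1's sensitivity
    return {f"{a}<->{b}": verdict for a, b, verdict in c.rules()}


if __name__ == "__main__":
    for pair, verdict in demo().items():
        print(pair, verdict)
```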
As can be seen from the above, in the technical scheme of the invention a controller is added to the star network; the controller and the security server connect by means of authentication; the security server confirms that its communication with the controller is secure by periodically sending detect-messages; each time the security server receives an access request from a terminal, it sends the security level of the requested file and the terminal's IP address to the controller; the controller determines the terminal's confidentiality level from the file security level, saves the terminal's IP address and confidentiality level in the security-level mapping table, then generates the terminals' communication rules from the mapping table and sends them to the switch, which in turn controls communication between the terminals. Since the security server and the controller connect only after authentication, and the security server monitors the security of its communication with the controller in real time, the trustworthiness of the security server and the controller is guaranteed first; the security server then sends the security level of the files accessed by terminals to the controller, and the controller formulates communication rules from the terminals' access records and sends them to the switch for enforcement, which guarantees the communication security of every terminal.
The above are merely preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.
Claims (10)
1. A method for realizing network security, applicable to a star network in which a plurality of terminals communicate with one another through a switch and access a security server through that switch, characterized in that a controller is additionally provided in the star network and the method comprises:
the security server and the controller establish a connection by means of authentication; after the connection succeeds, the security server periodically sends detect-messages to the controller, and the controller returns a response message to the security server after each detect-message it receives; if the security server has sent a preset number of detect-messages to the controller and still received no response message, it refuses access from any client;
each time the security server receives an access request from a terminal, it sends the security level of the file requested by that terminal and the terminal's IP address to the controller;
the controller receives the file security level and IP address sent by the security server, determines the terminal's confidentiality level from the file security level, and saves the terminal's IP address together with its confidentiality level in a security-level mapping table; the controller generates the terminals' communication rules from the security-level mapping table and sends them to the switch; wherein, in the communication rules, communication is allowed between terminals of the lowest confidentiality level, and any terminal whose confidentiality level is higher than the lowest is forbidden to communicate with any other terminal;
the switch controls communication between the terminals according to the communication rules sent by the controller.
2. The method according to claim 1, characterized in that the method further comprises: the terminals in the star network have no confidentiality level initially;
and the communication rules further comprise: communication is allowed between terminals with no confidentiality level, and between terminals with no confidentiality level and terminals of the lowest confidentiality level.
3. The method according to claim 1, characterized in that establishing the connection by means of authentication between the security server and the controller comprises:
after starting up, the security server sends a connection request to the controller;
on receiving the connection request, the controller requests a certificate from the security server;
the security server sends its own certificate to the controller;
the controller authenticates on the basis of the certificate, accepts the connection if authentication succeeds, and refuses the connection if authentication fails.
4. The method according to claim 3, characterized in that the method further comprises:
after the controller has authenticated on the basis of the certificate and accepted the connection, the controller encrypts a randomly generated key with the public key of the security server and sends it to the security server; thereafter, data between the security server and the controller is encrypted with this key before transmission.
5. The method according to any one of claims 1 to 4, characterized in that
the communication between the security server and the controller is forwarded by the switch.
6. A star network, characterized in that it comprises a switch, a security server and a plurality of terminals, the terminals communicating with one another through the switch and accessing the security server through the switch; the star network further comprises a controller connected to the switch and to the security server; wherein:
the security server is configured to establish a connection with the controller by means of authentication and, after the connection succeeds, to periodically send detect-messages to the controller; to refuse access from any client if it has sent a preset number of detect-messages to the controller and still received no response message; and, each time it receives an access request from a terminal, to send the security level of the requested file and the terminal's IP address to the controller;
the controller is configured to return a response message to the security server whenever it receives a detect-message from the security server; to receive the file security level and IP address sent by the security server, determine the terminal's confidentiality level from the file security level, and save the terminal's IP address together with its confidentiality level in the security-level mapping table; and to generate the terminals' communication rules from the security-level mapping table and send them to the switch; wherein, in the communication rules, communication is allowed between terminals of the lowest confidentiality level, and any terminal whose confidentiality level is higher than the lowest is forbidden to communicate with any other terminal;
the switch is configured to control communication between the terminals according to the communication rules sent by the controller.
7. The star network according to claim 6, characterized in that the terminals in the star network have no confidentiality level initially;
and the communication rules further comprise: communication is allowed between terminals with no confidentiality level, and between terminals with no confidentiality level and terminals of the lowest confidentiality level.
8. The star network according to claim 6, characterized in that
the security server is configured to send a connection request to the controller after starting up, to send its own certificate to the controller when the controller requests a certificate, and to accept the key sent by the controller;
the controller is configured, after receiving the connection request from the security server, to request a certificate from the security server, receive the certificate sent by the security server, authenticate on the basis of this certificate, accept the connection if authentication succeeds and refuse the connection if authentication fails.
9. The star network according to claim 8, characterized in that
the controller is further configured, after authenticating on the basis of the certificate and accepting the connection, to encrypt a randomly generated key with the public key of the security server and send it to the security server, and thereafter to encrypt the data it sends to the security server with this key;
the security server is further configured to receive the key sent by the controller and thereafter to encrypt the data it sends to the controller with this key.
10. The star network according to any one of claims 6 to 9, characterized in that
the switch is configured to forward the messages between the security server and the controller.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN2011101297632A | 2011-05-19 | 2011-05-19 | Method for realizing network security and star network
Publications (1)
Publication Number | Publication Date
---|---
CN102185867A | 2011-09-14
Family
ID=44571937
Family Applications (1)
Application Number | Title | Priority Date | Filing Date | Status
---|---|---|---|---
CN2011101297632A | Method for realizing network security and star network | 2011-05-19 | 2011-05-19 | Pending
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102497272A (en) * | 2011-12-26 | 2012-06-13 | 苏州风采信息技术有限公司 | Dynamic controllable method of security switch |
CN102497381A (en) * | 2011-12-26 | 2012-06-13 | 苏州风采信息技术有限公司 | Implementation method for dynamic controlled security switch structure |
CN106411929A (en) * | 2016-11-08 | 2017-02-15 | 西安云雀软件有限公司 | Method for placing illegal terminal into corresponding isolation area according to terminal safety level |
CN106485144A (en) * | 2016-09-30 | 2017-03-08 | 北京奇虎科技有限公司 | The analysis method of classified information and device |
CN106650432A (en) * | 2016-09-30 | 2017-05-10 | 北京奇虎科技有限公司 | Secret-related information analysis method and apparatus |
CN107592319A (en) * | 2017-09-29 | 2018-01-16 | 郑州云海信息技术有限公司 | A kind of document down loading method and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1889502A (en) * | 2006-06-02 | 2007-01-03 | 清华大学 | Method for preventing star-shape network from invading and attacking based on intelligent exchanger |
CN1889427A (en) * | 2006-06-02 | 2007-01-03 | 清华大学 | Safety star-shape local network computer system |
US20080022084A1 (en) * | 2006-07-21 | 2008-01-24 | Sbc Knowledge Vertures, L.P. | System and method for securing a network |
CN101594360A (en) * | 2009-07-07 | 2009-12-02 | 清华大学 | LAN system and the method for safeguarding LAN information safety |
Non-Patent Citations (1)
Title |
---|
周麒麟等: "《用于安全局域网络的动态监控器》", 《清华大学学报》, vol. 49, no. 1, 31 January 2009 (2009-01-31) * |
Legal Events
Code | Title | Description
---|---|---
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C12 | Rejection of a patent application after its publication |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20110914