CN102594814B - Terminal-based network access control system - Google Patents

Publication number: CN102594814B
Authority: CN (China)
Prior art keywords: network, access control, information, module, acl
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201210030423.9A
Other languages: Chinese (zh)
Other versions: CN102594814A (en)
Inventor: 张辉
Current Assignee: Fujian Centerm Information Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Fujian Centerm Information Co Ltd
Priority date: see the priority application below (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
History: application filed by Fujian Centerm Information Co Ltd; priority to CN201210030423.9A; published as CN102594814A; application granted and published as CN102594814B; current legal status Active.


Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention provides a terminal-based network access control system. The system comprises a network access control module, a network limit module and a network card intermediate-layer filter driver module. The network access control module performs network authentication according to the identity of the user to determine whether the terminal equipment used by that user is allowed to connect to the network; the network limit module parses the network access control policy transmitted by the server, converts it into an access control list and distributes the access control list to the network card intermediate-layer filter driver module; and the network card intermediate-layer filter driver module filters the data frames received by the network card of the terminal equipment in order to intercept the network access behaviour forbidden by the network access control policy. With this system, a computer's network access can be limited at the terminal itself, and different computers or users can be confined to the networks assigned to them. When a user's security state changes, the user can be isolated in a designated network area so that others are not affected.

Description

Terminal-based network access control system
[technical field]
The present invention relates to the field of computer communication, and in particular to a terminal-based network access control system.
[background technology]
Traditional network isolation control is generally implemented by configuring switches or firewalls. It places high demands on hardware and has poor compatibility; when access rights need to change dynamically, the switches must be reconfigured frequently, and because switches are numerous and dispersed, configuration becomes very troublesome. Configuring a large number of ACLs (access control lists) on switches or firewalls also affects switch performance and degrades network performance, and some unmanaged switches cannot support this kind of configuration at all. At the same time, for network access through an external 3G Internet card or a wireless network card, restricting network access and controlling network traffic cannot be achieved by configuring switches or firewalls.
In traditional network isolation technology, restricting the network access rights of a given terminal requires configuring a firewall, or the ACL table or VLAN (virtual LAN) of devices such as switches. When users' access rights must change dynamically, the configuration of the switches or firewalls has to be changed frequently; the load carried by the hardware grows, and administrators are burdened with maintenance. Moreover, the traditional approach can only restrict traffic that passes through the switch or firewall; it cannot restrict externally attached devices such as wireless network cards and 3G Internet cards. Besides the complexity brought by the large number of configurations and the problem of device compatibility, traditional network isolation technology has the following security problems:
1) A user's computer is infected and must be prohibited from accessing the network, or isolated into a network recovery area. The switch the user is connected to must be configured to restrict its network access; if the access layer uses unmanaged switches, the computer cannot be effectively isolated.
2) A user accesses the Internet through an external 3G Internet card, a wireless network card or similar means; restricting network access and controlling network traffic cannot then be achieved by configuring switches or firewalls, which creates a security risk.
Moreover, because different users have different network access rights, the administrator must configure each one separately; the cost of management and maintenance is very high and the difficulty is very great.
The prior art provides a "security management method, authentication client, server and security management system" (Chinese patent, publication number CN102164136A, published 2011.08.24). Its security management method is characterized in that: the authentication client obtains security control information, carrying a security configuration standard, issued by the server; the authentication client checks, according to the security control information, whether the user's security configuration meets the security configuration standard; if it does not, the authentication client sends a notification of non-compliance to the server so that the server performs network access control on the user. Its authentication client is characterized in that it comprises: a security control information acquisition module for obtaining the security control information, carrying the security configuration standard, issued by the server; a security configuration detection module for checking, according to the security control information, whether the user's security configuration meets the security configuration standard; and a notification sending module for sending a notification of non-compliance to the server when the user's security configuration does not meet the security configuration standard, so that the server performs network access control on the user. The security management method, authentication client, server and security management system of that invention can keep server performance high while a large number of users access the network simultaneously, and solve the prior-art problem that checking whether a user's antivirus software information is legitimate degrades authentication server performance. However, that invention cannot dynamically change a client's network access rights according to the security state of the client computer itself, including switching between intranet and extranet; it cannot dynamically configure the security control information; and it cannot prevent a client computer from using other external networks to bypass network access control.
[summary of the invention]
The technical problem to be solved by the present invention is to provide a terminal-based network access control system that can restrict a computer's network access behaviour at the terminal, improve network security, and reduce the complexity brought by configuring a large number of switches.
The present invention is achieved as follows: a terminal-based network access control system comprises a network access control module, a network limit module and a network card intermediate-layer filter driver module;
The network access control module performs network authentication according to the user's identity and determines whether the terminal equipment used by the user is allowed to connect to the network;
The network limit module parses the network access control policy issued by the server and converts it into an access control list (ACL) that the network card intermediate-layer filter driver module can process. The access control list comprises an IP address / IP address range field, a local port range field, a remote port range field, a field for the Internet protocol type used, a traffic direction field for network data frames in the terminal equipment, and a rights field; the access control list is distributed to the network card intermediate-layer filter driver module. The network access control policy comprises: the IP address / IP address range information being accessed, local port range information, remote port range information, the Internet protocol type information used, the traffic direction information of network data frames in the terminal equipment, and rights information. The rights information comprises allow and deny; the traffic direction information of network data frames in the terminal equipment comprises receive and send;
The network card intermediate-layer filter driver module filters the network data frames received by the network card of the terminal equipment and intercepts the network access behaviour forbidden by the network access control policy.
The present invention has the following advantages: 1. No ACL, VLAN or similar configuration is needed on devices such as switches; network limiting is carried out on the terminal client computer, configuration and maintenance are simple, and the performance of network devices is unaffected.
2. The network limit module can restrict a user's network access through an external 3G Internet card, a wireless Internet card or similar means.
3. A client's network access rights can be changed dynamically according to the security state of the client computer itself, including switching between intranet and extranet.
4. In combination with the network equipment, control over access rights to enterprise network resources can be achieved, so that only trusted terminal devices can reach key enterprise resources, protecting the security of enterprise resource access.
[brief description of the drawings]
Fig. 1 is a block diagram of the operating principle of the system of the present invention.
[embodiment]
Referring to Fig. 1, the present invention is a terminal-based network access control system comprising a network access control module 1, a network limit module 2 and a network card intermediate-layer filter driver module 3;
The network access control module 1 performs network authentication according to the user's identity and determines whether the terminal equipment used by the user is allowed to connect to the network;
The network limit module 2 parses the network access control policy issued by the server and converts it into an access control list (the ACL table) that the network card intermediate-layer filter driver module 3 can process. The access control list comprises an IP address / IP address range field, a local port range field, a remote port range field, a field for the Internet protocol type used, a traffic direction field for network data frames in the terminal equipment, and a rights field; the access control list is distributed to the network card intermediate-layer filter driver module 3. The network access control policy comprises: the IP address / IP address range information being accessed, local port range information, remote port range information, the Internet protocol type information used, the traffic direction information of network data frames in the terminal equipment, and rights information. The rights information comprises allow and deny; the traffic direction information of network data frames in the terminal equipment comprises receive and send;
The network card intermediate-layer filter driver module 3 filters the network data frames received by the network card of the terminal equipment and intercepts the network access behaviour forbidden by the network access control policy. The specific operation of the network card intermediate-layer filter driver module 3 is as follows:
The network card intermediate-layer filter driver module 3 identifies the network data frames received by the network card, extracts the network packet from the data frame and judges whether the network packet is an IP packet. If not, the network packet is let through. If it is, the source address information, destination address information, source port information, destination port information and Internet protocol type information (for example Transmission Control Protocol TCP, User Datagram Protocol UDP, Internet Control Message Protocol ICMP, etc.) are parsed according to the format of the IP packet, and the access control list is searched and compared according to the parsed information. If the access control list is found to contain an entry corresponding to the information parsed from the IP packet, the rights information in the corresponding row of the access control list is examined (the access control list stores a plurality of rows of data, each row representing one complete record): if the rights information is deny, the IP packet is discarded; if the rights information is allow, the IP packet is let through. If the access control list contains no entry corresponding to the information parsed from the IP packet, the IP packet is let through. When the parsed information is compared against the access control list, the IP address / IP address range, local port range and remote port range in the access control list are compared differently for the different traffic directions: when the traffic direction of the network data frame in the terminal equipment is send, the IP address / IP address range, local port range, remote port range and Internet protocol type in the access control list are compared for a match with the destination address, source port, destination port and protocol type parsed from the IP packet, respectively (the local port range and remote port range in the access control list are port range values, for example a range set to 80~1024; the source port and destination port parsed from the IP packet match as long as their values fall within the respective ranges); when the traffic direction of the network data frame in the terminal equipment is receive, the IP address / IP range, local port range, remote port range and Internet protocol type in the access control list are compared for a match with the source address, destination port, source port and protocol type parsed from the IP packet, respectively.
The system of the present invention also comprises an administrator network access control policy modification module 4. With this module, the administrator directly modifies the network access control policy at the server end; after modification, the modified network access control policy is issued and triggers the network limit module 3 to operate. The management server issues the policy when it finds that the security level of the terminal equipment has changed, for example when a security vulnerability is detected in the terminal equipment or no antivirus software is installed (the management server requires supporting security detection software); the network control policy is then issued and triggers the network limit module 3 to operate, isolating the terminal in a specified network and restricting the related network access behaviour. When the access rights of the terminal equipment change, for example when the terminal equipment is connected to a network environment with a higher security level, a corresponding network control policy is likewise issued and triggers the network limit module 3 to operate.
The present invention restricts the network access behaviour of computers on terminal equipment by software. With terminal-based network isolation technology, the network access behaviour of a computer can be restricted at the terminal, so that different computers or users can easily be confined to accessing only specified networks. When a user's security status changes (for example the computer is infected or attacked), the user can easily be isolated in a specified network area to prevent harm to others. At the same time, a user's external 3G Internet card can be controlled just as effectively, so that it can only access the network range specified by the policy; by simply adjusting the user's access policy, the user can be switched between intranet and extranet.
The foregoing is only a preferred embodiment of the present invention; all equivalent changes and modifications made according to the scope of the claims of this patent application shall fall within the scope of the present invention.

Claims (2)

1. A terminal-based network access control system, characterized in that it comprises a network access control module, a network limit module and a network card intermediate-layer filter driver module;
The network access control module performs network authentication according to the user's identity and determines whether the terminal equipment used by the user is allowed to connect to the network;
The network limit module parses the network access control policy issued by the server and converts it into an access control list (ACL) that the network card intermediate-layer filter driver module can process. The access control list comprises an IP address / IP address range field, a local port range field, a remote port range field, a field for the Internet protocol type used, a traffic direction field for network data frames in the terminal equipment, and a rights field; the access control list is distributed to the network card intermediate-layer filter driver module. The network access control policy comprises: the IP address / IP address range information being accessed, local port range information, remote port range information, the Internet protocol type information used, the traffic direction information of network data frames in the terminal equipment, and rights information. The rights information comprises allow and deny; the traffic direction information of network data frames in the terminal equipment comprises receive and send;
The network card intermediate-layer filter driver module filters the network data frames received by the network card of the terminal equipment and intercepts the network access behaviour forbidden by the network access control policy; the specific operation of the network card intermediate-layer filter driver module is as follows:
The network card intermediate-layer filter driver module identifies the network data frames received by the network card, extracts the network packet from the data frame and judges whether the network packet is an IP packet. If not, the network packet is let through. If it is, the source address information, destination address information, source port information, destination port information and Internet protocol type information are parsed according to the format of the IP packet, and the access control list is searched and compared according to the parsed information. If the access control list is found to contain an entry corresponding to the information parsed from the IP packet, the rights information in the corresponding row of the access control list is examined: if the rights information is deny, the IP packet is discarded; if the rights information is allow, the IP packet is let through. If the access control list contains no entry corresponding to the information parsed from the IP packet, the IP packet is let through. When the parsed information is compared against the access control list, the IP address / IP address range, local port range and remote port range in the access control list are compared differently for the different traffic directions: when the traffic direction of the network data frame in the terminal equipment is send, the IP address / IP address range, local port range, remote port range and Internet protocol type in the access control list are compared for a match with the destination address, source port, destination port and protocol type parsed from the IP packet, respectively; when the traffic direction of the network data frame in the terminal equipment is receive, the IP address / IP range, local port range, remote port range and Internet protocol type in the access control list are compared for a match with the source address, destination port, source port and protocol type parsed from the IP packet, respectively.
2. The terminal-based network access control system according to claim 1, characterized in that it also comprises an administrator network access control policy modification module; with this module, the administrator directly modifies the network access control policy at the server end, and after modification the modified network access control policy is issued and triggers the network limit module to operate.
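The frame-filtering flow described for the network card intermediate-layer filter driver module (in the embodiment above and again in claim 1), together with the network limit module's conversion of a server-issued policy into ACL rows, as an added worked example in Python. This is not code from the patent or from Fujian Centerm: the policy entry format, the AclRule layout, first-match-wins ordering, the treatment of portless protocols such as ICMP, and the sample frames and addresses are all assumptions made for this example. The patent places the filter in a NIC intermediate-layer driver; here the same decision logic runs in user space over constructed Ethernet/IPv4 frames so that it can be exercised offline.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ETHERTYPE_IPV4 = 0x0800
# IPv4 "protocol" field values (IANA) for the protocol types the patent names.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
ANY_PORTS = (0, 65535)


@dataclass
class AclRule:
    """One row of the ACL table: the fields the patent lists (layout is an assumption)."""
    network: object      # IP address / IP address range, as an ipaddress network
    local_ports: tuple   # inclusive (low, high), e.g. (80, 1024)
    remote_ports: tuple
    protocol: str        # "TCP", "UDP", "ICMP", or "ANY" (ANY is an assumption)
    direction: str       # "send" or "receive"
    action: str          # "allow" or "deny"


def policy_to_acl(policy):
    """Network limit module: parse server-issued policy entries into ACL rows.
    The entry format (a list of dicts) is an assumption for this example."""
    return [AclRule(
        network=ip_network(entry["ip"], strict=False),
        local_ports=tuple(entry.get("local_ports", ANY_PORTS)),
        remote_ports=tuple(entry.get("remote_ports", ANY_PORTS)),
        protocol=entry.get("protocol", "ANY").upper(),
        direction=entry["direction"],
        action=entry["action"],
    ) for entry in policy]


def parse_frame(frame):
    """Return (src, dst, sport, dport, proto) for an IPv4 frame, or None if not IP."""
    if len(frame) < 14 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes
    proto = ip[9]
    src, dst = ip_address(ip[12:16]), ip_address(ip[16:20])
    sport = dport = None
    if proto in (6, 17) and len(ip) >= ihl + 4:   # TCP/UDP: ports follow the IP header
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, sport, dport, PROTO_NAMES.get(proto, str(proto))


def _in_range(port, rng):
    return port is not None and rng[0] <= port <= rng[1]


def rule_matches(rule, tuple5, direction):
    """Direction-dependent comparison from the patent: on send, the ACL address, local
    port and remote port are matched against the packet's destination address, source
    port and destination port; on receive, against its source address, destination
    port and source port."""
    src, dst, sport, dport, proto = tuple5
    if rule.direction != direction or rule.protocol not in ("ANY", proto):
        return False
    if direction == "send":
        remote_ip, local_port, remote_port = dst, sport, dport
    else:
        remote_ip, local_port, remote_port = src, dport, sport
    if remote_ip not in rule.network:
        return False
    if proto not in ("TCP", "UDP"):
        return True   # assumption: portless protocols match on address and type only
    return _in_range(local_port, rule.local_ports) and _in_range(remote_port, rule.remote_ports)


def filter_frame(acl, frame, direction):
    """Filter driver decision for one frame: returns 'pass' or 'drop'."""
    tuple5 = parse_frame(frame)
    if tuple5 is None:
        return "pass"                      # non-IP frames are let through (per the patent)
    for rule in acl:                       # first matching row decides (assumption)
        if rule_matches(rule, tuple5, direction):
            return "drop" if rule.action == "deny" else "pass"
    return "pass"                          # no matching row: let the packet through


def build_frame(src, dst, proto, sport=0, dport=0):
    """Constructed minimal Ethernet + IPv4 (+ TCP/UDP port words) frame for testing."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", sport, dport) if proto in (6, 17) else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return eth + ip + l4


# Constructed sample policy: intranet TCP allowed, all other outbound traffic denied,
# inbound TCP/22 from one external range denied.
SAMPLE_POLICY = [
    {"ip": "10.0.0.0/8", "direction": "send", "action": "allow", "protocol": "TCP"},
    {"ip": "0.0.0.0/0", "direction": "send", "action": "deny"},
    {"ip": "203.0.113.0/24", "direction": "receive", "action": "deny",
     "protocol": "TCP", "local_ports": (22, 22)},
]

if __name__ == "__main__":
    acl = policy_to_acl(SAMPLE_POLICY)
    for desc, frame, d in [
        ("intranet https", build_frame("192.168.1.10", "10.1.2.3", 6, 50000, 443), "send"),
        ("internet http", build_frame("192.168.1.10", "198.51.100.5", 6, 50000, 80), "send"),
        ("inbound ssh", build_frame("203.0.113.7", "192.168.1.10", 6, 40000, 22), "receive"),
    ]:
        print(f"{desc}: {filter_frame(acl, frame, d)}")
```

Two points in the patent's flow are fail-open by design: non-IP frames, and IP packets that match no ACL row, are both let through. A defender deploying a terminal filter of this kind would normally have the server append a catch-all deny row per direction, as SAMPLE_POLICY does for the send direction, so that isolation of an infected terminal does not depend on the policy having enumerated every remote address.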

Priority application: CN201210030423.9A, priority date 2012-02-10, filing date 2012-02-10, "Terminal-based network access control system" (status: Active)

Publications:
CN102594814A (en), published 2012-07-18
CN102594814B (en), published 2014-11-12

Family ID: 46483015
Country status: CN, CN102594814B (en)

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102882859B (en) * 2012-09-13 2015-08-05 广东电网公司电力科学研究院 A kind of safety protecting method based on public network data transmission information system
CN103647772A (en) * 2013-12-12 2014-03-19 浪潮电子信息产业股份有限公司 Method for carrying out trusted access controlling on network data package
CN104283870A (en) * 2014-09-18 2015-01-14 广东顺德中山大学卡内基梅隆大学国际联合研究院 Cloud desktop network access control method
CN105407106A (en) * 2015-12-23 2016-03-16 北京奇虎科技有限公司 Access control method and device
CN106230612B (en) * 2016-07-12 2019-09-06 杭州迪普科技股份有限公司 Handle the method and device of message
CN108207012B (en) 2016-12-20 2021-10-29 中兴通讯股份有限公司 Flow control method, device, terminal and system
CN108494726A (en) * 2018-02-02 2018-09-04 大势至(北京)软件工程有限公司 Network access control method and system based on ARP replacement and filtration drive
CN109033872A (en) * 2018-07-18 2018-12-18 郑州信大捷安信息技术股份有限公司 A kind of secure operating environment building method of identity-based
CN111030970B (en) * 2019-03-21 2023-04-18 安天科技集团股份有限公司 Distributed access control method and device and storage equipment
CN110430179A (en) * 2019-07-26 2019-11-08 西安交通大学 A kind of control method and system for intranet and extranet secure access
CN111064750A (en) * 2019-12-31 2020-04-24 苏州浪潮智能科技有限公司 Network message control method and device of data center
CN113271285B (en) * 2020-02-14 2023-08-08 北京沃东天骏信息技术有限公司 Method and device for accessing network
CN111711631B (en) * 2020-06-17 2022-09-27 北京字节跳动网络技术有限公司 Network access control method, device, equipment and storage medium
CN111953692A (en) * 2020-08-13 2020-11-17 福建深空信息技术有限公司 Secure access method and system for network port
CN112165536B (en) * 2020-09-11 2022-11-11 中国银联股份有限公司 Network terminal authentication method and device
CN113055397A (en) * 2021-03-29 2021-06-29 郑州中科集成电路与信息系统产业创新研究院 Configuration method and device of security access control policy
CN113347169B (en) * 2021-05-25 2022-09-06 浙江科技学院 Communication system based on wireless mobile and wired discontinuous mobile
CN113836577A (en) * 2021-09-09 2021-12-24 武汉市风奥科技股份有限公司 Intranet and extranet access control method and access control system of confidential computer
CN114285819A (en) * 2021-12-29 2022-04-05 深圳市共进电子股份有限公司 Method and device for visiting intranet by visitor network, computer equipment and medium
CN115622809B (en) * 2022-12-14 2023-03-03 浙江中电远为科技有限公司 Internal and external network safety isolation system for application scene of secret cabinet

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1705270A (en) * 2004-05-26 2005-12-07 华为技术有限公司 System and method for controlling network access
CN1738290A (en) * 2004-08-18 2006-02-22 华为技术有限公司 Network access control method based on access control listing


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant