CN102594814B - Terminal-based network access control system - Google Patents
Terminal-based network access control system Download PDFInfo
- Publication number
- CN102594814B CN102594814B CN201210030423.9A CN201210030423A CN102594814B CN 102594814 B CN102594814 B CN 102594814B CN 201210030423 A CN201210030423 A CN 201210030423A CN 102594814 B CN102594814 B CN 102594814B
- Authority
- CN
- China
- Prior art keywords
- network
- access control
- information
- module
- acl
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
The invention provides a terminal-based network access control system. The terminal-based network access control system comprises a network access control module, a network limit module and a network card middle layer filtering driving module, wherein the network access control module performs network authentication according to the identity of a user to determine whether to allow terminal equipment used by the user to connect a network; the network limit module is used for analyzing a network access control policy transmitted by a server, converting the network access control policy into an access control list and distributing the access control list to the network card middle layer filtering driving module; and the network card middle layer filtering driving module is used for filtering data frames received by a network card of the terminal equipment to intercept network access action forbidden in the network access control policy. By the system, network access actions to a computer can be limited at a terminal, and different computers or users can only access to appointed networks. Under the condition that the safety state of the user is changed, the user can be isolated in an appointed network area, and influence to others is prevented.
Description
[technical field]
The present invention relates to computer communication field, relate in particular to a kind of based on the last network access control system of end.
[background technology]
Traditional technology of network isolation control, generally realize by configuration switch or fire compartment wall, higher to hardware requirement, compatible poor, in the situation that access privilege needs dynamic change, also need frequent exchange machine to arrange, and the large polydispersion of switch, configure the very trouble that just seems, and on switch or fire compartment wall, configure a large amount of ACL (Access Control List (ACL)) can exert an influence to the performance of switch, cause network performance to decline, part non-administrator switches cannot be supported this type of configuration; For network accesses such as the external 3G card of surfing Internet of user or wireless network cards, cannot reach limiting network access and control network traffics by configuration switch or fire compartment wall simultaneously.
At traditional technology of network isolation, if need to limit the authority of certain station terminal to access to netwoks, need configure fire compartment wall, or the ACL of the equipment such as switch table or VLAN (VLAN), need dynamically to change for user's access rights, need to change frequently the configuration of switch or fire compartment wall, it is large that the pressure carrying of the hardware making becomes, bring a difficult problem also to keeper's maintenance, or traditional approach is merely able to restriction through the data traffic on switch fire compartment wall simultaneously, for the wireless network card outreaching, the equipment such as 3G card of surfing Internet cannot be accomplished restriction.The complexity that on its legacy network isolation technology, a large amount of configurations of existence bring and problem and the following safety problem of equipment compatibility:
1) subscriber computer is poisoning, need to forbid that it networks, or isolation is to network restoration district.The switch that need to access user is configured, and limits its networking.If what use on Access Layer is non-administrator switches, cannot effectively isolate it.
2) user surfs the Net by modes such as external 3G card of surfing Internet or wireless network cards, cannot reach by configuration switch or fire compartment wall the object of limiting network access and control network traffics, thereby cause fail safe hidden danger.
And for different user the otherness to network access authority, need keeper to be configured separately, management maintenance cost is very high, difficulty is very large.
A kind of " method for managing security, Authentication Client, server and safety management system " is provided in prior art, see that publication number is: CN102164136A, within open day, be: the Chinese patent of 2011.08.24, the feature of its method for managing security comprises: Authentication Client obtains server and issues the security control information that carries security configuration standard; Whether the security configuration that Authentication Client detects user according to described security control information meets described security configuration standard; If do not meet, described Authentication Client sends security configuration to described server and does not meet normal notification, so that described server carries out access to netwoks control to described user.Its Authentication Client is characterised in that, comprising: security control information acquisition module, issues for obtaining server the security control information that carries security configuration standard; Whether security configuration detection module, meet described security configuration standard for the security configuration that detects user according to described security control information; Notice sending module, if do not meet described security configuration standard for described user's security configuration, sends security configuration to described server and does not meet normal notification, so that described server carries out access to netwoks control to described user.Method for managing security, Authentication Client, server and the safety management system of this invention can be worked as the high-performance of still guaranteeing server while simultaneously there is a large number of users access online; Solve the whether legal problem that causes certificate server performance to reduce of antivirus software information that judges user in prior art.But this invention can not, according to the fail safe of client computer self, dynamically be changed client network access rights, comprises switching intranet and extranet; Can not dynamic-configuration security control information, and cannot limit external other networks of client computer and walk around the control of access to netwoks.
[summary of the invention]
The technical problem to be solved in the present invention, is to provide a kind of based on the last network access control system of end, and it can limit the access to netwoks behavior of computer on end end, improves the fail safe of network, has reduced the complexity that a large amount of configuration switch bring.
The present invention is achieved in that a kind of based on the last network access control system of end, comprises network admittance control module, network limits module and network interface card intermediate layer filtration drive module;
Described network admittance control module is carried out network authentication according to user's identity and is determined whether the terminal equipment interconnection network that allows user to use;
The Network Acccss Control Policy that described network limits module is responsible for server end to issue is resolved, and convert to can be for the Access Control List (ACL) of described network interface card intermediate layer filtration drive resume module, described Access Control List (ACL) comprises the protocol type field that IP address/IP address range field, local port range field, remote port range field, internet use, direction of the traffic field and the rights field of network data frame in terminal equipment; Access Control List (ACL) is distributed to described network interface card intermediate layer filtration drive module; Described Network Acccss Control Policy comprises: direction of the traffic information, the authority information of network data frame in protocol type information that IP address/IP address range information of access, local port range information, remote port range information, internet use, terminal equipment; Described authority information comprises: allow and forbid, in described terminal equipment, the direction of the traffic information of network data frame comprises reception and sends;
The network data frame that described network interface card intermediate layer filtration drive module is responsible for the network interface card of terminal equipment to receive filters, and tackles the access to netwoks behavior of forbidding in described Network Acccss Control Policy.
Tool of the present invention has the following advantages: 1, without the equipment such as switch are carried out to ACL, and the configurations such as VLAN, network limits is carried out in the last client computer of end, and configuring maintenance is simple, can not affect performance of network equipments.
2, can carry out access to netwoks by modes such as external 3G card of surfing Internet or wireless Internet cards by limited subscriber by network limits module.
3, can, according to the fail safe of client computer self, dynamically change client network access rights, comprise switching intranet and extranet.
4, in conjunction with the network equipment, can realize the control to enterprise network resource access authority, only have the end end addressable enterprise of the equipment keystone resources of trusted, protection ERM access security.
[brief description of the drawings]
Fig. 1 is the operation principle block diagram of system of the present invention.
[embodiment]
Refer to shown in Fig. 1, the present invention is a kind of based on the last network access control system of end, comprises network admittance control module 1, network limits module 2 and network interface card intermediate layer filtration drive module 3;
Described network admittance control module 1 is carried out network authentication according to user's identity and is determined whether the terminal equipment interconnection network that allows user to use;
The Network Acccss Control Policy that described network limits module 2 is responsible for server end to issue is resolved, and convert the Access Control List (ACL) (being ACL table) that can process for described network interface card intermediate layer filtration drive module 3 to, described Access Control List (ACL) comprises the protocol type field that IP address/IP address range field, local port range field, remote port range field, internet use, direction of the traffic field and the rights field of network data frame in terminal equipment; Access Control List (ACL) is distributed to described network interface card intermediate layer filtration drive module 3; Described Network Acccss Control Policy comprises: direction of the traffic information, the authority information of network data frame in protocol type information that IP address/IP address range information of access, local port range information, remote port range information, internet use, terminal equipment; Described authority information comprises: allow and forbid, in described terminal equipment, the direction of the traffic information of network data frame comprises reception and sends;
The network data frame that described network interface card intermediate layer filtration drive module 3 is responsible for the network interface card of terminal equipment to receive filters, and tackles the access to netwoks behavior of forbidding in described Network Acccss Control Policy.Wherein said network interface card intermediate layer filtration drive module 3 specific works are as follows:
The network data frame that network interface card intermediate layer filtration drive module 3 receives network interface card carries out identifying operation, extract network packet according to Frame, judge whether network packet is IP packet, no, network packet is let pass, be,, according to the form of IP packet, parse protocol type (as: transmission control protocol TCP, user datagram protocol UDP, the Internet Control Message Protocol ICMP etc.) information that source address information, destination address information, source port information, destination interface information and internet use, and according to these information of resolving, described Access Control List (ACL) is searched to comparison, if the information that exists corresponding IP packet to parse in discovery Access Control List (ACL), judge corresponding informance in Access Control List (ACL) capable (be the data message that stores plural number row in Access Control List (ACL), each information row represents a complete data message) in authority information, if authority information is for forbidding, abandon described IP packet, if authority information, for allowing, is let pass IP packet, if the information that does not exist corresponding IP packet to parse in Access Control List (ACL), the IP packet of letting pass, wherein, when these information of described parsing are searched comparison to described Access Control List (ACL), IP address/IP address range in Access Control List (ACL), local port scope and remote port scope have different manner of comparison in different described direction of the traffics: when in described terminal equipment, the direction of the traffic information of network data frame is for transmission, IP address/IP address range in Access Control List (ACL), local port scope, remote port scope, the protocol type that internet uses needs the destination address parsing with IP packet respectively, source port, destination interface and protocol type compare whether mate (wherein local port scope in Access Control List (ACL), remote port scope is a port range value, as scope is made as 80~1024, the corresponding source port parsing in IP packet, the value of destination interface as long as all mate in above-mentioned scope), in described terminal equipment, the direction of the traffic information of network data frame is when receiving, and whether source address, destination interface, source port and protocol type that the protocol type that IP address/IP scope in Access Control List (ACL), local port scope, remote port scope, internet use needs to parse with IP packet respectively compare and mate.
System of the present invention also comprises that keeper changes Network Acccss Control Policy module 4; This module is that keeper directly changes at server end the Network Acccss Control Policy issuing after Network Acccss Control Policy after changing and triggers described network limits module 3 and operate.Wherein management server issues in the situation that finding that terminal equipment safe class is found variation, as detected there are security breaches in terminal equipment, or exist antivirus software that (management service end needs supporting safety detection software) is not installed, now can issue described network control strategy, triggering described network limits module 3 operates, isolation is in specified network, and restriction network of relation is accessed behavior.The access rights of terminal equipment change, and as terminal equipment is linked in the network environment that safe class is higher, now also can issues corresponding network control strategy and trigger described network limits module 3 and operate.
The present invention is based on software mode limits the access to netwoks behavior of computer on the last equipment of end.Based on the last technology of network isolation of end, can on end end, limit the access to netwoks behavior of computer, can realize easily different computers or user is merely able to access specified network.In user security Status Change situation, (as poisoning, attacked) and can be easy to user isolation, in specified network region, prevent from other people to impact., for the external 3G card of surfing Internet of user, can be controlled effectively too simultaneously, be merely able to the specified network range of access strategy, only need to adjust user's access strategy, can realize user Intranet or outside switching off the net.
The foregoing is only preferred embodiment of the present invention, all equalizations of doing according to the present patent application the scope of the claims change and modify, and all should belong to covering scope of the present invention.
Claims (2)
1. based on the last network access control system of end, it is characterized in that: comprise network admittance control module, network limits module and network interface card intermediate layer filtration drive module;
Described network admittance control module is carried out network authentication according to user's identity and is determined whether the terminal equipment interconnection network that allows user to use;
The Network Acccss Control Policy that described network limits module is responsible for server end to issue is resolved, and convert to can be for the Access Control List (ACL) of described network interface card intermediate layer filtration drive resume module, described Access Control List (ACL) comprises the protocol type field that IP address/IP address range field, local port range field, remote port range field, internet use, direction of the traffic field and the rights field of network data frame in terminal equipment; Access Control List (ACL) is distributed to described network interface card intermediate layer filtration drive module; Described Network Acccss Control Policy comprises: direction of the traffic information, the authority information of network data frame in protocol type information that IP address/IP address range information of access, local port range information, remote port range information, internet use, terminal equipment; Described authority information comprises: allow and forbid, in described terminal equipment, the direction of the traffic information of network data frame comprises reception and sends;
The network data frame that described network interface card intermediate layer filtration drive module is responsible for the network interface card of terminal equipment to receive filters, and tackles the access to netwoks behavior of forbidding in described Network Acccss Control Policy; Described network interface card intermediate layer filtration drive module specific works is as follows:
The network data frame that network interface card intermediate layer filtration drive module receives network interface card carries out identifying operation, extract network packet according to Frame, judge whether network packet is IP packet, no, network packet is let pass,, according to the form of IP packet, to parse the protocol type information that source address information, destination address information, source port information, destination interface information and internet use, and according to these information of resolving, described Access Control List (ACL) is searched to comparison, if the information that exists corresponding IP packet to parse in discovery Access Control List (ACL), judge the authority information in capable of corresponding informance in Access Control List (ACL), if authority information is for forbidding, abandon described IP packet, if authority information, for allowing, is let pass IP packet, if the information that does not exist corresponding IP packet to parse in Access Control List (ACL), the IP packet of letting pass, wherein, when these information of described parsing are searched comparison to described Access Control List (ACL), IP address/IP address range in Access Control List (ACL), local port scope and remote port scope have different manner of comparison in different described direction of the traffics: when in described terminal equipment, the direction of the traffic information of network data frame is for transmission, IP address/IP address range in Access Control List (ACL), local port scope, remote port scope, the protocol type that internet uses needs the destination address parsing with IP packet respectively, source port, whether destination interface and protocol type compare and mate, in described terminal equipment, the direction of the traffic information of network data frame is when receiving, and whether source address, destination interface, source port and protocol type that the protocol type that IP address/IP scope in Access Control List (ACL), local port scope, remote port scope, internet use needs to parse with IP packet respectively compare and mate.
2. according to claim 1 based on the last network access control system of end, it is characterized in that: also comprise that keeper changes Network Acccss Control Policy module; This module is that keeper directly changes at server end the Network Acccss Control Policy issuing after Network Acccss Control Policy after changing and triggers described network limits module and operate.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210030423.9A CN102594814B (en) | 2012-02-10 | 2012-02-10 | Terminal-based network access control system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210030423.9A CN102594814B (en) | 2012-02-10 | 2012-02-10 | Terminal-based network access control system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102594814A CN102594814A (en) | 2012-07-18 |
| CN102594814B true CN102594814B (en) | 2014-11-12 |
Family
ID=46483015
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210030423.9A Active CN102594814B (en) | 2012-02-10 | 2012-02-10 | Terminal-based network access control system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102594814B (en) |
Families Citing this family (20)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102882859B (en) * | 2012-09-13 | 2015-08-05 | 广东电网公司电力科学研究院 | A kind of safety protecting method based on public network data transmission information system |
| CN103647772A (en) * | 2013-12-12 | 2014-03-19 | 浪潮电子信息产业股份有限公司 | Method for carrying out trusted access controlling on network data package |
| CN104283870A (en) * | 2014-09-18 | 2015-01-14 | 广东顺德中山大学卡内基梅隆大学国际联合研究院 | Cloud desktop network access control method |
| CN105407106A (en) * | 2015-12-23 | 2016-03-16 | 北京奇虎科技有限公司 | Access control method and device |
| CN106230612B (en) * | 2016-07-12 | 2019-09-06 | 杭州迪普科技股份有限公司 | Handle the method and device of message |
| CN108207012B (en) | 2016-12-20 | 2021-10-29 | 中兴通讯股份有限公司 | Flow control method, device, terminal and system |
| CN108494726A (en) * | 2018-02-02 | 2018-09-04 | 大势至(北京)软件工程有限公司 | Network access control method and system based on ARP replacement and filtration drive |
| CN109033872A (en) * | 2018-07-18 | 2018-12-18 | 郑州信大捷安信息技术股份有限公司 | A kind of secure operating environment building method of identity-based |
| CN111030970B (en) * | 2019-03-21 | 2023-04-18 | 安天科技集团股份有限公司 | Distributed access control method and device and storage equipment |
| CN110430179A (en) * | 2019-07-26 | 2019-11-08 | 西安交通大学 | A kind of control method and system for intranet and extranet secure access |
| CN111064750A (en) * | 2019-12-31 | 2020-04-24 | 苏州浪潮智能科技有限公司 | Network message control method and device of data center |
| CN113271285B (en) * | 2020-02-14 | 2023-08-08 | 北京沃东天骏信息技术有限公司 | Method and device for accessing network |
| CN111711631B (en) * | 2020-06-17 | 2022-09-27 | 北京字节跳动网络技术有限公司 | Network access control method, device, equipment and storage medium |
| CN111953692A (en) * | 2020-08-13 | 2020-11-17 | 福建深空信息技术有限公司 | Secure access method and system for network port |
| CN112165536B (en) * | 2020-09-11 | 2022-11-11 | 中国银联股份有限公司 | Network terminal authentication method and device |
| CN113055397A (en) * | 2021-03-29 | 2021-06-29 | 郑州中科集成电路与信息系统产业创新研究院 | Configuration method and device of security access control policy |
| CN113347169B (en) * | 2021-05-25 | 2022-09-06 | 浙江科技学院 | Communication system based on wireless mobile and wired discontinuous mobile |
| CN113836577A (en) * | 2021-09-09 | 2021-12-24 | 武汉市风奥科技股份有限公司 | Intranet and extranet access control method and access control system of confidential computer |
| CN114285819A (en) * | 2021-12-29 | 2022-04-05 | 深圳市共进电子股份有限公司 | Method and device for visiting intranet by visitor network, computer equipment and medium |
| CN115622809B (en) * | 2022-12-14 | 2023-03-03 | 浙江中电远为科技有限公司 | Internal and external network safety isolation system for application scene of secret cabinet |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1705270A (en) * | 2004-05-26 | 2005-12-07 | 华为技术有限公司 | System and method for controlling network access |
| CN1738290A (en) * | 2004-08-18 | 2006-02-22 | 华为技术有限公司 | Network access control method based on access control listing |
-
2012
- 2012-02-10 CN CN201210030423.9A patent/CN102594814B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1705270A (en) * | 2004-05-26 | 2005-12-07 | 华为技术有限公司 | System and method for controlling network access |
| CN1738290A (en) * | 2004-08-18 | 2006-02-22 | 华为技术有限公司 | Network access control method based on access control listing |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102594814A (en) | 2012-07-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102594814B (en) | Terminal-based network access control system | |
| Kuwatly et al. | A dynamic honeypot design for intrusion detection | |
| JP5062967B2 (en) | Network access control method and system | |
| US11741801B2 (en) | Network sanitization for dedicated communication function and edge enforcement | |
| KR100358518B1 (en) | Firewall system combined with embeded hardware and general-purpose computer | |
| US10887160B2 (en) | Management method for home network device and network management system | |
| CN102857388A (en) | Cloud detection safety management auditing system | |
| CN109510841B (en) | Safety isolation gateway of control device and system | |
| CN110391988B (en) | Network flow control method, system and safety protection device | |
| CN101577729A (en) | Method for blocking bypass by combining DNS redirection with Http redirection | |
| CN111385326B (en) | Rail transit communication system | |
| KR101472685B1 (en) | Network connection gateway, a network isolation method and a computer network system using such a gateway | |
| TW202137735A (en) | Programmable switching device for network infrastructures | |
| KR101881061B1 (en) | 2-way communication apparatus capable of changing communication mode and method thereof | |
| KR101448028B1 (en) | Apparatus and method for remote access network division | |
| Jose et al. | Survey on SDN security mechanisms | |
| US11792093B2 (en) | Generating network system maps based on network traffic | |
| CN108712398A (en) | Port authentication method, server, interchanger and the storage medium of certificate server | |
| KR20220070875A (en) | Smart home network system based on sdn/nfv | |
| Frank et al. | Securing smart homes with openflow | |
| Al-Kahtani et al. | Architectures and security of software defined networks for internet of things: State-of-the-art and challenges | |
| CN101917440B (en) | Control method and system for computer to receive management after computer accesses local area network | |
| Sharukh et al. | DDoS Attack Detection in Software-Defined IoT: A Big Picture | |
| CN201167328Y (en) | Status switching type bridging apparatus | |
| Meng | Discussion on internet security strategy of embedded system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |