CN103618613A - Network access control system - Google Patents
- Publication number: CN103618613A (application CN201310653805.1A)
- Authority: CN (China)
- Prior art keywords: network, security, access control, network access, client
- Prior art date: 2013-12-09
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
The invention is a network access control system, and in particular a system based on PKI digital certificate identity authentication. The system comprises two dedicated modules that implement the network access control function and the security inspection function: a network access control module and a security inspection module. Because the system is built on PKI digital certificate identity authentication, a terminal device must be authenticated before it is granted network access, and the security state of the accessing terminal is inspected; the terminal may access the working network only when its authentication succeeds and its inspected security state fully conforms to the security policy of the local network. Unauthenticated endpoints cannot access the network, and endpoints that pass authentication but do not conform to the security policy cannot access the working network; instead the system redirects such a terminal to a remediation isolation zone where it can correct its own security state, so that a terminal reaches the working network only once its security state conforms to the policy.
Description
Technical field
The invention is a network access control system, and specifically a system having an identity authentication function based on PKI digital certificates.
Background technology
As enterprise IT deployment proceeds, information security is becoming ever more important to the security of enterprise networks and information systems, and the network plays a vital role in supporting business operations. However, traditional terminal security products (antivirus software, desktop firewalls, etc.) and network perimeter defences (firewalls, intrusion detection, etc.) do nothing to stop an unauthorized computer from connecting to the internal network. Once connected, such a computer can communicate with intranet hosts as freely as any other and can therefore become a source of network attacks: an intruder can enter the enterprise network through any free port and use various technical means to cause damage or steal confidential information. This creates an urgent need for network access authentication technology. The potential security risks are mainly the following:
(1) computer viruses are introduced into the network;
(2) the computer becomes an entry point for attacks on the internal network;
(3) information from the internal network is copied to an unauthorized computer, causing information leakage.
Therefore, network access control has become incomparably important.
The existing technical means is switch MAC address binding.
Principle: the switch records the MAC addresses of the computers in the network and binds each MAC address to an IP address or a port; when a newly connected computer is detected whose MAC address differs from the configured one, its network connection is blocked.
Shortcomings: (1) MAC address identification is performed per switch port rather than at the level of the whole network, so a MAC address is not permitted to access the network from another port; this limits the mobility of computers within the internal network, makes manual maintenance of the network excessive, and easily leaves switch ports wide open because of configuration oversights. (2) MAC addresses can be spoofed, so the residual security risk is considerable.
Summary of the invention
The object of the invention is to provide a network access control system that, before a terminal user connects to the network, performs identity authentication based on a PKI digital certificate system and checks the security state of the terminal, so that every host accessing the classified network has a legitimate identity and a healthy state.
The invention is realized as follows: the network access control system comprises two dedicated modules that implement the network access control function and the security inspection function, namely a network access control module and a security inspection module.
The network access control module comprises a client and a server end. The client runs on the user host that is to undergo security inspection. The system supports two authentication modes, username/password and PKI digital certificate. After the client starts, the authentication information is first sent to the switch to which the host is connected; the switch forwards the authentication information it receives to the authentication server for authentication; the server returns the authentication result; and the switch controls the state of the port according to that result.
The security inspection module is divided into a client part and a server part. Server functions: through the server console, the software conditions each client must satisfy are determined and the security policy is defined; if a client does not meet the security policy, a different response is taken according to the policy setting: warning, isolation or disconnection. Client functions: after the user logs in to the system, the terminal control software immediately performs a security inspection of the terminal and judges whether the client meets the security requirements set by the console; if it does not, the software responds in the manner defined by the security policy.
The advantage of the invention is that the network access control system uses PKI digital certificate identity authentication, so that a terminal device must be authenticated before it accesses the network, and the security state of the accessing terminal is checked; only a terminal that passes authentication and whose security state fully follows the security policy of the local network after inspection can access the working network. Unauthenticated endpoints cannot access the network; endpoints that pass authentication but do not meet the security policy cannot access the working network and are instead redirected to a remediation isolation zone where the endpoint corrects its own security state, so that a terminal can access the working network only once its own security state meets the security policy.
Description of the drawings
Fig. 1: 802.1X network access authentication schematic diagram;
Fig. 2: network access control deployment diagram.
Embodiment
The invention is described in detail below with reference to the drawings and embodiments:
The network access control system comprises two dedicated modules that implement the network access control function and the security inspection function and work cooperatively: the network access control module and the security inspection module. Their functions are as follows:
Network access control module
802.1X is a port-based authentication protocol: a method and policy for authenticating users. A port may be a physical port or a logical port (such as a VLAN). The ultimate purpose of 802.1X authentication is to decide whether a port is usable. If authentication succeeds, the port is "opened" and all frames are allowed through; if authentication fails, the port is kept "closed" or placed in a guest VLAN, and only 802.1X authentication protocol frames are allowed through.
As shown in Fig. 1, the network access control module is divided into a client and a server end. The client runs on the user host that is to undergo security inspection. The system supports two authentication modes, username/password and PKI digital certificate. After the client program starts, the authentication information is first sent to the switch to which the host is connected; the switch forwards the authentication information it receives to the authentication server for authentication; the server returns the authentication result; and the switch controls the state of the port according to that result.
The port states before and after authentication by the network access control system are shown in the following table:
Table 1: Authentication results and port states
Security inspection module
The security protection capability of the system is realized mainly by the security inspection module, which is likewise divided into a client part and a server part.
Server functions: through the server console, the software conditions each client must satisfy are determined and the security policy is defined; if a client does not meet the security policy, a different response is taken according to the policy setting: warning, isolation or disconnection.
Client functions: after the user logs in to the system, the terminal control software immediately performs a security inspection of the terminal and judges whether the client meets the security requirements set by the console; if it does not, the software responds in the manner defined by the security policy.
● Scope of inspection of the security policy set by the server end
(1) operating system version check
(2) screen saver timeout check
(3) software blacklist and whitelist check
(4) operating system patch check
(5) antivirus software and version check
(6) host audit agent installation check
(7) multi-boot (multiple operating systems) check
● Handling policy for client security inspection
(1) The user client meets the security policy: normal network access.
(2) The user client's security does not meet the policy: a warning is issued to the user.
(3) The user client's security does not meet the policy: the user is isolated and may access only the IP address or IP address range specified by the administrator.
(4) The user client's security does not meet the policy: the user's network connection is interrupted directly.
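The admission decision described in the 802.1X section and in the inspection and handling lists above, as an added example (not code from the patent): the seven inspection items are evaluated against a console policy, and the 802.1X result is combined with the posture result to yield one of the four responses plus the networks the port may reach. Check names, policy fields, the `Action` enum and all sample values are constructed for this illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import ip_address, ip_network

class Action(Enum):
    ALLOW = "allow"            # conforming: admitted to the working network
    WARN = "warn"              # non-conforming: admitted, but the user is warned
    ISOLATE = "isolate"        # non-conforming: remediation zone only
    DISCONNECT = "disconnect"  # non-conforming or unauthenticated: no access

@dataclass
class Policy:
    """Security policy as configured on the server console (constructed values)."""
    min_os_version: tuple = (6, 1)
    max_screensaver_timeout: int = 600                  # seconds
    blacklist: frozenset = frozenset()
    whitelist_required: frozenset = frozenset()
    min_patch_count: int = 0
    antivirus: dict = field(default_factory=dict)       # product -> minimum version
    require_audit_agent: bool = True
    allow_multiboot: bool = False
    on_violation: Action = Action.ISOLATE               # warning, isolation or disconnection
    remediation_nets: tuple = ("10.99.0.0/24",)         # reachable while isolated

def check_posture(host: dict, policy: Policy) -> list:
    """Run the seven inspection items; return the names of the failed ones."""
    failed = []
    if tuple(host["os_version"]) < policy.min_os_version:
        failed.append("os_version")
    if host["screensaver_timeout"] > policy.max_screensaver_timeout:
        failed.append("screensaver")
    installed = set(host["software"])
    if installed & policy.blacklist or not policy.whitelist_required <= installed:
        failed.append("software_lists")
    if host["patch_count"] < policy.min_patch_count:
        failed.append("patches")
    av_name, av_version = host["antivirus"]
    # an antivirus product the policy does not know is treated as failing
    if tuple(av_version) < policy.antivirus.get(av_name, (float("inf"),)):
        failed.append("antivirus")
    if policy.require_audit_agent and not host["audit_agent"]:
        failed.append("audit_agent")
    if host["multiboot"] and not policy.allow_multiboot:
        failed.append("multiboot")
    return failed

def decide(authenticated: bool, host: dict, policy: Policy) -> tuple:
    """Combine the 802.1X result with posture: (action, failed checks, reachable networks)."""
    if not authenticated:                      # port stays closed, only 802.1X frames pass
        return Action.DISCONNECT, [], ()
    failed = check_posture(host, policy)
    if not failed:
        return Action.ALLOW, [], ("0.0.0.0/0",)
    reach = {Action.WARN: ("0.0.0.0/0",), Action.ISOLATE: policy.remediation_nets,
             Action.DISCONNECT: ()}[policy.on_violation]
    return policy.on_violation, failed, reach

def can_reach(reachable_nets: tuple, dest: str) -> bool:
    """Port-level filter: is the destination inside a network the port may reach?"""
    return any(ip_address(dest) in ip_network(n) for n in reachable_nets)
```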
For deployment, the client program is installed on the user hosts and the server application is installed on a Linux server. The security administrator can use the system to manage and query the network access authentication status of the organization's users, detect users who connect in violation of the rules in a timely manner, and generate alarm logs. The deployment diagram is shown in Fig. 2.
Claims (3)
1. A network access control system, characterized in that it comprises two dedicated modules that implement the network access control function and the security inspection function, namely a network access control module and a security inspection module.
2. The network access control system of claim 1, characterized in that the network access control module comprises a client and a server end; the client runs on the user host that is to undergo security inspection; the system supports two authentication modes, username/password and PKI digital certificate; after the client starts, the authentication information is first sent to the switch to which the host is connected, the switch forwards the received authentication information to the authentication server for authentication, the server returns the authentication result, and the switch controls the port state according to the authentication result.
3. The network access control system of claim 1, characterized in that the security inspection module is divided into a client part and a server part; server functions: the software conditions each client must satisfy are determined through the server console, and a security policy is defined such that, if a client does not meet the security policy, a different response is taken according to the policy setting: warning, isolation or disconnection; client functions: after the user logs in to the system, the terminal control software immediately performs a security inspection of the terminal and judges whether the client meets the security requirements of the console, and if not, responds in the manner defined by the security policy.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310653805.1A CN103618613A (en) | 2013-12-09 | 2013-12-09 | Network access control system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103618613A true CN103618613A (en) | 2014-03-05 |
Family
ID=50169317
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20140305 |