CN103944884B - Multilevel, multi-domain access control method and system based on network-label communication - Google Patents

Multilevel, multi-domain access control method and system based on network-label communication

Info

Publication number: CN103944884B (granted publication); earlier publication CN103944884A
Authority: CN (China)
Prior art keywords: terminal, access control, label data, packets, management system
Legal status: Expired - Fee Related
Application number: CN201410110186.6A
Original language: Chinese (zh)
Inventors: 刘毅, 余维伟, 彭涛, 彭光学, 吴峥
Current assignee: JETWAY INFORMATION SECURITY INDUSTRY Co Ltd
Original assignee: JETWAY INFORMATION SECURITY INDUSTRY Co Ltd
Priority date: 2014-03-24
Filing date: 2014-03-24
Publication dates: 2014-07-23 (CN103944884A), 2017-05-31 (CN103944884B)


Abstract

The invention belongs to the field of computer information security and in particular relates to a multilevel, multi-domain access control method and system based on network-label communication. The method comprises: before sending an IP packet, the terminal checks against its internally configured policy whether the data may be sent, and if so appends device label data to the IP packet and sends it; when receiving an IP packet, the terminal verifies the device label data and judges according to its internally configured policy whether the IP packet may be received; if the device label data is valid, it strips the label data and accepts the IP packet, otherwise it discards the packet. The advantages of the invention are: multilevel, multi-domain access control in which terminals in domains of the same level access each other bidirectionally while terminal data in a lower-level domain flows one-way into the higher-level domain; and, because only registered terminals can recognise the data transmitted on the network, the security of network data is protected.

Description

Multilevel, multi-domain access control method and system based on network-label communication
Technical field
The invention belongs to the field of computer information security and in particular relates to a multilevel, multi-domain access control method and system based on network-label communication.
Background
Graded protection of information system security determines the security grade of a system from the highest classification of the information it handles. Provided that security-domain boundaries are partitioned reasonably and controllably, each security domain can be graded separately according to its classification and a "partition into domains, protect by grade" strategy can be applied, so as to guarantee information security. Existing multilevel, multi-domain access control is mostly implemented at the user layer on the basis of permissions; such methods cannot achieve hierarchical, domain-partitioned management of the terminals themselves.
Summary of the invention
The technical problem solved by the invention is to provide a multilevel, multi-domain access control method and system based on network-label communication. Unlike the common permission-based user-layer multilevel, multi-domain access control, the invention not only realises multilevel, multi-domain access control but is also able to guarantee network data security.
The technical solution adopted by the invention to solve this problem is a multilevel, multi-domain access control method based on network-label communication, comprising the following steps:
1) Before sending an IP packet, the terminal checks against its internally configured policy whether the data may be sent; if so, it appends device label data to the IP packet and sends it;
2) When receiving an IP packet, the terminal verifies the device label data and judges according to its internally configured policy whether the IP packet may be received; if the device label data is valid, it strips the label data and accepts the IP packet, otherwise it discards the packet;
The label data comprises a network domain identifier, a network level identifier, a subject identifier and access rights.
Preferably, step 1) is preceded by a step in which the policy management system configures the terminal's access control policy, specifically: partitioning the network domain the terminal belongs to, specifying the network level, specifying the operating subject, the communication protocol, access authentication control, and access control between terminals.
Preferably, the step of configuring the terminal access control policy is preceded by a step of downloading, installing and registering the terminal client, comprising the following sub-steps:
31) The terminal downloads the terminal client installation package provided by the policy management system;
32) The terminal installs the downloaded client package;
33) During installation the terminal registers itself with the policy management system and at the same time loads the associated access control engine on the terminal.
Preferably, the method further includes a step in which the terminal client periodically requests updated policy information from the policy management system.
Preferably, the label data originates from the policy management system.
The invention also provides a multilevel, multi-domain access control system based on network-label communication. The terminal contains a sending unit which, before sending an IP packet, checks against the terminal's internally configured policy whether the data may be sent and, if so, appends device label data to the IP packet and sends it. The terminal also contains a receiving unit which, when an IP packet is received, verifies the device label data, judges according to the internally configured policy whether the IP packet may be received and, if the device label data is valid, strips the label data and accepts the IP packet, otherwise discards the packet. The label data comprises a network domain identifier, a network level identifier, a subject identifier and access rights.
Preferably, the system further comprises a policy management system for configuring the terminal access control policy, specifically: partitioning the network domain the terminal belongs to, specifying the network level, specifying the operating subject, the communication protocol, access authentication control, and access control between terminals.
Preferably, before the policy management system configures the terminal, the terminal downloads the terminal client installation package provided by the policy management system and installs it; during installation the terminal registers itself with the policy management system and at the same time loads the associated access control engine on the terminal.
Preferably, the system further comprises a terminal client policy update unit, by which the terminal client periodically requests updated policy information from the policy management system.
Preferably, the label data originates from the policy management system.
Beneficial effects
By adopting the above technical solution, the invention has the following advantages and positive effects compared with the prior art:
First: hierarchical, domain-partitioned management of terminals
The policy management system assigns each terminal a network domain and a network level. When sending data, a terminal judges from its own policy and the target terminal's domain and level identifiers whether the IP packet may be sent to the target terminal; when receiving data, it judges from its own policy and the source terminal's domain and level identifiers whether the IP packet may be accepted. In this way terminal data in a lower-level domain flows one-way into the higher-level domain, while terminals in domains of the same level may access each other bidirectionally.
Second: network data security
Because network label data is added to the IP data, only managed terminals can recognise the IP data transmitted on the network; ordinary unmanaged terminals cannot recognise it, which improves network data security.
Brief description of the drawing
Fig. 1 is a structural diagram of the multilevel, multi-domain access control system based on network-label communication according to the invention.
Detailed description
The invention is further explained below with reference to specific embodiments. It should be understood that these embodiments are only intended to illustrate the invention and not to limit its scope. Furthermore, after reading the teaching of the invention, those skilled in the art can make various changes or modifications to it, and such equivalent forms likewise fall within the scope defined by the appended claims.
The first embodiment of the invention relates to a multilevel, multi-domain access control method based on network-label communication, comprising the following steps:
1) Before sending an IP packet, the terminal checks against its internally configured policy whether the data may be sent; if so, it appends device label data to the IP packet and sends it;
2) When receiving an IP packet, the terminal verifies the device label data and judges according to its internally configured policy whether the IP packet may be received; if the device label data is valid, it strips the label data and accepts the IP packet, otherwise it discards the packet;
The label data comprises a network domain identifier, a network level identifier, a subject identifier and access rights.
In this embodiment, step 1) is preceded by a step in which the policy management system configures the terminal's access control policy, specifically: partitioning the network domain the terminal belongs to, specifying the network level, specifying the operating subject, the communication protocol, access authentication control, and access control between terminals. The main function of the policy management system is to manage terminals and configure their access control policies, so the policy management system must be set up first. The policy management system provides the terminal client installation package for download; the terminal downloads and installs the client, and during installation the terminal is registered with the policy management system and the associated access control engine is loaded on the terminal. The policy management system provides the label data. The terminal client periodically requests the latest policy information from the policy management system, and the access control engine enforces multilevel, multi-domain network access control according to that policy information.
The second embodiment of the invention relates to a multilevel, multi-domain access control system based on network-label communication, as shown in Fig. 1. The terminal contains a sending unit which, before sending an IP packet, checks against the terminal's internally configured policy whether the data may be sent and, if so, appends device label data to the IP packet and sends it. The terminal also contains a receiving unit which, when an IP packet is received, verifies the device label data, judges according to the internally configured policy whether the IP packet may be received and, if the device label data is valid, strips the label data and accepts the IP packet, otherwise discards the packet. The label data comprises a network domain identifier, a network level identifier, a subject identifier and access rights.
As shown in Fig. 1, the system further comprises a policy management system for configuring the terminal access control policy, specifically: partitioning the network domain the terminal belongs to, specifying the network level, specifying the operating subject, the communication protocol, access authentication control, and access control between terminals. The label data mentioned above originates from the policy management system.
Before the policy management system configures the terminal, the terminal downloads the terminal client installation package provided by the policy management system and installs it; during installation the terminal registers itself with the policy management system and at the same time loads the associated access control engine on the terminal.
The system further comprises a terminal client policy update unit, by which the terminal client periodically requests updated policy information from the policy management system.
It can be seen that the policy management system assigns each terminal a network domain and a network level; when sending data, a terminal judges from its own policy and the target terminal's domain and level identifiers whether the IP data may be sent to the destination, and when receiving data it judges from its own policy and the source terminal's domain and level identifiers whether the IP data may be accepted. This realises one-way access from a lower-level domain into a higher-level domain, while domains of the same level may access each other bidirectionally.
In addition, because network label data is added to the IP data, only managed terminals can recognise the IP data transmitted on the network; ordinary unmanaged terminals cannot recognise it, which improves network data security.
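The following is an added example, not code from the patent or from its assignee, modelling the two steps the description repeats (the sending terminal consults its local policy and prepends label data; the receiving terminal verifies the label, applies the same domain/level rule to the source and strips the label) together with the "lower level flows up, same level flows both ways, higher level never flows down" rule of the beneficial-effects section. Everything about the wire format is assumed: the 10-byte label layout, the meaning of the rights bits, and the keyed HMAC that makes a label "valid". That last point is the practitioner's caveat: the patent says the receiver verifies the label but never says how, and a label that is merely appended in clear can be copied from observed traffic by any host, so the example binds it to a key distributed with the policy. The policy management system is modelled only as the TerminalPolicy object handed to each terminal; hosts, keys and payloads are constructed.

```python
"""Added example (not the patent's code): label-based send/receive filtering.

Assumed, not from the patent: label byte layout, rights-bit meanings, and the
HMAC used to decide whether a label is valid."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Label = (domain id, level id, subject id, access rights): the four fields the
# patent names.  Network byte order and field widths are assumptions.
LABEL_FMT = "!HHIH"
LABEL_LEN = struct.calcsize(LABEL_FMT)   # 10 bytes
TAG_LEN = 16                              # truncated HMAC-SHA256 over label+payload (assumed)
RIGHT_SEND = 0x1                          # assumed meaning of the rights bits
RIGHT_RECV = 0x2


def flow_allowed(src_level: int, dst_level: int) -> bool:
    """Patent rule: equal levels both ways, lower may flow up, higher never flows down."""
    return src_level <= dst_level


@dataclass
class TerminalPolicy:
    """What the policy management system configures on one terminal (modelled in memory)."""
    domain: int
    level: int
    subject: int
    rights: int
    key: bytes                              # label key distributed with the policy (assumed)
    domains: FrozenSet[int]                 # domains this terminal may exchange with (assumed)
    peers: Dict[str, Tuple[int, int]]       # registered target ip -> (domain, level)


class Terminal:
    def __init__(self, policy: TerminalPolicy) -> None:
        self.p = policy

    def _label(self) -> bytes:
        return struct.pack(LABEL_FMT, self.p.domain, self.p.level, self.p.subject, self.p.rights)

    def _tag(self, label: bytes, payload: bytes) -> bytes:
        return hmac.new(self.p.key, label + payload, hashlib.sha256).digest()[:TAG_LEN]

    def send(self, dst_ip: str, payload: bytes) -> Optional[bytes]:
        """Step 1: decide from local policy, then prepend label and tag.
        Returns the datagram for the wire, or None when policy forbids sending."""
        peer = self.p.peers.get(dst_ip)
        if peer is None or not (self.p.rights & RIGHT_SEND):
            return None                                   # unregistered target or no send right
        dst_domain, dst_level = peer
        if dst_domain not in self.p.domains or not flow_allowed(self.p.level, dst_level):
            return None                                   # would flow down, or into a forbidden domain
        label = self._label()
        return label + self._tag(label, payload) + payload

    def receive(self, datagram: Optional[bytes]) -> Optional[bytes]:
        """Step 2: verify the label, apply policy to the source's domain/level,
        strip the label and return the payload; None means the packet is dropped."""
        if not datagram or len(datagram) < LABEL_LEN + TAG_LEN or not (self.p.rights & RIGHT_RECV):
            return None
        label = datagram[:LABEL_LEN]
        tag = datagram[LABEL_LEN:LABEL_LEN + TAG_LEN]
        payload = datagram[LABEL_LEN + TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(label, payload)):
            return None                                   # unmanaged sender or forged label
        src_domain, src_level, _subject, src_rights = struct.unpack(LABEL_FMT, label)
        if src_domain not in self.p.domains or not (src_rights & RIGHT_SEND):
            return None
        if not flow_allowed(src_level, self.p.level):
            return None                                   # higher-level data must not flow down
        return payload


def demo() -> Dict[str, Optional[bytes]]:
    """Constructed scenario: one domain with a low-level and two high-level terminals."""
    key = b"label-key-from-policy-system"                  # constructed
    peers = {"10.0.0.1": (1, 1), "10.0.0.2": (1, 2), "10.0.0.3": (1, 2)}

    def terminal(level: int, subject: int) -> Terminal:
        return Terminal(TerminalPolicy(1, level, subject, RIGHT_SEND | RIGHT_RECV,
                                       key, frozenset({1}), peers))

    low, high, high2 = terminal(1, 1001), terminal(2, 1002), terminal(2, 1003)
    out: Dict[str, Optional[bytes]] = {}
    out["up"] = high.receive(low.send("10.0.0.2", b"report"))        # low -> high: accepted
    out["down_sender"] = high.send("10.0.0.1", b"secret")              # high -> low: refused at sender
    out["peer"] = high2.receive(high.send("10.0.0.3", b"sync"))        # same level: accepted
    out["unmanaged"] = high.receive(b"plain packet with no label")     # no valid label: dropped
    fake = struct.pack(LABEL_FMT, 1, 1, 9999, RIGHT_SEND)              # label without the key
    out["forged"] = high.receive(fake + b"\x00" * TAG_LEN + b"evil")
    leak = high._label() + high._tag(high._label(), b"leak") + b"leak"  # correct key, wrong direction
    out["down_receiver"] = low.receive(leak)                           # receiver enforces it too
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} -> {result!r}")
```

The scenario exercises both enforcement points the patent describes: a downward flow is refused by the sender before the packet exists, and a downward packet injected past the sender (built with the real key) is still dropped by the receiver, so neither side is a single point of bypass. The unmanaged and forged cases show why the label needs a key: without one, the "only registered terminals can recognise the data" property rests on nothing more than an unknown byte layout.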
The scope of protection of the claims of the invention is not limited to the above embodiments.

Claims (8)

1. A multilevel, multi-domain access control method based on network-label communication, characterised by comprising the following steps:
1) terminal client download, installation and registration: 11) the terminal downloads the terminal client installation package provided by the policy management system; 12) the terminal installs the downloaded client package; 13) during installation the terminal registers itself with the policy management system and at the same time loads the associated access control engine on the terminal;
2) the policy management system configures the terminal access control policy: partitioning the network domain the terminal belongs to, specifying the network level, specifying the operating subject, the communication protocol, access authentication control, and access control between terminals;
3) before sending an IP packet, the terminal checks against its internally configured policy whether the data may be sent, and if so appends device label data to the IP packet and sends it;
4) when receiving an IP packet, the terminal verifies the device label data and judges according to its internally configured policy whether the IP packet may be received; if the device label data is valid it strips the label data and accepts the IP packet, otherwise it discards the packet;
the label data comprising a network domain identifier, a network level identifier, a subject identifier and access rights.
2. The multilevel, multi-domain access control method based on network-label communication according to claim 1, characterised in that it further comprises a step in which the terminal client periodically requests updated policy information from the policy management system.
3. The multilevel, multi-domain access control method based on network-label communication according to claim 1, characterised in that the label data originates from the policy management system.
4. A multilevel, multi-domain access control system based on network-label communication, characterised in that the terminal contains a sending unit which, before sending an IP packet, checks against the terminal's internally configured policy whether the data may be sent and, if so, appends device label data to the IP packet and sends it; the terminal further contains a receiving unit which, when an IP packet is received, verifies the device label data, judges according to the internally configured policy whether the IP packet may be received and, if the device label data is valid, strips the label data and accepts the IP packet, otherwise discards the packet; the label data comprising a network domain identifier, a network level identifier, a subject identifier and access rights.
5. The multilevel, multi-domain access control system based on network-label communication according to claim 4, characterised in that it further comprises a policy management system for configuring the terminal access control policy, specifically: partitioning the network domain the terminal belongs to, specifying the network level, specifying the operating subject, the communication protocol, access authentication control, and access control between terminals.
6. The multilevel, multi-domain access control system based on network-label communication according to claim 5, characterised in that, before the policy management system configures the terminal, the terminal downloads the terminal client installation package provided by the policy management system and installs it, and during installation registers itself with the policy management system and at the same time loads the associated access control engine on the terminal.
7. The multilevel, multi-domain access control system based on network-label communication according to claim 6, characterised in that it further comprises a terminal client policy update unit, by which the terminal client periodically requests updated policy information from the policy management system.
8. The multilevel, multi-domain access control system based on network-label communication according to claim 5, characterised in that the label data originates from the policy management system.
Priority and family

Application number: CN201410110186.6A (priority date 2014-03-24, filing date 2014-03-24), title: Multilevel, multi-domain access control method and system based on network-label communication; status: Expired - Fee Related
Publications: CN103944884A, published 2014-07-23; CN103944884B (granted), published 2017-05-31
Family ID: 51192368
Country status: CN (1), CN103944884B

Cited by (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN105577406B * | 2014-10-15 | 2019-02-12 | 华为技术有限公司 (Huawei Technologies Co Ltd) | Control method for service data flow and network device
CN111726353A * | 2020-06-17 | 2020-09-29 | 华中科技大学 (Huazhong University of Science and Technology) | Sensitive data grading protection method and grading protection system based on a numerical control system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101069145A * | 2004-09-30 | 2007-11-07 | 茨特里克斯系统公司 (Citrix Systems) | A method and apparatus for assigning access control levels in providing access to networked content files
CN101425903A * | 2008-07-16 | 2009-05-06 | 冯振周 | Trusted network architecture based on identity


Non-patent citations (1)

* Cited by examiner, † Cited by third party
陈明生 (Chen Mingsheng), "Research on label-based access control in a multi-domain environment" (多域环境下基于标签的访问控制研究), China Master's Theses Full-text Database, 2013-12-15, pp. I139-101 *



Legal events

Code | Title
C06 / PB01 | Publication
C10 / SE01 | Entry into substantive examination
GR01 | Patent grant (granted publication date: 2017-05-31)
CF01 | Termination of patent right due to non-payment of annual fee (termination date: 2019-03-24)