CN105635073A - Access control method and device and network access equipment - Google Patents

Access control method and device and network access equipment

Info

Publication number: CN105635073A
Authority: CN (China)
Prior art keywords: network access, access request, white list, url, recorded
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201410620661.4A
Other languages: Chinese (zh)
Other versions: CN105635073B (en)
Inventor: 章海刚
Current assignee: Huawei Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; priority to CN201410620661.4A; publication of CN105635073A; application granted; publication of CN105635073B; legal status: Active; anticipated expiration
Classification: Computer And Data Communications; Information Transfer Between Computers

Abstract

The invention discloses an access control method and device and network access equipment, which are used for solving the problem that an existing access control scheme based on a referer field has limited applicable scenes. The method includes the steps of: receiving a first network access request from an enterprise network, the first network access request carrying a first URL; judging whether the first URL is recorded on a first white list set in advance; based on a judgment result of recording of the first URL on the first white list, forwarding the first network access request to a server in the Internet; receiving a response to the first network access request from the server; establishing a second white list which stores a second URL carried in the response; receiving a second network access request from the enterprise network, the second network access request carrying a third URL; judging whether the third URL is recorded on the second white list; and based on a judgment result of recording of the third URL on the second white list, sending the second network access request to the Internet.

Description

Access control method, device and network access equipment
Technical field
The present invention relates to the field of computer and communication technology, and in particular to an access control method and an access control apparatus.
Background art
With the rapid development of Internet applications, computer networks have spread quickly into every area of social life. They make it convenient for people to obtain, share and distribute information, but they also create trouble for enterprise administrators: employees browse illegal websites at will and without any control, which not only seriously affects work efficiency but also threatens enterprise information security.
Many enterprise administrators want employees to access only work-related websites during working hours, and not entertainment, sports, news and other websites unrelated to work. A white list mechanism based on URLs (Uniform Resource Locator, URL for short) is a common prior-art means of achieving this.
The URL-based white list mechanism works as follows: a white list is pre-stored in a network access device such as a gateway or firewall, and only the URLs that users are permitted to access are recorded in it. When the network access device receives a user-initiated network access request from the enterprise network (for example, an intranet) connected to it, it extracts from the request the URL of the network resource being requested and judges whether that URL belongs to the white list. If the extracted URL does not belong to the white list, the request is blocked; if it does, the request is sent to the Internet.
Nowadays many web pages embed URLs of other websites. For example, the page http://bbs.csdn.net/home of the Chinese Software Developer Network (CSDN) embeds URLs of the recruiting site Liepin, such as http://www.liepin.com/, presented as image links or text links. In the case of an image link, a static or dynamic picture on the page http://bbs.csdn.net/home is actually served by a sub-page URL under the http://www.liepin.com/ website, such as http://www.liepin.com/ABC. If the user's network access request for http://www.liepin.com/ is blocked, the page http://bbs.csdn.net/home cannot be displayed completely, and the user sees a page http://bbs.csdn.net/home full of garbled content and warning boxes. This gives enterprise network users a poor experience.
To solve this problem, the URLs of other websites embedded in pages that users are allowed to access could be added manually to the white list, but this obviously increases the workload of network operations greatly. Another, more feasible approach is an access control scheme based on the referer field, whose principle is as follows:
When the network access device receives a user's network access request from the enterprise network, it judges whether the URL of the requested resource is in the white list. If it is not, the device further judges whether the URL in the referer field of the request is in the white list; if it is, the request is sent to the Internet, because this indicates that the request was initiated by following an embedded link in the page identified by the URL carried in the referer field. In the above example, when the user initiates a network access request for http://www.liepin.com/, the device judges whether the content of the referer field carried in the request, http://bbs.csdn.net/home, is in the white list; since http://bbs.csdn.net/home is in the white list, the user's request for http://www.liepin.com/ is sent to the Internet.
However, the referer-based access control scheme has, first, the problem of limited applicable scenarios: for example, to protect privacy a user can configure the browser so that the content of the referer field is masked when network access requests are sent, for instance set to an unrecognisable value, and many browser vendors, to meet this user demand, have mostly designed existing and future browser versions to mask the content of the referer field. Second, the scheme has a reliability problem: a malicious user can tamper with the content of the referer field, setting it to a URL that the white list permits, and thereby evade the access control implemented by the enterprise.
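The two prior-art schemes described above, and the two situations in which the referer-based scheme falls short, as an added Python example that is not part of the patent. The white list contents, the Request structure and the decision strings are constructed for illustration; only the CSDN and Liepin URLs come from the text.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example: a static URL white list of the kind both prior-art schemes use.
# The CSDN page is on the list; the recruiting site it embeds is not.
FIRST_WHITE_LIST = {"http://bbs.csdn.net/home"}


@dataclass
class Request:
    url: str                       # URL of the requested network resource
    referer: Optional[str] = None  # content of the referer field; None if the browser masked it


def static_whitelist_decision(req: Request) -> str:
    """Prior-art scheme 1: forward only if the requested URL itself is on the white list."""
    return "forward" if req.url in FIRST_WHITE_LIST else "block"


def referer_decision(req: Request) -> str:
    """Prior-art scheme 2: if the URL is not on the list, fall back to the referer field."""
    if req.url in FIRST_WHITE_LIST:
        return "forward"
    if req.referer is not None and req.referer in FIRST_WHITE_LIST:
        return "forward"  # the request was (apparently) initiated from a white-listed page
    return "block"


def compare_schemes() -> dict:
    """Run the situations from the background section through both schemes."""
    embedded = Request("http://www.liepin.com/ABC", referer="http://bbs.csdn.net/home")
    masked = Request("http://www.liepin.com/ABC")  # browser configured to mask the referer
    # A request for an unrelated site whose referer field carries a white-listed URL is
    # indistinguishable, at the gateway, from a genuine embedded-resource request: the
    # gateway has nothing but the client-supplied header to go on (constructed hostname).
    unrelated = Request("http://unrelated.example/", referer="http://bbs.csdn.net/home")
    return {
        "embedded_static": static_whitelist_decision(embedded),  # blocked: the page breaks
        "embedded_referer": referer_decision(embedded),          # forwarded: page renders
        "masked_referer": referer_decision(masked),              # blocked: limited applicability
        "unrelated_referer": referer_decision(unrelated),        # forwarded: reliability problem
    }


if __name__ == "__main__":
    for case, decision in compare_schemes().items():
        print(f"{case:18s} -> {decision}")
```

The last two entries are exactly the two weaknesses the text names: a masked referer makes the scheme block legitimate embedded resources, and because the referer value is chosen by the client, a hit on it is not evidence of anything. The claimed method below removes the dependence on that header by recording, at the gateway, which URLs the server's own response embedded.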
Summary of the invention
Embodiments of the present invention provide an access control method, in order to solve the problem of limited applicable scenarios that exists in the existing referer-based access control scheme.
Correspondingly, embodiments of the present invention also provide a network access device and an access control apparatus.
The technical solutions provided by embodiments of the present invention are as follows:
In a first aspect, an access control method is provided, including:
receiving a first network access request from an enterprise network, the first network access request carrying a first URL;
judging whether the first URL is recorded in a pre-set first white list;
based on a judgment result that the first URL is recorded in the first white list, forwarding the first network access request to a server in the Internet;
receiving a response to the first network access request from the server;
establishing a second white list in which at least one second URL carried in the response is saved;
receiving a second network access request from the enterprise network, the second network access request carrying a third URL;
judging whether the third URL is recorded in the second white list;
based on a judgment result that the third URL is recorded in the second white list, sending the second network access request to the Internet.
In a first possible implementation of the first aspect, before establishing the second white list, the method further includes:
determining that the first network access request belongs to a newly established session, where a newly established session means a session for which the three-way handshake has been completed but no service data has yet been exchanged; the second white list is established based on this determination result.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, before judging whether the third URL is recorded in the second white list, the method further includes:
determining that the second network access request belongs to the session of the first network access request;
based on the determination result, performing the step of judging whether the third URL is recorded in the second white list.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, before the step of judging whether the third URL is recorded in the second white list, the method includes: judging whether the third URL belongs to the first white list;
based on a judgment result that the third URL does not belong to the first white list, performing the step of judging whether the third URL is recorded in the second white list.
With reference to the second possible implementation of the first aspect, in a fourth possible implementation of the first aspect, based on the determination result that the second network access request belongs to the session of the first network access request, after performing the step of judging whether the third URL is recorded in the second white list, the method further includes:
based on a determination result that the third URL is not recorded in the second white list, determining whether the third URL belongs to the first white list;
based on a determination result that the third URL belongs to the first white list, sending the second network access request; based on a determination result that the third URL does not belong to the first white list, blocking the second network access request.
With reference to the first aspect or the first possible implementation of the first aspect, in a fifth possible implementation of the first aspect, before judging whether the third URL is recorded in the second white list, the method further includes:
based on a determination result that the second network access request does not belong to the session of the first network access request, judging whether the third URL is recorded in the first white list;
based on a judgment result that the third URL is not recorded in the first white list, performing the step of judging whether the third URL is recorded in the second white list.
With reference to the fifth possible implementation of the first aspect, in a sixth possible implementation of the first aspect, the second white list further includes a timestamp and the user agent identifier and source address carried in the first network access request, where the timestamp is the time at which the first network access request was received or the time at which the response corresponding to the first network access request was received;
the step of sending the second network access request to the server based on the judgment result that the third URL is recorded in the second white list includes:
based on the judgment result that the third URL is recorded in the second white list, determining whether the source address of the second network access request is identical to the source address in the second white list, whether the user agent identifier carried in the second network access request is identical to the user agent identifier in the second white list, and whether the difference between the time at which the second network access request was received and the timestamp in the second white list is within a pre-set range;
based on a determination result that the source address of the second network access request is identical to the source address in the second white list, that the user agent identifier carried in the second network access request is identical to the user agent identifier in the second white list, and that the difference between the time at which the second network access request was received and the timestamp in the second white list is within the pre-set range, performing the step of sending the second network access request to the Internet.
With reference to the first aspect or any of the above possible implementations of the first aspect, in a seventh possible implementation of the first aspect, after establishing the second white list, the method further includes: setting an ageing time corresponding to the second white list, the ageing time indicating the length of time for which the second white list is kept.
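The first aspect together with its first, second, fifth, sixth and seventh implementations, as an added Python example that is not the patent's code: a pre-set first white list, a per-session second white list built from the URLs in the server's response, the source address / user agent / time-window check for a request that arrives on a different session, and an ageing time after which the second white list is dropped. The Gateway and Request classes, the session key (a 4-tuple), the decision strings, and all addresses, agent strings and times are the editor's assumptions; only the vmall URLs come from the description.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed example implementing the claimed method. Class and field names are the
# editor's; the patent defines the steps, not this interface.

SessionKey = Tuple[str, int, str, int]  # (source IP, source port, destination IP, destination port)


@dataclass
class Request:
    session: SessionKey
    url: str                    # URL carried in the request (first or third URL in claim terms)
    source_address: str
    user_agent: str             # user agent identifier
    received_at: float          # time at which the gateway received the request
    new_session: bool = False   # True if the three-way handshake completed but no service
                                # data has been exchanged yet (first implementation)


@dataclass
class SecondWhiteList:
    urls: Set[str]              # second URLs taken from the server's response
    source_address: str
    user_agent: str
    timestamp: float            # time the first request (or its response) was received
    ageing_time: float          # how long this list is kept (seventh implementation)


class Gateway:
    def __init__(self, first_white_list: Set[str], ageing_time: float, max_delay: float):
        self.first_white_list = first_white_list   # pre-set first white list
        self.ageing_time = ageing_time             # seventh implementation
        self.max_delay = max_delay                 # sixth implementation: pre-set time range
        self.second_lists: Dict[SessionKey, SecondWhiteList] = {}

    def handle_request(self, req: Request) -> str:
        """Return "forward" or "block" for a request arriving from the enterprise network."""
        self._expire(req.received_at)
        # A URL on the first white list is always forwarded (third/fourth/fifth implementations).
        if req.url in self.first_white_list:
            return "forward"
        own = self.second_lists.get(req.session)
        if own is not None:
            # Second implementation: same session as the first request, so membership in
            # that session's second white list is sufficient.
            return "forward" if req.url in own.urls else "block"
        # Fifth/sixth implementations: a different session (e.g. a new TCP connection for an
        # embedded resource). A hit on some second white list must also match the source
        # address and user agent and fall inside the time window.
        for second in self.second_lists.values():
            if (req.url in second.urls
                    and second.source_address == req.source_address
                    and second.user_agent == req.user_agent
                    and 0 <= req.received_at - second.timestamp <= self.max_delay):
                return "forward"
        return "block"

    def handle_response(self, req: Request, response_urls: Set[str]) -> bool:
        """Establish the second white list from the URLs embedded in the server's response.
        Returns True if a list was created (only for a newly established session)."""
        if not req.new_session:
            return False
        self.second_lists[req.session] = SecondWhiteList(
            urls=set(response_urls), source_address=req.source_address,
            user_agent=req.user_agent, timestamp=req.received_at,
            ageing_time=self.ageing_time)
        return True

    def _expire(self, now: float) -> None:
        """Drop second white lists whose ageing time has elapsed."""
        stale = [k for k, v in self.second_lists.items() if now - v.timestamp > v.ageing_time]
        for k in stale:
            del self.second_lists[k]


PNG = "http://res.vmall.com/pimages/tag/1/138254288099.png"


def walkthrough() -> Dict[str, str]:
    """Replay the scenario of Fig. 2 with constructed addresses and return each decision."""
    gw = Gateway({"http://www.vmall.com/"}, ageing_time=60.0, max_delay=30.0)
    sess = ("10.0.0.5", 40001, "203.0.113.10", 80)            # UEA -> Server1 (constructed)
    first = Request(sess, "http://www.vmall.com/", "10.0.0.5", "UA-1", 1000.0, new_session=True)
    out = {"first": gw.handle_request(first)}
    gw.handle_response(first, {PNG})                          # the 200 OK embeds the picture
    out["same_session"] = gw.handle_request(Request(sess, PNG, "10.0.0.5", "UA-1", 1001.0))
    other = ("10.0.0.5", 40002, "203.0.113.10", 80)           # new connection for the resource
    out["other_session"] = gw.handle_request(Request(other, PNG, "10.0.0.5", "UA-1", 1002.0))
    out["other_agent"] = gw.handle_request(Request(other, PNG, "10.0.0.5", "UA-2", 1002.0))
    out["too_late"] = gw.handle_request(Request(other, PNG, "10.0.0.5", "UA-1", 1040.0))
    out["not_embedded"] = gw.handle_request(
        Request(sess, "http://unrelated.example/", "10.0.0.5", "UA-1", 1003.0))
    out["aged_out"] = gw.handle_request(Request(sess, PNG, "10.0.0.5", "UA-1", 1100.0))
    return out
```

Note that the second white list is keyed by the session of the first request, and that no decision reads a client-supplied referer; the only evidence the gateway trusts is what the server returned. The source address, user agent and time window in the different-session branch are what stops one client's page load from opening the embedded URLs to every other client behind the gateway.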
In a second aspect, a network access device is provided, including a memory, a processor and a network interface, the memory, the processor and the network interface being connected by a bus, where:
the network interface is configured to receive a first network access request from an enterprise network, the first network access request carrying a first URL;
the processor is configured to read program code stored in the memory and perform the following operations:
judging whether the first URL is recorded in a pre-set first white list;
based on a judgment result that the first URL is recorded in the first white list, instructing the network interface to forward the first network access request to the server;
the network interface is further configured to receive a response to the first network access request from the server;
the processor is further configured to establish a second white list in which at least one second URL carried in the response is saved;
the network interface is further configured to receive a second network access request from the enterprise network, the second network access request carrying a third URL;
the processor is further configured to perform:
judging whether the third URL belongs to the second white list;
based on a judgment result that the third URL is recorded in the second white list, instructing the network interface to send the second network access request to the Internet.
In a first possible implementation of the second aspect, the processor is further configured, before establishing the second white list, to determine that the first network access request belongs to a newly established session, where a newly established session means a session for which the three-way handshake has been completed but no service data has yet been exchanged, and to establish the second white list based on this determination result.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the processor is further configured, before judging whether the third URL is recorded in the second white list, to judge whether the third URL is recorded in the first white list based on a determination result that the second network access request does not belong to the session of the first network access request;
and, based on a judgment result that the third URL is not recorded in the first white list, to perform the step of judging whether the third URL is recorded in the second white list.
With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, the second white list further includes a timestamp and the user agent identifier and source address carried in the first network access request, where the timestamp is the time at which the first network access request was received or the time at which the response corresponding to the first network access request was received;
the step of sending the second network access request to the server based on the judgment result that the third URL is recorded in the second white list includes:
based on the judgment result that the third URL is recorded in the second white list, determining whether the source address of the second network access request is identical to the source address in the second white list, whether the user agent identifier carried in the second network access request is identical to the user agent identifier in the second white list, and whether the difference between the time at which the second network access request was received and the timestamp in the second white list is within a pre-set range;
based on a determination result that the source address of the second network access request is identical to the source address in the second white list, that the user agent identifier carried in the second network access request is identical to the user agent identifier in the second white list, and that the difference between the time at which the second network access request was received and the timestamp in the second white list is within the pre-set range, performing the step of sending the second network access request to the Internet.
With reference to the second aspect or any possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the processor is further configured, after establishing the second white list, to set an ageing time corresponding to the second white list, the ageing time indicating the length of time for which the second white list is kept.
In a third aspect, an access control apparatus is also provided, including:
a receiving module, configured to receive a first network access request from an enterprise network, the first network access request carrying a first URL;
a judging module, configured to judge whether the first URL is recorded in a first white list pre-set by a first white list maintenance module;
a sending module, configured to forward the first network access request to a server in the Internet based on the judgment result, obtained by the judging module, that the first URL is recorded in the first white list;
the receiving module is further configured to receive a response to the first network access request from the server;
a second white list creation module, configured to establish a second white list in which at least one second URL carried in the response received by the receiving module is saved;
the receiving module is further configured to receive a second network access request from the enterprise network, the second network access request carrying a third URL;
the judging module is further configured to judge whether the third URL is recorded in the second white list;
the sending module is further configured to send the second network access request to the Internet based on the judgment result, obtained by the judging module, that the third URL is recorded in the second white list.
In a first possible implementation of the third aspect, the judging module is specifically configured, before the second white list is established, to determine that the first network access request belongs to a newly established session, where a newly established session means a session for which the three-way handshake has been completed but no service data has yet been exchanged; the second white list creation module establishes the second white list based on this determination result.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the judging module is configured, before judging whether the third URL is recorded in the second white list, to judge whether the third URL is recorded in the first white list based on a determination result that the second network access request does not belong to the session of the first network access request, and, based on a judgment result that the third URL is not recorded in the first white list, to perform the step of judging whether the third URL is recorded in the second white list.
With reference to the second possible implementation of the third aspect, in a third possible implementation of the third aspect, the second white list further includes a timestamp and the user agent identifier and source address carried in the first network access request, where the timestamp is the time at which the first network access request was received or the time at which the response corresponding to the first network access request was received;
the judging module is specifically configured, based on the judgment result that the third URL is recorded in the second white list, to determine whether the source address of the second network access request is identical to the source address in the second white list, whether the user agent identifier carried in the second network access request is identical to the user agent identifier in the second white list, and whether the difference between the time at which the second network access request was received and the timestamp in the second white list is within a pre-set range;
the sending module is specifically configured to send the second network access request to the Internet based on the determination result, obtained by the judging module, that the source address of the second network access request is identical to the source address in the second white list, that the user agent identifier carried in the second network access request is identical to the user agent identifier in the second white list, and that the difference between the time at which the second network access request was received and the timestamp in the second white list is within the pre-set range.
With reference to the third aspect or any possible implementation of the third aspect, in a fourth possible implementation of the third aspect, the second white list creation module is further configured, after establishing the second white list, to set an ageing time corresponding to the second white list, the ageing time indicating the length of time for which the second white list is kept.
In embodiments of the present invention, when the network access device receives a first network access request from a terminal device, it establishes, according to at least one second URL carried in the server's response to the first network access request, a second white list corresponding to the newly established session; the second white list stores, for the first URL, the correspondence between the first URL and the other URLs (i.e. the second URLs) embedded in the web page identified by the first URL. Subsequently, when a second network access request from the terminal device for the page identified by a third URL is received, the device judges whether the third URL belongs to the second white list; if it does, this shows that the second network access request was initiated by following an embedded link in the web page identified by the first URL, and the second network access request is sent to the Internet. Because the network access device confirms whether the second network access request is permitted without referring to the content of the referer field carried in that request, the problem of limited applicable scenarios caused by users or browser vendors masking the referer field content is avoided.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an application scenario of the access control method provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of a network access procedure provided by an embodiment of the present invention;
Fig. 3a is a schematic structural diagram of a network access device provided by an embodiment of the present invention;
Fig. 3b is a logical block diagram of the program modules of the network access device provided by an embodiment of the present invention;
Fig. 4a is a flow chart of the access control method provided by an embodiment of the present invention;
Fig. 4b is a flow chart of the access control method provided by an embodiment of the present invention;
Fig. 5a is a schematic diagram of the format of a session entry in an embodiment of the present invention;
Fig. 5b is a schematic diagram of the content of the session entry between UEA and Server1 in an embodiment of the present invention;
Fig. 5c is a schematic diagram of the format of the session entry after updating in an embodiment of the present invention;
Fig. 5d is a schematic diagram of the content of the session entry between UEA and Server1 after updating in an embodiment of the present invention;
Fig. 5e is a schematic diagram of the format of the session entry after updating in an embodiment of the present invention;
Fig. 5f is a schematic diagram of the content of the session entry between UEA and Server1 after updating in an embodiment of the present invention.
Detailed description of the invention
Below in conjunction with the accompanying drawing in the embodiment of the present invention, the technical scheme in the embodiment of the present invention is clearly and completely described, it is clear that described embodiment is a part of embodiment of the present invention, rather than whole embodiments. Based on the embodiment in the present invention, the every other embodiment that those of ordinary skill in the art obtain under not making creative work premise, broadly fall into the scope of protection of the invention.
Accompanying drawing 1 is the application scenarios schematic diagram of the access control method that the embodiment of the present invention provides. This application scenarios includes the enterprise network for LAN. User terminal in enterprise network accesses the Internet by network access equipment, the UEA in user terminal such as accompanying drawing 1. Wherein, user terminal can be personal computer, notebook computer, intelligent movable mobile phone, personal digital assistant (PersonalDigitalAssistant is called for short PDA) etc. Network access equipment can be gateway, firewall box etc., the GW in accompanying drawing 1. The Internet includes multiple web page server, Server1, the Server2 in accompanying drawing 1. It is introduced in conjunction with the network access procedure of the user in accompanying drawing 1 local area network following by accompanying drawing 2.
Accompanying drawing 2 is the schematic diagram of the network access procedure that the embodiment of the present invention provides.
Step 200, the UEA in LAN carries out three-way handshake (threetimeshandshake) message interaction by GW and Server1, thus the session set up between UEA and Server1.
User inputs the webpage URLhttp of a shopping website in the browser of UEA: //www.vmall.com, it is assumed here that this webpage is to be provided by the Server1 in accompanying drawing 1. Browser in the present embodiment refers to the file in display web page server or archives economy, and allow user's a kind of software interactive with these files, such as the Firefox etc. of the InternetExplorer series of Microsoft, Chrome, Mozilla company of Google.
For brevity, the present embodiment eliminates the introduction of the prior aries such as the dns resolution that may relate in message interaction process.
UEA sends SYN message to Server1; Server1 returns SYN/ACK message; UEA sends ACK message. If these three message interactions normally complete according to the requirement of standard RFC793, RFC791 or RFC1700, then UEA and Server1 sets up session.
Step 210: UEA sends a first network access request to Server1. The first network access request carries the URL http://www.vmall.com in order to access the web page identified by the URL http://www.vmall.com. The content of the first network access request includes GET http://www.vmall.com/ HTTP/1.1\r\n, which can be obtained by parsing the packet. In the embodiment of the present invention, the "URL carried in a network access request" may be the URL adjacent to the GET keyword.
Step 220: Server1 returns to UEA the response corresponding to the first network access request. The content of this response includes HTTP/1.1 200 OK\r\n. The response also carries the resources needed to normally present the web page identified by the URL http://www.vmall.com, or the URLs of those resources, such as pictures, scripts (JavaScript), style sheets (Cascading Style Sheets, CSS) and other URLs. Here "other URLs" means URLs other than the URL http://www.vmall.com; they may be URLs of other websites or other URLs of the same website. The present embodiment is illustrated with the URL http://res.vmall.com/pimages/tag/1/138254288099.png of the same website; the case of different websites is described later.
Step 230: UEA sends a second network access request to Server1. After UEA receives the response corresponding to the first network access request, its browser parses the response as HTML (HyperText Markup Language) to obtain the content carried in the response, further determines which resources must be obtained by initiating further network access requests, and then sends network access requests to obtain those resources.
For example, the picture identified by the URL http://res.vmall.com/pimages/tag/1/138254288099.png must be obtained by initiating a further network access request, namely the second network access request.
The content of the second network access request includes GET http://res.vmall.com/pimages/tag/1/138254288099.png HTTP/1.1\r\n. In practice, the resource corresponding to the URL carried in the first network access request and the resource corresponding to the URL carried in the second network access request may be provided by the same server, for example both by Server1, or by different servers, for example the resource corresponding to the URL carried in the first network access request is provided by Server1 and the resource corresponding to the URL carried in the second network access request is provided by Server2. It is assumed here that the picture identified by the URL http://res.vmall.com/pimages/tag/1/138254288099.png is provided by Server1.
Step 240: Server1 returns to UEA the response corresponding to the second network access request. The content of this response includes HTTP/1.1 200 OK\r\n, and the response also carries the picture identified by the URL http://res.vmall.com/pimages/tag/1/138254288099.png.
The browser of UEA displays the web page identified by the URL http://www.vmall.com to the user according to the picture carried in the response corresponding to the second network access request together with the other resources carried in the response corresponding to the first network access request. For example, it combines the picture carried in the response corresponding to the second network access request with the scripts, CSS and so on carried in the response corresponding to the first network access request, generates the web page identified by the URL http://www.vmall.com, and shows it to the user.
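To show what "the URL adjacent to the GET keyword" and "the URLs carried in the response" amount to in code, the following Python example, added here and not part of the patent, parses a constructed request line and a constructed HTML response body: it takes the absolute URL from the request line and collects the picture, script and style-sheet URLs that the browser would have to fetch next, which is exactly the set of URLs a gateway would need in order to build the second white list. Apart from www.vmall.com and the picture URL from the text, the hosts, paths and the response body are constructed.

```python
"""Pull the URL next to the GET keyword out of a request line and the resource
URLs out of the HTML page returned for it.  Added example, not code from the
patent; the response body and every host other than www.vmall.com and
res.vmall.com are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def url_from_request_line(request_line):
    """Return the absolute URL that follows GET, or None if the line is not
    a GET in absolute form (e.g. 'GET /index.html HTTP/1.1' or a POST)."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "GET":
        return None
    parsed = urlparse(parts[1])
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    return parts[1]


class _ResourceCollector(HTMLParser):
    """Collects the src/href values of tags that make the browser fetch
    further resources: pictures, scripts and style sheets."""
    FETCH_ATTRS = {"img": "src", "script": "src", "link": "href"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.FETCH_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                # Relative references are resolved against the page URL.
                self.urls.append(urljoin(self.base_url, value))


def embedded_urls(page_url, html):
    """Return the resource URLs embedded in the page, in document order, deduplicated."""
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    seen, result = set(), []
    for url in collector.urls:
        if url not in seen:
            seen.add(url)
            result.append(url)
    return result


# Constructed sample exchange: the first request of step 210 and a response
# body in the shape step 220 describes (style sheet, script, pictures).
SAMPLE_REQUEST_LINE = "GET http://www.vmall.com/ HTTP/1.1\r\n"
SAMPLE_RESPONSE_BODY = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://res.vmall.com/js/app.js"></script>
</head><body>
<img src="http://res.vmall.com/pimages/tag/1/138254288099.png">
<img src="http://res.vmall.com/pimages/tag/1/138254288099.png">
<img src="http://static.example.org/banner.png">
</body></html>"""

if __name__ == "__main__":
    page = url_from_request_line(SAMPLE_REQUEST_LINE)
    for url in embedded_urls(page, SAMPLE_RESPONSE_BODY):
        print(url)
```

Only absolute-form request targets are accepted, matching the request line the text shows; a gateway that also saw origin-form requests would have to combine the path with the Host header, which this example leaves out. Duplicate references (the same picture twice) collapse to one white-list candidate.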
In the network access procedure shown in FIG. 2, the first network access request and the second network access request sent by user terminal UEA are forwarded into the Internet by network access device GW, and devices such as routers in the Internet send the first network access request and the second network access request to the corresponding web server Server1 or Server2 according to their destination addresses and destination ports. Correspondingly, the response corresponding to the first network access request and the response corresponding to the second network access request returned by Server1 or Server2 are sent to user terminal UEA by the network access device.
FIG. 3a is a schematic structural diagram of the network access device (such as GW in FIG. 1 and FIG. 2) provided by the embodiment of the present invention. The network access device includes memory 301, processor 302 and network interface 303, which are connected with each other by bus 304.
Memory 301 includes, but is not limited to, random access memory (RAM), read only memory (ROM), erasable programmable read only memory (EPROM or flash memory) or portable read only memory (CD-ROM).
Processor 302 may be one or more central processing units (CPU). When processor 302 is a single CPU, that CPU may be a single-core CPU or a multi-core CPU.
Network interface 303 is used to receive the network access requests of user terminals from the enterprise network, such as the first network access request carrying the first URL and the second network access request carrying the third URL. Optionally, it is also used to receive the responses corresponding to network access requests, such as the response, carrying the second URL, corresponding to the first network access request. Network interface 303 may be a single network interface or multiple network interfaces. When network interface 303 is multiple network interfaces, one class of interface may be used to communicate with the user terminals in the enterprise network, that is, to receive messages from user terminals and send messages to user terminals, and another class of interface communicates with the web servers in the Internet, that is, receives messages from web servers and sends messages to web servers. For simplicity of description, the embodiment of the present invention does not distinguish between these two classes of interface. Network interface 303 may be a wired interface, for example a Fiber Distributed Data Interface (FDDI) or Gigabit Ethernet (GE) interface, or it may be a wireless interface.
Processor 302 reads the program modules 3010 stored in memory 301 and performs the operations instructed by those program modules.
Referring to FIG. 3b, the program modules 3010 stored in memory 301 include receiving module 3011, first white list maintenance module 3012, second white list creation module 3013, judging module 3014 and sending module 3015.
Receiving module 3011 is used to receive the first network access request from the enterprise network, the first network access request carrying the first URL. Receiving module 3011 obtains, through bus 304, the first network access request carrying the first URL, the second network access request carrying the third URL and so on that network interface 303 receives from the enterprise network. Optionally, it is also used to obtain the responses corresponding to network access requests that network interface 303 receives from servers in the Internet, such as the response, carrying the second URL, corresponding to the first network access request.
First white list maintenance module 3012 is used to store the first white list set in advance; the first white list records the list of URL information that users in the enterprise network are allowed to access. An administrator of the enterprise network can set or modify the content of the first white list through the graphical user interface (GUI) or the command line provided by first white list maintenance module 3012, including adding entries to, or deleting entries from, the first white list as initially set.
Judging module 3014 is used to judge whether the first URL carried in the first network access request received by receiving module 3011 is recorded in the first white list stored by first white list maintenance module 3012.
Sending module 3015 is used to forward the first network access request to a server in the Internet based on the judgement result, obtained by judging module 3014, that the first URL is recorded in the first white list.
Receiving module 3011 is further used to receive the response to the first network access request from the server.
Second white list creation module 3013 is used to establish a second white list, in which at least one second URL carried in the response received by receiving module 3011 is stored.
Receiving module 3011 is further used to receive a second network access request from the enterprise network, the second network access request carrying a third URL.
Judging module 3014 is further used to judge whether the third URL carried in the second network access request received by receiving module 3011 is recorded in the second white list created by second white list creation module 3013.
Sending module 3015 is used to send the second network access request if judging module 3014 judges that the third URL is recorded in the second white list. Sending module 3015 sending the second network access request means that the second network access request is sent to network interface 303 through bus 304 and network interface 303 is instructed to send the second network access request to the Internet.
Optionally, it can be seen from the above that the second white list determines whether the second network access request is sent into the Internet or blocked. Understandably, the more URLs the second white list contains, the greater the freedom users in the enterprise network have to access the network. In order to prevent the second white list from growing too quickly, and at the same time to control the network access behaviour of users in the local area network more strictly, the above embodiment may also be adjusted as follows.
Before second white list creation module 3013 establishes the second white list, judging module 3014 determines that the first network access request belongs to a newly established session, and second white list creation module 3010 establishes the second white list based on that determination result. That is, second white list creation module 3010 establishes the second white list only when the first network access request satisfies both conditions at once: it belongs to the first white list and it belongs to a newly established session. A newly established session here means a session for which the three-way handshake has completed but no service data has yet been exchanged.
When judging module 3014 determines whether the first network access request belongs to a newly established session, the specific implementation includes, but is not limited to, determining this on the basis of a stored session table. The session table contains a session entry corresponding to each session, and a session entry includes the five-tuple of the session, namely <source IP address, source port, destination IP address, destination port, protocol type>. A flag bit can be added to the session entry to help determine whether the session is newly established. For example, the initial value of the flag bit is set to 0; when the network access device receives a service message, it looks up whether the flag bit in the session entry of the session to which the message belongs is 0; if it is 0, the session is confirmed to be newly established and the flag bit is set to 1; if it is 1, the session is confirmed not to be newly established. When second white list creation module 3013 establishes the second white list, it may specifically establish the second white list corresponding to the session to which the first network access request belongs.
Correspondingly, before judging whether the third URL is recorded in the second white list, judging module 3014 is used to judge, based on the determination result that the second network access request does not belong to the session of the first network access request, whether the third URL is recorded in the first white list, and, based on the judgement result that the third URL is not recorded in the first white list, to perform the step of judging whether the third URL is recorded in the second white list. Specifically, judging module 3014 matches the source port, destination IP address, destination port and protocol type of the second network access request against the five-tuple of each session entry in the session table, and determines from the matching result whether the second network access request belongs to the session of the first network access request.
Further, the second white list created by second white list creation module 3013 also includes a timestamp, and the user agent identifier and source address carried in the first network access request. The timestamp is the time at which the first network access request is received or the time at which the response corresponding to the first network access request is received. Since the bus transmission delay is negligible, the time at which the first network access request is received may be the time at which network interface 303 receives the first network access request, and the time at which the response corresponding to the first network access request is received may be the time at which network interface 303 receives that response.
Judging module 3014 is further used, if the second network access request belongs to the session of the first network access request, to determine whether the third URL belongs to the first white list; if the third URL belongs to the first white list, the second network access request is sent; if the third URL does not belong to the first white list, it is determined whether the third URL belongs to the second white list.
Further, judging module 3014 is specifically used, if the third URL belongs to the second white list, to determine whether the source address of the second network access request is identical to the source address in the second white list, whether the user agent identifier carried in the second network access request is identical to the user agent identifier in the second white list, and whether the difference between the time at which the second network access request is received and the timestamp in the second white list is within a range set in advance.
If the source address of the second network access request is identical to the source address in the second white list, the user agent identifier carried in the second network access request is identical to the user agent identifier in the second white list, and the difference between the time at which the second network access request is received and the timestamp in the second white list is within the range set in advance, it instructs sending module 3015 to send the second network access request; otherwise it blocks the second network access request.
Optionally, if the second network access request belongs to the session of the first network access request, judging module 3014 is further used, before judging whether the third URL is recorded in the second white list, to judge whether the third URL belongs to the first white list; based on the judgement result that the third URL belongs to the first white list, it instructs sending module 3015 to send the second network access request; if the third URL does not belong to the first white list, it performs the step of judging whether the third URL is recorded in the second white list.
Optionally, if the second network access request belongs to the session of the first network access request, judging module 3014 is further used, if the third URL does not belong to the second white list, to determine whether the third URL belongs to the first white list; if the third URL belongs to the first white list, it instructs sending module 3015 to send the second network access request; if the third URL does not belong to the first white list, it blocks the second network access request.
That is, when the second network access request belongs to the session of the first network access request, as long as the third URL belongs to either the first white list or the second white list, the judging module instructs sending module 3015 to send the second network access request; only when the third URL belongs to neither the first white list nor the second white list is the second network access request blocked.
The embodiment of the present invention additionally provides an access control apparatus whose logical diagram is identical to the program modules in FIG. 3b, the difference being that the access control apparatus may be implemented purely in software or in software combined with hardware. When the access control apparatus is implemented purely in software, it is identical to the program modules in the above embodiment. When it is implemented in software combined with hardware, receiving module 3011 and sending module 3015 are implemented in hardware and may be the network interface 303 in FIG. 3a.
The embodiment of the present invention provides a network access device that establishes, for each session entry in the session table it maintains, a corresponding second white list. The second white list is established as follows: the network access device receives a first network access request carrying a first URL; when the first network access request belongs to a newly established session and the first URL is recorded in the first white list set in advance, the second URLs embedded in the web page identified by the first URL are added to the second white list. Then, when the network access device receives a network access request, it determines according to the second white list whether to forward that network access request into the Internet or block it, specifically as follows: it receives a second network access request carrying a third URL; it determines whether the second network access request belongs to the session of the first network access request; if the second network access request belongs to the session of the first network access request and the third URL is recorded in the second white list, the second network access request is forwarded into the Internet. Because the content of the referer field is not referred to when deciding whether to send or block the second network access request, the detection result is unaffected regardless of whether the user or the browser provider suppresses the referer field, thus providing an access control method of high generality.
It should be understood that, when the network access device or access control apparatus provided by the above embodiment performs access control on network access requests from the enterprise network (namely network access requests to the Internet initiated by users in the enterprise network), the division into the above functional modules is only illustrative; in practical applications the above functions can be allocated to different functional modules as required, that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above.
In the method shown in FIG. 2, according to existing protocols, if the resource identified by the first URL carried in the first network access request and the resource identified by the second URL carried in the second network request are provided by the same web server, the user terminal may send the second network request over the session of the first network access request or over a newly established session. By extending the session entries in the network access device, these two cases can be handled differently. If the resource identified by the first URL carried in the first network access request and the second URL carried in the second network request are provided by different web servers, the user terminal can send the second network request only over a newly established session.
FIG. 4a and FIG. 4b are flow charts of the access control method provided by the embodiment of the present invention; the access control method provided by the embodiment is described in detail together with the preceding figures. Because many steps are involved and they are hard to show in one figure, the flow chart is split into FIG. 4a and FIG. 4b, which describe the access control method from the perspective of the network access device. A network access device is a device with a network access function, including but not limited to a gateway, a firewall device and so on; the present embodiment is illustrated with the GW in FIG. 1 and FIG. 2.
Step 400: while forwarding the three-way handshake messages between UEA and Server1 in the LAN, GW establishes the session entry corresponding to the session set up by the three-way handshake. The three-way handshake messages between UEA and Server1 are forwarded by GW. When forwarding the SYN message sent by UEA, GW creates a session entry in the session table. The session entry includes the five-tuple <source IP address, source port, destination IP address, destination port, protocol type>: the source IP address in the five-tuple is the source address in the SYN message, the source port is the source port in the SYN message, the destination IP address is the destination address in the SYN message, the destination port is the destination port in the SYN message, and the protocol type is obtained by parsing the header of the SYN message.
In the present embodiment, the format of a session entry is as shown in FIG. 5a, and the content of the session entry between UEA and Server1 is as shown in FIG. 5b: the source address is the address 3.1.1.10 of UEA, the source port is port 2060 of UEA, the destination address is the address 12.0.0.100 of Server1, the destination port is port 80 of Server1, and the protocol type is TCP.
Step 410: GW receives the first network access request sent by UEA to Server1; the first network access request carries the URL http://www.vmall.com in order to access the web page identified by the URL http://www.vmall.com. This step is similar to step 210 in FIG. 2 and the related features are not repeated here.
Step 411: GW judges whether the URL carried in the first network access request is recorded in the first white list set in advance. If the URL carried in the first network access request is recorded in the first white list set in advance, step 412 is performed; otherwise the first network access request is discarded. This embodiment assumes that the first white list contains only the URL http://www.vmall.com, so the URL carried in the first network access request is recorded in the first white list.
Step 412: after receiving the first network access request, GW judges whether the first network access request belongs to a newly established session. Specifically, step 412 further includes the following steps.
Step 4110: after receiving a message from the LAN, GW confirms by parsing the message header structure whether the message is a network access request, namely an HTTP GET message. If it is a network access request, step 4111 is performed; otherwise the message is forwarded, or handled according to the existing gateway's method of handling messages. Specifically, GW can determine whether the message is a network access request according to whether the format of the HTTP GET in the received message conforms to the definition in RFC 2616, which is not described in detail here.
Step 4111: if the received message is determined to be a network access request, GW looks up the session table according to the source IP address, source port, destination IP address, destination port and protocol type obtained by parsing the message, and determines whether the session table contains a session entry whose five-tuple is consistent with the source IP address, source port, destination IP address and destination port of the message. If such an entry exists, step 4112 is performed; if no session entry whose five-tuple is consistent with the source IP address, source port, destination IP address and destination port of the network access request exists, the network access request is discarded, because it is probably a forged packet.
Step 4112: GW determines whether a main link flag exists in the session entry found in step 4111. If no main link flag exists, the message is confirmed to belong to a newly established session.
Step 413: if the first network access request belongs to a newly established session and the URL carried in the first network access request is recorded in the first white list, the session entry is updated according to the information carried in the first network access request: a main link flag is added, together with units for recording the user agent (User-agent) identifier, the source address and the timestamp respectively.
In the present embodiment, the main link flag is set when, after the three-way handshake has completed the session establishment process, the first service message is transmitted between the user terminal and the server, namely when GW forwards the first network access request between the user terminal and the server. It indicates that the user terminal has already requested a web page over the session corresponding to this session entry.
In the present embodiment, because the first network access request is the first network access request message transmitted between UEA and Server1, GW marks the main link flag in the session entry shown in FIG. 5b and adds units for recording the user agent identifier, the source address and the timestamp respectively. The user agent identifier is the one carried in the first network access request, the source address is the one carried in the first network access request, and the timestamp is the device time at which GW receives the first network access request or, subsequently, the device time at which GW receives the response corresponding to the first network access request. The source address may of course be multiplexed with the source address in the five-tuple, so as to save storage space; for clarity of description, the present embodiment is described with a newly added unit in the session entry for recording the source address.
Optionally, to facilitate management and subsequent data analysis, units may also be added for recording the host (HOST) identifier carried in the first network access request and the URL carried in the first network access request respectively. For brevity, the URL carried in the first network access request is referred to below as the "first URL".
The format of the updated session entry is as shown in FIG. 5c, and its content in the present embodiment is as shown in FIG. 5d: the host identifier is www.vmall.com; the user agent identifier is Mozilla/4.0; the timestamp is 5.020338; the source address is 3.1.1.10.
Step 414: GW receives the response corresponding to the first network access request returned by Server1 to UEA, and creates, according to the URLs carried in the response, the second white list corresponding to the session entry of the session of the first access request. For the specific content of the response corresponding to the first network access request, refer to the description of step 220 in FIG. 2, which is not repeated here.
GW parses the response corresponding to the first network access request to obtain at least one other URL, carried in the response, that is embedded in the page identified by the first URL. For brevity, the other URLs embedded in the page identified by the first URL are referred to below as "second URLs".
Obviously, the response corresponding to the first network access request and the first network access request belong to the same session. GW adds to the session entry corresponding to this session in the session table a unit for recording at least one second URL. The response corresponding to the first network access request may carry at least one second URL. For brevity, the present embodiment is illustrated with one second URL carried in the response corresponding to the first network access request; in practical applications the response often carries multiple second URLs. When multiple second URLs are carried in the response corresponding to the first network access request, preferably all of the second URLs carried in the response are added to the session entry, although, from the viewpoint of saving storage space, only some of the second URLs may be selectively added to the session entry. In the present embodiment, the second URL carried in the response corresponding to the first network access request is http://res.vmall.com/pimages/tag/1/138254288099.png.
The format of the updated session entry is as shown in FIG. 5e, and its content in the present embodiment is as shown in FIG. 5f. The recording units added to the existing session entry in FIG. 5e can be used as the second white list.
Step 417: GW receives the second network access request sent by UEA to Server1. The content of the second network access request is as shown in step 230 of FIG. 2.
Step 418: GW looks up the session entry corresponding to the second network access request in the session table. If the session entry corresponding to the second network access request is found and the found session entry contains a main link flag, step 420 is performed; if the session entry corresponding to the second network access request is found and the found session entry contains no main link flag, step 430 is performed (step 430 and the subsequent steps are shown in FIG. 4b). If no session entry corresponding to the second network access request is found, the second network access request is discarded; in this case the second network access request is probably a forged message.
Specifically, GW compares the source IP address, source port, destination IP address, destination port and protocol type of the second network access request with the five-tuple of each session entry in the session table; if a session entry exists whose five-tuple is identical to the source IP address, source port, destination IP address, destination port and protocol type of the second network access request, the session entry corresponding to the second network access request is confirmed to have been found.
If the session entry corresponding to the second network access request is found and contains a main link flag, the second network access request was sent by UEA reusing the session established earlier when sending the first network access request. If the session entry corresponding to the second network access request is found and contains no main link flag, UEA did not use the session used earlier when sending the first network access request to send the second network access request, but sent it over a newly established session.
The present embodiment assumes that the five-tuple of the second network access request is identical to the five-tuple of the first network access request, namely that the second network access request was sent by UEA reusing the session established earlier when sending the first network access request. Meanwhile, the case in which UEA sends the second network access request over a newly established session is also described.
Step 420: GW obtains the third URL from the second network access request and performs step 421. In the present embodiment, the third URL obtained by GW is http://res.vmall.com/pimages/tag/1/138254288099.png.
Step 421: GW judges whether the third URL is recorded in the first white list set in advance; if so, the second network access request is forwarded to the Internet; otherwise step 422 is performed. In the present embodiment the third URL is not recorded in the first white list.
Step 422: GW judges whether the third URL is recorded in the second white list; if so, the second network access request is forwarded to the Internet; otherwise the second network access request is blocked. In the present embodiment the third URL http://res.vmall.com/pimages/tag/1/138254288099.png is recorded in the second white list shown in FIG. 5f, so GW forwards the second network access request to the Internet.
Step 430: the GW obtains the third URL from the second network access request and proceeds to step 431. In the present embodiment the third URL obtained by the GW is http://res.vmall.com/pimages/tag/1/138254288099.png.
Step 431: the GW judges whether the third URL is recorded in the pre-set first white list. If so, it forwards the second network access request to the Internet; otherwise it proceeds to step 432.
Step 432: the GW judges whether the third URL is recorded in an established second white list. If so, it proceeds to step 433; otherwise it blocks the second network access request.
Step 433: the GW compares the source IP address carried in the second network access request with the source address in the second white list of the other session entries in the session table (i.e. the session entries other than the one found in step 418), compares the user-agent identifier carried in the second network access request with the user-agent identifier in that second white list, and checks whether the difference between the time at which the second network access request was received and the timestamp in that second white list lies within a pre-set range.
In a concrete design, step 433 can be implemented as three independent checks performed in series, steps 4331, 4332 and 4333 as shown in Fig. 4b.
Step 4331: judge whether the source address of the second network access request is identical to the source address in the second white list; if so, go to step 4332, otherwise block the second network access request.
Step 4332: judge whether the user-agent identifier carried in the second network access request is identical to the user-agent identifier in the second white list; if so, go to step 4333, otherwise block the second network access request.
Step 4333: judge whether the difference between the time at which the second network access request was received and the timestamp in the second white list lies within the pre-set range; if so, forward the second network access request to the Internet, otherwise block it.
Those skilled in the art will understand that step 411 and step 412, which follow step 410, can be executed in parallel, and that the order of steps 4331, 4332 and 4333 can likewise be adjusted as appropriate.
If the source address of the second network access request is identical to the source address in the second white list, the user-agent identifier carried in the second network access request is identical to the user-agent identifier in the second white list, and the difference between the time at which the second network access request was received and the timestamp in the second white list lies within the pre-set range, the second network access request is forwarded to the Internet; otherwise it is blocked. The pre-set range can be obtained by parsing sequences of messages belonging to normal network behaviour, extracting the time intervals between the messages and analysing those intervals statistically; for example the pre-set value may lie between 10 milliseconds and 100 milliseconds, such as 50 milliseconds or 80 milliseconds. The exact setting depends on the real network environment and may be configured by the enterprise network administrator from field tests or experience.
When UEA does not reuse the session over which the first network access request was sent but sends the second network access request over a newly established session, the GW, on receiving the second network access request, cannot tell whether it is a first network access request that some user terminal in the LAN is sending over a new session, or whether a user terminal that has already sent a network access request is using a new session to fetch a resource embedded in the web page it requested earlier. The GW therefore uses the second white lists of previously established session entries to help decide whether the second network access request is the latter. If the third URL carried in the second network access request is present in the second white list of another session's entry and the source address of the second network access request is identical to the source address in that second white list, the second network access request was sent by the same user terminal as the first network access request from which that second white list was built. If, further, the difference between the time at which the second network access request was received and the timestamp in the second white list lies within the range, the two requests were sent by the same user terminal close together in time; and if, further, the user-agent identifier of the second network access request is identical to the user-agent identifier in the second white list, it is highly likely that the second network access request is a request for a resource embedded in the web page identified by the first URL.
Even when the server providing the web page identified by the first URL carried in the first access request and the server providing the resource identified by another URL embedded in that web page are not the same server, the flow shown in Fig. 4a and Fig. 4b can still perform access control. For example, assume the network environment is unchanged and the network access requests sent by UEA are adjusted as follows: the content of the first network access request is GET http://www.vmall.com/ HTTP/1.1\r\n, and the web page identified by the URL http://www.vmall.com/ is provided by Server1 in Fig. 1; the second URL carried in the response to the first network access request is http://res.tmall.com/pimages/tag/1/138254288099.png, and the picture identified by the second URL is provided by Server2 in Fig. 1.
In step 414 the GW creates the second white list from the response to the first network access request; it includes the second URL http://res.tmall.com/pimages/tag/1/138254288099.png.
Because the third URL carried in the second network access request is not in the first white list, no main-link flag is added to the session entry of the session carrying the second network access request and no second white list is created for that session entry, as would otherwise happen in steps 413 and 414.
In step 418, since the session entry corresponding to the second network access request carries no main-link flag, the GW finds a session entry corresponding to the second network access request in which the main-link flag is absent, and therefore proceeds to step 430.
In step 430 the GW obtains the third URL http://res.tmall.com/pimages/tag/1/138254288099.png from the second network access request; in step 431 it finds that this URL is not in the first white list, and therefore proceeds to step 432.
In step 432, because the third URL http://res.tmall.com/pimages/tag/1/138254288099.png is recorded in the second white list corresponding to the session entry of the session carrying the first network access request, the GW proceeds to step 433.
In step 433, because the source address of the second network access request is identical to the source address in the second white list, the user-agent identifier carried in the second network access request is identical to the user-agent identifier in the second white list, and the difference between the time at which the GW received the second network access request and the timestamp in the second white list lies within the pre-set range, the GW forwards the second network access request to the Internet.
Optionally, so that the second white list corresponding to a session entry reflects the current network access behaviour of the user carried by that session, and to save storage, an ageing time may additionally be set for the second white list on the basis of the above embodiment; the ageing time indicates how long the second white list is kept. For example, the ageing time of the second white list may be set to 1 minute; when the ageing time expires, the white list corresponding to the session entry is deleted. Alternatively, no separate ageing time is set for the second white list and the ageing time of the session entry itself, as in the prior art, is relied on instead: when a session entry in the session table ages out, its second white list is deleted along with it.
Those skilled in the art will appreciate that the order of some steps in Fig. 4a or Fig. 4b can reasonably be exchanged; for example, the order of steps 421 and 422 can be exchanged. As long as the third URL is recorded in either the first white list or the second white list, the second network access request is sent; only when the third URL is recorded in neither the first white list nor the second white list is the second network access request blocked.
In the embodiments of the present invention, the network access equipment establishes a second white list within the session table it maintains. The second white list is built as follows: the network access equipment receives a first network access request carrying a first URL; when the first URL is recorded in the pre-set first white list, the second URL embedded in the web page identified by the first URL is added to the second white list. Thereafter, when the network access equipment receives a network access request, it decides according to the second white list whether to forward that request to the Internet or to block it. Because the content of the referer field is never consulted when deciding whether to send or block the second network access request, the detection result is unaffected regardless of whether the user or the browser vendor suppresses the referer field, which yields an access control method of high generality.
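How the second URLs are harvested from the response, as an added Python example that is not part of the patent: it walks the HTML body and resolves every sub-resource reference a browser fetches automatically to an absolute URL. The tag and attribute tables, the helper names and the sample page are assumptions made here; anchors are left out on purpose, since following a link is a user-initiated navigation that must pass the first white list on its own.

```python
# Added example (not the patent's code): collecting the URLs a browser will fetch
# automatically from an HTML response, i.e. the second URLs the second white list is
# built from. The sample page and all names are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin

# attributes that make the browser fetch a sub-resource while rendering (assumed table)
EMBED_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "source": ("src", "srcset"), "video": ("src", "poster"),
    "audio": ("src",), "embed": ("src",), "object": ("data",),
}
# <link> relations that are actually fetched; rel=canonical and the like are not
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload"}


class EmbeddedUrlCollector(HTMLParser):
    """Resolve every embedded reference to an absolute http(s) URL.
    <a href> is deliberately excluded: a click is a new first request."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.urls = set()

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v is not None}
        if tag == "base" and "href" in attrs:          # <base> changes relative resolution
            self.base = urljoin(self.base, attrs["href"])
            return
        if tag == "link" and not (set(attrs.get("rel", "").lower().split()) & FETCHED_LINK_RELS):
            return
        for name in EMBED_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":                        # "url 1x, url 2x" candidate list
                refs = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                refs = [value.strip()]
            for ref in refs:
                absolute, _ = urldefrag(urljoin(self.base, ref))  # fragment never goes on the wire
                if absolute.startswith(("http://", "https://")):
                    self.urls.add(absolute)


def embedded_urls(page_url, body):
    """Return the set of absolute URLs embedded in `body`, which was served at `page_url`."""
    collector = EmbeddedUrlCollector(page_url)
    collector.feed(body)
    collector.close()
    return collector.urls


# constructed response body for http://www.vmall.com/
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://www.vmall.com/">
<script src="//res.vmall.com/js/app.js"></script>
</head><body>
<img src="http://res.vmall.com/pimages/tag/1/138254288099.png#top">
<img srcset="/p/small.png 1x, /p/large.png 2x">
<a href="http://www.game.com/">not a sub-resource</a>
</body></html>"""
```

Calling `embedded_urls("http://www.vmall.com/", SAMPLE_PAGE)` yields the stylesheet, the script on res.vmall.com, the png (without its fragment) and both srcset candidates, while the canonical link and the anchor to www.game.com are not admitted. Scheme-relative (`//host/...`) and `<base>`-relative references resolve correctly; `data:` URLs are dropped because they never leave the client.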
The above description covers the normal case in which the user terminal sends the first and second network access requests as the existing protocols prescribe. The access control scheme provided by this embodiment also prevents a user terminal from evading detection by tampering with the content of the referer field. This technical effect is illustrated with an example below:
Assume the network access equipment receives a network access request whose referer field has been tampered with: the content of the request is GET http://www.game.com/ HTTP/1.1\r\n and its referer field has been altered to http://www.vmall.com/, where http://www.vmall.com/ is recorded in the first white list and http://www.game.com/ is not.
First, as regards the tampering of the referer field: since a second white list is built from the URLs embedded in the response to an earlier white-listed request, no earlier network access request from the same user terminal causes the GW to record the URL http://www.game.com/ carried in this request in a second white list; and because http://www.game.com/ is not in the first white list, the tampered network access request is blocked.
Second, even if, before the GW receives the tampered network access request, the URL http://www.game.com/ had been added to the second white list of some session entry on account of a network access request sent by another network user, the tampered request is still blocked, because the probability that it satisfies all three of the following conditions at once is very small:
1. The source address of the tampered network access request is identical to the source address of the network access request sent by the other network user.
2. The user-agent identifier of the tampered network access request is identical to the user-agent identifier of the network access request sent by the other network user.
3. The difference between the time at which the GW received the tampered network access request and the time at which the GW received the network access request sent by the other network user lies within the pre-set range.
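The decision procedure of steps 418 to 433 and the tampered-referer scenario just described, as an added Python example that is not part of the patent: a toy gateway keeps a five-tuple session table, sets the main-link flag when a first-white-list URL passes, seeds a second white list from the response, and applies the source-address, user-agent and time-window checks when a resource is fetched over a new session. All names, the 80 ms window, the 60 s ageing time and the replayed traffic are assumptions constructed for illustration.

```python
# Added example (not the patent's code): a toy gateway implementing the session lookup,
# main-link flag and two-level white-list checks of steps 418 to 433. All names, the
# 80 ms window, the 60 s ageing time and the sample traffic are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    url: str
    user_agent: str
    referer: str = ""  # carried by the client, deliberately never consulted

    @property
    def five_tuple(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

@dataclass
class SecondWhitelist:
    urls: set          # URLs embedded in the response to a first request
    src_ip: str        # source address of that first request
    user_agent: str    # user-agent identifier of that first request
    timestamp: float   # time (seconds) at which the response was seen

@dataclass
class SessionEntry:
    main_link: bool = False  # set once the session carried a first-white-list URL
    second: Optional[SecondWhitelist] = None

class Gateway:
    def __init__(self, first_whitelist, window=0.08, ageing=60.0):
        self.first = set(first_whitelist)  # pre-set first white list
        self.window = window               # step 4333 tolerance, here 80 ms
        self.ageing = ageing               # lifetime of a second white list
        self.sessions = {}                 # five-tuple -> SessionEntry

    def open_session(self, req):
        """Called when the TCP three-way handshake completes, before any HTTP data."""
        self.sessions[req.five_tuple] = SessionEntry()

    def on_request(self, req, now):
        """Return 'FORWARD', 'BLOCK' or 'DROP' for one request received at time `now`."""
        self._age_out(now)
        entry = self.sessions.get(req.five_tuple)  # step 418: five-tuple lookup
        if entry is None:
            return "DROP"                          # no session at all: probably forged
        if req.url in self.first:                  # steps 421 / 431
            entry.main_link = True                 # its response will seed a second white list
            return "FORWARD"
        if entry.main_link:                        # reused session: step 422
            wl = entry.second
            return "FORWARD" if wl and req.url in wl.urls else "BLOCK"
        # new session without main-link flag: steps 432/433 against the other sessions' lists
        for key, other in self.sessions.items():
            wl = other.second
            if key == req.five_tuple or wl is None or req.url not in wl.urls:
                continue
            if (wl.src_ip == req.src_ip                           # step 4331
                    and wl.user_agent == req.user_agent           # step 4332
                    and abs(now - wl.timestamp) <= self.window):  # step 4333
                return "FORWARD"
        return "BLOCK"

    def on_response(self, req, embedded_urls, now):
        """Counterpart of step 414: record the URLs embedded in the response to a forwarded
        first request, together with who asked and when."""
        entry = self.sessions.get(req.five_tuple)
        if entry is not None and entry.main_link:
            entry.second = SecondWhitelist(set(embedded_urls), req.src_ip, req.user_agent, now)

    def _age_out(self, now):
        """Ageing time: forget second white lists older than `ageing` seconds."""
        for entry in self.sessions.values():
            if entry.second and now - entry.second.timestamp > self.ageing:
                entry.second = None

PNG = "http://res.vmall.com/pimages/tag/1/138254288099.png"
UA = "Mozilla/5.0 (constructed)"

def demo():
    """Replay the embodiment's page load and the tampered-Referer attempt; return the verdicts."""
    gw = Gateway(first_whitelist={"http://www.vmall.com/"})
    first = Request("10.0.0.5", 40001, "203.0.113.10", 80, "tcp", "http://www.vmall.com/", UA)
    gw.open_session(first)
    r1 = gw.on_request(first, now=100.00)     # main link, forwarded
    gw.on_response(first, {PNG}, now=100.02)   # second white list built from the response
    same = Request("10.0.0.5", 40001, "203.0.113.10", 80, "tcp", PNG, UA)
    r2 = gw.on_request(same, now=100.05)      # reused session: step 422
    fresh = Request("10.0.0.5", 40002, "203.0.113.20", 80, "tcp", PNG, UA)
    gw.open_session(fresh)
    r3 = gw.on_request(fresh, now=100.06)     # new session: steps 4331-4333 all pass
    forged = Request("10.0.0.5", 40003, "198.51.100.7", 80, "tcp", "http://www.game.com/", UA,
                     referer="http://www.vmall.com/")
    gw.open_session(forged)
    r4 = gw.on_request(forged, now=100.07)    # Referer is never read: blocked
    stranger = Request("10.0.0.9", 40004, "203.0.113.20", 80, "tcp", PNG, UA)
    r5 = gw.on_request(stranger, now=100.08)  # no session entry: dropped
    return [r1, r2, r3, r4, r5]
```

`demo()` returns `["FORWARD", "FORWARD", "FORWARD", "BLOCK", "DROP"]`: the page load and both ways of fetching the embedded image pass, the request with the forged referer is blocked because the referer is simply never read, and a request with no session entry is dropped. The same gateway blocks a second terminal (different source address), a different user agent, or a request for the embedded resource arriving outside the window, and once the ageing time has elapsed even the original session can no longer use the second white list.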
The embodiments in this specification are described progressively; each embodiment emphasises its differences from the others, and identical or similar parts may be referred to across embodiments. In particular, the system embodiments are described relatively briefly because they are essentially similar to the method embodiments; refer to the description of the method embodiments for the relevant parts.
Those of ordinary skill in the art will recognise that the aspects of the invention, or possible implementations of those aspects, may be embodied as a system, a method or a computer program product. Accordingly, they may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, etc.) or an embodiment combining software and hardware aspects, collectively referred to herein as a "circuit", "module" or "system". They may also take the form of a computer program product, that is, computer-readable program code stored on a computer-readable medium.
It should also be noted that in some alternative embodiments the functions indicated in the blocks of the flowcharts or block diagrams may occur out of the order shown in the figures. For example, depending on the functionality involved, two steps or blocks shown in succession may in fact be executed substantially concurrently, or sometimes in the reverse order.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. If these changes and modifications fall within the scope of the claims of the present invention and their technical equivalents, the present invention is intended to cover them as well.

Claims (12)

1. An access control method, characterised by comprising:
receiving a first network access request from an enterprise network, the first network access request carrying a first URL;
judging whether the first URL is recorded in a pre-set first white list;
based on a judgment result that the first URL is recorded in the first white list, forwarding the first network access request to a server in the Internet;
receiving a response to the first network access request from the server;
establishing a second white list, the second white list storing at least one second URL carried in the response;
receiving a second network access request from the enterprise network, the second network access request carrying a third URL;
judging whether the third URL is recorded in the second white list;
based on a judgment result that the third URL is recorded in the second white list, sending the second network access request to the Internet.
2. The method according to claim 1, characterised in that, before establishing the second white list, the method further comprises:
determining that the first network access request belongs to a newly established session, a newly established session being a session for which the three-way handshake has completed but no service data has yet been exchanged; and establishing the second white list based on that determination.
3. The method according to claim 2, characterised in that, before judging whether the third URL is recorded in the second white list, the method further comprises:
determining that the second network access request belongs to the session of the first network access request;
based on that determination, performing the step of judging whether the third URL is recorded in the second white list.
4. The method according to claim 1 or 2, characterised in that, before judging whether the third URL is recorded in the second white list, the method further comprises:
based on a determination that the second network access request does not belong to the session of the first network access request, judging whether the third URL is recorded in the first white list;
based on a judgment result that the third URL is not recorded in the first white list, performing the step of judging whether the third URL is recorded in the second white list.
5. The method according to claim 4, characterised in that the second white list further includes a timestamp and the user-agent identifier and source address carried in the first network access request, the timestamp being the time at which the first network access request was received or the time at which the response to the first network access request was received;
the step of sending the second network access request to the Internet based on the judgment result that the third URL is recorded in the second white list comprises:
based on the judgment result that the third URL is recorded in the second white list, determining whether the source address of the second network access request is identical to the source address in the second white list, whether the user-agent identifier carried in the second network access request is identical to the user-agent identifier in the second white list, and whether the difference between the time at which the second network access request was received and the timestamp in the second white list lies within a pre-set range;
based on a determination that the source address of the second network access request is identical to the source address in the second white list, that the user-agent identifier carried in the second network access request is identical to the user-agent identifier in the second white list, and that the difference between the time at which the second network access request was received and the timestamp in the second white list lies within the pre-set range, performing the step of sending the second network access request to the Internet.
6. The method according to any one of claims 1 to 5, characterised in that, after establishing the second white list, the method further comprises:
setting an ageing time corresponding to the second white list, the ageing time indicating how long the second white list is kept.
7. Network access equipment, characterised by comprising a memory, a processor and a network interface, the memory, the processor and the network interface being connected by a bus, wherein
the network interface is configured to receive a first network access request from an enterprise network, the first network access request carrying a first URL;
the processor is configured to read program code stored in the memory and perform the following operations:
judging whether the first URL is recorded in a pre-set first white list;
based on a judgment result that the first URL is recorded in the first white list, instructing the network interface to forward the first network access request to the server;
the network interface is further configured to receive a response to the first network access request from the server;
the processor is further configured to establish a second white list storing at least one second URL carried in the response;
the network interface is further configured to receive a second network access request from the enterprise network, the second network access request carrying a third URL;
the processor is further configured to:
judge whether the third URL is recorded in the second white list;
based on a judgment result that the third URL is recorded in the second white list, instruct the network interface to send the second network access request to the Internet.
8. An access control apparatus, characterised by comprising:
a receiving module, configured to receive a first network access request from an enterprise network, the first network access request carrying a first URL;
a judging module, configured to judge whether the first URL is recorded in a first white list pre-set by a first white list maintenance module;
a sending module, configured to forward the first network access request to a server in the Internet based on the judgment result obtained by the judging module that the first URL is recorded in the first white list;
the receiving module being further configured to receive a response to the first network access request from the server;
a second white list establishing module, configured to establish a second white list storing at least one second URL carried in the response received by the receiving module;
the receiving module being further configured to receive a second network access request from the enterprise network, the second network access request carrying a third URL;
the judging module being further configured to judge whether the third URL is recorded in the second white list;
the sending module being further configured to send the second network access request to the Internet based on the judgment result obtained by the judging module that the third URL is recorded in the second white list.
9. The apparatus according to claim 8, characterised in that
the judging module is further configured, before the second white list is established, to determine that the first network access request belongs to a newly established session, a newly established session being a session for which the three-way handshake has completed but no service data has yet been exchanged; and the second white list establishing module establishes the second white list based on that determination.
10. The apparatus according to claim 8 or 9, characterised in that the judging module is configured, before judging whether the third URL is recorded in the second white list, to judge whether the third URL is recorded in the first white list based on a determination that the second network access request does not belong to the session of the first network access request, and to perform the step of judging whether the third URL is recorded in the second white list based on a judgment result that the third URL is not recorded in the first white list.
11. The apparatus according to claim 10, characterised in that the second white list further includes a timestamp and the user-agent identifier and source address carried in the first network access request, the timestamp being the time at which the first network access request was received or the time at which the response to the first network access request was received;
the judging module is specifically configured, based on the judgment result that the third URL is recorded in the second white list, to determine whether the source address of the second network access request is identical to the source address in the second white list, whether the user-agent identifier carried in the second network access request is identical to the user-agent identifier in the second white list, and whether the difference between the time at which the second network access request was received and the timestamp in the second white list lies within a pre-set range;
the sending module is specifically configured to send the second network access request to the Internet based on the determination obtained by the judging module that the source address of the second network access request is identical to the source address in the second white list, that the user-agent identifier carried in the second network access request is identical to the user-agent identifier in the second white list, and that the difference between the time at which the second network access request was received and the timestamp in the second white list lies within the pre-set range.
12. The apparatus according to any one of claims 8 to 11, characterised in that the second white list establishing module is further configured, after establishing the second white list, to set an ageing time corresponding to the second white list, the ageing time indicating how long the second white list is kept.
Application CN201410620661.4A, priority date and filing date 2014-11-06: Access control method and device and network access equipment. Status: Active; granted as CN105635073B.

Publications (2)

Publication Number Publication Date
CN105635073A (application publication) 2016-06-01
CN105635073B (granted patent) 2020-06-26

Family ID: 56049575
