CN105656905A - Network egress side security authentication system - Google Patents

Info

Publication number
CN105656905A
Authority
CN
China
Prior art keywords
network
network egress
security
firewall
egress side
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610040570.2A
Other languages
Chinese (zh)
Inventor
巫立斌
马秋平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Publication of CN105656905A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to the field of network security technologies, and specifically, to a network egress side security authentication system. An internal local area network is connected with a firewall and an access switch through a core switch. The firewall is used as a security gateway between the internal local area network and a network egress router. The access switch is connected with a network server and an anti-intrusion gateway so as to prevent the internal local area network from attacking the network server. According to the network egress side security authentication system, security authentication is mainly carried out in the network egress side and the server side, possible security risks of the network egress are eliminated, and network security and smoothness are ensured.

Description

Network egress side security authentication system
Technical field
The present invention relates to the field of network security technology, and specifically to a network egress side security authentication system.
Background
Conventionally, an internal LAN that carries business activities has to exchange data with the outside world through an egress bearer network. Faced with a complex external network environment, it is hard to avoid network security threats from many directions, for example hacker attacks, DDoS attacks, and viruses such as worms spreading through the internal LAN. These can paralyze the internal LAN and disrupt normal work, and in severe cases cause huge economic losses. At the same time, the internal LAN has a large number of access terminals, including acquisition terminals, office terminals and weak-current terminal control networks, so the internal LAN itself is also a source of many attacks, for example those addressed by DHCP snooping, ARP attack protection, MAC attack protection and IP source attack protection, as well as malicious theft of information. These greatly threaten the security of the network server. Once the network server is hijacked, critical confidential data will be leaked, bringing huge losses to enterprise security and to the enterprise's finances.
Summary of the invention
To solve the above technical problem, the present invention provides a network egress side security authentication system that performs security authentication mainly at the network egress side and the server side, resolves the security risks that may exist at the network egress, and keeps the network secure and unobstructed.
To achieve the above object, the technical solution adopted by the present invention is a network egress side security authentication system in which the internal LAN is connected through a core switch to a firewall and an access switch. The firewall serves as the security gateway between the internal LAN and the network egress router. The access switch connects the network server and an anti-intrusion gateway, in order to prevent attacks from the internal LAN on the network server.
Further, the core switch is deployed with dual backup.
Further, the firewall is a UTM integrated security firewall. By configuring security zones and security access policies it strictly controls access permissions, and at the same time it enables DDoS attack protection, Internet behavior management, anti-virus and ASPF deep inspection, with recording and auditing of security events, providing comprehensive protection of the network egress.
By adopting the above technical solution, the present invention has the following advantages over the prior art: by deploying an integrated gateway between the core switch of the LAN and the network egress side, it effectively improves the protection of the network egress side; at the same time, inside the network, an anti-intrusion gateway is deployed between the access switch of the LAN and the server, to keep the internal LAN from being attacked.
Brief description of the drawings
Fig. 1 is a structural diagram of an embodiment of the present invention.
Detailed description of the invention
The present invention is now further described with reference to the accompanying drawing and a specific embodiment.
As a specific embodiment, as shown in Fig. 1, in the network egress side security authentication system of the present invention the internal LAN 1 is connected through the core switch 2 to a firewall 3 and an access switch 4. The firewall 3 serves as the security gateway between the internal LAN 1 and the network egress router 5, and the network egress router 5 is connected to the external network 8. As the security gateway, the firewall 3 is used to prevent intrusions from the external network 8. The access switch 4 connects the network server 6 and the anti-intrusion gateway 7, in order to prevent attacks from the internal LAN on the network server.
In the present embodiment, the core switch 2 is deployed with dual backup: two core switches 2 back each other up and each connects to the internal LAN. The access switch 4 is connected to one of the core switches 2, and the firewall 3 is connected to both core switches 2. The core switch can be an H3C S10500 series switch, which can serve as the core of a cloud computing data center, the core of a next-generation campus network, and the aggregation layer of a metropolitan area network. It uses an advanced CLOS multi-stage, multi-plane switching architecture that provides lasting bandwidth upgrade capability. It supports the data center large layer 2 technology TRILL, vertical virtualization and MDC (one-to-many virtualization), supports EVB and FCoE, and is fully compatible with the 40GE and 100GE Ethernet standards. It integrates network services such as MPLS VPN, IPv6, application security, application optimization, wireless and BRAS, and provides multiple high-reliability technologies such as non-stop forwarding, non-stop upgrade, graceful restart and ring network protection. While improving user productivity, it maximizes network uptime and so reduces the customer's total cost of ownership (TCO).
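The topology of this embodiment can be checked mechanically for enforcement choke points and single points of failure. The Python below is an added example, not part of the patent: the node names are invented here, and it assumes the anti-intrusion gateway 7 sits inline between the access switch 4 and the server 6, as the advantages paragraph describes.

```python
from collections import deque

# Links taken from the embodiment (Fig. 1 reference numerals in comments).
# Assumption: the anti-intrusion gateway is inline between the access
# switch and the server; node names are illustrative, not from the patent.
LINKS = [
    ("lan", "core_a"), ("lan", "core_b"),            # 1 - 2 (two core switches)
    ("core_a", "firewall"), ("core_b", "firewall"),  # 2 - 3 (firewall dual-homed)
    ("firewall", "egress_router"),                   # 3 - 5
    ("egress_router", "external"),                   # 5 - 8
    ("core_a", "access_switch"),                     # 2 - 4 (one core switch only)
    ("access_switch", "ips_gateway"),                # 4 - 7
    ("ips_gateway", "server"),                       # 7 - 6
]


def reachable(src, dst, removed=frozenset()):
    """Breadth-first search over LINKS, ignoring nodes in `removed`."""
    if src in removed or dst in removed:
        return False
    adj = {}
    for a, b in LINKS:
        if a in removed or b in removed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def cut_nodes(src, dst):
    """Intermediate nodes whose removal disconnects src from dst.

    A security device in this list is an unavoidable inspection point;
    any node in it is also a single point of failure for that path.
    """
    nodes = {n for link in LINKS for n in link} - {src, dst}
    return sorted(n for n in nodes if not reachable(src, dst, {n}))


if __name__ == "__main__":
    print("external -> lan:", cut_nodes("external", "lan"))
    print("lan -> server  :", cut_nodes("lan", "server"))
```

Under these assumptions the firewall and the anti-intrusion gateway are both unavoidable on their respective paths, and neither core switch is a single point of failure for egress traffic. The server path, however, still depends on the one core switch the access switch is attached to.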
In the present embodiment, the firewall 3 is a UTM integrated security firewall. By configuring security zones and security access policies it strictly controls access permissions, and at the same time it enables DDoS attack protection, Internet behavior management, anti-virus and ASPF deep inspection, with recording and auditing of security events, providing comprehensive protection of the network egress. Next-generation firewalls will continue to improve their ability to identify applications, users, terminals and content, and to identify encrypted traffic and tunnel-encapsulated data. As application identification technology improves in breadth and granularity, enterprises will gradually move from the current blacklist access control to a whitelist model with a higher security level.
The anti-intrusion gateway 7 has rich DDoS defense measures. This UTM firewall can defend against DoS attacks according to the characteristics of data packets and the different methods of DoS attack. It can also actively identify many common types of attack and actively cut off these malicious attacks, protecting the internal LAN from attacks that originate in the internal LAN.
As the security gateway, the firewall 3 holds the security lifeline of the network egress. It inspects files uploaded and downloaded over the HTTP, SMTP and POP3 protocols, directly removes PI type viruses, Trojans and spyware, and pushes a warning page, providing strong anti-virus capability.
Although the present invention has been specifically shown and described in conjunction with a preferred embodiment, those skilled in the art should understand that various changes in form and detail may be made to the present invention without departing from its spirit and scope as defined by the appended claims, and that such changes fall within the protection scope of the present invention.

Claims (3)

1. A network egress side security authentication system, characterized in that: the internal LAN is connected through a core switch to a firewall and an access switch; the firewall serves as the security gateway between the internal LAN and the network egress router; and the access switch connects the network server and an anti-intrusion gateway, in order to prevent attacks from the internal LAN on the network server.
2. The network egress side security authentication system according to claim 1, characterized in that: the core switch is deployed with dual backup.
3. The network egress side security authentication system according to claim 1, characterized in that: the firewall is a UTM integrated security firewall which, by configuring security zones and security access policies, strictly controls access permissions, and at the same time enables DDoS attack protection, Internet behavior management, anti-virus and ASPF deep inspection, with recording and auditing of security events, providing comprehensive protection of the network egress.
CN201610040570.2A 2015-06-25 2016-01-21 Network egress side security authentication system Pending CN105656905A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510356841.0A CN104901973A (en) 2015-06-25 2015-06-25 Network exit side security authentication system
CN2015103568410 2015-06-25

Publications (1)

Publication Number Publication Date
CN105656905A (en) 2016-06-08

Family

ID=54034370

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201510356841.0A Pending CN104901973A (en) 2015-06-25 2015-06-25 Network exit side security authentication system
CN201610040570.2A Pending CN105656905A (en) 2015-06-25 2016-01-21 Network egress side security authentication system

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201510356841.0A Pending CN104901973A (en) 2015-06-25 2015-06-25 Network exit side security authentication system

Country Status (1)

Country Link
CN (2) CN104901973A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113364734A (en) * 2021-04-29 2021-09-07 通富微电子股份有限公司 Internal network protection method and system

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107659584A (en) * 2017-10-31 2018-02-02 四川仕虹腾飞信息技术有限公司 A kind of food processing factory's network security management system

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN204669400U (en) * 2015-06-25 2015-09-23 马秋平 Network egress side safety certification device

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN204669400U (en) * 2015-06-25 2015-09-23 马秋平 Network egress side safety certification device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
黄述杰: "武威职业学院无线校园网方案设计与实现", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113364734A (en) * 2021-04-29 2021-09-07 通富微电子股份有限公司 Internal network protection method and system
CN113364734B (en) * 2021-04-29 2022-07-26 通富微电子股份有限公司 Internal network protection method and system

Also Published As

Publication number Publication date
CN104901973A (en) 2015-09-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160608
