Summary of the invention
In view of this, the main purpose of the embodiments of the present invention is to provide a network access system and method based on transparent computing, so as to ensure that the content of a particular network is secure and trustworthy.
To achieve the above object, an embodiment of the present invention provides a network access system based on transparent computing. The system includes a network access device and at least one client. The network access device includes at least one first sub-device responsible for connecting the client to a first network and at least one second sub-device responsible for connecting the client to a second network, where the first network is a network holding secure data and the second network is a network holding secure and/or unsafe data.
The network access device is configured such that, when the client requests access to the first network, it uses the transparent computing mode to let the first sub-device responsible for the currently accessed service connect the client to the first network, so that the first network provides the network access service to the client; and when the client requests access to the second network, it uses the transparent computing mode to let the second sub-device responsible for the currently accessed service connect the client to the second network, so that the second network provides the network access service to the client.
Optionally, the network access device further includes:
A network access service module, configured to establish the client's network connection through the network connection service it provides, before the client requests access to the first network or to the second network.
Optionally, the network access device further includes:
A network access service module, configured to manage the first sub-device and the second sub-device in the transparent computing mode.
Optionally, the network access device further includes:
A network access service module, which physically isolates the first sub-device from the second sub-device; or which physically isolates the first sub-device from the second sub-device and additionally physically isolates each pair of first sub-devices from one another.
Optionally, the system further includes:
A central management center, configured to maintain and manage the firmware and operating system of the network access device in the transparent computing mode.
Optionally, the central management center is specifically configured to maintain and manage the firmware and operating system of the network access device in the transparent computing mode after two-way mutual authentication between the central management center and the network access device has passed and/or after third-party authentication between the central management center and the network access device has passed.
Optionally, the central management center is further configured to monitor whether the communication link between it and the network access device has been disconnected.
Optionally, the network access device is configured to perform automatic maintenance of its firmware and/or system software, or to perform self-destruction of its firmware and/or system software, when it detects that it is in an abnormal state of a preset level.
An embodiment of the present invention further provides a network access method based on transparent computing. The method is applied to a network access system that includes a network access device and at least one client. The network access device includes at least one first sub-device responsible for connecting the client to a first network and at least one second sub-device responsible for connecting the client to a second network, where the first network is a network holding secure data and the second network is a network holding secure and/or unsafe data. The method includes:
When the client requests access to the first network, the network access device, in the transparent computing mode, lets the first sub-device responsible for the currently accessed service connect the client to the first network, so that the first network provides the network access service to the client;
When the client requests access to the second network, the network access device, in the transparent computing mode, lets the second sub-device responsible for the currently accessed service connect the client to the second network, so that the second network provides the network access service to the client.
Optionally, the network access device further includes a network access service module, and the method further includes:
Before the client requests access to the first network or to the second network, the network access service module establishes the client's network connection through the network connection service it provides.
Optionally, the network access device further includes a network access service module, and the method further includes:
The network access service module manages the first sub-device and the second sub-device in the transparent computing mode.
Optionally, the network access device further includes a network access service module;
The network access service module physically isolates the first sub-device from the second sub-device;
Or, the network access service module physically isolates the first sub-device from the second sub-device and additionally physically isolates each pair of first sub-devices from one another.
Optionally, the system further includes a central management center, and the method further includes:
The central management center maintains and manages the firmware and operating system of the network access device in the transparent computing mode.
Optionally, the central management center maintaining the firmware and operating system of the network access device in the transparent computing mode specifically includes:
After two-way mutual authentication between the central management center and the network access device has passed and/or after third-party authentication between the central management center and the network access device has passed, the central management center maintains and manages the firmware and operating system of the network access device in the transparent computing mode.
Optionally, the method further includes:
The central management center monitors whether the communication link between it and the network access device has been disconnected.
Optionally, the method further includes:
When the network access device detects that it is in an abnormal state of a preset level, it performs automatic maintenance of its firmware and/or system software, or performs self-destruction of its firmware and/or system software.
In the network access system and method based on transparent computing provided by the embodiments of the present invention, the network access device of the system includes two kinds of sub-devices, a first sub-device and a second sub-device. The first sub-device is responsible for connecting the client to the secure network (the first network), and the second sub-device is responsible for connecting the client to the insecure network (the second network). The first network and the second network are used to provide the user with two independent and isolated network services, and the user's client can freely access both mutually isolated networks through the corresponding sub-devices. This ensures that the content of the first network is not polluted by the content of the second network, that is, content from the second network cannot flow into the first network, so the content of the first network remains secure and trustworthy.
Detailed description of the invention
To make the purpose, technical solution and advantages of the embodiments of the present invention clearer, the technical solution in the embodiments is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
To ensure that certain web content obtained by the user is trustworthy and secure, the embodiments of the present invention set up a dedicated secure and trustworthy network that is isolated from the conventional TCP/IP Internet. The content on this network is managed by a specialized agency, for example an organization dedicated to publishing news or government affairs information, so the content of this network is trustworthy and secure.
Referring to Fig. 1, which is the first schematic diagram of the composition of the network access system based on transparent computing provided by an embodiment of the present invention, the system includes at least one client 100 and a network access device 200. The network access device 200 includes at least one first sub-device responsible for connecting the client 100 to a first network and at least one second sub-device responsible for connecting the client 100 to a second network, where the first network is a network holding secure data and the second network is a network holding secure and/or unsafe data.
Transparent computing is a computing paradigm in which the user has no perception of where the computer operating system, middleware, application programs and communication network concretely reside; the user only needs to select and use the corresponding services (such as computation, telephony, television, Internet access and entertainment) over the network, according to their own needs, from the various terminal devices they use (including fixed, mobile and home terminal devices of all kinds).
In the embodiments of the present invention, the first network may be a content network dedicated to publishing content such as news, government affairs information and public service information, and the second network may be a TCP/IP address network. In the actual Internet there may be one or more first networks, each holding secure and trustworthy network data managed by a specialized agency; likewise there may be one or more second networks, whose content is more complex and includes secure and/or unsafe web content. Each first network corresponds to one or more first sub-devices, and each second network corresponds to one or more second sub-devices.
In the embodiments of the present invention, the multiple sub-devices integrated in the network access device 200 (that is, the at least one first sub-device and the at least one second sub-device) may take the physical form of independent circuit boards, or may be intelligent computing devices with their own system software or operating system. Each sub-device is individually responsible for access to one kind of network service: the first sub-device is responsible for connecting the client 100 to the first network, that is, it accesses the network address requested by the client so that the first network provides the client 100 with the network service the user requested (by way of network access); the second sub-device is responsible for connecting the client 100 to the second network, that is, it accesses the network address requested by the client so that the second network provides the client 100 with the network service the user requested (by way of network access). In summary, the network access device 200 is configured such that, when the client 100 requests access to the first network, it uses the transparent computing mode to let the first sub-device responsible for the currently accessed service connect the client 100 to the first network, so that the first network provides the network access service to the client 100; and when the client 100 requests access to the second network, it uses the transparent computing mode to let the second sub-device responsible for the currently accessed service connect the client 100 to the second network, so that the second network provides the network access service to the client 100.
Specifically, if the network access device 200 includes only one first sub-device responsible for connecting the client 100 to the first network, then when the client accesses this first network, that first sub-device connects the client 100 to it. If the network access device 200 includes at least two first sub-devices responsible for connecting the client 100 to this first network, then when the client accesses this first network, it is first determined which first sub-device is responsible for connecting the current client 100 to the first network (for example, all access services related to the first network may be classified by access level, such as data download and information browsing, with each first sub-device responsible for access at one or more of these levels), and the determined first sub-device then connects the client 100 to this first network.
Likewise, if the network access device 200 includes only one second sub-device responsible for connecting the client 100 to the second network, then when the client accesses this second network, that second sub-device connects the client 100 to it. If the network access device 200 includes at least two second sub-devices responsible for connecting the client 100 to this second network, then when the client accesses this second network, it is first determined which second sub-device is responsible for connecting the current client 100 to the second network (for example, all access services related to the second network may be classified by access level, such as data download and information browsing, with each second sub-device responsible for access at one or more of these levels), and the determined second sub-device then connects the client 100 to this second network.
Further, referring to Fig. 2, which is the second schematic diagram of the composition of the network access system based on transparent computing, the network access device 200 further includes a network access service module, configured to establish the client 100's network connection through the network connection service it provides, before the client 100 requests access to the first network or to the second network.
Specifically, the network access service module is required for the sub-devices of the network access device 200 to work together. The module is responsible for the user's network access: it provides the user with unified network connection services such as Wifi and LAN (Local Area Network), and these connection services let the client 100 connect directly and simultaneously to the networks corresponding to each sub-device. When using the network, the user does not need to manage these different networks; the various networks behind the network access device 200 are transparent to the user, and the user experience can be identical to that of a current network access device. For example, once the user's client 100 connects to the Wifi service of the network access device 200, the user can freely use every network service corresponding to these sub-devices without even needing to know which network is providing the service.
In the embodiments of the present invention, the network access service module is further configured to manage the first sub-device and the second sub-device in the transparent computing mode. That is, the access service module acts as the master control hardware: it is responsible not only for handling the user's access requests described above but also for managing the first sub-device and the second sub-device in the transparent computing mode (the supervisory control program of transparent computing resides in the network access service module). Because the first and second sub-devices are managed through transparent computing, a user accessing the network through the network access device 200 has no perception of the first sub-device, the second sub-device, the management programs on the sub-devices, or which network concretely holds the accessed network resources; the user only needs to select the corresponding service over the network from the client 100.
In addition, the network access service module can also implement mutual physical isolation between the sub-devices according to the security requirements, so as to meet the need to protect certain networks, such as the first network, from infection. Isolation between sub-devices can be achieved in the design of the service module's circuitry, for instance by physically separating the functional circuits; if isolation were achieved in software instead, security would be reduced, that is, the probability of the first network being exposed to security threats would be greater. Specifically, for example, when there is data communication between the first sub-device and the second sub-device, each second sub-device may be physically separated from each first sub-device in order to ensure the security of the data in the first network; as a further example, when there is also data communication between the first sub-devices and different first sub-devices are responsible for different access classes of the first network, each first sub-device may additionally be physically separated from the other first sub-devices in order to strengthen data security under a certain access level of the first network. Thus, the network access service module is further configured to physically isolate the first sub-device from the second sub-device; or to physically isolate the first sub-device from the second sub-device and additionally physically isolate each pair of first sub-devices from one another.
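The routing rule of the preceding paragraphs (pick the sub-device by target network and access level) and the isolation rule just stated (content from the second network must never reach the first network) can be modelled together. The following is an added example written for this page; it is not code from the patent or from any product, and the class names, the "browse"/"download"/"upload" access levels, the sub-device names and the origin label on each payload are all assumptions made here. Physical isolation in hardware is what the text calls for; the software check below only shows the policy such isolation enforces.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Network(Enum):
    FIRST = "first"    # trusted content network: holds secure data only
    SECOND = "second"  # ordinary TCP/IP network: secure and/or unsafe data


@dataclass(frozen=True)
class SubDevice:
    name: str
    network: Network
    access_levels: frozenset  # access classes this sub-device serves, e.g. "browse"


@dataclass(frozen=True)
class Payload:
    # origin is the network the data was fetched from, or None for data the
    # client produced itself (assumed labelling, not from the patent)
    origin: Optional[Network]
    data: bytes


class IsolationViolation(Exception):
    """Second-network content was about to enter the first network."""


class AccessServiceModule:
    """Hypothetical model of the network access service module: it owns the
    sub-devices, picks the one responsible for each request, and enforces the
    one-way rule that nothing from the second network may flow into the first."""

    def __init__(self, sub_devices: Iterable[SubDevice]):
        self.sub_devices = list(sub_devices)

    def select(self, network: Network, access_level: str) -> SubDevice:
        # Route by target network and access class; the first matching
        # sub-device in configuration order is the one responsible.
        for dev in self.sub_devices:
            if dev.network is network and access_level in dev.access_levels:
                return dev
        raise LookupError(f"no sub-device serves '{access_level}' on {network.value}")

    def fetch(self, network: Network, access_level: str, resource: str) -> Payload:
        dev = self.select(network, access_level)
        # Each sub-device answers over its own channel; the module labels the
        # returned data with the network it came from so the label travels with it.
        return Payload(origin=dev.network, data=f"{dev.name}:{resource}".encode())

    @staticmethod
    def push_allowed(payload: Payload, destination: Network) -> bool:
        # Client-produced data may go anywhere and fetched data may return to
        # its own network; only the first network is closed to second-origin data.
        if destination is Network.FIRST:
            return payload.origin in (None, Network.FIRST)
        return True

    def push(self, payload: Payload, destination: Network) -> SubDevice:
        if not self.push_allowed(payload, destination):
            raise IsolationViolation(
                f"refusing to write {payload.origin.value}-origin data into {destination.value}")
        return self.select(destination, "upload")


def build_module() -> AccessServiceModule:
    # Constructed sample layout: two first sub-devices split by access level,
    # one second sub-device serving everything on the ordinary network.
    return AccessServiceModule([
        SubDevice("first-1", Network.FIRST, frozenset({"browse", "upload"})),
        SubDevice("first-2", Network.FIRST, frozenset({"download"})),
        SubDevice("second-1", Network.SECOND, frozenset({"browse", "download", "upload"})),
    ])


if __name__ == "__main__":
    mod = build_module()
    page = mod.fetch(Network.SECOND, "browse", "news")
    print(mod.select(Network.FIRST, "download").name)   # first-2
    print(mod.push_allowed(page, Network.FIRST))         # False
```

The origin label is the whole point: because every payload carries the network it was fetched from, the decision at `push` does not depend on the client being honest about what it is uploading, which is the property the patent's physical separation between second and first sub-devices is meant to guarantee.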
In addition, the sub-devices of the network access device 200 may have different architectures, for example using different CPUs, and may also have different operating systems installed. For the different architectures adopted by the sub-devices, the network access service module in the network access device 200 is responsible for defining the communication capabilities and conditions that each sub-device must satisfy for its architecture. For example, data uploaded by the user to a network, or data delivered by a network to the user, must be parsed by the corresponding sub-device, but when the sub-devices use different architectures their ways of parsing data may differ; therefore the network access service module, acting as the data upload channel and data delivery channel between the client and the networks, needs to apply different upload or delivery processing to the data parsed under the different parsing modes of these sub-devices, so that the data can be uploaded to the network or delivered to the client.
Further, the network access system shown in Fig. 2 also includes a central management center 300. The network access device 200 needs to connect to the remote central management center 300, which may be a cloud computing center or the like. The central management center 300 uses the transparent computing method to manage the firmware of the network access device 200 and its sub-devices, and the operating systems and system software of the network access device 200 and its sub-devices. The manufacturer of the network access device 200 does not need to manage the installation and maintenance of the device's firmware and system software, nor even to know which network each sub-device corresponds to; this work is configured and managed uniformly by the central management center 300 in the transparent computing mode according to established standards. In summary, the central management center 300 is configured to maintain and manage the firmware and operating system of the network access device 200 in the transparent computing mode.
Specifically, when the central management center 300 manages the network access device 200 in the transparent computing management mode, more attention is paid to the security and control of the network access device 200. For security problems such as an illegitimate user modifying the network access device 200 (for example, modifying the data delivered by the network), attacking it (for example, accessing the network in large volume through the network access device in an attempt to paralyze the network), impersonating (for example, impersonating an official signature) or copying (for example, copying an official signature), the central management center 300 has corresponding control measures: for example, hardware (or software) management code responsible for monitoring the hardware (or software) state may be added to the network access device 200, so that once a problem is found, the network access device 200 can be controlled remotely, for example by closing its ports, closing its access to the network, restarting it, reinstalling its system, or updating its system patches.
In addition, the transparent computing management of the network access device 200 by the central management center 300 described above may be combined with third-party authentication, such as CA authentication; at the same time, the network access device 200 and the central management center 300 may have two-way mutual authentication capability, which guards not only against an illegitimate device but also against an illegitimate center. Therefore, the central management center 300 is specifically configured to maintain and manage the firmware and operating system of the network access device 200 in the transparent computing mode after two-way mutual authentication between the central management center 300 and the network access device 200 has passed and/or after third-party authentication between the central management center 300 and the network access device 200 has passed.
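The two-way authentication that gates maintenance can be shown as a challenge-response exchange in which each side proves possession of a credential to the other, so that a rogue device and a rogue center are both rejected. The block below is an added example for this page, not the patent's or any vendor's protocol; it assumes a pre-shared key in place of the CA-issued certificates the text mentions, and the `Party`, `mutual_authenticate` and `run_maintenance` names are inventions of this example.

```python
import hashlib
import hmac
import secrets


def _tag(key: bytes, *parts: bytes) -> str:
    # HMAC-SHA256 over length-prefixed parts, so no field can bleed into the next
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Party:
    """Either end of the link: the central management center or the network
    access device. `key` stands in for the credential a CA would vouch for."""

    def __init__(self, ident: bytes, key: bytes):
        self.ident = ident
        self.key = key

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # a fresh nonce per run defeats replay

    def respond(self, peer_nonce: bytes, own_nonce: bytes) -> str:
        # The proof binds the responder's identity and both nonces.
        return _tag(self.key, b"auth", self.ident, peer_nonce, own_nonce)

    def verify(self, peer_ident: bytes, peer_nonce: bytes, own_nonce: bytes, tag: str) -> bool:
        expected = _tag(self.key, b"auth", peer_ident, peer_nonce, own_nonce)
        return hmac.compare_digest(expected, tag)


def mutual_authenticate(center: Party, device: Party) -> bool:
    """Two-way challenge-response. Both directions must pass before management
    traffic is accepted: the center rejects an illegitimate device, and the
    device rejects an illegitimate center."""
    nonce_c = center.challenge()
    nonce_d = device.challenge()
    device_proof = device.respond(peer_nonce=nonce_c, own_nonce=nonce_d)
    center_proof = center.respond(peer_nonce=nonce_d, own_nonce=nonce_c)
    device_ok = center.verify(device.ident, nonce_c, nonce_d, device_proof)
    center_ok = device.verify(center.ident, nonce_d, nonce_c, center_proof)
    return device_ok and center_ok


def run_maintenance(center: Party, device: Party, third_party_ok: bool = False) -> str:
    """Gate firmware/OS maintenance on the authentication outcome, mirroring the
    'mutual authentication and/or third-party authentication' condition."""
    if mutual_authenticate(center, device) or third_party_ok:
        return "maintenance-applied"
    return "refused"


# Constructed sample credentials; a real deployment would use per-device keys or certificates.
SHARED_KEY = b"constructed-shared-secret"

if __name__ == "__main__":
    center = Party(b"center", SHARED_KEY)
    device = Party(b"device-200", SHARED_KEY)
    rogue_center = Party(b"center", b"wrong-key")
    print(run_maintenance(center, device))        # maintenance-applied
    print(run_maintenance(rogue_center, device))  # refused
```

Each proof covers both nonces and the prover's identity, so a captured proof cannot be replayed against a later challenge and a proof produced by the device cannot be reflected back to it as if it came from the center.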
In addition, the central management center 300 is further configured to monitor whether the communication link between it and the network access device 200 has been disconnected. Specifically, the central management center 300 may use a real-time monitoring mechanism such as heartbeat signals for the network access device 200: the central management center 300 sends a very small packet to the network access device 200 at regular intervals and, from the replies of the network access device 200, judges whether the communication link between the two parties has been disconnected.
Further, in the embodiments of the present invention, the network access device 200 is configured to perform automatic maintenance of its firmware and/or system software, or to perform self-destruction of its firmware and/or system software or another self-protection measure, when it detects that it is in an abnormal state of a preset level. Specifically, the network access device 200 may have automatic maintenance and self-destruction capabilities according to its own security level requirements: for example, security levels may be preset, and when its master control program or hardware is in an abnormal state (under a certain security level), the device eliminates the security risk by the automatic maintenance method, or eliminates its own firmware or system software by the self-destruction method.
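The heartbeat monitoring and the graded self-protection described above fit together as one control loop: the number of consecutive unanswered probes is one measurable abnormality level, and the device escalates from verification to restoration to erasure as that level crosses preset thresholds. The code below is an added example for this page, not the patent's mechanism; the probe interval, the thresholds, the use of a SHA-256 digest to decide whether firmware needs restoring, and the names `LinkMonitor`, `NetworkAccessDevice` and `escalate` are all assumptions of this example.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a known-good firmware image and its reference digest.
GOOD_FIRMWARE = b"vendor-firmware-v1 (constructed sample image)"
GOOD_DIGEST = hashlib.sha256(GOOD_FIRMWARE).hexdigest()


@dataclass
class LinkMonitor:
    """Center-side heartbeat: one small probe every `interval` seconds; the link
    is declared disconnected after `max_missed` probes without a reply."""
    interval: float
    max_missed: int
    last_reply: float = 0.0

    def record_reply(self, now: float) -> None:
        self.last_reply = now

    def missed_probes(self, now: float) -> int:
        return int((now - self.last_reply) // self.interval)

    def disconnected(self, now: float) -> bool:
        return self.missed_probes(now) >= self.max_missed


class NetworkAccessDevice:
    """Device-side self-protection. `maintain_at` and `destroy_at` are the
    preset abnormality levels at which the device first tries automatic
    maintenance and then destroys its firmware."""

    def __init__(self, firmware: bytes, maintain_at: int, destroy_at: int):
        self.firmware = firmware
        self.maintain_at = maintain_at
        self.destroy_at = destroy_at
        self.log = []

    def firmware_ok(self) -> bool:
        return hashlib.sha256(self.firmware).hexdigest() == GOOD_DIGEST

    def auto_maintain(self) -> str:
        if self.firmware_ok():
            self.log.append("maintain: firmware verified, no action")
            return "verified"
        self.firmware = GOOD_FIRMWARE  # restore the known-good image
        self.log.append("maintain: firmware restored from known-good image")
        return "restored"

    def self_destruct(self) -> str:
        self.firmware = b"\x00" * len(self.firmware)  # zeroize so nothing usable remains
        self.log.append("self-destruct: firmware erased")
        return "erased"

    def react(self, abnormality: int) -> str:
        # Escalation order matters: check the destroy threshold before the
        # maintain threshold so a severe state is never answered by mere repair.
        if abnormality >= self.destroy_at:
            return self.self_destruct()
        if abnormality >= self.maintain_at:
            return self.auto_maintain()
        return "none"


def escalate(monitor: LinkMonitor, now: float, device: NetworkAccessDevice) -> str:
    """Feed the heartbeat result into the device's self-protection logic."""
    return device.react(monitor.missed_probes(now))


if __name__ == "__main__":
    mon = LinkMonitor(interval=5.0, max_missed=3)
    mon.record_reply(100.0)
    dev = NetworkAccessDevice(firmware=b"tampered image", maintain_at=2, destroy_at=5)
    print(mon.disconnected(115.0))   # True
    print(escalate(mon, 115.0, dev))  # restored
```

The thresholds are deliberately separate from the link-down threshold: a short outage should trigger a firmware check, not erasure, and only a prolonged loss of the management link reaches the self-destruct level.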
In the network access system and method based on transparent computing provided by the embodiments of the present invention, the network access device of the system includes two kinds of sub-devices, a first sub-device and a second sub-device. The first sub-device is responsible for connecting the client to the secure network (the first network), and the second sub-device is responsible for connecting the client to the insecure network (the second network). The first network and the second network are used to provide the user with two independent and isolated network services, and the user's client can freely access both mutually isolated networks through the corresponding sub-devices. This ensures that the content of the first network is not polluted by the content of the second network, that is, content from the second network cannot flow into the first network, so the content of the first network remains secure and trustworthy.
Referring to Fig. 3, which is a schematic flow chart of the network access method based on transparent computing provided by an embodiment of the present invention, the method is applied to a network access system that includes a network access device and at least one client. The network access device includes at least one first sub-device responsible for connecting the client to a first network and at least one second sub-device responsible for connecting the client to a second network, where the first network is a network holding secure data and the second network is a network holding secure and/or unsafe data. The method includes:
Step 301: determine the network to which the client has requested access;
Step 302: when the client requests access to the first network, the network access device, in the transparent computing mode, lets the first sub-device responsible for the currently accessed service connect the client to the first network, so that the first network provides the network access service to the client;
Step 303: when the client requests access to the second network, the network access device, in the transparent computing mode, lets the second sub-device responsible for the currently accessed service connect the client to the second network, so that the second network provides the network access service to the client.
In the embodiments of the present invention, the network access device further includes a network access service module, and the method further includes:
Before the client requests access to the first network or to the second network, the network access service module establishes the client's network connection through the network connection service it provides.
In the embodiments of the present invention, the network access device further includes a network access service module, and the method further includes:
The network access service module manages the first sub-device and the second sub-device in the transparent computing mode.
In the embodiments of the present invention, the network access device further includes a network access service module; the network access service module physically isolates the first sub-device from the second sub-device; or, the network access service module physically isolates the first sub-device from the second sub-device and additionally physically isolates each pair of first sub-devices from one another.
In the embodiments of the present invention, the system further includes a central management center, and the method further includes:
The central management center maintains and manages the firmware and operating system of the network access device in the transparent computing mode.
In the embodiments of the present invention, the central management center maintaining the firmware and operating system of the network access device in the transparent computing mode specifically includes:
After two-way mutual authentication between the central management center and the network access device has passed and/or after third-party authentication between the central management center and the network access device has passed, the central management center maintains and manages the firmware and operating system of the network access device in the transparent computing mode.
In the embodiments of the present invention, the method further includes:
The central management center monitors whether the communication link between it and the network access device has been disconnected.
In the embodiments of the present invention, the method further includes:
When the network access device detects that it is in an abnormal state of a preset level, it performs automatic maintenance of its firmware and/or system software, or performs self-destruction of its firmware and/or system software.
From the above description of the embodiments, those skilled in the art can clearly understand that all or part of the steps of the methods in the above embodiments can be implemented by software together with a necessary general-purpose hardware platform. On this basis, the technical solution of the present invention, or the part of it that contributes over the prior art, can essentially be embodied in the form of a software product. This computer software product can be stored in a storage medium such as a ROM/RAM, magnetic disk or optical disc, and includes instructions for causing a computer device (which may be a personal computer, a server, or a network communication device such as a WMG) to perform the method described in each embodiment of the present invention or in some part of an embodiment.
It should be noted that the embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. Since the method disclosed in the embodiments corresponds to the system disclosed in the embodiments, its description is relatively simple, and the relevant parts may be found in the description of the system.
It should further be noted that in this document relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relation or order between these entities or operations. Moreover, the terms "includes", "comprises" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The above description of the disclosed embodiments enables a person skilled in the art to make or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.