CN105915565B - Authentication method, device and system - Google Patents


Publication number
CN105915565B
Authority
CN
China
Prior art keywords
patch
authentication
server
terminal equipment
vulnerability
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610531912.0A
Other languages
Chinese (zh)
Other versions
CN105915565A (en)
Inventor
周迪
余剑声
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Uniview Technologies Co Ltd
Original Assignee
Zhejiang Uniview Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Uniview Technologies Co Ltd filed Critical Zhejiang Uniview Technologies Co Ltd
Priority to CN201610531912.0A priority Critical patent/CN105915565B/en
Publication of CN105915565A publication Critical patent/CN105915565A/en
Application granted granted Critical
Publication of CN105915565B publication Critical patent/CN105915565B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00 Television systems
    • H04N7/18 Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Multimedia (AREA)
  • Computer And Data Communications (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention provides an authentication method, device and system. The method comprises: issuing a specified policy to a security device; before a terminal device passes authentication, receiving a registration message from the terminal device, obtaining a scanning result for the terminal device after it completes registration, and deriving from the scanning result the vulnerability identifier that requires a patch and the patch server information corresponding to that vulnerability identifier; sending the vulnerability identifier and the patch server information to the terminal device so that the terminal device can complete the patch update using them; and receiving from the terminal device a keep-alive message indicating that the terminal device has completed the patch update, then issuing a policy for starting authentication to the security device, whereupon the security device starts the authentication process. With the technical solution of the invention, the whole monitoring service can be used normally, the user experience is improved, and the security of the video monitoring system can be ensured.

Description

Authentication method, device and system
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an authentication method, apparatus, and system.
Background
In recent years, with the rapid development of computer, network, image processing and transmission technologies, video monitoring systems have become increasingly widespread and are gradually moving toward high definition and intelligent operation. They can be applied in numerous fields such as intelligent transportation, smart parks and safe cities. With the development of video monitoring, IP-based and network-based monitoring technologies have become the mainstream of video monitoring systems.
Fig. 1 is a schematic networking diagram of a video monitoring system. When a front-end device (such as a network camera, an analog camera or an encoder) sends a message to the management server, the security device receives the message and may forward it to the management server, which then processes the message.
However, in consideration of security, the security device may perform 802.1X authentication on the front-end device before sending the message of the front-end device to the management server, and only when the 802.1X authentication of the front-end device passes, the security device allows the message of the front-end device to be sent to the management server, otherwise, the security device discards the message of the front-end device.
Since the message of the front-end device is allowed to be sent to the management server only after the 802.1X authentication of the front-end device passes, the legal message of the front-end device cannot be transmitted to the management server before the 802.1X authentication of the front-end device passes, so that the whole monitoring service is unavailable, and the use experience of the user is influenced.
Disclosure of Invention
The invention provides an authentication method, which is applied to a management server and comprises the following steps:
issuing a specified policy to the security device, wherein the specified policy instructs the security device to allow specified messages to pass before the terminal device passes authentication, and the specified messages include a registration message and a keep-alive message;
before the terminal device passes authentication, receiving a registration message from the terminal device, obtaining a scanning result for the terminal device after it completes registration, and deriving from the scanning result the vulnerability identifier that requires a patch and the patch server information corresponding to that vulnerability identifier;
sending the vulnerability identifier and the patch server information to the terminal device so that the terminal device can complete the patch update using them;
receiving from the terminal device a keep-alive message indicating that the terminal device has completed the patch update, and issuing a policy for starting authentication to the security device, whereupon the security device starts the authentication process.
The authentication comprises 802.1x authentication;
the process of issuing the designated policy to the security device specifically includes: sending a specified policy to an authentication server so that the authentication server issues the specified policy to the security device; the specified policy is further used for indicating that the security device refuses to authenticate the terminal device;
the process of issuing the policy for starting authentication to the security device specifically includes: sending the policy for starting authentication to the authentication server so that the authentication server issues it to the security device; the policy for starting authentication instructs the security device to authenticate the terminal device.
The specified messages further include a vulnerability scanning message, and the process of obtaining the scanning result of the terminal device specifically includes: performing vulnerability scanning on the terminal device to obtain the scanning result; or,
sending a scanning command to a scanning server to enable the scanning server to carry out vulnerability scanning on the terminal equipment to obtain a scanning result; receiving a scanning result returned by the scanning server;
the scanning result comprises a vulnerability identification and patch server information corresponding to the vulnerability identification.
The process of deriving from the scanning result the vulnerability identifier that requires a patch and the patch server information corresponding to it comprises:
sending the scanning result to a patch server according to the patch server information in the scanning result, so that the patch server judges whether a patch is required for a vulnerability identifier in the scanning result and, if so, determines it to be a vulnerability identifier that requires a patch; and receiving from the patch server the vulnerability identifier that requires a patch and the patch server information corresponding to it.
After receiving from the terminal device the keep-alive message indicating that the terminal device has completed the patch update, and before issuing the policy for starting authentication to the security device, the method further includes: obtaining a scanning result of the terminal device and judging from it whether the patch update for the vulnerability identifier that requires a patch has been completed; if so, executing the process of issuing the policy for starting authentication to the security device; if not, continuing to execute the process of sending the vulnerability identifier that requires a patch and the corresponding patch server information to the terminal device.
The invention provides an authentication device, which is applied to a management server, and comprises:
the sending module is used for issuing a specified policy to the security device, wherein the specified policy instructs the security device to allow specified messages to pass before the terminal device passes authentication, and the specified messages include a registration message and a keep-alive message;
the receiving module is used for receiving the registration message from the terminal device before the terminal device passes authentication;
the acquisition module is used for obtaining a scanning result of the terminal device after the terminal device completes registration, and deriving from the scanning result the vulnerability identifier that requires a patch and the patch server information corresponding to it;
the sending module is further configured to send the vulnerability identifier and the patch server information to the terminal device, so that the terminal device completes the patch update using them;
the receiving module is further configured to receive a keep-alive message from the terminal device, where the keep-alive message indicates that the terminal device has completed the patch update;
the sending module is further configured to issue a policy for starting authentication to the security device after the receiving module receives the keep-alive message, whereupon the security device starts the authentication process.
The authentication comprises 802.1x authentication;
the sending module is specifically configured to send a specified policy to an authentication server in a process of issuing the specified policy to a security device, so that the authentication server issues the specified policy to the security device; the specified policy is further used for indicating that the security device refuses to authenticate the terminal device;
in the process of issuing the policy for starting authentication to the security device, sending the policy for starting authentication to the authentication server so that the authentication server issues it to the security device; the policy for starting authentication instructs the security device to authenticate the terminal device.
The specified messages further include a vulnerability scanning message; in the process of obtaining the scanning result of the terminal device, the acquisition module is specifically used for performing vulnerability scanning on the terminal device to obtain the scanning result; or sending a scanning command to a scanning server so that the scanning server performs vulnerability scanning on the terminal device to obtain the scanning result, and receiving the scanning result returned by the scanning server; the scanning result comprises a vulnerability identifier and the patch server information corresponding to it.
In the process of deriving from the scanning result the vulnerability identifier that requires a patch and the corresponding patch server information, the acquisition module is specifically used for sending the scanning result to a patch server according to the patch server information in the scanning result, so that the patch server judges whether a patch is required for a vulnerability identifier in the scanning result and, if so, determines it to be a vulnerability identifier that requires a patch; and receiving from the patch server the vulnerability identifier that requires a patch and the patch server information corresponding to it.
The present invention provides an authentication system, the system comprising:
the management server is used for issuing a specified policy to the security device, wherein the specified policy instructs the security device to allow specified messages to pass before the terminal device passes authentication, and the specified messages include a registration message and a keep-alive message; before the terminal device passes authentication, receiving a registration message from the terminal device, obtaining a scanning result of the terminal device after it completes registration, and deriving from the scanning result the vulnerability identifier that requires a patch and the patch server information corresponding to it; sending the vulnerability identifier and the patch server information to the terminal device; receiving a keep-alive message from the terminal device, wherein the keep-alive message indicates that the terminal device has completed the patch update, and issuing a policy for starting authentication to the security device;
the security device is used for receiving the specified policy and allowing the specified messages to pass before the terminal device passes authentication; and for receiving the policy for starting authentication and authenticating the terminal device;
and the terminal device is used for completing the patch update using the vulnerability identifier and the patch server information, and sending to the management server a keep-alive message indicating that the terminal device has completed the patch update.
Based on the above technical solution, in the embodiment of the present invention, before the 802.1X authentication of the terminal device passes, the security device may send the message (such as the registration message, the keep-alive message, and the like) of the terminal device to the management server, that is, the legitimate message of the terminal device may be transmitted to the management server, so that the whole monitoring service may be normally used, and the user experience is improved. Moreover, before 802.1X authentication is carried out on the terminal equipment, vulnerability scanning and patch updating are carried out on the terminal equipment, so that the terminal equipment carrying out 802.1X authentication is already the terminal equipment which completes vulnerability scanning and patch updating, and the safety of the video monitoring system can be guaranteed.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments of the present invention or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present invention, and other drawings can be obtained by those skilled in the art according to the drawings.
FIG. 1 is a schematic networking diagram of a video monitoring system proposed in the prior art;
FIG. 2 is a schematic diagram of an application scenario in an embodiment of the present invention;
FIG. 3 is a flow diagram of an authentication method in one embodiment of the invention;
FIG. 4 is a flow chart of an authentication method in another embodiment of the invention;
FIG. 5 is a hardware block diagram of a management server in one embodiment of the invention;
FIG. 6 is a configuration diagram of an authentication device according to an embodiment of the present invention.
Detailed Description
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein is meant to encompass any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present invention. Depending on the context, moreover, the word "if" as used may be interpreted as "at … …" or "when … …" or "in response to a determination".
To address the problems in the prior art, the embodiment of the invention provides an authentication method that can be applied to a video monitoring system. Fig. 2 is a schematic view of an application scenario of the embodiment of the present invention, in which the video monitoring system may include, but is not limited to: terminal devices, security devices, management servers, authentication servers, patch servers, scanning servers, and the like. The terminal device may be a front-end device (such as a network camera, an analog camera, an encoder, and the like), a client, an NVR (Network Video Recorder), and the like. The security device may be a router, a switch, or other network device. The management server may be a video management server, a video management platform, or the like, which manages the terminal device, the authentication server, the patch server, the scanning server, or the like. The authentication server performs functions such as authentication, authorization and accounting for the terminal device, and may be a RADIUS (Remote Authentication Dial In User Service) server. The patch server performs functions such as patch updating for the terminal device. The scanning server performs functions such as vulnerability scanning of the terminal device.
In the application scenario, the authentication method provided in the embodiment of the present invention may be applied to a management server, and refer to a flowchart shown in fig. 3, where the authentication method may include the following steps:
Step 301, issuing a specified policy to the security device, where the specified policy instructs the security device to allow specified messages to pass before the terminal device passes authentication, and the specified messages include a registration message and a keep-alive message.
Step 302, before the terminal device passes authentication, receiving a registration message from the terminal device, obtaining a scanning result of the terminal device after it completes registration, and deriving from the scanning result the vulnerability identifier that requires a patch and the patch server information corresponding to it.
Step 303, sending the vulnerability identifier that requires a patch and the patch server information to the terminal device, so that the terminal device completes the patch update using them.
Step 304, receiving from the terminal device the keep-alive message indicating that the terminal device has completed the patch update, and issuing a policy for starting authentication to the security device, whereupon the security device starts the authentication process.
In one example, the authentication may include, but is not limited to, 802.1x authentication.
In an example, the process of issuing the specified policy to the security device by the management server may specifically include, but is not limited to: sending the specified policy to an authentication server so that the authentication server issues the specified policy to the security device; the specified policy further instructs the security device to refuse to authenticate the terminal device. The process of issuing, by the management server, the policy for starting authentication to the security device may specifically include, but is not limited to: sending the policy for starting authentication to the authentication server so that the authentication server issues it to the security device; the policy for starting authentication instructs the security device to authenticate the terminal device.
In an example, the specified messages may further include a vulnerability scanning message, and the process of the management server obtaining the scanning result of the terminal device may specifically include, but is not limited to: performing vulnerability scanning on the terminal device to obtain the scanning result; or sending a scanning command to a scanning server so that the scanning server performs vulnerability scanning on the terminal device to obtain the scanning result, and receiving the scanning result returned by the scanning server. The scanning result may include, but is not limited to, a vulnerability identifier and the patch server information corresponding to it.
In an example, the process by which the management server derives from the scanning result the vulnerability identifier that requires a patch and the corresponding patch server information may specifically include, but is not limited to: sending the scanning result to a patch server according to the patch server information in the scanning result, so that the patch server judges whether a patch is required for a vulnerability identifier in the scanning result and, if so, determines it to be a vulnerability identifier that requires a patch. The management server then receives from the patch server the vulnerability identifier that requires a patch and the patch server information corresponding to it.
In an example, after the management server receives from the terminal device the keep-alive message indicating that the terminal device has completed the patch update, and before it issues the policy for starting authentication to the security device, the management server may obtain a scanning result of the terminal device again and judge from it whether the patch update for the vulnerability identifier that requires a patch has been completed; if so, the process of issuing the policy for starting authentication to the security device can be executed; if not, the process of sending the vulnerability identifier that requires a patch and the corresponding patch server information to the terminal device can be executed again.
Based on the above technical solution, in the embodiment of the present invention, before the 802.1X authentication of the terminal device passes, the security device may send the message (such as the registration message, the keep-alive message, and the like) of the terminal device to the management server, that is, the legitimate message of the terminal device may be transmitted to the management server, so that the whole monitoring service may be normally used, and the user experience is improved. Moreover, before 802.1X authentication is carried out on the terminal equipment, vulnerability scanning and patch updating are carried out on the terminal equipment, so that the terminal equipment which carries out 802.1X authentication is already the terminal equipment which completes vulnerability scanning and patch updating, and the safety of the video monitoring system is guaranteed.
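The flow of steps 301 to 304, including the re-scan that checks the terminal device's claim of a completed patch update, can be traced in a short simulation. This is an added example, not code from the patent; the class and function names, the `VULN-*` identifiers, the 192.0.2.20 address and the `max_rounds` bound are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    PRE_AUTH = "pass specified messages, refuse authentication"  # step 301
    START_AUTH = "authenticate the terminal device"              # step 304


@dataclass
class SecurityDevice:
    """Stands in for the switch or router; records the policy it was issued."""
    policy: Policy | None = None


@dataclass
class Terminal:
    """Constructed terminal device with open vulnerabilities.

    failures_left maps a vulnerability id to the number of patch attempts
    that will still fail (hypothetical, to exercise the re-scan loop).
    """
    name: str
    vulns: set[str]
    failures_left: dict[str, int] = field(default_factory=dict)

    def apply_patches(self, todo: dict[str, str]) -> str:
        for vuln_id in todo:
            if self.failures_left.get(vuln_id, 0) > 0:
                self.failures_left[vuln_id] -= 1      # update silently failed
            else:
                self.vulns.discard(vuln_id)           # patch applied
        # The device reports completion regardless of the real outcome.
        return "keepalive:patch-update-complete"


PATCH_SERVER = "192.0.2.20"              # constructed patch server address
PATCH_REQUIRED = {"VULN-A", "VULN-B"}    # constructed patch-server decision


def scan(terminal: Terminal) -> dict[str, str]:
    """Scanning result: vulnerability id -> patch server information."""
    return {v: PATCH_SERVER for v in sorted(terminal.vulns)}


def needs_patch(scan_result: dict[str, str]) -> dict[str, str]:
    """Patch server's answer: the subset of identifiers that require a patch."""
    return {v: srv for v, srv in scan_result.items() if v in PATCH_REQUIRED}


def admit(terminal: Terminal, device: SecurityDevice, max_rounds: int = 3) -> int:
    """Run the admission flow; return patch rounds used, or -1 if not admitted."""
    device.policy = Policy.PRE_AUTH              # step 301
    todo = needs_patch(scan(terminal))           # step 302 (after registration)
    rounds = 0
    while todo and rounds < max_rounds:          # max_rounds is an added bound
        rounds += 1
        terminal.apply_patches(todo)             # step 303, answered by keep-alive
        todo = needs_patch(scan(terminal))       # re-scan instead of trusting it
    if todo:
        return -1                                # policy stays PRE_AUTH
    device.policy = Policy.START_AUTH            # step 304
    return rounds


if __name__ == "__main__":
    cam = Terminal("cam-1", {"VULN-A", "VULN-B", "VULN-C"}, {"VULN-B": 1})
    sw = SecurityDevice()
    print(admit(cam, sw), sw.policy, cam.vulns)
```

The second round happens only because the re-scan contradicts the first keep-alive; without it the device would be moved to authentication with `VULN-B` still open.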
The following describes the authentication method in the embodiment of the present invention in detail with reference to the flowchart shown in fig. 4.
In step 401, the management server sends a specified policy to the authentication server.
At step 402, the authentication server issues the specified policy to the security device.
In one example, the specified policy may be used to instruct the security device to deny authentication of the terminal device; and before the terminal device passes the authentication, allowing a specified message to pass, wherein the specified message may include but is not limited to: registration messages, keep-alive messages, vulnerability scanning messages, patch update messages, and the like.
In one example, the authentication may include, but is not limited to, 802.1x authentication.
The management server issues the specified policy to the security device through the authentication server in order to ensure sufficient security when the terminal device accesses the security device. Under the specified policy, the security device allows only the specified messages (registration messages, keep-alive messages, vulnerability scanning messages, patch update messages, and the like) to pass and discards all other types of messages, including messages used for 802.1x authentication.
Because the security device allows specified messages such as the registration message, keep-alive message, vulnerability scanning message and patch update message to pass before the terminal device passes 802.1X authentication, the monitoring service can be used normally, and operations such as registration, vulnerability scanning and patch updating of the terminal device can be completed, which increases security; these operations are explained in the subsequent steps. In addition, 802.1X authentication of the terminal device is refused until its vulnerability scanning and patch updating are complete. This prevents a terminal device that has not completed vulnerability scanning and patch updating from passing 802.1X authentication, accessing the network and introducing security risks into it, and so guarantees the security of the video monitoring system.
To implement the function that "the security device only allows specified messages such as a registration message, a keep-alive message, a vulnerability scanning message, and a patch update message to pass", the specified policy may be an Access Control List (ACL) policy, in which the match option is a message feature in the header of a specified message and the action option is to pass messages that match the ACL policy. Under the ACL policy, when the security device receives a specified message, it parses the message features from the message header; because these features match the ACL policy, the security device passes the message, that is, forwards it according to its destination IP address. When the security device receives a non-specified message, it parses the message features from the message header; because these features do not match the ACL policy, the security device discards the message and does not let it pass.
In one example, because the management server knows the message features in the headers of specified messages such as the registration message, keep-alive message, vulnerability scanning message and patch update message, it can configure the ACL policy based on those features. For example, if the destination IP address of the registration/keep-alive message is the IP address of the management server and the protocol type is SIP (Session Initiation Protocol), then the management server's IP address and the SIP type may be configured as message features in the ACL policy. As another example, if the destination IP address of the patch update message is the IP address of the patch server, the patch server's IP address may be configured in the ACL policy. In practical applications the configuration is not limited to the above; the management server may configure the policy in any way based on the message features in the headers of the specified messages, and no limitation is imposed here.
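The default-deny matching described above can be sketched as follows. This is an added example, not part of the patent; the addresses, the `Header` and `Rule` types, the protocol labels and the stricter patch rule (HTTP on port 80) are assumptions, and a real ACL would match SIP by its transport port rather than by name.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed addresses (documentation ranges) standing in for the servers.
MGMT, PATCH, SCAN = "192.0.2.10", "192.0.2.20", "192.0.2.30"


@dataclass(frozen=True)
class Header:
    """Message features the security device parses from a message header."""
    dst_ip: str | None            # None for non-IP frames such as 802.1X EAPOL
    proto: str
    dst_port: int | None = None


@dataclass(frozen=True)
class Rule:
    """One ACL entry: match options only, since the action is always 'pass'."""
    name: str
    dst_ip: str
    proto: str | None = None      # None matches any protocol
    dst_port: int | None = None   # None matches any port

    def matches(self, h: Header) -> bool:
        return (h.dst_ip == self.dst_ip
                and self.proto in (None, h.proto)
                and self.dst_port in (None, h.dst_port))


def pre_auth_acl(strict_patch: bool = False) -> list[Rule]:
    """ACL for the specified policy, following the two examples in the text.

    strict_patch=False keys the patch rule on destination IP only, as the
    text describes; strict_patch=True adds an assumed protocol and port.
    """
    if strict_patch:
        patch = Rule("patch-update", PATCH, "http", 80)
    else:
        patch = Rule("patch-update", PATCH)
    return [
        Rule("register/keep-alive", MGMT, "sip"),
        Rule("vuln-scan", SCAN),          # assumed: replies to the scanning server
        patch,
    ]


def decide(acl: list[Rule], h: Header) -> str:
    """First matching rule passes the message; anything unmatched is dropped."""
    for rule in acl:
        if rule.matches(h):
            return "permit:" + rule.name
    return "drop"


# Constructed sample headers, not captured traffic.
SAMPLES = {
    "register": Header(MGMT, "sip", 5060),
    "eapol-start": Header(None, "eapol"),
    "http-to-mgmt": Header(MGMT, "http", 80),
    "patch-download": Header(PATCH, "http", 80),
    "ssh-to-patch": Header(PATCH, "ssh", 22),
    "sip-elsewhere": Header("198.51.100.7", "sip", 5060),
}


def evaluate(strict_patch: bool = False) -> dict[str, str]:
    acl = pre_auth_acl(strict_patch)
    return {name: decide(acl, h) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for strict in (False, True):
        print("strict_patch =", strict)
        for name, verdict in evaluate(strict).items():
            print(f"  {name:15s} {verdict}")
```

A rule keyed on destination IP alone passes every protocol to that host before authentication, so the `ssh-to-patch` sample is permitted until the rule is narrowed.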
Step 403, before the terminal device passes the authentication, the management server receives the registration message from the terminal device, and after the terminal device completes the registration, obtains the scanning result of the terminal device.
In one example, the terminal device may send a registration message to the management server before the terminal device is authenticated. After the security device receives the registration message, the registration message can be matched with the ACL policy, so that the registration message is released, namely, the registration message is sent to the management server according to the destination IP address. After receiving the registration message, the management server performs registration processing on the terminal device, and the specific processing process is not described again. After the terminal device completes registration, the management server acquires a scanning result of the terminal device.
In one example, the process of the management server obtaining the scanning result of the terminal device may include, but is not limited to, the following: the management server performs vulnerability scanning on the terminal device to obtain the scanning result; or, the management server sends a scanning command to the scanning server so that the scanning server performs vulnerability scanning on the terminal device to obtain the scanning result, and the management server receives the scanning result returned by the scanning server. The scanning result may include, but is not limited to, a vulnerability identification (such as a vulnerability name) and patch server information corresponding to the vulnerability identification.
The management server or the scanning server may scan the terminal device for vulnerabilities, and in the scanning process, the management server or the scanning server needs to actively establish a connection with the terminal device and scan vulnerabilities of the terminal device through a special scanning program, which is not described in detail again.
It should be noted that, in the scanning process, the terminal device sends a vulnerability scanning message to the management server or the scanning server, and after the security device receives the vulnerability scanning message, the vulnerability scanning message can be matched with the ACL policy, so that the vulnerability scanning message is released, that is, the vulnerability scanning message is sent to the management server or the scanning server according to the destination IP address, so as to perform vulnerability scanning by using the vulnerability scanning message.
In one example, the scan results may include, but are not limited to: the vulnerability identification, and patch server information (such as an IP address of the patch server) corresponding to the vulnerability identification. For example, the scan results are: vulnerability_1 and 10.1.1.22, vulnerability_2 and 10.1.1.22, vulnerability_3 and 10.1.1.22, and vulnerability_4 and 10.1.1.22. In an example, the scanning result may be as shown in table 1, which is only one example; in practical applications the scanning result may be represented in other ways, which is not limited in the embodiment of the present invention.
TABLE 1 (image BDA0001037790050000101 in the original publication)
In step 404, the management server sends the scan result to the patch server. For example, the management server sends the scan result to the patch server according to the patch server information in the scan result.
In one example, the management server may send "vulnerability_1 and 10.1.1.22, vulnerability_2 and 10.1.1.22, vulnerability_3 and 10.1.1.22, and vulnerability_4 and 10.1.1.22" to the patch server corresponding to the address 10.1.1.22. Alternatively, the scan result shown in table 1 is sent directly to the patch server corresponding to the address 10.1.1.22.
Step 405, the patch server judges whether a patch needs to be added to the vulnerability identification in the scanning result, if so, the patch server determines the vulnerability identification as the vulnerability identification needing to be added with the patch.
In one example, for a certain vulnerability identification, if the patch server has the capability of adding a patch to the vulnerability identification, and the vulnerability identification corresponds to an important vulnerability, it is determined that the patch needs to be added to the vulnerability identification, and the vulnerability identification is determined as the vulnerability identification to which the patch needs to be added. Or if the patch server does not have the capability of adding the patch to the vulnerability identification, or although the patch server has the capability of adding the patch to the vulnerability identification, the vulnerability identification corresponds to an unimportant vulnerability, determining that the patch does not need to be added to the vulnerability identification, and determining the vulnerability identification as the vulnerability identification which does not need to be added with the patch.
In step 406, the patch server returns the vulnerability identification to which the patch needs to be added and patch server information (such as an IP address) corresponding to the vulnerability identification to the management server. And the management server receives the vulnerability identification needing to be added with the patch, which is returned by the patch server, and patch server information corresponding to the vulnerability identification.
In one example, assuming that the patch server determines that the vulnerability identifications requiring a patch are vulnerability_1 and vulnerability_2, the patch server may send "vulnerability_1 and 10.1.1.22, vulnerability_2 and 10.1.1.22" to the management server. In another example, the patch server may also send table 2 to the management server.
TABLE 2 (images BDA0001037790050000102 and BDA0001037790050000111 in the original publication)
Step 407, the management server sends the vulnerability identification to be added with the patch and the patch server information to the terminal device, and the terminal device completes patch updating by using the vulnerability identification and the patch server information.
In one example, since the vulnerability identifications requiring a patch are vulnerability_1 and vulnerability_2, the management server may send "vulnerability_1 and 10.1.1.22, vulnerability_2 and 10.1.1.22" to the terminal device. In another example, the management server may also send table 3 to the terminal device. The pairs "vulnerability_1 and 10.1.1.22, vulnerability_2 and 10.1.1.22", or table 3, may be carried in a SIP message and sent to the terminal device.
TABLE 3 (image BDA0001037790050000112 in the original publication)
In one example, the terminal device may use the IP address (10.1.1.22) of the patch server to download the patch corresponding to vulnerability_1 and the patch corresponding to vulnerability_2 from the patch server, and the patch server may transmit the patch corresponding to vulnerability_1 and the patch corresponding to vulnerability_2 to the terminal device. The terminal device completes patch updating of vulnerability_1 using the patch corresponding to vulnerability_1, and completes patch updating of vulnerability_2 using the patch corresponding to vulnerability_2. The patch updating process is not described in detail in the embodiment of the present invention.
It should be noted that, in the patch updating process, the terminal device sends a patch update message to the patch server, and after receiving the patch update message, the security device releases the patch update message because the patch update message can be matched with the ACL policy, that is, sends the patch update message to the patch server according to the destination IP address, so that the patch server completes the patch updating process using the patch update message.
Step 408, after completing the patch update, the terminal device sends a keep-alive message used for indicating that the terminal device has completed the patch update to the management server, and the management server receives the keep-alive message.
It should be noted that the terminal device sends the keep-alive message to the management server, and after receiving the keep-alive message, the security device passes through the keep-alive message because the keep-alive message can be matched with the ACL policy, that is, sends the keep-alive message to the management server according to the destination IP address.
In an example, the keep-alive message sent by the terminal device may carry vulnerability_1 and vulnerability_2 to indicate that the terminal device has completed patch updating of vulnerability_1 and vulnerability_2. Or, the keep-alive message sent by the terminal device may carry table 4 to indicate that patch updating of vulnerability_1 and vulnerability_2 has been completed.
TABLE 4 (image BDA0001037790050000121 in the original publication)
Step 409, the management server obtains the scanning result of the terminal device, and judges whether the vulnerability identification needing to be added with the patch has finished patch updating according to the scanning result. If so, step 410 is performed. Otherwise, the vulnerability identification of the incomplete patch update is determined as the vulnerability identification needing to be added with the patch, and step 407 is executed.
In one example, the process of the management server obtaining the scanning result of the terminal device may include, but is not limited to, the following: the management server directly performs vulnerability scanning on the terminal device to obtain the scanning result; or, the management server sends a scanning command to the scanning server so that the scanning server performs vulnerability scanning on the terminal device to obtain the scanning result, and the management server receives the scanning result returned by the scanning server.
The process of acquiring the scanning result again by the management server may be similar to the process of step 403, and is not repeated here. Different from the step 403, in the step 403, all vulnerability identifiers of the terminal device are scanned to obtain a scanning result. In this step 409, only the vulnerability identification to which the patch needs to be added is scanned to obtain a scanning result. Based on the scanning result, the management server may determine whether the vulnerability identification to which the patch needs to be added has already completed patch updating.
At step 410, the management server sends a policy to the authentication server to initiate authentication.
In step 411, the authentication server issues the policy for starting authentication to the security device.
In one example, the policy to initiate authentication is used to instruct the security device to authenticate the terminal device, such as 802.1x authentication of the terminal device. The authentication start policy is used to replace the specified policy, that is, the security device deletes the specified policy after receiving the authentication start policy.
Based on this policy for starting authentication, the security device allows the messages used for 802.1x authentication to pass. The terminal device may send an authentication message carrying information such as a user name and a password. After receiving the authentication message, the security device sends an authentication message carrying the user name, password and other information to the authentication server. After receiving the authentication message, the authentication server authenticates the terminal device using the user name, password and other information, and sends the authentication result, either authentication success or authentication failure, to the security device. If the authentication succeeds, the security device allows the terminal device to access the network. If the authentication fails, the security device does not allow the terminal device to access the network. The authentication process is not described in further detail here.
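An added simulation of the management-server flow in steps 403 to 411, not code from the patent: the keep-alive in step 408 is the terminal's own report, and the re-scan in step 409 is what actually gates the policy for starting authentication. The `Terminal` class, the function names, the `max_rounds` bound and the behaviour when no patch is required are assumptions made for illustration.

```python
from dataclasses import dataclass, field

PATCH_SERVER_IP = "10.1.1.22"   # patch server address from the page's example


@dataclass
class Terminal:
    """Constructed stand-in for a terminal device. Ids listed in 'flaky' fail
    to install on the first attempt and succeed on the next one."""
    open_vulns: set
    flaky: set = field(default_factory=set)

    def apply_patches(self, todo):
        """Step 407 on the terminal side, followed by the step 408 keep-alive."""
        for vuln_id, _server in todo:
            if vuln_id in self.flaky:
                self.flaky.discard(vuln_id)   # install failed this round
                continue
            self.open_vulns.discard(vuln_id)
        # The keep-alive reports every requested id as patched (self-report).
        return {vuln_id for vuln_id, _server in todo}


def scan(terminal, only=None):
    """Steps 403/409: list (vulnerability id, patch server) pairs still open.
    'only' restricts the re-scan to the ids that required a patch."""
    ids = terminal.open_vulns if only is None else terminal.open_vulns & only
    return sorted((v, PATCH_SERVER_IP) for v in ids)


def patch_server_select(scan_result, patchable_and_important):
    """Steps 405-406: keep the ids the patch server can patch and rates important."""
    return [(v, ip) for v, ip in scan_result if v in patchable_and_important]


def onboard(terminal, patchable_and_important, max_rounds=3):
    """Management-server side of steps 403-411. Returns (decision, log).
    max_rounds is an added bound; the page describes the loop without one."""
    log = []
    first = scan(terminal)                                        # step 403
    log.append(("scan", [v for v, _ in first]))
    required = patch_server_select(first, patchable_and_important)  # steps 404-406
    required_ids = {v for v, _ in required}
    pending = required
    for _ in range(max_rounds):
        if not pending:           # assumption: nothing to patch means proceed
            break
        claimed = terminal.apply_patches(pending)                 # steps 407-408
        log.append(("keepalive", sorted(claimed)))
        pending = scan(terminal, only=required_ids)               # step 409
        log.append(("rescan", [v for v, _ in pending]))
    if pending:
        return "keep_designated_policy", log
    return "issue_start_auth_policy", log                         # steps 410-411


if __name__ == "__main__":
    # Constructed terminal: four findings, one patch fails on the first attempt.
    cam = Terminal({"vulnerability_1", "vulnerability_2",
                    "vulnerability_3", "vulnerability_4"},
                   flaky={"vulnerability_2"})
    decision, log = onboard(cam, {"vulnerability_1", "vulnerability_2"})
    for entry in log:
        print(entry)
    print(decision, "| still open:", sorted(cam.open_vulns))
```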
Based on the above technical solution, in the embodiment of the present invention, before the 802.1X authentication of the terminal device passes, the security device may forward the messages of the terminal device (such as the registration message and the keep-alive message) to the management server, that is, the legitimate messages of the terminal device can reach the management server, so that the whole monitoring service can be used normally and the user experience is improved. Moreover, before 802.1X authentication is carried out on the terminal device, vulnerability scanning and patch updating are performed on it, so that any terminal device undergoing 802.1X authentication has already completed vulnerability scanning and patch updating, which ensures the security of the video monitoring system.
Based on the same inventive concept as the method, the embodiment of the invention provides an authentication device applied to a management server. The authentication device may be implemented by software, by hardware, or by a combination of hardware and software. Taking a software implementation as an example, the device is a logical device formed by the processor of the management server on which it resides reading the corresponding computer program instructions from the nonvolatile memory. From a hardware aspect, fig. 5 shows the hardware structure diagram of the management server; in addition to the processor and the nonvolatile memory shown in fig. 5, the management server may further include other hardware, such as a forwarding chip responsible for processing messages, a network interface, and a memory. In terms of hardware structure, the management server may also be a distributed device and may include a plurality of interface cards, so as to extend message processing at the hardware level.
As shown in fig. 6, a structure of an authentication apparatus according to the present invention includes:
a sending module 11, configured to issue a specified policy to a security device, where the specified policy is used to indicate that the security device allows a specified message to pass through before a terminal device passes authentication, and the specified message includes a registration message and a keep-alive message; a receiving module 12, configured to receive a registration packet from the terminal device before the terminal device passes authentication; an obtaining module 13, configured to obtain a scanning result of the terminal device after the terminal device completes registration, and obtain, according to the scanning result, a vulnerability identification to which a patch needs to be added and patch server information corresponding to the vulnerability identification; the sending module 11 is further configured to send the vulnerability identification and the patch server information to a terminal device, so that the terminal device completes patch updating by using the vulnerability identification and the patch server information; the receiving module 12 is further configured to receive a keep-alive message from the terminal device, where the keep-alive message is used to indicate that the terminal device has completed patch updating; the sending module 11 is further configured to, after the receiving module receives the keep-alive message, issue a policy for starting authentication to the security device, and the security device starts an authentication process.
In one example, the authentication includes 802.1x authentication;
the sending module 11 is specifically configured to send a specified policy to an authentication server in a process of issuing the specified policy to a security device, so that the authentication server issues the specified policy to the security device; the specified policy is further used for indicating that the security device refuses to authenticate the terminal device; in the process of issuing the strategy for starting authentication to the security equipment, sending the strategy for starting authentication to the authentication server so that the authentication server issues the strategy for starting authentication to the security equipment; and the strategy for starting the authentication is used for indicating the security equipment to authenticate the terminal equipment.
The designated message further includes a vulnerability scanning message; the obtaining module 13 is specifically configured to, in the process of obtaining the scanning result of the terminal device, perform vulnerability scanning on the terminal device to obtain the scanning result; or send a scanning command to a scanning server so that the scanning server performs vulnerability scanning on the terminal device to obtain the scanning result, and receive the scanning result returned by the scanning server; the scanning result comprises a vulnerability identification and patch server information corresponding to the vulnerability identification.
In an example, the obtaining module 13 is specifically configured to, in a process of obtaining, according to a scanning result, a vulnerability identification to which a patch needs to be added and patch server information corresponding to the vulnerability identification, send the scanning result to a patch server according to the patch server information in the scanning result, so that the patch server determines whether a patch needs to be added to the vulnerability identification in the scanning result, and if so, determines the vulnerability identification as the vulnerability identification to which the patch needs to be added; and receiving a vulnerability identification needing to be added with the patch and patch server information corresponding to the vulnerability identification returned by the patch server.
In an example, the obtaining module 13 is further configured to, after the receiving module 12 receives a keep-alive message from the terminal device, where the keep-alive message is used to indicate that the terminal device has completed patch updating, and before the sending module 11 issues a policy to start authentication to the security device, obtain a scanning result of the terminal device, and determine whether the vulnerability identifier to which a patch needs to be added has completed patch updating according to the scanning result; if yes, the sending module 11 executes a process of issuing a policy for starting authentication to the security device; if not, the sending module 11 executes a process of sending the vulnerability identification needing to be added with the patch and the patch server information corresponding to the vulnerability identification to the terminal device.
The modules of the device can be integrated into a whole or can be separately deployed. The modules can be combined into one module, and can also be further split into a plurality of sub-modules.
Based on the same inventive concept as the method described above, an embodiment of the present invention provides an authentication system, including: a management server, a security device and a terminal device; wherein:
the management server is configured to issue a designated policy to the security device, where the designated policy instructs the security device to allow designated messages to pass before the terminal device passes authentication, and the designated messages include a registration message and a keep-alive message; before the terminal device passes authentication, receive a registration message from the terminal device, obtain a scanning result of the terminal device after the terminal device completes registration, and obtain, according to the scanning result, a vulnerability identification to which a patch needs to be added and patch server information corresponding to the vulnerability identification; send the vulnerability identification and the patch server information to the terminal device; receive a keep-alive message from the terminal device, where the keep-alive message indicates that the terminal device has completed patch updating, and issue a policy for starting authentication to the security device;
the security device is configured to receive the designated policy and allow the designated messages to pass before the terminal device passes authentication; and to receive the policy for starting authentication and authenticate the terminal device;
and the terminal device is configured to complete patch updating by using the vulnerability identification and the patch server information, and to send to the management server a keep-alive message indicating that the terminal device has completed patch updating.
In one example, the authentication includes 802.1x authentication; the system further comprises an authentication server;
the management server is specifically configured to send a specified policy to an authentication server in a process of issuing the specified policy to the security device, so that the authentication server issues the specified policy to the security device; the specified policy is further used for indicating that the security device refuses to authenticate the terminal device; in the process of issuing the strategy for starting authentication to the security equipment, sending the strategy for starting authentication to an authentication server so that the authentication server issues the strategy for starting authentication to the security equipment; and the strategy for starting the authentication is used for indicating the security equipment to authenticate the terminal equipment.
In one example, the specified message further comprises a vulnerability scanning message; the system may further include a scan server and a patch server; the management server is specifically used for carrying out vulnerability scanning on the terminal equipment in the process of obtaining the scanning result of the terminal equipment so as to obtain the scanning result; or sending a scanning command to the scanning server to enable the scanning server to perform vulnerability scanning on the terminal equipment to obtain a scanning result; receiving a scanning result returned by the scanning server; the scanning result comprises a vulnerability identification and patch server information corresponding to the vulnerability identification.
In an example, the management server is specifically configured to, in a process of obtaining, according to a scanning result, a vulnerability identification to which a patch needs to be added and patch server information corresponding to the vulnerability identification, send the scanning result to a patch server according to the patch server information in the scanning result, so that the patch server determines whether a patch needs to be added to the vulnerability identification in the scanning result, and if so, determines the vulnerability identification as the vulnerability identification to which the patch needs to be added; and receiving a vulnerability identification needing to be added with the patch and patch server information corresponding to the vulnerability identification returned by the patch server.
In an example, the management server is further configured to, after receiving a keep-alive message from the terminal device and indicating that the terminal device has completed patch updating, obtain a scanning result of the terminal device before issuing a policy to start authentication to the security device, and determine whether the vulnerability identifier to which a patch needs to be added has completed patch updating according to the scanning result; if yes, executing the process of issuing the strategy for starting authentication to the security equipment; and if not, continuing to execute the process of sending the vulnerability identification needing to be added with the patch and the patch server information corresponding to the vulnerability identification to the terminal equipment.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present invention may be implemented by software plus a necessary general hardware platform, and certainly may also be implemented by hardware, but in many cases, the former is a better embodiment. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention. Those skilled in the art will appreciate that the drawings are merely schematic representations of one preferred embodiment and that the blocks or flow diagrams in the drawings are not necessarily required to practice the present invention.
Those skilled in the art will appreciate that the modules in the devices in the embodiments may be distributed in the devices in the embodiments according to the description of the embodiments, and may be correspondingly changed in one or more devices different from the embodiments. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules. The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The above disclosure is only for a few specific embodiments of the present invention, but the present invention is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present invention.

Claims (9)

1. An authentication method applied to a management server, the method comprising:
issuing a designated policy to a security device, wherein the designated policy is used for instructing the security device to allow a designated message to pass before a terminal device passes authentication, the designated message comprises a registration message and a keep-alive message, and the authentication comprises 802.1x authentication;
before a terminal device passes authentication, receiving a registration message from the terminal device, acquiring a scanning result of the terminal device after the terminal device finishes registration, and obtaining a vulnerability identification needing to be added with a patch and patch server information corresponding to the vulnerability identification according to the scanning result;
sending the vulnerability identification and the patch server information to the terminal equipment so that the terminal equipment can complete patch updating by using the vulnerability identification and the patch server information;
receiving a keep-alive message from the terminal device, wherein the keep-alive message is used for indicating that the terminal device has completed patch updating, issuing a policy for starting authentication to the security device, and starting an authentication process by the security device;
after receiving the keep-alive message from the terminal device for indicating that the terminal device has completed patch update and before issuing a policy for starting authentication to the security device, the method further includes:
acquiring a scanning result of the terminal equipment, and judging whether the vulnerability identification needing to be added with the patch is updated according to the scanning result; if yes, executing the process of issuing the strategy for starting authentication to the security equipment; and if not, continuing to execute the process of sending the vulnerability identification needing to be added with the patch and the patch server information corresponding to the vulnerability identification to the terminal equipment.
2. The method of claim 1,
the process of issuing the designated policy to the security device specifically includes: sending a specified policy to an authentication server so that the authentication server issues the specified policy to the security device; the specified policy is further used for indicating that the security device refuses to authenticate the terminal device;
the process of issuing the policy for starting authentication to the security device specifically includes: sending a strategy for starting authentication to an authentication server so that the authentication server issues the strategy for starting authentication to the security equipment; and the strategy for starting the authentication is used for indicating the security equipment to authenticate the terminal equipment.
3. The method according to claim 1, wherein the designated packet further includes a vulnerability scanning packet, and the process of obtaining the scanning result of the terminal device specifically includes:
carrying out vulnerability scanning on the terminal device to obtain a scanning result; or,
sending a scanning command to a scanning server to enable the scanning server to carry out vulnerability scanning on the terminal equipment to obtain a scanning result; receiving a scanning result returned by the scanning server;
the scanning result comprises a vulnerability identification and patch server information corresponding to the vulnerability identification.
4. The method according to claim 3, wherein the process of obtaining the vulnerability identification to which the patch needs to be added and the patch server information corresponding to the vulnerability identification according to the scanning result comprises:
sending the scanning result to a patch server according to patch server information in the scanning result so that the patch server judges whether a patch needs to be added to a vulnerability identification in the scanning result, and if so, determining the vulnerability identification as the vulnerability identification needing to be added with the patch; and receiving a vulnerability identification needing to be added with the patch and patch server information corresponding to the vulnerability identification returned by the patch server.
5. An authentication apparatus applied to a management server, the apparatus comprising:
the sending module is used for issuing a designated policy to the security device, wherein the designated policy is used for instructing the security device to allow a designated message to pass before the terminal device passes authentication, the designated message comprises a registration message and a keep-alive message, and the authentication comprises 802.1x authentication;
the receiving module is used for receiving the registration message from the terminal equipment before the terminal equipment passes the authentication;
the acquisition module is used for acquiring a scanning result of the terminal equipment after the terminal equipment finishes registration, and acquiring vulnerability identification needing to be added with a patch and patch server information corresponding to the vulnerability identification according to the scanning result;
the sending module is further configured to send the vulnerability identification and the patch server information to a terminal device, so that the terminal device completes patch updating by using the vulnerability identification and the patch server information;
the receiving module is further configured to receive a keep-alive message from the terminal device, where the keep-alive message is used to indicate that the terminal device has completed patch updating;
the sending module is further configured to obtain a scanning result of the terminal device after the receiving module receives the keep-alive message, and to determine, according to the scanning result, whether the vulnerability identification to which the patch needs to be added has completed patch updating; if so, to issue a strategy for starting authentication to the security equipment, so that the security equipment starts an authentication process; and if not, to continue executing the process of sending the vulnerability identification needing to be added with the patch and the patch server information corresponding to the vulnerability identification to the terminal equipment.
6. The apparatus of claim 5,
the sending module is specifically configured to send a specified policy to an authentication server in a process of issuing the specified policy to a security device, so that the authentication server issues the specified policy to the security device; the specified policy is further used for indicating that the security device refuses to authenticate the terminal device;
in the process of issuing the strategy for starting authentication to the security equipment, sending the strategy for starting authentication to the authentication server so that the authentication server issues the strategy for starting authentication to the security equipment; and the strategy for starting the authentication is used for indicating the security equipment to authenticate the terminal equipment.
7. The apparatus of claim 5,
the designated message further comprises a vulnerability scanning message; the acquisition module is specifically configured, in the process of acquiring the scanning result of the terminal equipment, to perform vulnerability scanning on the terminal equipment to obtain the scanning result; or to send a scanning command to a scanning server so that the scanning server performs vulnerability scanning on the terminal equipment to obtain a scanning result, and to receive the scanning result returned by the scanning server; the scanning result comprises a vulnerability identification and patch server information corresponding to the vulnerability identification.
8. The apparatus of claim 7,
the acquisition module is specifically used for sending the scanning result to a patch server according to patch server information in the scanning result in the process of obtaining the vulnerability identification needing to be added with the patch and the patch server information corresponding to the vulnerability identification according to the scanning result, so that the patch server judges whether the patch needs to be added to the vulnerability identification in the scanning result, and if so, the vulnerability identification is determined as the vulnerability identification needing to be added with the patch; and receiving a vulnerability identification needing to be added with the patch and patch server information corresponding to the vulnerability identification returned by the patch server.
9. An authentication system, the system comprising:
the management server is used for issuing a designated strategy to the security equipment, wherein the designated strategy is used for indicating the security equipment to allow a designated message to pass through before the terminal equipment passes through authentication, the designated message comprises a registration message and a keep-alive message, and the authentication comprises 802.1x authentication; before the terminal equipment passes the authentication, receiving a registration message from the terminal equipment, acquiring a scanning result of the terminal equipment after the terminal equipment finishes the registration, and obtaining a vulnerability identification needing to be added with a patch and patch server information corresponding to the vulnerability identification according to the scanning result; sending the vulnerability identification and the patch server information to terminal equipment; receiving a keep-alive message from the terminal equipment, wherein the keep-alive message is used for indicating that the terminal equipment completes patch updating, acquiring a scanning result of the terminal equipment, and judging whether the vulnerability identification needing to be added with the patch completes patch updating according to the scanning result; if yes, issuing a strategy for starting authentication to the security equipment; if not, continuing to execute the process of sending the vulnerability identification needing to be added with the patch and the patch server information corresponding to the vulnerability identification to the terminal equipment;
the security equipment is used for receiving the designated strategy and allowing the designated message to pass before the terminal equipment passes authentication; and for receiving the strategy for starting authentication and authenticating the terminal equipment;
and the terminal equipment is used for completing patch updating by utilizing the vulnerability identification and the patch server information and sending a keep-alive message for indicating that the terminal equipment completes the patch updating to a management server.
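The management-server flow of claims 5 and 9, sketched as an added Python example that is not part of the patent text: the security device passes only registration and keep-alive messages, and authentication is started only once a re-scan confirms the required patches. All class and function names, the vulnerability IDs and patch-server hosts used to exercise it, and the `max_rounds` retry cap are assumptions for illustration.

```python
# Added illustration of the claimed flow; every name and value is hypothetical.
PRE_AUTH_ALLOWED = {"registration", "keep-alive"}  # the "designated messages"

class SecurityDevice:
    def __init__(self):
        self.allowed, self.auth_enabled = set(), False

    def apply_designated_policy(self, allowed):
        # Before authentication: pass only designated messages, refuse auth.
        self.allowed, self.auth_enabled = set(allowed), False

    def permits_pre_auth(self, msg_type):
        return msg_type in self.allowed

    def start_authentication(self):
        self.auth_enabled = True  # 802.1x may now begin

class Terminal:
    def __init__(self, vulns, flaky=()):
        self.vulns = dict(vulns)  # vulnerability id -> patch server info
        self.flaky = set(flaky)   # constructed: patches that fail once

    def update(self, pending):
        for vuln_id in pending:
            if vuln_id in self.flaky:
                self.flaky.discard(vuln_id)  # fails now, succeeds next round
            else:
                self.vulns.pop(vuln_id, None)
        return "keep-alive"  # reports that patch updating completed

def scan(terminal):
    return dict(terminal.vulns)  # scan result: id -> patch server info

def admit(terminal, device, needs_patch, max_rounds=5):
    """Return (patch rounds used, whether authentication was started)."""
    device.apply_designated_policy(PRE_AUTH_ALLOWED)
    pending = {v: s for v, s in scan(terminal).items() if v in needs_patch}
    rounds = 0
    while pending:
        if rounds == max_rounds:  # assumption: the claims set no retry cap
            return rounds, False
        msg = terminal.update(pending)
        if not device.permits_pre_auth(msg):
            return rounds, False
        rounds += 1
        rescanned = scan(terminal)  # trust the re-scan, not the keep-alive
        pending = {v: s for v, s in pending.items() if v in rescanned}
    device.start_authentication()
    return rounds, True
```

The keep-alive only triggers the re-scan; the decision to start authentication rests on the scan result, so a terminal that reports success without having patched stays in the pre-authentication state.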
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201610531912.0A | 2016-06-30 | 2016-06-30 | Authentication method, device and system (Active, CN105915565B (en))

Publications (2)

Publication Number | Publication Date
CN105915565A (en) | 2016-08-31
CN105915565B (en) | 2020-11-17

Family

ID=56754444

Country Status (1)

Country Link
CN (1) CN105915565B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant