CN105978844A - Network access control method, router and system based on router - Google Patents

Info

Publication number: CN105978844A
Authority: CN (China)
Prior art keywords: described, network, monitoring, router, data message
Application number: CN201510305623.4A
Other languages: Chinese (zh)
Inventor: 张国良
Original Assignee: 乐视致新电子科技(天津)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 乐视致新电子科技(天津)有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Abstract

The embodiments of the invention provide a router-based network access control method, router and system. On the router side, the method comprises: receiving the monitoring content issued by a server and configuring the router's own network monitoring information according to that monitoring content; when a monitored device is detected, examining the message data of the monitored device according to the network monitoring information; when the detection result is "not passed", discarding the data message so as to forbid the monitored device from accessing the web page corresponding to the data message; and when the detection result is "passed", sending the data message to the network. The router can thus control the network access of the monitored device, discarding data messages that access invalid data such as undesirable websites, which protects the safety of the device while preventing the waste of data resources.

Description

Router-based network access control method, router and system

Technical field

The present invention relates to the field of communication technology, and in particular to a router-based network access control method, a router, and a network access control system.

Background technology

A router connects multiple logically separate networks, where a logical network represents a single network or a subnet. When data is transferred from one subnet to another, the transfer is completed by the routing function of the router. A router therefore has the functions of determining the network address and selecting the IP path; it can establish connections flexibly in a multi-network interconnection environment, can connect various subnets that use different packet formats and media access methods, and belongs to the class of interworking devices at the network layer. User equipment can therefore connect to the Internet through a router.

However, while today's networks provide users with all kinds of resources, they are also flooded with a great deal of undesirable information, such as websites with violent or pornographic content, and a user who connects to the network through a router may access websites carrying such content. Accessing undesirable websites not only wastes data resources; the website may also carry malicious content such as viruses that endanger the safety of the user equipment.

Summary of the invention

The technical problem to be solved by the embodiments of the present invention is to provide a router-based network access control method that controls which websites may be accessed.

Accordingly, the embodiments of the present invention also provide a router and a network access control system that ensure the implementation and application of the above method.

To solve the above problem, an embodiment of the invention discloses a router-based network access control method, characterised in that, on the router side, it comprises: receiving the monitoring content issued by a server and configuring the router's own network monitoring information according to the monitoring content; when a monitored device is detected, examining the message data of the monitored device according to the network monitoring information; when the detection result is "not passed", discarding the data message so as to forbid the monitored device from accessing the web page corresponding to the data message; and when the detection result is "passed", sending the data message to the network.

An embodiment of the invention also discloses a router, comprising: a receiving and configuration module, for receiving the monitoring content issued by a server and configuring the router's own network monitoring information according to the monitoring content; a message detection module, for examining the message data of a monitored device according to the network monitoring information when a monitored device is detected; and an access control module, for discarding the data message when the detection result is "not passed", so as to forbid the monitored device from accessing the web page corresponding to the data message, and for sending the data message to the network when the detection result is "passed".

Compared with the prior art, the router-based network access control method, router and system of the embodiments of the present invention have the following advantages:

The router configures its network monitoring information from the monitoring content issued by the server and thereby determines which data message information is to be monitored. After a monitored device sends a data message to the router, the router examines the message data of the monitored device according to the network monitoring information. When the detection result is "not passed", the data message is determined to contain illegal content and is discarded so as to forbid the monitored device from accessing the web page corresponding to the data message; when the detection result is "passed", the data message is determined to be legitimate data and is sent to the network. The router can thus control the network access of the monitored device, discarding data messages that access invalid data such as undesirable websites, which prevents the waste of data resources and protects the safety of the device at the same time.

Brief description of the drawings

In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings required for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.

Fig. 1 is a flow chart of the steps of an embodiment of a router-based network access control method of the present invention;

Fig. 2 is a flow chart of the router configuration steps in another embodiment of a router-based network access control method of the present invention;

Fig. 3 is a flow chart of the access control steps in another embodiment of a router-based network access control method of the present invention;

Fig. 4 is an interaction diagram of an access control system according to an embodiment of the present invention;

Fig. 5 is a structural block diagram of a router embodiment of the present invention;

Fig. 6 is a structural block diagram of another router embodiment of the present invention;

Fig. 7 is a structural block diagram of a network access control system embodiment of the present invention.

Detailed description of the invention

To make the purpose, technical solution and advantages of the embodiments of the present invention clearer, the technical solution in the embodiments is described clearly and completely below in conjunction with the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

One of the core ideas of the embodiments of the present invention is a router-based network access control method, router and system that control which websites may be accessed. The router configures its network monitoring information from the monitoring content issued by the server and thereby determines which data message information is to be monitored. After a monitored device sends a data message to the router, the router examines the message data of the monitored device according to the network monitoring information. When the detection result is "not passed", the data message is determined to contain illegal content and is discarded so as to forbid the monitored device from accessing the web page corresponding to the data message; when the detection result is "passed", the data message is determined to be legitimate data and is sent to the network. The router can thus control the network access of the monitored device, discarding data messages that access invalid data such as undesirable websites, which prevents the waste of data resources and protects the safety of the device at the same time.

Embodiment one

Referring to Fig. 1, which shows a flow chart of the steps of an embodiment of a router-based network access control method of the present invention, the method may specifically comprise the following steps:

Step 102: receive the monitoring content issued by the server and configure the router's own network monitoring information according to the monitoring content.

In this embodiment, in order to monitor the network addresses that the user accesses through the router, the server configures the network access control rules of the router, thereby controlling the data messages of the devices connected to the router.

The server determines the monitoring content by means such as data analysis; the monitoring content is the information that the server, through data analysis, has determined should be monitored in network access data. The server issues the monitoring content to the router, and the router configures the corresponding network monitoring information according to it; the router uses this network monitoring information to monitor the data messages of the connected devices.

In the embodiments of the present invention, the various devices that a user uses to connect to the network are collectively called user equipment; i.e. user equipment includes all computing devices that can connect to the network, such as computers and mobile devices like tablets and mobile phones. User equipment that connects to the network through the router is called a LAN device, and equipment that does not connect to the network directly through the router is called an extranet device. For example, when a mobile phone connects to the Internet through a communication network such as 3G or 4G, the phone is an extranet device; when a mobile device such as a phone turns on WiFi (Wireless Fidelity), connects to the router and then to the network, the phone is a LAN device.

In this embodiment, the router serves as the monitoring device for network access control, and the devices that need monitoring are chosen from among the LAN devices as monitored devices; i.e. the monitored devices are all or some of the LAN devices.

Step 104: when a monitored device is detected, examine the message data of the monitored device according to the network monitoring information.

When a user connects to the router with a LAN device to access the network, the router monitors the LAN devices that have joined. When it detects that the device currently sending a data message is a monitored device, it examines the message data of the monitored device according to the network monitoring information and processes the message data according to the detection result. A legitimate data message corresponds to the detection result "passed"; an illegitimate data message corresponds to the detection result "not passed".

Step 106: discard the data message.

When the detection result is "not passed", the data message is characterised as illegitimate, i.e. it requests network data whose access is forbidden. The router discards the data message so as to forbid the monitored device (i.e. the monitored LAN device) from accessing the web page corresponding to the data message.

Invalid data such as undesirable websites can therefore be configured in the network monitoring information so that requests for invalid data are blocked on the router side. This not only saves data resources but also prevents malicious content such as viruses on the websites corresponding to that invalid data from affecting the safety of the LAN devices.

Step 108: send the data message to the network.

When the detection result is "passed", the data message is characterised as containing no illegal content; the router forwards the data message to the network normally, the data message is sent to the requested web page normally, and the monitored device can access the corresponding web page normally.

In summary, the router configures its network monitoring information from the monitoring content issued by the server and thereby determines which data message information is to be monitored. After a monitored device sends a data message to the router, the router examines the message data of the monitored device according to the network monitoring information. When the detection result is "not passed", the data message is determined to contain illegal content and is discarded so as to forbid the monitored device from accessing the web page corresponding to the data message; when the detection result is "passed", the data message is determined to be legitimate data and is sent to the network. The router can thus control the network access of the monitored device, discarding data messages that access invalid data such as undesirable websites, which prevents the waste of data resources and protects the safety of the device at the same time.

Embodiment two

On the basis of the above embodiment, this embodiment discusses the router-based network browsing control method in detail.

Before the router can control the access of LAN devices, the monitoring content must first be configured in the router; the router then monitors the LAN devices that have joined.

1. Router configuration

Referring to Fig. 2, which shows a flow chart of the router configuration steps in another embodiment of the router-based network access control method of the present invention, the configuration may specifically comprise the following steps:

Step 202: collect the device information of each LAN device that has joined the router and generate a LAN device list.

Once a LAN device has joined the router it can connect to the network through the router, and the router can collect the device information of the LAN devices that have joined and generate a corresponding LAN device list. This LAN device list records the device information of the LAN devices that have joined the router, such as the device name, model, identifier, MAC (Media Access Control) address and join time.

Step 204: present the device information in the LAN device list to the user so that the user can select the devices to be monitored.

Step 206: determine the monitored devices according to the user's instruction information, obtain the device information of the monitored devices from the LAN device list, and add it to the watch list.

The user specifies the devices to be monitored, for example a parent who wants to monitor a child's device, and sets the monitored devices by interacting with the router through a device. The user can set the monitored devices in the LAN formed by the router either through the router's management page, i.e. its web page, or through the APP (application) of a mobile device.

A. Setting through the web page

The user connects to the router with a LAN device and opens the router's web page. The web page presents the device information from the LAN device list collected by the router, and the different LAN devices are identified by device information such as at least one of the device name, device model and device MAC address. On the web page the user can select the devices to be monitored, such as a child's device in the home, e.g. an iPad, and after the selection an instruction message is sent that carries the device identifiers of the selected devices. The LAN devices selected by the user are determined from these identifiers and set as monitored devices, and the device information of the monitored devices, such as the device name and MAC address, is added to the watch list.

B. Setting through the mobile device APP page

Since a mobile device such as a mobile phone can connect to the Internet either through the router or through a communication network, the monitored devices can be set in the APP in one of two ways: the mobile device acts as a LAN device and sets the monitored devices through the APP page, or the mobile device acts as an extranet device and sets the monitored devices through the APP page. The APP is an application installed on the mobile phone that controls the functions of the router.

When the mobile device acts as a LAN device, it connects to the Internet through the router. After the APP is started on the mobile device and the router's monitoring settings page is opened, that page presents the device information from the LAN device list collected by the router; it will be understood that in this case the LAN device list contains the device information of this mobile device itself. On the page the different LAN devices are identified by device information such as at least one of the device name, device model and device MAC address. The user can select the devices to be monitored on the page and, after the selection, an instruction message carrying the device identifiers of the selected devices is sent. The LAN devices selected by the user are determined from these identifiers and set as monitored devices, and their device information, such as the device name and MAC address, is added to the watch list.

When the mobile device acts as an extranet device, it connects to the Internet through a communication network such as 2G, 3G or 4G. After the APP is started on the mobile device, the phone communicates with the router through the cloud server. After the router's monitoring settings page is opened, the page presents the device information from the LAN device list collected by the router; it will be understood that in this case the LAN device list may not contain the device information of this mobile device, although if the device has previously connected to the Internet through this router, the LAN device list may contain its device information. On the page the different LAN devices are identified by device information such as at least one of the device name, device model and device MAC address. The user can select the devices to be monitored on the APP's settings page and, after the selection, an instruction message carrying the device identifiers of the selected devices is sent. The LAN devices selected by the user are determined from these identifiers and set as monitored devices, and their device information, such as the device name and MAC address, is added to the watch list.

Step 208: receive the monitoring content issued by the server.

Before the router controls the access of LAN devices, it can receive the monitoring content issued by the server and configure the router's network monitoring information according to that monitoring content.

In an optional embodiment of the present invention, the router receives updated monitoring content from the server and updates the network monitoring information according to the updated monitoring content.

In this embodiment, the server can also obtain the data messages fed back from the router and collect information such as network data in the network, and update the monitoring content by analysing this information against the configured rules. For example, after the data messages and the collected web page information are transferred over the Internet to the platform's data server, the big-data intelligence centre of the cloud platform can analyse the data messages to determine the corresponding data frame information, form updated Internet-use rules and generate the corresponding monitoring content, and send the updated monitoring content to the router to update the router's network monitoring information.

Step 210: obtain the website data to be monitored from the monitoring content.

Step 212: configure the website data to be monitored in the firewall list of the router, and use the firewall list as network monitoring information.

In the embodiments of the present invention, the monitoring content includes at least one of the following: website data to be monitored, time data, and message recognition rules; the corresponding monitoring items can be configured from the monitoring content.

The website data to be monitored is the website data of websites whose access is forbidden, such as an IP address or the root domain name of a website. The website data to be monitored is obtained from the monitoring content and configured into the firewall list of the router, i.e. its iptables table; the firewall list then serves as one part of the network monitoring information and is used subsequently to monitor the monitored devices.

For example, if the website data to be monitored includes the IP address 1.1.0.0 and the website at that address is assumed to be an illegal violent website, then the IP address 1.1.0.0 can be set in the router's iptables table.

Step 214: obtain the time data from the monitoring content.

Step 216: configure the monitoring period of the network monitoring information according to the time data.

The time data is the data used to monitor the times at which the network is accessed, for example a setting that forbids network access from Monday to Saturday, or a setting that forbids network access outside 18:00 to 20:00 every day. The time data is obtained from the monitoring content and the monitoring period of the network monitoring information is configured from it. The monitoring period can be configured either as the time during which network access is forbidden or as the time during which network access is allowed, according to actual requirements; the embodiments of the present invention do not limit this.

Step 218: obtain the message recognition rules from the monitoring content.

Step 220: store the message recognition rules in the router's local cache as network monitoring information.

The message recognition rules are the rules the router applies to recognise messages during network access control. The message recognition rules are obtained from the monitoring content, used as network monitoring information, and stored in the router's local cache.

Thus the router configures the monitored devices from the collected LAN device list and configures the network monitoring information from the issued monitoring content; the network address, the time and the accessed content can each be configured separately, generating accurate network monitoring information and providing more accurate access control.
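The configuration steps above (202 to 220) turn server-issued monitoring content into a watch list, a firewall list and a monitoring period. The following added Python example, which is not code from the patent, shows one way a Linux-based router could validate that content and render it as iptables rules, using the `mac` and `time` match modules. The monitoring content, the MAC address and the time window are constructed sample values, and root-domain entries are separated out because iptables matches addresses, not names.

```python
"""Translate server-issued monitoring content into router firewall rules.

Added example for steps 202-220 (Fig. 2); not the patent's own code. Assumes a
Linux router running iptables with the 'mac' and 'time' match modules. All
sample values below are constructed.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")
HHMM_RE = re.compile(r"([01]\d|2[0-3]):[0-5]\d")


def parse_monitoring_content(content: dict) -> dict:
    """Validate the monitoring items the text names (website data, time data,
    watch list). Malformed entries raise instead of becoming rules, since the
    content arrives from a remote server and feeds a privileged configuration."""
    ips, domains = [], []
    for item in content.get("websites", []):
        try:
            ips.append(str(ipaddress.ip_address(item)))
        except ValueError:
            # Not an address: keep it as a root domain for name-level blocking
            # (e.g. at the resolver); iptables itself matches addresses.
            if DOMAIN_RE.fullmatch(item.lower()):
                domains.append(item.lower())
            else:
                raise ValueError(f"bad website entry: {item!r}")
    macs = []
    for mac in content.get("watch_list", []):
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC address: {mac!r}")
        macs.append(mac)
    window = content.get("time")
    if window is not None:
        for t in (window["start"], window["stop"]):
            if not HHMM_RE.fullmatch(t):
                raise ValueError(f"bad time: {t!r}")
    return {"ips": ips, "domains": domains, "macs": macs, "time": window}


def build_iptables_rules(parsed: dict, chain: str = "FORWARD") -> list:
    """Emit rules per monitored MAC. Address DROPs come first so that an
    'allowed window' ACCEPT cannot override the firewall list. The window may
    mean 'forbidden' or 'allowed' time, which the text leaves configurable."""
    rules = []
    win = parsed["time"]
    for mac in parsed["macs"]:
        src = f"-m mac --mac-source {mac}"
        # Step 212: website data becomes per-destination DROP rules.
        for ip in parsed["ips"]:
            rules.append(f"iptables -A {chain} {src} -d {ip} -j DROP")
        # Step 216: time data becomes a time-matched rule; --kerneltz makes the
        # window use the router's local timezone rather than UTC.
        if win:
            tm = f"-m time --timestart {win['start']} --timestop {win['stop']} --kerneltz"
            if win.get("forbids", True):
                rules.append(f"iptables -A {chain} {src} {tm} -j DROP")
            else:
                rules.append(f"iptables -A {chain} {src} {tm} -j ACCEPT")
                rules.append(f"iptables -A {chain} {src} -j DROP")
    return rules


# Constructed sample monitoring content, shaped as a server might issue it;
# 1.1.0.0 is the address used as the example in the text.
SAMPLE_CONTENT = {
    "websites": ["1.1.0.0", "Example.com"],
    "watch_list": ["AA:BB:CC:DD:EE:01"],
    "time": {"start": "18:00", "stop": "20:00", "forbids": False},
}

if __name__ == "__main__":
    parsed = parse_monitoring_content(SAMPLE_CONTENT)
    for rule in build_iptables_rules(parsed):
        print(rule)
    print("# domains for resolver-level blocking:", parsed["domains"])
```

Running the script prints the rule lines rather than applying them, so the output can be reviewed (or diffed against the running rule set) before it touches the router's firewall.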

2, control is accessed

With reference to Fig. 3, it is shown that the another kind method for network access control based on router of the present invention is implemented Example accesses the flow chart of steps of control, specifically may include steps of:

Step 302, receives data message.

Step 304, determines the lan device sending message according to described data message.

Step 306, detects whether described lan device is the monitored device in watch-list.

User uses lan device router access to be passed through network, needs first to send the datagram of request Router given in literary composition, if data message is TCP/IP (Transmission Control Protocol/Internet Protocol, transmission control protocol/Internet Protocol) message, this data message is analyzed really Surely send the MAC Address of the lan device of this message, search watch-list based on this MAC Address In, determine whether this MAC Address is the MAC Address of monitored device in watch-list.

If the MAC Address of monitored device in watch-list, then perform step 308.If not prison In control list, the MAC Address of monitored device, performs step 314.

Step 308, obtains current temporal information, detects whether described temporal information is positioned at monitoring period In.

Needing to be controlled access for monitored device, the time accessing network is controlled by the first System.Obtain current temporal information and i.e. access the time of network, when monitoring period is configured to forbid accessing net During time of network, detect whether described temporal information is positioned at monitoring period.If being positioned at monitoring period, Perform step 316;If not being positioned at monitoring period to perform step 310.

Certainly, if monitoring period is configured to the time allowing to access network, then the described time can be detected Whether information is positioned at outside monitoring period.I.e. forbidding that the time accessing network abandons network message, do not allowing Monitored device accesses network.

Such as, the time outside 18 o'clock to 20 o'clock every day forbids accessing network, if current temporal information Not 21 point, then abandon network message and forbid accessing network, if current temporal information is 19 points, be then Allow to access the time of network.

Whether step 310, detect and ask the network address that accesses in the message data of described monitored device In fire wall list.

In addition to the access time is controlled, it is also possible to network of network address is controlled, i.e. If current temporal information does not allows to access the time of network, then detect the message number of described monitored device According to the middle network address asking to access whether in fire wall list.

Fire wall list is configured with the website data forbidding accessing, it is thus determined that request is visited in message data Whether the network address asked is in fire wall list, if in fire wall list, performs step 316, if In fire wall list, do not perform step 312.If certainly data message not being identified, then judging Step 314 can be directly performed after asking the network address accessed not in fire wall list.

Such as, the network address that request accesses is 1.1.0.0, determines its Iptable at router by detection In table, then dropping packets conducts interviews this network address.

Step 312, determines whether to be capable of identify that described data according to the message recognition rule in local cache Message.

In the embodiment of the present invention, NS software also includes the identification to data message, i.e. when not allowing Access the time of network, and when message data being asked the network address accessed not in fire wall list, Still can continue according to the message recognition rule in local cache, data message to be identified, determine energy Enough identify this data message.

If being capable of identify that data message, perform step 314;If data message can not be identified, perform step 318。

Step 314, is sent to network by described data message.

When the lan device sent datagram is not monitored device, it is not necessary to data message is examined The external networks such as survey, directly can be sent to network by data message, the Internet that i.e. router connects.

Do not allow to access the time of network in current temporal information, message data is asked the network accessed Data message, not in fire wall list, directly can be sent to network so that monitored device by address It is able to access that the webpage of this data message corresponding requests.

Or, not allowing to access the time of network in current temporal information, in message data, request accesses The network address not in fire wall list, and be capable of identify that according to the message recognition rule in local cache During data message, the data message characterizing request is valid data, can be directly sent to by data message Network so that monitored device is able to access that the webpage of this data message corresponding requests.

Step 316, abandons described data message.

When current temporal information is the time forbidding accessing network, abandons network message, forbid this quilt Monitoring device accesses network.

Do not allow to access the time of network in current temporal information, but message data is asked the net accessed Network address is in fire wall list, and the network address characterizing message data request access comprises invalid data, Abandon network message, forbid that this monitored device accesses network.

Step 318, replicates described data message, and the data message of duplication is uploaded to server.

Do not allow to access the time of network in current temporal information, message data is asked the network accessed Address not in fire wall list, but according to the message recognition rule None-identified data in local cache During message, characterize the data that data message is nonrecognition of request, replicate described data message, will replicate Data message be uploaded to server.Subsequent server can be analyzed according to this packet, determines this Message data is the most legal, thus determines post-treatment operations based on whether legal analysis result, such as Analysis determines that data message is invalid data, then can be as monitoring content follow-up renewal network monitoring Information.

In this way the LAN devices that have connected are monitored through the watch list, the data messages of monitored devices are checked against the network monitoring information configured on the router, and each data message is examined comprehensively in terms of time, requested network address and message content, so that the access of monitored devices is controlled more accurately.

It can be understood that the embodiments of the present invention are not limited by the described sequence of actions; some steps may be performed in other orders or simultaneously. For example, step 312 need not be performed at all, or step 312 may be performed before step 308. Those skilled in the art therefore know that the embodiments described in this specification are preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.
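As an added illustration (not the patent's own code), the following Python puts steps 312 to 318 together in the order the description gives them: the time check, the firewall-list check and the recognition-rule check, with the three detection results (passed, not passed, unrecognized) mapped onto the router's actions. The packet layout, the sample configuration, the suffix matching of domains against the firewall list and the choice to forward the original while uploading a copy of an unrecognized message are assumptions of this example.

```python
import re
from datetime import time

# Detection results recorded by the router (names constructed for this example).
PASSED, NOT_PASSED, UNRECOGNIZED = "passed", "not_passed", "unrecognized"


class NetworkMonitoringInfo:
    """Network monitoring information configured on the router: the firewall
    list of blocked addresses, the monitoring period (time windows in which
    access is forbidden) and the message recognition rules in local cache."""

    def __init__(self, firewall_list, forbidden_windows, recognition_rules):
        self.firewall_list = {a.lower() for a in firewall_list}
        self.forbidden_windows = list(forbidden_windows)  # [(start, end), ...]
        self.recognition_rules = [re.compile(r) for r in recognition_rules]

    def in_monitoring_period(self, now):
        """True when `now` lies in a window during which access is forbidden.
        Windows that cross midnight (22:00-06:00) are handled as well."""
        for start, end in self.forbidden_windows:
            if start <= end:
                if start <= now < end:
                    return True
            elif now >= start or now < end:
                return True
        return False

    def address_blocked(self, host):
        """Exact or parent-domain match against the firewall list
        (suffix matching is an assumption of this example)."""
        host = host.lower().rstrip(".")
        return any(host == b or host.endswith("." + b) for b in self.firewall_list)

    def recognizes(self, payload):
        """True when at least one cached recognition rule identifies the message."""
        text = payload.decode("utf-8", errors="replace")
        return any(rule.search(text) for rule in self.recognition_rules)


def detect(packet, info, now):
    """Steps 312-318 in order: time, then requested address, then content.
    Returns the recorded detection result."""
    if info.in_monitoring_period(now):
        return NOT_PASSED                      # step 316: forbidden time
    if info.address_blocked(packet["dst_host"]):
        return NOT_PASSED                      # step 316: address on firewall list
    if info.recognizes(packet["payload"]):
        return PASSED                          # step 314: legitimate, forward
    return UNRECOGNIZED                        # step 318: copy to the server


def access_control(packet, info, now):
    """Maps the detection result onto the router's actions. An unrecognized
    message is forwarded and a copy is uploaded, which is how the duplication
    in step 318 is read in this example (assumption)."""
    result = detect(packet, info, now)
    return {
        "result": result,
        "forward": result in (PASSED, UNRECOGNIZED),
        "upload_copy": result == UNRECOGNIZED,
    }


# Constructed sample configuration, packets and clock values (not from the patent).
SAMPLE_INFO = NetworkMonitoringInfo(
    firewall_list=["bad.example"],
    forbidden_windows=[(time(22, 0), time(6, 0))],
    recognition_rules=[r"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"],
)
DAYTIME, NIGHT, EARLY, SIX = time(14, 0), time(23, 30), time(5, 59), time(6, 0)
HTTP_GET = {"dst_host": "news.example",
            "payload": b"GET /index.html HTTP/1.1\r\nHost: news.example\r\n\r\n"}
BLOCKED_GET = {"dst_host": "www.bad.example",
               "payload": b"GET / HTTP/1.1\r\nHost: www.bad.example\r\n\r\n"}
UNKNOWN_BIN = {"dst_host": "news.example",
               "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"}

if __name__ == "__main__":
    for name, pkt, now in [("http_day", HTTP_GET, DAYTIME),
                           ("http_night", HTTP_GET, NIGHT),
                           ("blocked", BLOCKED_GET, DAYTIME),
                           ("unknown", UNKNOWN_BIN, DAYTIME)]:
        print(name, access_control(pkt, SAMPLE_INFO, now))
```

The order matters for the result that gets recorded: a request made during the monitoring period is dropped before its address or content is looked at, and only a message that survives both the time and the firewall-list checks can end up as "unrecognized" and be copied to the server.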

In an embodiment of the present invention, an interaction diagram of an access control system is shown in Figure 4. The access control system includes user equipment, a router, a cloud platform server and an external network. The user equipment includes LAN devices and external-network devices.

After user equipment connects to the router it is determined to be a LAN device, and thereafter it sends TCP/IP messages to the router. A data stream monitoring process in the router checks whether the source MAC of the TCP/IP message is in the monitored device list. When the source MAC is found in the monitored device list, the data message is handed to a security detection process; otherwise, that is, when the source MAC is not in the monitored device list, the LAN device corresponding to the data message is a non-monitored device and the data message is forwarded directly to the external network, such as the Internet.

The security detection process analyzes the data message according to the configured network monitoring information, including the time of network access (i.e. the online time), the requested network address (i.e. the destination IP) and the message recognition rules in the local cache. If the message passes the analysis against the network monitoring information, the router forwards the TCP/IP message to the Internet; if the analysis determines that the TCP/IP message is illegal data, the monitored device is forbidden from accessing the network and the security detection process discards the message directly; if the analysis determines that the data of the TCP/IP message cannot be identified, a copy of the TCP/IP message is made and transmitted over the Internet to the data server of the cloud platform.

Subsequently, a big-data intelligence center analyzes the data frames of the TCP/IP message, forms new online rules, i.e. updated monitoring content, and issues the updated monitoring content to the router; the security monitoring process of the router updates the network monitoring information based on this monitoring content.
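The configuration and device-selection side of the exchange in Figure 4, as an added example rather than code from the patent: the router receives monitoring content from the server and turns it into a firewall list, a monitoring period and a cached rule set, ignores content it has already applied, builds the LAN device list from which the user picks monitored devices, and dispatches each incoming message by its source MAC to either security detection or direct forwarding. The JSON layout, the version counter and the method names are constructed for this example.

```python
import json
from datetime import time

# Constructed samples of monitoring content as a server might issue it. The
# field names and the version counter are assumptions of this example.
MONITORING_CONTENT_V7 = json.dumps({
    "version": 7,
    "sites": ["bad.example", "tracker.example"],
    "forbidden_windows": [["22:00", "06:00"]],
    "recognition_rules": [r"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"],
})
MONITORING_CONTENT_V8 = json.dumps({
    "version": 8,
    "sites": ["bad.example", "tracker.example", "phish.example"],
    "forbidden_windows": [["22:00", "06:00"]],
    "recognition_rules": [r"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"],
})


def _parse_clock(text):
    """'HH:MM' -> datetime.time"""
    hour, minute = text.split(":")
    return time(int(hour), int(minute))


class Router:
    def __init__(self):
        # network monitoring information (receiving and configuring module)
        self.firewall_list = set()
        self.monitoring_period = []     # [(start, end), ...] forbidden windows
        self.rule_cache = []            # message recognition rules, local cache
        self.content_version = 0
        # device bookkeeping (monitored device configuration module)
        self.lan_devices = {}           # mac -> device name
        self.watch_list = set()         # MACs of monitored devices

    def receive_monitoring_content(self, content_json):
        """Configure (or update) the network monitoring information from the
        monitoring content issued by the server. Returns True when applied."""
        content = json.loads(content_json)
        if content["version"] <= self.content_version:
            return False                # already applied or older; keep current config
        self.firewall_list = {s.lower() for s in content["sites"]}
        self.monitoring_period = [(_parse_clock(a), _parse_clock(b))
                                  for a, b in content["forbidden_windows"]]
        self.rule_cache = list(content["recognition_rules"])
        self.content_version = content["version"]
        return True

    def register_lan_device(self, mac, name):
        """Collect device information of a LAN device that connected."""
        self.lan_devices[mac.lower()] = name

    def lan_device_list(self):
        """The LAN device list fed back to the user for selection."""
        return [{"mac": m, "name": n} for m, n in sorted(self.lan_devices.items())]

    def select_monitored(self, macs):
        """Add the user-selected devices to the watch list. Unknown MACs are
        ignored; the MACs actually added are returned."""
        added = []
        for mac in macs:
            mac = mac.lower()
            if mac in self.lan_devices and mac not in self.watch_list:
                self.watch_list.add(mac)
                added.append(mac)
        return added

    def dispatch(self, src_mac):
        """Data stream monitoring: messages from monitored sources go to
        security detection, all other LAN devices are forwarded directly."""
        return "inspect" if src_mac.lower() in self.watch_list else "forward"


if __name__ == "__main__":
    r = Router()
    r.receive_monitoring_content(MONITORING_CONTENT_V7)
    r.register_lan_device("aa:bb:cc:dd:ee:01", "tablet")
    r.register_lan_device("aa:bb:cc:dd:ee:02", "laptop")
    r.select_monitored(["aa:bb:cc:dd:ee:01"])
    print(r.lan_device_list(), r.dispatch("aa:bb:cc:dd:ee:01"), r.dispatch("aa:bb:cc:dd:ee:02"))
```

Because the watch list is keyed on the source MAC the device itself reports, the router can only distinguish monitored from non-monitored devices as well as it can trust that address; the patent's description relies on the same identification, so the watch-list check is a device-selection mechanism rather than a security boundary on its own.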

In an embodiment of the present invention, the data stream of the data messages that need monitoring is intercepted on the router side by network flow analysis and analyzed by a process built into the router, and it can be forwarded to the cloud platform server to be matched against a security database. Once an illegal data stream is found, the router can automatically block the data connection between that device and the illegal website.

In this embodiment, the network monitoring information of the router is configured automatically from the monitoring content issued by the server. The user does not need to understand complex network security protocols, the configuration is simple, and the user only needs to indicate the LAN devices to be monitored; the rest of the device access control is achieved automatically by the cloud platform server and the router configuration.

This embodiment places a large amount of the logic processing, such as the data analysis that determines the monitoring content, on the server side, which reduces the hardware cost of the router and allows a lower CPU configuration for the router.

Further, the server side continuously analyzes data and continuously updates its security database and monitoring content, so that the network monitoring information configured on the router is also continuously updated; network access is thus controlled accurately and made more secure.

It should be noted that the method embodiments are expressed as a series of combined actions for brevity of description, but those skilled in the art should know that the embodiments of the present invention are not limited by the described sequence of actions, because according to the embodiments some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in this specification are preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.

Embodiment three

On the basis of the above embodiments, this embodiment also provides a router.

Referring to Figure 5, a structural block diagram of a router embodiment of the present invention is shown, which may specifically include the following modules:

A receiving and configuring module 502, for receiving the monitoring content issued by the server and configuring the router's own network monitoring information according to the monitoring content.

A packet detection module 504, for detecting the message data of a monitored device according to the network monitoring information when the monitored device is detected.

An access control module 506, for discarding the data message when the detection result is "not passed", so as to forbid the monitored device from accessing the web page corresponding to the data message, and for sending the data message to the network when the detection result is "passed".

In summary, the router configures network monitoring information based on the monitoring content issued by the server and thereby determines the data message information to be monitored. After a monitored device sends a data message to the router, the router detects the message data of the monitored device according to the network monitoring information. When the detection result is "not passed", the data message is determined to have illegal content and is discarded so as to forbid the monitored device from accessing the corresponding web page; when the detection result is "passed", the data message is determined to be legitimate data and is sent to the network. The router can thus control the network access of monitored devices and discard data messages that access illegal data such as objectionable websites, preventing the waste of data resources while protecting device security.

Referring to Figure 6, a structural block diagram of another router embodiment of the present invention is shown, which may specifically include the following modules:

A receiving and configuring module 602, for receiving the monitoring content issued by the server and configuring the router's own network monitoring information according to the monitoring content.

A packet detection module 604, for detecting the message data of a monitored device according to the network monitoring information when the monitored device is detected.

An access control module 606, for discarding the data message when the detection result is "not passed", so as to forbid the monitored device from accessing the web page corresponding to the data message; for sending the data message to the network when the detection result is "passed", so that the monitored device accesses the corresponding web page normally; and for uploading the data message to the server for analysis when the detection result is "unrecognized".

In an optional embodiment of the present invention, the monitoring content includes at least one of the following: website data to be monitored, time data and recognition rules.

The receiving and configuring module 602 includes:

A network address configuration submodule 60202, for obtaining the website data to be monitored from the monitoring content, configuring the website data to be monitored into the firewall list of the router, and using the firewall list as network monitoring information.

A time configuration submodule 60204, for obtaining the time data from the monitoring content and configuring the monitoring period of the network monitoring information according to the time data.

A recognition rule configuration submodule 60206, for obtaining the message recognition rules from the monitoring content and storing the message recognition rules in the local cache of the router as network monitoring information.

The packet detection module 604 includes:

A network address detection submodule 60402, for detecting whether the network address requested in the message data of the monitored device is in the firewall list; when the requested network address is in the firewall list, confirming that the data message matches the network monitoring information and recording the detection result as "not passed"; when the requested network address is not in the firewall list, confirming that the data message does not match the network monitoring information and recording the detection result as "passed".

A time detection submodule 60404, for obtaining the current time information and detecting whether the time information falls within the monitoring period; when the time information falls within the monitoring period, recording the detection result as "not passed"; when the time information does not fall within the monitoring period, performing the step of detecting whether the requested network address is in the firewall list.

A recognition rule detection submodule 60406, for identifying the data message according to the message recognition rules in the local cache; when the data message cannot be identified, recording the detection result as "unrecognized" and performing the step of sending the data message to the network so that it is uploaded to the server for analysis; when the data message is identified, performing the step of sending the data message to the network so that the monitored device accesses the web page corresponding to the data message.

In another optional embodiment of the present invention, the receiving and configuring module 602 is further used for obtaining the updated monitoring content from the server and updating the network monitoring information according to the updated monitoring content.

A monitored device configuration module 608, for collecting the device information of each LAN device connected to the router to generate a LAN device list; feeding back the device information in the LAN device list for the user to select monitored devices; and, according to the user's instruction information, selecting LAN devices from the LAN device list as monitored devices and adding the device information of the monitored devices to the watch list.

A device detection module 610, for receiving a data message sent by a LAN device, obtaining the address information of the LAN device from the data message, detecting according to the address information whether the LAN device is a monitored device configured in the watch list, and sending the data message to the network when the LAN device is a non-monitored device.

Embodiment four

On the basis of the above embodiments, this embodiment also provides a network access control system.

Referring to Figure 7, a structural block diagram of a network access control system embodiment of the present invention is shown.

The network access control system includes: user equipment 702, a server 704, and a router 706 as described in embodiment three above.

In an embodiment of the present invention, the data stream of the data messages that need monitoring is intercepted on the router side by network flow analysis and analyzed by a process built into the router, and it can be forwarded to the cloud platform server to be matched against a security database. Once an illegal data stream is found, the router can automatically block the data connection between that device and the illegal website.

In this embodiment, the network monitoring information of the router is configured automatically from the monitoring content issued by the server. The user does not need to understand complex network security protocols, the configuration is simple, and the user only needs to indicate the user equipment to be monitored; the rest of the device access control is achieved automatically by the cloud platform server and the router configuration.

This embodiment places a large amount of the logic processing, such as the data analysis that determines the monitoring content, on the server side, which reduces the hardware cost of the router and allows a lower CPU configuration for the router.

Further, the server side continuously analyzes data and continuously updates its security database and monitoring content, so that the network monitoring information configured on the router is also continuously updated; network access is thus controlled accurately and made more secure.

For the device embodiments, since they are basically similar to the method embodiments, the description is relatively brief; for the relevant parts, refer to the description of the method embodiments.

Each embodiment in this specification is described progressively, each focusing on its differences from the other embodiments; the same or similar parts of the embodiments can be referred to each other.

Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, an apparatus or a computer program product. Therefore, the embodiments of the present invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the embodiments of the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

The embodiments of the present invention are described with reference to flowcharts and/or block diagrams of methods, terminal devices (systems) and computer program products according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing terminal device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing terminal device produce an apparatus for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, which implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing terminal device, so that a series of operational steps are performed on the computer or other programmable terminal device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable terminal device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Although the preferred embodiments of the embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present invention.

Finally, it should also be noted that in this document relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or terminal device that includes a series of elements includes not only those elements but also other elements not expressly listed, or also elements inherent to such a process, method, article or terminal device. Without further limitation, an element defined by the statement "including a ..." does not exclude the existence of other identical elements in the process, method, article or terminal device that includes that element.

The router-based network access control method, the router and the network access control system provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the present invention, and the above description of the embodiments is only intended to help understand the method of the present invention and its core idea. At the same time, for those of ordinary skill in the art, there will be changes according to the idea of the present invention; in summary, the content of this specification should not be construed as limiting the present invention.

Claims (17)

1. A router-based network access control method, characterized in that, on the router side, it includes:
receiving the monitoring content issued by a server, and configuring the router's own network monitoring information according to the monitoring content;
when a monitored device is detected, detecting the message data of the monitored device according to the network monitoring information;
when the detection result is "not passed", discarding the data message so as to forbid the monitored device from accessing the web page corresponding to the data message;
when the detection result is "passed", sending the data message to the network.
2. The method according to claim 1, characterized in that the monitoring content includes website data to be monitored, and configuring the router's own network monitoring information according to the monitoring content includes:
obtaining the website data to be monitored from the monitoring content;
configuring the website data to be monitored into the firewall list of the router, and using the firewall list as network monitoring information.
3. The method according to claim 2, characterized in that detecting the message data of the monitored device according to the network monitoring information includes:
detecting whether the network address requested in the message data of the monitored device is in the firewall list;
when the requested network address is in the firewall list, confirming that the data message matches the network monitoring information, and recording the detection result as "not passed";
when the requested network address is not in the firewall list, confirming that the data message does not match the network monitoring information, and recording the detection result as "passed".
4. The method according to claim 3, characterized in that the monitoring content further includes: time data;
configuring the router's own network monitoring information according to the monitoring content further includes: obtaining the time data from the monitoring content, and configuring the monitoring period of the network monitoring information according to the time data;
before detecting whether the network address requested in the message data of the monitored device is in the firewall list, the method further includes:
obtaining the current time information, and detecting whether the time information falls within the monitoring period;
when the time information falls within the monitoring period, recording the detection result as "not passed";
when the time information does not fall within the monitoring period, performing the step of detecting whether the requested network address is in the firewall list.
5. The method according to claim 3, characterized in that the monitoring content further includes: message recognition rules;
configuring the router's own network monitoring information according to the monitoring content includes: obtaining the message recognition rules from the monitoring content, and storing the message recognition rules in the local cache of the router as the network monitoring information;
after detecting that the requested network address is not in the firewall list, the method further includes:
identifying the data message according to the message recognition rules in the local cache;
when the data message cannot be identified, recording the detection result as "unrecognized", and performing the step of sending the data message to the network so that it is uploaded to the server for analysis;
when the data message can be identified, performing the step of sending the data message to the network so that the monitored device accesses the web page corresponding to the data message.
6. The method according to any one of claims 1 to 5, characterized in that it further includes:
receiving updated monitoring content from the server;
updating the network monitoring information according to the updated monitoring content.
7. The method according to claim 1, characterized in that it further includes:
collecting the device information of each LAN device connected to the router to generate a LAN device list;
feeding back the device information in the LAN device list for the user to select monitored devices;
selecting monitored devices from the LAN device list according to the user's instruction information, and adding the device information of the monitored devices to a watch list.
8. The method according to claim 7, characterized in that it further includes:
receiving a data message sent by a LAN device, and obtaining the address information of the LAN device from the data message;
detecting, according to the address information, whether the LAN device is a monitored device configured in the watch list;
when the LAN device is a non-monitored device, sending the data message to the network.
9. A router, characterized in that it includes:
a receiving and configuring module, for receiving the monitoring content issued by a server and configuring the router's own network monitoring information according to the monitoring content;
a packet detection module, for detecting the message data of a monitored device according to the network monitoring information when the monitored device is detected;
an access control module, for discarding the data message when the detection result is "not passed", so as to forbid the monitored device from accessing the web page corresponding to the data message, and for sending the data message to the network when the detection result is "passed".
10. The router according to claim 9, characterized in that the monitoring content includes website data to be monitored, and the receiving and configuring module includes:
a network address configuration submodule, for obtaining the website data to be monitored from the monitoring content, configuring the website data to be monitored into the firewall list of the router, and using the firewall list as network monitoring information.
11. The router according to claim 10, characterized in that the packet detection module includes:
a network address detection submodule, for detecting whether the network address requested in the message data of the monitored device is in the firewall list; when the requested network address is in the firewall list, confirming that the data message matches the network monitoring information and recording the detection result as "not passed"; when the requested network address is not in the firewall list, confirming that the data message does not match the network monitoring information and recording the detection result as "passed".
12. The router according to claim 11, characterized in that the monitoring content further includes: time data;
the receiving and configuring module further includes: a time configuration submodule, for obtaining the time data from the monitoring content and configuring the monitoring period of the network monitoring information according to the time data;
the packet detection module further includes: a time detection submodule, for obtaining the current time information and detecting whether the time information falls within the monitoring period; when the time information falls within the monitoring period, recording the detection result as "not passed"; when the time information does not fall within the monitoring period, calling the network address detection submodule to perform the step of detecting whether the requested network address is in the firewall list.
13. The router according to claim 11, characterized in that the monitoring content further includes: message recognition rules;
the receiving and configuring module includes: a recognition rule configuration submodule, for obtaining the message recognition rules from the monitoring content and storing the message recognition rules in the local cache of the router as the network monitoring information;
the packet detection module further includes: a recognition rule detection submodule, for identifying the data message according to the message recognition rules in the local cache; when the data message cannot be identified, recording the detection result as "unrecognized" and performing the step of sending the data message to the network so that it is uploaded to the server for analysis; when the data message can be identified, performing the step of sending the data message to the network so that the monitored device accesses the web page corresponding to the data message.
14. The router according to any one of claims 9 to 13, characterized in that
the receiving and configuring module is further used for receiving updated monitoring content from the server, and updating the network monitoring information according to the updated monitoring content.
15. The router according to claim 9, characterized in that it further includes:
a monitored device configuration module, for collecting the device information of each LAN device connected to the router to generate a LAN device list; feeding back the device information in the LAN device list for the user to select monitored devices; and selecting LAN devices from the LAN device list as monitored devices according to the user's instruction information, and adding the device information of the monitored devices to a watch list.
16. The router according to claim 15, characterized in that it further includes:
a device detection module, for receiving a data message sent by a LAN device, obtaining the address information of the LAN device from the data message, detecting according to the address information whether the LAN device is a monitored device configured in the watch list, and sending the data message to the network when the LAN device is a non-monitored device.
17. A network access control system, characterized in that it includes: user equipment, a server, and the router according to any one of claims 9 to 13 and 15.
CN201510305623.4A 2015-06-04 2015-06-04 Network access control method, router and system based on router CN105978844A (en)

Priority Applications (1)

Application Number: CN201510305623.4A (CN105978844A)
Priority Date: 2015-06-04
Filing Date: 2015-06-04
Title: Network access control method, router and system based on router

Publications (1)

Publication Number: CN105978844A
Publication Date: 2016-09-28

Family ID: 56988124

Country Status (1)

CN (1) CN105978844A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108270751A (en) * 2016-12-30 2018-07-10 阿里巴巴集团控股有限公司 Application management method, device and data sending processing method and apparatus
CN109933001A (en) * 2019-04-11 2019-06-25 韩拥军 Firewall, method and system for programmable logic controller (PLC)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1581804A (en) * 2004-05-21 2005-02-16 许仁祥 Home network content filtering system base on broadband intelligent network-screening hardware
CN101056306A (en) * 2006-04-11 2007-10-17 中兴通讯股份有限公司 Network device and its access control method
CN101951380A (en) * 2010-09-28 2011-01-19 杭州华三通信技术有限公司 Access control method and device used therein in dual-stack lite network
US8090856B1 (en) * 2000-01-31 2012-01-03 Telecommunication Systems, Inc. Intelligent messaging network server interconnection
CN102316034A (en) * 2011-09-06 2012-01-11 中兴通讯股份有限公司 Method for preventing manual Internet protocol (IP) address specification in local area network and device
EP2480019A1 (en) * 2011-01-18 2012-07-25 Iniwan GmbH Provision of a pre-defined content over an open wireless network
CN103532917A (en) * 2012-07-06 2014-01-22 天讯天网(福建)网络科技有限公司 Website-filtering method based on mobile Internet and cloud computing
CN104202360A (en) * 2014-08-13 2014-12-10 小米科技有限责任公司 Webpage access method, device and router
CN104254070A (en) * 2013-06-25 2014-12-31 中兴通讯股份有限公司 WiFi access method, intelligent terminal and router equipment
CN104580252A (en) * 2015-01-29 2015-04-29 小米科技有限责任公司 Network access control method and device

Similar Documents

Publication Publication Date Title
US10628582B2 (en) Techniques for sharing network security event information
Cox et al. Advancing software-defined networks: A survey
US20170228389A1 (en) System and method for storing a skeleton representation of at least one application in a computerized organization including generating and utilizing application structure using skeleton-based discovery and re-discovery
Tian et al. Real-time lateral movement detection based on evidence reasoning network for edge computing environment
US9769210B2 (en) Classification of security policies across multiple security products
US20180219917A1 (en) Recommendations for security associated with accounts
Beckett et al. A general approach to network configuration verification
US9680875B2 (en) Security policy unification across different security products
Sicari et al. A secure and quality-aware prototypical architecture for the Internet of Things
JP2019501436A (en) System and method for application security and risk assessment and testing
US10257199B2 (en) Online privacy management system with enhanced automatic information detection
US9225601B2 (en) Network-wide verification of invariants
CN104025635B (en) Mobile risk assessment
KR101736425B1 (en) Cloud computing enhanced gateway for communication networks
US8464335B1 (en) Distributed, multi-tenant virtual private network cloud systems and methods for mobile security and policy enforcement
RU2550531C2 (en) Management of online privacy
US9954822B2 (en) Distributed traffic management system and techniques
CN103262063B (en) For the method and apparatus created in leading network in content and manage virtual private group
WO2018125989A2 (en) The internet of things
CN101124565B (en) Data traffic load balancing based on application layer messages
US9984241B2 (en) Method, apparatus, and system for data protection
US7801985B1 (en) Data transfer for network interaction fraudulence detection
CN102365890B (en) Verifiable service billing for intermediate networking devices
CN101371237B (en) Performing message payload processing functions in a network element on behalf of an application
US20130298184A1 (en) System and method for monitoring application security in a network environment

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160928

WD01 Invention patent application deemed withdrawn after publication