CN106060040A - Enterprise network access control method and device - Google Patents
Enterprise network access control method and device Download PDFInfo
- Publication number
- CN106060040A CN106060040A CN201610371825.3A CN201610371825A CN106060040A CN 106060040 A CN106060040 A CN 106060040A CN 201610371825 A CN201610371825 A CN 201610371825A CN 106060040 A CN106060040 A CN 106060040A
- Authority
- CN
- China
- Prior art keywords
- network
- access port
- enterprise network
- boundary device
- enterprise
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The present invention provides an enterprise network access control method and device. The method comprises: monitoring whether the access port of a network boundary device of an enterprise network has changes at the exterior of the enterprise network or not; if it is monitored that the access port of a network boundary device of an enterprise network has changes at the exterior of the enterprise network, obtaining a monitoring result, wherein the monitoring result includes the access port change condition of the network boundary device; analyzing the monitoring result based on the presetting network safety strategy, and determining whether the access port changes of the network boundary device are abnormal or not; and performing network access control of the enterprise network according to the analysis result. According to the embodiment of the invention, the enterprise network boundary protection condition is controlled in real time and the enterprise network is safely protected.
Description
Technical field
The present invention relates to net application technology field, particularly a kind of enterprise network access control method and device.
Background technology
Between information point, communication is requisite business demand in enterprise network with communicating of internal-external network, in order to ensure industry
Business data are not illegally accessed and distort in network transmission exchange process, and corresponding network information security safeguard procedures are not
Disposed with aspect.
In correlation technique, most business private network for network access control nearly all concentrate on network go out to enter the GATT
Mouthful, and network internal structure and access border are not implemented monitoring and the management of necessity.It would therefore be highly desirable to solve this technology
Problem.
Summary of the invention
In view of the above problems, it is proposed that the present invention in case provide one overcome the problems referred to above or at least in part solve on
State the enterprise network access control method of problem and corresponding device.
According to an aspect of of the present present invention, it is provided that a kind of enterprise network access control method, including:
Whether change at the access port of the network boundary device of enterprise network described in enterprise network external monitoring;
If the access port monitoring the network boundary device of described enterprise network changes, then obtain monitoring result,
Described monitoring result includes the access port situation of change of network boundary device;
Based on default network security policy, described monitoring result is analyzed, determines the access of described network boundary device
Port change is the most abnormal;
According to analysis result, described enterprise network is carried out NS software.
Alternatively, described acquisition monitoring result, including: outside described enterprise network, monitoring result is sent to described enterprise
Network internal, obtains described monitoring result inside described enterprise network;
Described based on default network security policy, described monitoring result is analyzed, including: in described enterprise network
Described monitoring result is analyzed by portion based on default network security policy.
Alternatively, include inside described enterprise network possessing carrying out network security assessment ability according to network security policy
Network security management platform.
Alternatively, described at the access port of the network boundary device of enterprise network described in enterprise network external monitoring whether
Change, including:
Outside enterprise network, the information of the access port that the network boundary device of described enterprise network reports is supervised
Survey, to determine whether the access port of the network boundary device of described enterprise network changes;
Or,
In the information of the access port of the network boundary device of enterprise network described in the outside active obtaining of enterprise network, with really
Whether the access port of the network boundary device of fixed described enterprise network changes.
Alternatively, the information of described access port includes at least one following:
Domain-name information that access port is corresponding, the IP list that access port is corresponding, information on services that access port is corresponding, visit
Ask the leak that port is corresponding.
Alternatively, described at the access port of the network boundary device of enterprise network described in enterprise network external monitoring whether
Change, including:
At the route letter described in the outside network boundary device in real time or periodically obtaining described enterprise network of enterprise network
Breath;
The access port of the network boundary device of described enterprise network is determined according to described routing iinformation;
The access port of the network boundary device of the described enterprise network that scanning determines, it is judged that the network of described enterprise network
Whether the access port of edge device changes.
Alternatively, the access port of the network boundary device of the described enterprise network that described scanning determines, including:
The access end of the network boundary device of the described enterprise network to determining of the rate of scanning according to safety need setting
Mouth is scanned.
Alternatively, the access port of the network boundary device of the described enterprise network that described scanning determines, including:
Determine the quantity of the network boundary device place subnet of described enterprise network;
The quantity of the network boundary device place subnet according to described enterprise network enables the scanning of the predetermined number of correspondence
Thread;
The access port of the network boundary device of described enterprise network is carried out by the scanning thread utilizing described predetermined number
Scanning.
Alternatively, described default network security policy has various level authority;
Described based on default network security policy, described monitoring result is analyzed, determines described network boundary device
Access port change is the most abnormal, including:
The network peace that network boundary device that access port changes is corresponding is found in default network security policy
Full strategy, determines the first authority that access port that described network boundary device changes is corresponding;
The second authority that access port that described network boundary device changes is corresponding is determined according to described monitoring result;
First authority described in comparison and described second authority, determine whether the access port of described network boundary device changes
Abnormal.
Alternatively, the first authority described in described comparison and described second authority, determine the access of described network boundary device
Port change is the most abnormal, including:
If comparison is consistent, it is determined that exception does not occurs in the access port change of described network boundary device;
If comparison is inconsistent, it is determined that the access port change of described network boundary device occurs abnormal.
Alternatively, described according to analysis result, described enterprise network is carried out NS software, including:
If it is determined that exception does not occurs in the access port change of described network boundary device, then generate described network boundary device
Access port change abnormal information does not occurs.
Alternatively, described according to analysis result, described enterprise network is carried out NS software, including:
If it is determined that the access port change of described network boundary device occurs abnormal, then judge whether that changing access port sends out
The network security policy that the network boundary device of changing is corresponding;
If it is not, then close the access port that described network boundary device changes.
Alternatively, the network boundary device of described enterprise network includes each terminal that region be directly facing described enterprise network,
The equipment of network insertion service is provided.
Alternatively, the network boundary device of described enterprise network includes at least one following:
Router, switch, fire wall.
According to another aspect of the present invention, additionally provide a kind of enterprise network access control apparatus, including:
Monitoring modular, be suitable at the access port of the network boundary device of enterprise network described in enterprise network external monitoring be
No change;
Acquisition module, if being suitable to the described monitoring module monitors access port to the network boundary device of described enterprise network
Changing, then obtain monitoring result, described monitoring result includes the access port situation of change of network boundary device;
Analyze module, be suitable to based on default network security policy, described monitoring result is analyzed, determine described network
The access port change of edge device is the most abnormal;
Access control module, is suitable to, according to analysis result, described enterprise network is carried out NS software.
Alternatively, described acquisition module, it is further adapted for outside described enterprise network sending to described enterprise network monitoring result
Inside network, inside described enterprise network, obtain described monitoring result;
Described analysis module, is further adapted for inside described enterprise network tying described monitoring based on default network security policy
Fruit is analyzed.
Alternatively, include inside described enterprise network possessing carrying out network security assessment ability according to network security policy
Network security management platform.
Alternatively, described monitoring modular is further adapted for:
Outside enterprise network, the information of the access port that the network boundary device of described enterprise network reports is supervised
Survey, to determine whether the access port of the network boundary device of described enterprise network changes;
Or,
In the information of the access port of the network boundary device of enterprise network described in the outside active obtaining of enterprise network, with really
Whether the access port of the network boundary device of fixed described enterprise network changes.
Alternatively, the information of described access port includes at least one following:
Domain-name information that access port is corresponding, the IP list that access port is corresponding, information on services that access port is corresponding, visit
Ask the leak that port is corresponding.
Alternatively, described monitoring modular is further adapted for:
At the route letter described in the outside network boundary device in real time or periodically obtaining described enterprise network of enterprise network
Breath;
The access port of the network boundary device of described enterprise network is determined according to described routing iinformation;
The access port of the network boundary device of the described enterprise network that scanning determines, it is judged that the network of described enterprise network
Whether the access port of edge device changes.
Alternatively, described monitoring modular is further adapted for:
The access end of the network boundary device of the described enterprise network to determining of the rate of scanning according to safety need setting
Mouth is scanned.
Alternatively, described monitoring modular is further adapted for:
Determine the quantity of the network boundary device place subnet of described enterprise network;
The quantity of the network boundary device place subnet according to described enterprise network enables the scanning of the predetermined number of correspondence
Thread;
The access port of the network boundary device of described enterprise network is carried out by the scanning thread utilizing described predetermined number
Scanning.
Alternatively, described default network security policy has various level authority, and described analysis module is further adapted for:
The network peace that network boundary device that access port changes is corresponding is found in default network security policy
Full strategy, determines the first authority that access port that described network boundary device changes is corresponding;
The second authority that access port that described network boundary device changes is corresponding is determined according to described monitoring result;
First authority described in comparison and described second authority, determine whether the access port of described network boundary device changes
Abnormal.
Alternatively, described analysis module is further adapted for:
If comparison is consistent, it is determined that exception does not occurs in the access port change of described network boundary device;
If comparison is inconsistent, it is determined that the access port change of described network boundary device occurs abnormal.
Alternatively, described access control module is further adapted for:
If it is determined that exception does not occurs in the access port change of described network boundary device, then generate described network boundary device
Access port change abnormal information does not occurs.
Alternatively, described access control module is further adapted for:
If it is determined that the access port change of described network boundary device occurs abnormal, then judge whether that changing access port sends out
The network security policy that the network boundary device of changing is corresponding;
If it is not, then close the access port that described network boundary device changes.
Alternatively, the network boundary device of described enterprise network includes each terminal that region be directly facing described enterprise network,
The equipment of network insertion service is provided.
Alternatively, the network boundary device of described enterprise network includes at least one following:
Router, switch, fire wall.
The access port of each network boundary device in enterprise network is entered outside enterprise network by the embodiment of the present invention
Row monitoring, when the access port monitoring network boundary device changes, obtains the prison comprising access port situation of change
Survey result, and based on default network security policy, monitoring result is analyzed, determine that the access port of network boundary device becomes
Change the most abnormal, and then according to analysis result, enterprise network is carried out NS software.As can be seen here, the embodiment of the present invention is real
Show the internal structure to enterprise network and the monitoring of edge device and management, and can be according to the access port of edge device
Situation of change carries out NS software to enterprise network such that it is able to realize carrying out enterprise network the purpose of security protection.
Further, the embodiment of the present invention can be passed through based on the outside mechanism with enterprise network internal combustion of enterprise network
Whether the access port at the network boundary device of enterprise network external monitoring enterprise network changes, and is monitoring enterprise network
When the access port of the network boundary device of network changes, monitoring result is sent to enterprise network, at enterprise network
Monitoring result is analyzed by inside based on default network security policy, determines whether the access port of network boundary device changes
Abnormal, and then according to analysis result, enterprise network is carried out NS software, thus achieve the internal junction to enterprise network
Structure and the monitoring of edge device and management.
Described above is only the general introduction of technical solution of the present invention, in order to better understand the technological means of the present invention,
And can be practiced according to the content of description, and in order to allow above and other objects of the present invention, the feature and advantage can
Become apparent, below especially exemplified by the detailed description of the invention of the present invention.
According to below in conjunction with the accompanying drawing detailed description to the specific embodiment of the invention, those skilled in the art will be brighter
Above-mentioned and other purposes, advantage and the feature of the present invention.
Accompanying drawing explanation
By reading the detailed description of hereafter preferred implementation, various other advantage and benefit common for this area
Technical staff will be clear from understanding.Accompanying drawing is only used for illustrating the purpose of preferred implementation, and is not considered as the present invention
Restriction.And in whole accompanying drawing, it is denoted by the same reference numerals identical parts.In the accompanying drawings:
Fig. 1 shows the flow chart of enterprise network access control method according to an embodiment of the invention;
Fig. 2 shows the signal disposing network security management platform according to an embodiment of the invention in enterprise network
Figure;
Fig. 3 shows the flow chart of enterprise network access control method according to another embodiment of the present invention;
Fig. 4 shows the structural representation of enterprise network access control apparatus according to an embodiment of the invention;And
Fig. 5 shows the structural representation of enterprise network access control apparatus in accordance with another embodiment of the present invention.
Detailed description of the invention
It is more fully described the exemplary embodiment of the disclosure below with reference to accompanying drawings.Although accompanying drawing shows the disclosure
Exemplary embodiment, it being understood, however, that may be realized in various forms the disclosure and should be by embodiments set forth here
Limited.On the contrary, it is provided that these embodiments are able to be best understood from the disclosure, and can be by the scope of the present disclosure
Complete conveys to those skilled in the art.
For solving above-mentioned technical problem, embodiments provide a kind of enterprise network access control method.Fig. 1 illustrates
The flow chart of enterprise network access control method according to an embodiment of the invention.As it is shown in figure 1, the method at least include with
Lower step S102 is to step S108:
Step S102, whether the access port at the network boundary device of enterprise network external monitoring enterprise network becomes
Change;
Step S104, if the access port monitoring the network boundary device of enterprise network changes, then obtains monitoring
As a result, described monitoring result includes the access port situation of change of network boundary device;
Step S106, is analyzed monitoring result based on default network security policy, determines the visit of network boundary device
Ask that port change is the most abnormal;
Step S108, carries out NS software according to analysis result to enterprise network.
The access port of each network boundary device in enterprise network is entered outside enterprise network by the embodiment of the present invention
Row monitoring, when the access port monitoring network boundary device changes, obtains the prison comprising access port situation of change
Survey result, and based on default network security policy, monitoring result is analyzed, determine that the access port of network boundary device becomes
Change the most abnormal, and then according to analysis result, enterprise network is carried out NS software.As can be seen here, the embodiment of the present invention is real
Show the internal structure to enterprise network and the monitoring of edge device and management, and can be according to the access port of edge device
Situation of change carries out NS software to enterprise network such that it is able to realize carrying out enterprise network the purpose of security protection.
The network boundary device that above step S102 is mentioned includes each terminal that region be directly facing enterprise network, it is provided that network
The equipment of access service, can be the equipment such as router, switch, fire wall.Here, router is that a kind of computer network sets
Standby, it is by selecting the transmission path of data, it is possible to by network one by one, data packing is sent to destination, this process
It is referred to as route.Router is for connecting multiple logically separate network, and route is operated in OSI (Open System
Interconnection, open system interconnection) third layer of model, i.e. Internet.Router is to connect each office in the Internet
Territory net, the equipment of wide area network, it can automatically select according to the situation of channel and set route, with optimal path, by tandem
Send signal.The main distinction between router and switch is that switch occurs in OSI Reference Model data link layer, and road
By occurring in Internet, this difference determines router and switch and needs to use different control during mobile message
Information, so both realize the mode of respective function is different.Additionally, fire wall refers to one by software and hardware equipment
Combine, the protective barrier of structure on interface between in-house network and extranets, between private network and public network, be a kind of
Obtaining the vivid saying of security method menu, it is the combination of a kind of computer hardware and software, makes to set up between network and network
Rise a security gateway, thus protect internal network from the intrusion of disabled user, fire wall mainly by service access rule, test
Card instrument, packet filtering and application gateway 4 part composition, fire wall be exactly one be positioned at computer and its network of being connected it
Between software or hardware, the all-network communication of this computer inflow and outflow and packet are intended to through this fire wall.
In the alternative embodiment of the present invention, it is possible to the outside and mechanism of enterprise network internal combustion based on enterprise network,
By whether changing at the access port of the network boundary device of enterprise network external monitoring enterprise network, monitoring enterprise
When the access port of industry network of network edge device changes, outside enterprise network, monitoring result is sent to enterprise network
Inside, is analyzed monitoring result based on default network security policy inside enterprise network, determines network boundary device
Access port change is the most abnormal, and then according to analysis result, enterprise network is carried out NS software, from there through on line
The access port of the network boundary device of (that is, outside enterprise network) monitoring enterprise network, and under line (that is, in enterprise network
Portion) mode of research and application result, it is achieved that to the internal structure of enterprise network and the monitoring of edge device and management.
In another alternative embodiment of the present invention, include inside enterprise network possessing and carry out net according to network security policy
The network security management platform of network security evaluation ability.As in figure 2 it is shown, network security management platform can be deployed in enterprise network
Safety management domain, with the form of rack server be connected to management domain core exchange on, user and manager remotely pass through
Web page conducts interviews, and (Internet Data Center, in internet data with enterprise network and IDC for management server
The heart) core network device carries out configuring and order level mutual, including router, switch and fire wall, to supporting SNMP
(Simple Network Management Protocol, Simple Network Management Protocol), order line terminal and netconf agreement
Network equipment adaptation support.
When on-premise network safety management platform, need to import user profile and carry out registration and organization's operation flow pass
System, it is also possible to the LDAP (Lightweight Directory Access Protocol, Light Directory Access Protocol) of enterprise
Interface carries out integrated, simultaneously need to the SSH (Secure Shell, containment agreement) that batch imports core network device logs in letter
Breath and SNMP read string, specify this network equipment brand adaptive for automatization's order.
Network security management platform can provide in the form of hardware, can remotely access Web page and be managed, this product by
User's registration platform, manager's platform, management server and water flow collection device composition.
User's registration platform is used for user and the login of user higher level, including application, the user of network access policies
Application record is checked, the confirmation of user higher level, user higher level confirm that record is checked and user password management etc..
Manager's platform is used for network security manager's integrated management to Network Acccss Control Policy, including the network equipment
ACL (Access Control List accesses and controls list) manages module, ACL status monitoring, and ACL information is checked and examines,
VLAN (Virtual Local Area Network, VLAN) information management, user and rights management, system configuration pipe
Reason, audit log management etc..
Management server is responsible for periodically capturing the configuration information of core network device, checks network device state, and network sets
Adaptation that standby order performs, the automatically generating and push of network equipment order, ACL strategy fails status monitoring, ACL flow monitoring
Cancel with inefficacy.
Whether step S102 becomes at the access port of the network boundary device of enterprise network external monitoring enterprise network
Change, embodiments provide the scheme of plurality of optional.In the optional scheme of one, can be to enterprise outside enterprise network
The information of the access port that each network boundary device of industry network reports is monitored, to determine each network boundary of enterprise network
Whether the access port of equipment changes.In another optional scheme, can be at the outside each net of active obtaining of enterprise network
The information of the access port of network edge device, to determine whether the access port of each network boundary device of enterprise network becomes
Change.Here, the information of access port can be domain-name information that access port is corresponding, access port is corresponding IP list, access
Information on services that port is corresponding, the leak etc. that access port is corresponding, the invention is not limited in this regard.In embodiments of the present invention,
As a example by the domain-name information that the information of access port is corresponding for access port, the information of port changes, as network initially sets
The meter stage, the access port 1 on network boundary device A corresponding domain name 1, domain name 2, building maintenance phase, when monitoring network
During corresponding domain name 1, the domain name 3 of the access port 1 on edge device A, it is believed that the information of access port changes, then it is assumed that this visit
Ask that port changes.And for example, as a example by the information on services that the information of access port is corresponding for access port, initially set at network
The meter stage, access port 2 corresponding with service 1, service 2 and the service 3 on network boundary device B, build maintenance phase, work as monitoring
When access port 2 corresponding with service 1 on network boundary device B, service 2, service 3 and service 4, it is believed that the information of access port
Change, then it is assumed that this access port changes.It is to say, when monitoring the information of current access port with initial
The information difference of access port time, it is believed that the information of access port changes, then it is assumed that this access port changes.
In another optional scheme, step S102 is at the network boundary device of enterprise network external monitoring enterprise network
Whether access port changes, may be implemented as at the outside network boundary in real time or periodically obtaining enterprise network of enterprise network
Routing iinformation described in equipment, determines the access port of the network boundary device of enterprise network subsequently according to routing iinformation, it
The access port of the network boundary device of the enterprise network that rear scanning determines, it is judged that the access of the network boundary device of enterprise network
Whether port changes.Here, routing iinformation can include the routing information pointing to particular network address, including particular network
The port numbers of address map network equipment, such that it is able to be scanned corresponding port according to port numbers.In some cases,
The route metric value in path can also be recorded.Routing iinformation can store in the routing table, containing network perimeter in routing table
Topology information, the main target that routing table is set up is to select to realize Routing Protocol and static routing.It addition, scanning accesses
Port can be the information that scanning obtains access port, judges whether this access port becomes according to the information of access port
Changing, the information content of access port may refer to described previously, and here is omitted.
Further, when the access port of the network boundary device of the enterprise network that scanning determines, can be according to safety
The access port needing the network boundary device of the rate of scanning the arranged enterprise network to determining is scanned.Such as, according to
Demand for security can arrange every 60 minutes run-downs, every 15 minutes run-downs or real time scans etc..
In another embodiment of the invention, when access port is scanned, by invisible scanning initial address, obtain
The operation information of other nodes must being connected with this node, uses each node in width first traversal traverses network successively,
The single-threaded scan method of this whole network is frequently used in that network size is less, structure relatively simple in the case of.For larger
Enterprise network, it is contemplated that in scanning process the most of the time be all wasted in waiting facilities prepare data stage, in order to be able to conjunction
Reason utilizes this period of free time, completes the scanning analysis to whole enterprise network as early as possible, in real process within the shorter time
The method usually using the subnet multithreading scanning of multiple scanning initial addresses according to sub-network division.That is, enterprise network is determined
The quantity of network boundary device place subnet, enables correspondence according to the quantity of the network boundary device place subnet of enterprise network
The scanning thread of predetermined number, and then utilize the scanning thread access end to the network boundary device of enterprise network of predetermined number
Mouth is scanned.
Further, step S104 changes when the access port of each network boundary device monitoring enterprise network
Time, monitoring result can be obtained, and carry out follow-up analytical procedure;Visit when each network boundary device monitoring enterprise network
Ask when port does not changes, any operation can not be performed, it is also possible to generate safety instruction information and carry out safety instruction.
In another embodiment of the invention, monitoring result is carried out point by step S106 based on default network security policy
Analysis, determines that the access port change of network boundary device is the most abnormal, embodiments provides a kind of optional scheme,
In the program, default network security policy has various level authority, then can find in default network security policy
The network security policy that network boundary device that access port changes is corresponding, determines the visit that network boundary device changes
Asking the first authority that port is corresponding, this first authority is the authority that this access port is preset.Network edge is determined according to monitoring result
The second authority that access port that boundary's equipment changes is corresponding, this second authority is corresponding after this access port changes
Authority.Subsequently, comparison the first authority and the second authority, determine that the access port change of network boundary device is the most abnormal.Enter one
Step ground, if comparison is consistent, it is determined that exception does not occurs in the access port change of network boundary device;If comparison is inconsistent, the most really
The access port change determining network boundary device occurs abnormal.For example, at network initial design stage, network boundary device
The authority of the access port 1 on A is general user's authority, is building maintenance phase, the access port 1 on network boundary device A
Authority uprise.According to network security policy, if it is to allow that the authority of the access port 1 on network boundary device A uprises
, then may determine that exception does not occurs in access port 1;And if the authority of the access port 1 on network boundary device A uprises and is
Unallowed, then may determine that exception occurs in access port 1.Therefore, in actual applications, need to combine the network of enterprise network
Security strategy, it is judged that whether the change of access port can cause Network Abnormal, affects the safety of whole enterprise network.
Further, however, it is determined that exception does not occurs in the access port change of network boundary device, then generate network boundary and set
There is not abnormal information in standby access port change.If it is determined that the access port change of network boundary device occurs different
Often, then judge whether to change the network security policy that the network boundary device that changes of access port is corresponding;If it is not, then close
The access port that network boundary device changes, to ensure the safety of whole enterprise network;The most then it is based further on change
After the access port that changes of Analysis of Network Security Policy whether exception occurs, i.e. step S106 can be performed and carry out point
Analysis, can use the analytical plan provided above, and here is omitted.
In the alternative embodiment of the present invention, it is also possible to according to the access control list ACL information of network boundary device, really
Determining the Packet Filtering rule of network boundary device, Packet Filtering rule allows or refuses specific packet to pass through.And then,
Determine the communication path of network boundary device according to Packet Filtering rule, the communication path of network boundary device is carried out visually
Change and show, generate enterprise network boundary device topology figure, contribute to network manager and control enterprise network boundary in real time and set
Standby status of protection, and state and network structure to the network operation can have a comprehensive understanding in real time.
Be discussed in detail below by a specific embodiment present invention enterprise network access control method realize process.
Fig. 3 shows the flow chart of enterprise network access control method according to another embodiment of the present invention.As it is shown on figure 3, the method
At least comprise the following steps S302 to step S318.
Step S302, the multiple network boundary device in locating business network, wherein, each network boundary device can provide
The network insertion service of multi-layer authority.
In this step, each network boundary device can provide the network insertion service of multi-layer authority, can be such as route
The equipment such as device, switch, fire wall.
Step S304, whether the access port at each network boundary device of enterprise network external monitoring changes, if so,
Then continue executing with step S306;If it is not, then continue executing with step S308.
In this step, the access port that outside enterprise network, each network boundary device of enterprise network can be reported
Information be monitored, to determine whether the access port of each network boundary device of enterprise network changes.Or, it is possible to
With the information of the access port at the outside each network boundary device of active obtaining of enterprise network, to determine each network of enterprise network
Whether the access port of edge device changes.Here, the information of access port can be the domain name letter that access port is corresponding
Breath, IP list that access port is corresponding, information on services that access port is corresponding, leak etc. that access port is corresponding, the present invention couple
This is not restricted.
Additionally, whether the access port at the network boundary device of enterprise network external monitoring enterprise network changes,
Can be at the routing iinformation described in the outside network boundary device in real time or periodically obtaining enterprise network of enterprise network, root subsequently
Determine the access port of the network boundary device of enterprise network according to routing iinformation, scan the network edge of the enterprise network determined afterwards
The access port of boundary's equipment, it is judged that whether the access port of the network boundary device of enterprise network changes.Here it is possible to root
The access port of the network boundary device of the rate of scanning enterprise network to determining arranged according to safety need is scanned.Example
As, according to demand for security, every 60 minutes run-downs, every 15 minutes run-downs or real time scans etc. can be set.
When access port is scanned, by invisible scanning initial address, it is thus achieved that other joints being connected with this node
The operation information of point, uses each node in width first traversal traverses network successively, the single-threaded scan method of this whole network
Be frequently used in that network size is less, structure relatively simple in the case of.For larger enterprise network, it is contemplated that scanned
In journey, the most of the time is all wasted in the stage of waiting facilities preparation data, in order to enable this period of free time of Appropriate application, more
Complete the scanning analysis to whole enterprise network in the short time as early as possible, real process usually uses multiple according to sub-network division
The method of the subnet multithreading scanning of scanning initial address.That is, the number of the network boundary device place subnet of enterprise network is determined
Amount, enables the scanning thread of the predetermined number of correspondence according to the quantity of the network boundary device place subnet of enterprise network, and then
The access port of the network boundary device of enterprise network is scanned by the scanning thread utilizing predetermined number.
Step S306, sends monitoring result to enterprise network outside enterprise network, continues executing with step S310.
In this step, include inside enterprise network possessing carrying out network security assessment ability according to network security policy
Network security management platform, its deployment in enterprise network may refer to shown in Fig. 2.
Step S308, generates information and carries out safety instruction.
Step S310, is analyzed monitoring result based on default network security policy inside enterprise network, determines net
The access port change of network edge device is the most abnormal, if it is not, then continue executing with step S312;The most then continue executing with step
S314。
In this step, default network security policy has various level authority, then can be in default network security plan
Find the network security policy that network boundary device that access port changes is corresponding in slightly, determine that network boundary device is sent out
The first authority that the access port of changing is corresponding, this first authority is the authority that this access port is preset.According to monitoring result
Determining the second authority that access port that network boundary device changes is corresponding, this second authority is that this access port becomes
Authority corresponding after change.Subsequently, comparison the first authority and the second authority, determine whether the access port of network boundary device changes
Abnormal.Further, if comparison is consistent, it is determined that exception does not occurs in the access port change of network boundary device;If comparison is not
Unanimously, it is determined that the access port change of network boundary device occurs abnormal.
Step S312, there is not abnormal information in the access port change generating network boundary device.
Step S314, it may be judged whether the network security plan that the change network boundary device that changes of access port is corresponding
Slightly, the most then step S316 is continued executing with;If it is not, then continue executing with step S318.
Step S316, whether the access port changed based on the Analysis of Network Security Policy after change there is exception,
Step S312 is performed if it is not, then return;The most then return and perform step S314.
Step S318, closes the access port that network boundary device changes, to ensure the safety of whole enterprise network.
The embodiment of the present invention is by (that is, outside enterprise network) on line opening the multi-layer authority of each network boundary device
Logical and service condition is monitored, and sends monitoring result to the network security management of (that is, inside enterprise network) under line flat
Platform is analyzed, and realizes controlling in real time the purpose of enterprise network boundary status of protection based on analysis result, is simultaneously based on analysis knot
Fruit carries out security protection process, it is achieved enterprise network carries out the purpose of security protection.
It should be noted that in actual applications, above-mentioned all optional embodiments can be any in the way of using combination
Combination, forms the alternative embodiment of the present invention, and this is no longer going to repeat them.
Based on the offer of each embodiment above based on enterprise network access control method, based on same inventive concept, this
Inventive embodiments additionally provides a kind of enterprise network access control apparatus.Fig. 4 shows and looks forward to according to an embodiment of the invention
The structural representation of industry network access control device.As shown in Figure 4, this device at least can include monitoring modular 410, obtain mould
Block 420, analysis module 430 and access control module 440.
Now introduce each composition of the enterprise network access control apparatus of the embodiment of the present invention or the function of device and each portion
Annexation between Fen:
Monitoring modular 410, being suitable to the access port at the network boundary device of enterprise network external monitoring enterprise network is
No change;
Acquisition module 420, is coupled with monitoring modular 410, if being suitable to monitoring modular 410 to monitor the network of enterprise network
The access port of edge device changes, then obtain monitoring result, and monitoring result includes the access port of network boundary device
Situation of change;
Analyze module 430, be coupled with acquisition module 420, be suitable to based on default network security policy, monitoring result be entered
Row is analyzed, and determines that the access port change of network boundary device is the most abnormal;
Access control module 440, is coupled with analyzing module 430, is suitable to, according to analysis result, enterprise network is carried out net
Network accesses and controls.
In an embodiment of the present invention, it is possible to mechanism based on enterprise network outside and enterprise network internal combustion is to enterprise
Network conducts interviews control, as it is shown in figure 5, the acquisition module 420 that Fig. 4 shows, is further adapted for monitoring result outside enterprise network
Send to enterprise network, inside enterprise network, obtain monitoring result;And, the analysis module 430 that Fig. 4 shows, the suitableeest
In based on default network security policy, monitoring result being analyzed inside enterprise network.
In an embodiment of the present invention, include inside enterprise network possessing and carry out network security according to network security policy and comment
Estimate the network security management platform of ability.As in figure 2 it is shown, network security management platform can be deployed in the bursting tube of enterprise network
Reason territory, is connected in the core exchange of management domain with the form of rack server, and user and manager are remotely entered by Web page
Row accesses, and management server is with enterprise network and IDC (Internet Data Center, Internet data center) core network
Equipment carries out configuring and order level mutual, including router, switch and fire wall, to supporting SNMP (Simple
Network Management Protocol, Simple Network Management Protocol), the network of order line terminal and netconf agreement sets
Standby adaptive support.
In an embodiment of the present invention, monitoring modular 410 is further adapted for:
Outside enterprise network, the information of the access port that the network boundary device of enterprise network reports is monitored, with
Determine whether the access port of the network boundary device of enterprise network changes;
Or,
The information of the access port of the network boundary device of active obtaining enterprise network outside enterprise network, to determine enterprise
Whether the access port of industry network of network edge device changes.
In an embodiment of the present invention, the information of access port includes at least one following:
Domain-name information that access port is corresponding, the IP list that access port is corresponding, information on services that access port is corresponding, visit
Ask the leak that port is corresponding.
In an embodiment of the present invention, monitoring modular 410 is further adapted for:
At the routing iinformation described in the outside network boundary device in real time or periodically obtaining enterprise network of enterprise network;
The access port of the network boundary device of enterprise network is determined according to routing iinformation;
The access port of the network boundary device of the enterprise network that scanning determines, it is judged that the network boundary device of enterprise network
Access port whether change.
In an embodiment of the present invention, monitoring modular 410 is further adapted for:
The access port of the network boundary device of the enterprise network to determining of the rate of scanning according to safety need setting enters
Row scanning.
In an embodiment of the present invention, monitoring modular 410 is further adapted for:
Determine the quantity of the network boundary device place subnet of enterprise network;
The quantity of the network boundary device place subnet according to enterprise network enables the scanning thread of the predetermined number of correspondence;
The access port of the network boundary device of enterprise network is scanned by the scanning thread utilizing predetermined number.
In an embodiment of the present invention, default network security policy has various level authority, analyzes module 430 the suitableeest
In:
The network peace that network boundary device that access port changes is corresponding is found in default network security policy
Full strategy, determines the first authority that access port that network boundary device changes is corresponding;
The second authority that access port that network boundary device changes is corresponding is determined according to monitoring result;
Comparison the first authority and the second authority, determine that the access port change of network boundary device is the most abnormal.
In an embodiment of the present invention, analyze module 430 to be further adapted for:
If comparison is consistent, it is determined that exception does not occurs in the access port change of network boundary device;
If comparison is inconsistent, it is determined that the access port change of network boundary device occurs abnormal.
In an embodiment of the present invention, access control module 440 is further adapted for:
If it is determined that exception does not occurs in the access port change of network boundary device, then generate the access end of network boundary device
There is not abnormal information in mouth change.
In an embodiment of the present invention, access control module 440 is further adapted for:
If it is determined that the access port change of network boundary device occurs abnormal, then judge whether that changing access port becomes
Network security policy corresponding to network boundary device changed;
If it is not, then close the access port that network boundary device changes.
In an embodiment of the present invention, the network boundary device of enterprise network includes each end that region be directly facing enterprise network
End, it is provided that the equipment of network insertion service.
In an embodiment of the present invention, the network boundary device of enterprise network includes at least one following:
Router, switch, fire wall.
According to any one preferred embodiment above-mentioned or the combination of multiple preferred embodiment, the embodiment of the present invention can reach
Following beneficial effect:
The access port of each network boundary device in enterprise network is entered outside enterprise network by the embodiment of the present invention
Row monitoring, when the access port monitoring network boundary device changes, obtains the prison comprising access port situation of change
Survey result, and based on default network security policy, monitoring result is analyzed, determine that the access port of network boundary device becomes
Change the most abnormal, and then according to analysis result, enterprise network is carried out NS software.As can be seen here, the embodiment of the present invention is real
Show the internal structure to enterprise network and the monitoring of edge device and management, and can be according to the access port of edge device
Situation of change carries out NS software to enterprise network such that it is able to realize carrying out enterprise network the purpose of security protection.
Further, the embodiment of the present invention can be passed through based on the outside mechanism with enterprise network internal combustion of enterprise network
Whether the access port at the network boundary device of enterprise network external monitoring enterprise network changes, and is monitoring enterprise network
When the access port of the network boundary device of network changes, monitoring result is sent to enterprise network, at enterprise network
Monitoring result is analyzed by inside based on default network security policy, determines whether the access port of network boundary device changes
Abnormal, and then according to analysis result, enterprise network is carried out NS software, thus achieve the internal junction to enterprise network
Structure and the monitoring of edge device and management.
In description mentioned herein, illustrate a large amount of detail.It is to be appreciated, however, that the enforcement of the present invention
Example can be put into practice in the case of not having these details.In some instances, it is not shown specifically known method, structure
And technology, in order to do not obscure the understanding of this description.
Similarly, it will be appreciated that one or more in order to simplify that the disclosure helping understands in each inventive aspect, exist
Above in the description of the exemplary embodiment of the present invention, each feature of the present invention is grouped together into single enforcement sometimes
In example, figure or descriptions thereof.But, the method for the disclosure should not be construed to reflect an intention that i.e. required guarantor
The application claims feature more more than the feature being expressly recited in each claim protected.More precisely, as following
Claims reflected as, inventive aspect is all features less than single embodiment disclosed above.Therefore,
The claims following detailed description of the invention are thus expressly incorporated in this detailed description of the invention, the most each claim itself
All as the independent embodiment of the present invention.
Those skilled in the art are appreciated that and can carry out the module in the equipment in embodiment adaptively
Change and they are arranged in one or more equipment different from this embodiment.Can be the module in embodiment or list
Unit or assembly are combined into a module or unit or assembly, and can put them in addition multiple submodule or subelement or
Sub-component.In addition at least some in such feature and/or process or unit excludes each other, can use any
Combine all features disclosed in this specification (including adjoint claim, summary and accompanying drawing) and so disclosed appoint
Where method or all processes of equipment or unit are combined.Unless expressly stated otherwise, this specification (includes adjoint power
Profit requires, summary and accompanying drawing) disclosed in each feature can be carried out generation by providing identical, equivalent or the alternative features of similar purpose
Replace.
Although additionally, it will be appreciated by those of skill in the art that embodiments more described herein include other embodiments
Some feature included by rather than further feature, but the combination of the feature of different embodiment means to be in the present invention's
Within the scope of and form different embodiments.Such as, in detail in the claims, embodiment required for protection one of arbitrarily
Can mode use in any combination.
The all parts embodiment of the present invention can realize with hardware, or to run on one or more processor
Software module realize, or with combinations thereof realize.It will be understood by those of skill in the art that and can use in practice
Microprocessor or digital signal processor (DSP) realize in enterprise network access control apparatus according to embodiments of the present invention
The some or all functions of some or all parts.The present invention is also implemented as performing side as described herein
Part or all equipment of method or device program (such as, computer program and computer program).Such
The program realizing the present invention can store on a computer-readable medium, or can have the shape of one or more signal
Formula.Such signal can be downloaded from internet website and obtain, or provides on carrier signal, or with any other shape
Formula provides.
The present invention will be described rather than limits the invention to it should be noted above-described embodiment, and ability
Field technique personnel can design alternative embodiment without departing from the scope of the appended claims.In the claims,
Any reference marks that should not will be located between bracket is configured to limitations on claims.Word " comprises " and does not excludes the presence of not
Arrange element in the claims or step.Word "a" or "an" before being positioned at element does not excludes the presence of multiple such
Element.The present invention and can come real by means of including the hardware of some different elements by means of properly programmed computer
Existing.If in the unit claim listing equipment for drying, several in these devices can be by same hardware branch
Specifically embody.Word first, second and third use do not indicate that any order.These word explanations can be run after fame
Claim.
So far, although those skilled in the art will appreciate that the multiple of the most detailed present invention of illustrate and describing show
Example embodiment, but, without departing from the spirit and scope of the present invention, still can be direct according to present disclosure
Determine or derive other variations or modifications of many meeting the principle of the invention.Therefore, the scope of the present invention is it is understood that and recognize
It is set to and covers other variations or modifications all these.
The one side of the embodiment of the present invention discloses A1, a kind of enterprise network access control method, including:
Whether change at the access port of the network boundary device of enterprise network described in enterprise network external monitoring;
If the access port monitoring the network boundary device of described enterprise network changes, then obtain monitoring result,
Described monitoring result includes the access port situation of change of network boundary device;
Based on default network security policy, described monitoring result is analyzed, determines the access of described network boundary device
Port change is the most abnormal;
According to analysis result, described enterprise network is carried out NS software.
A2, according to the method described in A1, wherein,
Described acquisition monitoring result, including: outside described enterprise network, monitoring result is sent to described enterprise network
Portion, obtains described monitoring result inside described enterprise network;
Described based on default network security policy, described monitoring result is analyzed, including: in described enterprise network
Described monitoring result is analyzed by portion based on default network security policy.
A3, according to the method described in A2, wherein, include inside described enterprise network possessing carrying out according to network security policy
The network security management platform of network security assessment ability.
A4, according to the method described in any one of A1-A3, wherein, described at enterprise network described in enterprise network external monitoring
The access port of network boundary device whether change, including:
Outside enterprise network, the information of the access port that the network boundary device of described enterprise network reports is supervised
Survey, to determine whether the access port of the network boundary device of described enterprise network changes;
Or,
In the information of the access port of the network boundary device of enterprise network described in the outside active obtaining of enterprise network, with really
Whether the access port of the network boundary device of fixed described enterprise network changes.
A5, according to the method described in A4, wherein, the information of described access port includes at least one following:
Domain-name information that access port is corresponding, the IP list that access port is corresponding, information on services that access port is corresponding, visit
Ask the leak that port is corresponding.
A6, according to the method described in any one of A1-A5, wherein, described at enterprise network described in enterprise network external monitoring
The access port of network boundary device whether change, including:
At the route letter described in the outside network boundary device in real time or periodically obtaining described enterprise network of enterprise network
Breath;
The access port of the network boundary device of described enterprise network is determined according to described routing iinformation;
The access port of the network boundary device of the described enterprise network that scanning determines, it is judged that the network of described enterprise network
Whether the access port of edge device changes.
A7, according to the method described in A6, wherein, the visit of the network boundary device of the described enterprise network that described scanning determines
Ask port, including:
The access end of the network boundary device of the described enterprise network to determining of the rate of scanning according to safety need setting
Mouth is scanned.
A8, according to the method described in A6 or A7, wherein, the network boundary device of the described enterprise network that described scanning determines
Access port, including:
Determine the quantity of the network boundary device place subnet of described enterprise network;
The quantity of the network boundary device place subnet according to described enterprise network enables the scanning of the predetermined number of correspondence
Thread;
The access port of the network boundary device of described enterprise network is carried out by the scanning thread utilizing described predetermined number
Scanning.
A9, according to the method described in any one of A1-A8, wherein,
Described default network security policy has various level authority;
Described based on default network security policy, described monitoring result is analyzed, determines described network boundary device
Access port change is the most abnormal, including:
The network peace that network boundary device that access port changes is corresponding is found in default network security policy
Full strategy, determines the first authority that access port that described network boundary device changes is corresponding;
The second authority that access port that described network boundary device changes is corresponding is determined according to described monitoring result;
First authority described in comparison and described second authority, determine whether the access port of described network boundary device changes
Abnormal.
A10, according to the method described in A9, wherein, the first authority described in described comparison and described second authority, determine described
The access port change of network boundary device is the most abnormal, including:
If comparison is consistent, it is determined that exception does not occurs in the access port change of described network boundary device;
If comparison is inconsistent, it is determined that the access port change of described network boundary device occurs abnormal.
A11, according to the method described in A10, wherein, described according to analysis result, described enterprise network is carried out network access
Control, including:
If it is determined that exception does not occurs in the access port change of described network boundary device, then generate described network boundary device
Access port change abnormal information does not occurs.
A12, according to the method described in A10, wherein, described according to analysis result, described enterprise network is carried out network access
Control, including:
If it is determined that the access port change of described network boundary device occurs abnormal, then judge whether that changing access port sends out
The network security policy that the network boundary device of changing is corresponding;
If it is not, then close the access port that described network boundary device changes.
A13, according to the method described in any one of A1-A12, wherein, the network boundary device of described enterprise network includes directly
Junction is to each terminal of described enterprise network, it is provided that the equipment of network insertion service.
A14, according to the method described in A13, wherein, the network boundary device of described enterprise network include following at least it
One:
Router, switch, fire wall.
The another aspect of the embodiment of the present invention also discloses B15, a kind of enterprise network access control apparatus, including:
Monitoring modular, be suitable at the access port of the network boundary device of enterprise network described in enterprise network external monitoring be
No change;
Acquisition module, if being suitable to the described monitoring module monitors access port to the network boundary device of described enterprise network
Changing, then obtain monitoring result, described monitoring result includes the access port situation of change of network boundary device;
Analyze module, be suitable to based on default network security policy, described monitoring result is analyzed, determine described network
The access port change of edge device is the most abnormal;
Access control module, is suitable to, according to analysis result, described enterprise network is carried out NS software.
B16, according to the device described in B15, wherein,
Described acquisition module, is further adapted for outside described enterprise network sending to described enterprise network monitoring result,
Described monitoring result is obtained inside described enterprise network;
Described analysis module, is further adapted for inside described enterprise network tying described monitoring based on default network security policy
Fruit is analyzed.
B17, according to the device described in B16, wherein, include possessing inside described enterprise network and enter according to network security policy
The network security management platform of row network security assessment ability.
B18, according to the device described in any one of B15-B17, wherein, described monitoring modular is further adapted for:
Outside enterprise network, the information of the access port that the network boundary device of described enterprise network reports is supervised
Survey, to determine whether the access port of the network boundary device of described enterprise network changes;
Or,
In the information of the access port of the network boundary device of enterprise network described in the outside active obtaining of enterprise network, with really
Whether the access port of the network boundary device of fixed described enterprise network changes.
B19, according to the device described in B18, wherein, the information of described access port includes at least one following:
Domain-name information that access port is corresponding, the IP list that access port is corresponding, information on services that access port is corresponding, visit
Ask the leak that port is corresponding.
B20, according to the device described in any one of B15-B19, wherein, described monitoring modular is further adapted for:
At the route letter described in the outside network boundary device in real time or periodically obtaining described enterprise network of enterprise network
Breath;
The access port of the network boundary device of described enterprise network is determined according to described routing iinformation;
The access port of the network boundary device of the described enterprise network that scanning determines, it is judged that the network of described enterprise network
Whether the access port of edge device changes.
B21, according to the device described in B20, wherein, described monitoring modular is further adapted for:
The access end of the network boundary device of the described enterprise network to determining of the rate of scanning according to safety need setting
Mouth is scanned.
B22, according to the device described in B20 or B21, wherein, described monitoring modular is further adapted for:
Determine the quantity of the network boundary device place subnet of described enterprise network;
The quantity of the network boundary device place subnet according to described enterprise network enables the scanning of the predetermined number of correspondence
Thread;
The access port of the network boundary device of described enterprise network is carried out by the scanning thread utilizing described predetermined number
Scanning.
B23, according to the device described in any one of B15-B22, wherein, described default network security policy has different level
Authority, described analysis module is further adapted for:
The network peace that network boundary device that access port changes is corresponding is found in default network security policy
Full strategy, determines the first authority that access port that described network boundary device changes is corresponding;
The second authority that access port that described network boundary device changes is corresponding is determined according to described monitoring result;
First authority described in comparison and described second authority, determine whether the access port of described network boundary device changes
Abnormal.
B24, according to the device described in B23, wherein, described analysis module is further adapted for:
If comparison is consistent, it is determined that exception does not occurs in the access port change of described network boundary device;
If comparison is inconsistent, it is determined that the access port change of described network boundary device occurs abnormal.
B25, according to the device described in B24, wherein, described access control module is further adapted for:
If it is determined that exception does not occurs in the access port change of described network boundary device, then generate described network boundary device
Access port change abnormal information does not occurs.
B26, according to the device described in B24, wherein, described access control module is further adapted for:
If it is determined that the access port change of described network boundary device occurs abnormal, then judge whether that changing access port sends out
The network security policy that the network boundary device of changing is corresponding;
If it is not, then close the access port that described network boundary device changes.
B27, according to the device described in any one of B15-B26, wherein, the network boundary device of described enterprise network includes directly
Junction is to each terminal of described enterprise network, it is provided that the equipment of network insertion service.
B28, according to the device described in B27, wherein, the network boundary device of described enterprise network include following at least it
One:
Router, switch, fire wall.
Claims (10)
1. an enterprise network access control method, including:
Whether change at the access port of the network boundary device of enterprise network described in enterprise network external monitoring;
If the access port monitoring the network boundary device of described enterprise network changes, then obtain monitoring result, described
Monitoring result includes the access port situation of change of network boundary device;
Based on default network security policy, described monitoring result is analyzed, determines the access port of described network boundary device
Change is the most abnormal;
According to analysis result, described enterprise network is carried out NS software.
Method the most according to claim 1, wherein,
Described acquisition monitoring result, including: outside described enterprise network, monitoring result is sent to described enterprise network,
Described enterprise network is internal obtains described monitoring result;
Described based on default network security policy, described monitoring result is analyzed, including: at the internal base of described enterprise network
In default network security policy, described monitoring result is analyzed.
Method the most according to claim 2, wherein, includes possessing inside described enterprise network and enters according to network security policy
The network security management platform of row network security assessment ability.
4. according to the method described in any one of claim 1-3, wherein, described at enterprise network described in enterprise network external monitoring
The access port of network boundary device whether change, including:
Outside enterprise network, the information of the access port that the network boundary device of described enterprise network reports is monitored, with
Determine whether the access port of the network boundary device of described enterprise network changes;
Or,
In the information of the access port of the network boundary device of enterprise network described in the outside active obtaining of enterprise network, to determine
Whether the access port of the network boundary device stating enterprise network changes.
Method the most according to claim 4, wherein, the information of described access port includes at least one following:
Domain-name information that access port is corresponding, the IP list that access port is corresponding, information on services that access port is corresponding, access end
The leak that mouth is corresponding.
6. according to the method described in any one of claim 1-5, wherein, described at enterprise network described in enterprise network external monitoring
The access port of network boundary device whether change, including:
At the routing iinformation described in the outside network boundary device in real time or periodically obtaining described enterprise network of enterprise network;
The access port of the network boundary device of described enterprise network is determined according to described routing iinformation;
The access port of the network boundary device of the described enterprise network that scanning determines, it is judged that the network boundary of described enterprise network
Whether the access port of equipment changes.
Method the most according to claim 6, wherein, the network boundary device of the described enterprise network that described scanning determines
Access port, including:
The access port of the network boundary device of the described enterprise network to determining of the rate of scanning according to safety need setting enters
Row scanning.
8. according to the method described in claim 6 or 7, wherein, the network boundary of the described enterprise network that described scanning determines sets
Standby access port, including:
Determine the quantity of the network boundary device place subnet of described enterprise network;
The quantity of the network boundary device place subnet according to described enterprise network enables the scanning thread of the predetermined number of correspondence;
The access port of the network boundary device of described enterprise network is scanned by the scanning thread utilizing described predetermined number.
9. according to the method described in any one of claim 1-8, wherein,
Described default network security policy has various level authority;
Described based on default network security policy, described monitoring result is analyzed, determines the access of described network boundary device
Port change is the most abnormal, including:
The network security plan that network boundary device that access port changes is corresponding is found in default network security policy
Slightly, the first authority that access port that described network boundary device changes is corresponding is determined;
The second authority that access port that described network boundary device changes is corresponding is determined according to described monitoring result;
First authority described in comparison and described second authority, determine that the access port change of described network boundary device is the most different
Often.
10. an enterprise network access control apparatus, including:
Monitoring modular, is suitable to whether the access port of the network boundary device of enterprise network described in enterprise network external monitoring is sent out
Changing;
Acquisition module, if being suitable to the access port generation to the network boundary device of described enterprise network of the described monitoring module monitors
Change, then obtain monitoring result, and described monitoring result includes the access port situation of change of network boundary device;
Analyze module, be suitable to based on default network security policy, described monitoring result is analyzed, determine described network boundary
The access port change of equipment is the most abnormal;
Access control module, is suitable to, according to analysis result, described enterprise network is carried out NS software.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610371825.3A CN106060040B (en) | 2016-05-30 | 2016-05-30 | Enterprise network access control method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610371825.3A CN106060040B (en) | 2016-05-30 | 2016-05-30 | Enterprise network access control method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106060040A true CN106060040A (en) | 2016-10-26 |
| CN106060040B CN106060040B (en) | 2019-11-22 |
Family
ID=57171490
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610371825.3A Active CN106060040B (en) | 2016-05-30 | 2016-05-30 | Enterprise network access control method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106060040B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108833362A (en) * | 2018-05-23 | 2018-11-16 | 邱婧 | A kind of equipment access authority control method, apparatus and system |
| CN109218278A (en) * | 2017-06-29 | 2019-01-15 | 瞻博网络公司 | The dynamic implement of safety regulation |
| CN110519322A (en) * | 2018-05-22 | 2019-11-29 | 广东亿迅科技有限公司 | A kind of method and monitoring system of dynamic push monitoring result |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101022360A (en) * | 2007-03-16 | 2007-08-22 | 北京工业大学 | Local network safety management method based on IEEE 802.1X protocol |
| CN101436945A (en) * | 2008-12-25 | 2009-05-20 | 中兴通讯股份有限公司 | Method, system and apparatus for protecting multicast business fault |
| CN101795261A (en) * | 2009-12-31 | 2010-08-04 | 暨南大学 | Information protection system and method based on mobile data safety |
| CN101958815A (en) * | 2010-10-18 | 2011-01-26 | 北京全路通信信号研究设计院 | Security Ethernet interface on-line monitor system and method |
-
2016
- 2016-05-30 CN CN201610371825.3A patent/CN106060040B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101022360A (en) * | 2007-03-16 | 2007-08-22 | 北京工业大学 | Local network safety management method based on IEEE 802.1X protocol |
| CN101436945A (en) * | 2008-12-25 | 2009-05-20 | 中兴通讯股份有限公司 | Method, system and apparatus for protecting multicast business fault |
| CN101795261A (en) * | 2009-12-31 | 2010-08-04 | 暨南大学 | Information protection system and method based on mobile data safety |
| CN101958815A (en) * | 2010-10-18 | 2011-01-26 | 北京全路通信信号研究设计院 | Security Ethernet interface on-line monitor system and method |
Non-Patent Citations (1)
| Title |
|---|
| 邵新茹: "网络拓扑结构的边界守护系统研究", 《中国优秀硕士学位论文全文数据库信息科技辑》 * |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109218278A (en) * | 2017-06-29 | 2019-01-15 | 瞻博网络公司 | The dynamic implement of safety regulation |
| CN109218278B (en) * | 2017-06-29 | 2021-06-29 | 瞻博网络公司 | Dynamic implementation of security rules |
| US11070589B2 (en) | 2017-06-29 | 2021-07-20 | Juniper Networks, Inc. | Dynamic implementation of a security rule |
| CN110519322A (en) * | 2018-05-22 | 2019-11-29 | 广东亿迅科技有限公司 | A kind of method and monitoring system of dynamic push monitoring result |
| CN110519322B (en) * | 2018-05-22 | 2022-03-25 | 广东亿迅科技有限公司 | Method for dynamically pushing monitoring result and monitoring system |
| CN108833362A (en) * | 2018-05-23 | 2018-11-16 | 邱婧 | A kind of equipment access authority control method, apparatus and system |
| CN108833362B (en) * | 2018-05-23 | 2021-05-07 | 邱婧 | Equipment access authority control method, device and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106060040B (en) | 2019-11-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10701034B2 (en) | Intelligent sorting for N-way secure split tunnel | |
| US10595215B2 (en) | Reducing redundant operations performed by members of a cooperative security fabric | |
| CA2814261C (en) | Systems and methods for managing a network | |
| CN105847300B (en) | The method for visualizing and device of enterprise network boundary device topology | |
| CA2525343C (en) | Security checking program for communication between networks | |
| CN106060041A (en) | Enterprises network access authority control method and device | |
| US11418955B2 (en) | System and methods for transit path security assured network slices | |
| EP3251301A1 (en) | System and method for a global virtual network | |
| CN109040037A (en) | A kind of safety auditing system based on strategy and rule | |
| CN104158767B (en) | A kind of network admittance device and method | |
| US20060041935A1 (en) | Methodology for configuring network firewall | |
| CN112956158B (en) | Structural data plane monitoring | |
| CN104113443A (en) | Network equipment detection method, device and cloud detection system | |
| CN105871908A (en) | Control method and device of access control strategies of enterprise network boundary equipment | |
| CN106060040A (en) | Enterprise network access control method and device | |
| CN106161362A (en) | A kind of network application means of defence and equipment | |
| KR102036137B1 (en) | Method and apparatus for analyzing firewall policy | |
| Wright et al. | Interoperability and security for converged smart grid networks | |
| GB2523123A (en) | Method and hardware device for remotely connecting to and controlling a private branch exchange | |
| Cisco | Representing Your Network Topology | |
| Ferguson | CompTIA Network+ Review Guide: Exam N10-006 | |
| Design | Building Automation System over IP (BAS/IP) Design and Implementation Guide | |
| Lopes | Methodologies for Integrated Network Monitoring |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information | ||
| CB02 | Change of applicant information |
Address after: 100080 Haidian street, Haidian District, Haidian District, No. 27, 1-4 layer, 1-4 layer, 3-020 Applicant after: Beijing Pipaxing Technology Co., Ltd. Address before: 100097 Beijing City, Haidian District cloud layer 6451 Li Jin Ya Yuan Shanghai 6 Applicant before: Beijing Pipaxing Technology Co., Ltd. |
|
| GR01 | Patent grant | ||
| GR01 | Patent grant |