CN106411852B - Distributed terminal access control method and device - Google Patents

Distributed terminal access control method and device

Info

Publication number: CN106411852B
Application number: CN201610797251.6A
Authority: CN (China)
Legal status: Active
Other versions: CN106411852A
Other languages: Chinese (zh)
Inventors: 周迪, 赵晖
Current assignee: Zhejiang Uniview Technologies Co Ltd
Original assignee: Zhejiang Uniview Technologies Co Ltd
Prior art keywords: switch, management server, control rule, end equipment, service
Events: application filed by Zhejiang Uniview Technologies Co Ltd with priority to CN201610797251.6A; application published as CN106411852A; patent granted and published as CN106411852B.

Classifications

All classifications fall under H04L63/00, Network architectures or network communication protocols for network security (section H, Electricity; class H04, Electric communication technique; subclass H04L, Transmission of digital information, e.g. telegraphic communication):

    • H04L63/0218 Distributed architectures, e.g. distributed firewalls (under H04L63/02 Separating internal from external traffic, e.g. firewalls, and H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones)
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/02 and H04L63/0227 Filtering policies)
    • H04L63/0263 Rule management (under H04L63/02 and H04L63/0227 Filtering policies)
    • H04L63/101 Access control lists [ACL] (under H04L63/10 Controlling access to devices or network resources)
    • H04L63/205 Managing network security, network security policies in general, involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (under H04L63/20)

Abstract

The embodiments of this application disclose a distributed terminal access control method and device. Control rules based on service type are set in each switch of a distributed monitoring system and are updated as the service types of the front-end devices change, so that each switch performs service-level access control on the front-end devices connected to it: messages that conform to the control rules are forwarded normally and messages that do not conform are discarded. Terminal access is thus controlled precisely, the control rules in every switch are updated promptly when a front-end device's service type changes, and the storage burden that a large number of configured control rules would place on the server device is avoided.

Description

Distributed terminal access control method and device
Technical Field
The present application relates to the field of monitoring data transmission, and in particular, to a method and an apparatus for controlling access of a distributed terminal.
Background
With the development of IP (Internet Protocol) video monitoring services, customers pay increasing attention to the security protection of video monitoring systems. Typically, an intruder first uses a vulnerability scanning tool to scan the ports of the target device: the port scan sends connection messages to each well-known port and to some common service ports of the target device, judges from the type of response received whether the device uses that port, and then identifies a vulnerable service port through analysis as the basis for a further intrusion attack.
In the prior art, a defense solution based on control rules is provided so that the monitoring system has a certain self-defense capability and service ports are hidden automatically. Any access by a front-end device in the system to the service management (and similar) ports of another device in the system must be filtered by the control rules, and devices such as clients are allowed to access the service ports of a target device only through prior centralized authorization by the video management server. A closed-loop, secure service environment is thus formed across the whole system, and potential safety hazards can be effectively eliminated.
Specifically, in the prior art the video management server by default opens only a "registration port" for front-end devices and a "login port" for clients; only after a terminal device has registered successfully is the "IP address" of that front-end device allowed to access the other service ports of the video management server.
The control rules can be implemented by distributing iptables rules, by service-level code control, or the like, as described below.
Fig. 1 is a schematic view of an application scenario of a monitoring system in the prior art.
In the initial state, the control rule in effect in the video management server is as follows:

    Destination port of the device | Source device | Control behavior
    5060, 80                       | All           | Allow the "source device" to access the "destination port of the device"
After IPC1 registers successfully, the video management server records the mask of IPC1 and changes its effective control rule to allow IPC1 to access all ports of the device, as follows:
[Figure BDA0001106693470000021: control rule table of the video management server after IPC1 registers; the table is an image and is not reproduced in the text.]
Correspondingly, the service server records the mask of IPC1 and changes its effective control rule to allow IPC1 and the video management server to access all ports of the device, as follows:
[Figure BDA0001106693470000022: control rule table of the service server after IPC1 registers; the table is an image and is not reproduced in the text.]
In the course of implementing the present application, the applicant found that the prior-art solution described above has at least the following problem:
the number of front-end devices in a video monitoring system is large, so the number of rules that must be configured in devices such as the video management server grows accordingly. The number of filtering rules a server device supports is limited, generally to only 1000 rules, and once the number of front-end devices exceeds the maximum number of rules the server device supports, the server device can no longer provide normal service.
Disclosure of Invention
The embodiments of this application provide a distributed terminal access control method and device in which control rules based on service type are set in each switch of a distributed monitoring system, so that each switch performs service-level access control on the front-end devices connected to it according to those control rules. Terminal access is thereby controlled precisely, and the storage burden that a large number of control rules would place on the server device is avoided.
In order to achieve the above technical objective, the present application provides a distributed terminal admission control method, which is applied to a distributed monitoring system that at least includes a management server, a plurality of switches, and a front-end device, where the front-end device accesses the distributed monitoring system through the switch, and a control rule is configured in the switch, and the method specifically includes:
when a front-end device connected to the switch starts a new service, the switch updates the control rule configured on it according to a control rule update instruction sent by the management server, where the control rule update instruction contains the access authority information that the management server opens when the new service is executed for the front-end device;
the switch judges whether the forwarding information of a message of the new service received from the front-end device connected to it conforms to the updated control rule;
if it does not conform, the switch discards the service message.
Preferably, the initial content of the control rule configured in the switch is:
of the messages received from the front-end devices connected to the switch, only registration messages are forwarded to the management server; all other messages are discarded.
Preferably, before the front-end device connected to the switch starts a new service operation, the method further includes:
when the control rule configured by the switch is initial content, the switch identifies whether the received message sent by the front-end equipment connected with the switch is a registration message or not;
if the identification result is yes, the switch adds the network address information of the switch and the port information connected with the front-end equipment into the message, and forwards the message to the management server, so that the management server registers the front-end equipment, and stores the network address information and the port information of the switch after the registration is successful;
and when the switch receives a registration confirmation instruction returned by the management server, the switch sends the registration confirmation instruction to the front-end equipment.
Preferably, the processing procedure of the control rule update indication specifically includes:
when the front-end equipment connected with the switch starts a new service, the management server determines a port of equipment allowing the front-end equipment to access in the new service;
the management server generates a control rule item which takes the network address information of the front-end equipment as source address information, the network address information of the equipment allowing the front-end equipment to access as destination address information and the port information of the equipment port allowing the front-end equipment to access as destination port information;
and the management server sends a control rule updating instruction carrying the control rule item to the switch according to the network address information of the switch corresponding to the front-end equipment, so that the switch updates the content corresponding to the port connected with the front-end equipment in the control rule of the switch.
Preferably, the method further comprises:
when the front-end equipment connected with the switch finishes the service, the switch deletes the control rule content corresponding to the finished service in the control rules configured by the switch according to the control rule deletion instruction sent by the management server.
On the other hand, an embodiment of the present application further provides a switch, which is applied to a distributed monitoring system that at least includes a management server, a plurality of switches, and a front-end device, where the front-end device accesses the distributed monitoring system through the switch, and a control rule is configured in the switch, where the switch specifically includes:
the communication module is used for communicating with the front-end equipment connected with the switch and the management server;
the management module is configured to update a control rule currently configured by the switch according to a control rule update instruction sent by the management server and received by the communication module when a front-end device connected to the switch starts a new service, where the control rule update instruction includes access right information opened by the management server when the management server executes the new service on the front-end device;
the judging module is used for judging whether the forwarding information of the new service message, which is received by the communication module and sent by the front-end equipment connected with the switch, conforms to the control rule updated by the management module;
and the processing module is used for informing the communication module to forward the service message to a corresponding interface when the judgment result of the judgment module is in conformity, or discarding the service message when the judgment result of the judgment module is in nonconformity.
Preferably, the initial content of the control rule configured in the switch is:
of the messages received from the front-end devices connected to the switch, only registration messages are forwarded to the management server; all other messages are discarded.
Preferably,
the judging module is further configured to identify whether a message received by the communication module and sent by a front-end device connected to the communication module is a registration message when the control rule configured by the switch is an initial content;
the communication module is further configured to add, when the identification result of the determination module is yes, the network address information of the switch and the port information of the switch connected to the front-end device to the message, forward the message to the management server, so that the management server registers the front-end device, store the network address information and the port information of the switch after the registration is successful, and send, when receiving a registration confirmation instruction returned by the management server, the registration confirmation instruction to the front-end device.
Preferably, the processing procedure of the control rule update indication specifically includes:
when the front-end equipment connected with the switch starts a new service, the management server determines a port of equipment allowing the front-end equipment to access in the new service;
the management server generates a control rule item which takes the network address information of the front-end equipment as source address information, the network address information of the equipment allowing the front-end equipment to access as destination address information and the port information of the equipment port allowing the front-end equipment to access as destination port information;
and the management server sends a control rule updating instruction carrying the control rule item to the switch according to the network address information of the switch corresponding to the front-end equipment, so that the switch updates the content corresponding to the port connected with the front-end equipment in the control rule of the switch.
Preferably,
the management module is further configured to delete, when the front-end device connected to the switch ends a service, a control rule content corresponding to the ended service from the control rules configured by the switch according to the control rule deletion instruction sent by the management server and received by the communication module.
Compared with the prior art, the technical solution provided by the embodiments of the application has the following beneficial technical effects:
control rules based on service type are set in each switch of the distributed monitoring system and updated as the service types of the front-end devices change, so that each switch performs service-level access control on the front-end devices connected to it, forwarding messages that conform to the control rules and discarding those that do not. Terminal access is controlled precisely, the control rules in every switch are updated promptly when a front-end device's service type changes, and the storage burden that a large number of configured control rules would place on the server device is avoided.
Drawings
In order to more clearly illustrate the technical solutions of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a schematic view of an application scenario of a monitoring system in the prior art;
fig. 2 is a schematic flowchart of a distributed terminal admission control method according to an embodiment of the present application;
fig. 3 is a schematic diagram of a networking structure of a distributed monitoring system according to an embodiment of the present application;
fig. 4 is a schematic flowchart of a distributed terminal admission control method in a specific application scenario according to an embodiment of the present application;
fig. 5 is a schematic diagram of an application scenario in which IPC1 performs various service processes in a specific scenario according to an embodiment of the present application;
fig. 6 is a schematic view of a scenario in which a video management server configures control rules (the aforementioned white list) to multiple switches in a specific application scenario according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a switch according to an embodiment of the present application.
Detailed Description
As stated in the background, in the prior art the control rules are set on the server, so the server must also perform the corresponding filtering, which increases its processing load. As the number of front-end devices grows, the number of control rules to be configured in the server also grows greatly; this not only increases the server's processing load for rule screening but, because the server can store only a limited number of rules, also means that some control rules cannot be configured on it at all and the corresponding control policies cannot be enforced.
The inventors of the present application expect that, with the method provided here, control rules based on service type are set in each switch of the distributed monitoring system and updated as the service types of the front-end devices change. On the one hand, configuring the processing rules in the switches distributes the filtering burden from the server to the individual switches; on the other hand, the management server modifies and adjusts the control rules as the service types of the front-end devices change, which ensures that access control is enforced accurately and adjusted promptly.
As shown in fig. 2, a schematic flow chart of a distributed terminal admission control method provided in an embodiment of the present application is applied to a distributed monitoring system that at least includes a management server, a plurality of switches, and a front-end device, where the front-end device accesses the distributed monitoring system through the switch, and the switch is configured with a control rule. Specifically, the method comprises the following steps:
step S201, when the front-end device connected to the switch starts a new service, the switch updates the control rule configured by the switch according to the control rule update instruction sent by the management server.
Wherein, the control rule update indication includes the access authority information opened by the management server when executing the new service to the front-end device.
The processing of this step is an update process of the control rule, that is, the control rule is updated in a targeted manner due to the change of the service type of the front-end device (a new service is started). Since the front-end device may generate message interaction with a new network-side device or a new interface after starting a new service, the content of the corresponding control rule needs to be adjusted.
It should be further noted that, before the adjustment is performed, the initial content of the control rule configured in the switch is:
of the messages received from the front-end devices connected to the switch, only registration messages are forwarded to the management server; all other messages are discarded.
Under this initial content, until a front-end device has been verified as legitimate through registration, the switch forwards only registration messages, because a front-end device cannot have any legitimate service interaction other than registration before it has registered with the management server. This control rule prevents illegitimate messages from reaching the management server and also avoids the vulnerability problem described in the Background.
Correspondingly, before this step, a registration process of the front-end device is further included, which is specifically described as follows:
when the control rule configured by the switch is the initial content, the switch identifies whether the received message sent by the front-end equipment connected with the switch is a registration message.
If the identification result is negative, the message is discarded directly. If it is positive, the switch adds its own network address information and the information of the port connected to the front-end device to the message and forwards the message to the management server. From this registration message the management server registers the corresponding front-end device and, once registration succeeds, stores the switch network address information and port information carried in the message for use in the subsequent control rule interaction.
When the switch receives the registration confirmation instruction returned by the management server, it sends the registration confirmation instruction to the front-end device. This completes the registration of the front-end device. The management server side controls the service types of the front-end device: when the front-end device needs to start a new service it must request this from the management server, so when the management server confirms that the service may be started it also learns promptly of the latest change of service type on the front-end device, which in turn can trigger the adjustment of the management rules.
Specifically, in the corresponding management rule adjustment process, the control rule update instruction is handled as follows:
as described above, the management server side controls the service type of the front-end device, and when the front-end device connected to the switch starts a new service, the management server determines the device to which the front-end device is allowed to access and the device port to which the front-end device is allowed to access in the new service.
Based on the above processing, the management server learns the latest change of the service type in the front-end device in time, and therefore triggers the corresponding control rule adjustment process.
First, the management server generates a control rule item that takes the network address information of the front-end device as the source address information, the network address information of the device the front-end device is allowed to access as the destination address information, and the port information of the device port the front-end device is allowed to access as the destination port information. The network address information of the front-end device may be obtained from the registration message or from the current service adjustment request, and the network address information of the device, and the port information of the device port, that the front-end device is allowed to access are determined in the preceding step.
Then, the management server sends a control rule update instruction carrying the control rule item to the switch identified by the network address information of the switch corresponding to the front-end device, so that the switch updates the content of its control rule corresponding to the port connected to the front-end device. The network address information of the switch corresponding to the front-end device and the information of the port connected to the front-end device were added to the registration message by the switch and sent to the management server at registration time.
Through the above processing procedure, the switch completes the adjustment of the new service for the front-end equipment to the self-configured control rule.
Step S202, the switch determines whether the forwarding information of the received new service packet sent by the front-end device connected to the switch itself conforms to the updated control rule.
The switch performs access control on the message sent by the front-end equipment according to the updated control rule.
If yes, executing step S203;
if not, go to step S204.
Step S203, the switch forwards the service packet to a corresponding interface.
Step S204, the switch discards the service message.
It should further be explained that the procedure above adjusts the control rules for a newly added service; in a specific application scenario there is also the case in which the front-end device releases an existing service, and then the control rule content corresponding to the released service must be deleted. The specific procedure is as follows:
as described above, the management server side controls the service types of the front-end device, and when the front-end device connected to the switch ends a service, the management server likewise determines the device, and the device port, that the front-end device was allowed to access in the released service.
Based on this, the management server learns promptly of the latest change of service type on the front-end device, and the switch deletes the control rule content corresponding to the ended service from its configured control rules according to the control rule deletion instruction sent by the management server.
This deletion ensures that the control rules are adjusted promptly as the service types of the front-end devices change. Control rules that are no longer needed are removed at once, so that illegitimate messages cannot be forwarded through gaps left by stale control rules, and the security of the monitoring system is maintained.
The technical solutions in the present application will be described clearly and completely with reference to the accompanying drawings in the present application, and it is obvious that the described embodiments are some, not all embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Next, a case where the switch performs access control of the front-end device by using a control rule in the distributed monitoring system will be described by taking the networking structure of the distributed monitoring system shown in fig. 3 as an example.
In the distributed monitoring system, a video management server (IP address 192.168.1.11) serves as the management server, and three access switches are connected in a distributed manner through switch SW4 (IP address 192.168.1.1): SW1 (IP address 192.168.2.1), SW2 (IP address 192.168.3.1) and SW3 (IP address 192.168.4.1). IPC1 (IP address 192.168.2.22) accesses SW1 through port Ethernet0/1, IPC2 (IP address 192.168.3.23) accesses SW2 through port Ethernet0/2, and IPC3 (IP address 192.168.4.24) accesses SW3 through port Ethernet0/3. The registration port of the video management server is 5061.
In this embodiment, the control rule is specifically described by taking an ACL rule as an example, in an actual application scenario, control rules in other formats may also be applied to the technical solution provided in this embodiment, and such a change does not affect the protection scope of this application.
As shown in fig. 4, a schematic flow chart of a distributed terminal admission control method in a specific application scenario proposed in the embodiment of the present application is shown, where the method specifically includes:
step S401, initializing ACL rules on each switch.
In the initial state, that is, before any front-end device connected to the switch has been admitted, the ACL rules allow only registration messages to pass. These initial ACL rules are likewise configured or activated by the video management server, which, as described above, receives the national-standard registration of the front-end equipment on UDP port 5061.
Correspondingly, taking switch SW1 as an example, the ACL rule initially configured in SW1 is as follows:
(ACL rule listing for SW1, reproduced as an image in the original; summarized below.)
That is, port Ethernet0/1 applies ACL rule 3001, which allows registration messages from any source to be sent to port 5061.
The SW2 and SW3 are configured in the same way as SW1, and are not repeated here.
Step S402, the switch receives the registration message of the front-end equipment.
SW1 will be explained as an example.
IPC1 sends a registration message to SW1 whose destination IP is the IP address of the video management server and whose destination port is 5061; 34010600001320000001 is the national-standard device ID of IPC1. The corresponding registration message is, for example, as follows:
(Registration message from IPC1, reproduced as an image in the original.)
SW1 receives the above message from IPC1 on port Ethernet0/1, identifies the REGISTER keyword by parsing the message fields, and confirms that it is a registration message.
In step S403, the switch attaches its own IP address and the local port number (the switch physical port) to the registration message, and then forwards the message to the video management server.
SW1 attaches its own IP address and local port number (the switch physical port) to the above registration message (shown in bold underlined font in the figure of the original). Once the modification is complete, SW1 sends the modified message on to the video management server according to the message's destination IP.
And S404, after receiving the registration message, the video management server performs authentication.
And the video management server authenticates the registration message according to the added equipment information and confirms whether the front-end equipment corresponding to the registration message is legal equipment.
If the authentication is successful, step S405 is performed.
If the authentication fails, the registration request of the front-end device is rejected; that process is outside the scope of this application and is not described further here.
In step S405, the video management server extracts the information added by the switch (i.e., the SWIP and SWPORT information) from the registration message, and thereby obtains the address of the access switch and the physical port of IPC1.
Step S406, the video management server sends a registration success message response to the IPC1 through SW 1.
The video management server completes the registration process of the front-end equipment IPC.
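The registration exchange of steps S402 to S405, as an added example that is not code from the patent or from the applicant. The switch recognises a SIP REGISTER arriving on a front-end port, appends its own address and the physical port as two header lines, and forwards the message; the video management server then parses those lines to learn which switch and port the device sits behind. The header names SWIP and SWPORT follow the patent text, but their encoding as SIP-style header lines, the sample REGISTER message (constructed, using the device ID and addresses from the embodiment) and the hardening step in which the switch first discards any SWIP/SWPORT lines the device itself supplied are assumptions of this example; that last step matters because a device that could forge its switch location would cause the server to push its whitelist to the wrong access port.

```python
"""Registration-message tagging (switch side) and extraction (VMS side).
Added example; not the patent's or the vendor's code. Header encoding and the
sample message are assumptions."""
import re

VMS_IP = "192.168.1.11"
REG_PORT = 5061

# Constructed sample: national-standard style SIP REGISTER from IPC1 (192.168.2.22)
SAMPLE_REGISTER = (
    "REGISTER sip:34010600001320000001@192.168.1.11:5061 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.2.22:5060;branch=z9hG4bK1234\r\n"
    "From: <sip:34010600001320000001@3401060000>;tag=abcd\r\n"
    "To: <sip:34010600001320000001@3401060000>\r\n"
    "Call-ID: 1@192.168.2.22\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:34010600001320000001@192.168.2.22:5060>\r\n"
    "Max-Forwards: 70\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

_HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def is_register(msg: str) -> bool:
    """Step S402: the switch only needs the request line; the method must be REGISTER."""
    first_line = msg.split("\r\n", 1)[0]
    return first_line.split(" ", 1)[0] == "REGISTER"


def switch_tag_register(msg: str, sw_ip: str, sw_port: str) -> str:
    """Step S403 (switch side): append SWIP/SWPORT before the blank line that ends
    the headers. Any SWIP/SWPORT lines already present (supplied by the device) are
    dropped first, so the location the VMS sees is always the switch's own claim.
    Non-REGISTER messages are returned untouched."""
    if not is_register(msg):
        return msg
    head, sep, body = msg.partition("\r\n\r\n")
    if not sep:
        raise ValueError("malformed SIP message: no end of headers")
    lines = [l for l in head.split("\r\n")
             if not l.upper().startswith(("SWIP:", "SWPORT:"))]
    lines += [f"SWIP: {sw_ip}", f"SWPORT: {sw_port}"]
    return "\r\n".join(lines) + sep + body


def vms_parse_register(msg: str) -> dict:
    """Steps S404/S405 (VMS side): pull the 20-digit device ID, the device's own
    address from the Via header, and the access-switch location from SWIP/SWPORT.
    A message without the switch tag is refused, since the VMS could not know
    which switch to push the device's whitelist to."""
    head = msg.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    m = re.match(r"REGISTER sip:(\d{20})@", lines[0])
    if not m:
        raise ValueError("not a REGISTER with a 20-digit device ID")
    headers = {}
    for line in lines[1:]:
        hm = _HEADER_RE.match(line)
        if hm:
            headers[hm.group(1).upper()] = hm.group(2)
    if "SWIP" not in headers or "SWPORT" not in headers:
        raise ValueError("registration not tagged by an access switch")
    via = re.search(r"UDP\s+(\d+\.\d+\.\d+\.\d+)", headers.get("VIA", ""))
    return {
        "device_id": m.group(1),
        "device_ip": via.group(1) if via else None,
        "switch_ip": headers["SWIP"],
        "switch_port": headers["SWPORT"],
    }


def demo() -> dict:
    """IPC1 registers through SW1 (192.168.2.1) port Ethernet0/1."""
    tagged = switch_tag_register(SAMPLE_REGISTER, "192.168.2.1", "Ethernet0/1")
    return vms_parse_register(tagged)


if __name__ == "__main__":
    print(demo())
```

The returned record is exactly what step S405 needs: the device ID for authentication, and the switch address plus physical port that later tell the server where to send the control-rule update for this device.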
After that, when the IPC starts each service, step S407 is executed.
Step S407, the front-end device initiates a new service request to the video management server.
Step S408, based on the new service request, the video management server performs authorization response to the front-end equipment.
Step S409, the video management server sends a control rule update instruction to the switch.
The video management server sends an ACL rule to the switch according to the change in authorization for the new service of the front-end device, instructing the corresponding access switch to update its control rule; that is, a whitelist of the permissions for the relevant service, such as a list of IPs and ports, is pushed to the access port of the front-end device. Under the updated control rule, messages that match the whitelist (source IP address, source port, destination IP address and destination port) are allowed through by the switch, and all other messages are discarded.
In a specific application scenario, the video management server may send the ACL rules as SNMP messages or over telnet, or another method may be chosen as needed; such a change does not affect the protection scope of the present application. Note that the channel carrying these updates is itself security-critical: SNMPv1/v2c and telnet carry the rule contents and credentials in cleartext, so a deployment should confine them to a protected management network or use an authenticated, encrypted alternative, because anyone able to inject a rule update can open an access port to arbitrary traffic.
And step S410, the switch adjusts the locally configured control rule according to the received ACL rule.
Hereinafter, specific adjustment procedures of the control rules based on different service types are illustrated as follows, and for convenience of description and comparison, the control rules on SW1 are also illustrated as an example.
When IPC1 starts the upgrade service, the video management server determines that IPC1 needs to access port 21 (a fixed allocation) of the video management server and therefore issues the corresponding ACL rule; the adjusted control rule in SW1 is as follows:
(ACL rule listing for SW1 after the upgrade service is started, reproduced as an image in the original; summarized below.)
That is, port Ethernet0/1 applies ACL rule 3002, which allows registration messages from any source to port 5061 and allows messages from IPC1 to the Web port 80 and ftp port 21 of the video management server (IP 192.168.1.11).
When IPC1 starts the UDP or TCP live service, the video management server determines that IPC1 needs to access ports 10000, 10001 and 10002 of the MS (media forwarding server) and therefore issues the corresponding ACL rule; the adjusted control rule in SW1 is as follows:
(ACL rule listing for SW1 after the live service is started, reproduced as an image in the original; summarized below.)
That is, port Ethernet0/1 applies ACL rule 3002, which allows registration messages from any source to port 5061, allows messages from IPC1 to the Web port 80 and ftp port 21 of the video management server (IP 192.168.1.11), and allows messages from IPC1 to UDP and TCP ports 10000, 10001 and 10002 of the media forwarding server (IP 192.168.1.21).
When storage is configured for IPC1, the video management server determines that IPC1 needs to access port 3260 (a fixed port, the standard iSCSI port) of the storage device and therefore issues the corresponding ACL rule; the adjusted control rule in SW1 is as follows:
(ACL rule listing for SW1 after storage is configured, reproduced as an image in the original; summarized below.)
That is, port Ethernet0/1 applies ACL rule 3002, which allows registration messages from any source to port 5061, allows messages from IPC1 to the Web port 80 and ftp port 21 of the video management server (IP 192.168.1.11), allows messages from IPC1 to UDP and TCP ports 10000, 10001 and 10002 of the media forwarding server (IP 192.168.1.21), and allows messages from IPC1 to TCP port 3260 of the storage device (IP 192.168.1.31).
Further, based on the ACL rules, the present embodiment provides an ACL rule adjustment method in a service release scenario.
If IPC1 releases the live service at this point, a configuration deleting the live-service whitelist entries is issued:
(ACL rule listing for SW1 after the live service is released, reproduced as an image in the original; summarized below.)
That is, port Ethernet0/1 applies ACL rule 3002, which allows registration messages from any source to port 5061, allows messages from IPC1 to the Web port 80 and ftp port 21 of the video management server (IP 192.168.1.11), and allows messages from IPC1 to TCP port 3260 of the storage device (IP 192.168.1.31); the entries for the media forwarding server are gone.
Step S411, based on the updated ACL rule, the switch filters the received message.
Fig. 5 is a schematic diagram of an application scenario, proposed in the embodiment of the present application, in which IPC1 runs several services in turn. Switch SW1 matches the messages from IPC1 against the rules above, lets IPC1 reach only the devices and ports on the whitelist, and discards messages that do not match the whitelist.
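The rule lifecycle of steps S409 to S411 (whitelist built by the server, added and deleted on the switch per service, packets filtered against it), as an added example that is not code from the patent or from the applicant. The service-to-port table (upgrade: VMS ports 80 and 21; live: media forwarding server UDP and TCP 10000 to 10002; storage: TCP 3260) and all addresses are those of the embodiment; the data structures, the implicit deny, the treatment of source port as unrestricted, and the ``scenario`` walkthrough are assumptions of this example.

```python
"""Per-port service whitelist on an access switch: VMS builds rule items per
service, switch adds/removes them, switch filters packets (implicit deny).
Added example; not the patent's or the vendor's code."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

ANY = "any"
VMS_IP = "192.168.1.11"      # video management server
MS_IP = "192.168.1.21"       # media forwarding server
STORAGE_IP = "192.168.1.31"  # storage device
REG_PORT = 5061


@dataclass(frozen=True)
class Entry:
    """One permit entry: protocol, source IP (or ANY), destination IP, destination port."""
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Fixed allocations from the embodiment: which (proto, dst, dport) each service needs.
SERVICE_PORTS: Dict[str, Tuple[Tuple[str, str, int], ...]] = {
    "upgrade": (("tcp", VMS_IP, 80), ("tcp", VMS_IP, 21)),
    "live": tuple((p, MS_IP, port) for port in (10000, 10001, 10002) for p in ("udp", "tcp")),
    "storage": (("tcp", STORAGE_IP, 3260),),
}


def vms_rule_items(device_ip: str, service: str) -> FrozenSet[Entry]:
    """VMS side: control-rule items for one service of one device (source = device IP,
    destination = allowed device, destination port = allowed port)."""
    return frozenset(Entry(proto, device_ip, dst, dport) for proto, dst, dport in SERVICE_PORTS[service])


class AccessSwitch:
    def __init__(self) -> None:
        self.acl: Dict[str, Set[Entry]] = {}  # physical port -> permit entries

    def init_port(self, port: str) -> None:
        """Step S401: the initial ACL on a front-end port admits only registration."""
        self.acl[port] = {Entry("udp", ANY, VMS_IP, REG_PORT)}

    def apply_update(self, port: str, items: FrozenSet[Entry]) -> None:
        """Step S410: control-rule update instruction received from the VMS."""
        self.acl[port] |= items

    def apply_delete(self, port: str, items: FrozenSet[Entry]) -> None:
        """Control-rule deletion instruction when a service is released; the
        registration entry is never part of a service's items, so it survives."""
        self.acl[port] -= items

    def permits(self, port: str, pkt: Packet) -> bool:
        """Step S411: forward only if some entry on this port matches; else drop."""
        for e in self.acl.get(port, ()):
            if (e.proto == pkt.proto and e.src in (ANY, pkt.src)
                    and e.dst == pkt.dst and e.dport == pkt.dport):
                return True
        return False


def scenario() -> dict:
    """IPC1 on SW1 Ethernet0/1: register, start upgrade, live and storage, then release live."""
    ipc1, port = "192.168.2.22", "Ethernet0/1"
    sw1 = AccessSwitch()
    sw1.init_port(port)
    live_pkt = Packet("udp", ipc1, 40000, MS_IP, 10000)
    results = {"live_before": sw1.permits(port, live_pkt)}
    for svc in ("upgrade", "live", "storage"):
        sw1.apply_update(port, vms_rule_items(ipc1, svc))
    results["live_during"] = sw1.permits(port, live_pkt)
    results["reg"] = sw1.permits(port, Packet("udp", ipc1, 5060, VMS_IP, REG_PORT))
    results["ssh_to_vms"] = sw1.permits(port, Packet("tcp", ipc1, 40001, VMS_IP, 22))
    results["storage"] = sw1.permits(port, Packet("tcp", ipc1, 40002, STORAGE_IP, 3260))
    sw1.apply_delete(port, vms_rule_items(ipc1, "live"))
    results["live_after"] = sw1.permits(port, live_pkt)
    results["entries_after"] = len(sw1.acl[port])
    return results


if __name__ == "__main__":
    print(scenario())
```

Two properties of the design are visible in the walkthrough: a packet to the media forwarding server is dropped before the live service is authorized and again after it is released, and a packet from the camera to a port the server never opened (SSH on the VMS) is dropped throughout. The source-IP match is only meaningful because the entries are bound to the camera's physical port; a source-IP permit applied network-wide would be trivially spoofable.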
The foregoing description process takes SW1 as an example, and in a specific application scenario, each front-end device may access through different switches, and the video management server sends a white list rule to multiple security admission switches to implement distributed service-level admission.
Fig. 6 is a schematic view illustrating a scenario where a video management server configures a control rule (the aforementioned white list) to a plurality of switches in a specific application scenario proposed in the embodiment of the present application.
As shown in FIG. 6, after IPC2 initiates registration, SW2 modifies the registration message to attach the IP address of SW2 and the IPC2 access port Ethernet0/2;
after IPC3 initiates registration, SW3 modifies the registration message to attach the IP address of SW3 and the IPC3 access port Ethernet0/3;
after the video management server passes the registration and authentication, when the IPC new service is started each time, the corresponding IPC2 white list is issued to SW2, and the corresponding IPC3 white list is issued to SW 3. And SW2 and SW3 add configuration corresponding ACL rules. The specific processing is described with reference to the foregoing description.
Specifically, an example of the ACL rule configured by the switch SW2 is as follows:
That is, port Ethernet0/2 applies ACL rule 3002, which allows registration messages from any source to port 5061, allows messages from IPC2 to the Web port 80 and ftp port 21 of the video management server (IP 192.168.1.11), allows messages from IPC2 to UDP and TCP ports 10000, 10001 and 10002 of the media forwarding server (IP 192.168.1.21), and allows messages from IPC2 to TCP port 3260 of the storage device (IP 192.168.1.31).
The ACL rule configured by switch SW3 is as follows:
(ACL rule listing for SW3, reproduced as an image in the original; summarized below.)
That is, port Ethernet0/3 applies ACL rule 3002, which allows registration messages from any source to port 5061, allows messages from IPC3 to the Web port 80 and ftp port 21 of the video management server (IP 192.168.1.11), allows messages from IPC3 to UDP and TCP ports 10000, 10001 and 10002 of the media forwarding server (IP 192.168.1.21), and allows messages from IPC3 to TCP port 3260 of the storage device (IP 192.168.1.31).
In order to more clearly illustrate the solutions provided by the foregoing embodiments of the present application, based on the same inventive concept as the foregoing method, the embodiments of the present application further provide a switch, whose schematic structural diagram is shown in fig. 7. The switch is applied to a distributed monitoring system at least comprising a management server, a plurality of switches and front-end equipment, wherein the front-end equipment is accessed to the distributed monitoring system through the switch, a control rule is configured in the switch, and the switch specifically comprises:
a communication module 71, configured to communicate with the front-end device connected to the switch and the management server;
a management module 72, configured to update a control rule currently configured by the switch according to a control rule update instruction sent by the management server and received by the communication module 71 when a front-end device connected to the switch starts a new service, where the control rule update instruction includes access right information opened when the management server executes the new service on the front-end device;
a determining module 73, configured to determine whether forwarding information of the new service packet, which is received by the communication module 71 and sent by the front-end device connected to the switch, conforms to the control rule updated by the management module 72;
a processing module 74, configured to notify the communication module 71 to forward the service packet to the corresponding interface when the determining module 73 finds that it conforms to the control rule, and to discard the service packet when the determining module 73 finds that it does not.
Preferably, the initial content of the control rule configured in the switch is:
and in the received messages sent by the self-connected front-end equipment, only the registration messages are allowed to be forwarded to the management server, and the rest messages are discarded.
Preferably,
the determining module 73 is further configured to, when the control rule configured by the switch is an initial content, identify whether a message received by the communication module 71 and sent by the front-end device connected to the communication module is a registration message;
the communication module 71 is further configured to, if the identification result of the determining module 73 is yes, add the network address information of the switch and the port information of the switch connected to the front-end device to the message, and forward the message to the management server, so that the management server registers the front-end device, and after the registration is successful, store the network address information and the port information of the switch, and, when receiving a registration confirmation instruction returned by the management server, send the registration confirmation instruction to the front-end device.
Preferably, the processing procedure of the control rule update indication specifically includes:
when the front-end equipment connected with the switch starts a new service, the management server determines a port of equipment allowing the front-end equipment to access in the new service;
the management server generates a control rule item which takes the network address information of the front-end equipment as source address information, the network address information of the equipment allowing the front-end equipment to access as destination address information and the port information of the equipment port allowing the front-end equipment to access as destination port information;
and the management server sends a control rule updating instruction carrying the control rule item to the switch according to the network address information of the switch corresponding to the front-end equipment, so that the switch updates the content corresponding to the port connected with the front-end equipment in the control rule of the switch.
Preferably,
the management module 72 is further configured to, when the front-end device connected to the switch ends a service, delete a control rule content corresponding to the ended service from the control rules configured by the switch according to the control rule deletion instruction sent by the management server and received by the communication module 71.
Through the above description of the embodiments, it is clear to those skilled in the art that the embodiments of the present invention may be implemented by hardware, or by software plus a necessary general hardware platform. Based on such understanding, the technical solution of the embodiment of the present invention may be embodied in the form of a software product, where the software product may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions to enable a computer device (which may be a personal computer, a server, or a network-side device, etc.) to execute the method described in each embodiment of the present invention.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to implement embodiments of the present invention.
Those skilled in the art will appreciate that the modules in the devices in the implementation scenario may be distributed in the devices in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The sequence numbers of the embodiments of the present invention are only for description, and do not represent the advantages and disadvantages of the implementation scenarios.
The above disclosure is only a few specific implementation scenarios of the embodiments of the present invention, but the embodiments of the present invention are not limited thereto, and any variations that can be considered by those skilled in the art should fall within the scope of the business limitations of the embodiments of the present invention.

Claims (10)

1. A distributed terminal admission control method is applied to a distributed monitoring system at least comprising a management server, a plurality of switches and front-end equipment, wherein the front-end equipment is accessed to the distributed monitoring system through the switches, and control rules based on service types are configured in the switches, and the method specifically comprises the following steps:
when the front-end equipment connected with the switch starts a new service, the switch updates the control rule configured by the switch according to a control rule updating instruction sent by the management server, wherein the control rule updating instruction comprises access authority information opened when the management server executes the new service on the front-end equipment;
the switch judges whether the forwarding information of the received message of the new service sent by the front-end equipment connected with the switch per se meets the updated control rule or not;
if the forwarding information does not conform to the updated control rule, the switch discards the service message.
2. The method of claim 1, wherein the initial content of the control rule configured in the switch is:
and in the received messages sent by the self-connected front-end equipment, only the registration messages are allowed to be forwarded to the management server, and the rest messages are discarded.
3. The method of claim 2, wherein before the switch-connected front-end device initiates a new traffic operation, further comprising:
when the control rule configured by the switch is initial content, the switch identifies whether the received message sent by the front-end equipment connected with the switch is a registration message or not;
if the identification result is yes, the switch adds the network address information of the switch and the port information connected with the front-end equipment into the message, and forwards the message to the management server, so that the management server registers the front-end equipment, and stores the network address information and the port information of the switch after the registration is successful;
and when the switch receives a registration confirmation instruction returned by the management server, the switch sends the registration confirmation instruction to the front-end equipment.
4. The method according to claim 3, wherein the processing procedure of the control rule update indication is specifically:
when the front-end equipment connected with the switch starts a new service, the management server determines the equipment allowing the front-end equipment to access and the equipment port allowing the front-end equipment to access in the new service;
the management server generates a control rule item which takes the network address information of the front-end equipment as source address information, the network address information of the equipment allowing the front-end equipment to access as destination address information and the port information of the equipment port allowing the front-end equipment to access as destination port information;
and the management server sends a control rule updating instruction carrying the control rule item to the switch according to the network address information of the switch corresponding to the front-end equipment, so that the switch updates the content corresponding to the port connected with the front-end equipment in the control rule of the switch.
5. The method of claim 1, further comprising:
when the front-end equipment connected with the switch finishes the service, the switch deletes the control rule content corresponding to the finished service in the control rules configured by the switch according to the control rule deletion instruction sent by the management server.
6. A switch, applied to a distributed monitoring system at least comprising a management server, a plurality of switches and front-end equipment, wherein the front-end equipment accesses the distributed monitoring system through the switch and a control rule based on service type is configured in the switch, the switch specifically comprising:
the communication module is used for communicating with the front-end equipment connected with the switch and the management server;
the management module is configured to update a control rule currently configured by the switch according to a control rule update instruction sent by the management server and received by the communication module when a front-end device connected to the switch starts a new service, where the control rule update instruction includes access right information opened by the management server when the management server executes the new service on the front-end device;
the judging module is used for judging whether the forwarding information of the new service message, which is received by the communication module and sent by the front-end equipment connected with the switch, conforms to the control rule updated by the management module;
and the processing module is used for informing the communication module to forward the service message to the corresponding interface when the judgment result of the judgment module is in conformity, and discarding the service message when the judgment result of the judgment module is not in conformity.
7. The switch of claim 6, wherein the initial content of the control rule configured in the switch is:
and in the received messages sent by the self-connected front-end equipment, only the registration messages are allowed to be forwarded to the management server, and the rest messages are discarded.
8. The switch of claim 7,
the judging module is further configured to identify whether a message received by the communication module and sent by a front-end device connected to the communication module is a registration message when the control rule configured by the switch is an initial content;
the communication module is further configured to add, when the identification result of the determination module is yes, the network address information of the switch and the port information of the switch connected to the front-end device to the message, forward the message to the management server, so that the management server registers the front-end device, store the network address information and the port information of the switch after the registration is successful, and send, when receiving a registration confirmation instruction returned by the management server, the registration confirmation instruction to the front-end device.
9. The switch according to claim 8, wherein the processing procedure of the control rule update indication is specifically:
when the front-end equipment connected with the switch starts a new service, the management server determines a port of equipment allowing the front-end equipment to access in the new service;
the management server generates a control rule item which takes the network address information of the front-end equipment as source address information, the network address information of the equipment allowing the front-end equipment to access as destination address information and the port information of the equipment port allowing the front-end equipment to access as destination port information;
and the management server sends a control rule updating instruction carrying the control rule item to the switch according to the network address information of the switch corresponding to the front-end equipment, so that the switch updates the content corresponding to the port connected with the front-end equipment in the control rule of the switch.
10. The switch of claim 6,
the management module is further configured to delete, when the front-end device connected to the switch ends a service, a control rule content corresponding to the ended service from the control rules configured by the switch according to the control rule deletion instruction sent by the management server and received by the communication module.
CN201610797251.6A 2016-08-31 2016-08-31 Distributed terminal access control method and device Active CN106411852B (en)

Publications (2)

Publication Number Publication Date
CN106411852A CN106411852A (en) 2017-02-15
CN106411852B true CN106411852B (en) 2020-01-14

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109218323A (en) * 2018-09-28 2019-01-15 山东超越数控电子股份有限公司 A kind of remote configuring method for firewall box
CN110830484A (en) * 2019-11-13 2020-02-21 深圳市信锐网科技术有限公司 Data message processing method and device, intranet switch and storage medium
CN112417402B (en) * 2020-11-27 2024-04-12 亿企赢网络科技有限公司 Authority control method, authority control device, authority control equipment and storage medium
CN113489639B (en) * 2021-06-16 2022-12-02 杭州深渡科技有限公司 Gateway multi-interface data communication method and system

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1764971A1 (en) * 2005-09-20 2007-03-21 Accenture Global Services GmbH Third party access gateway for telecommunications services
CN101453377A (en) * 2008-12-15 2009-06-10 华为技术有限公司 Method, apparatus and system for suppressing redundant interaction of access node control protocol
CN102316119A (en) * 2011-10-12 2012-01-11 杭州华三通信技术有限公司 Security control method and equipment
CN102333099A (en) * 2011-10-27 2012-01-25 杭州华三通信技术有限公司 Security control method and equipment
CN102571511A (en) * 2010-12-29 2012-07-11 中国移动通信集团山东有限公司 Local area network access control system and method, and server
CN103684848A (en) * 2013-10-24 2014-03-26 浙江中控研究院有限公司 Non-management type industrial Ethernet switch capable of automatic configuration and realization method of switch
CN105009521A (en) * 2013-12-23 2015-10-28 华为技术有限公司 Message processing method and gateway
CN105491007A (en) * 2015-11-13 2016-04-13 浙江宇视科技有限公司 Video monitoring system safe admission method and apparatus
CN105812257A (en) * 2014-12-29 2016-07-27 中兴通讯股份有限公司 Business chain router management system and use method thereof
CN105871772A (en) * 2015-01-18 2016-08-17 吴正明 Working method of SDN network architecture aimed at network attack

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9894100B2 (en) * 2014-12-30 2018-02-13 Fortinet, Inc. Dynamically optimized security policy management

CN105915565B (en) Authentication method, device and system
US20240007440A1 (en) Persistent IP address allocation for virtual private network (VPN) clients
CN113992412B (en) Implementation method of cloud native firewall and related equipment
US20230319684A1 (en) Resource filter for integrated networks
US20220278960A1 (en) Systems and methods for dynamic access control for devices over communications networks
CN117914505A (en) Method and equipment for controlling terminal to safely access Internet and intranet

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant