CN107634884B - Cloud networking behavior management system and method based on virtual private dial-up network - Google Patents


Info

Publication number
CN107634884B
CN107634884B
Authority
CN
China
Prior art keywords
network data
network
equipment
management platform
centralized
Legal status
Active
Application number
CN201710753470.9A
Other languages
Chinese (zh)
Other versions
CN107634884A (en
Inventor
文曦畅
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a cloud internet behavior management system and method based on a virtual private dial-up network (VPDN). The system comprises a forwarding device, a concentrator device (the "centralized device" of the claims), a cloud management platform and at least one internet access device; the forwarding device and the concentrator device are connected point-to-point, and the concentrator device and the cloud management platform are connected by a link. The forwarding device acquires the network data of the internet access device and forwards it to the concentrator device; the concentrator device receives the network data uploaded by the forwarding device, encapsulates it and sends the processed network data to the cloud management platform; the cloud management platform receives and analyzes the processed network data uploaded by the concentrator device and manages the internet access behavior of the internet access device accordingly. Because the concentrator device is interposed, the forwarding device only needs a point-to-point dial-up capability to connect to it, yet a network tunnel is established between the forwarding device and the cloud management platform, which reduces the operating cost of internet behavior management.

Description

Cloud networking behavior management system and method based on virtual private dial-up network
Technical Field
The invention relates to the technical field of communication, in particular to a cloud networking behavior management system and method based on a virtual private dial-up network.
Background
Currently, many organizations such as enterprises and governments purchase large numbers of forwarding devices, whether virtualized forwarding devices, endpoint-protection security software or hardware forwarding devices, and deploy them, for example as internet behavior management devices or firewall devices. Such deployments are generally large in scale and mostly sit at the network egress of the organization.
In the prior art, such large-scale forwarding devices are widely used for auditing the organization's internet behavior, controlling traffic, protecting servers and the intranet, and so on, but dedicated internet behavior management devices are generally expensive.
Disclosure of Invention
The invention mainly aims to provide a cloud internet behavior management system and method based on a virtual private dial-up network, in order to solve the technical problem that, in the prior art, internet behavior management by dedicated internet behavior management devices is too costly.
To achieve the above object, the invention provides a cloud internet behavior management system based on a virtual private dial-up network, the system comprising a forwarding device, a concentrator device, a cloud management platform and at least one internet access device, wherein each internet access device is connected to the forwarding device, the forwarding device and the concentrator device establish a point-to-point connection, and the concentrator device and the cloud management platform establish a link connection;
the forwarding device is configured to acquire network data of the internet access device and forward the network data to the concentrator device;
the concentrator device is configured to receive the network data uploaded by the forwarding device, encapsulate the network data and send the processed network data to the cloud management platform;
the cloud management platform is configured to receive the processed network data uploaded by the concentrator device, analyze and process it, and manage the internet access behavior of the internet access device according to the result of the analysis and processing.
Preferably, the network data includes first authentication information;
the concentrator device is further configured to receive the first authentication information uploaded by the forwarding device and authenticate the internet access device according to it.
Preferably, the concentrator device is further configured to receive the network data uploaded by the forwarding device, perform Layer 2 tunnel packet encapsulation on it and, after encapsulation, send a request for establishing a Layer 2 tunnel to the cloud management platform.
Preferably, the cloud management platform comprises a Layer 2 tunnel network server;
the Layer 2 tunnel network server is configured to receive the Layer 2 tunnel establishment request sent by the concentrator device and establish a network tunnel with the forwarding device according to it.
Preferably, the request for establishing the Layer 2 tunnel includes second authentication information;
the Layer 2 tunnel network server is further configured to receive the second authentication information sent by the concentrator device and authenticate the internet access device according to it.
Further, to achieve the above object, the invention also provides a cloud internet behavior management method based on a virtual private dial-up network, applied to a cloud internet behavior management system based on a virtual private dial-up network, the system comprising a forwarding device, a concentrator device, a cloud management platform and at least one internet access device; the method comprises the following steps:
the forwarding device acquires the network data of the internet access device and forwards it to the concentrator device;
the concentrator device receives the network data uploaded by the forwarding device, encapsulates it and sends the processed network data to the cloud management platform;
and the cloud management platform receives the processed network data uploaded by the concentrator device, analyzes and processes it, and manages the internet access behavior of the internet access device according to the result of the analysis and processing.
Preferably, the network data includes first authentication information;
before the step in which the concentrator device receives the network data uploaded by the forwarding device, encapsulates it and sends the processed network data to the cloud management platform, the method comprises:
the concentrator device receiving the first authentication information uploaded by the forwarding device and authenticating the internet access device according to it.
Preferably, the step in which the concentrator device receives the network data uploaded by the forwarding device and encapsulates it comprises:
the concentrator device receiving the network data uploaded by the forwarding device, performing Layer 2 tunnel message encapsulation on it and, after encapsulation, sending a request for establishing a Layer 2 tunnel to the cloud management platform.
Preferably, the cloud management platform comprises a Layer 2 tunnel network server;
before the step in which the cloud management platform receives the processed network data uploaded by the concentrator device, analyzes and processes it and manages the internet access behavior of the internet access device according to the result, the method comprises:
the Layer 2 tunnel network server receiving the Layer 2 tunnel establishment request sent by the concentrator device and establishing a network tunnel with the forwarding device according to it.
Preferably, the request for establishing the Layer 2 tunnel includes second authentication information;
before the network tunnel is established with the forwarding device according to the request, the method comprises:
the Layer 2 tunnel network server receiving the second authentication information sent by the concentrator device and authenticating the internet access device according to it.
Because a concentrator device is interposed, the forwarding device only needs a point-to-point function to connect to it, yet a network tunnel is established between the forwarding device and the cloud management platform, which reduces the operating cost of internet behavior management.
Drawings
Fig. 1 is a block diagram of a first embodiment of the cloud internet behavior management system based on a virtual private dial-up network according to the present invention;
Fig. 2 is a network topology diagram of the cloud internet behavior management system based on a virtual private dial-up network according to the present invention;
Fig. 3 is a block diagram of a second embodiment of the cloud internet behavior management system based on a virtual private dial-up network according to the present invention;
Fig. 4 is a block diagram of a third embodiment of the cloud internet behavior management system based on a virtual private dial-up network according to the present invention;
Fig. 5 is a schematic diagram of the structure produced when the LAC performs L2TP message encapsulation on a PPPoE message;
Fig. 6 is a block diagram of a fourth embodiment of the cloud internet behavior management system based on a virtual private dial-up network according to the present invention;
Fig. 7 is a block diagram of a fifth embodiment of the cloud internet behavior management system based on a virtual private dial-up network according to the present invention;
Fig. 8 is a schematic flowchart of a first embodiment of the cloud internet behavior management method based on a virtual private dial-up network according to the present invention;
Fig. 9 is a flowchart of a second embodiment of the cloud internet behavior management method based on a virtual private dial-up network according to the present invention;
Fig. 10 is a flowchart of a third embodiment of the cloud internet behavior management method based on a virtual private dial-up network according to the present invention;
Fig. 11 is a schematic flowchart of a fourth embodiment of the cloud internet behavior management method based on a virtual private dial-up network according to the present invention;
Fig. 12 is a schematic flowchart of a fifth embodiment of the cloud internet behavior management method based on a virtual private dial-up network according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a block diagram of a first embodiment of the cloud internet behavior management system based on a virtual private dial-up network according to the present invention. The system comprises the cloud management platform 10, the forwarding device 20, the internet access device 30 and the concentrator device 40 (also referred to as the centralized or central device). The forwarding device 20 and the concentrator device 40 are connected point-to-point, the concentrator device 40 establishes a link connection with the cloud management platform 10, and the connection between the forwarding device 20 and the internet access device 30 is not limited and is set according to actual needs, for example a wired or a wireless connection.
In this embodiment, the type of the forwarding device 20 is not limited: any forwarding device with a point-to-point connection function will do, and other devices implementing the same or similar functions may also be used, which this embodiment does not restrict.
The forwarding device 20 is configured to obtain the network data of the internet access device and forward it to the concentrator device;
It should be noted that the forwarding device 20 establishes the point-to-point connection with the concentrator device by point-to-point dialing; this embodiment takes a Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) link as the example.
The concentrator device 40 is configured to receive the network data uploaded by the forwarding device, encapsulate it and send the processed network data to the cloud management platform;
It should be noted that the concentrator device can establish a point-to-point connection with the forwarding device, encapsulate Point-to-Point Protocol packets and perform Layer Two Tunneling Protocol (L2TP, RFC 2661) packet encapsulation; in this embodiment the concentrator device is an L2TP Access Concentrator (LAC).
It can be understood that the LAC may be deployed on a Network Access Server (NAS) or on a PPPoE server; in this embodiment the LAC is deployed on the PPPoE server.
As shown in fig. 2, a tenant reaches the forwarding device through the company local area network, the forwarding device 20 and the concentrator device 40 establish a Point-to-Point Protocol (PPP) link, the cloud management platform 10 is built on the public network and reached over a physical connection, and the concentrator device and the cloud management platform establish an L2TP link, so that the PPP session between the forwarding device and the cloud management platform is carried through an L2TP tunnel.
The cloud management platform 10 is configured to receive the processed network data uploaded by the concentrator device, analyze it, and manage the internet access behavior of the internet access device according to the analysis result.
The cloud management platform 10 can be built on a trusted public cloud, such as those provided by the traditional telecommunications operators China Mobile, China Unicom and China Telecom, on a local cloud computing platform under government control, or optionally on Alibaba Cloud (Aliyun), Tencent Cloud and the like.
The cloud management platform 10 further analyzes and processes the network data to manage the internet access behavior of the internet access device. It may provide a web management interface through which the internet access devices are configured, for example internet user configuration, browsing management, outgoing-data management, application management, traffic management, behavior analysis and other internet behavior management functions; the configuration operation may be a web operation interface or any other mode of operation that implements the same or similar functions, which is not limited here.
The cloud management platform 10 may present the analyzed data to the internet access device for display, and the device performs the corresponding operation and decision management based on it. For traffic analysis, the cloud management platform binds a unique identifier to each internet access device, and through that identifier it can analyze the internet usage of each device precisely, monitor the network and manage the user accordingly. For example, the cloud management platform performs traffic analysis on internet access device A, obtains its internet access duration within a certain period and provides an internet access trend graph for that period; traffic management of the device can then be based on this analysis, for instance by setting a rule that device A receives no network service during a set time, thereby achieving precise control of the device.
The analysis and processing performed by the cloud management platform 10 on the network data may include authentication, identification, control and auditing of the network data, through which the internet access behavior of the internet access device is managed.
In this embodiment, the cloud management platform 10 authenticates the network data and can configure and manage the internet access devices so that each device's network data is processed in its own way. For example, the cloud management platform may be set to serve internet access device B from 9:00 to 10:00 and internet access device C from 11:00 to 12:00; then only device B can be used at 9:30, and at 11:00 device B can no longer use the cloud management platform while only device C can.
The cloud management platform 10 can also control and identify network data, processing the network data of each internet access device independently and in isolation so that the devices do not affect one another, which makes the processing accurate. For example, the configuration management may apply internet traffic management to the network data of internet access device D and internet browsing management to the network data of internet access device E. For device D, traffic analysis is performed and a virtual channel is configured with an upper limit, traffic exceeding the upper limit being discarded, and a lower limit that reserves the necessary network bandwidth for key applications. For device E, the keywords typed into search boxes are identified, recorded and blocked, enforcing the legality of internet search content and preventing inappropriate keyword searches. Each device thus receives the service corresponding to its own configuration: after traffic management is configured for device D its network data is not subjected to browsing analysis, and after browsing management is configured for device E its network data is not subjected to traffic management.
The cloud management platform 10 audits the network data: it can summarize the internet access logs and statistically analyze them into visual reports such as traffic trends, risk trends, data-leakage trends and efficiency trends. For example, when estimating a user's internet access duration to assess how much the network affects work efficiency, the platform uses the internet access duration trend derived from the analyzed network data to produce a trend graph of access duration over a period of time, so that the degree of influence is shown more intuitively.
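The per-device management described above (rules bound to a device identifier, time windows, a virtual-channel upper limit, search-keyword blocking, and an audit summary of online duration) as an added Python example; this is not code from the patent or from Sangfor. The policy fields, the token-bucket enforcement of the upper limit, the device identifiers B, D, E and X, and the flow records are all constructed assumptions for the example, since the patent does not specify how its limits are enforced.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Optional


@dataclass
class DevicePolicy:
    """Rules for one internet access device, keyed by the unique identifier the platform binds to it."""
    device_id: str
    windows: list = field(default_factory=list)   # [(start, end)] wall-clock windows in which service is provided
    upper_kbytes_per_s: Optional[int] = None      # virtual-channel upper limit; traffic above it is discarded
    blocked_keywords: tuple = ()                  # search-box keywords to identify, record and block


@dataclass
class Flow:
    """One network-data record as handed to the analysis stage (constructed for this example)."""
    device_id: str
    ts: datetime
    nbytes: int
    search_query: Optional[str] = None


class BehaviorManager:
    def __init__(self, policies):
        self.policies = {p.device_id: p for p in policies}
        self.buckets = {}        # device_id -> (tokens, last_ts): token bucket enforcing the upper limit
        self.audit_log = []      # (ts, device_id, verdict, reason): the per-device internet log

    def _over_upper_limit(self, policy, flow):
        """Token bucket refilled at the upper limit with a one-second burst; False if the flow fits."""
        cap = policy.upper_kbytes_per_s * 1000
        tokens, last = self.buckets.get(flow.device_id, (cap, flow.ts))
        tokens = min(cap, tokens + cap * (flow.ts - last).total_seconds())
        if flow.nbytes > tokens:
            self.buckets[flow.device_id] = (tokens, flow.ts)
            return True
        self.buckets[flow.device_id] = (tokens - flow.nbytes, flow.ts)
        return False

    def decide(self, flow):
        """Apply only the rules configured for this device and record the verdict for auditing."""
        p = self.policies.get(flow.device_id)
        if p is None:
            verdict, reason = "drop", "device not bound to the platform"
        elif p.windows and not any(s <= flow.ts.time() < e for s, e in p.windows):
            verdict, reason = "drop", "outside permitted time window"
        elif flow.search_query and any(k in flow.search_query.lower() for k in p.blocked_keywords):
            verdict, reason = "drop", "blocked search keyword"
        elif p.upper_kbytes_per_s is not None and self._over_upper_limit(p, flow):
            verdict, reason = "drop", "over virtual-channel upper limit"
        else:
            verdict, reason = "forward", ""
        self.audit_log.append((flow.ts, flow.device_id, verdict, reason))
        return verdict

    def online_minutes_per_hour(self, device_id):
        """Audit summary: distinct active minutes per hour for one device (an online-duration trend)."""
        seen = defaultdict(set)
        for ts, dev, verdict, _ in self.audit_log:
            if dev == device_id and verdict == "forward":
                seen[ts.hour].add(ts.minute)
        return {hour: len(minutes) for hour, minutes in sorted(seen.items())}


def demo():
    """Constructed policies and flows mirroring devices B, D and E from the text; X is unregistered."""
    mgr = BehaviorManager([
        DevicePolicy("B", windows=[(time(9, 0), time(10, 0))]),
        DevicePolicy("D", upper_kbytes_per_s=100),
        DevicePolicy("E", blocked_keywords=("leak",)),
    ])
    t0 = datetime(2024, 1, 15, 9, 30)
    flows = [
        Flow("B", t0, 500),
        Flow("B", t0.replace(hour=11), 500),                        # outside B's 9:00-10:00 window
        Flow("D", t0, 90_000),
        Flow("D", t0 + timedelta(milliseconds=100), 90_000),         # second burst exceeds the 100 kB/s bucket
        Flow("E", t0, 300, search_query="how to LEAK the report"),
        Flow("E", t0 + timedelta(minutes=1), 300, search_query="quarterly report"),
        Flow("X", t0, 10),
    ]
    return mgr, [mgr.decide(f) for f in flows]


if __name__ == "__main__":
    manager, verdicts = demo()
    print(verdicts)
    print(manager.online_minutes_per_hour("B"))
```

The keyword and window checks are evaluated before the bandwidth bucket so that a dropped flow never consumes the device's channel budget; the audit log keeps the reason for every verdict, which is what the trend reports in the text are built from.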
The cloud management platform 10 may provide a management interface offering functions such as user authentication methods, application control rules and flow control, and may back up and migrate configurations rapidly.
The cloud management platform 10 may also send the analyzed and processed network data to the internet: it performs address translation on the private network address of the processed network data, converting it to a public network address, and then sends the processed data to the internet, so that the network data is shared in real time.
This embodiment interposes a concentrator device, so the forwarding device only needs a point-to-point function to connect to it; a network tunnel is established between the forwarding device and the cloud management platform, and the operating cost of internet behavior management is reduced.
Referring to fig. 3, fig. 3 is a block diagram of a second embodiment of the cloud internet behavior management system based on a virtual private dial-up network according to the present invention, provided on the basis of the first embodiment of the internet behavior management system.
In this embodiment, the network data includes first authentication information;
the concentrator device 40' is further configured to receive the first authentication information uploaded by the forwarding device and authenticate the internet access device according to it.
It should be noted that before the PPPoE messages uploaded by the internet access devices are encapsulated, the forwarding device may send authentication information; using it, the concentrator device sends a request for establishing the PPPoE link to the PPPoE server and determines whether the connecting internet access device is an authorized user. If it is, the concentrator device encapsulates its PPPoE messages; if not, the PPPoE messages are processed and forwarded in the ordinary way.
To improve network security, the authentication of the user accessing the internet may also be performed by another server, for example a Remote Authentication Dial-In User Service (RADIUS, RFC 2865) server: the authorized user accounts are stored on the RADIUS server, the account information received from the user is sent to it, and the server is queried as to whether that account is present. The internet access device can be authenticated in this way, but the embodiment is not limited to it and other methods may be used.
In this embodiment, the cloud management platform authenticates the internet access device that reports network data through the forwarding device, which improves the security of the cloud management platform.
Referring to fig. 4, fig. 4 is a block diagram of a third embodiment of the cloud internet behavior management system based on a virtual private dial-up network according to the present invention.
The concentrator device 40″ is further configured to receive the network data uploaded by the forwarding device, perform Layer 2 tunnel packet encapsulation on it and, after encapsulation, send a request for establishing a Layer 2 tunnel to the cloud management platform.
The concentrator device 40″ connects point-to-point with the forwarding device; once the PPPoE link with the forwarding device is established, it can L2TP-encapsulate the PPPoE traffic uploaded by the forwarding device and then send the Layer 2 tunnel establishment request to the cloud management platform.
To L2TP-encapsulate a PPPoE message, an L2TP header is added in front of the PPP frame and the result is carried as the payload of a UDP datagram (L2TP uses UDP port 1701); fig. 5 shows the structure produced when the LAC performs L2TP encapsulation of a PPPoE message.
After the PPPoE link with the forwarding device is established, the PPPoE messages uploaded by the forwarding device are received. Each carries the PPPoE session information and other link information such as the Virtual Local Area Network (VLAN) tag and Media Access Control (MAC) addresses; the LAC adds the L2TP header and the User Datagram Protocol (UDP) header to the PPP frame, followed by the outer Internet Protocol (IP) header addressed to the cloud management platform.
In this embodiment, the concentrator device encapsulates PPPoE messages into L2TP messages, so that an L2TP link is established between the concentrator device and the cloud management platform and the network data is transmitted through that tunnel. Note that L2TP itself (RFC 2661) tunnels the PPP frames without encrypting them, so confidentiality of the network data on the public-network leg between the concentrator and the platform requires an additional layer, typically IPsec (L2TP/IPsec, RFC 3193).
Referring to fig. 6, fig. 6 is a block diagram of a fourth embodiment of the cloud internet behavior management system based on a virtual private dial-up network according to the present invention, provided on the basis of the third embodiment of the internet behavior management system.
In this embodiment, the cloud management platform 10 includes a Layer 2 tunnel network server 50, exemplified by an L2TP Network Server (LNS).
The Layer 2 tunnel network server 50 is configured to receive the Layer 2 tunnel establishment request sent by the concentrator device 40 and establish a network tunnel with the forwarding device according to it.
It should be noted that the LAC is a device attached to the switched network that has PPP end-system and L2TP protocol-processing capability. The LAC may be a Network Access Server (NAS), whose main role is to provide users with access service over the Public Switched Telephone Network (PSTN) or the Integrated Services Digital Network (ISDN). The LAC sits between the LNS and the remote system and relays packets between the two: packets received from the remote system are encapsulated according to L2TP and sent to the LNS, and packets received from the LNS are decapsulated and sent to the remote system. A local connection or a PPP link may be used between the LAC and the remote system.
The LNS, the L2TP network server over which the L2TP link carries the data, is the device on the PPP end system that handles the server side of the L2TP protocol. It is the other endpoint of the L2TP tunnel and the peer of the LAC, and it is also the logical termination point of the PPP session tunneled from the LAC.
The LNS receives the Layer 2 tunnel establishment request sent by the LAC and establishes the L2TP link with the forwarding device according to it.
To forward the network data, after receiving an L2TP message the LNS removes the outer IP header, the L2TP header and the PPP framing in turn, obtaining the network data carried by PPP, that is, the IP datagram sent by the internet access device, and forwards it according to the destination address in the datagram.
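The encapsulation performed by the LAC in the third embodiment (PPPoE message in, L2TP data message out) and the stripping performed by the LNS in this embodiment (L2TP header and PPP framing off, IPv4 datagram and its destination out) are shown together in the following Python code. It is an added example, not code from the patent or from Sangfor. It assumes that the LAC tunnels the PPP frame carried by the PPPoE session packet (the Ethernet, 802.1Q and PPPoE headers are stripped, as L2TP per RFC 2661 carries PPP frames), that only the L2TPv2 data-message header is built here while UDP and the outer IP header are left to the socket layer, and that the input is a constructed frame (MAC addresses, VLAN 100, PPPoE session 0x42, tunnel ID 7, session ID 9, and a 10.0.0.2 to 203.0.113.5 datagram).

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_VLAN = 0x8100           # 802.1Q tag
ETHERTYPE_PPPOE_SESSION = 0x8864  # PPPoE session stage (RFC 2516)
PPP_PROTO_IPV4 = 0x0021
L2TP_VERSION = 2
# L2TP header flag bits (RFC 2661, section 3.1): T=control, L=length present, S=Ns/Nr present, O=offset present
L2TP_T, L2TP_L, L2TP_S, L2TP_O = 0x8000, 0x4000, 0x0800, 0x0200


def parse_pppoe_session_frame(frame: bytes):
    """LAC ingress: strip the Ethernet (optionally VLAN-tagged) and PPPoE session headers.
    Returns (src_mac, vlan_id, pppoe_session_id, ppp_frame)."""
    src_mac = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, off = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_PPPOE_SESSION:
        raise ValueError("not a PPPoE session frame: ethertype 0x%04x" % ethertype)
    if len(frame) < off + 6:
        raise ValueError("frame too short for a PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[off:off + 6])
    if ver_type != 0x11 or code != 0x00:
        raise ValueError("not a PPPoE session-stage packet")
    ppp = frame[off + 6:off + 6 + length]
    if len(ppp) != length:
        raise ValueError("truncated PPPoE payload")
    return src_mac, vlan_id, session_id, ppp


def l2tp_encapsulate(ppp: bytes, tunnel_id: int, session_id: int, ns: int = 0, nr: int = 0) -> bytes:
    """LAC egress: prepend an L2TPv2 data-message header (T=0, L=1, S=1) to a PPP frame.
    The result is the UDP payload sent to port 1701 on the LNS; UDP/IP are added by the stack."""
    flags = L2TP_L | L2TP_S | L2TP_VERSION
    body = struct.pack("!HHHH", tunnel_id, session_id, ns, nr) + ppp
    return struct.pack("!HH", flags, 4 + len(body)) + body


def l2tp_decapsulate(msg: bytes):
    """LNS ingress: parse an L2TPv2 data message; returns (tunnel_id, session_id, ppp_frame)."""
    (flags,) = struct.unpack("!H", msg[:2])
    if flags & 0x000F != L2TP_VERSION:
        raise ValueError("unsupported L2TP version %d" % (flags & 0x000F))
    if flags & L2TP_T:
        raise ValueError("control message; the data path only accepts T=0")
    off = 2
    if flags & L2TP_L:
        (length,) = struct.unpack("!H", msg[off:off + 2])
        off += 2
        if length != len(msg):
            raise ValueError("L2TP length %d != datagram size %d" % (length, len(msg)))
    tunnel_id, session_id = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    if flags & L2TP_S:
        off += 4  # Ns/Nr only matter for sequencing, not for recovering the payload
    if flags & L2TP_O:
        (offset_size,) = struct.unpack("!H", msg[off:off + 2])
        off += 2 + offset_size
    return tunnel_id, session_id, msg[off:]


def ppp_payload(ppp: bytes):
    """Strip PPP framing: optional HDLC address/control (FF 03) and the 2-byte protocol field."""
    if ppp[:2] == b"\xff\x03":
        ppp = ppp[2:]
    (proto,) = struct.unpack("!H", ppp[:2])
    return proto, ppp[2:]


def lns_forward_decision(l2tp_msg: bytes):
    """LNS: peel L2TP and PPP and read the IPv4 destination by which the datagram is forwarded."""
    tunnel_id, session_id, ppp = l2tp_decapsulate(l2tp_msg)
    proto, datagram = ppp_payload(ppp)
    if proto != PPP_PROTO_IPV4:
        raise ValueError("PPP protocol 0x%04x is not IPv4" % proto)
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        raise ValueError("malformed IPv4 header")
    return tunnel_id, session_id, str(IPv4Address(datagram[16:20]))


def lac_to_lns(frame: bytes, tunnel_id: int = 7, l2tp_session: int = 9) -> dict:
    """Whole path: forwarding device -> LAC (PPPoE in, L2TP out) -> LNS (L2TP in, IPv4 out)."""
    _src_mac, vlan_id, pppoe_session, ppp = parse_pppoe_session_frame(frame)
    tunneled = l2tp_encapsulate(ppp, tunnel_id, l2tp_session)
    t_id, s_id, dst_ip = lns_forward_decision(tunneled)
    return {"vlan": vlan_id, "pppoe_session": pppoe_session, "tunnel_id": t_id,
            "l2tp_session": s_id, "dst_ip": dst_ip, "l2tp_len": len(tunneled)}


def build_sample_frame(vlan_id=100, pppoe_session: int = 0x42) -> bytes:
    """Constructed input: what the forwarding device puts on the wire towards the LAC."""
    payload = b"hello"
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, 17, 0,
                      IPv4Address("10.0.0.2").packed, IPv4Address("203.0.113.5").packed)
    csum = sum(struct.unpack("!10H", hdr))
    csum = (csum & 0xFFFF) + (csum >> 16)
    csum = (csum & 0xFFFF) + (csum >> 16)
    hdr = hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + hdr + payload
    pppoe = struct.pack("!BBHH", 0x11, 0x00, pppoe_session, len(ppp)) + ppp
    eth = bytes.fromhex("00163e112233") + bytes.fromhex("00163e445566")  # constructed dst/src MACs
    if vlan_id is None:
        eth += struct.pack("!H", ETHERTYPE_PPPOE_SESSION)
    else:
        eth += struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id, ETHERTYPE_PPPOE_SESSION)
    return eth + pppoe


if __name__ == "__main__":
    print(lac_to_lns(build_sample_frame()))
```

The length check in l2tp_decapsulate is the part worth keeping on a real LNS: an L2TP Length field that disagrees with the UDP datagram size, or a control message arriving on the data path, should be rejected rather than parsed on trust, since the LAC-side concentrator is the only peer that should be producing these datagrams.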
In this embodiment, a Layer 2 tunnel network server is arranged on the cloud management platform and an L2TP link is established between the concentrator device and that server, so that an L2TP link exists between the forwarding device and the cloud management platform for transmitting the network data.
Referring to fig. 7, fig. 7 is a block diagram of a fifth embodiment of the cloud internet behavior management system based on a virtual private dial-up network according to the present invention, provided on the basis of the fourth embodiment of the internet behavior management system.
In this embodiment, the request for establishing the Layer 2 tunnel includes second authentication information;
the Layer 2 tunnel network server 50' is configured to receive the second authentication information sent by the concentrator device and authenticate the internet access device according to it.
To ensure the security of the system, in this embodiment the LNS sends the access request information to the RADIUS server for authentication, and the RADIUS server returns a response if the authentication passes. If the RADIUS server has a Framed-IP-Address or Framed-Route attribute configured for the internet access device, or designates an address pool name for it, the response carries these. The LNS may additionally re-authenticate the remote user with the Challenge Handshake Authentication Protocol (CHAP), that is, a second authentication completed at the LNS: the LNS sends the second authentication information to the RADIUS server, the RADIUS server returns a response after the authentication passes, the LNS processes the information carried in the response and stores the Framed-IP-Address, Framed-Route or address pool name allocated to the user, the L2TP connection succeeds, and an IP address is allocated to the remote user.
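The RADIUS exchange referred to in the second embodiment and the CHAP re-authentication at the LNS described here, as an added Python example that is not from the patent or from Sangfor: the remote system answers a CHAP challenge (RFC 1994), the LNS forwards the answer to the RADIUS server in an Access-Request (RFC 2865) carrying CHAP-Password and CHAP-Challenge attributes, the server recomputes the response from the stored secret and answers Access-Accept with a Framed-IP-Address, and the LNS checks the Response Authenticator before trusting the verdict. The user database, address pool, shared secret and user names are constructed for the example; packets are built and parsed in memory rather than sent over UDP, and the Message-Authenticator, Framed-Route and vendor attributes are omitted.

```python
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3                      # RFC 2865 codes
USER_NAME, CHAP_PASSWORD, FRAMED_IP_ADDRESS, CHAP_CHALLENGE = 1, 3, 8, 60   # RFC 2865 attribute types


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value attributes; Length counts the two header bytes."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, len(value) + 2]) + value
    return out


def decode_attrs(data: bytes) -> list:
    attrs, off = [], 0
    while off < len(data):
        if off + 2 > len(data) or data[off + 1] < 2 or off + data[off + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[off], data[off + 2:off + data[off + 1]]))
        off += data[off + 1]
    return attrs


def response_authenticator(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):      # strict: trailing padding is not accepted here
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def lns_access_request(username: str, chap_ident: int, challenge: bytes, chap_resp: bytes):
    """LNS -> RADIUS: Access-Request carrying the remote user's CHAP answer.
    Returns (packet, request_authenticator); the authenticator is kept to validate the reply."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (CHAP_PASSWORD, bytes([chap_ident]) + chap_resp),
                          (CHAP_CHALLENGE, challenge)])
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + request_auth + attrs, request_auth


def radius_handle(pkt: bytes, shared_secret: bytes, users: dict, address_pool: dict) -> bytes:
    """RADIUS server: recompute the CHAP response from the stored user secret (only the server
    holds it); Access-Accept with Framed-IP-Address on success, Access-Reject otherwise."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    chap = a.get(CHAP_PASSWORD, b"")
    challenge = a.get(CHAP_CHALLENGE, request_auth)   # RFC 2865 5.3: default challenge is the Request Authenticator
    username = a.get(USER_NAME, b"").decode(errors="replace")
    user_secret = users.get(username)
    ok = (len(chap) == 17 and user_secret is not None
          and hmac.compare_digest(chap[1:], chap_response(chap[0], user_secret, challenge)))
    if ok and username in address_pool:
        reply_code, reply_attrs = ACCESS_ACCEPT, [(FRAMED_IP_ADDRESS, IPv4Address(address_pool[username]).packed)]
    else:
        reply_code, reply_attrs = ACCESS_REJECT, []
    body = encode_attrs(reply_attrs)
    auth = response_authenticator(reply_code, ident, request_auth, body, shared_secret)
    return struct.pack("!BBH", reply_code, ident, 20 + len(body)) + auth + body


def lns_handle_reply(reply: bytes, request_auth: bytes, shared_secret: bytes):
    """LNS: verify the Response Authenticator before trusting the verdict; returns (accepted, framed_ip)."""
    code, ident, auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, ident, request_auth, reply[20:], shared_secret)
    if not hmac.compare_digest(auth, expected):
        raise ValueError("Response Authenticator mismatch: forged reply or wrong shared secret")
    a = dict(attrs)
    ip = str(IPv4Address(a[FRAMED_IP_ADDRESS])) if FRAMED_IP_ADDRESS in a else None
    return code == ACCESS_ACCEPT, ip


def run_chap_login(username: str, user_password: bytes, users: dict, pool: dict, shared_secret: bytes):
    """End to end: the LNS challenges the remote system, which answers with CHAP; the LNS asks
    RADIUS and validates the reply. Returns (accepted, assigned_ip)."""
    challenge, ident = os.urandom(16), 0x2A
    answer = chap_response(ident, user_password, challenge)   # computed on the remote (dial-in) side
    req, req_auth = lns_access_request(username, ident, challenge, answer)
    return lns_handle_reply(radius_handle(req, shared_secret, users, pool), req_auth, shared_secret)


if __name__ == "__main__":
    users, pool, secret = {"alice": b"correct horse"}, {"alice": "10.10.0.5"}, b"radius-shared-secret"
    print(run_chap_login("alice", b"correct horse", users, pool, secret))
    print(run_chap_login("alice", b"wrong", users, pool, secret))
```

Two points carry over to a deployment of this embodiment: the LNS must verify the Response Authenticator (a forged Access-Accept is otherwise trivial to inject on the path between LNS and RADIUS server), and CHAP obliges the RADIUS server to hold the user secret in a form from which the MD5 response can be recomputed, which is why the accounts are kept on the RADIUS server rather than on the concentrator.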
In this embodiment, the Layer 2 tunnel network server verifies the internet access device, so that both the transmission of the network data and the system itself are protected by authentication.
Referring to fig. 8, the present invention provides a cloud internet behavior management method based on a virtual private dial-up network, applied to a cloud internet behavior management system based on a virtual private dial-up network. The system includes a cloud management platform, a forwarding device, a centralized device and at least one internet access device. The forwarding device and the centralized device are connected point to point, and the centralized device and the cloud management platform establish a link connection. The connection between the forwarding device and the internet access device is not limited and is chosen according to actual needs; for example, a wired or a wireless connection may be used.
In this embodiment the type of forwarding device is not limited: any forwarding device with a point-to-point connection function will do, and other devices implementing the same or similar functions may also be used.
The cloud internet behavior management method based on the virtual private dial-up network comprises the following steps:
Step S10: the forwarding device obtains the network data of the internet access device and forwards it to the centralized device.
It should be noted that the forwarding device establishes a point-to-point connection with the centralized device by point-to-point dialing; this embodiment takes the establishment of a PPPoE link as an example.
Step S20: the centralized device receives the network data uploaded by the forwarding device, encapsulates it, and sends the processed network data to the cloud management platform.
It should be noted that the centralized device can establish a point-to-point connection with the forwarding device and can encapsulate point-to-point protocol packets, so as to implement L2TP packet encapsulation; the centralized device in this embodiment is an LAC (L2TP access concentrator).
It can be understood that the LAC may be deployed on the NAS or on the PPPoE server; this embodiment takes deployment on the PPPoE server as an example.
As shown in fig. 2, a tenant connects to the forwarding device through the company local area network, the forwarding device 20 establishes a PPP link with the centralized device 40, the cloud management platform 10 is built on the public network through a physical connection, and the centralized device establishes an L2TP link with the cloud management platform, so that the forwarding device has a PPP tunnel to the cloud management platform.
Step S30: the cloud management platform receives the processed network data uploaded by the centralized device, analyzes and processes it, and manages the internet access behavior of the internet access device according to the result.
The cloud management platform can be built on a trusted public cloud, such as one provided by a traditional telecommunications operator (China Mobile, China Unicom, China Telecom), a local cloud computing platform under government control, or optionally Aliyun (Alibaba Cloud), Tencent Cloud and the like.
The cloud management platform analyzes and processes the network data and thereby manages the internet access behavior of the internet access device. It provides a web management interface on which the relevant configuration for the internet access device is performed, such as internet user configuration, browsing management, outgoing-content management, application management, traffic management and behavior analysis. The configuration operation may be a web page interface or any other mode of operation that achieves the same or a similar function, without limitation.
The cloud management platform provides the analyzed data to the internet access device for display, and the internet access device performs corresponding operation and decision management according to the displayed data. For traffic analysis, for example, the cloud management platform binds a unique identifier to each internet access device, so that the internet access situation of each device can be analyzed precisely by that identifier and the user monitored and managed accordingly. For instance, the cloud management platform performs traffic analysis on internet access device A, obtains the online duration of device A within a certain period and provides a trend graph for that period; traffic management of the device can then be based on this analysis, for example by setting a rule that device A receives no network service during a set time, so that the device is controlled precisely according to its situation.
The cloud management platform analyzes and processes the network data and can authenticate, identify, control and audit it, thereby managing the internet access behavior of the internet access device.
In this embodiment the cloud management platform authenticates the network data and can configure and manage the internet access devices, so that the network data of each device is processed accordingly. For example, the cloud management platform is configured to process internet access device B from 9:00 to 10:00 and internet access device C from 11:00 to 12:00; in that case only device B can use the network at 9:30, and from 11:00 device B can no longer use it while only device C can.
The cloud management platform can control and identify the network data: it processes the network data of each internet access device independently, keeping the devices separated so that they do not affect each other, which makes the processing of the network data precise. For example, the configuration for internet access device D is traffic management and the configuration for internet access device E is browsing management. Device D's data is then subject to traffic analysis with an upper limit on its virtual channel (traffic above the upper limit is discarded) and a lower limit (necessary bandwidth is reserved for key applications), whereas device E's data is identified, recorded and blocked by the keywords entered in search boxes, which checks the legitimacy of the search content and avoids inappropriate searches. Each device thus receives the service configured for it: after traffic management is configured for device D and browsing management for device E, device D's data is not subjected to browsing analysis and device E's data is not subjected to traffic management.
The cloud management platform audits the network data: it can summarize the internet access logs and produce intuitive statistical reports such as traffic trends, risk trends, data leakage trends and efficiency trends. For example, to estimate a user's online duration and thereby the effect of the network on work efficiency, the network data is analyzed to produce an online duration trend graph over a period of time, which gives a more intuitive estimate of that effect.
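The authenticate, identify, control and audit behaviour described in the three paragraphs above, as one added example that is not code from the patent or from any Sangfor product: a small Python policy engine that keeps per-device state, applies time windows (devices B and C), a virtual-channel upper limit implemented as a token bucket (device D), search-box keyword identification and blocking (device E), and produces an audit summary with online minutes per device. The device identifiers, policy values, search URL and timestamps are constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, time
from urllib.parse import parse_qs, urlsplit


@dataclass
class DevicePolicy:
    """Rules bound to one internet access device's unique identifier (assumed to be the
    key the platform assigns); each field is independent of every other device."""
    windows: list = field(default_factory=list)   # [(start, end)] times when access is permitted
    limit_bps: int = 0                            # upper limit of the device's virtual channel, 0 = none
    blocked_keywords: frozenset = frozenset()     # search-box terms to identify, record and block


@dataclass
class Verdict:
    device: str
    action: str        # allow / block_unknown / block_time / block_keyword / drop_rate
    detail: str = ""


class TokenBucket:
    """Byte budget refilled at the channel's upper limit; traffic beyond it is dropped."""
    def __init__(self, rate_bps):
        self.rate = rate_bps // 8            # bytes per second
        self.tokens, self.last = self.rate, None

    def take(self, ts, nbytes):
        if self.last is not None:
            self.tokens = min(self.rate, self.tokens + self.rate * (ts - self.last).total_seconds())
        self.last = ts
        if nbytes > self.tokens:
            return False
        self.tokens -= nbytes
        return True


def search_terms(url):
    """Pull the text typed into a search box out of common query parameters."""
    qs = parse_qs(urlsplit(url).query)
    for key in ("q", "wd", "query", "search"):
        if key in qs:
            return qs[key][0].lower()
    return ""


class BehaviorManager:
    """Identify, control and audit network data per device; state is keyed by device id so
    one device's rules and counters never touch another's."""
    def __init__(self, policies):
        self.policies, self.buckets, self.log = policies, {}, []

    def evaluate(self, device, ts, nbytes, url=""):
        pol, terms = self.policies.get(device), search_terms(url)
        if pol is None:
            v = Verdict(device, "block_unknown", "device identifier not registered")
        elif pol.windows and not any(s <= ts.time() < e for s, e in pol.windows):
            v = Verdict(device, "block_time", "outside permitted window")
        elif any(k in terms for k in pol.blocked_keywords):
            v = Verdict(device, "block_keyword", terms)               # recorded for audit
        elif pol.limit_bps and not self.buckets.setdefault(device, TokenBucket(pol.limit_bps)).take(ts, nbytes):
            v = Verdict(device, "drop_rate", "exceeds channel upper limit")
        else:
            v = Verdict(device, "allow")
        self.log.append((ts, nbytes, v))
        return v

    def audit(self):
        """Per-device report: allowed bytes, blocks by reason, distinct minutes online."""
        report = defaultdict(lambda: {"allowed_bytes": 0, "blocked": Counter(), "minutes": set()})
        for ts, nbytes, v in self.log:
            entry = report[v.device]
            if v.action == "allow":
                entry["allowed_bytes"] += nbytes
                entry["minutes"].add(ts.replace(second=0, microsecond=0))
            else:
                entry["blocked"][v.action] += 1
        return {d: {"allowed_bytes": e["allowed_bytes"], "blocked": dict(e["blocked"]),
                    "minutes_online": len(e["minutes"])} for d, e in report.items()}


# Constructed policies mirroring the embodiment: B and C get time windows, D a channel
# upper limit, E search-keyword blocking. The identifiers are assumed.
POLICIES = {
    "device-B": DevicePolicy(windows=[(time(9, 0), time(10, 0))]),
    "device-C": DevicePolicy(windows=[(time(11, 0), time(12, 0))]),
    "device-D": DevicePolicy(limit_bps=1_000_000),
    "device-E": DevicePolicy(blocked_keywords=frozenset({"forbidden term"})),
}


def run_sample():
    """Constructed one-day trace driven through the manager; returns (actions, audit)."""
    m, day = BehaviorManager(POLICIES), datetime(2024, 1, 8)
    url = "https://search.example/s?wd=forbidden+term"            # hypothetical search URL
    trace = [("device-B", day.replace(hour=9, minute=30), 1_000, ""),
             ("device-B", day.replace(hour=10, minute=30), 1_000, ""),
             ("device-C", day.replace(hour=9, minute=30), 1_000, ""),
             ("device-C", day.replace(hour=11, minute=30), 1_000, ""),
             ("device-E", day.replace(hour=14), 500, url),          # E: keyword rule applies
             ("device-D", day.replace(hour=14), 500, url),          # D: same URL, no keyword rule
             ("device-D", day.replace(hour=15), 100_000, ""),       # 1 Mbit/s = 125 000 B/s budget
             ("device-D", day.replace(hour=15), 50_000, ""),        # same second: over the limit
             ("device-D", day.replace(hour=15, second=1), 100_000, ""),
             ("device-E", day.replace(hour=15), 5_000_000, ""),     # E: no channel limit configured
             ("device-Z", day.replace(hour=15), 10, "")]            # unregistered identifier
    actions = [m.evaluate(*rec).action for rec in trace]
    return actions, m.audit()
```

The isolation the embodiment describes shows up in the trace: the same search URL is blocked for E and allowed for D, and E's large transfer is not rate-limited, because each rule is looked up by the device's own identifier and the token bucket is created per device. The lower limit (guaranteed bandwidth for key applications) is a scheduler property rather than a per-packet decision, so it is not modelled here.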
The cloud management platform can provide a management interface offering functions such as the user authentication mode, application control rules and traffic control, and the configuration can be backed up and migrated quickly.
The cloud management platform can also send the analyzed and processed network data to the Internet. It performs address translation on the private network address of the processed network data, converting it to a public network address, and then sends the data to the Internet, so that the network data is shared in real time.
This embodiment provides the centralized device, so that the forwarding device only needs a point-to-point function to connect to it; a network tunnel is thereby established between the forwarding device and the cloud management platform, and the running cost of internet behavior management is reduced.
Referring to fig. 9, fig. 9 is a flowchart illustrating a second embodiment of the cloud internet behavior management method based on the virtual private dial-up network according to the present invention, and the second embodiment of the cloud internet behavior management method based on the virtual private dial-up network according to the present invention is provided based on the first embodiment of the internet behavior management method.
In this embodiment the network data includes first authentication information;
before step S20 the method includes:
Step S101: the centralized device receives the first authentication information uploaded by the forwarding device and authenticates the internet access device according to it.
It should be noted that, before the PPPoE packets uploaded by the internet access device are encapsulated, the forwarding device may send authentication information, with which the centralized device sends a request for establishing a PPPoE link to the PPPoE server and determines whether the accessing internet access device is an authorized user. If so, the centralized device encapsulates the PPPoE packets; if not, the PPPoE packets are processed and forwarded in the ordinary way.
To improve network security, the user accessing the internet may be authenticated, and the authentication may be implemented by another server, for example a RADIUS server: the accounts of authorized users are stored on the RADIUS server, which receives the account information of the accessing user, checks whether that account is stored, and verifies the internet access device in this way. This embodiment is not limited to this mode, and other modes may be used.
In this embodiment the internet access device that reports its network data through the forwarding device is authenticated before its traffic is tunnelled to the cloud management platform, which improves the security of the cloud management platform.
Referring to fig. 10, fig. 10 is a schematic flow chart of a third embodiment of the cloud internet behavior management method based on the virtual private dial-up network according to the present invention, and the third embodiment of the cloud internet behavior management method based on the virtual private dial-up network according to the present invention is provided based on the first embodiment of the internet behavior management method.
In this embodiment step S20 specifically further includes:
S201: the centralized device receives the network data uploaded by the forwarding device, performs layer 2 tunnel packet encapsulation on it, and after encapsulation sends a request for establishing a layer 2 tunnel to the cloud management platform.
The centralized device can connect point to point with the forwarding device, and once the PPPoE link with the forwarding device is established it can perform L2TP encapsulation on the PPPoE traffic uploaded by the forwarding device, then send the request for establishing the layer 2 tunnel to the cloud management platform.
To encapsulate the PPPoE packet in L2TP, the L2TP header is inserted above the UDP layer of the data packet (L2TP runs over UDP, port 1701); as shown in fig. 5, the LAC performs the L2TP encapsulation of the PPPoE packet.
After the PPPoE link between the LAC and the forwarding device is established, the LAC receives the PPPoE packets uploaded by the forwarding device; each carries the PPPoE session header together with other link-layer information such as the VLAN tag and MAC addresses. The LAC takes the PPP frame carried by the PPPoE packet, adds the L2TP header and then the outer IP encapsulation, so that the PPPoE packet's payload is carried in an L2TP packet.
In this embodiment the centralized device encapsulates the PPPoE packet in L2TP, converting it into an L2TP packet, so that an L2TP link is established between the centralized device and the cloud management platform and the network data is transmitted through that tunnel.
Referring to fig. 11, fig. 11 is a schematic flow chart of a fourth embodiment of the cloud internet behavior management method based on the virtual private dial-up network according to the present invention, and a fourth embodiment of the cloud internet behavior management method based on the virtual private dial-up network according to the present invention is provided based on the third embodiment of the internet behavior management method.
In this embodiment the cloud management platform includes an L2TP network server, taken here to be an LNS.
Before step S30 the method includes:
S202: the L2TP network server receives the request for establishing a layer 2 tunnel sent by the centralized device and establishes a network tunnel with the forwarding device according to that request.
It should be noted that the LAC is a device attached to the switching network that has PPP end-system and L2TP protocol processing capability. The LAC may be a network access server (NAS), which mainly provides access services to users over a PSTN or ISDN network. The LAC sits between the LNS and the remote system and relays packets between them: packets received from the remote system are encapsulated according to L2TP and sent to the LNS, and packets received from the LNS are decapsulated and sent to the remote system. A local connection or a PPP link may be used between the LAC and the remote system.
To carry data over the L2TP link, the LNS (L2TP network server) is a device on the PPP end system that handles the server side of the L2TP protocol; it is the other endpoint of the L2TP tunnel, the peer of the LAC, and the logical termination point of the PPP session tunnelled from the LAC.
The LNS receives the request for establishing the layer 2 tunnel sent by the LAC and establishes the L2TP link with the forwarding device according to it.
To forward the network data, after receiving an L2TP packet the LNS removes in turn the outer IP and UDP headers, the L2TP header and the PPP header, obtaining the network data carried by PPP, that is, the IP datagram sent by the internet access device, and forwards it according to the destination address in that datagram.
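The encapsulation at the LAC (S201, fig. 5), the decapsulation and forwarding at the LNS described just above, and the private-to-public address translation mentioned earlier for traffic leaving to the Internet, as one added example that is not code from the patent or from any Sangfor product: a Python model that takes a PPPoE session frame from the forwarding device, carries its PPP frame in an L2TPv2 data message over UDP/IPv4 (RFC 2661, RFC 2516), strips the layers again at the LNS with a check on each before the inner datagram is forwarded, and finally rewrites the inner source address. The MAC and IP addresses, tunnel and session ids and the inner datagram are constructed for the example.

```python
import struct

PPPOE_SESSION_ETHERTYPE = 0x8864    # RFC 2516 session-stage frames
PPP_PROTO_IPV4 = 0x0021             # PPP protocol number for IPv4
L2TP_UDP_PORT = 1701                # RFC 2661
L2TP_FLAG_L, L2TP_FLAG_S, L2TP_FLAG_O, L2TP_VER = 0x4000, 0x0800, 0x0200, 0x0002


def ip_checksum(data):
    """RFC 1071 one's-complement sum; yields 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def parse_pppoe_session(frame):
    """Ethernet + PPPoE session header -> (session id, PPP protocol, PPP payload).
    PPPoE carries the PPP frame without the HDLC address/control bytes (RFC 2516)."""
    if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != PPPOE_SESSION_ETHERTYPE:
        raise ValueError("not a PPPoE session frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00:
        raise ValueError("unsupported PPPoE version/type/code")
    payload = frame[20:20 + length]
    if len(payload) != length or length < 2:
        raise ValueError("PPPoE length field inconsistent with frame")
    return session_id, struct.unpack("!H", payload[:2])[0], payload[2:]


def lac_encapsulate(pppoe_frame, tunnel_id, session_id, lac_ip, lns_ip, src_port=L2TP_UDP_PORT):
    """LAC side: drop the Ethernet/PPPoE framing and carry the PPP frame in an L2TPv2 data
    message (T=0; L set so the receiver can detect truncation) over UDP/IPv4."""
    _, proto, ppp_payload = parse_pppoe_session(pppoe_frame)
    ppp_frame = b"\xff\x03" + struct.pack("!H", proto) + ppp_payload      # HDLC address/control restored
    l2tp = struct.pack("!HHHH", L2TP_FLAG_L | L2TP_VER, 8 + len(ppp_frame), tunnel_id, session_id) + ppp_frame
    udp = struct.pack("!HHHH", src_port, L2TP_UDP_PORT, 8 + len(l2tp), 0) + l2tp   # UDP checksum 0 = none
    return build_ipv4(lac_ip, lns_ip, 17, udp)


def lns_decapsulate(packet):
    """LNS side: strip outer IPv4, UDP, L2TP and PPP headers in that order, validating each
    layer, and return the tunnel/session ids plus the inner IP datagram to forward."""
    ihl = (packet[0] & 0x0F) * 4
    if (packet[0] >> 4) != 4 or ihl < 20 or ip_checksum(packet[:ihl]) != 0 or packet[9] != 17:
        raise ValueError("outer packet is not a valid IPv4/UDP datagram")
    udp = packet[ihl:]
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if dst_port != L2TP_UDP_PORT or udp_len != len(udp):
        raise ValueError("not an L2TP datagram, or UDP length mismatch")
    l2tp = udp[8:]
    flags = struct.unpack("!H", l2tp[:2])[0]
    if flags & 0x8000 or (flags & 0x000F) != 2:
        raise ValueError("expected an L2TPv2 data message")
    off = 2
    if flags & L2TP_FLAG_L:
        length = struct.unpack("!H", l2tp[off:off + 2])[0]
        if length > len(l2tp):
            raise ValueError("L2TP length field exceeds datagram")
        l2tp, off = l2tp[:length], off + 2
    tunnel_id, session_id = struct.unpack("!HH", l2tp[off:off + 4])
    off += 4
    if flags & L2TP_FLAG_S:
        off += 4                                                  # skip Ns/Nr
    if flags & L2TP_FLAG_O:
        off += 2 + struct.unpack("!H", l2tp[off:off + 2])[0]      # skip Offset Size and pad
    ppp = l2tp[off:]
    if ppp[:2] == b"\xff\x03":
        ppp = ppp[2:]
    if struct.unpack("!H", ppp[:2])[0] != PPP_PROTO_IPV4:
        raise ValueError("only IPv4 inside PPP is forwarded in this example")
    inner = ppp[2:]
    if (len(inner) < 20 or struct.unpack("!H", inner[2:4])[0] != len(inner)
            or ip_checksum(inner[:(inner[0] & 0x0F) * 4]) != 0):
        raise ValueError("inner IP datagram malformed")
    return {"tunnel_id": tunnel_id, "session_id": session_id, "dst_ip": inner[16:20], "inner_ip": inner}


def snat_to_public(inner_ip, public_ip):
    """Rewrite the tenant's private source address to the platform's public address before
    the datagram goes to the Internet. Only the IP header checksum is refreshed here; a TCP
    or non-zero UDP checksum also covers the addresses and must be adjusted by the caller."""
    ihl = (inner_ip[0] & 0x0F) * 4
    hdr = bytearray(inner_ip[:ihl])
    hdr[12:16], hdr[10:12] = public_ip, b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + inner_ip[ihl:]


def sample_pppoe_frame():
    """Constructed sample: a tenant host's IPv4/UDP datagram inside a PPPoE session frame."""
    inner = build_ipv4(bytes([10, 0, 0, 23]), bytes([203, 0, 113, 10]), 17,
                       struct.pack("!HHHH", 40000, 53, 12, 0) + b"ping")
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + inner
    pppoe = struct.pack("!BBHH", 0x11, 0x00, 0x0101, len(ppp)) + ppp
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", PPPOE_SESSION_ETHERTYPE) + pppoe
```

Each check in lns_decapsulate is one a real LNS must make, because the tunnel terminates on a platform reachable from the public network: the UDP length must match the datagram, the L2TP Length field must not exceed it, and the inner total length and header checksum must be consistent before the packet is routed by its destination address. L2TP itself neither encrypts nor integrity-protects the payload, so the security the embodiment attributes to the tunnel only holds for confidentiality if the LAC-to-LNS path is additionally protected, typically with IPsec (L2TP/IPsec, RFC 3193).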
In this embodiment an L2TP network server is deployed on the cloud management platform and an L2TP link is established between the centralized device and that server, so that an L2TP link exists between the forwarding device and the cloud management platform and the network data is carried inside a tunnel. Note that L2TP by itself only tunnels the PPP session and authenticates the tunnel endpoints; it does not encrypt the payload, so confidentiality across the public network requires protecting the tunnel with IPsec (RFC 3193) or an equivalent.
Referring to fig. 12, fig. 12 is a flowchart of a fifth embodiment of the cloud internet behavior management method based on the virtual private dial-up network according to the present invention; this fifth embodiment is provided on the basis of the fourth embodiment of the method.
In this embodiment, before the network tunnel is established with the forwarding device according to the request for establishing a layer 2 tunnel, the method further includes:
S203: the L2TP network server receives second authentication information sent by the centralized device and authenticates the internet access device according to it.
To secure the system, in this embodiment the LNS sends the access request to the RADIUS server for authentication, and the RADIUS server returns a response if authentication succeeds. If the RADIUS server has a Framed-IP-Address, a Framed-Route attribute or an address pool name (Framed-Pool) configured for the internet access device, the response carries them. The LNS may additionally perform CHAP re-authentication of the remote user, that is, a secondary authentication completed at the LNS: the LNS sends the secondary authentication information to the RADIUS server, the RADIUS server returns a response once authentication passes, and the LNS processes the information carried in the response and stores the Framed-IP-Address, Framed-Route or address pool name allocated to the user. The L2TP connection is then established and an IP address is allocated to the remote user.
In this embodiment the L2TP network server verifies the internet access device, which secures both the transmission of the network data and the system.
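The RADIUS exchange described for the fifth embodiment of the system (fig. 7) and of the method (fig. 12), as one added example that is not code from the patent or from any Sangfor product: the LNS packs the remote user's CHAP response into an Access-Request (CHAP-Password carries Ident followed by the 16-byte response, CHAP-Challenge carries the challenge), the RADIUS server recomputes the CHAP digest from its stored password and answers with Framed-IP-Address, Framed-Route and Framed-Pool, and the LNS verifies the Response Authenticator before storing the grant. Both directions also carry a Message-Authenticator (HMAC-MD5, RFC 2869). The shared secret, user name, password and Framed-* values are constructed for the example; the wire format follows RFC 2865.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, FRAMED_IP_ADDRESS, FRAMED_ROUTE = 1, 3, 8, 22
CHAP_CHALLENGE, MESSAGE_AUTHENTICATOR, FRAMED_POOL = 60, 80, 88


def pack_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def build_packet(code, ident, authenticator, attrs, secret):
    """Header + attributes with Message-Authenticator last: HMAC-MD5 over the whole packet
    with that attribute zeroed, keyed by the shared secret (RFC 2869 section 5.14)."""
    body = pack_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt, secret, authenticator):
    """Recompute the HMAC with `authenticator` in the header (the Request Authenticator for
    requests and responses alike); constant-time compare; a missing attribute fails."""
    body, i = bytearray(pkt), 20
    body[4:20] = authenticator
    while i + 1 < len(pkt) and pkt[i + 1] >= 2:
        t, l = pkt[i], pkt[i + 1]
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            received, body[i + 2:i + 18] = bytes(pkt[i + 2:i + 18]), bytes(16)
            return hmac.compare_digest(hmac.new(secret, bytes(body), hashlib.md5).digest(), received)
        i += l
    return False


def build_response(code, ident, req_auth, attrs, secret):
    """Message-Authenticator is computed over the Request Authenticator first; then the
    Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret) replaces it."""
    pkt = build_packet(code, ident, req_auth, attrs, secret)
    return pkt[:4] + hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest() + pkt[20:]


def chap_response(chap_id, password, challenge):
    """What the remote PPP peer returns for a CHAP challenge (RFC 1994): MD5(id|secret|challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def lns_access_request(ident, user, chap_id, chap_resp, challenge, secret):
    """LNS side of the secondary authentication: relay the peer's CHAP response to RADIUS."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user), (CHAP_PASSWORD, bytes([chap_id]) + chap_resp), (CHAP_CHALLENGE, challenge)]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs, secret), req_auth


def radius_server(pkt, secret, user_db):
    """Server side: check Message-Authenticator, recompute the CHAP digest from the stored
    password, and on success return the Framed-* attributes configured for that user."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth = pkt[4:20]
    reject = lambda: build_response(ACCESS_REJECT, ident, req_auth, [], secret)
    if code != ACCESS_REQUEST or length != len(pkt) or not verify_message_authenticator(pkt, secret, req_auth):
        return reject()
    attrs = dict(parse_attrs(pkt[20:]))
    entry, chap = user_db.get(attrs.get(USER_NAME)), attrs.get(CHAP_PASSWORD, b"")
    challenge = attrs.get(CHAP_CHALLENGE, req_auth)        # RFC 2865 section 5.40: default challenge
    if entry is None or len(chap) != 17 or not hmac.compare_digest(
            chap[1:], chap_response(chap[0], entry["password"], challenge)):
        return reject()
    grant = [(FRAMED_IP_ADDRESS, bytes(map(int, entry["framed_ip"].split(".")))),
             (FRAMED_ROUTE, entry["framed_route"].encode()), (FRAMED_POOL, entry["framed_pool"].encode())]
    return build_response(ACCESS_ACCEPT, ident, req_auth, grant, secret)


def lns_check_response(pkt, req_auth, secret):
    """LNS side: verify both authenticators before trusting the grant. Returns the Framed-*
    values on Access-Accept, None on Access-Reject, and raises on a forged response."""
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(pkt[4:20], expected) or not verify_message_authenticator(pkt, secret, req_auth):
        raise ValueError("response authenticator check failed")
    if pkt[0] != ACCESS_ACCEPT:
        return None
    grant = dict(parse_attrs(pkt[20:]))
    return {"framed_ip": ".".join(map(str, grant.get(FRAMED_IP_ADDRESS, b""))),
            "framed_route": grant.get(FRAMED_ROUTE, b"").decode(),
            "framed_pool": grant.get(FRAMED_POOL, b"").decode()}


# Constructed sample data: shared secret and one authorised remote user (names are assumed).
SECRET = b"constructed-shared-secret"
USER_DB = {b"alice": {"password": b"alice-pw", "framed_ip": "10.8.0.23",
                      "framed_route": "10.8.1.0/24 0.0.0.0 1", "framed_pool": "vpdn-pool"}}
```

The "IP frame", "routing frame" and "address pool name" of the translated text are the Framed-IP-Address (8), Framed-Route (22) and Framed-Pool (88) attributes. Two caveats a practitioner will want: CHAP obliges the RADIUS server to store the user's password in recoverable form, since the digest cannot be computed from a hash; and the Response Authenticator is plain MD5 keyed only by the shared secret, which after the Blast-RADIUS attack (CVE-2024-3596, 2024) means both the LNS and the server should require Message-Authenticator on every Access-Request and response, as this example does, and should carry RADIUS over TLS rather than bare UDP across the public network.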
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A cloud networking behavior management system based on a virtual private dial-up network, characterized by comprising: forwarding equipment, centralized equipment, a cloud management platform and at least one internet access device, wherein the internet access device is connected to the forwarding equipment, the forwarding equipment and the centralized equipment establish a point-to-point connection, and the centralized equipment and the cloud management platform establish a link connection; the cloud management platform is built on a public network through a physical connection, the centralized equipment and the cloud management platform establish an L2TP link, and the forwarding equipment and the cloud management platform establish a PPP tunnel;
the forwarding device is configured to acquire network data of the internet access device and forward the network data to the centralized device;
the centralized equipment is used for receiving the network data uploaded by the forwarding equipment, packaging the network data and sending the processed network data to the cloud management platform;
the cloud management platform is used for receiving the processed network data uploaded by the centralized equipment, analyzing and processing the processed network data, and managing the internet access behavior of the internet access equipment according to an analysis processing result, wherein the cloud management platform authenticates, identifies, controls and audits the network data;
the cloud management platform is further used for independently processing the network data of each internet access device, and performing mutual separation without mutual influence.
2. The virtual private dial-up network based cloud internet behavior management system of claim 1, wherein the network data includes first authentication information;
the centralized equipment is also used for receiving first authentication information uploaded by the forwarding equipment and authenticating the internet access equipment according to the first authentication information.
3. The virtual private dial-up network based cloud networking behavior management system of claim 1,
the centralized equipment is further used for receiving the network data uploaded by the forwarding equipment, performing two-layer tunnel message encapsulation on the network data, and sending a two-layer tunnel establishment request to the cloud management platform after encapsulation.
4. The virtual private dial-up network based cloud internet behavior management system of claim 3, wherein the cloud management platform comprises a two-layer tunnel network server;
the two-layer tunnel network server is used for receiving a two-layer tunnel establishment request sent by the centralized equipment and establishing a network tunnel with the forwarding equipment according to the two-layer tunnel establishment request.
5. The virtual private dial-up network based cloud networking behavior management system of claim 4, wherein the request to establish a two-layer tunnel comprises second authentication information;
the two-layer tunnel network server is further configured to receive second authentication information sent by the centralized device, and authenticate the internet access device according to the second authentication information.
6. A cloud internet behavior management method based on a virtual private dial-up network is applied to a cloud internet behavior management system of the virtual private dial-up network, and the system comprises a forwarding device, a centralized device, a cloud management platform and at least one internet device, and is characterized in that the forwarding device and the centralized device establish a point-to-point protocol link, the cloud management platform is established on a public network through physical connection, the centralized device and the cloud management platform establish an L2TP link, and the forwarding device and the cloud management platform establish a PPP tunnel, and the method comprises the following steps:
the forwarding device acquires the network data of the internet access device and forwards the network data to the centralized device;
the centralized equipment receives the network data uploaded by the forwarding equipment, packages the network data and sends the processed network data to the cloud management platform;
the cloud management platform receives the processed network data uploaded by the centralized equipment, analyzes and processes the processed network data, and manages the internet access behavior of the internet access equipment according to the analysis and processing result, wherein the cloud management platform authenticates, identifies, controls and audits the network data;
the cloud management platform processes the network data of each internet access device independently, and the network data are separated from each other and do not affect each other.
7. The virtual private dial-up network based cloud internet behavior management method according to claim 6, wherein the network data includes first authentication information;
before the step that the central device receives the network data uploaded by the forwarding device, encapsulates the network data, and sends the processed network data to the cloud management platform, the method comprises the following steps:
and the centralized equipment receives first authentication information uploaded by the forwarding equipment and authenticates the internet access equipment according to the first authentication information.
8. The method according to claim 6, wherein the centralized device receives the network data uploaded by the forwarding device, and encapsulates the network data, and specifically includes:
and the centralized equipment receives the network data uploaded by the forwarding equipment, performs two-layer tunnel message encapsulation on the network data, and sends a request for establishing a two-layer tunnel to the cloud management platform after encapsulation.
9. The virtual private dial-up network based cloud internet behavior management method according to claim 8, wherein the cloud management platform comprises a two-layer tunnel network server;
the cloud management platform receives the processed network data uploaded by the centralized equipment, analyzes and processes the processed network data, and before the step of managing the internet surfing behavior of the internet surfing equipment according to the analysis and processing result, the method comprises the following steps:
and the two-layer tunnel network server receives a two-layer tunnel establishment request sent by the centralized equipment and establishes a network tunnel with the forwarding equipment according to the two-layer tunnel establishment request.
10. The virtual private dial-up network based cloud networking behavior management method according to claim 9, wherein the request for establishing the two-layer tunnel includes second authentication information;
before establishing a network tunnel with the forwarding device according to the request for establishing the two-layer tunnel, the method includes:
and the two-layer tunnel network server receives second authentication information sent by the centralized equipment and authenticates the internet-surfing equipment according to the second authentication information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710753470.9A CN107634884B (en) 2017-08-28 2017-08-28 Cloud networking behavior management system and method based on virtual private dial-up network


Publications (2)

Publication Number Publication Date
CN107634884A CN107634884A (en) 2018-01-26
CN107634884B true CN107634884B (en) 2020-12-04

Family

ID=61100938

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710753470.9A Active CN107634884B (en) 2017-08-28 2017-08-28 Cloud networking behavior management system and method based on virtual private dial-up network

Country Status (1)

Country Link
CN (1) CN107634884B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110830317B (en) * 2018-08-07 2023-03-24 深信服科技股份有限公司 Internet access behavior management system, equipment and method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1617541A (en) * 2004-09-30 2005-05-18 上海金诺网络安全技术发展股份有限公司 Realizing method for virtual special dial network
CN103873444A (en) * 2012-12-14 2014-06-18 中国电信股份有限公司 Method and business switching device for accessing outside network business when mobile terminal VPDN is online
CN104468801A (en) * 2014-12-11 2015-03-25 上海因联企业咨询合伙企业(普通合伙) Free wireless value-added platform and service method thereof
CN105978708A (en) * 2016-04-27 2016-09-28 赛特斯信息科技股份有限公司 System of realizing vCPE virtualization enterprise network based on NFV and method thereof
CN106559399A (en) * 2015-09-30 2017-04-05 北京军地联合网络技术中心 A kind of the Internet mobile terminal synthesis managing and control system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005031527A2 (en) * 2003-09-25 2005-04-07 System Management Arts, Inc. Model-based method and apparatus for determining virtual private network topologies


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
rfc2661- Layer Two Tunneling Protocol "L2TP";Network Working Group;《https://www.rfc-editor.org/》;19990831;全文 *
企业信息化建设中的两种VPDN组网方案;熊秋娥;《现代计算机》;20080831;第119-121、128页 *
配置LAC接入PPPoE用户发起L2TP隧道连接来实现分支与总部互通的示例(RADIUS服务器);关关系列;《https://forum.huawei.com/enterprise/zh/thread-287481.html》;20150422;全文 *

Also Published As

Publication number Publication date
CN107634884A (en) 2018-01-26

Similar Documents

Publication Publication Date Title
CN107959654B (en) Data transmission method and device and mixed cloud system
US10212224B2 (en) Device and related method for dynamic traffic mirroring
US9813447B2 (en) Device and related method for establishing network policy based on applications
US9130826B2 (en) System and related method for network monitoring and control based on applications
US9584393B2 (en) Device and related method for dynamic traffic mirroring policy
US7840205B2 (en) Method and system for peer-to-peer enforcement
US9256636B2 (en) Device and related method for application identification
US9230213B2 (en) Device and related method for scoring applications running on a network
US20140075505A1 (en) System and method for routing selected network traffic to a remote network security device in a network environment
KR100333530B1 (en) Method for configurating VPN(Virtual Private Network) by using NAT(Network Address Translation) and computer readable record medium on which a program therefor is recorded
US8914520B2 (en) System and method for providing enterprise integration in a network environment
US10454880B2 (en) IP packet processing method and apparatus, and network system
KR101458779B1 (en) Content based vlan classification and framework for ethernet network to support content based bridging
CN107404470A (en) Connection control method and device
US20130283050A1 (en) Wireless client authentication and assignment
JP5679343B2 (en) Cloud system, gateway device, communication control method, and communication control program
US20150373688A1 (en) Classification of unauthenticated ip users in a layer-2 broadband aggregation network and optimization of session management in a broadband network gateway
EP4002866A1 (en) A device and method to establish a score for a computer application
CN107634884B (en) Cloud networking behavior management system and method based on virtual private dial-up network
CN113839824A (en) Flow auditing method and device, electronic equipment and storage medium
EP3836487A1 (en) Internet access behavior management system, device and method
JP7383145B2 (en) Network service processing methods, systems and gateway devices
Singh Implementing Cisco Networking Solutions: Configure, implement, and manage complex network designs
KR101712922B1 (en) Virtual Private Network System of Dynamic Tunnel End Type, Manager Apparatus and Virtual Router for the same
Alaoui et al. Use cases of SDN for network security.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant