CN108173838A - Access control and auditing method for network devices - Google Patents


Info

Publication number: CN108173838A
Authority: CN (China)
Prior art keywords: user, client, proxy server, accessed, target
Prior art date: 2017-12-26
Legal status: Pending
Application number: CN201711429107.8A
Other languages: Chinese (zh)
Inventor: 何金狮
Current assignee: Fujian Star Software Co Ltd
Original assignee: Fujian Star Software Co Ltd
Priority date: 2017-12-26
Filing date: 2017-12-26
Publication date: 2018-06-15
Application filed by Fujian Star Software Co Ltd
Priority to CN201711429107.8A
Publication of CN108173838A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0281 Proxies
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention provides an access control and auditing method for network devices. A client is installed on the user terminal; when the client authenticates, the management center sends the policy information of that user to the client. When the user accesses a network resource, the client judges from the target IP and port the user is accessing whether the device is a resource within the user's permission scope. If it is, the client modifies the user's data packets so that they connect to the proxy server, and passes the information the user really intends to access (target IP and so on) to the proxy server. The proxy server listens for client connections, extracts the IP and related information of the target device the client wants to connect to, starts the corresponding local application service, forwards the client traffic to that local service, and then connects from the proxy server to the target device. The whole process is completely transparent to the user and reduces the user's operating difficulty, and because local services are used, encrypted protocols such as ssh can also be audited and controlled.

Description

Access control and auditing method for network devices
Technical field
The present invention relates to the technical field of communication network information security, and in particular to an access control and auditing method for network devices.
Background art
With the rapid development of network information technology, the network scale and number of devices in enterprises and institutions are expanding rapidly, and the emphasis of construction is gradually shifting from building network infrastructure to network information security and to an operation and maintenance stage characterised by improved efficiency. Enterprises and institutions need to control and audit access to specific assets: intercept unauthorised access and malicious attacks, block illegal commands at the command level, filter out all unauthorised access to target devices, and audit and monitor misoperation and illegal operation by internal staff so that responsibility can be traced afterwards. Bastion hosts (fort machines) therefore came into being. A bastion host provides account management, identity authentication, resource authorisation, access control and operation auditing, and effectively solves the problems enterprises and institutions face. A traditional bastion host is deployed in bypass mode: to reach a target device, a user must first log on to the bastion host and then connect from it to the target device. This access mode changes the user's habits, makes operation cumbersome, and does not allow a direct connection to the target device in one step.
Summary of the invention
The technical problem to be solved by the present invention is to provide an access control and auditing method for network devices in which the user's data packets are modified on the user terminal so that the traffic is directed to a proxy server, and the proxy server then connects to the target device; the whole process is transparent to the user and reduces the user's operating difficulty.
The invention is realised as follows. In the access control and auditing method for network devices, a client is installed on the user terminal. When the client authenticates, the management center sends the policy information of that user to the client. When the user accesses a network resource, the client judges from the target IP and port the user is accessing whether the device is a resource within the user's permission scope. If it is, the client modifies the user's data packets so that they connect to the proxy server, and passes the target IP, port and application-layer protocol type the user really intends to access to the proxy server. The proxy server listens for client connections, extracts the IP, port and application-layer protocol type of the target device the client wants to connect to, starts the corresponding local application service according to the protocol type, forwards the client traffic to that local service, connects to the target device, and records the user's operation behaviour. If the device is not within the user's permission scope, no processing is performed.
Further, at the same time as the management center sends the user's policy information to the client, it also sends the IP and account number of the authenticated user to the proxy server, which uses them to associate the user's operation behaviour with that user.
Further, the policy information is the association information between sensitive devices, account numbers and the devices that may be accessed.
The invention has the following advantages. The present invention directly changes the user's network behaviour on the user terminal by means of fully transparent forwarding. On the surface the user accesses the network resource directly, but underneath the method changes the user's behaviour (by modifying the user's data packets) so that the user is connected to the proxy server, and the target resource is then accessed through the proxy server; the whole process is fully transparent to the user, who perceives nothing. Moreover, by having the client direct the traffic to the proxy server, so that the user establishes a connection with the proxy server and the proxy server then connects to the target device, the invention solves the cumbersome procedure of a traditional bastion host, where the user must first log on to the bastion host and then access the target device from it, and so reduces the user's operating difficulty.
Description of the drawings
The present invention is further illustrated below with reference to the accompanying drawings and embodiments.
Fig. 1 is a flowchart of the execution of the method of the present invention.
Detailed description of embodiments
In the access control and auditing method for network devices of the present invention, a client is installed on the user terminal. When the client authenticates, the management center sends the policy information of that user to the client. When the user accesses a network resource, the client judges from the target IP and port the user is accessing whether the device is a resource within the user's permission scope. If it is, the client modifies the user's data packets so that they connect to the proxy server, and passes the target IP, port and application-layer protocol type the user really intends to access to the proxy server. The proxy server listens for client connections, extracts the IP, port and application-layer protocol type of the target device the client wants to connect to, starts the corresponding local application service according to the protocol type, forwards the client traffic to that local application service, connects to the target device, and at the same time records the user's operation behaviour. If the device is not within the user's permission scope, no processing is performed.
While the proxy server is monitoring user connections, it forwards each connection to the local application service selected by the application-layer protocol type and at the same time establishes a connection with the target device according to the user information, so the proxy server acts as an intermediate forwarder. In this way all of the user's access passes through the proxy server, is forwarded to the local application service, and is then connected to the target device; the proxy service controls and audits the access and sends the audit results to the management center.
Referring to Fig. 1, the detailed process is as follows:
1. The user enters an account in the client and is authenticated;
2. After authentication passes, the management center sends the user's resource policy (including sensitive devices, account numbers, and their association with the devices that may be accessed) to the client, and at the same time sends the authenticated user's IP and account number to the proxy server for associating the user's operation behaviour;
3. When the user accesses a network resource, the client analyses the target IP and port the user is accessing and judges whether it belongs to a resource device within the user's authorised scope; if not, it is not processed; if so, the client modifies the user's data packets to connect to the proxy server, and sends the target IP and port the user really intends to access to the proxy server;
4. While monitoring user connections, the proxy server establishes a connection with the target device according to the user information. The proxy server acts as an intermediate forwarder, so all of the user's access passes through the proxy server; the proxy service controls and audits the access and sends the audit results to the management center.
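The four steps above, as an added example that is not code from the patent or its assignee: a Python model of the management center's policy push (step 2), the client-side policy check and packet rewrite (step 3) and the proxy-side dispatch to a per-protocol local service with audit attribution (step 4). All network I/O is simulated in memory. The policy contents, addresses, account name, command strings and the `TARGET <ip> <port> <proto>` header used to carry the real destination to the proxy are constructed assumptions; the patent does not specify a wire format.

```python
"""Added example (not the patent's own code): an in-memory model of the
client-side policy check and the proxy-side dispatch/audit the method
describes.  The TARGET header format and all sample values are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Target = Tuple[str, int]  # (ip, port)


@dataclass
class AuditRecord:
    """One audited session, later reported to the management center."""
    account: str
    client_ip: str
    target: Target
    proto: str
    local_service: str
    ops: List[str] = field(default_factory=list)


@dataclass
class ProxyServer:
    # application-layer protocol type -> local application service for it
    local_services: Dict[str, str]
    sessions: Dict[str, str] = field(default_factory=dict)  # client ip -> account
    audit_log: List[AuditRecord] = field(default_factory=list)

    @staticmethod
    def parse_header(header: bytes) -> Tuple[Target, str]:
        """Extract the real target the client wants (assumed header format)."""
        kind, ip, port, proto = header.decode().strip().split(" ")
        if kind != "TARGET":
            raise ValueError("bad header")
        return (ip, int(port)), proto

    def accept(self, client_ip: str, header: bytes, ops: List[str]) -> AuditRecord:
        """Step 4: attribute the session to a user, pick the local service
        for the protocol, forward (simulated) and record the operations."""
        account = self.sessions.get(client_ip)
        if account is None:  # management center never told us about this IP
            raise PermissionError(f"unknown client {client_ip}")
        target, proto = self.parse_header(header)
        service = self.local_services.get(proto)
        if service is None:  # no local service can audit this protocol
            raise ValueError(f"no local service for protocol {proto}")
        record = AuditRecord(account, client_ip, target, proto, service, list(ops))
        self.audit_log.append(record)
        return record


@dataclass
class ManagementCenter:
    # constructed policy: account -> {(ip, port): application-layer protocol}
    policies: Dict[str, Dict[Target, str]]
    proxy: ProxyServer

    def authenticate(self, account: str, client_ip: str) -> Dict[Target, str]:
        """Step 2: push the user's policy to the client and tell the proxy
        which client IP belongs to which account."""
        policy = self.policies[account]
        self.proxy.sessions[client_ip] = account
        return policy


@dataclass
class Client:
    proxy_addr: Target
    policy: Dict[Target, str]

    def intercept(self, dst: Target) -> Tuple[Target, Optional[bytes]]:
        """Step 3: a policy-covered destination is rewritten to the proxy,
        with the real target carried in a header; anything else passes
        through untouched."""
        proto = self.policy.get(dst)
        if proto is None:
            return dst, None
        header = f"TARGET {dst[0]} {dst[1]} {proto}\n".encode()
        return self.proxy_addr, header


def demo():
    """Run one sensitive access and one non-sensitive access (constructed)."""
    proxy = ProxyServer(local_services={"ssh": "local-ssh", "rdp": "local-rdp"})
    mc = ManagementCenter(
        policies={"alice": {("10.0.0.5", 22): "ssh", ("10.0.0.9", 3389): "rdp"}},
        proxy=proxy)
    client = Client(proxy_addr=("10.0.0.2", 9000),
                    policy=mc.authenticate("alice", "192.168.1.10"))
    dst, hdr = client.intercept(("10.0.0.5", 22))  # sensitive: goes via proxy
    rec = proxy.accept("192.168.1.10", hdr, ["show version", "show running-config"])
    plain_dst, plain_hdr = client.intercept(("8.8.8.8", 53))  # not in policy
    return dst, rec, plain_dst, plain_hdr


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The proxy refuses connections from IPs the management center has not announced and protocols it has no local service for; both are failure modes the patent's step 4 does not spell out but that a real deployment must handle, since an unattributed or unparsed session cannot be audited.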
In summary, the present invention directly changes the user's network behaviour on the user terminal by means of fully transparent forwarding. On the surface the user accesses the network resource directly, but underneath the method changes the user's behaviour (by modifying the user's data packets) so that the user is connected to the proxy server, and the target resource is then accessed through the proxy server; the whole process is fully transparent to the user, who perceives nothing. Moreover, by having the client direct the traffic to the proxy server, so that the user establishes a connection with the proxy server and the proxy server then connects to the target device, the invention solves the cumbersome procedure of a traditional bastion host, where the user must first log on to the bastion host and then access the target device from it, and so reduces the user's operating difficulty.
Although specific embodiments of the present invention have been described above, those skilled in the art should understand that the specific embodiments described are merely illustrative and do not limit the scope of the present invention; equivalent modifications and variations made by those skilled in the art in accordance with the spirit of the present invention should all fall within the scope of protection claimed by the present invention.

Claims (3)

1. An access control and auditing method for network devices, characterised in that: a client is installed on the user terminal; when the client authenticates, the management center sends the policy information of that user to the client; when the user accesses a network resource, the client judges from the target IP and port accessed by the user whether the device is a resource within the user's permission scope; if it is, the client modifies the user's data packets so that they connect to the proxy server, and passes the target IP, port and application-layer protocol type that the user really intends to access to the proxy server; the proxy server listens for client connections, extracts the IP, port and application-layer protocol type of the target device the client wants to connect to, starts the corresponding local application service according to the protocol type, forwards the client traffic to that local application service, connects to the target device, and at the same time records the user's operation behaviour; if it is not, no processing is performed.
2. The access control and auditing method for network devices according to claim 1, characterised in that: at the same time as the management center sends the user's policy information to the client, it also sends the IP and account number of the authenticated user to the proxy server for associating the user's operation behaviour.
3. The access control and auditing method for network devices according to claim 1 or 2, characterised in that: the policy information is the association information between sensitive devices, account numbers and the devices that may be accessed.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201711429107.8A | 2017-12-26 | 2017-12-26 | A kind of control auditing method accessed the network equipment

Publications (1)

Publication Number | Publication Date
CN108173838A | 2018-06-15

Family ID: 62520732

Country Status (1)

Country | Link
CN | CN108173838A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109067792A (en) * 2018-09-25 2018-12-21 杭州安恒信息技术股份有限公司 The method and apparatus for realizing resources accessing control based on reverse proxy
CN109408326A (en) * 2018-09-30 2019-03-01 福建星瑞格软件有限公司 The method and system of monitoring data library security audit product treatment SQL message efficiency
CN109600395A (en) * 2019-01-23 2019-04-09 山东超越数控电子股份有限公司 A kind of device and implementation method of terminal network access control system
CN109672744A (en) * 2018-12-28 2019-04-23 中电福富信息科技有限公司 A kind of image fort machine method and system of user's unaware
CN109714345A (en) * 2018-12-28 2019-05-03 中电福富信息科技有限公司 A kind of character fort machine method and system of user's unaware
CN113328877A (en) * 2021-05-06 2021-08-31 北京天空卫士网络安全技术有限公司 Method and device for determining port protocol
CN113347217A (en) * 2020-02-18 2021-09-03 北京沃东天骏信息技术有限公司 Network request auditing method and device
CN113992381A (en) * 2021-10-22 2022-01-28 北京天融信网络安全技术有限公司 Authorization method, device, authorization platform and storage medium
CN115118640A (en) * 2022-07-26 2022-09-27 北京安华金和科技有限公司 Database audit processing method and system in presence of proxy equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101588360A (en) * 2009-07-03 2009-11-25 深圳市安络大成科技有限公司 Associated equipment and method for internal network security management
US7634572B2 (en) * 2004-12-22 2009-12-15 Slipstream Data Inc. Browser-plugin based method for advanced HTTPS data processing
CN101877695A (en) * 2009-04-30 2010-11-03 中国移动通信集团江西有限公司 System and method for controlling access right
CN203057192U (en) * 2012-12-10 2013-07-10 浙江省电力公司 Cross-platform security audit device
CN104270334A (en) * 2014-06-13 2015-01-07 国家电网公司 SSH (Secure Shell) network security access protocol monitoring method
CN106936846A (en) * 2017-04-10 2017-07-07 北京明朝万达科技股份有限公司 A kind of method for network access control and device based on WFP platforms




Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication

Application publication date: 2018-06-15