CN108173838A - A control and auditing method for access to network devices - Google Patents
Publication number: CN108173838A (application number CN201711429107.8A)
Authority: CN (China)
Prior art keywords: user, client, proxy server, accessed, target
Legal status (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed): Pending
Classifications (H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security)
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls; H04L63/0281—Proxies
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Abstract
The present invention provides a control and auditing method for access to network devices. When the client authenticates, the administrative centre issues the user's policy information to the client. When the user accesses a network resource, the client uses the target IP and port the user is accessing to judge whether that device is a resource within the user's permission range. If it is, the client modifies the user's data packets so that the connection is made to the proxy server instead, and transmits information such as the target IP of the user's real access to the proxy server. The proxy server listens for client connections, extracts information such as the IP of the target device the client intends to connect to, enables the corresponding local application service, forwards the client traffic to that local service, and then connects to the target device itself. The whole process is transparent to the user and reduces the user's operating difficulty, and because local services are used, encrypted protocols such as SSH can also be audited and controlled.
Description
Technical field
The present invention relates to the field of communication network information security, and in particular to a control and auditing method for access to network devices.
Background technology
With the rapid development of the network information technology, enterprises and institutions' network size and number of devices expand rapidly, and build
Emphasis is gradually from Network Information to the network information security, the operation and maintenance stage that Improve Efficiency is characterized.Enterprises and institutions need
The access of special assets is controlled and audited, intercept unauthorized access and malicious attack, order into line command illegal
It blocks, filters out all unauthorized access behaviors to target device, and audit to internal staff's maloperation and illegal operation
Monitoring, so as to subsequent responsibility tracing, therefore fort machine comes into being.Fort equipment is awarded for Account Administration, authentication, resource
The functions such as power, access control operation audit effectively solve enterprises and institutions' problems faced.Traditional fort machine accesses net in bypass mode
Network, user want access target equipment to be required for logging on to and be attached operation, this access side on fort machine with target device again
Formula needs to change the use habit of user, and operation becomes troublesome, can not settle at one go and be connected directly to target device.
Invention content
The technical problem to be solved by the present invention is to provide a control and auditing method for access to network devices, in which the user's data packets are modified at the user terminal so that the traffic is led to a proxy server, and the proxy server then connects to the target device. The whole process is transparent to the user and the user's operating difficulty is reduced.
The invention is realised as follows. A control and auditing method for access to network devices: a client is installed at the user terminal; when the client authenticates, the administrative centre issues the user's policy information to the client. When the user accesses a network resource, the client uses the target IP and port being accessed to judge whether the device is a resource within the user's permission range. If it is, the client modifies the user's data packets so that the connection is made to the proxy server, and transmits the target IP, port and application-layer protocol type of the user's real access to the proxy server. The proxy server listens for client connections, extracts information such as the IP, port and application-layer protocol type of the target device the client intends to connect to, enables the corresponding local application service according to the protocol type, forwards the client traffic to that local service, connects to the target device, and records the user's operation behaviour. If the device is not within the permission range, no processing is performed.
Further, while the administrative centre issues the user's policy information to the client, it also sends the authenticated user's IP and account number to the proxy server so that the proxy server can associate operation behaviour with the user.
Further, the policy information consists of the sensitive devices, the account number, and the association information between the account and the devices it may access.
The invention has the following advantages. The present invention directly changes the user's network behaviour at the user terminal by means of fully transparent forwarding: on the surface the user accesses the network resource directly, but at the bottom layer the method changes the user's behaviour (by modifying the user's data packets) so that the user is connected to the proxy server, and the proxy server then accesses the target resource. The whole process is fully transparent to the user, who perceives nothing. Moreover, by having the client lead the traffic to the proxy server, so that the user establishes a connection with the proxy server and the proxy server then connects to the target device, the invention solves the problem of the traditional bastion host, where the user must first log on to the bastion host and then access the target device from it, which is cumbersome; the user's operating difficulty is thus reduced.
Description of the drawings
The present invention is further described below with reference to the accompanying drawings and embodiments.
Fig. 1 is a flow chart of the execution of the method of the present invention.
Specific embodiment
In the control and auditing method for access to network devices of the present invention, a client is installed at the user terminal. When the client authenticates, the administrative centre issues the user's policy information to the client. When the user accesses a network resource, the client uses the target IP and port the user is accessing to judge whether the device is a resource within the user's permission range. If it is, the client modifies the user's data packets so that the connection is made to the proxy server, and transmits the target IP, port and application-layer protocol type of the user's real access to the proxy server. The proxy server listens for client connections, extracts the IP, port and application-layer protocol type of the target device the client intends to connect to, enables the corresponding local application service according to the protocol type, forwards the client traffic to that local application service, connects to the target device, and at the same time records the user's operation behaviour. If the device is not within the permission range, no processing is performed.
While the proxy server listens for user connections, it forwards each connection to a local application service according to the application-layer protocol type and at the same time establishes a connection to the target device according to the user information; the proxy server thus acts as an intermediate forwarder. In this way all of the user's access passes through the proxy server, is forwarded to the local application service and then connected to the target device, so the proxy service can control and audit the access and send the audit results to the administrative centre.
Referring to Fig. 1, the detailed process is as follows:
1. The user enters an account at the client and is authenticated.
2. After authentication passes, the administrative centre issues the user's resource policy (including information such as the sensitive devices, the account number and the association between the account and the devices it may access) to the client, and at the same time sends the authenticated user's IP and account number to the proxy server so that the proxy server can associate operation behaviour with the user.
3. When the user accesses a network resource, the client analyses the target IP and port the user is accessing and judges whether they belong to a resource device within the user's permission range. If not, the client does no processing. If so, the client modifies the user's data packets so that the connection is made to the proxy server, and at the same time sends the target IP and port of the user's real access to the proxy server.
4. While listening for user connections, the proxy server establishes a connection to the target device according to the user information and acts as an intermediate forwarder. In this way all of the user's access passes through the proxy server, which controls and audits the access and sends the audit results to the administrative centre.
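The following Python is an added example written for this page; it is not code from the patent or from any product implementing it. It models both sides of the process described above: on the client, the check of the target IP and port against the issued policy and the decision to redirect the connection to the proxy server with the real target IP, port and protocol type sent first; on the proxy, parsing that header, choosing the local application service for the protocol type, and recording an audit entry that associates the operation with the account the administrative centre registered for the client's IP. The header wire format (2-byte length prefix plus JSON), the sample policy, the proxy address, the local-service addresses and the client IPs are all constructed assumptions, since the patent specifies none of them.

```python
import ipaddress
import json
import struct
from dataclasses import dataclass, field

# Policy issued by the administrative centre to the client after authentication.
# Constructed sample: the patent says only that it carries sensitive devices,
# the account number and account-to-device association information.
SAMPLE_POLICY = {
    "account": "alice",
    "devices": [
        {"ip": "10.0.0.5", "port": 22, "protocol": "ssh"},
        {"ip": "10.0.0.7", "port": 3389, "protocol": "rdp"},
    ],
}
PROXY_ADDR = ("192.0.2.10", 4000)  # assumed proxy server address (placeholder)

# Assumed mapping from application-layer protocol type to the local application
# service on the proxy that understands (and can therefore audit) that protocol.
LOCAL_SERVICES = {"ssh": ("127.0.0.1", 2222), "rdp": ("127.0.0.1", 3390)}


# ---------------- client side ----------------

def lookup_device(policy, dst_ip, dst_port):
    """Return the policy entry for (dst_ip, dst_port) if it is a sensitive
    device the user is permitted to access, else None."""
    for dev in policy["devices"]:
        if dev["ip"] == dst_ip and dev["port"] == dst_port:
            return dev
    return None


def encode_redirect_header(dev):
    """Assumed wire format (the patent does not fix one): 2-byte big-endian
    length followed by JSON with the real target IP, port and protocol type."""
    body = json.dumps(
        {"ip": dev["ip"], "port": dev["port"], "protocol": dev["protocol"]}
    ).encode()
    return struct.pack("!H", len(body)) + body


def route_connection(policy, dst_ip, dst_port, proxy_addr=PROXY_ADDR):
    """Client decision for one outgoing connection.
    Returns (mode, connect_addr, header): 'direct' leaves the packets untouched;
    'proxy' means the destination is rewritten to the proxy server and the
    redirect header is sent first so the proxy learns the real target."""
    dev = lookup_device(policy, dst_ip, dst_port)
    if dev is None:
        return ("direct", (dst_ip, dst_port), b"")
    return ("proxy", proxy_addr, encode_redirect_header(dev))


# ---------------- proxy side ----------------

def decode_redirect_header(data):
    """Parse the redirect header at the start of a client connection.
    Returns (target, remaining_bytes); raises ValueError on malformed input."""
    if len(data) < 2:
        raise ValueError("short header")
    (n,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + n:
        raise ValueError("truncated header")
    target = json.loads(data[2:2 + n])
    ipaddress.ip_address(target["ip"])  # reject a malformed target IP
    if not isinstance(target["port"], int) or not 0 < target["port"] < 65536:
        raise ValueError("bad target port")
    if target["protocol"] not in LOCAL_SERVICES:
        raise ValueError("unsupported protocol type %r" % target["protocol"])
    return target, data[2 + n:]


@dataclass
class ProxyState:
    # client IP -> account, as registered by the administrative centre (claim 2)
    sessions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)


def register_user(state, client_ip, account):
    """The administrative centre tells the proxy which account authenticated from client_ip."""
    state.sessions[client_ip] = account


def accept_client(state, client_ip, first_bytes):
    """Handle a new client connection: resolve the account, choose the local
    application service for the protocol type, and record an audit entry.
    Returns (local_service_addr, target). Opening the onward connection to the
    target device is left to the caller; this function only decides."""
    account = state.sessions.get(client_ip)
    if account is None:
        raise PermissionError("no authenticated account registered for %s" % client_ip)
    target, payload = decode_redirect_header(first_bytes)
    local_service = LOCAL_SERVICES[target["protocol"]]
    state.audit_log.append({
        "account": account,
        "client_ip": client_ip,
        "target": (target["ip"], target["port"]),
        "protocol": target["protocol"],
        "payload": payload,  # first bytes of the user's session, kept for auditing
    })
    return local_service, target


if __name__ == "__main__":
    mode, addr, hdr = route_connection(SAMPLE_POLICY, "10.0.0.5", 22)
    print(mode, addr)
    state = ProxyState()
    register_user(state, "198.51.100.4", "alice")  # constructed client IP
    print(accept_client(state, "198.51.100.4", hdr + b"SSH-2.0-client\r\n"))
    print(state.audit_log)
```

The example deliberately stops at the decision points and opens no sockets: in a real deployment the client would rewrite the destination of the user's packets to `PROXY_ADDR` and the proxy would relay bytes between the local service and the target device. Two checks matter on the proxy side: a connection from an IP the administrative centre never registered is refused rather than forwarded, so the audit entry can always be tied to an account, and the header is validated (length, IP syntax, port range, known protocol type) before a local service is selected.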
In summary, the present invention directly changes the user's network behaviour at the user terminal by means of fully transparent forwarding: on the surface the user accesses the network resource directly, but at the bottom layer the method changes the user's behaviour (by modifying the user's data packets) so that the user is connected to the proxy server, and the proxy server then accesses the target resource. The whole process is fully transparent to the user, who perceives nothing. Moreover, by having the client lead the traffic to the proxy server, so that the user establishes a connection with the proxy server and the proxy server then connects to the target device, the invention solves the problem of the traditional bastion host, where the user must first log on to the bastion host and then access the target device from it, which is cumbersome; the user's operating difficulty is thus reduced.
Although specific embodiments of the present invention have been described above, those skilled in the art should understand that the described embodiments are merely exemplary and are not intended to limit the scope of the present invention; equivalent modifications and variations made by those skilled in the art in accordance with the spirit of the present invention are all covered by the scope of protection claimed by the present invention.
Claims (3)
1. A control and auditing method for access to network devices, characterised in that: a client is installed at the user terminal; when the client authenticates, the administrative centre issues the user's policy information to the client; when the user accesses a network resource, the client uses the target IP and port being accessed to judge whether the device is a resource within the user's permission range; if it is, the client modifies the user's data packets so that the connection is made to the proxy server, and transmits the target IP, port and application-layer protocol type of the user's real access to the proxy server; the proxy server listens for client connections, extracts the IP, port and application-layer protocol type of the target device the client intends to connect to, enables the corresponding local application service according to the protocol type, forwards the client traffic to that local application service, connects to the target device, and at the same time records the user's operation behaviour; if it is not, no processing is performed.
2. The control and auditing method for access to network devices according to claim 1, characterised in that: while issuing the user's policy information to the client, the administrative centre also sends the authenticated user's IP and account number to the proxy server for associating operation behaviour with the user.
3. The control and auditing method for access to network devices according to claim 1 or 2, characterised in that: the policy information is the sensitive devices, the account number and the association information between the account and the devices it may access.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711429107.8A CN108173838A (en) | 2017-12-26 | 2017-12-26 | A kind of control auditing method accessed the network equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108173838A true CN108173838A (en) | 2018-06-15 |
Family ID: 62520732 (one family application, CN201711429107.8A, status Pending)
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108173838A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101588360A (en) * | 2009-07-03 | 2009-11-25 | 深圳市安络大成科技有限公司 | Associated equipment and method for internal network security management |
US7634572B2 (en) * | 2004-12-22 | 2009-12-15 | Slipstream Data Inc. | Browser-plugin based method for advanced HTTPS data processing |
CN101877695A (en) * | 2009-04-30 | 2010-11-03 | 中国移动通信集团江西有限公司 | System and method for controlling access right |
CN203057192U (en) * | 2012-12-10 | 2013-07-10 | 浙江省电力公司 | Cross-platform security audit device |
CN104270334A (en) * | 2014-06-13 | 2015-01-07 | 国家电网公司 | SSH (Secure Shell) network security access protocol monitoring method |
CN106936846A (en) * | 2017-04-10 | 2017-07-07 | 北京明朝万达科技股份有限公司 | A kind of method for network access control and device based on WFP platforms |
Timeline
- 2017-12-26: CN application CN201711429107.8A filed (patent/CN108173838A/en), status Pending
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109067792A (en) * | 2018-09-25 | 2018-12-21 | 杭州安恒信息技术股份有限公司 | The method and apparatus for realizing resources accessing control based on reverse proxy |
CN109408326A (en) * | 2018-09-30 | 2019-03-01 | 福建星瑞格软件有限公司 | The method and system of monitoring data library security audit product treatment SQL message efficiency |
CN109408326B (en) * | 2018-09-30 | 2021-11-30 | 福建星瑞格软件有限公司 | Method and system for monitoring SQL message processing efficiency of database security audit product |
CN109672744A (en) * | 2018-12-28 | 2019-04-23 | 中电福富信息科技有限公司 | A kind of image fort machine method and system of user's unaware |
CN109714345A (en) * | 2018-12-28 | 2019-05-03 | 中电福富信息科技有限公司 | A kind of character fort machine method and system of user's unaware |
CN109714345B (en) * | 2018-12-28 | 2021-05-14 | 中电福富信息科技有限公司 | Character bastion machine method and system without perception of user |
CN109600395A (en) * | 2019-01-23 | 2019-04-09 | 山东超越数控电子股份有限公司 | A kind of device and implementation method of terminal network access control system |
CN113347217A (en) * | 2020-02-18 | 2021-09-03 | 北京沃东天骏信息技术有限公司 | Network request auditing method and device |
CN113328877A (en) * | 2021-05-06 | 2021-08-31 | 北京天空卫士网络安全技术有限公司 | Method and device for determining port protocol |
CN113992381A (en) * | 2021-10-22 | 2022-01-28 | 北京天融信网络安全技术有限公司 | Authorization method, device, authorization platform and storage medium |
CN115118640A (en) * | 2022-07-26 | 2022-09-27 | 北京安华金和科技有限公司 | Database audit processing method and system in presence of proxy equipment |
CN115118640B (en) * | 2022-07-26 | 2022-11-01 | 北京安华金和科技有限公司 | Database auditing processing method and system in presence of proxy equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20180615 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |