CN110365635B - Access control method and device for illegal endpoint


Info

Publication number: CN110365635B
Authority: CN (China)
Prior art keywords: downlink, network device, endpoint, interface, connection table
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN201910435854.5A
Other languages: Chinese (zh)
Other versions: CN110365635A
Inventor: 郑萍萍
Current Assignee: New H3C Information Technologies Co Ltd (as listed; may be inaccurate)
Original Assignee: New H3C Technologies Co Ltd

Events: application filed by New H3C Technologies Co Ltd; priority to CN201910435854.5A; publication of CN110365635A; application granted; publication of CN110365635B; current legal status Active.

Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/12: Discovery or management of network topologies
    • H04L 41/14: Network analysis or design
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract

The application provides an access control method and device for an illegal endpoint, comprising the following steps: acquiring downlink information of each network device in the EPS system; constructing, based on the downlink information of each network device, a device connection table representing the connection relationships of the network devices; and determining, according to the device connection table, the network device directly connected to the illegal endpoint that has accessed the EPS system, and blocking the interface on that network device that connects to the illegal endpoint. The method provided by the application can realize access control of illegal endpoints.

Description

Access control method and device for illegal endpoint
Technical Field
The present application relates to the field of computer communications, and in particular, to an access control method and apparatus for an illegal endpoint.
Background
Various types of endpoints are distributed throughout a network, such as cameras, PCs (personal computers), switches, servers, routers, firewalls, APs (wireless access points), printers, ATMs (automatic teller machines), and so on. To manage the endpoints in the network, an EPS system (endpoint detection system) has been developed.
The EPS system comprises an EPS server and an EPS scanner. The EPS scanner scans each endpoint in the network and reports the scanning result to the EPS server. The EPS server checks the legitimacy of each endpoint according to the scanning result, and when an endpoint is found to be illegal, access control needs to be performed on it. How to perform access control on an illegal endpoint is therefore an important question.
Disclosure of Invention
In view of this, the present application provides an access control method and apparatus for an illegal endpoint, so as to implement access control for the illegal endpoint.
Specifically, the method is realized through the following technical scheme:
According to a first aspect of the present application, there is provided an access control method for an illegal endpoint, the method being applied to an EPS server in an EPS system (endpoint detection system), the method including:
acquiring downlink information of each network device in the EPS system;
constructing, based on the downlink information of each network device, a device connection table representing the connection relationships of the network devices;
and determining, according to the device connection table, the network device directly connected to the illegal endpoint that has accessed the EPS system, and blocking the interface on that network device that connects to the illegal endpoint.
Optionally, the downlink information of a network device includes: an identification of the network device, an identification of the neighbor device connected by the network device's downlink, the local interface of the downlink on the network device, and the neighbor interface of the downlink on the neighbor device;
the device connection table includes: a device connection table entry corresponding to each network device;
a device connection table entry includes: the identifier of the network device and whether the network device has a downlink; if the network device has a downlink, the device connection table entry further includes: the identification of the neighbor device connected by the network device's downlink, the local interface of the downlink on the network device, and the neighbor interface of the downlink on the neighbor device.
Optionally, determining, according to the device connection table, the network device directly connected to the illegal endpoint that has accessed the EPS system includes:
determining the gateway device accessed by the illegal endpoint, and taking the gateway device as the target network device;
determining the outgoing interface in the forwarding table entry that matches the address of the illegal endpoint in the forwarding table recorded by the target network device;
searching the device connection table for the at least one device connection table entry corresponding to the target network device, and determining whether the target network device has a downlink based on the downlink existence condition recorded in the found device connection table entry or entries;
if the target network device has a downlink and the outgoing interface is the same as the local interface recorded in any one of the at least one device connection table entries, taking the neighbor device recorded in that entry as the new target network device and returning to the step of determining the outgoing interface in the forwarding table entry that matches the address of the illegal endpoint in the forwarding table recorded by the target network device;
and if the target network device does not have a downlink, determining that the target network device is the network device directly connected to the illegal endpoint.
Optionally, the method further includes:
if the target network device has a downlink and the outgoing interface is not the same as the local interface recorded in any of the at least one device connection table entries, determining that the target network device is the network device directly connected to the illegal endpoint.
Optionally, blocking the interface on the network device that connects to the illegal endpoint includes:
blocking the determined outgoing interface of the forwarding table entry that matches the address of the illegal endpoint.
According to a second aspect of the present application, there is provided an access control apparatus for an illegal endpoint, the apparatus being applied to an EPS server in an EPS system (endpoint detection system), the apparatus including:
an obtaining unit, configured to obtain downlink information of each network device in the EPS system;
a constructing unit, configured to construct, based on the downlink information of each network device, a device connection table representing the connection relationships of the network devices;
and a determining unit, configured to determine, according to the device connection table, the network device directly connected to the illegal endpoint that has accessed the EPS system, and to block the interface on that network device that connects to the illegal endpoint.
Optionally, the downlink information of a network device includes: an identification of the network device, an identification of the neighbor device connected by the network device's downlink, the local interface of the downlink on the network device, and the neighbor interface of the downlink on the neighbor device;
the device connection table includes: a device connection table entry corresponding to each network device;
a device connection table entry includes: the identifier of the network device corresponding to the entry and whether that network device has a downlink; if the network device has a downlink, the device connection table entry further includes: the identification of the neighbor device connected by the network device's downlink, the local interface of the downlink on the network device, and the neighbor interface of the downlink on the neighbor device.
Optionally, the determining unit is specifically configured to: determine the gateway device accessed by the illegal endpoint and take the gateway device as the target network device; determine the outgoing interface in the forwarding table entry that matches the address of the illegal endpoint in the forwarding table recorded by the target network device; search the device connection table for the at least one device connection table entry corresponding to the target network device, and determine whether the target network device has a downlink based on the downlink existence condition recorded in the found entry or entries; if the target network device has a downlink and the outgoing interface is the same as the local interface recorded in any one of the at least one device connection table entries, take the neighbor device recorded in that entry as the new target network device and return to determining the outgoing interface in the forwarding table entry that matches the address of the illegal endpoint in the forwarding table recorded by the target network device; and if the target network device does not have a downlink, determine that the target network device is the network device directly connected to the illegal endpoint.
Optionally, the determining unit is further configured to determine, if the target network device has a downlink and the outgoing interface is not the same as the local interface recorded in any of the at least one device connection table entries, that the target network device is the network device directly connected to the illegal endpoint.
Optionally, when blocking the interface on the network device that connects to the illegal endpoint, the determining unit is specifically configured to block the determined outgoing interface of the forwarding table entry that matches the address of the illegal endpoint.
As can be seen from the above description, the EPS server may calculate the connection relationship between the network devices based on the downlink information reported by each network device, and generate a device connection table for representing the connection relationship between the network devices. The EPS server may determine, based on the device connection table, network devices directly connected to the illegal endpoint by searching step by step from a gateway device connected to the illegal endpoint, and block an interface connecting the illegal endpoint on the determined network devices, thereby implementing access control of the EPS server to the illegal endpoint.
Drawings
FIG. 1a is a block diagram illustrating a network architecture for illegitimate endpoint access control;
FIG. 1b is a networking architecture diagram illustrating another illegitimate endpoint access control;
fig. 2a is a flowchart illustrating an access control method for an illegal endpoint according to an exemplary embodiment of the present application;
fig. 2b is a flowchart illustrating a method for determining the network device directly connected to an illegal endpoint according to an exemplary embodiment of the present application;
fig. 3 is a diagram illustrating an illegitimate endpoint access control according to an exemplary embodiment of the present application;
fig. 4 is a hardware configuration diagram of an EPS server according to an exemplary embodiment of the present application;
fig. 5 is a block diagram illustrating an access control device of an illegal endpoint according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Referring to fig. 1a, fig. 1a is a networking architecture diagram illustrating one type of illegitimate endpoint access control.
The networking for illegal endpoint access control comprises at least: an EPS server, an EPS scanner, a gateway device, and an endpoint.
The gateway device records endpoint information (such as an IP address, a MAC address, and the like of an endpoint) of an endpoint accessing the gateway device, and the EPS scanner may scan the endpoint information of each endpoint on the gateway device and then report the endpoint information to the EPS server.
The EPS server may check the legitimacy of each endpoint based on the endpoint information of each endpoint, and determine whether the endpoint is legitimate.
When the EPS server determines that a certain endpoint is an illegal endpoint, the EPS server may perform access control on the illegal endpoint.
The traditional access control method for an illegal endpoint is described in detail below:
Usually, a forwarding table entry for each endpoint accessing the gateway device is recorded on the gateway device. For example, the gateway device records an ARP (Address Resolution Protocol) entry for each endpoint accessing it. The ARP entry includes: the IP (Internet Protocol) address and MAC (Media Access Control) address of the endpoint, and the outgoing interface. The outgoing interface is the port on the gateway device through which the endpoint is reached.
The traditional illegal endpoint access control method is as follows: the EPS server accesses the gateway device, searches the ARP table recorded by the gateway device for the ARP entry matching the illegal endpoint's address, and then blocks the outgoing interface recorded in that ARP entry.
As shown in fig. 1a, when the endpoint is directly connected to the gateway device, the outgoing interface found in the ARP entry is the interface through which the illegal endpoint accesses the gateway device, so blocking that interface controls the illegal endpoint's access to the gateway device.
In practice, however, an endpoint often accesses the gateway device through an access device, or even through multiple levels of access devices.
For example, as shown in fig. 1b, fig. 1b is a networking architecture diagram illustrating another illegal endpoint access control.
In the networking shown in fig. 1b, endpoint 1 accesses the gateway device through access device A, and endpoints 2 and 3 access the gateway device through access device B.
Assume that the port on the gateway device connected to access device A is Port_A and the port on the gateway device connected to access device B is Port_B. The IP addresses of endpoint 1, endpoint 2 and endpoint 3 are IP1, IP2 and IP3, respectively, and their MAC addresses are MAC1, MAC2 and MAC3, respectively.
The ARP table held by the gateway device is shown in table 1.
IP address    MAC address    Outgoing interface
IP1           MAC1           Port_A
IP2           MAC2           Port_B
IP3           MAC3           Port_B
Table 1
When the EPS server determines that endpoint 2 is an illegal endpoint and applies the traditional access control method to it, it searches the ARP table recorded by the gateway device (table 1) for the ARP entry for endpoint 2 (the IP2 row of table 1) and then blocks that entry's outgoing interface, Port_B.
In the networking shown in fig. 1b, access device B on Port_B is connected not only to endpoint 2 but also to endpoint 3, so once Port_B is blocked, endpoint 3 can no longer reach the gateway device either: a legal endpoint loses its access.
In view of this, the present application provides an access control method for an illegal endpoint, which is suitable for both a network in which a gateway device is directly connected to an endpoint and a network in which an endpoint accesses a gateway through at least one level of access device.
The access control method of the illegal endpoint provided in the present application is described in detail below.
Referring to fig. 2a, fig. 2a is a flowchart illustrating an access control method for an illegal endpoint according to an exemplary embodiment of the present application, where the method may be applied to an EPS server in an EPS system, and may include the following steps.
Step 201: and acquiring downlink information of each network device in the EPS system.
The network devices may include gateway devices, access devices, and so on. An access device may be a forwarding device such as a switch or a router; it is not specifically limited here.
The downlink information of the network device may include: a network device identification, an identification of a neighbor device of a network device's downlink connection, a local interface of the downlink on the network device, a neighbor interface of the downlink on the neighbor device. Of course, the downlink information also includes other information, which is only illustrated by way of example and is not specifically limited.
The network device identifier may include a device identifier of the network device, an IP address of the network device, a MAC address of the network device, and the like, and the network device identifier is not specifically limited herein.
It should be noted that, the downlink described in this application refers to a link used by a network device to connect to a downstream network device.
For example, as shown in fig. 1 b.
The downlink information reported by the gateway device to the EPS server is shown in table 201.
[Table 201 is an image in the original and is not reproduced here. For the networking of fig. 1b it has the same columns as tables 202 and 203 and two rows for the gateway device: local interface Port_A with neighbor access device A, and local interface Port_B with neighbor access device B, each with the corresponding neighbor interface.]
Table 201
Since access device A is directly connected to endpoint 1, access device A has no downlink. The downlink information reported by access device A to the EPS server is shown in table 202.
Network device identification    Local interface    Neighbor device identification    Neighbor interface
Access device A identification   None               None                              None
Table 202
Since access device B is directly connected to endpoint 2 and endpoint 3, access device B has no downlink. The downlink information reported by access device B to the EPS server is shown in table 203.
Network device identification    Local interface    Neighbor device identification    Neighbor interface
Access device B identification   None               None                              None
Table 203
Having introduced the downlink information, the following describes in detail how a network device reports its own downlink information.
In implementation, the EPS server maintains device information for each network device, such as the network device's IP address and SNMP (Simple Network Management Protocol) parameters, and the EPS server can access the network device based on this device information.
In one optional implementation, the EPS server sends a reporting request to each network device based on the locally maintained device information, and each network device reports its own downlink information after receiving the reporting request.
In another optional implementation, a network device may also report its own downlink information to the EPS server periodically.
Of course, a network device may also report its own downlink information to the EPS server when it first accesses the EPS server, and again whenever its own downlinks change, so that the EPS server updates the downlink information it holds for that network device.
The reporting of downlink information by a network device is only illustrated by way of example and is not specifically limited.
Step 202: and constructing a device connection table representing the connection relation of each network device based on the downlink information of each network device.
The EPS server may calculate the connection relationship of each network device based on the downlink information of each network device. The EPS server may then construct a device connection table that characterizes the connection relationships of the network devices.
The device connection table includes a plurality of device connection table entries, and each device connection table entry corresponds to one network device.
The device connection table entry includes: the identifier of the network device corresponding to the device connection table entry, and the downlink existence condition of the network device, where if the network device has a downlink, the device connection table entry further includes: an identification of a neighbor device of a network device's downlink connection, a local interface of the downlink on the network device, a neighbor interface of the downlink on the neighbor device.
Of course, the device connection table entry may further include other information according to actual situations, which is only illustrated by way of example and is not specifically limited.
Still taking fig. 1b as the example, after receiving table 201 reported by the gateway device, table 202 reported by access device A and table 203 reported by access device B, the EPS server can calculate the connection relationships of the network devices to form a device connection table, shown as table 204.
[Table 204 is an image in the original and is not reproduced here. Its columns are network device identification, link status, local interface, neighbor device identification and neighbor interface. It holds the gateway device's two downlink rows from table 201 with link status "yes", and one row each for access device A and access device B with link status "no" and the remaining columns empty.]
Table 204
It should be noted that the link status indicates whether the network device has a downlink, and if the link status is "yes," it indicates that the network device has a downlink. If the link status is "no," it indicates that the network device has no downlink.
The network device identifier is used to uniquely identify a network device, for example, the network device identifier may be a network device IP address, which is merely exemplary and not limited specifically herein.
Step 203: and determining the network equipment directly connected with the illegal endpoint accessed to the EPS system according to the equipment connection table, and blocking an interface connected with the illegal endpoint on the network equipment.
Referring to fig. 2b, fig. 2b is a flowchart of a method for determining the network device directly connected to an illegal endpoint according to an exemplary embodiment of the present application, which may specifically refer to steps 2031 to 2037.
Step 2031: and the EPS server determines the gateway equipment accessed by the illegal endpoint, and takes the gateway equipment as target network equipment.
Usually, a forwarding entry of each endpoint accessing the gateway device, such as an ARP entry of each endpoint, is recorded on the gateway device.
The ARP table entry at least comprises: the IP address, MAC address and outgoing interface of the endpoint accessing the gateway device.
For each network device, the EPS server may check whether an ARP entry for the illegal endpoint is recorded in that network device's ARP table. If the ARP table of a network device contains an ARP entry for the illegal endpoint, the EPS server can determine that this network device is the gateway device accessed by the illegal endpoint.
Of course, the EPS server may also determine the gateway device accessed by the illegal endpoint in other manners. For example, a list of the endpoints accessing the gateway device is recorded on the gateway device, and the EPS server may determine the gateway device accessed by the illegal endpoint based on the list. The "gateway device that the EPS server determines the illegal endpoint access" is not specifically limited herein.
Step 2032: and the EPS server determines an output interface in a forwarding table item matched with the address of the illegal endpoint in a forwarding table recorded by the target network equipment.
It should be noted that when the target network device is a gateway device, the forwarding table is an ARP table and the forwarding table entry is an ARP entry (which carries the endpoint's IP address and MAC address). When the target network device is an access device, the forwarding table is a MAC address table and the forwarding table entry is a MAC entry, matched against the illegal endpoint's MAC address.
In implementation, the EPS server may search the forwarding table recorded by the target network device for the forwarding table entry whose destination address is the illegal endpoint's address, and then obtain the outgoing interface recorded in that entry.
Step 2033: the EPS server may search for at least one device connection table entry corresponding to the target network device in the device connection table, and determine whether the target network device has a downlink based on a downlink existence condition recorded in the searched device connection table entry.
In implementation, the EPS server may search the device connection table for the at least one device connection table entry whose network device identifier is the identifier of the target network device.
The EPS server may then check the link status of the found entry or entries: if any of them has link status "yes", the target network device has a downlink; if all of them record link status "no", the target network device has no downlink.
Step 2034: and if the target network equipment does not have a downlink, determining that the target network equipment is the network equipment directly connected with the illegal endpoint, and blocking the determined output interface in the forwarding table item matched with the address of the illegal endpoint.
Step 2035: if the target network device has a downlink, determining whether the outgoing interface is the same as a local interface recorded in any device connection table entry of the at least one device connection table entry.
Step 2036: if it is determined that the outgoing interface is the same as the local interface recorded in any device connection table entry in the at least one device connection table entry, the neighbor device recorded in any device connection table entry is taken as the target network device, and the process returns to step 2032.
Step 2037: and if the output interface is different from the local interface recorded by the at least one equipment connection table item, determining that the illegal endpoint is directly connected with the target network equipment, and blocking the output interface.
If the target network device has a downlink, the EPS server may check whether the outgoing interface is the same as the local interface recorded in any of the at least one device connection table entries. If it is, the neighbor device recorded in that entry is taken as the new target network device, and steps 2032 to 2037 are repeated. If the outgoing interface differs from the local interface recorded in every one of the at least one device connection table entries, the outgoing interface is blocked.
It should be noted that, the purpose of "the EPS server determines whether the outgoing interface is the same as the local interface recorded in any device connection table entry in the at least one device connection table entry" is to: and judging whether the outgoing interface is an interface directly connected with an illegal endpoint or an interface connected with a downlink of a downstream neighbor device.
When the output interface is not the same as the local interface recorded by the at least one device connection table entry, it indicates that the output interface is directly connected with the illegal endpoint, and at this time, the output interface can be blocked.
When the outgoing interface is the same as the local interface recorded in any device connection table entry in the at least one device connection table entry, indicating that the outgoing interface is a downlink interface for connecting a downstream neighbor device, at this time, the neighbor device may be taken as a target network device, and step 2032 to step 2037 are repeated.
It should be further noted that, by repeatedly executing steps 2032 to 2037, the EPS server may find each node (i.e., network device) in the path from the gateway device to the illegal endpoint one by one, determine the next node of the node in the path through the found node, and finally find the node directly connected to the illegal endpoint, thereby implementing determination of the network device directly connected to the illegal endpoint.
As can be seen from the above description, the EPS server may calculate the connection relationship between the network devices based on the downlink information reported by each network device, and generate a device connection table for representing the connection relationship between the network devices. The EPS server may determine, based on the device connection table, network devices directly connected to the illegal endpoint by searching step by step from a gateway device connected to the illegal endpoint, and block an interface connecting the illegal endpoint on the determined network devices, thereby implementing access control of the EPS server to the illegal endpoint.
In addition, the EPS server can determine the network device directly connected with the illegal endpoint according to the device connection table, and block the interface connected with the illegal endpoint on the network device directly connected with the illegal endpoint, so that the EPS server only blocks the interface accessed by the illegal endpoint, but does not block the interface accessed by the legal device.
The access control method for an illegal endpoint provided by the present application is described in detail below by taking an access device as an example.
Referring to fig. 3, fig. 3 is a schematic diagram illustrating an illegal endpoint access control according to an exemplary embodiment of the present application.
In fig. 3, the EPS server is connected to the EPS scanner, the EPS server is connected to the gateway 301, and the EPS scanner is connected to the gateway 301.
Gateway 301 is directly connected to Port_B1 on switch 301 through Port_A1, and gateway 301 is directly connected to Port_D1 on switch 302 through Port_A2.
Switch 301 is directly connected to Port_C1 on switch 303 through Port_B2, and switch 301 is directly connected to endpoint 301 through Port_B3.
Switch 302 is directly connected to endpoint 302 through Port _ D2.
Switch 303 is directly connected to endpoint 303 through Port _ C2.
Assume that endpoint 301 has IP address IP1 and MAC address MAC1;
endpoint 302 has IP address IP2 and MAC address MAC2;
endpoint 303 has IP address IP3 and MAC address MAC3.
1. The EPS server acquires downlink information of each network device.
Each network device (i.e., the gateway 301, the switch 301, the switch 302, and the switch 303) may send its own downlink information to the EPS server after receiving a report request sent by the EPS server.
Of course, each network device may also periodically send its downlink information to the EPS server. This is not particularly limited herein.
The downlink information reported by the gateway device 301 is shown in table 301.
Network device identification   Local interface   Neighbor device identification   Neighbor interface
Gateway 301                     Port_A1           Switch 301                       Port_B1
Gateway 301                     Port_A2           Switch 302                       Port_D1
Table 301
The downlink information reported by the switch 301 is shown in table 302.
Network device identification   Local interface   Neighbor device identification   Neighbor interface
Switch 301                      Port_B2           Switch 303                       Port_C1
Table 302
The downlink information reported by the switch 302 is shown in table 303.
Network device identification   Local interface   Neighbor device identification   Neighbor interface
Switch 302                      None              None                             None
Table 303
The downlink information reported by the switch 303 is shown in table 304.
Network device identification   Local interface   Neighbor device identification   Neighbor interface
Switch 303                      None              None                             None
Table 304
2. The EPS server constructs a device connection table representing the connection relationships of the network devices based on the downlink information of each network device.
The EPS server may calculate the connection relationships of the gateway 301, the switch 301, the switch 302, and the switch 303 based on the downlink information reported by each of them, and generate a device connection table representing the connection relationships of these four devices. The generated device connection table is shown in table 305.
Network device identification   Link status   Local interface   Neighbor interface   Neighbor device   Remarks
Gateway 301                     Yes           Port_A1           Port_B1              Switch 301
Gateway 301                     Yes           Port_A2           Port_D1              Switch 302
Switch 301                      Yes           Port_B2           Port_C1              Switch 303
Switch 302                      No            None              None                 None
Switch 303                      No            None              None                 None
Table 305
3. The EPS server determines, according to the device connection table, the network device directly connected to an illegal endpoint that has accessed the EPS system, and blocks the interface on that network device to which the illegal endpoint is connected.
Assume that the illegal endpoints are endpoint 301, endpoint 302, and endpoint 303.
1) For endpoint 301
The EPS server may determine that the gateway accessed by endpoint 301 is gateway 301 based on entry information (such as an ARP table, etc.) on gateway 301. For a specific search method, refer to step 2031, which is not described herein again.
Note that, in the networking shown in fig. 3, the ARP table on the gateway 301 is shown in table 306.
IP address   MAC address   Outgoing interface
IP1          MAC1          Port_A1
IP2          MAC2          Port_A2
IP3          MAC3          Port_A1
Table 306
The ARP table is only exemplarily illustrated here, and in practical applications, the ARP table entry may further include other information, such as VLAN identifier, and the like, where the content included in the ARP table entry is not specifically limited here.
The EPS server may then access the gateway 301, find the ARP entry (i.e., the second row in table 306) that matches the MAC address (i.e., MAC1) of endpoint 301 in the ARP table (i.e., table 306) recorded by the gateway 301, and obtain the outgoing interface (i.e., Port_A1) of the found ARP entry.
The EPS server may then look up the device connection table entry corresponding to the gateway 301 in the device connection table shown in table 305 (i.e., the second and third rows in table 305). The EPS server may determine whether the gateway 301 has a downlink based on the "link state" in the second and third rows in the table 305.
Since the "link states" of the second and third rows in table 305 are both "yes", gateway 301 is indicated to have a downlink.
The EPS server can check whether the found outgoing interface Port_A1 is the same as the local interface recorded in the second or third row.
In this example, because the outgoing interface Port_A1 is the same as the local interface recorded in the second row (i.e., Port_A1), the EPS server obtains the "neighbor device" recorded in the second row (i.e., switch 301).
Note that the MAC table on the switch 301 is shown in table 307.
Destination MAC   Outgoing interface
MAC1              Port_B3
MAC3              Port_B2
Table 307
The EPS server may access switch 301, look up the MAC address entry (i.e., the second row in table 307) whose destination address is the MAC address of endpoint 301 (i.e., MAC1) in table 307, and then obtain the outgoing interface (i.e., Port_B3) of the found MAC address entry.
The EPS server may then look up the device connection table entry corresponding to switch 301 (i.e., the fourth row in table 305) in the device connection table shown in table 305. The EPS server may determine whether the switch 301 has a downlink based on the "link state" in the fourth row of the table 305.
Since the fourth row in table 305 has a "link state" of yes, switch 301 is shown to have a downlink.
The EPS server may further check whether the "local interface" in the fourth row is the same as the found outgoing interface (i.e., Port_B3). In this example, the EPS server determines that the "local interface" in the fourth row (i.e., Port_B2) is not the same as the found outgoing interface (Port_B3); therefore the EPS server determines that switch 301 is directly connected to endpoint 301, and blocks Port_B3.
2) For endpoint 302:
the EPS server may determine that the gateway accessed by the endpoint 302 is the gateway 301 based on the entry information (such as the ARP table, etc.) on the gateway 301. For a specific search method, refer to step 2031, which is not described herein again.
The EPS server may then access the gateway 301, look up the ARP entry (i.e., the third row in table 306) that matches the MAC address (i.e., MAC2) of endpoint 302 in the ARP table (i.e., table 306) recorded by the gateway 301, and obtain the outgoing interface (i.e., Port_A2) of the found ARP entry.
The EPS server may then look up the device connection table entry corresponding to the gateway 301 in the device connection table shown in table 305 (i.e., the second and third rows in table 305). The EPS server may determine whether the gateway 301 has a downlink based on the "link state" in the second and third rows in the table 305.
Since the "link states" of the second and third rows in table 305 are both "yes", gateway 301 is indicated to have a downlink.
The EPS server can check whether the found outgoing interface Port_A2 is the same as the local interface recorded in the second or third row.
In this example, because the outgoing interface Port_A2 is the same as the local interface recorded in the third row (i.e., Port_A2), the EPS server obtains the "neighbor device" recorded in the third row (i.e., switch 302).
Note that the MAC table on the switch 302 is shown in table 308.
Destination MAC   Outgoing interface
MAC2              Port_D2
Table 308
The EPS server may access the switch 302, look up the MAC address entry (i.e., the second row in table 308) whose destination address is the MAC address of endpoint 302 (i.e., MAC2) in table 308, and then obtain the outgoing interface (i.e., Port_D2) of the found MAC address entry.
The EPS server may then look up the device connection table entry corresponding to the switch 302 in the device connection table shown in table 305 (i.e., the fifth row in table 305). The EPS server may determine whether the switch 302 has a downlink based on the "link status" of the fifth row in table 305.
Since the "link status" in the fifth row of table 305 is "no", indicating that the switch 302 has no downlink, the EPS server determines that the switch 302 is directly connected to the illegal endpoint 302, and blocks the found outgoing interface Port_D2.
3) For endpoint 303
The EPS server may determine that the gateway accessed by endpoint 303 is gateway 301 based on entry information (such as an ARP table, etc.) on gateway 301. For a specific search method, refer to step 2031, which is not described herein again.
The EPS server may then access the gateway 301, look up the ARP entry (i.e., the fourth row in table 306) that matches the MAC address (i.e., MAC3) of endpoint 303 in the ARP table (i.e., table 306) recorded by the gateway 301, and obtain the outgoing interface (i.e., Port_A1) of the found ARP entry.
The EPS server may then look up the device connection table entry corresponding to the gateway 301 in the device connection table shown in table 305 (i.e., the second and third rows in table 305). The EPS server may determine whether the gateway 301 has a downlink based on the "link state" in the second and third rows in the table 305.
Since the "link states" of the second and third rows in table 305 are both "yes", gateway 301 is indicated to have a downlink.
The EPS server can check whether the found outgoing interface Port_A1 is the same as the local interface recorded in the second or third row.
In this example, because the outgoing interface Port_A1 is the same as the local interface recorded in the second row (i.e., Port_A1), the EPS server obtains the "neighbor device" recorded in the second row (i.e., switch 301).
The EPS server may access switch 301, look up the MAC address entry (i.e., the third row in table 307) whose destination address is the MAC address of endpoint 303 (i.e., MAC3) in table 307, and then obtain the outgoing interface (i.e., Port_B2) of the found MAC address entry.
The EPS server may then look up the device connection table entry corresponding to switch 301 (i.e., the fourth row in table 305) in the device connection table shown in table 305. The EPS server may determine whether the switch 301 has a downlink based on the "link state" in the fourth row of the table 305.
Since the "link status" in the fourth row of table 305 is "yes", switch 301 has a downlink.
The EPS server may further check whether the "local interface" in the fourth row is the same as the found outgoing interface (i.e., Port_B2). In this example, the EPS server determines that the "local interface" in the fourth row (i.e., Port_B2) is the same as the found outgoing interface (Port_B2); therefore the EPS server obtains the "neighbor device" (i.e., switch 303) recorded in the fourth row.
Note that the MAC table on the switch 303 is shown in table 309.
Destination MAC   Outgoing interface
MAC3              Port_C2
Table 309
The EPS server may access switch 303, look up the MAC address entry (i.e., the second row in table 309) whose destination address is the MAC address of endpoint 303 (i.e., MAC3) in table 309, and then obtain the outgoing interface (i.e., Port_C2) of the found MAC address entry.
The EPS server may then look up the device connection table entry corresponding to switch 303 in the device connection table shown in table 305 (i.e., the sixth row in table 305). The EPS server may determine whether the switch 303 has a downlink based on the "link status" of the sixth row in table 305.
Since the "link status" in the sixth row of table 305 is "no", indicating that the switch 303 has no downlink, the EPS server determines that the switch 303 is directly connected to the illegal endpoint 303, and blocks the found outgoing interface Port_C2.
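The step 2031 to 2037 search and the fig. 3 walk-through above, as an added Python example that is not the patent's own code: the topology, ARP and MAC tables are constructed from tables 301 to 309, forwarding lookups are plain dictionary lookups standing in for access to each device, and the visited-set guard is an assumption beyond the text, added so that reported downlink information that happens to form a cycle cannot make the search loop forever.

```python
"""Device connection table construction and gateway-to-endpoint search
(steps 2031-2037) over the constructed fig. 3 topology. Added example,
not the patent holder's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Downlink:
    """One downlink reported by a network device (a row of tables 301-304)."""
    local_if: str      # interface of the downlink on the reporting device
    neighbor: str      # identification of the downstream neighbor device
    neighbor_if: str   # interface of the downlink on the neighbor device


@dataclass(frozen=True)
class ConnEntry:
    """One device connection table entry (a row of table 305)."""
    device: str
    has_downlink: bool
    local_if: Optional[str] = None
    neighbor_if: Optional[str] = None
    neighbor: Optional[str] = None


def build_connection_table(reports: Dict[str, List[Downlink]]) -> List[ConnEntry]:
    """Step 2: one entry per reported downlink; a device that reports no
    downlink gets a single entry whose link status is 'no'."""
    table: List[ConnEntry] = []
    for device, links in reports.items():
        if not links:
            table.append(ConnEntry(device, False))
        for dl in links:
            table.append(ConnEntry(device, True, dl.local_if, dl.neighbor_if, dl.neighbor))
    return table


def locate_access_interface(gateway: str, mac: str, conn_table: List[ConnEntry],
                            fwd_tables: Dict[str, Dict[str, str]]) -> Tuple[str, str]:
    """Steps 2031-2037: walk down from the gateway and return the
    (device, interface) pair directly connected to the endpoint `mac`.
    fwd_tables maps device -> {destination MAC: outgoing interface}, i.e.
    the gateway's ARP table and the switches' MAC tables."""
    target = gateway          # step 2031: the gateway is the first target device
    visited = set()           # assumption: guard against a cyclic/corrupted table
    while True:
        if target in visited:
            raise RuntimeError(f"device connection table loops back to {target}")
        visited.add(target)
        # step 2032: outgoing interface of the forwarding entry matching the MAC
        out_if = fwd_tables.get(target, {}).get(mac)
        if out_if is None:
            raise LookupError(f"{target} has no forwarding entry for {mac}")
        # step 2033: the target's entries in the device connection table
        entries = [e for e in conn_table if e.device == target]
        if not any(e.has_downlink for e in entries):
            return target, out_if          # step 2034: no downlink, block here
        # steps 2035-2036: an outgoing interface equal to a downlink's local
        # interface leads one hop further down, so follow that neighbor
        for e in entries:
            if e.has_downlink and e.local_if == out_if:
                target = e.neighbor
                break
        else:
            return target, out_if          # step 2037: not a downlink, endpoint port


def block_illegal_endpoints(gateway: str, macs: List[str], conn_table: List[ConnEntry],
                            fwd_tables: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Step 3: resolve each illegal MAC to the interface to block; returns
    mac -> (device, interface). Only the endpoint's own port is named, so
    upstream links carrying legal devices are never blocked."""
    return {mac: locate_access_interface(gateway, mac, conn_table, fwd_tables) for mac in macs}


# Constructed fig. 3 data: downlink reports (tables 301-304) and the
# gateway ARP table / switch MAC tables (tables 306-309).
REPORTS: Dict[str, List[Downlink]] = {
    "Gateway 301": [Downlink("Port_A1", "Switch 301", "Port_B1"),
                    Downlink("Port_A2", "Switch 302", "Port_D1")],
    "Switch 301": [Downlink("Port_B2", "Switch 303", "Port_C1")],
    "Switch 302": [],
    "Switch 303": [],
}
FWD_TABLES: Dict[str, Dict[str, str]] = {
    "Gateway 301": {"MAC1": "Port_A1", "MAC2": "Port_A2", "MAC3": "Port_A1"},
    "Switch 301": {"MAC1": "Port_B3", "MAC3": "Port_B2"},
    "Switch 302": {"MAC2": "Port_D2"},
    "Switch 303": {"MAC3": "Port_C2"},
}
CONN_TABLE = build_connection_table(REPORTS)   # table 305

if __name__ == "__main__":
    result = block_illegal_endpoints("Gateway 301", ["MAC1", "MAC2", "MAC3"],
                                     CONN_TABLE, FWD_TABLES)
    for mac, (device, port) in result.items():
        print(f"{mac}: block {port} on {device}")
```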
Referring to fig. 4, fig. 4 is a hardware structure diagram of an EPS server according to an exemplary embodiment of the present application.
The EPS server includes: a communication interface 401, a processor 402, a machine-readable storage medium 403, and a bus 404; wherein the communication interface 401, the processor 402 and the machine-readable storage medium 403 communicate with each other via a bus 404. The processor 402 may perform the above-described access control method for the illegitimate endpoint by reading and executing machine-executable instructions in the machine-readable storage medium 403 corresponding to control logic for access control of the illegitimate endpoint.
The machine-readable storage medium 403 referred to herein may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the machine-readable storage medium may be: volatile memory, non-volatile memory, or similar storage media. In particular, the machine-readable storage medium 403 may be a RAM (random Access Memory), a flash Memory, a storage drive (e.g., a hard disk drive), a solid state disk, any type of storage disk (e.g., a compact disk, a DVD, etc.), or similar storage medium, or a combination thereof.
Referring to fig. 5, fig. 5 is a block diagram illustrating an access control device of an illegal endpoint according to an exemplary embodiment of the present application. The apparatus shown in fig. 5 may be applied to the EPS server shown in fig. 4, and may include the following units.
An obtaining unit 501, configured to obtain downlink information of each network device in the EPS system;
a constructing unit 502, configured to construct, based on downlink information of each network device, a device connection table representing connection relationships of each network device;
a determining unit 503, configured to determine, according to the device connection table, a network device directly connected to an illegal endpoint accessing the EPS system, and block an interface on the network device, where the illegal endpoint is connected to the network device.
Optionally, the downlink information of the network device includes: a network device identification, an identification of a neighbor device of a network device's downlink connection, a local interface of the downlink on the network device, a neighbor interface of the downlink on the neighbor device;
the device connection table includes: the device connection table items corresponding to the network devices;
the device connection table entry includes: the identifier of the network device corresponding to the device connection table entry, and the downlink existence condition of the network device, where if the network device has a downlink, the device connection table entry further includes: an identification of a neighbor device of a network device's downlink connection, a local interface of the downlink on the network device, a neighbor interface of the downlink on the neighbor device.
Optionally, the determining unit 503 is specifically configured to determine a gateway device accessed by the illegal endpoint, and use the gateway device as a target network device; determining an output interface in a forwarding table entry matched with the address of the illegal endpoint in a forwarding table recorded by the target network equipment; searching at least one equipment connection table item corresponding to the target network equipment in the equipment connection table, and determining whether the target network equipment has a downlink or not based on the downlink existence condition recorded by the searched equipment connection table item; if the target network device has a downlink, when the fact that the outgoing interface is the same as a local interface recorded by any device connection table entry in the at least one device connection table entry is determined, taking neighbor devices recorded by any device connection table entry as the target network device, returning the neighbor devices to a forwarding table recorded by the target network device, and determining the outgoing interface in the forwarding table entry matched with the address of the illegal endpoint; and if the target network equipment does not have a downlink, determining that the target network equipment is the network equipment directly connected with the illegal endpoint.
Optionally, the determining unit 503 is further specifically configured to determine that the target network device is a network device directly connected to the illegal endpoint when it is determined that the outgoing interface is not the same as the local interface recorded in the at least one device connection table entry if the target network device has a downlink.
Optionally, the determining unit 503 is specifically configured to block the determined outgoing interface in the forwarding table entry matching the address of the illegal endpoint when blocking the interface connected to the illegal endpoint on the network device.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (8)

1. An access control method for an illegal endpoint is applied to an EPS server in an EPS system of an endpoint detection system, and the method comprises the following steps:
acquiring downlink information of each network device in the EPS system;
constructing an equipment connection table representing connection relation of each network equipment based on downlink information of each network equipment;
according to the device connection table, determining network devices directly connected with illegal endpoints accessed to the EPS system, and blocking interfaces connected with the illegal endpoints on the network devices;
the device connection table includes: the device connection table items corresponding to the network devices;
the device connection table entry includes: the identifier of the network device and the downlink existence condition of the network device, if the network device has a downlink, the device connection table entry further includes: an identification of a neighbor device of a downlink connection of a network device, a local interface of the downlink on the network device;
the determining, according to the device connection table, of the network device directly connected to the illegal endpoint accessing the EPS system includes:
determining gateway equipment accessed by the illegal endpoint, and taking the gateway equipment as target network equipment;
determining an output interface in a forwarding table entry matched with the address of the illegal endpoint in a forwarding table recorded by the target network equipment;
searching at least one equipment connection table item corresponding to the target network equipment in the equipment connection table, and determining whether the target network equipment has a downlink or not based on the downlink existence condition recorded by the searched equipment connection table item;
if the target network device has a downlink, when the fact that the outgoing interface is the same as a local interface recorded by any device connection table entry in the at least one device connection table entry is determined, taking neighbor devices recorded by any device connection table entry as the target network device, returning the neighbor devices to a forwarding table recorded by the target network device, and determining the outgoing interface in the forwarding table entry matched with the address of the illegal endpoint;
and if the target network equipment does not have a downlink, determining that the target network equipment is the network equipment directly connected with the illegal endpoint.
2. The method of claim 1, wherein the downlink information of the network device comprises: an identification of a network device, an identification of a neighbor device of a downlink connection of the network device, a local interface of the downlink on the network device, a neighbor interface of the downlink on the neighbor device;
if the network device has a downlink, the device connection table entry further includes: the downlink is at a neighbor interface on the neighbor device.
3. The method of claim 1, further comprising:
if the target network device has a downlink, determining that the target network device is a network device directly connected with the illegal endpoint when determining that the outgoing interface is not the same as the local interface recorded by the at least one device connection table entry.
4. The method of claim 1, wherein blocking the interface on the network device that connects the illegitimate endpoint comprises:
and blocking the determined output interface in the forwarding table entry matched with the address of the illegal endpoint.
5. An access control device for an illegal endpoint, which is applied to an EPS server in an EPS system of an endpoint detection system, the device comprising:
an obtaining unit, configured to obtain downlink information of each network device in the EPS system;
a constructing unit, configured to construct, based on downlink information of each network device, a device connection table representing connection relationships of each network device;
a determining unit, configured to determine, according to the device connection table, a network device directly connected to an illegal endpoint accessing the EPS system, and block the interface on the network device to which the illegal endpoint is connected;
the device connection table includes: the device connection table items corresponding to the network devices;
the device connection table entry includes: the identifier of the network device and the downlink existence condition of the network device, if the network device has a downlink, the device connection table entry further includes: an identification of a neighbor device of a downlink connection of a network device, a local interface of the downlink on the network device;
the determining unit is specifically configured to determine a gateway device to which the illegal endpoint is accessed, and use the gateway device as a target network device; determining an output interface in a forwarding table entry matched with the address of the illegal endpoint in a forwarding table recorded by the target network equipment; searching at least one equipment connection table item corresponding to the target network equipment in the equipment connection table, and determining whether the target network equipment has a downlink or not based on the downlink existence condition recorded by the searched equipment connection table item; if the target network device has a downlink, when the fact that the outgoing interface is the same as a local interface recorded by any device connection table entry in the at least one device connection table entry is determined, taking neighbor devices recorded by any device connection table entry as the target network device, returning the neighbor devices to a forwarding table recorded by the target network device, and determining the outgoing interface in the forwarding table entry matched with the address of the illegal endpoint; and if the target network equipment does not have a downlink, determining that the target network equipment is the network equipment directly connected with the illegal endpoint.
6. The apparatus of claim 5, wherein the downlink information of the network device comprises: a network device identification, an identification of a neighbor device of a network device's downlink connection, a local interface of the downlink on the network device, a neighbor interface of the downlink on the neighbor device;
if the network device has a downlink, the device connection table entry further includes: an identification of a neighbor device of a network device's downlink connection, a local interface of the downlink on the network device, a neighbor interface of the downlink on the neighbor device.
7. The apparatus according to claim 5, wherein the determining unit is further specifically configured to determine that the target network device is a network device directly connected to the illegal endpoint if the target network device has a downlink and the outgoing interface is determined to be different from the local interface recorded in the at least one device connection table entry.
8. The apparatus according to claim 5, wherein the determining unit, when blocking the interface of the network device connected to the illegal endpoint, is specifically configured to block the determined outgoing interface in the forwarding table entry matching the address of the illegal endpoint.
CN201910435854.5A 2019-05-23 2019-05-23 Access control method and device for illegal endpoint Active CN110365635B (en)
Publications (2)

Publication Number   Publication Date
CN110365635A         2019-10-22
CN110365635B         2022-04-26

Legal Events

Date       Code   Title
           PB01   Publication
           SE01   Entry into force of request for substantive examination
           GR01   Patent grant
20230612   TR01   Transfer of patent right
                  Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd., 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466
                  Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd., 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province