CN111131273A - Internet access control system for network engineering - Google Patents


Info

Publication number
CN111131273A
CN111131273A
Authority
CN
China
Prior art keywords
network
security
access control
access
software
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201911377350.9A
Other languages
Chinese (zh)
Inventor
Inventor not disclosed (不公告发明人)
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Wangsou Technology Co ltd
Original Assignee
Hangzhou Wangsou Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Wangsou Technology Co ltd
Priority to CN201911377350.9A
Publication of CN111131273A
Legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses an internet access control system for network engineering comprising a client, a policy executor, a security server, an isolation network and a repair server. The client is client software installed on the system's terminal devices; the policy executor is a network access device in the network; the security server is the core server of the network security access control system; the isolation network is a relatively independent network with enhanced security; and the repair server is the system's vulnerability repair server. By authenticating, checking, isolating, repairing, managing and monitoring the terminal devices that access the network, the invention changes the whole network from passive single-point defence to active comprehensive defence, so that potential risks can be discovered and prevented before malicious behaviour occurs, effectively improving network security.

Description

Internet access control system for network engineering
Technical Field
The invention relates to the technical field of network access control, in particular to an internet access control system for network engineering.
Background
An internet access control system is the mechanism by which terminal devices request or access network resources, and it forms the communication bridge between terminal devices and the internet. In the current internet era it is a major trouble spot for network security: when the security situation changes, existing systems cannot adjust their security policies in time to meet new security challenges, so network access control systems urgently need protection.
Although existing internet access control systems have invested large amounts of manpower, material and financial resources in building security systems such as identity authentication, firewalls and intrusion detection, each of these systems targets one specific security domain, and there is no integrated, flexibly configurable security architecture. As a result, such systems can only perform passive single-point access control and cannot discover and eliminate potential security hazards in advance, which reduces the security of network access control.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing an internet access control system for network engineering.
To achieve this purpose, the invention adopts the following technical scheme: an internet access control system for network engineering comprising a client, a policy executor, a security server, an isolation network and a repair server;
the client is client software installed on the system's terminal devices and is used to collect data such as the user terminal's identity authentication information and terminal security state information and transmit it to the system server;
the policy executor is a network access device in the network and is used to enforce access control on the terminal devices;
the security server is the core server of the network security access control system and is used to define, configure and manage the network security policy of the protected network;
the isolation network is a relatively independent network with enhanced security, used to keep the internal network protected as far as possible by isolating terminals that pose a potential security hazard;
the repair server is the system's vulnerability repair server, used to help terminal devices that fail the security check eliminate their security hazards so that they can then access the protected internet network resources.
As a further description of the above technical solution:
the security server comprises a security state checking module;
the security state checking module consists of a user identity authentication unit, a system state checking unit and a network access control unit;
the user identity authentication unit checks the legitimacy of a user attempting to access internet resources, preventing unauthorised internet access and ensuring the legitimacy of the access control system;
the system state checking unit collects various types of security state data from the terminal system and compares them with the security policy, ensuring that the device meets the specified security level and reducing the risk that vulnerabilities in the device could bring to the network;
the network access control unit allows or denies access for terminal devices that send an access request, ensuring that terminal devices admitted to the internet reach the level required by the security policy.
As a further description of the above technical solution:
the security server further comprises a security policy management module;
the security policy management module consists of a system integrity management unit, a software state management unit and a further software management unit;
the system integrity management unit checks the completeness (integrity) of the security patches on systems in the network; terminals that pass the security patch check are admitted to the network, and terminals that fail it are denied access;
the software state management unit checks the security state of the antivirus software and firewall software on the terminal device, ensuring that the terminal's security software is in a normal, usable state;
the further software management unit allows software on the terminal device to be added, modified and deleted according to custom rules, ensuring that the software on the terminal meets the actual requirements of access control.
As a further description of the above technical solution:
the repair server comprises a system vulnerability self-checking module and a vulnerability locating and repairing module;
the system vulnerability self-checking module performs a comprehensive self-check for weaknesses and vulnerabilities in the terminal device's hardware and software, preventing information leakage after the terminal device is admitted to the network and ensuring the security of the access control system;
the vulnerability locating and repairing module accurately locates each vulnerability and weakness and repairs them promptly in a manner that conforms to the security management policy, ensuring the health of the terminal device's software and hardware.
An internet access control method for network engineering comprises the following steps:
S01: the user terminal device requests access to the protected network;
S02: the access control system authenticates and identifies the identity information of the user terminal and determines whether the accessing user is legitimate;
S03: the policy executor detects the software and hardware security state of the accessing user terminal device;
S04: the security server receives the security state information of the user terminal device, performs security authentication and inspection, and determines whether the user terminal system is compliant;
S05: the check results for the user terminal's software, hardware and system are obtained, and the access network is monitored in real time.
As a further description of the above technical solution:
in step S02, when the authentication information of the user terminal device is illegitimate, its access request is denied and it is not admitted to the network;
when the authentication information of the user terminal device is legitimate, its access request is allowed and it is admitted to the network.
As a further description of the above technical solution:
in step S04, when the security state of the user terminal device does not conform to the specified security policy, the device is isolated and directed to the repair area of the network, repaired until it reaches the required security level, and its security state is checked continuously;
when the security state of the user terminal device conforms to the specified security policy, the device is admitted directly to the network.
Advantageous effects
The invention provides an internet access control system for network engineering with the following beneficial effects:
(1) By authenticating, checking, isolating, repairing, managing and monitoring the terminal devices that access the network, the system changes the whole network from passive single-point defence to active comprehensive defence; it can discover and prevent malicious behaviour before it occurs, eliminate potential risks and effectively improve network security.
(2) The system changes distributed management into centralised management, can make comprehensive decisions on the software and hardware security state of the terminal devices admitted to the network, speeds up the transmission of network data and thus effectively improves the health of the network.
Drawings
Fig. 1 is a schematic overall structure diagram of an internet access control system for network engineering according to the present invention;
FIG. 2 is a schematic diagram of a security server of the present invention;
FIG. 3 is a schematic diagram of a security status checking module according to the present invention;
FIG. 4 is a schematic diagram of a security policy management module of the present invention;
FIG. 5 is a schematic diagram of a repair server in accordance with the present invention;
fig. 6 is a flowchart illustrating an internet access control method for network engineering according to the present invention.
Detailed Description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings; the described embodiments are only some, not all, of the embodiments of the invention.
As shown in fig. 1 to 6, an internet access control system for network engineering comprises a client, a policy executor, a security server, an isolation network and a repair server;
the client is client software installed on the system's terminal devices and is used to collect data such as the user terminal's identity authentication information and terminal security state information and transmit it to the system server;
the policy executor is a network access device in the network and is used to enforce access control on the terminal devices;
the security server is the core server of the network security access control system and is used to define, configure and manage the network security policy of the protected network;
the isolation network is a relatively independent network with enhanced security, used to keep the internal network protected as far as possible by isolating terminals that pose a potential security hazard;
the repair server is the system's vulnerability repair server, used to help terminal devices that fail the security check eliminate their security hazards so that they can then access the protected internet network resources.
The security server comprises a security state checking module;
the security state checking module consists of a user identity authentication unit, a system state checking unit and a network access control unit;
the user identity authentication unit checks the legitimacy of a user attempting to access internet resources, preventing unauthorised internet access and ensuring the legitimacy of the access control system;
the system state checking unit collects various types of security state data from the terminal system and compares them with the security policy, ensuring that the device meets the specified security level and reducing the risk that vulnerabilities in the device could bring to the network;
the network access control unit allows or denies access for terminal devices that send an access request, ensuring that terminal devices admitted to the internet reach the level required by the security policy.
The security server further comprises a security policy management module;
the security policy management module consists of a system integrity management unit, a software state management unit and a further software management unit;
the system integrity management unit checks the completeness (integrity) of the security patches on systems in the network; terminals that pass the security patch check are admitted to the network, and terminals that fail it are denied access;
the software state management unit checks the security state of the antivirus software and firewall software on the terminal device, ensuring that the terminal's security software is in a normal, usable state;
the further software management unit allows software on the terminal device to be added, modified and deleted according to custom rules, ensuring that the software on the terminal meets the actual requirements of access control.
The repair server comprises a system vulnerability self-checking module and a vulnerability locating and repairing module;
the system vulnerability self-checking module performs a comprehensive self-check for weaknesses and vulnerabilities in the terminal device's hardware and software, preventing information leakage after the terminal device is admitted to the network and ensuring the security of the access control system;
the vulnerability locating and repairing module accurately locates each vulnerability and weakness and repairs them promptly in a manner that conforms to the security management policy, ensuring the health of the terminal device's software and hardware.
An internet access control method for network engineering comprises the following steps:
S01: the user terminal device requests access to the protected network;
S02: the access control system authenticates and identifies the identity information of the user terminal and determines whether the accessing user is legitimate;
S03: the policy executor detects the software and hardware security state of the accessing user terminal device;
S04: the security server receives the security state information of the user terminal device, performs security authentication and inspection, and determines whether the user terminal system is compliant;
S05: the check results for the user terminal's software, hardware and system are obtained, and the access network is monitored in real time.
In step S02, when the authentication information of the user terminal device is illegitimate, its access request is denied and it is not admitted to the network;
when the authentication information of the user terminal device is legitimate, its access request is allowed and it is admitted to the network.
In step S04, when the security state of the user terminal device does not conform to the specified security policy, the device is isolated and directed to the repair area of the network, repaired until it reaches the required security level, and its security state is checked continuously;
when the security state of the user terminal device conforms to the specified security policy, the device is admitted directly to the network.
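The admission flow of steps S01 to S05, together with the checks the description attributes to the security state checking module and the security policy management module (patch completeness, antivirus and firewall state, disallowed software), as an added worked example. This is illustration code written for this page, not code from the patent or its assignee. It assumes a challenge/response HMAC credential for the identity check, a posture report with the fields the description names, and a repair server that can install only the patches it has available; the function names `admit`, `check_posture` and `remediate`, the user `alice` and all sample data are constructed for the example.

```python
# Added example (not from the patent): a minimal admission-control flow for
# steps S01-S05. All names, the credential scheme and the sample data are
# assumptions made for this illustration.
from dataclasses import dataclass, replace
from enum import Enum
import hashlib
import hmac


class Decision(Enum):
    DENY = "deny"              # S02: identity check failed
    QUARANTINE = "quarantine"  # S04: non-compliant, sent to the isolation network
    ALLOW = "allow"            # S04: compliant, admitted to the protected network


@dataclass(frozen=True)
class PostureReport:
    """Security state the client agent reports about one terminal."""
    terminal_id: str
    installed_patches: frozenset
    antivirus_running: bool
    signature_age_days: int
    firewall_enabled: bool
    installed_software: frozenset


@dataclass(frozen=True)
class SecurityPolicy:
    """Policy defined on the security server."""
    required_patches: frozenset
    max_signature_age_days: int
    banned_software: frozenset


# Hypothetical credential store (user -> shared secret) for a challenge/response
# check standing in for the user identity authentication unit.
USER_SECRETS = {"alice": b"alice-secret-for-example-only"}


def authenticate(user, challenge, response):
    """S02: accept only a correct HMAC-SHA256 of the server's challenge."""
    secret = USER_SECRETS.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)  # constant-time compare


def check_posture(report, policy):
    """S03/S04: compare the reported state with policy; return the violations."""
    violations = []
    missing = policy.required_patches - report.installed_patches
    if missing:  # system integrity management unit: patch completeness
        violations.append("missing_patches:" + ",".join(sorted(missing)))
    if not report.antivirus_running:  # software state management unit
        violations.append("antivirus_stopped")
    if report.signature_age_days > policy.max_signature_age_days:
        violations.append("antivirus_signatures_stale")
    if not report.firewall_enabled:
        violations.append("firewall_disabled")
    banned = policy.banned_software & report.installed_software
    if banned:  # further software management unit: remove disallowed software
        violations.append("banned_software:" + ",".join(sorted(banned)))
    return violations


def remediate(report, policy, available_patches):
    """Hypothetical repair-server action: fix what it can, leave the rest."""
    installable = (policy.required_patches - report.installed_patches) & available_patches
    return replace(
        report,
        installed_patches=report.installed_patches | installable,
        antivirus_running=True,
        signature_age_days=0,
        firewall_enabled=True,
        installed_software=report.installed_software - policy.banned_software,
    )


def admit(user, challenge, response, report, policy,
          available_patches=frozenset(), max_rounds=3):
    """S01-S05 in one loop: authenticate, check, quarantine and repair, re-check.
    Returns (final decision, list of per-round decisions)."""
    if not authenticate(user, challenge, response):
        return Decision.DENY, [Decision.DENY]
    history = []
    for _ in range(max_rounds):
        violations = check_posture(report, policy)
        if not violations:
            history.append(Decision.ALLOW)
            return Decision.ALLOW, history
        history.append(Decision.QUARANTINE)  # isolate, then let the repair server act
        report = remediate(report, policy, available_patches)
    return Decision.QUARANTINE, history  # still non-compliant: stays isolated


# Constructed sample data for a stand-alone run.
POLICY = SecurityPolicy(frozenset({"KB-1", "KB-2"}), 7, frozenset({"p2p-client"}))
SAMPLE = PostureReport("pc-01", frozenset({"KB-1"}), False, 30, True,
                       frozenset({"p2p-client"}))
CHALLENGE = b"nonce-0001"
GOOD_RESPONSE = hmac.new(USER_SECRETS["alice"], CHALLENGE, hashlib.sha256).digest()

if __name__ == "__main__":
    print(admit("alice", CHALLENGE, GOOD_RESPONSE, SAMPLE, POLICY, frozenset({"KB-2"})))
    print(admit("alice", CHALLENGE, GOOD_RESPONSE, SAMPLE, POLICY))
    print(admit("alice", CHALLENGE, b"\x00" * 32, SAMPLE, POLICY))
```

Running the file prints one tuple per scenario: the final decision and the per-round history. A terminal whose missing patch the repair server can supply goes QUARANTINE then ALLOW; one whose patch is unavailable stays QUARANTINE after `max_rounds` re-checks rather than being admitted, which is the "checked continuously" condition of step S04; a wrong credential is DENY at S02 before any posture data is evaluated, so a device that cannot prove its user's identity never reaches the repair area.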
In the description herein, references to the description of "one embodiment," "an example," "a specific example" or the like are intended to mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The above description covers only a preferred embodiment of the invention, and the scope of the invention is not limited to it: any equivalent or modification of the technical solutions and inventive concepts of the invention that a person skilled in the art could readily conceive falls within the scope of the invention.

Claims (7)

1. An internet access control system for network engineering, comprising a client, a policy executor, a security server, an isolation network and a repair server, wherein:
the client is client software installed on the system's terminal devices and is used to collect data such as the user terminal's identity authentication information and terminal security state information;
the policy executor is a network access device in the network and is used to enforce access control on the terminal devices;
the security server is the core server of the network security access control system and is used to define, configure and manage the network security policy of the protected network;
the isolation network is a relatively independent network with enhanced security, used to keep the internal network protected as far as possible by isolating terminals that pose a potential security hazard;
the repair server is the system's vulnerability repair server, used to help terminal devices that fail the security check eliminate their security hazards.
2. The internet access control system for network engineering as claimed in claim 1, wherein the security server comprises a security state checking module;
the security state checking module consists of a user identity authentication unit, a system state checking unit and a network access control unit;
the user identity authentication unit checks the legitimacy of a user attempting to access internet resources;
the system state checking unit collects various types of security state data from the terminal system and compares them with the security policy;
the network access control unit allows or denies access for terminal devices that send an access request.
3. The internet access control system for network engineering as claimed in claim 1, wherein the security server further comprises a security policy management module;
the security policy management module consists of a system integrity management unit, a software state management unit and a further software management unit;
the system integrity management unit checks the completeness (integrity) of the security patches on systems in the network;
the software state management unit checks the security state of the antivirus software and firewall software on the terminal device;
the further software management unit allows software on the terminal device to be added, modified and deleted according to custom rules.
4. The internet access control system for network engineering as claimed in claim 1, wherein the repair server comprises a system vulnerability self-checking module and a vulnerability locating and repairing module;
the system vulnerability self-checking module performs a comprehensive self-check for weaknesses and vulnerabilities in the terminal device's hardware and software;
the vulnerability locating and repairing module accurately locates each vulnerability and weakness and repairs them promptly in a manner that conforms to the security management policy.
5. An internet access control method for network engineering, characterised by comprising the following steps:
S01: the user terminal device requests access to the protected network;
S02: the access control system authenticates and identifies the identity information of the user terminal and determines whether the accessing user is legitimate;
S03: the policy executor detects the software and hardware security state of the accessing user terminal device;
S04: the security server receives the security state information of the user terminal device, performs security authentication and inspection, and determines whether the user terminal system is compliant;
S05: the check results for the user terminal's software, hardware and system are obtained, and the access network is monitored in real time.
6. The internet access control method for network engineering as claimed in claim 5, wherein in step S02, when the authentication information of the user terminal device is illegitimate, its access request is denied and it is not admitted to the network;
when the authentication information of the user terminal device is legitimate, its access request is allowed and it is admitted to the network.
7. The internet access control method for network engineering as claimed in claim 5, wherein in step S04, when the security state of the user terminal device does not conform to the specified security policy, the device is isolated and directed to the repair area of the network, repaired until it reaches the required security level, and its security state is checked continuously;
when the security state of the user terminal device conforms to the specified security policy, the device is admitted directly to the network.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911377350.9A CN111131273A (en) 2019-12-27 2019-12-27 Internet access control system for network engineering

Publications (1)

Publication Number Publication Date
CN111131273A true CN111131273A (en) 2020-05-08

Family

Family ID: 70504019

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911377350.9A Withdrawn CN111131273A (en) 2019-12-27 2019-12-27 Internet access control system for network engineering

Country Status (1)

Country Link
CN (1) CN111131273A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112839031A (en) * 2020-12-24 2021-05-25 江苏天创科技有限公司 Industrial control network security protection system and method
CN115174379A (en) * 2022-07-27 2022-10-11 西安热工研究院有限公司 Vulnerability repair method and device of industrial control network and storage medium

Legal Events

Date Code Title Description
2020-05-08 PB01 Publication
WW01 Invention patent application withdrawn after publication (application publication date: 2020-05-08)