CN111327577A - Switch-based security access method and device - Google Patents


Info

Publication number: CN111327577A
Authority: CN (China)
Prior art keywords: switch, port, management platform, accessed, unique identifier
Legal status: Granted; currently active
Application number: CN201811542703.1A
Other languages: Chinese (zh)
Other versions: CN111327577B (en)
Inventor: 祝接金
Current Assignee: Zhejiang Uniview Technologies Co Ltd
Original Assignee: Zhejiang Uniview Technologies Co Ltd
Application filed by Zhejiang Uniview Technologies Co Ltd
Priority to CN201811542703.1A
Publication of CN111327577A
Application granted
Publication of CN111327577B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04N: PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00: Television systems
    • H04N7/18: Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast
    • H04N7/181: Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast, for receiving images from a plurality of remote sources

Abstract

The invention discloses a switch-based security access method and device. A management platform sends the switch an operation instruction to switch to a monitoring mode; in that mode, each switch port to which a front-end device is connected is placed in a monitoring state, and each port with no front-end device connected is placed in a disabled state. The platform receives the unique identifier of the front-end device on a switch port, as sent by the switch in monitoring mode, and compares it with the unique identifier it has stored locally for that port, thereby controlling the access of the connected front-end device. If the identifiers are inconsistent, the switch port is set to a forbidden state and an alarm is triggered; on receiving the alarm, the platform confirms whether the front-end device on that port is safe and, once its safety is ensured, sets the port to allow the device access and switches the port back to the monitoring state. The invention thus provides secure access control for connected front-end devices.

Description

Switch-based security access method and device
Technical Field
The invention belongs to the technical field of equipment access security, and particularly relates to a security access method and device based on a switch.
Background
In a video surveillance system the switch, as an access-layer device, plays an important role: front-end devices such as network cameras connect to the back-end management platform through it. Although the current video surveillance management platform and front-end devices already have some security admission technology, the switch, despite being an important network node, does not play a corresponding role. In particular, the access-layer switch, the network node closest to the front-end device, should perform a security admission role.
At present the video surveillance management platform and front-end devices ensure secure device access by means such as password authentication and security certificate authentication. As widely deployed network devices, switches already have many network-security mechanisms, such as protection against MAC address flooding attacks, broadcast storm attacks and loop attacks.
In the networking of a video surveillance system there is currently only a secure access scheme between the management platform and the front-end devices; there is no technical means for the management platform to manage the security of connected front-end devices through the switch. Moreover, the existing security technology of switches mostly targets general network security and lacks security controls adapted to the access of video surveillance network devices.
Disclosure of Invention
The invention aims to provide a switch-based security access method and device that control, on the switch the front-end device connects to, the secure access of that front-end device to the video surveillance management platform, prevent network attack behaviour carried out on the switch side, and improve the security of the video surveillance system.
In order to achieve the purpose, the technical scheme of the invention is as follows:
A switch-based security access method, applied to the management platform of a video surveillance system, comprises the following steps:
after the switch connects to the management platform, writing the information of the device hosting the management platform into the switch;
sending the switch an operation instruction to switch to the monitoring mode; after the switch verifies the instruction against the recorded information of the device hosting the management platform, it switches to the monitoring mode, whereupon each switch port to which a front-end device is connected is switched to the monitoring state and each port with no front-end device connected is switched to the forbidden state;
receiving the unique identifier of the front-end device connected to a switch port, as sent by the switch in monitoring mode, and comparing it with the unique identifier stored locally for that switch port: if they are consistent, taking no action; if they are inconsistent, setting the switch port to the forbidden state and triggering an alarm; and if no unique identifier is stored locally for that switch port, storing the front-end device's unique identifier as the locally stored identifier for that port;
when the alarm is received, confirming whether the front-end device connected to the switch port is safe and, once its safety is determined, setting the port to allow the front-end device access and switching the switch port back to the monitoring state.
Further, the switch-based security admission method further includes:
receiving the unique identifier of the front-end device connected to a port, sent when the switch port detects an abnormality in the monitoring state, setting the switch port to the forbidden state, and triggering an alarm;
when the alarm is received, confirming whether the front-end device connected to the switch port is safe and, once its safety is determined, setting the port to allow the front-end device access and switching the switch port back to the monitoring state.
Further, the switch-based security admission method further includes:
sending the switch an operation instruction to switch to the normal mode, clearing the unique identifier corresponding to each switch port, switching the switch to the normal mode, and switching each switch port to the enabled state.
Furthermore, after the switch connects to the management platform and the information of the device hosting the management platform has been written into the switch, the management platform is bound with the switch;
wherein the binding of the management platform and the switch comprises:
strong binding, in which the switch is bound to the device hosting the management platform and cannot be bound by any other management platform unless the management platform actively deletes the switch or modifies its binding mode;
or weak binding, in which the switch is bound to the device hosting the management platform but responds to a binding request from another management platform, and is bound by it, when the switch is not bound by another management platform or fails to communicate with the management platform it is bound to.
Further, the switch-based security admission method further includes:
after receiving the unique identifier of the front-end device connected to a port, sent when the switch port detects an abnormality in the monitoring state, checking whether the detected abnormality is within an allowed range; if it is, not raising an alarm; otherwise, sending the alarm to the management platform.
The invention also provides a switch-based security access device, applied to the management platform of a video surveillance system, comprising the following components:
a binding module, used to write the information of the device hosting the management platform into the switch after the switch connects to the management platform;
a switching module, used to send the switch an operation instruction to switch to the monitoring mode and, after the switch verifies the instruction against the recorded information of the device hosting the management platform, to switch the switch to the monitoring mode, whereupon each switch port to which a front-end device is connected is switched to the monitoring state and each port with no front-end device connected is switched to the disabled state;
a monitoring module, used to receive the unique identifier of the front-end device connected to a switch port, as sent by the switch in monitoring mode, and to compare it with the unique identifier stored locally for that switch port: if they are consistent, no action is taken; if they are inconsistent, the switch port is set to the forbidden state and an alarm is triggered; and if no unique identifier is stored locally for that switch port, the front-end device's unique identifier is stored as the locally stored identifier for that port;
and an alarm processing module, used to confirm, when the alarm is received, whether the front-end device connected to the switch port is safe and, once its safety is confirmed, to set the port to allow the front-end device access and switch the switch port back to the monitoring state.
Further, the monitoring module is further configured to:
receive the unique identifier of the front-end device connected to a port, sent when the switch port detects an abnormality in the monitoring state, set the switch port to the forbidden state, and trigger an alarm;
and the alarm processing module is further configured to confirm, when an alarm is received, whether the front-end device connected to the switch port is safe and, once its safety is determined, to set the port to allow the front-end device access and switch the switch port back to the monitoring state.
Further, the switching module is further configured to:
send the switch an operation instruction to switch to the normal mode, clear the unique identifier corresponding to each switch port, switch the switch to the normal mode, and switch each switch port to the enabled state.
Furthermore, after the switch connects to the management platform, the binding module writes the information of the device hosting the management platform into the switch and then binds the management platform with the switch;
wherein the binding of the management platform and the switch comprises:
strong binding, in which the switch is bound to the device hosting the management platform and cannot be bound by any other management platform unless the management platform actively deletes the switch or modifies its binding mode;
or weak binding, in which the switch is bound to the device hosting the management platform but responds to a binding request from another management platform, and is bound by it, when the switch is not bound by another management platform or fails to communicate with the management platform it is bound to.
Further, the monitoring module is further configured to:
after receiving the unique identifier of the front-end device connected to a port, sent when the switch port detects an abnormality in the monitoring state, check whether the detected abnormality is within an allowed range; if it is, raise no alarm; otherwise, send the alarm to the management platform.
The invention provides a switch-based security access method and device that ensure the security of connected devices through a port-state switching mechanism on the switch. The switch has two working modes, a normal mode and a monitoring mode, to suit different security situations, and two binding modes between the switch and the management platform raise the security level between them. In the invention the switch is connected to the management platform as a monitored device, which makes the switch easier to monitor and manage. The invention judges whether a connected device is abnormal by monitoring the switch's port state, the connected device's identifier, the bandwidth and so on, which effectively reduces the pollution of the network environment by abnormal messages, reduces invalid traffic and cleans up the network environment.
Drawings
Fig. 1 is a schematic diagram of a video surveillance system according to an embodiment of the present invention;
fig. 2 is a flowchart of a switch-based security admission method according to an embodiment of the present invention;
fig. 3 is a schematic diagram illustrating the change of port states on a switch according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention are further described in detail below with reference to the drawings and examples, which should not be construed as limiting the present invention.
As shown in fig. 1, a typical video surveillance system includes a video surveillance management platform (hereinafter the management platform), front-end devices, and a switch that connects the front-end devices to the system. The management platform may be a dedicated management server, a video management server of the surveillance system, a Network Video Recorder (NVR), or similar. The general idea of the scheme is that the switch the front-end device connects to interacts with the management platform to control the secure access of the front-end device to the management platform.
As shown in fig. 2, a switch-based security access method applied to the management platform of a video surveillance system includes:
Step S1: after the switch connects to the management platform, write the information of the device hosting the management platform into the switch.
The switch in this embodiment registers with the management platform and sends keep-alives, so that the platform can ensure the switch is normally online; that is, the switch is managed as a monitored device in the video surveillance system. After the switch connects to the management platform, the information of the device hosting the management platform is written into the switch so that the switch can verify that information when the platform operates it in the later steps.
In addition, in this embodiment a binding mode must be set when the management platform adds the switch device. The binding mode is either strong binding or weak binding; the default is weak binding.
Strong binding: after the switch connects to the management platform, the information of the device hosting the platform (for example, its MAC address) is written into the switch, and unless the platform actively deletes the switch or modifies its binding mode, no other management platform can add (bind) the switch.
Weak binding: after the switch connects to the management platform, the information of the device hosting the platform (for example, its MAC address) is written into the switch and keep-alives proceed normally. If a binding request from another management platform arrives later, the switch checks whether it is already bound and whether the bound platform can still communicate normally; if the switch is not bound by another platform, or communication with the bound platform has failed, the switch responds to the request and can be bound by the other platform.
In this embodiment the MAC address of the device hosting the management platform is written into the switch; alternatively the IP address and name of that device, or a unique string generated by a hash algorithm from the MAC and IP address, may be used.
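The strong/weak binding decision described above, written out as an added example (not the patent's or the vendor's code). The class and method names, the keep-alive probe passed as `reachable`, and the use of SHA-256 for the hashed MAC+IP identifier are assumptions; the page names no algorithm.

```python
import hashlib
from typing import Callable, Optional

BINDING_STRONG = "strong"
BINDING_WEAK = "weak"      # the page's default binding mode


def platform_identifier(mac: str, ip: str) -> str:
    """Identifier of the device hosting the management platform.

    The page allows the MAC address alone, the IP address plus name, or a
    unique string hashed from MAC and IP; this implements the last option.
    SHA-256 is an assumption: the page does not name a hash algorithm.
    """
    return hashlib.sha256(f"{mac.lower()}|{ip}".encode()).hexdigest()


class SwitchBinding:
    """Switch-side record of which management platform is allowed to operate it."""

    def __init__(self, mode: str = BINDING_WEAK) -> None:
        if mode not in (BINDING_STRONG, BINDING_WEAK):
            raise ValueError(f"unknown binding mode: {mode}")
        self.mode = mode
        self.bound_platform: Optional[str] = None   # identifier written at bind time

    def handle_bind_request(self, requester: str,
                            reachable: Callable[[str], bool]) -> bool:
        """Decide whether to honour a bind request; True means now bound to requester.

        `reachable` is a hypothetical keep-alive probe returning False when the
        switch has lost communication with the given platform.
        """
        if self.bound_platform is None or self.bound_platform == requester:
            self.bound_platform = requester      # not yet bound, or re-bind by owner
            return True
        if self.mode == BINDING_STRONG:
            return False    # only the bound platform may delete or modify the binding
        if not reachable(self.bound_platform):
            self.bound_platform = requester      # weak binding: bound platform is down
            return True
        return False        # weak binding, but the bound platform still communicates

    def unbind(self, requester: str) -> bool:
        """Active deletion of the binding; permitted only to the bound platform."""
        if self.bound_platform is not None and self.bound_platform == requester:
            self.bound_platform = None
            return True
        return False

    def change_mode(self, requester: str, mode: str) -> bool:
        """Only the bound platform may modify the binding mode."""
        if self.bound_platform != requester or mode not in (BINDING_STRONG, BINDING_WEAK):
            return False
        self.mode = mode
        return True

    def verify_requester(self, requester: str) -> bool:
        """Check the switch makes before acting on a mode-switch instruction (step S2)."""
        return self.bound_platform is not None and self.bound_platform == requester
```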
Step S2: send the switch an operation instruction to switch to the monitoring mode. After the switch verifies the instruction against the recorded information of the device hosting the management platform, it switches to the monitoring mode; each port with a front-end device connected is switched to the monitoring state, and each port without one is switched to the disabled state.
The switch in this embodiment has two working modes, a normal mode and a monitoring mode, and defaults to the normal mode when connected to the management platform; in the normal mode it performs no security detection on the front-end devices connected under its ports. The normal mode suits stages with low security requirements or project maintenance, when devices may frequently connect to the platform: if the monitoring mode were active, the platform would receive many alarm messages that its administrator would have to confirm one by one, a large workload that hinders maintenance. Therefore, when the management platform adds a switch, the default is the normal mode, in which all ports are in the enabled state and the switch does not check connected devices.
Once all devices have connected to the management platform and the system is in a stable stage, the platform administrator can operate the switch through the platform to start the monitoring mode.
When the switch receives a request from the management platform to switch to the monitoring mode, it judges the validity of the request (for example, checking by MAC address whether the requester is the management platform the switch is currently connected to; a user name or password may also be verified), and if verification passes it starts the monitoring mode and monitors its ports for exceptions. The ports of the switch in this embodiment have three states: Disable (disabled), Enable (enabled) and Monitor (monitoring). Disable and Enable are the two commonly used states; this embodiment adds the Monitor state. Ports with a front-end device connected are switched to the monitoring state, and ports without one are switched to the forbidden state.
In the monitoring mode, the monitored conditions include, but are not limited to, port Up/Down events, changes in bandwidth occupation, changes in device features (for example, the MAC address) and changes in message type.
Step S3: receive the unique identifier of the front-end device connected to a switch port, as sent by the switch in monitoring mode, and compare it with the unique identifier stored locally for that switch port: if they are consistent, take no action; if they are inconsistent, set the switch port to the disabled state and trigger an alarm; and if no unique identifier is stored locally for that switch port, store the front-end device's unique identifier as the locally stored identifier for that port.
This embodiment sets ports with no front-end device connected to the Disable state, i.e. closes them. If a front-end device is connected to such a port, it cannot communicate normally; only when an administrator manually sets the port to the Enable state on the management platform can the connected device access the network and communicate.
When the switch enters the monitoring mode, the Monitor state is set on each port that has a front-end device connected. The switch then pushes the unique identifier of the front-end device on that port to the management platform. On receiving the message, the platform compares it with the unique identifier stored locally for that switch port, i.e. the identifier of the front-end device that the platform has recorded for that port. Note that the unique identifier of the front-end device may be its MAC address, or a unique string computed by a hash algorithm over the MAC address and the device name; anything that represents the front-end device will do, and the invention is not limited in this respect. The MAC address is used as the example below.
If the MAC address of the front-end device connected to the switch port matches the MAC address the management platform has stored for that port, the platform does not modify the port's MAC information, and the access is considered secure.
If they do not match but the MAC address stored for the port is empty, i.e. no MAC address exists for that port, the front-end device's MAC address is written into the platform's record for that switch port. In this way the management platform records the MAC address for each switch port when the monitoring mode is started.
If the MAC addresses do not match and the MAC address stored for the port is not null, the MAC address of the connected front-end device has changed, and the following processing is required:
first, the switch port is set to the Disable state (the disabled state) and an alarm is triggered;
i.e. the port is prohibited from accessing any device and an alarm is issued.
For example, when a port is in the Monitor state and the front-end device connected to it is replaced, the device's MAC address is reported to the management platform and the port is set to the Disable state. If the MAC address of the newly connected device differs from the one originally pushed to the platform, and the platform confirms that the originally pushed device is secure, the switch writes the MAC address confirmed by the platform into the corresponding port and sets the port back to the Monitor state. At the next inspection the switch will detect the replaced device, the abnormality detection process repeats, and the new MAC address is pushed to the platform for re-confirmation. If the platform determines that the original device is not secure, the port stays in the Disable state, the newly connected device cannot be detected, and the detection process can only be re-triggered by the platform administrator manually setting the port to the Enable state.
If the MAC address of the newly connected device is the same as the one originally pushed to the platform, and the platform confirms that the originally pushed MAC address is secure, the switch cannot detect the replaced device. This situation can only be guarded against manually, or by adding further verification information so that it is avoided; for example, the reported information may include other data such as the CPU or chip in addition to the MAC address.
Step S4: when the alarm is received, determine whether the front-end device connected to the switch port is safe; once its safety is determined, set the port to allow the device access and switch the port back to the monitoring state.
After receiving the alarm, the management platform confirms whether the front-end device connected to the switch port is safe.
If the platform confirms that the connected front-end device is safe, the switch port is switched back to the Monitor state; if it confirms that the device is not secure, the port remains in the disabled state.
In another embodiment of the invention, the switch-based security admission method further includes:
receiving the MAC address of the front-end device connected to a port, sent when the switch port detects an abnormality in the monitoring state, setting the switch port to the forbidden state, and triggering an alarm;
when the alarm is received, confirming whether the front-end device connected to the switch port is safe and, once its safety is determined, setting the port to allow the front-end device access and switching the switch port back to the monitoring state.
When a switch port is in the Monitor state and detects an abnormality (the monitored conditions include, but are not limited to, port Up/Down events, changes in bandwidth occupation, changes in device features such as the MAC address, and changes in message type), the MAC address of the front-end device connected under that port is pushed to the management platform, which determines whether it is safe. The port is set to the Disable state at this time; when the platform confirms that the connected front-end device is secure, it switches the port back to the Monitor state, and if it confirms that the device is not safe, the port remains in the disabled state. If the port must be used for a device normally, an administrator must manually set it to the Enable state on the management platform.
For example, after the monitoring mode is started, when the MAC address of the device on a port changes (the source MAC address of messages received on the port is extracted and compared with the MAC address stored by the switch), when the port state changes Up/Down (for example, the device is powered off or a network cable is plugged in or unplugged), when the bandwidth occupied by the port changes suddenly (for example, a code stream suddenly increases or decreases), or when the type of messages on the port changes, the switch pushes an alarm to the management platform and the platform administrator determines whether the device is safe. At the same time the switch sets the port on which the abnormality was detected to the Disable state, so that it cannot communicate normally, and only when the administrator confirms that the port is safe does the switch switch it from the Disable state back to the Monitor state.
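The platform-side logic of steps S2 to S4 and of the abnormality-report embodiment above, modelled as an added example (not the patent's or the vendor's code) together with the Disable/Enable/Monitor port states. Names are hypothetical, the identifiers are constructed MAC addresses, and two points the page leaves open are assumptions marked in the comments: that only a port in the Monitor state reports abnormalities, and that the identifier an administrator confirms as safe becomes the port's stored identifier.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class PortState(Enum):
    DISABLE = "Disable"   # port closed: no connected device can communicate
    ENABLE = "Enable"     # ordinary forwarding, no admission check
    MONITOR = "Monitor"   # forwarding while the switch watches for abnormalities


@dataclass
class ManagementPlatform:
    known: Dict[str, str] = field(default_factory=dict)        # port -> stored identifier
    ports: Dict[str, PortState] = field(default_factory=dict)  # port -> state mirrored from switch
    alarms: Dict[str, str] = field(default_factory=dict)       # port -> identifier reported with alarm
    log: List[str] = field(default_factory=list)

    def enter_monitoring_mode(self, connected: Dict[str, bool]) -> None:
        """Step S2: ports with a front-end device go to Monitor, the rest to Disable."""
        for port, has_device in connected.items():
            self.ports[port] = PortState.MONITOR if has_device else PortState.DISABLE

    def on_identifier_report(self, port: str, identifier: str) -> str:
        """Step S3: identifier pushed by the switch for a port in monitoring mode."""
        stored = self.known.get(port)
        if stored is None:
            self.known[port] = identifier        # nothing stored yet: learn it
            return "stored"
        if stored == identifier:
            return "ok"                          # consistent: no operation
        self._disable_and_alarm(port, identifier, "identifier changed")
        return "alarm"

    def on_anomaly_report(self, port: str, identifier: str, reason: str) -> str:
        """Abnormality (Up/Down, bandwidth, message type, ...) seen on a watched port."""
        if self.ports.get(port) != PortState.MONITOR:
            return "ignored"   # assumption: only ports in Monitor state are watched
        self._disable_and_alarm(port, identifier, reason)
        return "alarm"

    def _disable_and_alarm(self, port: str, identifier: str, reason: str) -> None:
        self.ports[port] = PortState.DISABLE      # port closed until the alarm is handled
        self.alarms[port] = identifier
        self.log.append(f"ALARM {port}: {reason}; reported identifier {identifier}")

    def confirm_alarm(self, port: str, safe: bool) -> PortState:
        """Step S4: the administrator decides whether the device on the port is safe."""
        reported = self.alarms.pop(port, None)
        if reported is None:
            raise ValueError(f"no pending alarm for {port}")
        if safe:
            # Assumption: the confirmed identifier becomes the stored one, so the
            # next report from the same device compares as consistent.
            self.known[port] = reported
            self.ports[port] = PortState.MONITOR
        else:
            self.ports[port] = PortState.DISABLE  # stays closed until manually enabled
        return self.ports[port]

    def enable_port(self, port: str) -> PortState:
        """Manual Enable by the administrator, the only way out of an unsafe verdict."""
        self.ports[port] = PortState.ENABLE
        return self.ports[port]

    def enter_normal_mode(self) -> None:
        """Back to normal mode: clear every stored identifier and open all ports."""
        self.known.clear()
        self.alarms.clear()
        for port in self.ports:
            self.ports[port] = PortState.ENABLE
```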
The switch of the embodiment supports setting a monitoring mode or a normal mode for a specified port individually, wherein the port comprises a physical port or a logical port (such as VLAN, aggregation, and the like).
In order to reduce the number of times of abnormal alarm of the switch, the security access method based on the switch in the technical scheme further comprises the following steps:
after receiving the MAC address of the front-end equipment accessed to the port sent when the switch port monitors the abnormity in the monitoring state, checking whether the monitored abnormity is in an allowable range, and when the monitored abnormity is in the allowable range, not alarming. Otherwise, if the monitored abnormality is not in the allowable range, the alarm is sent to the management platform.
For example, for the case of sudden bandwidth occupation by a port, the following strategy may be adopted: detecting an interactive message of a front-end device and a management platform, aiming at the characteristics of the video monitoring field, detecting a message of a specific protocol (SIP or SOAP), analyzing an INVITE message in the SIP message and the SDP content in the SOAP message, wherein the SDP carries the code stream size of a live service or a playback service of a current request, comparing the data with the bandwidth tested by an actual port, if the data is within a specified threshold range (for example, fluctuation is within a 10% range), determining that the flow is not abnormal, not alarming, otherwise, determining that the flow is abnormal, and alarming and pushing the alarm to the management platform.
And judging whether the protocol type of the message in the port belongs to the protocol message in the monitoring field or not, and if a large amount of messages in the non-monitoring field appear, considering that the access equipment is abnormal. For example, during a live period, most of the traffic of the port should belong to RTP messages, and if a large amount of non-RTP messages occupy the bandwidth at this time, it is considered that the access device is abnormal, and an alarm should be given to the management platform.
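The two tolerance checks described above (measured port bandwidth against the code stream announced in the SDP, with the 10% fluctuation range, and the share of non-RTP traffic during a live session), written out as an added Python example that is not part of the patent. The SDP body is constructed, and the 20% non-RTP share, the `PortSample` counters and the function names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed SDP body of the kind carried in a SIP INVITE or SOAP request.
# The b=AS: line announces the application-specific bandwidth in kbit/s,
# i.e. the code-stream size of the live/playback session being requested.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=- 0 0 IN IP4 192.0.2.10\r\n"      # RFC 5737 documentation address
    "s=live\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "b=AS:4096\r\n"
    "m=video 5004 RTP/AVP 96\r\n"
    "a=rtpmap:96 H264/90000\r\n"
)


def requested_bitrate_kbps(sdp: str) -> int:
    """Return the b=AS bandwidth (kbit/s) announced in an SDP body, 0 if absent."""
    match = re.search(r"^b=AS:(\d+)\s*$", sdp, re.MULTILINE)
    return int(match.group(1)) if match else 0


def bandwidth_anomalous(requested_kbps: int, measured_kbps: int,
                        tolerance: float = 0.10) -> bool:
    """True when the bandwidth measured on the port deviates from the requested
    code stream by more than the tolerance (10% in the description)."""
    if requested_kbps <= 0:
        return True          # no announced stream can justify the traffic
    return abs(measured_kbps - requested_kbps) / requested_kbps > tolerance


def protocol_mix_anomalous(rtp_bytes: int, other_bytes: int,
                           max_non_rtp_share: float = 0.20) -> bool:
    """During a live session most bytes should be RTP; flag the port when the
    non-RTP share exceeds the threshold (the 20% figure is an assumption)."""
    total = rtp_bytes + other_bytes
    if total == 0:
        return False
    return other_bytes / total > max_non_rtp_share


@dataclass
class PortSample:
    """Counters the switch collected on one port over the measurement window."""
    measured_kbps: int
    rtp_bytes: int
    other_bytes: int


def evaluate(sdp: str, sample: PortSample) -> list:
    """Return the anomaly reasons for the port; an empty list means no alarm."""
    reasons = []
    if bandwidth_anomalous(requested_bitrate_kbps(sdp), sample.measured_kbps):
        reasons.append("bandwidth")
    if protocol_mix_anomalous(sample.rtp_bytes, sample.other_bytes):
        reasons.append("protocol-mix")
    return reasons


if __name__ == "__main__":
    # A 4300 kbit/s reading against a 4096 kbit/s request is within 10%: no alarm.
    print(evaluate(SAMPLE_SDP, PortSample(4300, 800_000, 100_000)))
    # Twice the announced rate and mostly non-RTP bytes: both checks fire.
    print(evaluate(SAMPLE_SDP, PortSample(9000, 100_000, 900_000)))
```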
In another embodiment of the present invention, an operation instruction for switching to the normal mode is sent to the switch, the MAC address corresponding to each port of the switch is cleared, the switch is switched to the normal mode, and each port of the switch is switched to the Enable state.
When the switch switches from the monitoring mode back to the normal mode, the management platform clears the MAC address stored for each port of the switch. At the same time, when the switch receives the command to switch to the normal mode issued by the management platform, it switches the ports in the Disable state and the Monitor state to the Enable state, and the switch returns to the working mode of an ordinary switch.
As shown in Fig. 3, the switching of the port states of the switch proceeds as follows:
① The switch is set from normal mode to Monitor mode by manual operation on the management platform; at this time, if a front-end device is connected to the port, the port is switched from the Enable state to the Monitor state.
② The monitoring state of the port is cancelled by manual operation on the management platform, and the port is switched from the Monitor state to the Enable state.
③ When a port in the Monitor state detects an abnormality, the switch switches the port from the Monitor state to the Disable state and pushes an abnormality alarm to the management platform; at this time, the device connected to the port cannot communicate normally.
④ When the administrator confirms that the switch port is safe, the management platform instructs the switch to switch the port from the Disable state to the Monitor state; at this time, the device connected to the port can communicate normally.
⑤ When the management platform manually sets the switch port state to Enable, or when the switch switches from Monitor mode to normal mode, the port switches from the Monitor state to the Enable state; at this time, the port allows the device normal access.
⑥ When the management platform manually sets the switch port state to Disable, or when the switch switches from normal mode to Monitor mode and no device is connected to the port, the port switches to the Disable state, in which it does not allow a device to access.
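A platform-side model of transitions ① to ⑥ together with the identifier logic of the monitoring module (learn when nothing is stored, no operation when consistent, Disable plus alarm when inconsistent, clear on return to normal mode), added here as a Python example that is not code from the patent. The class and method names are assumptions, as is the bookkeeping that adopts the alarming MAC as the new bound identifier once the administrator confirms the port safe.

```python
from enum import Enum


class Mode(Enum):
    NORMAL = "normal"
    MONITOR = "monitor"


class PortState(Enum):
    ENABLE = "Enable"
    MONITOR = "Monitor"
    DISABLE = "Disable"


class ManagementPlatform:
    """Platform-side model: switch mode, per-port state, MAC bound per port."""

    def __init__(self, ports):
        self.mode = Mode.NORMAL
        self.state = {p: PortState.ENABLE for p in ports}
        self.bound_mac = {}   # port -> MAC learned while in monitor mode
        self.pending = {}     # port -> MAC that raised the alarm (assumed bookkeeping)
        self.alarms = []      # (port, reason) pushed to the administrator

    def enter_monitor_mode(self, attached):
        """Transitions 1 and 6: ports with a device go to Monitor, empty ports to Disable."""
        self.mode = Mode.MONITOR
        for p in self.state:
            self.state[p] = PortState.MONITOR if p in attached else PortState.DISABLE

    def enter_normal_mode(self):
        """Transition 5 plus clearing of every stored identifier."""
        self.mode = Mode.NORMAL
        self.bound_mac.clear()
        self.pending.clear()
        for p in self.state:
            self.state[p] = PortState.ENABLE

    def report_mac(self, port, mac):
        """Identifier check on a report from a monitored port."""
        if self.state[port] is not PortState.MONITOR:
            return "ignored"
        known = self.bound_mac.get(port)
        if known is None:
            self.bound_mac[port] = mac          # no stored identifier: learn it
            return "learned"
        if known == mac:
            return "ok"                         # consistent: no operation
        self.pending[port] = mac                # inconsistent: transition 3
        return self.report_anomaly(port, f"mac changed {known} -> {mac}")

    def report_anomaly(self, port, reason):
        """Transition 3: any anomaly on a Monitor port -> Disable and alarm."""
        if self.state[port] is not PortState.MONITOR:
            return "ignored"
        self.state[port] = PortState.DISABLE
        self.alarms.append((port, reason))
        return "alarm"

    def confirm_safe(self, port):
        """Transition 4: administrator confirms; the reported MAC becomes the bound one."""
        if self.mode is Mode.MONITOR and self.state[port] is PortState.DISABLE:
            if port in self.pending:
                self.bound_mac[port] = self.pending.pop(port)
            self.state[port] = PortState.MONITOR

    def cancel_monitoring(self, port):
        """Transition 2: monitoring cancelled for one port -> Enable."""
        if self.state[port] is PortState.MONITOR:
            self.state[port] = PortState.ENABLE

    def disable_port(self, port):
        """Transition 6 (manual): administrator forces a port to Disable."""
        self.state[port] = PortState.DISABLE
```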
In addition, because the switch is connected to the management platform as a monitoring device, the management platform can issue security strategies specific to the video monitoring field to the switch, which improves the accuracy of the switch's security access control.
Corresponding to the above method, an embodiment of a switch-based security access device is also provided, which is applied to the management platform of a video monitoring system, where the switch-based security access device comprises:
a binding module, used for writing the information of the device where the management platform is located into the switch after the switch is connected to the management platform;
a switching module, used for sending an operation instruction for switching to the monitoring mode to the switch and, after the switch has passed verification using the recorded information of the device where the management platform is located, switching the switch to the monitoring mode, at which time each port of the switch that has a front-end device connected is switched to the monitoring state and each port without a front-end device is switched to the disabled state;
a monitoring module, used for receiving the unique identifier of the front-end device connected to a switch port, which is sent by the switch in the monitoring mode, and comparing it with the unique identifier locally stored for that switch port: if they are consistent, no operation is performed; if they are inconsistent, the switch port is set to the disabled state and an alarm is triggered; and if no unique identifier is stored locally for the switch port, the unique identifier of the front-end device is stored as the locally stored identifier for that port;
and an alarm processing module, used for confirming, when an alarm is received, whether the front-end device connected to the switch port is safe, setting the port to allow the front-end device access once safety is confirmed, and switching the switch port back to the monitoring state.
In this embodiment, the monitoring module is further configured to:
receive the unique identifier of the front-end device connected to a port, which the switch sends when a port in the monitoring state detects an abnormality, set the switch port to the disabled state, and trigger an alarm;
and the alarm processing module is further configured to, when an alarm is received, confirm whether the front-end device connected to the switch port is safe, set the port to allow the front-end device access once safety is confirmed, and switch the switch port back to the monitoring state.
The switching module in this embodiment is further configured to:
send an operation instruction for switching to the normal mode to the switch, clear the unique identifier corresponding to each port of the switch, switch the switch to the normal mode, and switch each port of the switch to the enabled state.
In this embodiment, after the switch is connected to the management platform, the binding module writes the information of the device where the management platform is located into the switch, and thereby binds the management platform to the switch;
wherein the binding of the management platform and the switch comprises:
strong binding, in which the switch is bound to the device where the management platform is located and cannot be bound by any other management platform unless this management platform actively deletes or modifies the binding mode of the switch;
or weak binding, in which the switch responds to a binding request from another management platform, and is bound by it, when the switch is not bound by any other management platform or cannot communicate with the management platform to which it is bound.
In this embodiment, the monitoring module is further configured to:
after receiving the unique identifier of the front-end device connected to the port, which the switch sends when a port in the monitoring state detects an abnormality, check whether the detected abnormality is within an allowed range and, when it is, give no alarm; otherwise, if the detected abnormality is not within the allowable range, the alarm is sent to the management platform.
The above embodiments only illustrate the technical solution of the present invention and do not limit it; those skilled in the art can make various corresponding changes and modifications according to the present invention without departing from its spirit and essence, and these corresponding changes and modifications should fall within the protection scope of the appended claims.

Claims (10)

1. A switch-based security access method, applied to a management platform of a video monitoring system, characterized in that the switch-based security access method comprises the following steps:
after the switch is connected to the management platform, writing the information of the device where the management platform is located into the switch;
sending an operation instruction for switching to a monitoring mode to the switch and, after the switch has passed verification using the recorded information of the device where the management platform is located, switching the switch to the monitoring mode, at which time each port of the switch that has a front-end device connected is switched to a monitoring state and each port of the switch without a front-end device is switched to a disabled state;
receiving a unique identifier of the front-end device connected to a switch port, which is sent by the switch in the monitoring mode, and comparing it with the unique identifier locally stored for that switch port: if they are consistent, performing no operation; if they are inconsistent, setting the switch port to the disabled state and triggering an alarm; and if no unique identifier is stored locally for the switch port, storing the unique identifier of the front-end device as the locally stored identifier for that switch port;
when the alarm is received, confirming whether the front-end device connected to the switch port is safe, setting the port to allow the front-end device access once safety is determined, and switching the switch port back to the monitoring state.
2. The switch-based security access method of claim 1, further comprising:
receiving the unique identifier of the front-end device connected to a port, which the switch sends when a port in the monitoring state detects an abnormality, setting the switch port to the disabled state, and triggering an alarm;
when the alarm is received, confirming whether the front-end device connected to the switch port is safe, setting the port to allow the front-end device access once safety is determined, and switching the switch port back to the monitoring state.
3. The switch-based security access method of claim 1, further comprising:
sending an operation instruction for switching to a normal mode to the switch, clearing the unique identifier corresponding to each port of the switch, switching the switch to the normal mode, and switching each port of the switch to an enabled state.
4. The switch-based security access method according to claim 1, characterized in that after the switch is connected to the management platform, the information of the device where the management platform is located is written into the switch, and the management platform is thereby bound to the switch;
wherein the binding of the management platform and the switch comprises:
strong binding, in which the switch is bound to the device where the management platform is located and cannot be bound by any other management platform unless this management platform actively deletes or modifies the binding mode of the switch;
or weak binding, in which the switch responds to a binding request from another management platform, and is bound by it, when the switch is not bound by any other management platform or cannot communicate with the management platform to which it is bound.
5. The switch-based security access method of claim 2, further comprising:
after receiving the unique identifier of the front-end device connected to the port, which the switch sends when a port in the monitoring state detects an abnormality, checking whether the detected abnormality is within an allowed range and, when it is, giving no alarm; otherwise, if the detected abnormality is not within the allowable range, the alarm is sent to the management platform.
6. A switch-based security access device, applied to a management platform of a video monitoring system, characterized in that the switch-based security access device comprises:
a binding module, used for writing the information of the device where the management platform is located into the switch after the switch is connected to the management platform;
a switching module, used for sending an operation instruction for switching to a monitoring mode to the switch and, after the switch has passed verification using the recorded information of the device where the management platform is located, switching the switch to the monitoring mode, at which time each port of the switch that has a front-end device connected is switched to a monitoring state and each port without a front-end device is switched to a disabled state;
a monitoring module, used for receiving the unique identifier of the front-end device connected to a switch port, which is sent by the switch in the monitoring mode, and comparing it with the unique identifier locally stored for that switch port: if they are consistent, no operation is performed; if they are inconsistent, the switch port is set to the disabled state and an alarm is triggered; and if no unique identifier is stored locally for the switch port, the unique identifier of the front-end device is stored as the locally stored identifier for that port;
and an alarm processing module, used for confirming, when an alarm is received, whether the front-end device connected to the switch port is safe, setting the port to allow the front-end device access once safety is confirmed, and switching the switch port back to the monitoring state.
7. The switch-based security access device of claim 6, wherein the monitoring module is further configured to:
receive the unique identifier of the front-end device connected to a port, which the switch sends when a port in the monitoring state detects an abnormality, set the switch port to the disabled state, and trigger an alarm;
and the alarm processing module is further configured to, when an alarm is received, confirm whether the front-end device connected to the switch port is safe, set the port to allow the front-end device access once safety is determined, and switch the switch port back to the monitoring state.
8. The switch-based security access device of claim 6, wherein the switching module is further configured to:
send an operation instruction for switching to a normal mode to the switch, clear the unique identifier corresponding to each port of the switch, switch the switch to the normal mode, and switch each port of the switch to an enabled state.
9. The switch-based security access device of claim 6, wherein the binding module further binds the management platform to the switch after writing the information of the device where the management platform is located into the switch once the switch is connected to the management platform;
wherein the binding of the management platform and the switch comprises:
strong binding, in which the switch is bound to the device where the management platform is located and cannot be bound by any other management platform unless this management platform actively deletes or modifies the binding mode of the switch;
or weak binding, in which the switch responds to a binding request from another management platform, and is bound by it, when the switch is not bound by any other management platform or cannot communicate with the management platform to which it is bound.
10. The switch-based security access device of claim 7, wherein the monitoring module is further configured to:
after receiving the unique identifier of the front-end device connected to the port, which the switch sends when a port in the monitoring state detects an abnormality, check whether the detected abnormality is within an allowed range and, when it is, give no alarm; otherwise, if the detected abnormality is not within the allowable range, the alarm is sent to the management platform.
CN201811542703.1A 2018-12-17 2018-12-17 Switch-based security access method and device Active CN111327577B (en)

Publications (2)

Publication Number Publication Date
CN111327577A true CN111327577A (en) 2020-06-23
CN111327577B CN111327577B (en) 2022-10-04