CN111556024A - Reverse access control system and method - Google Patents

Info

Publication number: CN111556024A
Application number: CN202010245751.5A
Other versions: CN111556024B (en)
Original language: Chinese (zh)
Legal status: Granted, Active
Prior art keywords: unit, client, server, network, validity check
Inventors: 薛惠锋, 张文涛, 杨海, 杨轩, 韩磊, 郭莉丽, 边悦
Current assignee: China Aerospace Academy Of Systems Science And Engineering
Original assignee: China Aerospace Academy Of Systems Science And Engineering

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention relates to a reverse access control method: S1, the application server installs the server-side system according to the type of its operating system; S2, the client registration unit extracts the serial number of the server CPU and injects the unique ID of the server into the client system to complete the registration of the client system; S3, the computer terminal is made a computer terminal in the authorized network; S4, the interrupt strategy setting unit sets an interrupt strategy and sends the interrupt strategy information to the interrupt strategy receiving and pushing unit; S5, the information is pushed to the client-side interrupt strategy receiving unit; S6, the client interrupt strategy receiving unit receives the interrupt strategy information; and S7, the client daemon module carries out the validity check. The invention verifies the client daemon module installed in the computer terminal against a server that is not easy to forge, thereby preventing a computer terminal in the authorized network from connecting, without authorization, to external information equipment or to another network through its network interface.

Description

Reverse access control system and method
Technical Field
The invention relates to the technical field of information security of computer terminals in a network, in particular to a reverse access control system and a reverse access control method.
Background
With the rapid development of information technology, governments and enterprises rely more and more on information systems to handle their work. To guarantee the information security of the organization, some governments and enterprises build local area networks that are physically isolated from the outside, so that the internal information held in the internal information system is not leaked. However, because of environmental and human factors, information in the authorized network may still be transferred to an external network through an abnormal network channel, causing great loss to the government or enterprise.
To avoid this situation, organizations generally adopt access control technology to control the network connections of their devices. At present, access control technology at home and abroad mainly comprises network admission control technology and network addressing technology. Network admission control technology comprises MAC address binding, 802.1X access control, DHCP address allocation and the like, and is mainly used to verify the legality of a computer terminal accessing an authorized network and to prevent external equipment from accessing the authorized network without authorization.
Network addressing technology is used to monitor and block the network access behaviour of equipment: the client system initiates a verification towards a fixed network address on the Internet, and if the verification succeeds, which means the terminal can reach the Internet, an alarm is generated and the connection between the computer terminal and the network is blocked, so that sensitive information in a computer terminal of the authorized network is prevented from leaking through the Internet. However, network admission control technology and network addressing technology have the following problems:
(1) the above technologies cannot prevent a computer terminal in an authorized network from connecting to unauthorized devices through a network interface;
(2) network admission control techniques do not prevent computer terminals in an authorized network from accessing other networks;
(3) when network addressing technology is used to block network connections, if the fixed network address is leaked, a user can actively block the connection between the computer terminal and that address, and the technology can then no longer block the connection between the computer terminal and the Internet;
(4) network addressing techniques do not prevent devices within an authorized network from accessing other networks that are not interconnected with the internet.
Disclosure of Invention
The technical problem solved by the invention is as follows: the system and method overcome the defects of the prior art by verifying the client daemon module installed in the computer terminal against a server that is not easy to forge, preventing a computer terminal in the authorized network from connecting without authorization to external information equipment or a network through its network interface and thereby leaking sensitive information, and protecting the security of the sensitive information.
The technical scheme of the invention is as follows:
a reverse access control system comprising: the system comprises a server-side system and a client-side system, wherein the server-side system comprises a server-side system management module and a server-side daemon module, and the client-side system comprises a client-side daemon module and a client-side tray module;
the server side system management module comprises a client registration unit, an interruption strategy setting unit, an audit log viewing unit and a server side certificate management unit, and is used for an administrator to perform client registration, interruption strategy setting, audit log viewing and server side certificate management;
a client registration unit: after the application server installs a server side system, an administrator extracts the CPU serial number information of the application server in a client registration unit, generates a server unique ID through coding, and injects the server unique ID into the client side system;
an interruption policy setting unit: the administrator sets an interruption strategy;
an audit log viewing unit: the administrator audits the condition that the computer terminal illegally accesses the unauthorized information equipment or the unauthorized network, whether the computer terminal successfully executes the interrupt strategy or not, and whether the configuration information of the computer terminal has abnormal log information or not;
a server-side certificate management unit: the administrator inputs the registration certificate of the server end to ensure the normal operation of a reverse access control system;
the server-side daemon module comprises an interruption strategy receiving and pushing unit, a server-side validity checking unit and an audit log access unit, and is used for interruption strategy receiving and pushing, validity checking and audit log access;
the interruption strategy receiving and pushing unit: receiving interrupt strategy information sent by an interrupt strategy setting unit, and pushing the interrupt strategy information to a client interrupt strategy receiving unit;
a server side validity checking unit: receiving a legality checking request sent by a client legality checking unit, and sending a legality checking result to the client legality checking unit;
an audit log access unit: receiving audit log data sent by a client audit log receiving unit and storing the audit log data in a database; receiving a log query request sent by the audit log checking unit, and providing audit log data to the audit log checking unit according to the request content;
the client daemon module comprises a client interrupt strategy receiving unit, a client validity checking unit, a network card data acquisition unit, a network connection control unit, a client audit log receiving unit and a process protection unit, and is used for interrupt strategy receiving, validity checking, network card data acquisition, network connection control, audit log receiving and process protection;
the client side interruption strategy receiving unit: receiving the interrupt strategy information sent by the interrupt strategy receiving and pushing unit, and storing the interrupt strategy information into the computer terminal;
a client validity checking unit: sending a validity check request to a server-side validity check unit, and receiving a validity check result sent by the server-side validity check unit;
a network card data acquisition unit: when the validity check of the client daemon module fails, uploading the IP address and MAC address information of the data packets flowing through the network card to the client audit log receiving unit, and storing it locally to form a local audit log;
a network connection control unit: executing the interruption strategy according to the interruption strategy received by the client interruption strategy receiving unit and the validity check result received by the client validity checking unit;
a client audit log receiving unit: recording that the computer terminal has interrupted the network card driver and restarted it to carry out a validity check, storing the MAC address information flowing through the network card locally while the computer terminal is in an unauthorized network or connected to unauthorized information equipment, and sending the locally stored audit log information to the audit log access unit once the computer terminal is judged to be in the authorized network again;
a process protection unit: hiding the client daemon from the task manager to prevent an attacker from stopping the client daemon, which would cause the client system to lose the capability to judge whether the computer terminal is in an authorized network;
the client tray module comprises an exit protection unit, a client audit log checking unit and a configuration change unit and is used for exit protection, audit log checking and configuration change;
an exit protection unit: only the administrator can modify the exit password of the client system, and the administrator password must be entered to exit the client system;
a client audit log checking unit: the locally stored interruption strategy information and local audit log can be checked, and when the computer terminal was in an unauthorized network environment can be determined from the local audit log;
a configuration changing unit: the administrator may modify the configuration information of the client system in the configuration change unit.
Further, the interruption strategy set by the administrator in the interruption strategy setting unit includes: a fixed frequency at which the validity check is continued when the validity check succeeds, and a fixed frequency for restarting the network card together with a fixed frequency at which the validity check is continued when the validity check fails.
Furthermore, in the audit log viewing unit, the administrator, together with the automatic analysis of the audit log unit, determines which computer terminals are in an unauthorized network; the content of an audit record includes time, place, type, subject, object, operation content and success or failure information, and audit log retrieval is performed on it.
A reverse access control method comprises the following steps:
S1, the application server installs the server-side system according to the type of the application server operating system;
S2, the client registration unit extracts the serial number of the server CPU, generates the unique ID of the server through coding, and injects the unique ID of the server into the client system to complete the registration of the client system;
S3, a client system containing the unique ID of the server is installed on the computer terminal, making it a computer terminal in the authorized network;
S4, the interrupt strategy setting unit sets an interrupt strategy and sends the interrupt strategy information to the interrupt strategy receiving and pushing unit;
S5, after receiving the interrupt strategy information, the interrupt strategy receiving and pushing unit pushes it to the client interrupt strategy receiving unit;
S6, the client interrupt strategy receiving unit receives the interrupt strategy information;
and S7, the client daemon module carries out the validity check.
Further, in S4, the interruption strategy includes a strategy for validity check success and a strategy for validity check failure: if the validity check succeeds, the client-side validity check unit continues to initiate validity checks to the server-side validity check unit at a fixed frequency of once every 10 to 30 seconds; if the validity check fails, the network connection control unit closes the network card and restarts it at a fixed frequency of once every 10 to 30 seconds, and at each restart the client validity check unit initiates a validity check request to the server validity check unit.
Further, in S7, the validity checking process is as follows:
S7.1, the client validity checking unit sends a validity checking request to the server validity checking unit;
S7.2, the server-side validity checking unit responds to the request of the client-side validity checking unit and sends a validity checking result to the client-side validity checking unit;
S7.3, the client-side validity checking unit receives the validity checking result sent by the server-side validity checking unit;
S7.4, the network connection control unit executes the interrupt strategy according to the interrupt strategy received by the client interrupt strategy receiving unit and the validity check result received by the client validity checking unit, and acquires information about the opposite network or computer using the network card data acquisition unit;
and S7.5, the client system and the server system continue checking at a fixed frequency of once every 10 to 30 seconds to verify whether they are connected within the authorized network.
Further, in S7, after the client daemon module performs the validity check, if the server side validity check unit returns a correct unique server ID to the client side validity check unit, the client side validity check unit determines that the computer terminal is in an authorized network environment, and continuously initiates the validity check to the server side validity check unit according to a fixed frequency of once every 10 seconds to 30 seconds.
Further, in S7, if the client validity check unit cannot receive the validity check result, or the server cannot respond to the validity check request of the client validity check unit, or the server validity check unit returns an incorrect server unique ID to the client validity check unit, the client validity check unit of the computer terminal determines that the computer terminal is in an interrupted authorized network or an unauthorized network, the network card data acquisition unit acquires and stores the IP address and MAC address information of the computer of the other party in the client, and the network connection control unit closes the network card.
Further, after the network card is closed, the network connection control unit tries to restart the network card according to a fixed frequency of once every 10 seconds to 30 seconds, and when trying every time, the client side validity check unit initiates a validity check request to the server side validity check unit, and the network card data acquisition unit is used for acquiring IP addresses and MAC address information of the opposite side computer and storing the information in the client side.
Further, when the client-side validity checking unit again receives the correct unique server ID from the server-side validity checking unit, the client-side audit log receiving unit sends the log information generated while the computer terminal was in the interrupted authorized network or in an unauthorized network to the audit log access unit, and the administrator can check through the audit log checking unit whether a computer terminal in the authorized network was connected to external information equipment or a network through the network without authorization.
Compared with the prior art, the invention has the beneficial effects that:
(1) the invention adopts the client daemon module installed in the computer terminal to carry out verification with the server which is not easy to forge, and can effectively prevent the information equipment in the authorized network from accessing other networks or connecting unauthorized equipment through the network interface;
(2) the invention adopts a perfect audit log function, can effectively audit whether the information equipment in the authorized network has the violation condition of connecting unauthorized equipment through a network interface, and has deterrent effect on information equipment responsible persons and users in the authorized network;
(3) the invention adopts the client daemon module installed on the computer terminal, does not depend on the network, and the user can not avoid the validity check by the method of blocking the network connection;
(4) the invention adopts the process protection function to prevent an attacker from stopping the client daemon process so as to cause the client system to lose the capability of judging whether the computer terminal is in an authorized network;
(5) the unique ID of the server contained in the client system is generated after being coded by the CPU serial number of the server, and the CPU serial number is not easy to forge, so that a user in an authorized network is prevented from trying to forge the server by installing an illegally obtained server end system in an unauthorized network and unauthorized equipment;
(6) the invention prevents the computer terminal in the authorized network from being connected to the external information equipment or the network through the network interface in an unauthorized way from all aspects, and protects the security of sensitive information in the computer terminal in the authorized network; meanwhile, due to the complete audit record function, a strong deterrent force is formed for responsible persons and users of the computer terminal in the authorization network, and the use of the computer terminal in the authorization network is standardized.
Drawings
Fig. 1 is a functional schematic diagram of a reverse access control system of the present invention;
fig. 2 is a schematic diagram illustrating a process of validity check of a reverse access control method according to the present invention;
fig. 3 is a flowchart illustrating a reverse access control method according to an embodiment of the present invention.
Detailed Description
The invention is further illustrated by the following examples.
The reverse access control technology is realized mainly by: installing a server-side system on a server in the authorized network; generating a client-side system that contains the serial number information of the server CPU; installing the client-side system on an authorized computer terminal; and having the client-side system installed on the authorized computer terminal carry out validity checks with the server side through the network card, verifying whether the network environment in which the client-side system is installed is the authorized network environment and whether the connected equipment is authorized equipment. If the client system judges that the connected network or equipment is an unauthorized network or unauthorized equipment, the network connection between the computer terminal and that network or equipment is disconnected, protecting the information security of the computer terminal.
As shown in fig. 1, the reverse access control system includes a server-side system and a client-side system: the server-side system comprises a server-side system management module (client registration unit, interruption strategy setting unit, audit log viewing unit and server-side certificate management unit) and a server-side daemon module (interruption strategy receiving and pushing unit, server-side validity checking unit and audit log access unit); the client-side system comprises a client daemon module (client interrupt strategy receiving unit, client validity checking unit, network card data acquisition unit, network connection control unit, client audit log receiving unit and process protection unit) and a client tray module (exit protection unit, client audit log checking unit and configuration change unit). The function of each module and unit is as described in the Disclosure of the Invention above.
The interruption strategy set by the administrator in the interruption strategy setting unit includes: a fixed frequency at which the validity check is continued when the validity check succeeds, and a fixed frequency for restarting the network card together with a fixed frequency at which the validity check is continued when the validity check fails.
In the audit log viewing unit, the administrator, together with the unit's automatic analysis, determines which computer terminals are in an unauthorized network; the content of an audit record comprises time, place, type, subject, object, operation content and success or failure information, and the audit log can be retrieved.
The following embodiment addresses the case in which network admission control technology cannot prevent a computer terminal in the authorized network from accessing other networks and unauthorized devices, and network addressing technology cannot prevent a device in the authorized network from connecting to other networks and unauthorized devices that are not interconnected with the Internet.
Example 1
A reverse access control method, the steps of which are as follows, as shown in fig. 3:
S1, the application server installs the server-side system according to the type of the application server operating system;
S2, the client registration unit extracts the serial number of the server CPU, generates the unique ID of the server through coding, and injects the unique ID of the server into the installation program of the client system to complete the registration of the client system;
S3, a client system containing the unique ID of the server is installed on the computer terminal, making it a computer terminal in the authorized network;
S4, the interrupt strategy setting unit sets an interrupt strategy and sends the interrupt strategy information to the interrupt strategy receiving and pushing unit;
the interruption strategy comprises a strategy of successful validity check and failed validity check; if the validity check is successful, the client validity check unit continuously initiates validity check to the server validity check unit according to the fixed frequency of once every 10 seconds; if the validity check fails, the network connection control unit closes the network card, restarts the network card according to the fixed frequency once every 10 seconds, and the client-side validity check unit initiates a validity check request to the server-side validity check unit;
S5, after receiving the interrupt strategy information, the interrupt strategy receiving and pushing unit pushes it to the client interrupt strategy receiving unit;
S6, the client interrupt strategy receiving unit receives the interrupt strategy information;
S7, the client daemon module performs the validity check; the validity check process is as follows, as shown in fig. 2:
S7.1, the client validity checking unit sends a validity checking request to the server validity checking unit;
S7.2, the server-side validity checking unit responds to the request of the client-side validity checking unit and sends a validity checking result to the client-side validity checking unit;
S7.3, the client-side validity checking unit receives the validity checking result sent by the server-side validity checking unit;
S7.4, the network connection control unit executes the interrupt strategy according to the interrupt strategy received by the client interrupt strategy receiving unit and the validity check result received by the client validity checking unit, and acquires information about the opposite network or computer using the network card data acquisition unit;
S7.5, the client system and the server system continue checking at a fixed frequency of once every 10 seconds to verify whether they are connected within the authorized network;
(a) if the server side validity checking unit returns a correct server unique ID to the client side validity checking unit, the client side validity checking unit judges that the computer terminal is in an authorized network environment, and continuously initiates validity checking to the server side validity checking unit according to the fixed frequency of once every 10 seconds;
(b) if the client side validity checking unit cannot receive the validity checking result, or the server cannot respond to the validity checking request of the client side validity checking unit, or the server side validity checking unit returns an incorrect server unique ID to the client side validity checking unit, the client side validity checking unit of the computer terminal judges that the computer terminal is in an interrupted authorized network or an unauthorized network, the network card data acquisition unit acquires IP (Internet protocol) address and MAC (media access control) address information of the opposite side computer and stores the IP address and MAC address information in the client side, and the network connection control unit closes the network card;
after the network card is closed, the network connection control unit tries to restart the network card according to a fixed frequency of once in 10 seconds, and when trying each time, the client side validity check unit initiates a validity check request to the server side validity check unit, and the network card data acquisition unit is used for acquiring IP addresses and MAC address information of a computer of the other side and storing the information in the client side;
the client-side audit log receiving unit sends log information generated when the computer terminal is in the interrupted authorized network or in the unauthorized network to the audit log access unit, and an administrator can check whether the computer terminal in the authorized network is connected to external information equipment or the network through network unauthorized through the audit log checking unit.
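The client-side loop described in S7 (periodic check, outcomes (a) and (b), network card closed and retried, peer IP/MAC captured into a local audit log that is shipped to the server once the correct ID is seen again) can be simulated as a small state machine. The code below is an added illustration written for this page, not the patent's own implementation; the server unique ID, the peer addresses, the sequence of server replies and the event names are constructed for the simulation, and the 10-second intervals are modelled as a simulated clock rather than real sleeps.

```python
"""Simulation of the client daemon's validity-check loop and interruption policy.

Constructed example, not the patent's code. The server unique ID, the peer
addresses and the sequence of server replies are constructed inputs.
"""
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple


@dataclass
class InterruptionPolicy:
    """Interruption policy as set by the administrator in step S4."""
    check_interval_s: int = 10     # re-check frequency while the check succeeds
    restart_interval_s: int = 10   # network card restart / re-check frequency after a failure


@dataclass
class AuditRecord:
    """One entry of the local audit log kept on the client (event names are constructed)."""
    t: int                         # simulated clock, seconds since start
    event: str
    peer_ip: Optional[str] = None
    peer_mac: Optional[str] = None


@dataclass
class ClientDaemon:
    expected_id: str               # server unique ID injected at registration (S2)
    policy: InterruptionPolicy
    nic_up: bool = True
    authorized: bool = True
    clock: int = 0
    local_log: List[AuditRecord] = field(default_factory=list)
    # records that reached the server's audit log access unit
    uploaded: List[AuditRecord] = field(default_factory=list)

    def validity_check(self, reply: Optional[str], peer_ip: str, peer_mac: str) -> str:
        """One check cycle (S7.1-S7.4). `reply` is the server's answer, None if none arrived."""
        # Outcome (a): the correct server unique ID means the authorized network.
        # Constant-time comparison so the check itself leaks nothing about the ID.
        if reply is not None and hmac.compare_digest(reply.encode(), self.expected_id.encode()):
            if not self.authorized:
                # Back in the authorized network: ship the log collected while interrupted.
                self.local_log.append(AuditRecord(self.clock, "nic_restarted_check_ok"))
                self.uploaded.extend(self.local_log)
                self.local_log.clear()
            self.authorized = True
            self.nic_up = True
            self.clock += self.policy.check_interval_s
            return "authorized"

        # Outcome (b): no result, no response, or a wrong ID. The network card data
        # acquisition unit records which peer the terminal was talking to.
        self.local_log.append(AuditRecord(self.clock, "check_failed", peer_ip, peer_mac))
        if self.nic_up:
            self.nic_up = False
            self.local_log.append(AuditRecord(self.clock, "nic_closed"))
        else:
            # Each later cycle is a restart attempt at the policy's restart frequency.
            self.local_log.append(AuditRecord(self.clock, "nic_restart_attempt_failed"))
        self.authorized = False
        self.clock += self.policy.restart_interval_s
        return "interrupted"


def simulate(daemon: ClientDaemon, replies: Sequence[Tuple[Optional[str], str, str]]) -> List[str]:
    """Run consecutive check cycles; each item is (server reply, peer IP, peer MAC)."""
    return [daemon.validity_check(reply, ip, mac) for reply, ip, mac in replies]


if __name__ == "__main__":
    GOOD_ID = "0123456789abcdef0123456789abcdef"   # constructed stand-in for the server unique ID
    d = ClientDaemon(expected_id=GOOD_ID, policy=InterruptionPolicy())
    states = simulate(d, [
        (GOOD_ID, "10.0.0.5", "aa:bb:cc:00:00:05"),        # authorized network
        (None, "192.168.1.7", "aa:bb:cc:11:22:33"),        # no reply: terminal moved to a foreign LAN
        ("deadbeef", "192.168.1.7", "aa:bb:cc:11:22:33"),  # something answers, but with a wrong ID
        (GOOD_ID, "10.0.0.5", "aa:bb:cc:00:00:05"),        # back in the authorized network
    ])
    print(states, d.nic_up, [r.event for r in d.uploaded])
```

The point a practitioner should take from the simulation is the third cycle: a host on the foreign network that answers the check request is treated exactly like silence unless it can produce the expected ID, which is why the ID derivation from the server's CPU serial carries the scheme's anti-forgery claim.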
The invention uses the client daemon module installed on the computer terminal to perform verification against a server that is difficult to forge, and can effectively prevent information equipment in the authorized network from accessing other networks or connecting to unauthorized equipment through the network interface;
the invention provides a complete audit log function, which can effectively audit whether information equipment in the authorized network has violated the rules by connecting to unauthorized equipment through the network interface, and which acts as a deterrent to the persons responsible for, and the users of, information equipment in the authorized network;
the invention uses a client daemon module installed on the computer terminal and does not depend on the network, so a user cannot evade the validity check by blocking the network connection;
the invention uses the process protection function to prevent an attacker from stopping the client daemon process and thereby causing the client system to lose the ability to determine whether the computer terminal is in an authorized network;
the server unique ID contained in the client system is generated by encoding the CPU serial number of the server, and the CPU serial number is difficult to forge, which prevents a user in the authorized network from attempting to forge the server by installing an illegally obtained server-side system in an unauthorized network or on unauthorized equipment;
the invention comprehensively prevents computer terminals in the authorized network from connecting without authorization to external information equipment or networks through the network interface, and protects the security of sensitive information on those computer terminals; at the same time, because of the complete audit record function, it forms a strong deterrent for the persons responsible for, and the users of, computer terminals in the authorized network and regulates how those terminals are used.
Although the present invention has been described with reference to preferred embodiments, this is not intended to limit the present invention; those skilled in the art can make variations and modifications of the present invention, using the methods and technical contents disclosed above, without departing from its spirit and scope.

Claims (10)

1. A reverse access control system, comprising a server-side system and a client-side system, wherein the server-side system comprises a server-side system management module and a server-side daemon module, and the client-side system comprises a client daemon module and a client tray module;
the server-side system management module comprises a client registration unit, an interruption policy setting unit, an audit log viewing unit and a server-side certificate management unit, and is used by the administrator for client registration, interruption policy setting, audit log viewing and server-side certificate management;
the client registration unit: after the server-side system has been installed on the application server, the administrator extracts the CPU serial number of the application server in the client registration unit, generates the server unique ID by encoding it, and injects the server unique ID into the client system;
the interruption policy setting unit: the administrator sets the interruption policy;
the audit log viewing unit: the administrator audits cases in which a computer terminal illegally accessed unauthorized information equipment or an unauthorized network, whether the computer terminal successfully executed the interruption policy, and whether the computer terminal's configuration information shows abnormal log information;
the server-side certificate management unit: the administrator enters the registration certificate of the server side to ensure normal operation of the reverse access control system;
the server-side daemon module comprises an interruption policy receiving and pushing unit, a server-side validity check unit and an audit log access unit, and is used for interruption policy receiving and pushing, validity checking and audit log access;
the interruption policy receiving and pushing unit: receives the interruption policy information sent by the interruption policy setting unit and pushes it to the client interruption policy receiving unit;
the server-side validity check unit: receives the validity check request sent by the client validity check unit and sends the validity check result back to it;
the audit log access unit: receives the audit log data sent by the client audit log receiving unit and stores it in a database; receives log query requests sent by the audit log viewing unit and provides audit log data to that unit according to the request content;
the client daemon module comprises a client interruption policy receiving unit, a client validity check unit, a network card data acquisition unit, a network connection control unit, a client audit log receiving unit and a process protection unit, and is used for interruption policy receiving, validity checking, network card data acquisition, network connection control, audit log receiving and process protection;
the client interruption policy receiving unit: receives the interruption policy information sent by the interruption policy receiving and pushing unit and stores it on the computer terminal;
the client validity check unit: sends a validity check request to the server-side validity check unit and receives the validity check result it sends back;
the network card data acquisition unit: when the validity check of the client daemon module fails, uploads the IP address and MAC address information of the data packets flowing through the network card to the client audit log receiving unit and stores it locally to form a local audit log;
the network connection control unit: executes the interruption policy according to the interruption policy received by the client interruption policy receiving unit and the validity check result received by the client validity check unit;
the client audit log receiving unit: receives the information that the computer terminal interrupted the network card driver and that it restarted the network card driver to perform the validity check, stores the MAC address information flowing through the network card locally when the computer terminal is in an unauthorized network or connected to unauthorized information equipment, and sends the locally stored audit log information to the audit log access unit once the computer terminal has been determined to be in the authorized network again;
the process protection unit: hides the client daemon process in the task manager to prevent an attacker from stopping the client daemon process and thereby causing the client system to lose the ability to determine whether the computer terminal is in an authorized network;
the client tray module comprises an exit protection unit, a client audit log viewing unit and a configuration change unit, and is used for exit protection, audit log viewing and configuration changes;
the exit protection unit: only the administrator can modify the exit password of the client system, and the administrator password must be entered to exit the client system;
the client audit log viewing unit: allows viewing the locally stored interruption policy information and the local audit log, from which it can be determined when the computer terminal was in an unauthorized network environment;
the configuration change unit: the administrator may modify the configuration information of the client system in the configuration change unit.
2. The reverse access control system of claim 1, wherein the administrator setting the interruption policy in the interruption policy setting unit comprises: setting a fixed frequency at which the validity check is repeated while it succeeds, and setting a fixed frequency for restarting the network card and a fixed frequency for repeating the validity check after it fails.
3. The reverse access control system of claim 1, wherein in the audit log viewing unit, which computer terminals are in an unauthorized network is additionally analyzed automatically, the content of an audit record includes time, place, type, subject, object, operation content and success or failure information, and the administrator performs audit log retrieval.
4. A reverse access control method, characterized in that it comprises the following steps:
S1, installing on the application server a server-side system corresponding to the operating system type of the application server;
S2, the client registration unit extracts the server CPU serial number, generates the server unique ID by encoding it, and injects the server unique ID into the client system to complete registration of the client system;
S3, installing the client system containing the server unique ID on the computer terminal, which makes that terminal a computer terminal of the authorized network;
S4, the interruption policy setting unit sets an interruption policy and sends the interruption policy information to the interruption policy receiving and pushing unit;
S5, after receiving the interruption policy information, the interruption policy receiving and pushing unit pushes it to the client interruption policy receiving unit;
S6, the client interruption policy receiving unit receives the interruption policy information;
S7, the client daemon module performs the validity check.
5. The reverse access control method according to claim 4, wherein in S4 the interruption policy comprises a policy for a successful validity check and a policy for a failed validity check: if the validity check succeeds, the client validity check unit keeps initiating validity checks to the server-side validity check unit at a fixed frequency of once every 10 to 30 seconds; if the validity check fails, the network connection control unit closes the network card, restarts it at a fixed frequency of once every 10 to 30 seconds, and the client validity check unit initiates a validity check request to the server-side validity check unit.
6. The reverse access control method of claim 4, wherein in S7 the validity check procedure is as follows:
S7.1, the client validity check unit sends a validity check request to the server-side validity check unit;
S7.2, the server-side validity check unit responds to the request and sends a validity check result to the client validity check unit;
S7.3, the client validity check unit receives the validity check result sent by the server-side validity check unit;
S7.4, the network connection control unit executes the interruption policy according to the interruption policy received by the client interruption policy receiving unit and the validity check result received by the client validity check unit, and uses the network card data acquisition unit to acquire information about the peer network or computer;
S7.5, the client system and the server system keep checking at a fixed frequency of once every 10 to 30 seconds whether they are connected within the authorized network.
7. The reverse access control method of claim 4, wherein in S7, after the client daemon module performs the validity check, if the server-side validity check unit returns the correct server unique ID to the client validity check unit, the client validity check unit determines that the computer terminal is in an authorized network environment and keeps initiating validity checks to the server-side validity check unit at a fixed frequency of once every 10 to 30 seconds.
8. The reverse access control method according to claim 4, wherein in S7, if the client validity check unit receives no validity check result, or the server does not respond to the validity check request of the client validity check unit, or the server-side validity check unit returns an incorrect server unique ID to the client validity check unit, the client validity check unit of the computer terminal determines that the computer terminal is in an interrupted authorized network or in an unauthorized network, the network card data acquisition unit acquires the IP address and MAC address information of the peer computer and stores it on the client, and the network connection control unit closes the network card.
9. The reverse access control method according to claim 8, wherein after the network card is closed, the network connection control unit attempts to restart the network card at a fixed frequency of once every 10 to 30 seconds; on each attempt, the client validity check unit initiates a validity check request to the server-side validity check unit, and the network card data acquisition unit acquires the IP address and MAC address information of the peer computer and stores it on the client.
10. The reverse access control method according to claim 9, wherein when the client validity check unit again receives the correct server unique ID sent by the server-side validity check unit, the client audit log receiving unit sends the log information generated while the computer terminal was in the interrupted authorized network or in the unauthorized network to the audit log access unit, and the administrator can check in the audit log viewing unit whether a computer terminal in the authorized network has connected without authorization to external information equipment or an external network through the network.
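The server side of the claims (registration of the server unique ID from the CPU serial number in S2, the server-side validity check unit's reply in S7.2, and the audit log access and viewing units with the record fields of claim 3) is illustrated by the following added example. It is written for this page and is not the patent's code: the claims only say the ID is generated by "encoding" the CPU serial number, so deriving it with a keyed HMAC-SHA256 is this example's assumption, and the CPU serial, registration key, terminal names and audit records are constructed.

```python
"""Server-side pieces of the scheme: ID registration, validity-check reply, audit log store.

Constructed example, not the patent's code. The HMAC-based ID derivation is an
assumption (the patent says only that the CPU serial is "encoded"); the CPU serial,
registration key and audit records below are constructed demonstration data.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, List, Set


def server_unique_id(cpu_serial: str, registration_key: bytes) -> str:
    """Encode the CPU serial into the server unique ID (assumption: HMAC-SHA256).

    The key is this example's addition: it means a party who merely learns the
    serial number still cannot recompute the ID without the registration secret.
    """
    return hmac.new(registration_key, cpu_serial.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class AuditRecord:
    """Audit record content as listed in claim 3 (field values are constructed)."""
    time: str
    place: str          # where the terminal sits, e.g. a lab name
    type: str           # event type, e.g. "unauthorized_network", "policy_executed"
    subject: str        # the computer terminal
    object: str         # the peer IP/MAC it was talking to
    content: str        # operation content
    success: bool       # success or failure information


class ServerDaemon:
    """Server-side daemon: validity check unit plus audit log access unit."""

    def __init__(self, cpu_serial: str, registration_key: bytes) -> None:
        self._unique_id = server_unique_id(cpu_serial, registration_key)
        self._records: List[AuditRecord] = []

    def registration_payload(self) -> str:
        """Client registration unit (S2): the value injected into the client package."""
        return self._unique_id

    def validity_check(self) -> str:
        """Server-side validity check unit (S7.2): reply with the server unique ID."""
        return self._unique_id

    def ingest(self, records: Iterable[AuditRecord]) -> int:
        """Audit log access unit: store what the client audit log receiving unit sends."""
        batch = list(records)
        self._records.extend(batch)
        return len(batch)

    def query(self, **filters) -> List[AuditRecord]:
        """Audit log viewing unit: retrieval by any of the claim 3 record fields."""
        return [r for r in self._records
                if all(getattr(r, k) == v for k, v in filters.items())]

    def terminals_in_unauthorized_network(self) -> Set[str]:
        """Automatic analysis from claim 3: which terminals were seen in an unauthorized network."""
        return {r.subject for r in self._records if r.type == "unauthorized_network"}


def client_side_accepts(reply: str, expected_id: str) -> bool:
    """What the client validity check unit does with the reply (constant-time comparison)."""
    return hmac.compare_digest(reply.encode(), expected_id.encode())


# Constructed demonstration data: a registered server and a log batch from one terminal.
SERVER = ServerDaemon(cpu_serial="CPU-SERIAL-CONSTRUCTED-0001", registration_key=b"demo-registration-key")
CONSTRUCTED_LOG = [
    AuditRecord("2020-03-31T09:00:10", "lab-A", "unauthorized_network", "TERM-07",
                "192.168.1.7/aa:bb:cc:11:22:33", "validity check failed, network card closed", True),
    AuditRecord("2020-03-31T09:00:20", "lab-A", "policy_executed", "TERM-07",
                "192.168.1.7/aa:bb:cc:11:22:33", "network card restart attempt, check failed", True),
    AuditRecord("2020-03-31T09:00:30", "lab-A", "policy_executed", "TERM-07",
                "10.0.0.5/aa:bb:cc:00:00:05", "network card restarted, check succeeded", True),
    AuditRecord("2020-03-31T09:05:00", "lab-B", "config_change", "TERM-12",
                "-", "administrator changed check interval", True),
]

if __name__ == "__main__":
    SERVER.ingest(CONSTRUCTED_LOG)
    print(client_side_accepts(SERVER.validity_check(), SERVER.registration_payload()))
    print(SERVER.terminals_in_unauthorized_network())
```

Usage: a second `ServerDaemon` built from a different CPU serial (the "illegally obtained server-side system" of the description installed on other hardware) produces a different ID, so `client_side_accepts` rejects its reply; the check that the page leaves implicit is that the comparison on the client is done in constant time.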
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010245751.5A CN111556024B (en) 2020-03-31 2020-03-31 Reverse access control system and method
Publications (2)

Publication Number Publication Date
CN111556024A true CN111556024A (en) 2020-08-18
CN111556024B CN111556024B (en) 2022-07-05

Family

ID=72003784

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant