CN111901147B - Network access control method and device - Google Patents


Info

Publication number: CN111901147B
Authority: CN (China)
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202010600445.9A
Other languages: Chinese (zh)
Other versions: CN111901147A (en)
Inventors: 孙瑜, 夏攀, 何成成, 王大海, 程彦军, 王颖
Current Assignee: BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD
Application filed by BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD
Priority to CN202010600445.9A
Publication of CN111901147A
Application granted
Publication of CN111901147B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08: Configuration management of networks or network elements
    • H04L41/0889: Techniques to speed-up the configuration process
    • H04L41/0803: Configuration setting
    • H04L41/084: Configuration by using pre-existing information, e.g. using templates or copying from other elements
    • H04L41/0846: Configuration by using pre-existing information, e.g. using templates or copying from other elements based on copy from other elements
    • H04L41/0893: Assignment of logical groups to network elements

Abstract

The application relates to a method and a device for controlling network access. The method comprises the following steps: receiving a policy acquisition instruction, wherein the policy acquisition instruction instructs a first terminal to acquire a target network policy from a trusted management server, the target network policy is used for controlling first network data on the first terminal, the target network policy is generated through a first policy learning process executed on a second terminal, and the first policy learning process is a process of learning a first access log on the second terminal; obtaining the target network policy from the trusted management server in response to the policy acquisition instruction; sending policy validation information to the trusted management server, wherein the policy validation information indicates that the target network policy is confirmed to be valid on the first terminal; and executing the target network policy to control the first network data on the first terminal. The method and the device solve the technical problem of low configuration efficiency of network access policies in the related art.

Description

Network access control method and device
Technical Field
The present application relates to the field of computers, and in particular, to a method and an apparatus for controlling network access.
Background
In the field of trusted computing, a trusted management server configures a control policy for each terminal to control access operations on network data on the terminal. In the current configuration mode, the trusted management server selects the configured content item by item for each terminal separately, and the configuration efficiency of this mode is low.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The application provides a method and a device for controlling network access, which are used for at least solving the technical problem of low configuration efficiency of a network access policy in the related art.
According to an aspect of an embodiment of the present application, there is provided a method for controlling network access, including:
receiving a policy acquisition instruction, wherein the policy acquisition instruction is used for instructing a first terminal to acquire a target network policy from a trusted management server, the target network policy is used for controlling first network data on the first terminal, the target network policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log on the second terminal, and the first access log comprises a control operation on second network data on the second terminal;
obtaining the target network policy from the trusted management server in response to the policy acquisition instruction;
sending policy validation information to the trusted management server, wherein the policy validation information is used for indicating that the target network policy is confirmed to be valid on the first terminal;
and executing the target network policy to control the first network data on the first terminal.
Optionally, the controlling first network data on the first terminal using the target network policy includes:
intercepting the first network data on the first terminal;
determining whether the first terminal is in a policy learning mode;
under the condition that the first terminal is determined to be in the policy learning mode, matching the first network data with the target network policy to obtain a first matching result;
generating a second access log corresponding to the first matching result;
and reporting the second access log and releasing the first network data.
Optionally, determining whether the first terminal is in a policy learning mode comprises:
receiving a start instruction, wherein the start instruction is used for instructing the first terminal to start a second policy learning process;
starting the second policy learning process in response to the start instruction, and determining that the first terminal is in the policy learning mode;
and in the case of receiving a shutdown indication, shutting down the second policy learning process and determining that the first terminal is not in the policy learning mode.
Optionally, after determining whether the first terminal is in a policy learning mode, the method further comprises:
under the condition that the first terminal is not in the policy learning mode, matching the first network data with the target network policy to obtain a second matching result;
and controlling the first network data according to the second matching result.
Optionally, matching the first network data with the target network policy to obtain the second matching result includes:
detecting whether a first transmission address list included in the target network policy includes a transmission address of the first network data, wherein the first transmission address list is used for recording a transmission address allowing transmission of the first network data;
under the condition that the transmission address of the first network data is not included in the first transmission address list, detecting whether a transmission address of the first network data is included in a second transmission address list included in the target network policy, wherein the second transmission address list is used for recording the transmission address of the first network data which is not allowed to be transmitted;
under the condition that the first transmission address list includes the transmission address of the first network data or the second transmission address list does not include the transmission address of the first network data, detecting whether a transmission port list included in the target network policy includes a transmission port of the first network data, wherein the transmission port list is used for recording the transmission port which is not allowed to transmit the first network data;
setting a data identifier of the first network data as a target identifier under the condition that the second transmission address list comprises the transmission address of the first network data or the transmission port list comprises the transmission port of the first network data, wherein the target identifier is used for indicating to intercept the first network data;
determining not to set the data identifier of the first network data in the case that the transmission port of the first network data is not included in the transmission port list.
Optionally, the detecting whether the transmission port list includes the transmission port of the first network data includes:
detecting a transmission protocol of the first network data;
determining a transmission mode of the first network data under the condition that the transmission protocol of the first network data is a first transmission protocol, wherein the transmission mode is one of sending the first network data and receiving the first network data;
determining not to set a data identifier of the first network data under the condition that the transmission mode of the first network data is to send the first network data;
and detecting whether a transmission port of the first network data is included in the transmission port list or not when the transmission protocol of the first network data is a second transmission protocol or the transmission mode of the first network data is to receive the first network data.
Optionally, the controlling the first network data according to the second matching result includes:
determining whether the target identifier is set by the first network data;
intercepting the first network data and generating an audit log under the condition that the target identifier is determined to be set in the first network data; reporting the audit log to the trusted management server;
and in the case that the first network data is determined not to set the target identifier, releasing the first network data.
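The matching steps above (whitelist, then blacklist, then the port list with its protocol and direction refinement) and the control step that follows them, written out as a runnable example. This is added illustration, not the patent's own code: the field names, the `INTERCEPT` marker standing in for the "target identifier", the protocol labels `proto-first` and `proto-second` (the patent does not say which protocols its first and second transmission protocols are, so the exempt protocol is a policy parameter) and the sample policy are all assumptions.

```python
# Added example, not the patent's own code: the address and port matching that
# produces the "second matching result", the protocol/direction refinement of
# the port check, and the control step that intercepts or releases the data.
# Field names, the protocol labels and the sample policy are assumptions.
from dataclasses import dataclass
from typing import Optional

INTERCEPT = "intercept"   # the patent's "target identifier": marks data to be intercepted


@dataclass(frozen=True)
class Policy:
    allowed_addrs: frozenset     # first transmission address list (addresses allowed)
    denied_addrs: frozenset      # second transmission address list (addresses not allowed)
    denied_ports: frozenset      # transmission port list (ports not allowed)
    # The patent names only "a first transmission protocol" whose outbound data
    # skips the port check; which protocol that is is not stated, so it is a parameter.
    send_exempt_protocols: frozenset = frozenset()


@dataclass
class NetworkData:
    addr: str
    port: int
    protocol: str
    direction: str                      # "send" or "receive"
    identifier: Optional[str] = None    # data identifier, set to INTERCEPT on match


def port_denied(policy, data):
    """Port check with the protocol/direction refinement described in the patent."""
    if data.protocol in policy.send_exempt_protocols and data.direction == "send":
        return False                    # sending on the first protocol: identifier not set
    return data.port in policy.denied_ports


def match(policy, data):
    """Sets data.identifier and returns True when the data is to be intercepted."""
    if data.addr not in policy.allowed_addrs and data.addr in policy.denied_addrs:
        data.identifier = INTERCEPT     # blacklisted and not whitelisted
        return True
    # Whitelisted, or simply not blacklisted: the port list is still consulted.
    if port_denied(policy, data):
        data.identifier = INTERCEPT
        return True
    data.identifier = None
    return False


def control(policy, data, audit_log, report):
    """Intercepts data marked INTERCEPT, logs and reports it; releases the rest."""
    match(policy, data)
    if data.identifier == INTERCEPT:
        entry = {"addr": data.addr, "port": data.port, "protocol": data.protocol,
                 "direction": data.direction, "action": "intercept"}
        audit_log.append(entry)
        report(entry)     # audit log reported to the trusted management server
        return "intercepted"
    return "released"


# Constructed sample policy (not from the patent).
SAMPLE_POLICY = Policy(
    allowed_addrs=frozenset({"10.0.0.5"}),
    denied_addrs=frozenset({"203.0.113.9"}),
    denied_ports=frozenset({23, 4444}),
    send_exempt_protocols=frozenset({"proto-first"}),
)


def demo():
    """Runs constructed sample traffic through the policy; returns the decisions."""
    audit, reported = [], []
    samples = [
        NetworkData("203.0.113.9", 80, "proto-second", "receive"),   # blacklisted address
        NetworkData("10.0.0.5", 23, "proto-second", "receive"),      # whitelisted, but denied port
        NetworkData("198.51.100.7", 23, "proto-first", "send"),      # outbound on first protocol
        NetworkData("198.51.100.7", 23, "proto-first", "receive"),   # inbound on first protocol
        NetworkData("198.51.100.7", 443, "proto-second", "send"),    # nothing matches
    ]
    decisions = [control(SAMPLE_POLICY, d, audit, reported.append) for d in samples]
    return decisions, len(audit), len(reported)


if __name__ == "__main__":
    print(demo())
```

Two details of the patent's ordering are worth noticing in the code: a whitelisted address is not exempt from the port list (the port check runs whether the address was found in the first list or merely absent from the second), and the outbound exemption applies only to the first transmission protocol, so inbound data on that protocol and all data on the second protocol still go through the port list.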
Optionally, before receiving the policy acquisition indication, the method further includes:
determining, by the trusted management server, one or more terminals, wherein the one or more terminals include the first terminal;
determining a policy template corresponding to the one or more terminals through the trusted management server;
generating, by the trusted management server, the target network policy using the policy template;
sending, by the trusted management server, the policy acquisition indication to the one or more terminals, where the policy acquisition indication is used to instruct the one or more terminals to acquire the target network policy from the trusted management server.
According to another aspect of the embodiments of the present application, there is also provided a network access control apparatus, including:
a receiving module, configured to receive a policy acquisition instruction, where the policy acquisition instruction is used to instruct a first terminal to acquire a target network policy from a trusted management server, where the target network policy is used to control first network data on the first terminal, and the target network policy is generated through a first policy learning process executed on a second terminal, where the first policy learning process is a process of learning a first access log on the second terminal, and the first access log includes a control operation performed on second network data on the second terminal;
an obtaining module, configured to obtain the target network policy from the trusted management server in response to the policy acquisition instruction;
a first sending module, configured to send policy validation information to the trusted management server, where the policy validation information is used to indicate that the target network policy is validated on the first terminal;
and a first control module, configured to execute the target network policy to control the first network data on the first terminal.
According to another aspect of the embodiments of the present application, there is also provided a storage medium including a stored program which, when executed, performs the above-described method.
According to another aspect of the embodiments of the present application, there is also provided an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the method described above through the computer program.
In the embodiment of the application, a policy acquisition instruction is received, where the policy acquisition instruction is used to instruct a first terminal to acquire a target network policy from a trusted management server, the target network policy is used to control first network data on the first terminal, the target network policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log on the second terminal, and the first access log includes a control operation performed on second network data on the second terminal; the target network policy is obtained from the trusted management server in response to the policy acquisition instruction; policy validation information is sent to the trusted management server, where the policy validation information indicates that the target network policy is confirmed to be valid on the first terminal; and the target network policy is executed to control the first network data on the first terminal. Because the target network policy is generated through the first policy learning process executed on the second terminal, which learns the network control policy on the second terminal, and is then configured for a first terminal other than the second terminal, the first terminal can, once the target network policy takes effect on it, control operations on the first network data by executing the target network policy. Repeated operations during selection of the control policy are thereby avoided, the control policy for network access is configured rapidly, the technical effect of improving the configuration efficiency of the network access policy is achieved, and the technical problem of low configuration efficiency of the network access policy in the related art is solved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a schematic diagram of a hardware environment of a control method of network access according to an embodiment of the present application;
Fig. 2 is a flow chart of an alternative method of controlling network access according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a network control policy validation process according to an alternative embodiment of the present application;
Fig. 4 is a schematic diagram of a network policy configuration process according to an alternative embodiment of the present application;
Fig. 5 is a schematic diagram of a backup process of an access log according to an embodiment of the application;
Fig. 6 is a schematic diagram of a process for processing a network packet according to an alternative embodiment of the present application;
Fig. 7 is a schematic diagram of a policy learning process according to an alternative embodiment of the present application;
Fig. 8 is a schematic diagram of an alternative network access control device according to an embodiment of the present application;
Fig. 9 is a block diagram of a terminal according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be implemented in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Optionally, in this embodiment, fig. 1 is a schematic diagram of a hardware environment of a configuration method of a network access policy according to an embodiment of the present application, and the configuration method of the network access policy may be applied to the hardware environment formed by the terminal 101 and the server 103 shown in fig. 1. As shown in fig. 1, a server 103 is connected to a terminal 101 through a network; the server may be used to provide services (such as game services, application services, etc.) for the terminal or for a client installed on the terminal, and a database may be provided on the server or separately from the server to provide data storage services for the server 103. The network includes, but is not limited to, a wide area network, a metropolitan area network, or a local area network. The server 103 may serve as, but is not limited to, a management center for managing the object access control policy on the terminal 101, including configuring, deleting, starting, and closing the policy, and the terminal 101 is not limited to a PC, a mobile phone, a tablet computer, etc. The configuration method of the network access policy according to the embodiment of the present application may be executed by the server 103, the terminal 101, or both the server 103 and the terminal 101. The method for the terminal 101 to configure the network access policy according to the embodiment of the present application may also be executed by a client installed thereon.
According to an aspect of embodiments of the present application, an embodiment of a method for controlling network access is provided. Fig. 2 is a flowchart of an alternative network access control method according to an embodiment of the present application, and as shown in fig. 2, the method may include the following steps:
step S202, receiving a policy acquisition instruction, where the policy acquisition instruction is used to instruct a first terminal to acquire a target network policy from a trusted management server, the target network policy is used to control first network data on the first terminal, the target network policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log on the second terminal, and the first access log includes a control operation performed on second network data on the second terminal;
step S204, acquiring the target network policy from the trusted management server in response to the policy acquisition instruction;
step S206, sending policy validation information to the trusted management server, wherein the policy validation information is used for indicating that the target network policy is confirmed to be valid on the first terminal;
step S208, the target network policy is executed to control the first network data on the first terminal.
Through the steps S202 to S208, the target network policy is generated through the first policy learning process executed on the second terminal and used for learning the network control policy on the second terminal, and the target network policy is configured to the first terminal other than the second terminal, so that after the target network policy becomes effective on the first terminal, the first terminal can control the operation of the first network data by executing the target network policy, thereby avoiding repeated operation during selection of the control policy, achieving the purpose of rapidly configuring the control policy for network access, achieving the technical effect of improving the configuration efficiency of the network access policy, and further solving the technical problem of low configuration efficiency of the network access policy in the related art.
Optionally, in this embodiment, the method for configuring the network access policy may be, but is not limited to being, executed by the terminal 101. For the terminal 101, the server 103 may serve as a management center to provide management services of the object access control policy thereto, and the terminal 101 may also serve as a server to provide services for other terminals, such as: multimedia playing services, multimedia production services, live broadcast services, gaming services, shopping services, financial services, and the like. The terminal 101 may also include, but is not limited to, a mobile phone, a tablet, a smart wearable device, a smart home device, a PC, and the like.
In the technical solution provided in step S202, the target network policy is used to control first network data, where the first network data may be, but is not limited to, first network data received by the first terminal, and may also be first network data sent by the first terminal.
Optionally, in this embodiment, the target network policy is generated by a first policy learning process executed on the second terminal, where the first policy learning process is a process of learning a first access log on the second terminal, and the first access log includes a control operation performed on second network data on the second terminal. When the first policy learning process is executed on the second terminal to learn the first access log on the second terminal, the target network policy corresponding to the first policy learning process can be generated. The generated target network policy can be configured to other terminals besides the second terminal, such as the first terminal, so that the first terminal can control the operation of accessing the first object.
Optionally, in this embodiment, the first terminal may be notified of the policy acquisition instruction by, but not limited to, a heartbeat mechanism.
In the technical solution provided in step S204, after the first terminal receives the policy acquisition instruction and knows which target network policy needs to be obtained, the first terminal may obtain the target network policy from the trusted management server by, but not limited to, sending a request. For example: the first terminal sends a request to the trusted management server to request the target network policy, the trusted management server responds to the request by providing the target network policy to the first terminal, and the first terminal thereby obtains the target network policy.
In an optional embodiment, a manner in which a network control policy is validated on a terminal is provided, fig. 3 is a schematic diagram of a process for validating a network control policy according to an optional embodiment of the present application, and as shown in fig. 3, a management center (equivalent to the above-mentioned trusted management server) issues a network control policy (the policy includes a blacklist IP, a whitelist IP, a blacklist PORT, and a whitelist PORT) to the terminal, the terminal sends the received network control policy and the like to an Xbase service program, the Xbase program parses a policy file, and finally issues the policy to a kernel module of the terminal for execution. The management center can send all the strategies in the strategy template to the terminal, and the terminal carries out the integral replacement of the strategy table.
In the technical solution provided in step S206, after the first terminal acquires the target network policy from the trusted management server, the first terminal sends policy validation information indicating that the target network policy is validated on the first terminal to the trusted management server, so that the trusted management server knows that the target network policy is validated on the first terminal.
Optionally, in this embodiment, after the target network policy on the first terminal takes effect, the second access log may be further uploaded to the trusted management server.
In an optional implementation manner, a configuration process of a network policy is provided. Fig. 4 is a schematic diagram of a configuration process of a network policy according to an optional implementation manner of the present application. As shown in fig. 4, a terminal is selected on the trusted management server and network control content is input (either by selecting a template or by direct input), where the network control content includes a white list, a black list, and a port list; the trusted management server creates a policy and notifies the terminal through the heartbeat to acquire the policy; the trusted management server provides the policy to the terminal in response to the policy acquisition request sent by the terminal; the terminal confirms the acquired policy template and confirms to the trusted management server that the policy is in effect; and after the policy on the terminal is in effect, the trusted management server receives the second access log reported by the terminal. The selected policy template and the second access log reported by the terminal can be written into the database.
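The exchange of fig. 3 and fig. 4 (policy created from a template, terminal notified over the heartbeat, policy fetched and parsed, whole policy table replaced, validation confirmed, access log accepted only afterwards and written to the database) simulated in one process. This is an added example and not code from the patent or its assignee: the class and message names, the JSON policy-file format, the check that a terminal may only fetch a policy it was assigned, and all sample values are assumptions; the `parse_policy_file` method only stands in for the Xbase service program's parsing step.

```python
# Added example, not the patent's own code: a single-process simulation of the
# policy configuration and validation exchange described for Fig. 3 and Fig. 4.
# Class names, message fields, the JSON policy-file format and all sample values
# are assumptions made for the example.
import json


class TrustedManagementServer:
    def __init__(self):
        self.templates = {}   # template name -> network control content
        self.policies = {}    # policy id -> policy file (JSON text) as issued
        self.pending = {}     # terminal id -> policy id it has been told to fetch
        self.validated = {}   # terminal id -> policy id confirmed to be in effect
        self.database = []    # rows written: selected template and reported logs
        self._next_id = 1

    def create_policy(self, terminals, template_name=None, content=None):
        """Operator selects terminals and either a template or typed-in content."""
        source = self.templates[template_name] if template_name else content
        policy = {k: sorted(v) for k, v in source.items()}
        policy_id = "policy-%d" % self._next_id
        self._next_id += 1
        self.policies[policy_id] = json.dumps(policy)
        self.database.append(("policy", policy_id, template_name))
        for terminal_id in terminals:
            self.pending[terminal_id] = policy_id   # notified on the next heartbeat
        return policy_id

    def heartbeat(self, terminal_id):
        """The heartbeat reply carries the policy acquisition instruction, if any."""
        policy_id = self.pending.get(terminal_id)
        if policy_id is None:
            return {"type": "ok"}
        return {"type": "acquire_policy", "policy_id": policy_id}

    def get_policy(self, terminal_id, policy_id):
        """Answers the terminal's policy acquisition request (assumed check: only the assigned policy)."""
        if self.pending.get(terminal_id) != policy_id:
            raise PermissionError("terminal %s was not assigned %s" % (terminal_id, policy_id))
        return self.policies[policy_id]

    def policy_validated(self, terminal_id, policy_id):
        """Policy validation information: the policy is now in effect on the terminal."""
        if self.pending.pop(terminal_id, None) == policy_id:
            self.validated[terminal_id] = policy_id
            return True
        return False

    def report_access_log(self, terminal_id, entries):
        """Second access log, accepted only after the policy took effect; returns rows written."""
        if terminal_id not in self.validated:
            return 0
        self.database.extend(("access_log", terminal_id, e) for e in entries)
        return len(entries)


class Terminal:
    REQUIRED_LISTS = ("whitelist_ip", "blacklist_ip", "whitelist_port", "blacklist_port")

    def __init__(self, terminal_id, server):
        self.id = terminal_id
        self.server = server
        self.kernel_policy_table = None   # what the kernel module would enforce

    def parse_policy_file(self, raw):
        """Stands in for the Xbase service program's parsing step (assumption)."""
        policy = json.loads(raw)
        missing = [k for k in self.REQUIRED_LISTS if k not in policy]
        if missing:
            raise ValueError("policy file lacks %s" % missing)
        return {k: frozenset(policy[k]) for k in self.REQUIRED_LISTS}

    def run_heartbeat(self):
        """One heartbeat: fetch, parse, replace the whole table, confirm validation."""
        reply = self.server.heartbeat(self.id)
        if reply["type"] != "acquire_policy":
            return None
        raw = self.server.get_policy(self.id, reply["policy_id"])
        self.kernel_policy_table = self.parse_policy_file(raw)   # whole-table replacement
        self.server.policy_validated(self.id, reply["policy_id"])
        return reply["policy_id"]


def configure_and_validate():
    """Runs the exchange end to end with constructed sample values."""
    server = TrustedManagementServer()
    server.templates["office"] = {"whitelist_ip": {"10.0.0.5"}, "blacklist_ip": {"203.0.113.9"},
                                  "whitelist_port": {443}, "blacklist_port": {23}}
    t1, t2 = Terminal("term-1", server), Terminal("term-2", server)
    policy_id = server.create_policy(["term-1", "term-2"], template_name="office")
    t1.run_heartbeat()   # term-2 never heartbeats, so its policy stays pending
    log = [{"addr": "203.0.113.9", "port": 80, "result": "matched"}]
    reported = server.report_access_log("term-1", log)
    rejected = server.report_access_log("term-2", log)
    return {"policy_id": policy_id, "validated": dict(server.validated),
            "t1_table": t1.kernel_policy_table, "t2_table": t2.kernel_policy_table,
            "reported": reported, "rejected": rejected, "db_rows": len(server.database)}


if __name__ == "__main__":
    print(configure_and_validate())
```

The server only marks a terminal as validated after the terminal itself confirms, and only accepts access logs from validated terminals, which mirrors the ordering of fig. 4: the log report is meaningful only once the policy it was matched against is known to be in effect.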
In the technical solution provided in step S208, the first terminal may control the first network data using the target network policy, where the first network data may include, but is not limited to: first network data received by the first terminal and first network data transmitted by the first terminal, and so on.
As an optional embodiment, the controlling the first network data on the first terminal using the target network policy includes:
S11, intercepting the first network data on the first terminal;
S12, determining whether the first terminal is in a policy learning mode;
S13, matching the first network data with the target network policy to obtain a first matching result under the condition that the first terminal is determined to be in the policy learning mode;
S14, generating a second access log corresponding to the first matching result;
and S15, reporting the second access log and releasing the first network data.
Optionally, in this embodiment, different operations are performed on the intercepted first network data when the first terminal is in different modes, and if the first terminal is in the policy learning mode, the first network data is matched with the target network policy to obtain a first matching result, and a second access log is generated and reported.
Optionally, in this embodiment, the policy learning mode may be, but is not limited to, a network control learning mode, and the learning modes executed on the terminal may further include: a full-disk learning mode, an access control learning mode, a white list learning mode, and the like. Only when the first terminal is determined to be in the network control learning mode does the first terminal match the first network data with the target network policy and generate and report a second access log. The first terminal may perform, but is not limited to, corresponding operations in other learning modes, for example: in the full-disk learning mode the first terminal directly releases the first network data and generates and reports the logs of the full-disk learning mode.
Optionally, in this embodiment, the trusted management server may back up the second access log reported by the first terminal. Fig. 5 is a schematic diagram of a backup process of a second access log according to an embodiment of the present application. As shown in fig. 5, the number of days for which the log file is retained is read from a configuration file; every morning within the retention term the log is backed up: it is determined whether the memory space is sufficient, and if so, the log is backed up to a local SQL file. If the memory space is insufficient, the disk space is checked at regular intervals and a space warning is raised to prompt the administrator, who handles the space manually.
As an alternative embodiment, determining whether the first terminal is in the policy learning mode comprises:
S21, receiving a start instruction, wherein the start instruction is used for instructing the first terminal to start a second policy learning process;
S22, responding to the start instruction to start the second policy learning process, and determining that the first terminal is in the policy learning mode;
S23, when receiving a shutdown instruction, shutting down the second policy learning process, and determining that the first terminal is not in the policy learning mode.
Optionally, in this embodiment, the execution of the second policy learning process by the first terminal is equivalent to the first terminal being in the policy learning mode.
Optionally, in this embodiment, the first terminal may start or close the second policy learning process according to an instruction of the trusted management server. The second access logs generated in the second policy learning process may be uploaded by the first terminal to the trusted management server, and the trusted management server may generate a policy template from the second access logs in order to configure a network control policy for other terminals.
Optionally, in this embodiment, the second policy learning process may be, but is not limited to, a process of learning a target network policy. During the second policy learning process the first terminal is in a network control learning state, in which the first terminal releases the intercepted first network data and decides, according to the first matching result, whether to report the second access log. For example: if the first matching result indicates that the first network data matches the target network policy, the first network data is released and a second access log is generated and reported; if the first matching result indicates that the first network data does not match the target network policy, the first network data is released but no second access log is generated.
As an optional embodiment, after determining whether the first terminal is in the policy learning mode, the method further includes:
S31, when the first terminal is not in the policy learning mode, matching the first network data with the target network policy to obtain a second matching result;
S32, controlling the first network data according to the second matching result.
Optionally, in this embodiment, after the target network policy takes effect, the first terminal may use the target network policy to control the first network data on the first terminal: the first network data intercepted on the first terminal is matched with the target network policy and processed according to the matching result, thereby implementing control of the first network data. If the first terminal is not in the policy learning mode, the first network data is matched with the target network policy to obtain a second matching result, and the first network data is controlled according to the second matching result, wherein the control may be, but is not limited to, releasing or intercepting the first network data.
As an optional embodiment, matching the first network data with the target network policy, and obtaining the second matching result includes:
S41, detecting whether a first transmission address list included in the target network policy includes the transmission address of the first network data, where the first transmission address list is used to record the transmission addresses allowed to transmit the first network data;
S42, in a case that the transmission address of the first network data is not included in the first transmission address list, detecting whether the transmission address of the first network data is included in a second transmission address list included in the target network policy, where the second transmission address list is used to record the transmission addresses not allowed to transmit the first network data;
S43, detecting whether a transmission port list included in the target network policy includes the transmission port of the first network data when the first transmission address list includes the transmission address of the first network data, or when the second transmission address list does not include the transmission address of the first network data, where the transmission port list is used to record the transmission ports not allowed to transmit the first network data;
S44, setting the data identifier of the first network data as a target identifier when the second transmission address list includes the transmission address of the first network data, or when the transmission port list includes the transmission port of the first network data, where the target identifier is used to indicate that the first network data is to be intercepted;
S45, determining not to set the data identifier of the first network data when the transmission port list does not include the transmission port of the first network data.
Optionally, in this embodiment, the target network policy may include, but is not limited to, a first transmission address list, a second transmission address list and a transmission port list, wherein the first transmission address list records the transmission addresses allowed to transmit the first network data, the second transmission address list records the transmission addresses not allowed to transmit the first network data, and the transmission port list records the transmission ports not allowed to transmit the first network data.
Optionally, in this embodiment, the process of matching the first network data with the target network policy may be, but is not limited to, the following: the first transmission address list is matched first, to determine whether the transmission address of the first network data is an address allowed to transmit the first network data; if the transmission address of the first network data is not included in the first transmission address list, the second transmission address list is matched, to determine whether the transmission address is an address not allowed to transmit the first network data. For a transmission address that is found to be allowed, or that is not found to be disallowed, the transmission port of the first network data is then matched against the transmission port list to determine whether the port is allowed to transmit the first network data.
Optionally, in this embodiment, if the second transmission address list includes the transmission address of the first network data, or the transmission port list includes the transmission port of the first network data, the first network data is considered not allowed to be transmitted, and the data identifier of the first network data is set as the target identifier indicating that the first network data is to be intercepted. If the transmission port of the first network data is not included in the transmission port list, the first network data is considered allowed to be transmitted, and the data identifier of the first network data is not set.
As an optional embodiment, detecting whether a transmission port of the first network data is included in the transmission port list includes:
S51, detecting the transmission protocol of the first network data;
S52, determining a transmission mode of the first network data when the transmission protocol of the first network data is a first transmission protocol, where the transmission mode is either sending the first network data or receiving the first network data;
S53, determining not to set the data identifier of the first network data when the transmission mode of the first network data is sending the first network data;
S54, when the transmission protocol of the first network data is a second transmission protocol, or the transmission mode of the first network data is receiving the first network data, detecting whether the transmission port list includes the transmission port of the first network data.
Optionally, in this embodiment, in the process of detecting whether the transmission port list includes the transmission port of the first network data, the transmission protocol of the first network data is distinguished first. If the transmission protocol is the first transmission protocol, it is further necessary to distinguish whether the transmission mode of the first network data is sending or receiving, and if the transmission mode is sending, the data identifier of the first network data is not set. If the transmission mode is receiving, or the transmission protocol of the first network data is the second transmission protocol, it is detected whether the transmission port list includes the transmission port of the first network data, and the data identifier is set according to the detection result.
Optionally, in this embodiment, the first transport protocol may include, but is not limited to, a TCP protocol, and the second transport protocol may include, but is not limited to, a UDP protocol.
Optionally, in this embodiment, the transmission port of the first network data may refer to, but is not limited to, a local port of the first network data, that is, a port of the first terminal.
As an alternative embodiment, processing the first network data according to the matching result includes:
S61, determining whether the target identifier is set in the first network data;
S62, intercepting the first network data if it is determined that the target identifier is set in the first network data;
S63, releasing the first network data if it is determined that the target identifier is not set in the first network data.
Optionally, in this embodiment, the first network data is processed according to whether the target identifier is set for the first network data, if the target identifier is set, the interception is performed, otherwise, the first network data is released.
Optionally, in this embodiment, the target identifier may also be referred to as a discard identifier. The data with the target identification set can be intercepted and discarded. The data without the target identifier set is subjected to the operation of releasing.
In an optional embodiment, a process by which a terminal processes a network packet is provided. The control policy configured on the terminal may be executed by, but is not limited to, the kernel; the terminal stores the control policy by maintaining an access control policy library, and the kernel updates the access control policy library after receiving a policy; if the policy is a delete policy, the cache library may be emptied. Fig. 6 is a schematic diagram of a processing procedure of a network packet according to an alternative embodiment of the present application. As shown in fig. 6, the kernel intercepts a network packet on the terminal and determines whether the learning mode is currently enabled on the terminal.
If the learning mode is not currently enabled on the terminal, the kernel first processes the IP of the network packet. It checks whether the current IP of the network packet is in the IP white list (corresponding to the first transmission address list described above). If the current IP is in the IP white list, the IP black list check is skipped, that is, once the current IP is in the white list it is not restricted by the black list; if the current IP is not in the IP white list, it is determined whether the current IP falls within the restricted range of the IP black list (corresponding to the second transmission address list). If the current IP is in the IP black list, the packet discard identifier is set (that is, the packet is intercepted) and an audit log of the blocking type is reported; if the current IP is not within the black list restriction, the port policy is checked.
The port policy is checked when the IP is in the white list, or when the IP is neither in the white list nor in the black list. If the network packet uses the UDP protocol, it is checked whether the local port (corresponding to the transmission port of the network data) is in the delivered black list; if so, the packet is intercepted, otherwise the check is skipped, and an audit log is reported. If the network packet uses the TCP protocol, it is checked whether the current packet flow is in the receiving or sending phase (that is, whether the checking procedure is in a sending or receiving state). If the packet currently being processed is in the receiving phase, it is checked whether the port is in the delivered black list; if so, the packet is intercepted, otherwise the check is skipped. If the packet currently being processed is in the sending phase, no processing is done. That is, the port restrictions, whether for the TCP or UDP protocol, are checked against the local port.
In the learning mode, the delivered network control policies are all ineffective (they have no effect). Audit log information generated in the learning mode is reported in real time to the buffer area through the log module, and the type of the audit log is set to learning. The application-layer program uploads the generated audit log data from the buffer to the audit database in real time.
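The kernel-side decision described in steps S41-S45, S51-S54 and S61-S63 and in the Fig. 6 procedure above, as an added example that is not part of the patent or of the applicant's code. The policy and packet structures, the sample addresses and the rule that a learning-type log is reported exactly when the policy would have intercepted the packet are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed data model (added example, not the patent's own code). The target
# network policy is modelled as the three lists named in steps S41-S45:
# an IP white list, an IP black list and a local-port black list.
@dataclass(frozen=True)
class NetworkPolicy:
    ip_whitelist: FrozenSet[str]    # first transmission address list (allowed)
    ip_blacklist: FrozenSet[str]    # second transmission address list (disallowed)
    port_blacklist: FrozenSet[int]  # transmission port list (disallowed local ports)


@dataclass(frozen=True)
class Packet:
    remote_ip: str    # transmission address of the network data
    local_port: int   # transmission port, i.e. the terminal's own port
    protocol: str     # "tcp" (first transmission protocol) or "udp" (second)
    direction: str    # "send" or "recv"


DROP = "drop"   # the target identifier ("discard identifier") is set
PASS = "pass"   # no identifier set: the data is released


def port_blocked(policy: NetworkPolicy, pkt: Packet) -> bool:
    """Steps S51-S54: a TCP packet in the sending phase is never port-restricted;
    UDP packets and TCP packets in the receiving phase are checked against the
    local-port black list."""
    if pkt.protocol == "tcp" and pkt.direction == "send":
        return False
    return pkt.local_port in policy.port_blacklist


def match_policy(policy: NetworkPolicy, pkt: Packet) -> Tuple[str, Optional[str]]:
    """Steps S41-S45 as executed when the learning mode is off.
    Returns (action, audit_log_type); audit_log_type is None when nothing is reported."""
    if pkt.remote_ip in policy.ip_whitelist:
        # White-listed address: the black list is not consulted at all.
        pass
    elif pkt.remote_ip in policy.ip_blacklist:
        # Black-listed address: set the discard identifier, report a blocking log.
        return DROP, "block"
    # Address allowed, or not disallowed: fall through to the port policy.
    if port_blocked(policy, pkt):
        return DROP, "block"
    return PASS, None


def process_packet(policy: NetworkPolicy, pkt: Packet,
                   learning_mode: bool) -> Tuple[str, Optional[str]]:
    """Kernel entry point of Fig. 6: intercept the packet, branch on the learning mode."""
    action, log_type = match_policy(policy, pkt)
    if learning_mode:
        # In the learning mode the delivered policy has no effect: every packet is
        # released. Assumption for this example: a learning-type log is reported
        # exactly when the policy would have intercepted the packet (the "matched"
        # case of the first matching result); otherwise nothing is reported.
        return PASS, ("learning" if action == DROP else None)
    return action, log_type


# Constructed sample policy (RFC 5737 documentation addresses) exercising every branch;
# 198.51.100.4 is deliberately on both address lists to show that the white list wins.
SAMPLE_POLICY = NetworkPolicy(
    ip_whitelist=frozenset({"10.0.0.5", "198.51.100.4"}),
    ip_blacklist=frozenset({"203.0.113.7", "198.51.100.4"}),
    port_blacklist=frozenset({23, 445}),
)


def demo() -> dict:
    """Runs constructed sample packets through the kernel logic and returns the decisions."""
    cases = {
        "blacklisted_ip":        Packet("203.0.113.7", 80, "tcp", "send"),
        "whitelist_beats_black": Packet("198.51.100.4", 80, "tcp", "recv"),
        "whitelist_udp_port":    Packet("10.0.0.5", 445, "udp", "send"),
        "whitelist_tcp_send":    Packet("10.0.0.5", 445, "tcp", "send"),
        "unlisted_tcp_recv":     Packet("192.0.2.9", 445, "tcp", "recv"),
        "unlisted_clean_port":   Packet("192.0.2.9", 8080, "tcp", "recv"),
    }
    results = {name: process_packet(SAMPLE_POLICY, pkt, False) for name, pkt in cases.items()}
    results["blacklisted_ip_learning"] = process_packet(SAMPLE_POLICY, cases["blacklisted_ip"], True)
    results["clean_port_learning"] = process_packet(SAMPLE_POLICY, cases["unlisted_clean_port"], True)
    return results


if __name__ == "__main__":
    for name, (action, log_type) in demo().items():
        print(f"{name:24s} -> {action:4s} log={log_type}")
```

Note that a white-listed address still falls through to the port black list, so the white list only bypasses the address black list, not the port restriction.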
As an optional embodiment, before receiving the policy acquisition instruction, the method further includes:
S71, determining the first terminal through the trusted management server;
S72, determining a policy template corresponding to the first terminal through the trusted management server;
S73, generating the target network policy by the trusted management server using the policy template;
S74, sending the policy acquisition instruction to the first terminal through the trusted management server, where the policy acquisition instruction is used to instruct the first terminal to acquire the target network policy from the trusted management server.
Optionally, in this embodiment, each time a network control policy is configured, the terminal and the policy template may be selected by the trusted management server.
Optionally, in this embodiment, the target network policy includes: a transport address white list, a transport address black list, and a transport port black list, among others.
In an optional implementation, a policy learning process is provided. Fig. 7 is a schematic diagram of a policy learning process according to an optional implementation of the present application. As shown in fig. 7, a terminal is selected on the trusted management server, and the trusted management server determines whether the terminal is in the learning state. If the terminal is not in the learning state, an open-learning policy (equivalent to the start instruction above) is created and the terminal is notified to acquire the policy; the terminal opens the network learning mode and sends an open confirmation to the trusted management server. During network learning, the terminal reports the logs generated in the learning process, and the trusted management server collects the logs reported by the terminal. After the learning period ends, the trusted management server selects a terminal and determines whether it is in the learning state; if so, the trusted management server creates a close-learning policy (equivalent to the shutdown instruction above) and notifies the terminal to acquire the policy, and when the terminal acquires the close-learning policy it closes the learning mode and sends a close confirmation to the trusted management server. After the learning mode is closed, a policy template can be generated on the trusted management server, and the generated policy template allows editing, modification and other operations.
Optionally, in this optional embodiment, the policy generated by the trusted management server, the on state and the off state of the learning mode acknowledged by the terminal report, the log reported by the terminal, and the generated policy template may all be written into the database for storage.
Optionally, in this optional embodiment, the terminal needs to be in the online state in the learning mode and must not be performing other learning tasks; if other learning tasks are being performed (for example, an access learning task, a white list learning task, a full-disk learning task, etc.), an exception may be prompted.
Optionally, in this optional embodiment, the terminal may be notified to acquire the learning mode policy through, but not limited to, a heartbeat. After the terminal starts the learning mode, the logs sent to the trusted management server may mark the log state as the learning mode state.
Optionally, in this optional embodiment, the close button of a terminal currently set to the learning mode is clickable. After the terminal confirms that the learning mode is closed, a policy template can be generated by clicking, and this may be done multiple times. The generated policy template can be edited and modified online.
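The open/close handshake of steps S21-S23 and the Fig. 7 learning process above, modelled end to end as an added example that is not the patent's or the applicant's code. The message shapes, the status strings, the precondition checks and the rule that learned addresses and ports become the black lists of the template are assumptions made for this example; the patent only states that the template is generated from the reported logs and is editable afterwards.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of the learning-mode handshake (added example). Policy "type"
# values and confirmation strings are assumptions, not the patent's wire format.

@dataclass
class AccessLog:
    terminal_id: str
    remote_ip: str
    local_port: int
    state: str = "learning"   # logs sent while learning carry the learning-mode state


class Terminal:
    """Terminal side: fetches a policy when notified (e.g. by heartbeat) and confirms it."""

    def __init__(self, terminal_id: str, online: bool = True,
                 other_task: Optional[str] = None) -> None:
        self.id = terminal_id
        self.online = online
        self.other_task = other_task   # e.g. "whitelist" or "full-disk" learning task
        self.learning = False

    def fetch_policy(self, policy: dict) -> str:
        if policy["type"] == "open_learning":
            self.learning = True
            return "open_confirmed"
        if policy["type"] == "close_learning":
            self.learning = False
            return "close_confirmed"
        return "unknown_policy"


class TrustedManagementServer:
    """Server side: tracks learning state per terminal, collects logs, builds templates."""

    def __init__(self) -> None:
        self.state: Dict[str, str] = {}        # terminal id -> "learning" or "idle"
        self.logs: List[AccessLog] = []
        self.templates: Dict[str, dict] = {}   # generated templates, editable afterwards

    def start_learning(self, t: Terminal) -> str:
        # The terminal must be online, free of other learning tasks and not already
        # learning; otherwise an exception is prompted instead of delivering a policy.
        if not t.online or t.other_task is not None:
            return "rejected: terminal offline or busy with another learning task"
        if self.state.get(t.id) == "learning":
            return "rejected: terminal already in learning state"
        ack = t.fetch_policy({"type": "open_learning", "terminal": t.id})
        if ack != "open_confirmed":
            return "rejected: no open confirmation"
        self.state[t.id] = "learning"
        return "opened"

    def collect_log(self, log: AccessLog) -> bool:
        # Only learning-state logs from a terminal known to be learning are collected.
        if self.state.get(log.terminal_id) != "learning" or log.state != "learning":
            return False
        self.logs.append(log)
        return True

    def stop_learning(self, t: Terminal) -> str:
        if self.state.get(t.id) != "learning":
            return "rejected: terminal not in learning state"
        ack = t.fetch_policy({"type": "close_learning", "terminal": t.id})
        if ack != "close_confirmed":
            return "rejected: no close confirmation"
        self.state[t.id] = "idle"
        return "closed"

    def generate_template(self, t: Terminal) -> Optional[dict]:
        # A template can only be generated after the close confirmation has arrived.
        if self.state.get(t.id) != "idle":
            return None
        mine = [entry for entry in self.logs if entry.terminal_id == t.id]
        # Assumed derivation rule for this example: addresses and local ports that the
        # learning logs recorded become the black lists of an editable template.
        template = {
            "ip_whitelist": [],
            "ip_blacklist": sorted({entry.remote_ip for entry in mine}),
            "port_blacklist": sorted({entry.local_port for entry in mine}),
        }
        self.templates[t.id] = template
        return template
```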
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
Through the description of the foregoing embodiments, it is clear to those skilled in the art that the method according to the foregoing embodiments may be implemented by software plus a necessary general hardware platform, and certainly may also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present application.
According to another aspect of the embodiments of the present application, there is also provided a network access control apparatus for implementing the network access control method. Fig. 8 is a schematic diagram of an alternative network access control device according to an embodiment of the present application, and as shown in fig. 8, the device may include:
a receiving module 82, configured to receive a policy acquisition instruction, where the policy acquisition instruction is used to instruct a first terminal to acquire a target network policy from a trusted management server, the target network policy is used to control first network data on the first terminal, the target network policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log on the second terminal, and the first access log includes a control operation performed on second network data on the second terminal;
an obtaining module 84, configured to obtain the target network policy from the trusted management server in response to the policy obtaining instruction;
a first sending module 86, configured to send policy validation information to the trusted management server, where the policy validation information is used to indicate that the target network policy is validated on the first terminal;
a first control module 88, configured to execute the target network policy to control the first network data on the first terminal.
It should be noted that the receiving module 82 in this embodiment may be configured to execute the step S202 in this embodiment, the obtaining module 84 in this embodiment may be configured to execute the step S204 in this embodiment, the first sending module 86 in this embodiment may be configured to execute the step S206 in this embodiment, and the first control module 88 in this embodiment may be configured to execute the step S208 in this embodiment.
It should be noted here that the modules described above are the same as the examples and application scenarios implemented by the corresponding steps, but are not limited to the disclosure of the above embodiments. It should be noted that the modules described above as a part of the apparatus may operate in a hardware environment as shown in fig. 1, and may be implemented by software or hardware.
Through the above modules, the target network policy is generated through a first policy learning process executed on the second terminal, which learns the network control policy on the second terminal, and is configured to a first terminal other than the second terminal. After the target network policy takes effect on the first terminal, the first terminal can control the first network data by executing the target network policy. This avoids repeated operations when selecting a control policy, achieves the aim of rapidly configuring the network access control policy, attains the technical effect of improving the configuration efficiency of the network access policy, and solves the technical problem of low configuration efficiency of the network access policy in the related art.
As an alternative embodiment, the control module comprises:
the intercepting unit is used for intercepting the first network data on the first terminal;
a first determination unit configured to determine whether the first terminal is in a policy learning mode;
the matching unit is used for matching the first network data with the target network policy to obtain a first matching result when the first terminal is determined to be in the policy learning mode;
the generating unit is used for generating a second access log corresponding to the first matching result;
and the reporting unit is used for reporting the second access log and releasing the first network data.
As an alternative embodiment, the determining unit is configured to:
receiving a start instruction, wherein the start instruction is used for instructing the first terminal to start a second policy learning process;
starting the second policy learning process in response to the start instruction, and determining that the first terminal is in the policy learning mode;
and in the case of receiving a shutdown indication, shutting down the second policy learning process and determining that the first terminal is not in the policy learning mode.
As an alternative embodiment, the apparatus further comprises:
the matching module is used for matching the first network data with the target network policy to obtain a second matching result when the first terminal is not in the policy learning mode, after it has been determined whether the first terminal is in the policy learning mode;
and the second control module is used for controlling the first network data according to the second matching result.
As an alternative embodiment, the matching module comprises:
a first detecting unit, configured to detect whether a transport address of the first network data is included in a first transport address list included in the target network policy, where the first transport address list is used to record a transport address allowing transmission of the first network data;
a second detecting unit, configured to detect, when a transport address of the first network data is not included in the first transport address list, whether a transport address of the first network data is included in a second transport address list included in the target network policy, where the second transport address list is used to record a transport address at which transmission of the first network data is not allowed;
a third detecting unit, configured to detect whether a transmission port list included in the target network policy includes a transmission port of the first network data when the first transmission address list includes a transmission address of the first network data, or when the second transmission address list does not include the transmission address of the first network data, where the transmission port list is used to record a transmission port that is not allowed to transmit the first network data;
a setting unit, configured to set a data identifier of the first network data as a target identifier when the second transmission address list includes the transmission address of the first network data, or the transmission port list includes the transmission port of the first network data, where the target identifier is used to indicate that the first network data is intercepted;
a second determining unit, configured to determine that the data identifier of the first network data is not set when the transmission port of the first network data is not included in the transmission port list.
As an alternative embodiment, the third detecting unit is configured to:
detecting a transmission protocol of the first network data;
determining a transmission mode of the first network data under the condition that the transmission protocol of the first network data is a first transmission protocol, wherein the transmission mode comprises the steps of sending the first network data and receiving the first network data;
determining not to set a data identifier of the first network data under the condition that the transmission mode of the first network data is to send the first network data;
and detecting whether the transmission port list includes the transmission port of the first network data or not under the condition that the transmission protocol of the first network data is a second transmission protocol or the transmission mode of the first network data is to receive the first network data.
As an alternative embodiment, the second control module comprises:
a third determining unit, configured to determine whether the target identifier is set in the first network data;
the processing unit is used for intercepting the first network data and generating an audit log under the condition that the target identifier is determined to be set in the first network data; reporting the audit log to the trusted management server;
a releasing unit, configured to release the first network data when it is determined that the target identifier is not set in the first network data.
As an alternative embodiment, the apparatus further comprises:
a first determining module, configured to determine, by the trusted management server, one or more terminals before receiving a policy acquisition instruction, where the one or more terminals include the first terminal;
the second determining module is used for determining the strategy template corresponding to the one or more terminals through the trusted management server;
a generation module for generating the target network policy by the trusted management server using the policy template;
a second sending module, configured to send the policy obtaining indication to the one or more terminals through the trusted management server, where the policy obtaining indication is used to indicate the one or more terminals to obtain the target network policy from the trusted management server.
It should be noted that the modules described above are the same as examples and application scenarios realized by corresponding steps, but are not limited to what is disclosed in the foregoing embodiments. It should be noted that the modules described above as a part of the apparatus may be operated in a hardware environment as shown in fig. 1, and may be implemented by software, or may be implemented by hardware, where the hardware environment includes a network environment.
According to another aspect of the embodiments of the present application, there is also provided a server or a terminal for implementing the control method of network access.
Fig. 9 is a block diagram of a terminal according to an embodiment of the present application, and as shown in fig. 9, the terminal may include: one or more processors 901 (only one of which is shown), a memory 903, and a transmitting device 905, as shown in fig. 9, the terminal may further include an input/output device 907.
The memory 903 may be used to store software programs and modules, such as program instructions/modules corresponding to the method and apparatus for controlling network access in this embodiment, and the processor 901 executes various functional applications and data processing by running the software programs and modules stored in the memory 903, that is, the method for controlling network access is implemented. The memory 903 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 903 may further include memory located remotely from the processor 901, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The above-mentioned transmission device 905 is used for receiving or sending data via a network, and can also be used for data transmission between a processor and a memory. Examples of the network may include a wired network and a wireless network. In one example, the transmission device 905 includes a network interface card (NIC) that can be connected to a router via a network cable and other network devices so as to communicate with the internet or a local area network. In one example, the transmission device 905 is a radio frequency (RF) module used to communicate with the internet wirelessly.
The memory 903 is used for storing, among other things, application programs.
The processor 901 may call an application stored in the memory 903 through the transmission device 905 to perform the following steps:
receiving a policy acquisition instruction, wherein the policy acquisition instruction is used for instructing a first terminal to acquire a target network policy from a trusted management server, the target network policy is used for controlling first network data on the first terminal, the target network policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log on the second terminal, and the first access log comprises a control operation performed on second network data on the second terminal;
obtaining the target network policy from the trusted management server in response to the policy obtaining indication;
sending policy validation information to the trusted management server, wherein the policy validation information is used for indicating that the target network policy is confirmed to be valid on the first terminal;
and executing the target network policy to control the first network data on the first terminal.
By adopting the embodiment of the application, a scheme for controlling network access is provided. The target network policy is generated through a first policy learning process executed on a second terminal, which learns the network control policy on the second terminal, and is configured to a first terminal other than the second terminal. After the target network policy takes effect on the first terminal, the first terminal can control the first network data by executing the target network policy. This avoids repeated operations when selecting a control policy, achieves the aim of rapidly configuring the network access control policy, attains the technical effect of improving the configuration efficiency of the network access policy, and solves the technical problem of low configuration efficiency of the network access policy in the related art.
Optionally, for a specific example in this embodiment, reference may be made to the example described in the foregoing embodiment, and this embodiment is not described herein again.
It can be understood by those skilled in the art that the structure shown in fig. 9 is only an illustration: fig. 9 merely illustrates one structure of the electronic device, and the terminal may be a terminal device such as a smartphone (e.g., an Android phone or an iOS phone), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD, etc. The terminal may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in fig. 9, or have a configuration different from that shown in fig. 9.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
Embodiments of the present application also provide a storage medium. Optionally, in this embodiment, the storage medium may be used to store program code for executing a method for controlling network access.
Optionally, in this embodiment, the storage medium may be located on at least one of a plurality of network devices in a network shown in the above embodiment.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
receiving a policy acquisition instruction, wherein the policy acquisition instruction is used for instructing a first terminal to acquire a target network policy from a trusted management server, the target network policy is used for controlling first network data on the first terminal, the target network policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log on the second terminal, and the first access log comprises a control operation on second network data on the second terminal;
obtaining the target network policy from the trusted management server in response to the policy acquisition instruction;
sending policy validation information to the trusted management server, wherein the policy validation information is used for indicating that the target network policy is confirmed to be valid on the first terminal;
and executing the target network policy to control the first network data on the first terminal.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
Optionally, in this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk, and various media capable of storing program codes.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including instructions for causing one or more computer devices (which may be personal computers, servers, network devices, or the like) to execute all or part of the steps of the method described in the embodiments of the present application.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.

Claims (10)

1. A method for controlling network access, comprising:
receiving a policy acquisition instruction, wherein the policy acquisition instruction is used for instructing a first terminal to acquire a target network policy from a trusted management server, the target network policy is used for controlling first network data on the first terminal, the target network policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log on the second terminal, and the first access log comprises a control operation performed on second network data on the second terminal;
obtaining the target network policy from the trusted management server in response to the policy acquisition instruction;
sending policy validation information to the trusted management server, wherein the policy validation information is used for indicating that the target network policy is confirmed to be valid on the first terminal;
executing the target network policy to control the first network data on the first terminal: intercepting the first network data on the first terminal; determining whether the first terminal is in a policy learning mode; under the condition that the first terminal is determined to be in the policy learning mode, matching the first network data with the target network policy to obtain a first matching result; generating a second access log corresponding to the first matching result; and reporting the second access log and releasing the first network data.
2. The method of claim 1, wherein determining whether the first terminal is in a policy learning mode comprises:
receiving a starting instruction, wherein the starting instruction is used for instructing the first terminal to start a second policy learning process;
starting the second policy learning process in response to the starting instruction, and determining that the first terminal is in the policy learning mode;
and in the case of receiving a shutdown indication, shutting down the second policy learning process and determining that the first terminal is not in the policy learning mode.
3. The method of claim 1, wherein after determining whether the first terminal is in a policy learning mode, the method further comprises:
under the condition that the first terminal is not in the policy learning mode, matching the first network data with the target network policy to obtain a second matching result;
and controlling the first network data according to the second matching result.
4. The method of claim 3, wherein matching the first network data with the target network policy to obtain the second matching result comprises:
detecting whether a first transmission address list included in the target network policy includes a transmission address of the first network data, wherein the first transmission address list is used for recording a transmission address allowing transmission of the first network data;
under the condition that the transmission address of the first network data is not included in the first transmission address list, detecting whether a second transmission address list included in the target network policy includes the transmission address of the first network data, wherein the second transmission address list is used for recording the transmission addresses which are not allowed to transmit the first network data;
under the condition that the transmission address of the first network data is included in the first transmission address list or the transmission address of the first network data is not included in the second transmission address list, detecting whether a transmission port of the first network data is included in a transmission port list included in the target network policy or not, wherein the transmission port list is used for recording transmission ports which are not allowed to transmit the first network data;
setting a data identifier of the first network data as a target identifier under the condition that the second transmission address list comprises the transmission address of the first network data or the transmission port list comprises the transmission port of the first network data, wherein the target identifier is used for indicating to intercept the first network data;
determining not to set the data identifier of the first network data in the case that the transmission port of the first network data is not included in the transmission port list.
5. The method of claim 4, wherein detecting whether a transmission port of the first network data is included in the transmission port list comprises:
detecting a transmission protocol of the first network data;
determining a transmission mode of the first network data under the condition that the transmission protocol of the first network data is a first transmission protocol, wherein the transmission mode comprises the steps of sending the first network data and receiving the first network data;
determining not to set a data identifier of the first network data under the condition that the transmission mode of the first network data is to send the first network data;
and detecting whether a transmission port of the first network data is included in the transmission port list or not when the transmission protocol of the first network data is a second transmission protocol or the transmission mode of the first network data is to receive the first network data.
6. The method of claim 4, wherein controlling the first network data according to the second matching result comprises:
determining whether the target identifier is set by the first network data;
intercepting the first network data and generating an audit log under the condition that the target identifier is determined to be set in the first network data; reporting the audit log to the trusted management server;
and in the case that the first network data is determined not to set the target identifier, releasing the first network data.
7. The method of claim 1, wherein prior to receiving the policy acquisition instruction, the method further comprises:
determining, by the trusted management server, the first terminal;
determining a policy template corresponding to the first terminal through the trusted management server;
generating, by the trusted management server, the target network policy using the policy template;
sending the policy acquisition instruction to the first terminal through the trusted management server, wherein the policy acquisition instruction is used for instructing the first terminal to acquire the target network policy from the trusted management server.
8. A network access control apparatus, comprising:
a receiving module, configured to receive a policy acquisition instruction, where the policy acquisition instruction is used to instruct a first terminal to acquire a target network policy from a trusted management server, where the target network policy is used to control first network data on the first terminal, and the target network policy is generated through a first policy learning process executed on a second terminal, where the first policy learning process is a process of learning a first access log on the second terminal, and the first access log includes a control operation performed on second network data on the second terminal;
an obtaining module, configured to obtain the target network policy from the trusted management server in response to the policy acquisition instruction;
a first sending module, configured to send policy validation information to the trusted management server, where the policy validation information is used to indicate that the target network policy is validated on the first terminal;
a first control module, configured to execute the target network policy to control the first network data on the first terminal: intercepting the first network data on the first terminal; determining whether the first terminal is in a policy learning mode; under the condition that the first terminal is determined to be in the policy learning mode, matching the first network data with the target network policy to obtain a first matching result; generating a second access log corresponding to the first matching result; and reporting the second access log, and releasing the first network data.
9. A storage medium, characterized in that the storage medium comprises a stored program, wherein the program when executed performs the method of any of the preceding claims 1 to 7.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor executes the method of any of the preceding claims 1 to 7 by means of the computer program.
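The matching and enforcement flow of claims 1 to 6 (policy acquisition and validation, learning mode versus enforcement mode, the ordered allow-list, deny-list and port-list checks of claim 4, the direction-aware port check of claim 5, and the intercept-or-release decision of claim 6) is shown below as an added illustration; it is not the patent's own code. The patent names no concrete values, so the following are assumptions: the "first transmission protocol" of claim 5, whose outbound traffic skips the port check, is taken to be TCP and the "second" to be UDP; packets are modelled as a small dataclass; the trusted management server is an in-memory stand-in whose "reports" are lists, so the example runs offline; the addresses and ports in the sample policy are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

INTERCEPT = "intercept"  # the claims' "target identifier"


@dataclass(frozen=True)
class Packet:
    address: str    # transmission address of the remote peer
    port: int       # transmission port
    protocol: str   # "tcp" or "udp"
    direction: str  # "send" (outbound) or "receive" (inbound)


@dataclass
class NetworkPolicy:
    allowed_addresses: frozenset  # first transmission address list (allowed)
    denied_addresses: frozenset   # second transmission address list (not allowed)
    denied_ports: frozenset       # transmission port list (not allowed)
    # assumption: the "first transmission protocol" of claim 5 is TCP
    direction_sensitive_protocols: frozenset = frozenset({"tcp"})


def port_blocked(pkt: Packet, policy: NetworkPolicy) -> bool:
    """Claim 5: outbound traffic on the first protocol is never port-blocked;
    inbound traffic, and any traffic on the second protocol, is checked
    against the port list."""
    if pkt.protocol in policy.direction_sensitive_protocols and pkt.direction == "send":
        return False
    return pkt.port in policy.denied_ports


def match(pkt: Packet, policy: NetworkPolicy) -> Optional[str]:
    """Claim 4: returns INTERCEPT when the target identifier should be set,
    otherwise None. As the claim is ordered, an allow-listed address still
    goes through the port check, so a denied port is intercepted regardless."""
    if pkt.address not in policy.allowed_addresses:
        if pkt.address in policy.denied_addresses:
            return INTERCEPT
    # address is allow-listed, or on neither list: fall through to the port check
    return INTERCEPT if port_blocked(pkt, policy) else None


@dataclass
class TrustedManagementServer:
    """Stand-in for the server: holds per-terminal policies and records the
    validations, access logs and audit logs that terminals report to it."""
    policies: Dict[str, NetworkPolicy]
    validated: List[str] = field(default_factory=list)
    access_logs: List[dict] = field(default_factory=list)
    audit_logs: List[dict] = field(default_factory=list)


class Terminal:
    def __init__(self, terminal_id: str, server: TrustedManagementServer):
        self.id = terminal_id
        self.server = server
        self.policy: Optional[NetworkPolicy] = None
        self.learning_mode = False  # claim 2: toggled by start/shutdown instructions

    def on_policy_acquisition_instruction(self) -> None:
        """Claim 1: fetch the policy, then confirm it is valid on this terminal."""
        self.policy = self.server.policies[self.id]
        self.server.validated.append(self.id)  # the policy validation information

    def set_learning_mode(self, enabled: bool) -> None:
        self.learning_mode = enabled

    def handle(self, pkt: Packet) -> str:
        """Claims 1, 3 and 6: returns 'released' or 'intercepted'."""
        result = match(pkt, self.policy)
        if self.learning_mode:
            # learning mode: report what the policy would have done, then release
            self.server.access_logs.append({"terminal": self.id, "packet": pkt, "match": result})
            return "released"
        if result == INTERCEPT:
            self.server.audit_logs.append({"terminal": self.id, "packet": pkt})
            return "intercepted"
        return "released"


def demo() -> dict:
    """Constructed sample policy and packets (documentation-range addresses)."""
    policy = NetworkPolicy(
        allowed_addresses=frozenset({"10.0.0.5"}),
        denied_addresses=frozenset({"203.0.113.9"}),
        denied_ports=frozenset({23, 445}),
    )
    server = TrustedManagementServer(policies={"terminal-A": policy})
    t = Terminal("terminal-A", server)
    t.on_policy_acquisition_instruction()
    enforced = {
        "allowed_addr_denied_port": t.handle(Packet("10.0.0.5", 445, "udp", "receive")),
        "denied_addr": t.handle(Packet("203.0.113.9", 80, "tcp", "send")),
        "tcp_outbound_skips_port_check": t.handle(Packet("198.51.100.7", 23, "tcp", "send")),
        "tcp_inbound_denied_port": t.handle(Packet("198.51.100.7", 23, "tcp", "receive")),
        "unlisted": t.handle(Packet("198.51.100.7", 80, "udp", "receive")),
    }
    t.set_learning_mode(True)
    learning = t.handle(Packet("203.0.113.9", 80, "tcp", "send"))
    t.set_learning_mode(False)
    return {"enforced": enforced, "learning": learning, "server": server}
```

Running `demo()` shows the two points a deployer should notice in the claimed ordering: an allow-listed address is still subject to the port list, and outbound TCP traffic is never port-blocked, so a port-based rule only constrains inbound TCP and all UDP. In learning mode every packet is released and only the would-be decision is reported, which is why a terminal should not be left in that mode once the policy has been confirmed.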
CN202010600445.9A 2020-06-28 2020-06-28 Network access control method and device Active CN111901147B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010600445.9A CN111901147B (en) 2020-06-28 2020-06-28 Network access control method and device

Publications (2)

Publication Number Publication Date
CN111901147A CN111901147A (en) 2020-11-06
CN111901147B true CN111901147B (en) 2022-08-30

Family

ID=73207869

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114679290B (en) * 2021-05-20 2023-03-24 腾讯云计算(北京)有限责任公司 Network security management method and electronic equipment
CN113630779B (en) * 2021-08-17 2023-06-02 中国联合网络通信集团有限公司 Network connection management method and device and terminal
CN113904939B (en) * 2021-10-27 2023-07-28 中国联合网络通信集团有限公司 Method, device and storage medium for managing target terminal

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101662480A (en) * 2009-09-01 2010-03-03 卡斯柯信号有限公司 Log system based on access control
CN103249115A (en) * 2013-05-07 2013-08-14 中国联合网络通信集团有限公司 Policy configuration method and device
CN103988571A (en) * 2012-03-01 2014-08-13 艾迪威尔有限责任公司 Method, system, and recording medium for analyzing wireless network load reduction policy
CN109510842A (en) * 2018-12-29 2019-03-22 北京威努特技术有限公司 A kind of method and device of industry control network file Mandatory Access Control configuration
CN109600395A (en) * 2019-01-23 2019-04-09 山东超越数控电子股份有限公司 A kind of device and implementation method of terminal network access control system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8514749B2 (en) * 2010-03-10 2013-08-20 Microsoft Corporation Routing requests for duplex applications

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant