CN111917736A - Network security management method, computing device and readable storage medium - Google Patents

Info

Publication number: CN111917736A
Application number: CN202010669140.3A
Authority: CN (China)
Other versions: CN111917736B (granted patent)
Original language: Chinese (zh)
Inventors: 肖受华, 杜树人
Assignee (original and current): Hainan Chezhiyi Communication Information Technology Co ltd
Legal status: granted; active
Prior art keywords: user terminal, security management, network, access information, management system

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
        • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
            • H04L63/101 Access control lists [ACL]
        • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
        • H04L61/50 Address allocation
            • H04L61/5007 Internet protocol [IP] addresses
                • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]

Abstract

The invention discloses a network security management method suitable for execution in a computing device, where the computing device is connected to a data storage device and a security management server and manages mobile terminals accessing a target network. The security management server acquires the network access information of each user terminal accessing the target network at intervals of a first predetermined time and stores the acquired network access information in the data storage device. The network security management method comprises the following steps: authenticating the network access information of a user terminal in the data storage device; if the authentication of the network access information fails, sending an authentication failure message to the user terminal and deleting the physical address corresponding to the user terminal from the allowed list of the address management server; and if the authentication succeeds, maintaining the state of the physical address corresponding to the user terminal in the allowed list so as to maintain the communication connection between the user terminal and the target network. The invention also discloses a corresponding computing device and a readable storage medium.

Description

Network security management method, computing device and readable storage medium
Technical Field
The present invention relates to the field of network security, and in particular, to a network security management method, a computing device, and a readable storage medium.
Background
Data security of the enterprise office network has become highly important. Existing office network access control is basically user identity verification based on domain authentication (AD) and certificate authentication (CA): after an employee authenticates with an Office Automation (OA) account and password, and after a certificate is issued by the enterprise's internal CA system, the user can access the internal network of the enterprise and its data. Data Leakage Protection (DLP) technology is therefore gradually becoming one of the most important security technologies on the market. However, after an enterprise deploys a DLP scheme, the terminal computers are held by the employees, who may not start the DLP client or may not use a company computer at all, or may even modify the computer at will and disable or delete the DLP client by killing its process, reinstalling the operating system, and so on. The DLP client then cannot operate normally, the company has no control at all, its restriction of which terminal devices may access the network exists in name only, and office network data still cannot be effectively protected.
Disclosure of Invention
To this end, the present invention provides a network security management method, a computing device and a readable storage medium in an attempt to solve or at least alleviate the problems presented above.
According to an aspect of the present invention, there is provided a network security management method adapted to be executed in a computing device, the computing device being adapted to manage mobile terminals accessing a target network and to connect to a data storage device and a security management server, the security management server acquiring the network access information of a user terminal accessing the target network at intervals of a first predetermined time and storing the acquired network access information in the data storage device. The method comprises: authenticating the network access information of the user terminal in the data storage device at intervals of a second predetermined time; if the authentication of the network access information fails, sending an authentication failure message to the user terminal and deleting the physical address corresponding to the user terminal from the allowed list of the address management server; and if the authentication succeeds, maintaining the state of the physical address corresponding to the user terminal in the allowed list so as to maintain the communication connection between the user terminal and the target network.
Optionally, in the network security management method according to the present invention, the security management server is installed with a server of the security management system, the user terminal is installed with a client of the security management system, and acquiring the network access information of the user terminal at each first predetermined time interval is implemented by a heartbeat mechanism between the server of the security management system and the client of the security management system.
Optionally, in the network security management method according to the present invention, the network access information includes a login terminal account, a host name, the communication time between the server side and the client of the security management system, a physical address, and the security management system version, and sending an authentication failure message to the user terminal if the network access information fails authentication includes: authenticating the login terminal account, the host name, the communication time between the server side and the client of the security management system, the physical address, and the security management system version in the network access information; and if any one item fails authentication, sending an authentication failure message carrying that item to the terminal.
Optionally, in the network security management method according to the present invention, the method further includes: adding the physical address information of the new user terminal into a white list when the new user terminal accesses a target network; adding the physical address information of the new user terminal into an allowed list of an address management server through a white list; after the new user terminal is connected to the target network, deleting the physical address information of the new user terminal from the white list; and pushing an installation program of the client of the security management system to the new user terminal so as to obtain the network access information of the new user terminal through the security management system at a later period.
Optionally, in the network security management method according to the present invention, the network access information corresponding to the physical address in the address management server permission list is authenticated according to the network access information of the user terminal in the data storage device at intervals of a third predetermined time, and the physical address that fails in authentication is removed from the permission list.
Optionally, in the network security management method according to the present invention, the security management system is a data leakage protection system.
Optionally, in the network security management method according to the present invention, the address management server is implemented by a DHCP.
Optionally, in the network security management method according to the present invention, the first predetermined time interval is 3 minutes.
According to still another aspect of the present invention, there is provided a network security management system, including: a security management server adapted to acquire the network access information of a user terminal accessing the target network at intervals of a first predetermined time, the security management server being installed with the server side of a security management system; a data storage device adapted to store the network access information of the user terminal; an authentication management server adapted to authenticate the network access information of the user terminal in the data storage device at intervals of a second predetermined time, to send an authentication failure message to the user terminal and delete the physical address corresponding to the user terminal from the allowed list of the address management server if the authentication of the network access information fails, and to maintain the state of the physical address corresponding to the user terminal in the allowed list if the authentication succeeds; and an address management server that manages the connection state of the user terminal to the target network according to whether the physical address of the user terminal is in the allowed list.
Optionally, the network security management system according to the present invention further includes a user terminal installed with the client of the security management system and adapted to provide network access information to the security management server through a heartbeat mechanism between the server side and the client of the security management system.
Optionally, in the network security management system according to the present invention, the network access information includes a login terminal account, a host name, the communication time between the server side and the client of the security management system, a physical address, and the security management system version, and the authentication management server is adapted, when sending an authentication failure message to the user terminal upon failed authentication, to: authenticate in sequence the login terminal account, the host name, the communication time between the server side and the client of the security management system, the physical address, and the security management system version in the network access information; and if any one item fails authentication, send an authentication failure message carrying that item to the terminal.
Optionally, in the network security management system according to the present invention, the authentication server is further adapted to, when a new user terminal accesses the target network: adding the physical address information of the new user terminal into a white list; adding the physical address information of the new user terminal into an allowed list of an address management server through a white list; after the new user terminal is connected to the target network, deleting the physical address information of the new user terminal from the white list; and pushing an installation program of the client of the security management system to the new user terminal so as to obtain the network access information of the new user terminal through the security management system at a later period.
Optionally, in the network security management system according to the present invention, the authentication server is adapted to authenticate the network access information corresponding to the physical address in the address management server permission list according to the network access information of the user terminal in the data storage device every third predetermined time interval, and remove the physical address that fails in authentication from the permission list.
According to yet another aspect of the invention, there is provided a computing device comprising: at least one processor; and a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, the program instructions comprising instructions for performing the network security management method described above.
According to still another aspect of the present invention, there is provided a readable storage medium storing program instructions that, when read and executed by a computing device, cause the computing device to execute the above-described network security management method.
According to the network security management method of the present invention, the network access information of each user terminal accessing the target network is authenticated at predetermined time intervals, the physical address of any user terminal that fails authentication is promptly deleted from the permission list of the address management server, and that terminal's network connection is thereby promptly disconnected. By dynamically maintaining the permission list of the address management server, the compliance and legitimacy of the terminals accessing the target network can be monitored in real time and illegitimate users can be disconnected in time, thereby achieving security management of access to company network data.
Because the network access information of the user terminal is acquired through the client of the security management system installed on the terminal, the problem of a user privately disabling or uninstalling that client is also addressed: if the client is disabled or uninstalled, the terminal's network access information can no longer be acquired normally, so the terminal is deleted from the permission list and finally cannot access the target network.
Drawings
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings, which are indicative of various ways in which the principles disclosed herein may be practiced, and all aspects and equivalents thereof are intended to be within the scope of the claimed subject matter. The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description read in conjunction with the accompanying drawings. Throughout this disclosure, like reference numerals generally refer to like parts or elements.
FIG. 1 shows a schematic diagram of a network security management system 100 according to one embodiment of the invention;
FIG. 2 illustrates a block diagram of a computing device 200, according to one embodiment of the invention;
FIG. 3 illustrates a flow diagram of a network security management method 300 according to one embodiment of the invention;
fig. 4 shows a flow diagram of a method 400 for a new user terminal to access a target network according to one embodiment of the invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Fig. 1 is a schematic diagram of a network security management system 100 according to an embodiment of the present invention. It includes a security management server 110, a data storage device 120, an authentication management server 130 and an address management server 140, which are communicatively connected to each other and jointly manage the access of a user terminal 150 that is to access a target network, so as to prevent data leakage from the target network.
It should be noted that the network security management system in fig. 1 is only an example. In a specific deployment, the security management server 110, the data storage device 120, the authentication management server 130 and the address management server 140 may be connected by wireless or wired links, and when the network is large, multiple servers may be deployed. The user terminal 150 that is to access the target network may connect wirelessly or by wire as the situation requires. The data storage device 120 may be a separate computing device with a communication function, or storage located in the security management server 110 or the authentication management server 130; the present invention does not limit how the data storage device 120 is deployed.
The server side of the security management system is installed on the security management server 110, and the client of the security management system is installed on the user terminal 150 that is to access the target network. The security management server 110 acquires the network access information of the user terminal through the heartbeat mechanism between the server side and the client of the security management system, so the interval at which the information is acquired is the interval at which heartbeat packets are exchanged between them. Consequently, the network access information of a user terminal on which the security management client is not running or not installed cannot be acquired.
The authentication management server 130 manages an allowed list of the address management server 140, authenticates the network access information of each user terminal in the data storage device 120 at intervals of a certain time, and deletes a physical address corresponding to a user terminal from the allowed list if the network access information authentication of the user fails, so that the user cannot acquire an IP address through the address management server and cannot connect to a target network; if the network access information of a certain user terminal is successfully authenticated, the physical address of the user terminal is added into the permission list, and if the physical address of the user terminal is already in the permission list, the state that the physical address of the user terminal is in the permission list is maintained, so that the connection between the user terminal and the target network is ensured.
The address management server 140 performs IP address allocation management according to the permission list, and if the physical address of a certain user terminal is not in the permission list, the user terminal cannot obtain an IP address, and thus cannot access the target network.
According to the security management scheme of the invention, a user terminal can access the target network only after its network access information has been authenticated, and that information is acquired through the heartbeat mechanism between the client and the server side of the security management system. If the user terminal uninstalls or disables the client of the security management system at will, it cannot pass the network access information authentication and so cannot access the target network. With this scheme an enterprise can protect its internal data, prevent any untrusted user terminal from maliciously accessing the enterprise network, and at the same time effectively prevent employees from uninstalling or disabling the security management system, so that the enterprise can monitor, through the security management system, how its employees operate on internal data.
Fig. 2 shows a block diagram of a computing device 200 according to an embodiment of the present invention. The security management server 110, the data storage device 120, the authentication management server 130 and the address management server 140 in the network security management system shown in fig. 1 can all be implemented by the computing device 200. It should be noted that the computing device 200 shown in fig. 2 is only an example; in practice, a computing device implementing the network security management method of the present invention may be any type of device, and its hardware configuration may be the same as or different from that of the computing device 200 shown in fig. 2. Such a computing device may add or remove hardware components relative to the computing device 200 shown in fig. 2, and the present invention does not limit its specific hardware configuration.
As shown in FIG. 2, in a basic configuration 202, a computing device 200 typically includes a system memory 206 and one or more processors 204. A memory bus 208 may be used for communication between the processor 204 and the system memory 206.
Depending on the desired configuration, the processor 204 may be any type of processor, including but not limited to: a microprocessor (μP), a microcontroller (μC), a Digital Signal Processor (DSP), or any combination thereof. The processor 204 may include one or more levels of cache, such as a level one cache 210 and a level two cache 212, a processor core 214, and registers 216. Example processor cores 214 may include Arithmetic Logic Units (ALUs), Floating Point Units (FPUs), digital signal processing cores (DSP cores), or any combination thereof. An example memory controller 218 may be used with the processor 204, or in some implementations the memory controller 218 may be an internal part of the processor 204.
Depending on the desired configuration, system memory 206 may be any type of memory, including but not limited to: volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof. The physical memory in the computing device is usually referred to as a volatile memory RAM, and data in the disk needs to be loaded into the physical memory to be read by the processor 204. System memory 206 may include an operating system 220, one or more applications 222, and program data 224. In some implementations, the application 222 can be arranged to execute instructions on the operating system with the program data 224 by the one or more processors 204. Operating system 220 may be, for example, Linux, Windows, or the like, which includes program instructions for handling basic system services and for performing hardware-dependent tasks. The application 222 includes program instructions for implementing various user-desired functions, and the application 222 may be, for example, but not limited to, a browser, instant messenger, a software development tool (e.g., an integrated development environment IDE, a compiler, etc.), and the like. When the application 222 is installed into the computing device 200, a driver module may be added to the operating system 220.
When the computing device 200 is started, the processor 204 reads program instructions of the operating system 220 from the memory 206 and executes them. Applications 222 run on top of operating system 220, utilizing the interface provided by operating system 220 and the underlying hardware to implement various user-desired functions. When the user starts the application 222, the application 222 is loaded into the memory 206, and the processor 204 reads the program instructions of the application 222 from the memory 206 and executes the program instructions.
Computing device 200 may also include an interface bus 240 that facilitates communication from various interface devices (e.g., output devices 242, peripheral interfaces 244, and communication devices 246) to the basic configuration 202 via the bus/interface controller 230. The example output device 242 includes a graphics processing unit 248 and an audio processing unit 250, which may be configured to facilitate communication with various external devices, such as a display or speakers, via one or more A/V ports 252. Example peripheral interfaces 244 can include a serial interface controller 254 and a parallel interface controller 256, which can be configured to facilitate communication with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device) or other peripherals (e.g., printer, scanner, etc.) via one or more I/O ports 258. An example communication device 246 may include a network controller 260, which may be arranged to facilitate communication with one or more other computing devices 262 over a network communication link via one or more communication ports 264.
A network communication link may be one example of a communication medium. Communication media may typically be embodied by computer readable instructions, data structures, program modules, and may include any information delivery media, such as carrier waves or other transport mechanisms, in a modulated data signal. A "modulated data signal" may be a signal that has one or more of its data set or its changes made in such a manner as to encode information in the signal. By way of non-limiting example, communication media may include wired media such as a wired network or private-wired network, and various wireless media such as acoustic, Radio Frequency (RF), microwave, Infrared (IR), or other wireless media. The term computer readable media as used herein may include both storage media and communication media.
In the computing device 200 according to the present invention, the application 222 includes instructions for performing the network security management method 300 of the present invention, which may instruct the processor 204 to perform the network security management method 300 of the present invention.
Fig. 3 shows a flow diagram of a network security management method 300 according to one embodiment of the invention. In step S310 the method 300 obtains the network access information of the user terminal; the information is obtained through the security management server 110, which is installed with the server side of the security management system, while the user terminal is installed with the client of the security management system. According to an embodiment of the present invention, the security management system is a Data Leakage Protection (DLP) system: the security management server runs the DLP server side, the user terminal runs the DLP client, and the security management server obtains the client's network access information through the heartbeat mechanism between the DLP server side and client. The network access information includes the login terminal account, the host name, the communication time between the server side and the client of the security management system, the physical address, and the security management system version, and the security management server stores or updates the obtained network access information in the data storage device 120.
According to an embodiment of the present invention, the network access information of each user in the data storage device can be represented as shown in table 1 below.
TABLE 1 (network access information of user terminals A to D: login terminal account, host name, communication time, physical address and security management system version; rendered as an image in the original and not reproduced here)
The security management server obtains the network access information of the user terminal through the heartbeat mechanism between the client and the server side of the security management system and stores it in the data storage device. If a record for that user terminal already exists in the data storage device, the record is updated; the record is stored or updated each time a heartbeat packet is received. The heartbeat packet interval is, for example, 1 minute.
Step S320 is executed every predetermined time, that is, the authentication management server authenticates the network access information of the user terminal, including the authentication of information such as the login terminal account, the host name, the communication time between the server and the client of the security management system, the physical address, and the security management system version. The predetermined time may be greater than the time interval of the heartbeat packet, and according to an embodiment of the present invention, the authentication of the network access information is performed every 3 minutes.
Continuing to take the user terminal in table 1 as an example, if all items in the network access information of the user terminal a are successfully authenticated, step S350 is performed to maintain the state of the physical address information 00-01-6C-06-a6-29 of the user terminal a in the permission list of the address management server.
The authentication management server finds that the login terminal account is abnormal when authenticating the network access information of the user terminal B, and proceeds to step S330 to send an authentication failure message that the login terminal account is abnormal to the user terminal B.
Step S340 is then performed to delete the physical address information of the user terminal B from the permission list of the address management server. Since the address management server only assigns addresses to the ues in the allowed list, the deleted ue B will not be able to acquire network addresses, and thus cannot access the target network.
Similarly, after the authentication of the security management system version in the network access information of the user terminal C fails, the authentication server sends an authentication failure message of the security management system version error to the user terminal C, and deletes the physical address information from the permission class table, which finally results in that the user terminal C cannot connect to the target network.
According to the data in table 1, the communication time between the server and the client of the security management system of the user terminal D exceeds the predetermined time, which indicates that the user terminal D has not sent the heartbeat packet to the security management server for a long time, and D may be a client that has privately disabled or uninstalled the security management service system, at this time, the authentication server will send an authentication failure message that the communication time between the server and the client of the security management system is overtime to the user terminal D, and delete its physical address information from the permission list, and the user terminal D cannot connect to the target network.
In this embodiment, after the authentication of the network access information, the physical address entry information in the permission list is changed from table 2 to table 3, and the physical address information of the user terminal B, C, D is deleted.
TABLES 2 and 3 (the tables are images in the original and their contents are not reproduced here)
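The authentication round of method 300 described above (steps S320 to S350), written out as an added example; this is not code from the patent or its applicant. The records for terminals A to D are constructed so that they produce the outcomes the description gives for Table 1 (B: abnormal login account, C: wrong client version, D: heartbeat timed out). The asset registry, the field names, the required client version and the 3-minute staleness threshold are assumptions; the five items are checked in the order the description lists them, and the first failing item is what the failure message carries.

```python
"""Periodic authentication of network access information (method 300, S320-S350).

Added example, not the patent's code. Registry, field names, REQUIRED_VERSION
and STALE_AFTER are assumptions; terminal records are constructed.
"""
import re
from datetime import datetime, timedelta

STALE_AFTER = timedelta(minutes=3)   # assumed: older heartbeat = "communication time overtime"
REQUIRED_VERSION = "2.1.0"           # assumed version the authentication requires
MAC_RE = re.compile(r"^[0-9A-F]{2}(-[0-9A-F]{2}){5}$")

# Authentication items, in the order the description (and claim 3) check them.
ITEMS = ("login terminal account", "host name",
         "communication time between server and client", "physical address",
         "security management system version")

NOW = datetime(2020, 7, 13, 10, 0, 0)  # fixed clock so the example is deterministic

# Constructed registry of what the network management department expects per
# terminal. Terminal A's address is the one given in the description (case normalised).
REGISTRY = {
    "00-01-6C-06-A6-29": {"account": "alice", "hostname": "PC-A"},
    "00-01-6C-06-A6-2A": {"account": "bob", "hostname": "PC-B"},
    "00-01-6C-06-A6-2B": {"account": "carol", "hostname": "PC-C"},
    "00-01-6C-06-A6-2C": {"account": "dave", "hostname": "PC-D"},
}


def record_heartbeat(records, mac, account, hostname, version, received_at):
    """Security management server side: store or update the terminal's record
    on every heartbeat received from the client."""
    records[mac.upper()] = {"account": account, "hostname": hostname,
                            "version": version, "last_heartbeat": received_at}


def build_sample_records():
    """Constructed data-storage-device contents mirroring Table 1's outcomes."""
    records = {}
    record_heartbeat(records, "00-01-6C-06-a6-29", "alice", "PC-A", "2.1.0", NOW - timedelta(seconds=40))
    record_heartbeat(records, "00-01-6C-06-A6-2A", "mallory", "PC-B", "2.1.0", NOW - timedelta(seconds=55))  # B: account is not the registered one
    record_heartbeat(records, "00-01-6C-06-A6-2B", "carol", "PC-C", "1.9.0", NOW - timedelta(seconds=20))    # C: outdated client version
    record_heartbeat(records, "00-01-6C-06-A6-2C", "dave", "PC-D", "2.1.0", NOW - timedelta(minutes=45))     # D: client silent for 45 minutes
    return records


def authenticate(mac, rec, now=NOW):
    """Check the five items in order; return None on success, otherwise the
    name of the first failing item (carried in the failure message)."""
    expected = REGISTRY.get(mac, {})
    if rec["account"] != expected.get("account"):
        return ITEMS[0]
    if rec["hostname"] != expected.get("hostname"):
        return ITEMS[1]
    if now - rec["last_heartbeat"] > STALE_AFTER:
        return ITEMS[2]
    if not MAC_RE.match(mac):
        return ITEMS[3]
    if rec["version"] != REQUIRED_VERSION:
        return ITEMS[4]
    return None


def run_authentication(records, allow_list, now=NOW):
    """One execution of step S320 over every stored record. A failure produces
    a message for the terminal (S330) and removes its physical address from the
    address management server's allow list (S340); a success keeps or restores
    the address in the list (S350). Returns {mac: failure message}."""
    failures = {}
    for mac, rec in records.items():
        item = authenticate(mac, rec, now)
        if item is None:
            allow_list.add(mac)
        else:
            failures[mac] = f"authentication failed: {item}"
            allow_list.discard(mac)
    return failures


def example():
    """Run one round over the constructed records; all four terminals start in
    the allow list, as in Table 2."""
    records = build_sample_records()
    allow_list = set(REGISTRY)
    failures = run_authentication(records, allow_list, NOW)
    return allow_list, failures


if __name__ == "__main__":
    allow, failed = example()
    print("allow list:", sorted(allow))
    for mac, msg in failed.items():
        print(mac, "->", msg)
```

Note that terminal D is detected purely by the age of its record: a client that has been disabled or uninstalled simply stops writing heartbeats, so the staleness threshold (not the absence of a record) is what turns a silent client into a permission-list deletion.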
A flow diagram of a process 400 for a new user terminal to join a target network, in accordance with one embodiment of the present invention, is shown in Fig. 4. The process starts in step S410, in which the physical address information of the user terminal is added to a white list; the physical addresses in the white list are synchronized directly to the allowed list of the address management server, without authentication of the network access information.
Taking user terminal C in Table 1 as an example: because the physical address of user terminal C has been deleted from the permission list, in order to access the target network again, user terminal C is added to the white list once the corresponding network management department personnel have verified that it is safe for network access.
Then, in step S420, the physical address is added through the white list to the allowed list of the address management server; at this point the address management server may allocate an available network address to user terminal C. After user terminal C successfully accesses the network, the process proceeds to step S430, in which the installation file of the security management system client pushed by the authentication server is received and the installation is completed.
Step S440 is then performed to delete user terminal C from the white list.
At this time user terminal C has installed a security management system version meeting the authentication requirement, and security management authentication then proceeds through method 300: the network access information in the data storage device is updated through the heartbeat packets between the client and the server of the security management system, authentication of the network access information by the authentication server is awaited, and if authentication succeeds the physical address of C is added to the permission list of the address management server, ensuring a normal connection between C and the target network. For the detailed steps, refer to the steps of method 300.
In addition, in the network security management method of the present invention, the permission list of the address management server is checked at regular intervals against the network access information of the user terminals in the data storage device, and physical addresses that fail authentication are removed from the permission list. This corrects cases in which the permission list was not updated during the authentication process of method 300, for example because a temporary message was lost, and primarily prevents a user terminal that failed authentication from continuing to access the target network normally. Because such situations are rare, according to an embodiment of the present invention this process can be executed once every 24 hours.
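The onboarding process 400 (steps S410 to S440) and the periodic allow-list check just described, as an added example that is not the patent's code; it also renders the allow list as ISC dhcpd configuration, since in one embodiment (A7) the address management server is implemented by DHCP. The AddressManager class, the first heartbeat record written at installation, the exemption of white-listed addresses from the periodic check, the 3-minute staleness threshold and the subnet values in the dhcpd rendering are assumptions; the periodic check here only looks at a record's presence and communication time, whereas method 300 authenticates all five items.

```python
"""Onboarding through the white list (process 400), periodic allow-list check,
and rendering the allow list for a DHCP-based address management server (A7).

Added example, not the patent's code. AddressManager, STALE_AFTER, the
white-list exemption in the check and the dhcpd subnet values are assumptions.
"""
from datetime import datetime, timedelta

STALE_AFTER = timedelta(minutes=3)  # assumed: no heartbeat for longer than this = timed out


class AddressManager:
    """Address management server: a terminal receives a network address only if
    its physical address is in allow_list. white_list holds addresses that are
    synchronised into allow_list without authentication (steps S410/S420)."""

    def __init__(self):
        self.allow_list = set()
        self.white_list = set()

    def sync_white_list(self):
        """S420: every white-listed physical address is placed in the allow list."""
        self.allow_list |= self.white_list

    def can_assign_address(self, mac):
        return mac in self.allow_list

    def render_dhcpd(self, subnet="10.0.0.0", netmask="255.255.255.0",
                     first="10.0.0.100", last="10.0.0.200"):
        """Render the allow list as ISC dhcpd configuration: the subnet denies
        unknown clients, so only physical addresses with a host declaration
        receive a lease from the pool (subnet values are constructed)."""
        lines = [f"subnet {subnet} netmask {netmask} {{",
                 f"    range {first} {last};",
                 "    deny unknown-clients;",
                 "}"]
        for i, mac in enumerate(sorted(self.allow_list)):
            lines += [f"host allowed{i} {{",
                      f"    hardware ethernet {mac.replace('-', ':').lower()};",
                      "}"]
        return "\n".join(lines) + "\n"


def onboard_new_terminal(am, records, mac, account, hostname, version, now):
    """Process 400 for one terminal. Returns the steps taken, in order."""
    steps = []
    am.white_list.add(mac)                       # S410
    steps.append("S410 added to white list")
    am.sync_white_list()                         # S420
    steps.append("S420 synchronised to allow list")
    if not am.can_assign_address(mac):
        raise RuntimeError("white list was not synchronised")
    # S430: the terminal connects and installs the pushed client; its first
    # heartbeat creates the record in the data storage device (assumption).
    records[mac] = {"account": account, "hostname": hostname,
                    "version": version, "last_heartbeat": now}
    steps.append("S430 client installed, first heartbeat stored")
    am.white_list.discard(mac)                   # S440
    steps.append("S440 removed from white list")
    return steps


def reconcile_allow_list(am, records, now):
    """The periodic check of the allow list. It walks the allow list rather than
    the data store, so a physical address whose deletion message was lost, or
    that has no record at all, is still removed. Returns the removed addresses."""
    removed = set()
    for mac in list(am.allow_list):
        if mac in am.white_list:   # assumption: still being onboarded, leave alone
            continue
        rec = records.get(mac)
        if rec is None or now - rec["last_heartbeat"] > STALE_AFTER:
            am.allow_list.discard(mac)
            removed.add(mac)
    return removed


def example():
    now = datetime(2020, 7, 13, 12, 0, 0)
    am, records = AddressManager(), {}
    mac_c = "00-01-6C-06-A6-2B"   # constructed address standing in for terminal C
    steps = onboard_new_terminal(am, records, mac_c, "carol", "PC-C", "2.1.0", now)
    # A constructed address that should have been deleted earlier, but whose
    # deletion never reached the address management server.
    am.allow_list.add("00-01-6C-06-A6-2C")
    removed = reconcile_allow_list(am, records, now + timedelta(seconds=30))
    return am, steps, removed


if __name__ == "__main__":
    am, steps, removed = example()
    print("\n".join(steps))
    print("removed by reconciliation:", sorted(removed))
    print(am.render_dhcpd())
```

The point of walking the allow list instead of the data store is that an address with no record at all (the failure mode the description attributes to lost messages) can only be noticed from the allow-list side. The white-list window between S410 and S440 is the one period in which an address is on the network without any record behind it, so keeping that window short matters.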
According to the network security management method, the network access information of user terminals accessing the target network is authenticated at preset time intervals, the physical address of any user terminal that fails authentication is promptly deleted from the permission list of the address management server, and that terminal's network connection is thereby promptly disconnected. By dynamically maintaining the permission list of the address management server, the compliance and legitimacy of terminals accessing the target network can be monitored in real time and the network connections of illegal users disconnected in time, thereby achieving security management of access to company network data.
Because the network access information of the user terminal is acquired through the security management service client installed in the terminal, the method also counters a user terminal privately deactivating or uninstalling that client: if the client is deactivated or uninstalled, the user terminal's network access information can no longer be acquired normally, so the user terminal is deleted from the permission list and ultimately cannot access the target network.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the method and apparatus of the invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as removable hard disks, USB flash drives, floppy disks, CD-ROMs, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. The memory is configured to store program code, and the processor is configured to execute the network security management method of the present invention according to the instructions in the program code stored in the memory.
By way of example, and not limitation, readable media may comprise readable storage media and communication media. Readable storage media store information such as computer readable instructions, data structures, program modules or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
In the description provided herein, algorithms and displays are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with examples of this invention. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
It should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment or alternatively may be located in one or more devices different from the devices in this example. The modules in the foregoing examples may be combined into one module or may be further divided into multiple sub-modules.
The invention also includes:
A7. The method of any one of A1-A6, wherein the address management server is implemented by DHCP.
A8. The method of any one of A1-A7, wherein the first predetermined time interval is 3 minutes.
B11. The security management system according to B9 or B10, wherein the network access information includes a login terminal account, a host name, the communication time between the server and the client of the security management system, a physical address, and the security management system version, and wherein the authentication management server, when sending an authentication failure message to the user terminal if the network access information fails authentication, is adapted to:
sequentially authenticating a login terminal account, a host name, communication time between a server side and a client side of the security management system, a physical address and a security management system version in the network access information;
and if any item of information fails to be authenticated, sending an authentication failure message carrying the item of information to the terminal.
B12. The security management system according to any one of B9-B11, wherein the authentication server is further adapted to, when a new user terminal accesses a target network:
adding the physical address information of the new user terminal into a white list;
adding the physical address information of the new user terminal into an allowed list of an address management server through the white list;
after the new user terminal is connected to a target network, deleting the physical address information of the new user terminal from a white list;
and pushing an installation program of the client of the security management system to the new user terminal so as to obtain the network access information of the new user terminal through the security management system at a later period.
B13. The security management system according to any one of B9-B12, wherein the authentication server is adapted to authenticate, every third predetermined time interval, the network access information corresponding to the physical addresses in the address management server permission list according to the network access information of the user terminals in the data storage device, and to remove any physical address that fails authentication from the permission list.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Furthermore, some of the described embodiments are described herein as a method or combination of method elements that can be performed by a processor of a computer system or by other means of performing the described functions. A processor having the necessary instructions for carrying out the method or method elements thus forms a means for carrying out the method or method elements. Further, the elements of the apparatus embodiments described herein are examples of the following apparatus: the apparatus is used to implement the functions performed by the elements for the purpose of carrying out the invention.
As used herein, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object, merely indicate that different instances of like objects are being referred to, and are not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention has been disclosed in an illustrative rather than a restrictive sense, and the scope of the present invention is defined by the appended claims.

Claims (10)

1. A network security management method adapted to be executed in a computing device adapted to manage a mobile terminal accessing a target network, the computing device connecting a data storage device and a security management server, the security management server acquiring network access information of a user terminal accessing the target network at intervals of a first predetermined time and storing the acquired network access information in the data storage device, wherein the method comprises:
authenticating the network access information of the user terminal in the data storage equipment every second preset time;
if the authentication of the network access information fails, sending an authentication failure message to the user terminal, and deleting a physical address corresponding to the user terminal from an allowed list of an address management server;
and if the authentication is successful, maintaining the state of the physical address corresponding to the user terminal in an allowed list so as to maintain the communication connection between the user terminal and the target network.
2. The method of claim 1, wherein the security management server is installed with a server of a security management system, the user terminal is installed with a client of the security management system, and the obtaining of the network access information of the user terminal at each first predetermined time interval is achieved through a heartbeat mechanism between the server of the security management system and the client of the security management system.
3. The method of claim 1 or 2, wherein the network access information comprises a login terminal account, a host name, communication time between a server and a client of a security management system, a physical address, and a security management system version, and if the network access information fails to be authenticated, the sending of the authentication failure message to the user terminal comprises:
authenticating a login terminal account, a host name, communication time between a server side and a client side of the security management system, a physical address and a security management system version in the network access information;
and if any item of information fails to be authenticated, sending an authentication failure message carrying the item of information to the terminal.
4. The method of any of claims 1-3, further comprising:
adding physical address information of a new user terminal into a white list when the new user terminal accesses a target network;
adding the physical address information of the new user terminal into an allowed list of an address management server through the white list;
after the new user terminal is connected to a target network, deleting the physical address information of the new user terminal from a white list;
and pushing an installation program of the client of the security management system to the new user terminal so as to obtain the network access information of the new user terminal through the security management system at a later period.
5. The method of any of claims 1-4, further comprising:
and authenticating the network access information corresponding to the physical address in the address management server permission list according to the network access information of the user terminal in the data storage device every third preset time, and removing the physical address failed in authentication from the permission list.
6. The method of any one of claims 2-5, wherein the security management system is a data leakage prevention system.
7. A network security management system, comprising:
a security management server and a network access control server, wherein the security management server is adapted to acquire the network access information of a user terminal accessing the target network at intervals of a first predetermined time, and is provided with a server side of a security management system;
the data storage equipment is suitable for storing the network access information of the user terminal;
the authentication management server is suitable for authenticating the network access information of the user terminal in the data storage equipment at intervals of second preset time, sending an authentication failure message to the user terminal if the network access information authentication fails, deleting the physical address corresponding to the user terminal from an allowed list of the address management server, and maintaining the state of the physical address corresponding to the user terminal in the allowed list if the authentication succeeds;
and the address management server manages the state of the user terminal connected with the target network according to the physical address of the user terminal in the permission list.
8. The security management system of claim 7, further comprising:
a user terminal, wherein the user terminal is provided with a client of the security management system and is adapted to provide network access information to the security management server through a heartbeat mechanism between the client of the security management system and the server of the security management system.
9. A computing device, comprising:
at least one processor; and
a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, the program instructions comprising instructions for performing the method of any of claims 1-6.
10. A readable storage medium storing program instructions that, when read and executed by a computing device, cause the computing device to perform the method of any of claims 1-6.
CN202010669140.3A 2020-07-13 2020-07-13 Network security management method, computing device and readable storage medium Active CN111917736B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010669140.3A CN111917736B (en) 2020-07-13 2020-07-13 Network security management method, computing device and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010669140.3A CN111917736B (en) 2020-07-13 2020-07-13 Network security management method, computing device and readable storage medium

Publications (2)

Publication Number Publication Date
CN111917736A true CN111917736A (en) 2020-11-10
CN111917736B CN111917736B (en) 2023-04-18

Family

ID=73227053

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010669140.3A Active CN111917736B (en) 2020-07-13 2020-07-13 Network security management method, computing device and readable storage medium

Country Status (1)

Country Link
CN (1) CN111917736B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101909059A (en) * 2010-07-30 2010-12-08 北京星网锐捷网络技术有限公司 Method and system for deleting residual client information and authentication server
CN102271133A (en) * 2011-08-11 2011-12-07 北京星网锐捷网络技术有限公司 Authentication method, device and system
WO2014189262A1 (en) * 2013-05-24 2014-11-27 Strix Inc. User terminal authentication method of access point apparatus
CN108881308A (en) * 2018-08-09 2018-11-23 下代互联网重大应用技术(北京)工程研究中心有限公司 A kind of user terminal and its authentication method, system, medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114339489A (en) * 2021-12-28 2022-04-12 深圳创维数字技术有限公司 Method, device and medium for terminal to complete server authentication in PON system
CN114339489B (en) * 2021-12-28 2023-11-21 深圳创维数字技术有限公司 Method, equipment and medium for terminal to finish server authentication in PON system

Also Published As

Publication number Publication date
CN111917736B (en) 2023-04-18

Similar Documents

Publication Publication Date Title
USRE49585E1 (en) Certificate based profile confirmation
US8566571B2 (en) Pre-boot securing of operating system (OS) for endpoint evaluation
US8359464B2 (en) Quarantine method and system
US10187386B2 (en) Native enrollment of mobile devices
US9916446B2 (en) Anonymized application scanning for mobile devices
US20200329032A1 (en) Secure gateway onboarding via mobile devices for internet of things device management
US9917862B2 (en) Integrated application scanning and mobile enterprise computing management system
US10778666B2 (en) Co-existence of management applications and multiple user device management
WO2019134234A1 (en) Rooting-prevention log-in method, device, terminal apparatus, and storage medium
CN112118269A (en) Identity authentication method, system, computing equipment and readable storage medium
CN111917736B (en) Network security management method, computing device and readable storage medium
US11868476B2 (en) Boot-specific key access in a virtual device platform
JP3851263B2 (en) Preventing recurrence of multiple system outages
CN117931515A (en) Techniques for instance persistence data across cloud shells
JP2006324994A (en) Network access control system
US11153320B2 (en) Invariant detection using distributed ledgers
JP2020072368A (en) Whitelist management device, whitelist management method, and program
CN114491663A (en) Method and device for obtaining evidence of website server
CN115879106A (en) Method and device for managing and controlling mobile storage equipment
JP2011113294A (en) Terminal management system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant