CN112003862A - Terminal safety protection method, device, system and storage medium - Google Patents

Terminal safety protection method, device, system and storage medium

Info

Publication number: CN112003862A
Authority: CN (China)
Prior art keywords: terminal, information, security scanning, security, access
Legal status: Granted
Application number: CN202010860336.0A
Other languages: Chinese (zh)
Other versions: CN112003862B (en)
Inventor: 宗润
Current Assignee: Maipu Communication Technology Co Ltd
Original Assignee: Maipu Communication Technology Co Ltd

Events
Application filed by Maipu Communication Technology Co Ltd
Priority to CN202010860336.0A
Publication of CN112003862A
Application granted
Publication of CN112003862B
Legal status: Active

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L 41/02 Standardisation; Integration
              • H04L 41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
            • H04L 41/14 Network analysis or design
          • H04L 61/00 Network arrangements, protocols or services for addressing or naming
            • H04L 61/09 Mapping addresses
              • H04L 61/10 Mapping addresses of different types
                • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
              • H04L 61/25 Mapping addresses of the same type
                • H04L 61/2503 Translation of Internet protocol [IP] addresses
                  • H04L 61/255 Maintenance or indexing of mapping tables
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/08 Network security for authentication of entities
              • H04L 63/0892 Authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
            • H04L 63/14 Network security for detecting or protecting against malicious traffic
              • H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
                • H04L 63/1425 Traffic logging, e.g. anomaly detection
              • H04L 63/1433 Vulnerability analysis
              • H04L 63/1441 Countermeasures against malicious traffic
                • H04L 63/145 Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
                • H04L 63/1458 Denial of Service
          • H04L 2101/00 Indexing scheme associated with group H04L 61/00
            • H04L 2101/60 Types of network addresses
              • H04L 2101/618 Details of network addresses
                • H04L 2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
      • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
        • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
          • Y02D 30/00 Reducing energy consumption in communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides a terminal security protection method, device, system and storage medium, and relates to the technical field of network security. The system comprises a controller and an access device, and the method, applied to the controller, comprises the following steps: acquiring terminal information of a terminal; sending a security scanning task to the access device based on the terminal information; the access device performing security scanning on the terminal based on the security scanning task to obtain a security scanning result of the terminal; generating protection configuration information based on the security scanning result and sending it to the access device; and performing protection configuration on the access device based on the protection configuration information. In this method, terminal discovery by the controller is coordinated with the access device, which performs edge-distributed scanning to discover and monitor terminal risk, so that real-time protection at the point where risk enters the network is realized and the security of terminal protection is improved.

Description

Terminal safety protection method, device, system and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a system, and a storage medium for protecting terminal security.
Background
In local area networks such as various parks and office buildings, a large number of terminals exist, the types of the terminals are various, the terminals change frequently, and the safety conditions of the terminals are unknown, so that the whole network is exposed to huge risks, and administrators need to identify and protect the safety threats of the terminals besides limiting the access permissions of the terminals.
The traditional method for protecting local area network terminals is strict admission control: before a terminal is allowed onto the network it must pass a series of steps such as installing system vulnerability patches, installing and updating antivirus software, forced virus scanning and terminal vulnerability scanning. This is workable for offices whose personnel and terminals are relatively fixed, but it suffers from complex management, strict condition limits, loopholes in the process, untimely risk discovery and the like, and is essentially unworkable where personnel and terminals change frequently, which leaves the multi-terminal local area network with low security.
Disclosure of Invention
In view of this, an object of the embodiments of the present application is to provide a method, an apparatus, a system and a storage medium for terminal security protection, so as to solve the problem of low security of a multi-terminal local area network caused by tedious management, untimely risk discovery and the like in the prior art.
The embodiment of the application provides a terminal safety protection method, which is applied to a controller in a terminal safety protection system, wherein the terminal safety protection system comprises a controller and access equipment, the access equipment is respectively connected with the controller and a plurality of terminals, and the method comprises the following steps: acquiring terminal information of the terminal; sending a security scanning task to the access equipment based on the terminal information; the access equipment performs security scanning on the terminal based on the security scanning task to obtain a security scanning result of the terminal; generating protection configuration information based on the security scanning result, and sending the protection configuration information to the access device; and performing protection configuration on the access equipment based on the protection configuration information.
In this implementation, the controller automatically discovers and updates the terminals in the network, which improves the real-time performance of security protection for the network where the terminals are located. The terminal does not need to install log collection tools or perform related configuration, and terminal information can be collected without the terminal generating any behaviour, so that security scanning and protection configuration can proceed; this improves the efficiency and applicability of terminal security protection. Further, scanning through the access device directly avoids the cost of the servers on which scanning software would otherwise have to be installed, improves scanning performance, reduces the traffic impact of scanning messages in the network, and solves the problem that the scanning software and the terminal network are often not reachable from each other.
Optionally, the acquiring the terminal information of the terminal includes: acquiring equipment information of all equipment in a network where the terminal safety protection system is located based on a link layer discovery protocol, wherein the equipment information comprises the connection relation between all the equipment and the access equipment; and acquiring the forwarding database table information and the address resolution protocol table information of all the equipment based on the equipment information, and acquiring the terminal information based on the forwarding database table information and the address resolution protocol table information.
In this implementation, device information that determines the network topology is acquired based on the link layer discovery protocol, and the terminal information can then be acquired in real time from the forwarding database table information and address resolution protocol table information of all the devices, so that the real-time performance and the degree of automation of terminal information acquisition are ensured.
Optionally, the method further comprises: receiving the change information of the forwarding database table and the change information of the address resolution protocol table reported by the terminal; and updating the terminal information of the terminal based on the change information of the forwarding database table and the change information of the address resolution protocol table.
In the implementation mode, the change information of the forwarding database table and the change information of the address resolution protocol table reported by the terminal keep updating the terminal information in real time in the safety protection process, so that the real-time performance of safety protection configuration is further improved, and the safety of the terminal and the network is improved.
Optionally, the sending a security scanning task to the access device based on the terminal information includes: generating the security scanning task based on the terminal information, wherein the security scanning task comprises at least one of an internet protocol address, a media access control address and access port information of the terminal; and sending the security scanning task to the access equipment through a specified protocol, wherein the specified protocol comprises a simple network management protocol and a network configuration protocol.
In the implementation mode, the controller generates a security scanning task to be executed by the access device based on the terminal information, and the security scanning task includes an internet protocol address, a media access control address, access port information and the like of the terminal which needs to be subjected to security scanning, so that the accuracy of security scanning is improved.
Optionally, the performing, by the access device, of security scanning on the terminal based on the security scanning task includes: controlling the access device to start the specified security scanning software based on the security scanning task; and controlling the access device to perform, through the security scanning software, security scanning on the terminal via the terminal's access interface identified by the access port information.
In this implementation, when the terminal is security-scanned through the access device based on the access port information, no adaptation of the terminal is required, so the method is universal and easier to implement.
Optionally, the generating protection configuration information based on the security scanning result and sending the protection configuration information to the access device includes: analyzing the safety scanning result based on a safety feature library to obtain risk list information; generating the protection configuration information based on the risk list information and a protection policy; and sending the protection configuration information to the access equipment through a specified protocol, wherein the specified protocol comprises a simple network management protocol and a network configuration protocol.
In the implementation mode, the protection configuration information is obtained through the security feature library and the security scanning result, and the security of the security protection is improved.
Optionally, all the devices are configured with a simple network management protocol or a network configuration protocol.
In this implementation, a terminal and the devices related to it can cooperate with the controller for automatic discovery and data updating as long as they support a simple network management protocol or a network configuration protocol; no other complex scanning or upload tool needs to be fitted on the terminal, so that the real-time performance and simplicity of terminal data acquisition are improved.
The embodiment of the application further provides a terminal safety protection device, which is applied to a controller in a terminal safety protection system, the terminal safety protection system further comprises an access device, the access device is respectively connected with the controller and a plurality of terminals, and the controller comprises: the terminal information acquisition module is used for acquiring the terminal information of the terminal; a security scanning task sending module, configured to send a security scanning task to the access device based on the terminal information; the security scanning module is used for carrying out security scanning on the terminal through the access equipment based on the security scanning task to obtain a security scanning result of the terminal; a protection configuration sending module, configured to generate protection configuration information based on the security scanning result and send the protection configuration information to the access device; and the configuration module is used for carrying out protection configuration on the access equipment based on the protection configuration information.
In this implementation, the controller automatically discovers and updates the terminals in the network, which improves the real-time performance of security protection for the network where the terminals are located. The terminal does not need to install log collection tools or perform related configuration, and terminal information can be collected without the terminal generating any behaviour, so that security scanning and protection configuration can proceed; this improves the efficiency and applicability of terminal security protection. Further, scanning through the access device directly avoids the cost of the servers on which scanning software would otherwise have to be installed, improves scanning performance, reduces the traffic impact of scanning messages in the network, and solves the problem that the scanning software and the terminal network are often not reachable from each other.
Optionally, the terminal information obtaining module is specifically configured to: acquiring equipment information of all equipment in a network where the terminal safety protection system is located based on a link layer discovery protocol, wherein the equipment information comprises the connection relation between all the equipment and the access equipment; and acquiring the forwarding database table information and the address resolution protocol table information of all the equipment based on the equipment information, and acquiring the terminal information based on the forwarding database table information and the address resolution protocol table information.
In this implementation, device information that determines the network topology is acquired based on the link layer discovery protocol, and the terminal information can then be acquired in real time from the forwarding database table information and address resolution protocol table information of all the devices, so that the real-time performance and the degree of automation of terminal information acquisition are ensured.
Optionally, the terminal information obtaining module is specifically configured to: receiving the change information of the forwarding database table and the change information of the address resolution protocol table reported by the terminal; and updating the terminal information of the terminal based on the change information of the forwarding database table and the change information of the address resolution protocol table.
In the implementation mode, the change information of the forwarding database table and the change information of the address resolution protocol table reported by the terminal keep updating the terminal information in real time in the safety protection process, so that the real-time performance of safety protection configuration is further improved, and the safety of the terminal and the network is improved.
Optionally, the security scanning task sending module is specifically configured to: generating the security scanning task based on the terminal information, wherein the security scanning task comprises at least one of an internet protocol address, a media access control address and access port information of the terminal; and sending the security scanning task to the access equipment through a specified protocol, wherein the specified protocol comprises a simple network management protocol and a network configuration protocol.
In the implementation mode, the controller generates a security scanning task to be executed by the access device based on the terminal information, and the security scanning task includes an internet protocol address, a media access control address, access port information and the like of the terminal which needs to be subjected to security scanning, so that the accuracy of security scanning is improved.
Optionally, the security scanning module is specifically configured to: control the access device to start the specified security scanning software based on the security scanning task; and control the access device to perform, through the security scanning software, security scanning on the terminal via the terminal's access interface identified by the access port information.
In this implementation, when the terminal is security-scanned through the access device based on the access port information, no adaptation of the terminal is required, so the method is universal and easier to implement.
Optionally, the guard configuration sending module is specifically configured to: analyzing the safety scanning result based on a safety feature library to obtain risk list information; generating the protection configuration information based on the risk list information and a protection policy; and sending the protection configuration information to the access equipment through a specified protocol, wherein the specified protocol comprises a simple network management protocol and a network configuration protocol.
In the implementation mode, the protection configuration information is obtained through the security feature library and the security scanning result, and the security of the security protection is improved.
Optionally, all the devices are configured with a simple network management protocol or a network configuration protocol.
In this implementation, a terminal and the devices related to it can cooperate with the controller to realize automatic discovery and data updating of the terminal as long as they support a simple network management protocol or a network configuration protocol; no other complex scanning or upload tool needs to be fitted on the terminal, so that the real-time performance and simplicity of terminal data acquisition are improved.
The embodiment of the application also provides a terminal safety protection system, which comprises a controller and access equipment, wherein the access equipment is respectively connected with the controller and a plurality of terminals; the controller is used for acquiring terminal information of the terminal; the controller is used for sending a security scanning task to the access equipment based on the terminal information; the access device is used for carrying out security scanning on the terminal based on the security scanning task to obtain a security scanning result of the terminal; the controller is configured to generate protection configuration information based on the security scanning result and send the protection configuration information to the access device; the access device is further configured to perform protection configuration based on the protection configuration information.
The embodiment of the present application further provides a readable storage medium, in which computer program instructions are stored, and the computer program instructions are read by a processor and executed to perform the steps in any of the above implementation manners.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic connection diagram of a terminal security protection system according to an embodiment of the present application.
Fig. 2 is a schematic flowchart of a terminal security protection method according to an embodiment of the present application.
Fig. 3 is a schematic flow chart of security analysis according to an embodiment of the present application.
Fig. 4 is a schematic block diagram of a terminal safety protection device according to an embodiment of the present disclosure.
Icon: 10-terminal security protection system; 11-terminal discovery device; 12-security protection device; 13-access device; 30-terminal security protection device; 31-terminal information acquisition module; 32-security scanning task sending module; 33-security scanning module; 34-protection configuration sending module; 35-configuration module.
Detailed Description
The technical solution in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
The applicant has found that the existing terminal security protection method relies on strict admission control, allowing access only after a series of steps such as installing system vulnerability patches, installing and updating antivirus software, forced virus scanning and terminal vulnerability scanning before the terminal joins the network; it therefore suffers from complex management, severe condition limits, loopholes in the process, untimely risk discovery and the like, and is essentially unworkable where personnel and terminals change frequently. Further, for security scanning and security configuration, the prior art generally collects and stores terminal logs and firewall logs; an administrator then triggers the system to analyse and identify the collected logs with a retrieval instruction, and performs further comprehensive analysis of the result to find and handle abnormal terminal behaviour. In that approach the terminal itself must support log collection by the system, for example by installing a collection tool in advance, and the traffic between terminals in the local area network must pass through a firewall for firewall logs to be available for analysis; risk analysis is triggered only when an administrator actively issues a retrieval instruction at the front end, so real-time performance is poor; and the method depends on deep administrator involvement, requiring comprehensive analysis capability and the ability to handle threats, while the administrator's skill also affects the misjudgement rate of security problems.
In order to solve the above problem, the embodiment of the present application provides a terminal security protection method applied to a controller in a terminal security protection system 10.
Referring to fig. 1, fig. 1 is a schematic connection diagram of a terminal security protection system according to an embodiment of the present disclosure.
The terminal security protection system 10 includes a controller, composed of a terminal discovery device 11 and a security protection device 12, and an access device 13. The access device 13 is connected to the terminal discovery device 11, the security protection device 12 and the terminals, respectively.
Optionally, the terminal in this embodiment refers in particular to an office PC (Personal Computer), a notebook Computer, a smart phone, a projector, a telephone, a printer, a server, and the like, and for the universality of the terminal security protection method in this embodiment, the scheme does not require any adaptation of the terminal except for the basic communication configuration.
The terminal discovery device 11 may be any electronic device provided with device discovery software and terminal discovery software in the present embodiment.
The device discovery software discovers devices and topology information in the network according to protocols such as the Link Layer Discovery Protocol (LLDP) of the devices. The terminal discovery software acquires the Media Access Control (MAC) address, terminal type, Internet Protocol (IP) address, access location (access device and access port) and similar information of each terminal by collecting the Forwarding DataBase (FDB) tables and Address Resolution Protocol (ARP) tables of all the devices, and receives the change information of the FDB tables and ARP tables that the devices actively report.
The Link Layer Discovery Protocol (LLDP) is a vendor-independent layer-2 protocol that allows network devices to advertise their identity and capabilities on the local subnet, providing a standard link layer discovery approach. LLDP lets a device joining the network send information such as its main capabilities, management address, device ID and interface ID to other devices on the same LAN; when a device receives such information from other devices, it stores it in the form of a Management Information Base (MIB). Therefore, in this embodiment, LLDP is used to obtain the device information.
The access device 13 receives MAC address information from all of its ports, builds a MAC address table and maintains it. When the access device 13 receives a data frame, it decides whether to filter or forward the frame according to its own MAC address table; this maintained MAC address table is the FDB table.
The Address Resolution Protocol (ARP) is a TCP/IP protocol for obtaining a physical address from an IP address. When the terminal discovery software sends information, it broadcasts an ARP request containing the target IP address to all terminals on the local area network and receives the reply, thereby determining the physical address of the target terminal; after the reply is received, the IP address and physical address are stored in the local ARP cache and kept for a certain time, and the ARP cache is queried directly on the next request to save resources.
It should be understood that the terminal discovery device 11 may be one electronic device having both the device discovery software and the terminal discovery software, or may be a combination of a plurality of electronic devices having the device discovery software and the terminal discovery software, respectively.
The security device 12 may be any electronic device provided with a security feature library, security scanning software, security analysis software, and security protection software in this embodiment.
The contents of the security feature library include, but are not limited to, virus feature information, risk port feature information, threat software feature information, risk system version feature information, system vulnerability feature information, and the like. The security scanning software provides terminal security scanning task management, communicates with the access device to perform terminal security scanning, and parses and stores the security scanning result. The security analysis software comprehensively analyzes the security scanning result of the terminal on the basis of the security feature library and identifies the various threats and risk information of the terminal. The security protection software provides management of the security protection policy: an administrator can arrange the security protection policy through a front-end interface, and the protection system performs configuration processing such as isolation, blocking and port security protection on the terminal according to the protection policy.
It should be understood that the security protection device 12 may be one electronic device having the security feature library, the security scanning software and the security analysis software together, or a combination of multiple electronic devices each having a security feature library, the security scanning software and the security analysis software.
The access device 13 is the entrance through which the terminal accesses the network, and may be a communication device such as a switch or a router. The access device 13 in this embodiment installs security scanning software similar to, but not limited to, Nmap (Network Mapper), and can scan the terminal's operating system information, installed software information, open TCP (Transmission Control Protocol)/UDP (User Datagram Protocol) port information, and the like.
Optionally, the terminal security protection system 10 of this embodiment may further include an AAA server, where the AAA server obtains the terminal information through the access device 13, and actively reports the terminal information to the terminal discovery device 11, and meanwhile, provides a policy function of denying access to the risk terminal in conjunction with the security protection system.
Based on the terminal security protection system 10, referring to fig. 2, which is a schematic flowchart of a terminal security protection method provided in an embodiment of the present application, the terminal security protection method is applied to a controller in the terminal security protection system, and the specific steps may be as follows:
Step S21: acquiring terminal information of the terminal.
Specifically, the obtaining of the terminal information of the terminal may include the following sub-steps:
Step S211: acquiring device information of all devices in the network where the terminal safety protection system is located, based on the link layer discovery protocol.
In this embodiment, an administrator may create a terminal discovery task through the terminal discovery device 11. Based on that task, the terminal discovery device 11 starts the device discovery software, collects the LLDP information of the connected IP devices through the SNMP (Simple Network Management Protocol) or NetConf (Network Configuration Protocol) function, discovers the adjacent devices from the LLDP information, expands outward from them in the same way, and finally discovers all devices and the topology information of the entire network.
Step S212: acquiring forwarding database table information and address resolution protocol table information of all the devices based on the device information, and acquiring the terminal information based on the forwarding database table information and the address resolution protocol table information.
Further, in addition to a one-time discovery of the terminals connected to the access device 13, the terminals connected to the access device 13 may also be updated in real time; the specific steps may include:
Step S213: receiving the change information of the forwarding database table and the change information of the address resolution protocol table reported by the terminal.
It should be understood that in the present embodiment, communication between the terminal and either the terminal discovery device 11 or the security device 12 is relayed through the access device 13.
Step S214: updating the terminal information of the terminal based on the change information of the forwarding database table and the change information of the address resolution protocol table.
It should be understood that steps S211-S212 and S213-S214 are not strictly ordered by their numbering, and that S213-S214 are an optional embodiment.
Optionally, step S21 may be performed by the terminal discovery device 11 in the controller.
For step S21, and for the terminal safety protection method as a whole, SNMP or NetConf must be enabled and configured on all devices in the same local area network so that the terminal discovery device 11 can discover the devices and the terminals.
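The discovery procedure of steps S211-S214 in working form, as an added example that is not part of the patent: it assumes constructed table formats (LLDP links as 4-tuples, FDB rows as (device, port, MAC), ARP rows as (device, IP, MAC)) and constructed sample data, and uses the LLDP neighbour links to tell edge ports from uplinks so that a MAC learned on an inter-switch port is not mistaken for a terminal's access location.

```python
"""Added example (not the patent's own code): the controller-side terminal
discovery of steps S211-S214. LLDP neighbour links, FDB entries and ARP
entries are correlated into per-terminal records (MAC, IP, access device,
access port), and FDB/ARP change reports update those records. The table
formats and the sample data below are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Terminal:
    mac: str
    ip: Optional[str] = None
    access_device: Optional[str] = None
    access_port: Optional[str] = None


def uplink_ports(lldp_links: List[Tuple[str, str, str, str]]) -> Set[Tuple[str, str]]:
    """Ports that face another network device according to LLDP.

    Each link is (local_device, local_port, remote_device, remote_port). A MAC
    learned on such a port was reached through a neighbouring switch, so the
    port cannot be the terminal's access location.
    """
    ports: Set[Tuple[str, str]] = set()
    for local_dev, local_port, remote_dev, remote_port in lldp_links:
        ports.add((local_dev, local_port))
        ports.add((remote_dev, remote_port))
    return ports


def discover_terminals(lldp_links, fdb, arp) -> Dict[str, Terminal]:
    """Steps S211-S212: build terminal records from every device's tables.

    fdb entries are (device, port, mac); arp entries are (device, ip, mac).
    """
    uplinks = uplink_ports(lldp_links)
    terminals: Dict[str, Terminal] = {}
    for device, port, mac in fdb:
        if (device, port) in uplinks:
            continue  # learned on an inter-switch link, not on an edge port
        t = terminals.setdefault(mac.lower(), Terminal(mac.lower()))
        t.access_device, t.access_port = device, port
    for _device, ip, mac in arp:
        # The ARP entry may come from a gateway rather than the access device;
        # it only contributes the IP, the location always comes from the FDB.
        terminals.setdefault(mac.lower(), Terminal(mac.lower())).ip = ip
    return terminals


def apply_fdb_change(terminals, uplinks, event, device, port, mac) -> None:
    """Steps S213-S214: a device reports an FDB entry added or removed."""
    mac = mac.lower()
    if (device, port) in uplinks:
        return  # churn on uplinks never changes a terminal's access location
    if event == "add":
        t = terminals.setdefault(mac, Terminal(mac))
        t.access_device, t.access_port = device, port
    elif event == "delete":
        t = terminals.get(mac)
        # Clear the location only if the removed entry is the one recorded:
        # a late delete from the old port must not undo a newer add.
        if t and (t.access_device, t.access_port) == (device, port):
            t.access_device = t.access_port = None
    else:
        raise ValueError(f"unknown FDB event {event!r}")


def apply_arp_change(terminals, event, ip, mac) -> None:
    """Steps S213-S214: a device reports an ARP entry added or removed."""
    mac = mac.lower()
    if event == "add":
        terminals.setdefault(mac, Terminal(mac)).ip = ip
    elif event == "delete":
        t = terminals.get(mac)
        if t and t.ip == ip:
            t.ip = None
    else:
        raise ValueError(f"unknown ARP event {event!r}")


def scan_targets(terminals) -> List[dict]:
    """Input for step S221: terminals whose IP and access port are both known."""
    return [
        {"ip": t.ip, "mac": t.mac, "device": t.access_device, "port": t.access_port}
        for t in sorted(terminals.values(), key=lambda t: t.mac)
        if t.ip and t.access_port
    ]


# Constructed sample tables: core1 reaches two access switches over uplinks.
LLDP = [("core1", "Gi0/1", "acc1", "Gi0/24"), ("core1", "Gi0/2", "acc2", "Gi0/24")]
FDB = [
    ("acc1", "Gi0/1", "aa:bb:cc:00:00:01"),   # terminal 1 on an acc1 edge port
    ("acc1", "Gi0/24", "aa:bb:cc:00:00:02"),  # terminal 2 seen through acc1's uplink
    ("acc2", "Gi0/5", "AA:BB:CC:00:00:02"),   # terminal 2 on an acc2 edge port
    ("core1", "Gi0/1", "aa:bb:cc:00:00:01"),
    ("core1", "Gi0/2", "aa:bb:cc:00:00:02"),
]
ARP = [("core1", "10.0.1.11", "aa:bb:cc:00:00:01"),
       ("core1", "10.0.2.22", "aa:bb:cc:00:00:02")]

if __name__ == "__main__":
    for target in scan_targets(discover_terminals(LLDP, FDB, ARP)):
        print(target)
```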
Step S22: sending a security scanning task to the access device based on the terminal information.
Specifically, the sending of the security scanning task to the access device based on the terminal information may include the following sub-steps:
Step S221: generating a security scanning task based on the terminal information, where the security scanning task includes at least one of the internet protocol address, the media access control address and the access port information of the terminal.
The security scanning task may be generated by security scanning software. Optionally, the security scanning software in this embodiment may be any security scanning tool that provides the scanning functions terminal security protection requires, such as Nmap, Nessus, Codenomicon and AppScan.
Step S222: sending the security scanning task to the access device through a specified protocol, where the specified protocol includes the simple network management protocol and the network configuration protocol.
Optionally, step S22 is performed by the security protection device 12 in the controller.
Step S23: performing security scanning on the terminal through the access device based on the security scanning task, to obtain the security scanning result of the terminal.
After the access device 13 starts the security scanning software based on the security scanning task, it performs security scanning on the terminal through the terminal's access interface.
The access device 13 may send the security scanning result to the security protection device 12 through the File Transfer Protocol (FTP), NetConf, SNMP or another protocol.
Because the access device 13 is directly connected to the terminal, network reachability is inherently available, which gives security scanning software such as Nmap good and efficient scanning conditions; the terminal itself needs no security-specific adaptation, so the approach is generally applicable.
Step S24: generating protection configuration information based on the security scanning result, and sending the protection configuration information to the access device.
Referring to fig. 3, fig. 3 is a schematic flow chart of a security analysis according to an embodiment of the present application, which includes the following specific steps:
Step S241: analyzing the security scanning result based on the security feature library to obtain risk list information.
The security scanning software in the security protection device 12 parses and stores the basic data of the security scanning result and then notifies the security analysis software, which performs a comprehensive analysis based on the security feature library and the security scanning result to obtain detailed risk list information. The security analysis software may be, but is not limited to, software with a security analysis function such as OpenSOC, Infinit.e, Splunk and AlienVault OTX.
Step S242: generating protection configuration information based on the risk list information and the protection policy.
The security protection software in the security protection device 12 generates a specific protection configuration according to the protection policy and the risk list information; the protection configuration may follow a security-domain-based and policy-based terminal protection configuration mode.
Step S243: sending the protection configuration information to the access device through a specified protocol, where the specified protocol includes the simple network management protocol and the network configuration protocol.
Optionally, step S24 is performed by the security protection device 12 in the controller.
Step S25: performing protection configuration on the access device based on the protection configuration information.
The protection configuration in this embodiment may include, but is not limited to, a terminal account configuration, a browser configuration, a firewall configuration, a patch management configuration, a permission configuration, a storage configuration, and the like.
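Steps S241-S242 as an added example, not code from the patent or from any of the tools it names: the feature library, the policy table, the software names and the scan results are constructed, and the protection configuration it emits (a per-port deny list, or a quarantine VLAN plus a MAC deny) is an assumed representation of the isolation-blocking and port-security actions the text describes; delivery to the access device over SNMP/NetConf (step S243) is out of scope.

```python
"""Added example (not the patent's own code): steps S241-S242, matching a
terminal's security scanning result against a security feature library to
build a risk list, then turning that list and a protection policy into a
protection configuration for the terminal's access port. The feature library,
policy, software names and scan results are all constructed for this example."""
from dataclasses import dataclass
from typing import List

SEVERITY_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed security feature library; the categories are those the text
# lists, the entries are illustrative rather than a real signature set.
FEATURE_LIBRARY = {
    "risk_ports": {23: ("telnet, cleartext remote login", "high"),
                   21: ("ftp, cleartext file transfer", "medium")},
    "risk_system_versions": {"windows xp": "high"},          # unsupported OS
    "threat_software": {"example-miner": "critical"},         # constructed name
    "system_vulnerabilities": {("exampled", "1.0"): "high"},  # constructed (name, version)
}

# Constructed protection policy: the worst severity found selects the action.
POLICY = {"critical": "isolate", "high": "port_filter",
          "medium": "audit", "low": "audit", "none": "allow"}


@dataclass
class Risk:
    category: str
    detail: str
    severity: str
    port: int = 0  # set for risk_port findings only


def analyze_scan_result(scan: dict, library: dict = FEATURE_LIBRARY) -> List[Risk]:
    """Step S241: analyse one terminal's scan result against the feature library.

    scan = {"os": str, "open_tcp_ports": [int], "software": [(name, version)]}
    """
    risks: List[Risk] = []
    for port in scan.get("open_tcp_ports", []):
        if port in library["risk_ports"]:
            detail, sev = library["risk_ports"][port]
            risks.append(Risk("risk_port", f"tcp/{port} {detail}", sev, port))
    os_name = scan.get("os", "").lower()
    for version, sev in library["risk_system_versions"].items():
        if version in os_name:
            risks.append(Risk("risk_system_version", scan["os"], sev))
    for name, version in scan.get("software", []):
        if name.lower() in library["threat_software"]:
            risks.append(Risk("threat_software", name, library["threat_software"][name.lower()]))
        sev = library["system_vulnerabilities"].get((name.lower(), version))
        if sev:
            risks.append(Risk("system_vulnerability", f"{name} {version}", sev))
    return risks


def worst_severity(risks: List[Risk]) -> str:
    return max((r.severity for r in risks), key=SEVERITY_ORDER.__getitem__, default="none")


def generate_protection_config(terminal: dict, risks: List[Risk], policy: dict = POLICY) -> dict:
    """Step S242: protection configuration for the terminal's access port.

    terminal = {"ip", "mac", "device", "port"} as produced by terminal discovery.
    """
    action = policy[worst_severity(risks)]
    risky_ports = sorted(r.port for r in risks if r.category == "risk_port")
    if action == "port_filter" and not risky_ports:
        action = "isolate"  # nothing to filter at port level, so fall back to isolation
    config = {"device": terminal["device"], "port": terminal["port"],
              "mac": terminal["mac"], "action": action,
              "risks": [f"{r.category}: {r.detail} ({r.severity})" for r in risks]}
    if action == "port_filter":
        # Port security protection: only the risky services are blocked on the port.
        config["deny_tcp_ports"] = risky_ports
    elif action == "isolate":
        # Isolation blocking: the port is moved to a constructed quarantine VLAN
        # and the terminal's MAC is denied until it is remediated.
        config["quarantine_vlan"] = 999
        config["deny_mac"] = terminal["mac"]
    return config


# Constructed scan results for one terminal record from terminal discovery.
TERMINAL = {"ip": "10.0.1.11", "mac": "aa:bb:cc:00:00:01", "device": "acc1", "port": "Gi0/1"}
SCAN_TELNET_AND_FTP = {"os": "Linux 5.4", "open_tcp_ports": [21, 22, 23], "software": []}
SCAN_THREAT = {"os": "Windows 10", "open_tcp_ports": [23, 443],
               "software": [("example-miner", "0.1")]}
SCAN_CLEAN = {"os": "Linux 5.4", "open_tcp_ports": [22, 443], "software": [("exampled", "2.0")]}

if __name__ == "__main__":
    for scan in (SCAN_TELNET_AND_FTP, SCAN_THREAT, SCAN_CLEAN):
        print(generate_protection_config(TERMINAL, analyze_scan_result(scan)))
```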
In order to cooperate with the terminal security protection method provided in the embodiment of the present application, the embodiment further provides a terminal security protection device 30, which is applied to a controller in the terminal security protection system 10.
Referring to fig. 4, fig. 4 is a schematic block diagram of a terminal safety protection device according to an embodiment of the present disclosure.
The terminal safety protection device 30 includes:
a terminal information obtaining module 31, configured to obtain terminal information of a terminal;
a security scanning task sending module 32, configured to send a security scanning task to the access device based on the terminal information;
the security scanning module 33 is configured to perform security scanning on the terminal through the access device based on the security scanning task to obtain a security scanning result of the terminal;
a protection configuration sending module 34, configured to generate protection configuration information based on the security scanning result and send the protection configuration information to the access device;
a configuration module 35, configured to perform protection configuration on the access device based on the protection configuration information.
Optionally, the terminal information obtaining module 31 is specifically configured to: acquiring equipment information of all equipment in a network where a terminal safety protection system is located based on a link layer discovery protocol, wherein the equipment information comprises the connection relation between all the equipment and access equipment; and acquiring forwarding database table information and address resolution protocol table information of all the devices based on the device information, and acquiring terminal information based on the forwarding database table information and the address resolution protocol table information.
Optionally, the terminal information obtaining module 31 is specifically configured to: receiving the change information of a forwarding database table and the change information of an address resolution protocol table reported by a terminal; and updating the terminal information of the terminal based on the change information of the forwarding database table and the change information of the address resolution protocol table.
Optionally, the security scan task sending module 32 is specifically configured to: generating a security scanning task based on the terminal information, wherein the security scanning task comprises at least one of an internet protocol address, a media access control address and access port information of the terminal; and sending the security scanning task to the access equipment through a specified protocol, wherein the specified protocol comprises a simple network management protocol and a network configuration protocol.
Optionally, the security scanning module 33 is specifically configured to: controlling the access equipment to start appointed security scanning software based on the security scanning task; and controlling the access equipment to perform security scanning on the terminal through the access interface of the terminal based on the access port information through the security scanning software.
Optionally, the protection configuration sending module 34 is specifically configured to: analyzing the safety scanning result based on the safety feature library to obtain risk list information; generating protection configuration information based on the risk list information and the protection strategy; and sending the protection configuration information to the access equipment through a specified protocol, wherein the specified protocol comprises a simple network management protocol and a network configuration protocol.
Optionally, all devices are configured with a simple network management protocol or a network configuration protocol.
The embodiment of the present application further provides an electronic device, which includes a memory and a processor, where the memory stores program instructions, and when the processor reads and runs the program instructions, the processor executes the steps of the terminal security protection method provided in this embodiment.
It should be understood that the electronic device may be a Personal Computer (PC), a tablet PC, a smart phone, a Personal Digital Assistant (PDA), or other electronic device having a logical computing function.
The embodiment of the application also provides a readable storage medium, wherein the readable storage medium stores computer program instructions, and the computer program instructions are read by a processor and run to execute the steps in the terminal security protection method.
To sum up, the embodiment of the present application provides a terminal security protection method, apparatus, system and storage medium, where the method is applied to a controller in a terminal security protection system, where the terminal security protection system includes the controller and an access device, the access device is respectively connected to the controller and a plurality of terminals, and the method includes: acquiring terminal information of the terminal; sending a security scanning task to the access equipment based on the terminal information; the access equipment performs security scanning on the terminal based on the security scanning task to obtain a security scanning result of the terminal; generating protection configuration information based on the security scanning result, and sending the protection configuration information to the access device; and performing protection configuration on the access equipment based on the protection configuration information.
In this implementation, the controller automatically discovers and updates the terminals in the network, which improves the real-time performance of security protection for the network where the terminals are located. The terminals do not need to install log collection tools or perform related configuration, and terminal information can be collected without the terminals generating any behaviour, so terminal security scanning and configuration can proceed; this improves the efficiency and applicability of terminal security protection. Further, scanning from the access device directly reduces the server cost that installing scanning software on the terminal side would require, improves scanning performance, reduces the traffic impact of scanning messages transmitted across the network, and solves the problem that the scanning software and the terminal's network are not easily reachable from one another.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus may be implemented in other manners. The apparatus embodiments described above are merely illustrative, and for example, the block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of devices according to various embodiments of the present application. In this regard, each block in the block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams, and combinations of blocks in the block diagrams, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Therefore, the present embodiment further provides a readable storage medium, in which computer program instructions are stored, and when the computer program instructions are read and executed by a processor, the computer program instructions perform the steps of any of the block data storage methods. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A terminal safety protection method is applied to a controller in a terminal safety protection system, the terminal safety protection system comprises the controller and an access device, the access device is respectively connected with the controller and a plurality of terminals, and the method comprises the following steps:
acquiring terminal information of the terminal;
sending a security scanning task to the access equipment based on the terminal information;
the access equipment performs security scanning on the terminal based on the security scanning task to obtain a security scanning result of the terminal;
generating protection configuration information based on the security scanning result, and sending the protection configuration information to the access device;
and performing protection configuration on the access equipment based on the protection configuration information.
2. The method of claim 1, wherein the obtaining the terminal information of the terminal comprises:
acquiring equipment information of all equipment in a network where the terminal safety protection system is located based on a link layer discovery protocol, wherein the equipment information comprises the connection relation between all the equipment and the access equipment;
and acquiring the forwarding database table information and the address resolution protocol table information of all the equipment based on the equipment information, and acquiring the terminal information based on the forwarding database table information and the address resolution protocol table information.
3. The method of claim 2, further comprising:
receiving the change information of the forwarding database table and the change information of the address resolution protocol table reported by the terminal;
and updating the terminal information of the terminal based on the change information of the forwarding database table and the change information of the address resolution protocol table.
4. The method of claim 1, wherein the sending a security scanning task to the access device based on the terminal information comprises:
generating the security scanning task based on the terminal information, wherein the security scanning task comprises at least one of an internet protocol address, a media access control address and access port information of the terminal;
and sending the security scanning task to the access equipment through a specified protocol, wherein the specified protocol comprises a simple network management protocol and a network configuration protocol.
5. The method of claim 4, wherein the securely scanning, by the access device, the terminal based on the security scanning task comprises:
controlling the access equipment to start appointed security scanning software based on the security scanning task;
and controlling the access equipment to perform security scanning on the terminal through the access interface of the terminal based on access port information through the security scanning software.
6. The method of claim 1, wherein generating protection configuration information based on the security scan result and sending the protection configuration information to the access device comprises:
analyzing the safety scanning result based on a safety feature library to obtain risk list information;
generating the protection configuration information based on the risk list information and a protection policy;
and sending the protection configuration information to the access equipment through a specified protocol, wherein the specified protocol comprises a simple network management protocol and a network configuration protocol.
7. The method according to any of claims 1-6, wherein all devices are configured with simple network management protocol or network configuration protocol.
8. A terminal safety protection device, applied to a controller in a terminal safety protection system, wherein the terminal safety protection system further comprises an access device, the access device is respectively connected with the controller and a plurality of terminals, and the controller comprises:
the terminal information acquisition module is used for acquiring the terminal information of the terminal;
a security scanning task sending module, configured to send a security scanning task to the access device based on the terminal information;
the security scanning module is used for carrying out security scanning on the terminal through the access equipment based on the security scanning task to obtain a security scanning result of the terminal;
a protection configuration sending module, configured to generate protection configuration information based on the security scanning result and send the protection configuration information to the access device;
and the configuration module is used for carrying out protection configuration on the access equipment based on the protection configuration information.
9. A terminal safety protection system is characterized by comprising a controller and access equipment, wherein the access equipment is respectively connected with the controller and a plurality of terminals;
the controller is used for acquiring terminal information of the terminal;
the controller is used for sending a security scanning task to the access equipment based on the terminal information;
the access device is used for carrying out security scanning on the terminal based on the security scanning task to obtain a security scanning result of the terminal;
the controller is configured to generate protection configuration information based on the security scanning result and send the protection configuration information to the access device;
the access device is further configured to perform protection configuration based on the protection configuration information.
10. A storage medium having stored thereon computer program instructions for executing the steps of the method according to any one of claims 1 to 7 when executed by a processor.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010860336.0A CN112003862B (en) 2020-08-24 2020-08-24 Terminal safety protection method, device, system and storage medium

Publications (2)

Publication Number Publication Date
CN112003862A true CN112003862A (en) 2020-11-27
CN112003862B CN112003862B (en) 2022-08-12

Family

ID=73471412

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010860336.0A Active CN112003862B (en) 2020-08-24 2020-08-24 Terminal safety protection method, device, system and storage medium

Country Status (1)

Country Link
CN (1) CN112003862B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant