CN112291192A - Switching control system and method for safely accessing internal network - Google Patents
- Publication number: CN112291192A (application CN202010947647.0A)
- Authority: CN (China)
- Prior art keywords: network, internal network, user, internal, network end
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
All four classifications sit under H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION.
- H04L63/0876: Network architectures or network communication protocols for network security, for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (H04L63/00 › H04L63/08)
- H04L12/2856: Access arrangements, e.g. Internet access (H04L12/00 Data switching networks › H04L12/28 characterised by path configuration, e.g. LAN or WAN › H04L12/2854 Wide area networks, e.g. public data networks)
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL (H04L63/00 › H04L63/02 separating internal from external traffic, e.g. firewalls › H04L63/0227 Filtering policies)
- H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources (H04L63/00)
Abstract
The invention relates to the field of the Internet, in particular to a switching control system and method for safely accessing an internal network. The system comprises: a network switch, used to switch the user network end between the internal network end and the external network end; and a network management server, which decides whether the user network end may be connected to the internal network end according to an application request for access to the internal network end, and controls the network switch to perform the corresponding switching action. With the invention, switching from the external network end to the internal network end takes place only when the application request for the internal network end passes, so the internal network end cannot be accessed without authorization and the internal network can be used safely.
Description
Technical Field
The invention relates to the field of the Internet, in particular to a switching control system and a switching control method for safely accessing an internal network.
Background
In many industries, such as power, finance, education, personnel, certification, tax, telecommunications, and government and public institutions, there is a need for both internal network applications and Internet access. The two networks are completely physically isolated, so a user who wants to switch between the intranet and the extranet has to move the computer from one network to the other by hand.
A network switch lets a user switch between the internal and external networks by pressing a key; it needs no software, only switches the RJ45 signals that enter and leave the network transformer, is simple to install and use, and is cheap. However, switching between the internal and external networks is decided entirely by the user, the switching action is not securely confirmed, and any computer can easily be connected to the internal network.
Disclosure of Invention
To solve the above problems, the present invention provides a switching control system and method for securely accessing an internal network.
A switching control system for secure access to an internal network, comprising:
a network switch, used to switch the user network end between the internal network end and the external network end; and
a network management server, which decides whether the user network end is to be connected to the internal network end according to an application request for access to the internal network end and controls the network switch to perform the corresponding switching action.
Preferably, the application request for access to the internal network end comprises the identity information of the user and the access right of the internal network.
Preferably, when the network management server verifies that the identity information of the user is correct and the user has the internal network access right, it sends a switching command to the network switch, which switches the connection of the user network end to the internal network end.
Preferably, the network switch is further used to judge whether the network connection is normal according to whether the user network end receives the signal of the internal network end, and to switch the user network end from the internal network end to the external network end if the network connection is abnormal.
Preferably, the network switch judging whether the network connection is normal according to whether the user network end receives the signal of the internal network end comprises:
if the Ethernet interface of the internal network end is open-circuited and the signal line carries no signal, judging that the user network end is not plugged into the Ethernet interface of the internal network end and that the network connection is abnormal;
if the Ethernet interface of the internal network end is not open-circuited but the signal line carries no signal, judging that the user network end is in standby or powered off;
if the signal line of the internal network end carries a signal, judging that the user network end is using the network normally and that the network connection is normal.
A switching control method for safely accessing an internal network comprises the following steps:
receiving an application request for access to the internal network end sent by the user network end;
judging, according to the application request for access to the internal network end, whether to connect the user network end to the internal network end;
and if the application request for access to the internal network end passes, switching the connection of the user network end to the internal network end.
Preferably, the application request for access to the internal network end comprises the identity information of the user and the access right of the internal network.
Preferably, switching the connection of the user network end to the internal network end if the application request for access to the internal network end passes comprises:
when the identity information of the user is verified to be correct and the user has the internal network access right, sending a switching command to switch the connection of the user network end to the internal network end.
Preferably, the method further comprises the following step:
judging whether the network connection is normal according to whether the user network end receives the signal of the internal network end, and if the network connection is abnormal, switching the user network end from the internal network end to the external network end.
Preferably, judging whether the network connection is normal according to whether the user network end receives the signal of the internal network end comprises:
if the Ethernet interface of the internal network end is open-circuited and the signal line carries no signal, judging that the user network end is not plugged into the Ethernet interface of the internal network end and that the network connection is abnormal;
if the Ethernet interface of the internal network end is not open-circuited but the signal line carries no signal, judging that the user network end is in standby or powered off;
if the signal line of the internal network end carries a signal, judging that the user network end is using the network normally and that the network connection is normal.
The invention achieves the following effects:
1. switching from the external network end to the internal network end is possible only when the application request for the internal network end passes, so the internal network end cannot be accessed without authorization and the internal network can be used safely;
2. when the user network end is powered off, in standby or disconnected from the network, the network switch automatically closes the internal network port and leaves only the external network port open, so that unused internal network ports are fully closed; this protects the internal network end and greatly improves network security.
Drawings
The present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a schematic structural diagram of a switching control system for securely accessing an internal network according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a switching control method for securely accessing an internal network according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of step S4 of a switching control method for securely accessing an internal network according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be further described below with reference to the accompanying drawings, but the present invention is not limited to these embodiments.
In the prior art, switching between the internal network end and the external network end is decided entirely by the user, the switching action is not securely confirmed, and any computer can easily be connected to the internal network end, which is a serious security risk.
The basic idea of the invention is to install a network management server at the external network end. The server decides, from the user's identity information and internal network access right, whether to connect the user network end to the internal network end, and controls the switch to perform the corresponding action, so that the internal network end cannot be accessed without authorization.
On this basis, an embodiment of the present invention provides a switching control system for securely accessing an internal network, shown in Fig. 1, comprising: a network switch, used to switch the user network end between the internal network end and the external network end; and a network management server, which decides whether the user network end is to be connected to the internal network end according to an application request for access to the internal network end and controls the network switch to perform the corresponding switching action.
In this embodiment, the Ethernet interface circuit in the network switch consists of an Ethernet physical layer chip (PHY), a transformer and an RJ45 jack, and the PHY and the switch are connected through an RMII/RGMII interface. The network switch is therefore a signal-level selector that routes the PHY's RMII/RGMII lines to either the internal network end or the external network end; it is not a packet-forwarding Ethernet switch.
The MII interface is the media independent interface, normally used between the MAC layer and the PHY layer of Ethernet. The RMII interface is a reduced version of MII that cuts the number of connecting lines from 16 to 8. As shown in Fig. 1, the 8 RMII lines are: TXD[1:0], the transmit data lines; RXD[1:0], the receive data lines; TX_EN, transmit enable; RX_ER, receive error; REF_CLK, the 50 MHz reference clock supplied by an external clock source; and CRS_DV, carrier sense/receive data valid, which combines the RX_DV and CRS signals of the MII interface.
10M/100M Ethernet can use the RMII interface. 1000M Ethernet requires the RGMII interface, the reduced gigabit MII, which reaches 1000 Mbps while remaining compatible with 10/100M Ethernet. RGMII uses 14 signal lines, which are not listed here. A network switch for 10M/100M Ethernet can therefore be built with an 8-channel switch, whereas one for 1000M Ethernet needs a 14-channel switch.
In this embodiment, the application request for access to the internal network end carries the user's identity information and the internal network access right being requested. When the network management server verifies that the identity information is correct and that the user holds the internal network access right, it sends a switching command to the network switch, which switches the user network end's connection to the internal network end.
When the network switch is powered up and working normally and the user network end is powered up and plugged into it, the user network end is connected to the external network end by default. The network management server, which is responsible for network management, sits at the external network end. A user who wants to reach the internal network end logs in to the network management system and submits an application request for access to the internal network end; the server decides, from the user's identity information and internal network access right, whether the user network end may be connected to the internal network end. Only when the identity information is verified as correct and the user holds the access right does the server send the switching command that moves the user network end's network connection to the internal network end.
In this embodiment, therefore, the external network end can be switched to the internal network end only after the application request has passed, so the internal network end cannot be accessed without authorization and the internal network stays secure.
The network management server at the external network end can apply different user authentication and authorization policies to suit different network security requirements.
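The authorization and switching-command exchange just described (the same flow as steps S1 to S3 of the method below), written out as an added example in Python; it is not code from the patent. The credential store, the HMAC-protected command format, the key shared between server and switch, and the sequence-number replay check are all assumptions: the patent does not say how the switching command is protected on its way from the server at the external network end to the switch, and a practitioner would want it authenticated, since otherwise any host on the external network that can reach the switch's control interface could issue one.

```python
"""Added example (not code from the patent): a management server that checks the
identity information and internal-network access right carried by an application
request, then issues an authenticated switching command to the network switch.
The credential store, the HMAC-signed command format and the sequence-number
replay check are assumptions; the patent does not specify them."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample directory. Passwords are stored as PBKDF2-HMAC-SHA256
# hashes; "internal_access" is the user's internal-network access right.
_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _make_user(password: str, internal_access: bool) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt),
            "internal_access": internal_access}


USERS = {
    "alice": _make_user("correct horse battery staple", internal_access=True),
    "bob": _make_user("bob-password", internal_access=False),
}

# Key shared between the management server and the network switch (assumed).
SWITCH_KEY = secrets.token_bytes(32)


def _canonical(body: dict) -> bytes:
    """Fixed serialization so server and switch MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class ManagementServer:
    """Receives application requests and decides whether to switch the port."""

    def __init__(self, users: dict, key: bytes):
        self._users = users
        self._key = key
        self._seq = 0  # monotonically increasing; lets the switch reject replays

    def handle_request(self, username: str, password: str, port: int) -> Optional[dict]:
        """Return a signed switching command, or None if the request is denied."""
        user = self._users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
            return None  # identity information incorrect
        if not user["internal_access"]:
            return None  # no internal-network access right
        self._seq += 1
        body = {"port": port, "target": "internal", "seq": self._seq, "user": username}
        return {"body": body, "mac": hmac.new(self._key, _canonical(body), "sha256").hexdigest()}


class NetworkSwitch:
    """Signal-level selector: each user port is wired to 'external' or 'internal'."""

    def __init__(self, key: bytes, ports: int = 4):
        self._key = key
        self._last_seq = 0
        self.ports = {p: "external" for p in range(ports)}  # default: external

    def apply(self, command: dict) -> str:
        """Verify the command and move the port; return the port's new wiring."""
        body = command["body"]
        expected = hmac.new(self._key, _canonical(body), "sha256").hexdigest()
        if not hmac.compare_digest(expected, command["mac"]):
            raise PermissionError("switching command failed authentication")
        if body["seq"] <= self._last_seq:
            raise PermissionError("replayed switching command")
        if body["port"] not in self.ports or body["target"] not in ("internal", "external"):
            raise ValueError("malformed switching command")
        self._last_seq = body["seq"]
        self.ports[body["port"]] = body["target"]
        return self.ports[body["port"]]


if __name__ == "__main__":
    server = ManagementServer(USERS, SWITCH_KEY)
    switch = NetworkSwitch(SWITCH_KEY)
    cmd = server.handle_request("alice", "correct horse battery staple", port=2)
    print("alice port 2 ->", switch.apply(cmd))
    print("bob port 3 ->", server.handle_request("bob", "bob-password", port=3))
```

`handle_request` returns `None` for an unknown user, a wrong password or a user without the internal-network access right, so the port stays at its default of `external`; `apply` refuses a command whose MAC does not verify or whose sequence number has already been seen, so a captured command cannot be replayed to reopen a port after it has fallen back to the external network end.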
In this embodiment, the Ethernet physical layer interface chip has a time domain reflectometer (TDR) function that can determine whether the port's cable is open- or short-circuited and the distance to the fault. The PHY also has an energy detection function that reports whether the signal line is receiving a signal. Together these tell the network switch whether the network connection is normal; if it is not, the user network end is switched from the internal network end back to the external network end.
The decision is made as follows:
if the Ethernet interface of the internal network end is open-circuited and the signal line carries no signal, the user network end is judged not to be plugged into the Ethernet interface of the internal network end and the network connection is judged abnormal;
if the Ethernet interface of the internal network end is not open-circuited but the signal line carries no signal, the user network end is judged to be in standby or powered off;
if the signal line of the internal network end carries a signal, the user network end is judged to be using the network normally and the network connection is judged normal.
Only the last case keeps the internal connection; in the first two the port is switched back to the external network end.
When the user powers off the computer, puts it in standby or unplugs the network cable from it, the network switch detects the change through the PHY diagnostic functions, cuts the connection between the internal network end and the user network end, and connects the user network end to the external network end. This prevents an unauthorized user from reaching the internal network end simply by plugging into the port, so the internal network end cannot be accessed without authorization.
While the user network end is using the internal network normally, the network switch keeps the connection between the internal network end and the user network end.
When the user network end reboots, wakes up or is reconnected to the network, it must submit a new application request for access to the internal network end to the network management server.
When the user network end is powered off, in standby or disconnected from the network, the network switch automatically closes the internal network port and leaves only the external network port open, so that unused internal network ports are fully closed; this protects the internal network end and greatly improves network security.
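The link-state decision and fallback described above (also step S4 of the method below), as an added Python example that is not code from the patent. The PHY readings are constructed, and the `PortController` class, its `needs_reapplication` flag and the `run_samples` helper are assumptions; the patent describes the three cases and the fallback but not the PHY register interface or the polling loop that reads it.

```python
"""Added example (not code from the patent): the link-state decision the network
switch makes from the PHY's TDR and energy-detect results, and the fallback it
triggers. The readings, the PortController class and run_samples are constructed
for illustration; the real PHY register interface is not described in the patent."""
from enum import Enum
from typing import List, Tuple


class LinkState(Enum):
    NOT_CONNECTED = "interface open and no signal: cable unplugged"
    STANDBY_OR_OFF = "interface not open and no signal: host in standby or powered off"
    NORMAL = "signal present: host using the network"


def classify_link(open_circuit: bool, signal_present: bool) -> LinkState:
    """The three cases from the patent. TDR reports whether the cable is open or
    shorted; energy detect reports whether the signal line carries a signal."""
    if signal_present:
        return LinkState.NORMAL
    if open_circuit:
        return LinkState.NOT_CONNECTED
    return LinkState.STANDBY_OR_OFF


class PortController:
    """One user port of the switch: wired to 'external' by default, to 'internal'
    only after the management server's switching command, and back to 'external'
    as soon as the PHY shows the user network end is no longer live."""

    def __init__(self) -> None:
        self.connected_to = "external"
        self.needs_reapplication = False  # set on fallback; cleared by a new grant

    def grant_internal(self) -> None:
        """Called when an authorized switching command arrives from the server."""
        self.connected_to = "internal"
        self.needs_reapplication = False

    def on_phy_sample(self, open_circuit: bool, signal_present: bool) -> Tuple[LinkState, str]:
        """Process one PHY reading; return the link state and the port's wiring."""
        state = classify_link(open_circuit, signal_present)
        if state is not LinkState.NORMAL and self.connected_to == "internal":
            # Close the internal port so nobody can plug into a port that was
            # left switched to the internal network; the user must apply again.
            self.connected_to = "external"
            self.needs_reapplication = True
        return state, self.connected_to


def run_samples(controller: PortController, samples: List[Tuple[bool, bool]]) -> List[str]:
    """Feed a sequence of (open_circuit, signal_present) PHY readings and return
    the port wiring after each one."""
    return [controller.on_phy_sample(o, s)[1] for o, s in samples]


# Constructed PHY readings: host live, host sleeps, cable pulled, cable back but
# host still off, host live again (no new grant, so the port stays external).
SAMPLE_READINGS = [(False, True), (False, False), (True, False), (False, False), (False, True)]

if __name__ == "__main__":
    ctl = PortController()
    ctl.grant_internal()
    for reading, wiring in zip(SAMPLE_READINGS, run_samples(ctl, SAMPLE_READINGS)):
        print(reading, classify_link(*reading).name, "->", wiring)
```

The last reading in `SAMPLE_READINGS` shows a live signal again, but the port remains on the external network end because `needs_reapplication` is set: a host that wakes up or is plugged back in does not regain the internal network until the server grants it again, which is the re-application rule stated above.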
Based on the system embodiment above, and as shown in Fig. 2, the invention also provides a switching control method for securely accessing an internal network, comprising the following steps:
S1: receive an application request for access to the internal network end sent by the user network end.
The application request for access to the internal network end carries the user's identity information and the internal network access right being requested.
When the network switch is powered up and working normally and the user network end is powered up and plugged into it, the user network end is connected to the external network end by default. The network management server responsible for network management sits at the external network end; a user who wants to reach the internal network end logs in to the network management system and submits an application request for access to the internal network end.
S2: decide, according to the application request for access to the internal network end, whether to connect the user network end to the internal network end.
When the identity information is verified as correct and the user holds the internal network access right, a switching command is sent to switch the user network end's connection to the internal network end. Otherwise, when the identity information is incorrect or the user lacks the internal network access right, the user network end stays connected to the external network end.
S3: if the application request for access to the internal network end passes, switch the user network end's connection to the internal network end.
In this embodiment, the external network end can be switched to the internal network end only after the application request has passed, so the internal network end cannot be accessed without authorization and the internal network stays secure.
In one embodiment, as shown in Fig. 3, the method further comprises the following step:
S4: judge whether the network connection is normal according to whether the user network end receives the signal of the internal network end, and if the network connection is abnormal, switch the user network end from the internal network end to the external network end.
Specifically, judging whether the network connection is normal according to whether the user network end receives the signal of the internal network end comprises:
if the Ethernet interface of the internal network end is open-circuited and the signal line carries no signal, judging that the user network end is not plugged into the Ethernet interface of the internal network end and that the network connection is abnormal;
if the Ethernet interface of the internal network end is not open-circuited but the signal line carries no signal, judging that the user network end is in standby or powered off;
if the signal line of the internal network end carries a signal, judging that the user network end is using the network normally and that the network connection is normal.
When the user network end is powered off, in standby or disconnected from the network, the network switch automatically closes the internal network port and leaves only the external network port open, so that unused internal network ports are fully closed; this protects the internal network end and greatly improves network security.
Various modifications or additions may be made to the described embodiments or alternatives may be employed by those skilled in the art without departing from the spirit or ambit of the invention as defined in the appended claims.
Claims (10)
1. A switching control system for secure access to an internal network, comprising:
a network switch, used to switch the user network end between the internal network end and the external network end; and
a network management server, which decides whether the user network end is to be connected to the internal network end according to an application request for access to the internal network end and controls the network switch to perform the corresponding switching action.
2. The switching control system for secure access to an internal network according to claim 1, wherein
the application request for access to the internal network end comprises the identity information of the user and the access right of the internal network.
3. The switching control system for secure access to an internal network according to claim 2, wherein
when the network management server verifies that the identity information of the user is correct and the user has the internal network access right, it sends a switching command to the network switch, which switches the connection of the user network end to the internal network end.
4. The switching control system for secure access to an internal network according to claim 1, wherein
the network switch is further used to judge whether the network connection is normal according to whether the user network end receives the signal of the internal network end, and to switch the user network end from the internal network end to the external network end if the network connection is abnormal.
5. The system as claimed in claim 4, wherein the network switch judging whether the network connection is normal according to whether the user network end receives the signal of the internal network end comprises:
if the Ethernet interface of the internal network end is open-circuited and the signal line carries no signal, judging that the user network end is not plugged into the Ethernet interface of the internal network end and that the network connection is abnormal;
if the Ethernet interface of the internal network end is not open-circuited but the signal line carries no signal, judging that the user network end is in standby or powered off;
if the signal line of the internal network end carries a signal, judging that the user network end is using the network normally and that the network connection is normal.
6. A switching control method for safely accessing an internal network, characterized by comprising the following steps:
receiving an application request for access to the internal network end sent by the user network end;
judging, according to the application request for access to the internal network end, whether to connect the user network end to the internal network end;
and if the application request for access to the internal network end passes, switching the connection of the user network end to the internal network end.
7. The switching control method according to claim 6, wherein the application request for access to the internal network end comprises the identity information of the user and the access right of the internal network.
8. The method as claimed in claim 7, wherein switching the connection of the user network end to the internal network end if the application request for access to the internal network end passes comprises:
when the identity information of the user is verified to be correct and the user has the internal network access right, sending a switching command to switch the connection of the user network end to the internal network end.
9. The switching control method of claim 6, further comprising:
judging whether the network connection is normal according to whether the user network end receives the signal of the internal network end, and if the network connection is abnormal, switching the user network end from the internal network end to the external network end.
10. The switching control method of claim 9, wherein judging whether the network connection is normal according to whether the user network end receives the signal of the internal network end comprises:
if the Ethernet interface of the internal network end is open-circuited and the signal line carries no signal, judging that the user network end is not plugged into the Ethernet interface of the internal network end and that the network connection is abnormal;
if the Ethernet interface of the internal network end is not open-circuited but the signal line carries no signal, judging that the user network end is in standby or powered off;
if the signal line of the internal network end carries a signal, judging that the user network end is using the network normally and that the network connection is normal.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010947647.0A CN112291192B (en) | 2020-09-10 | 2020-09-10 | Switching control system and method for safely accessing internal network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112291192A true CN112291192A (en) | 2021-01-29 |
CN112291192B CN112291192B (en) | 2022-07-26 |
Family
ID=74420387
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114745445A (en) * | 2022-04-27 | 2022-07-12 | 深圳绿米联创科技有限公司 | Control method, control device, electronic equipment and storage medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007019284A2 (en) * | 2005-08-05 | 2007-02-15 | Global Serv Inc. | Methods and arrangements for managing automated switching |
CN101277308A (en) * | 2008-05-23 | 2008-10-01 | 杭州华三通信技术有限公司 | Method for insulating inside and outside networks, authentication server and access switch |
CN101860534A (en) * | 2010-05-20 | 2010-10-13 | 北京星网锐捷网络技术有限公司 | Method and system for switching network, access equipment and authentication server |
CN105471866A (en) * | 2015-11-23 | 2016-04-06 | 深圳市联软科技有限公司 | Protection method and apparatus for mobile application |
CN108540462A (en) * | 2018-03-27 | 2018-09-14 | 深圳市永达电子信息股份有限公司 | A kind of security isolation control computer system |
CN108681677A (en) * | 2018-05-14 | 2018-10-19 | 深圳市永达电子信息股份有限公司 | Based on the double net computer methods of USB interface security isolation, apparatus and system |
CN208590001U (en) * | 2018-03-27 | 2019-03-08 | 深圳市永达电子信息股份有限公司 | A kind of security isolation control computer system |
Non-Patent Citations (2)
Title |
---|
Li Jin et al.: "Design and Research of a Network Panel with Password Function" (具有密码功能的网络面板设计与研究), Science and Technology Innovation Herald (科技创新导报) * |
Tong Linghua et al.: "Distribution Network State Estimation Based on Multiple Intelligent Optimization Algorithms" (多智能优化算法的配电网状态估计), Power System and Clean Energy (电网与清洁能源) * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||