CN112291192A - Switching control system and method for safely accessing internal network - Google Patents

Info

Publication number: CN112291192A
Authority: CN (China)
Prior art keywords: network, internal network, user, internal, network end
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Application number: CN202010947647.0A
Other languages: Chinese (zh)
Other versions: CN112291192B (en)
Inventors: 童灵华, 厉进, 林科, 叶夏明, 岑彦, 周盛路, 黄川�
Current assignee: Ningbo Power Supply Co of State Grid Zhejiang Electric Power Co Ltd; Cixi Power Supply Co of State Grid Zhejiang Electric Power Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Ningbo Power Supply Co of State Grid Zhejiang Electric Power Co Ltd; Cixi Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Application filed by Ningbo Power Supply Co of State Grid Zhejiang Electric Power Co Ltd and Cixi Power Supply Co of State Grid Zhejiang Electric Power Co Ltd; priority to CN202010947647.0A; published as CN112291192A; application granted and published as CN112291192B; current legal status: Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/2854 Wide area networks, e.g. public data networks
    • H04L 12/2856 Access arrangements, e.g. Internet access
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention relates to the field of the Internet, and in particular to a switching control system and method for safely accessing an internal network. The system comprises: a network switch for switching the user network end between the internal network end and the external network end; and a network management server for judging, according to an application request for access to the internal network end, whether the user network end is to be connected to the internal network end, and for controlling the network switch to execute the corresponding switching action. The invention achieves the following effect: only when the application request for access to the internal network end passes can the switch from the external network end to the internal network end take place, so the internal network end cannot be illegally accessed and the safe use of the internal network is ensured.

Description

Switching control system and method for safely accessing internal network
Technical Field
The invention relates to the field of the Internet, and in particular to a switching control system and a switching control method for safely accessing an internal network.
Background
In many industries, such as power, finance, education, personnel, certification, tax, telecommunications, and government and public institution departments, there is a need for both internal network applications and Internet access. The two networks are completely physically isolated, so a user who wants to switch between the intranet and the extranet must manually move the computer from one network to the other.
A network switch lets a user switch between the internal and external networks with a key switch. It needs no software, only switches the RJ45 signals input to and output from the network transformer, is simple to install and use, and is inexpensive. However, the switching between the internal and external networks is decided entirely by the user, the switching action is not securely confirmed, and any computer can easily be connected to the internal network.
Disclosure of Invention
To solve the above problems, the present invention provides a switching control system and method for securely accessing an internal network.
A switching control system for secure access to an internal network comprises:
a network switch for switching the user network end between the internal network end and the external network end; and
a network management server that judges, according to an application request for access to the internal network end, whether the user network end is to be connected to the internal network end, and controls the network switch to execute the corresponding switching action.
Preferably, the application request for access to the internal network end includes the identity information of the user and the user's internal network access right.
Preferably, when the network management server verifies that the identity information of the user is correct and that the user holds the internal network access right, the network management server sends a switching command to the network switch to switch the connection of the user network end to the internal network end.
Preferably, the network switch is further configured to judge whether the network connection is normal according to whether the user network end receives a signal from the internal network end, and to switch the internal network end connected to the user network end over to the external network end if the network connection is abnormal.
Preferably, the network switch judging whether the network connection is normal according to whether the user network end receives a signal from the internal network end comprises:
if the Ethernet interface of the internal network end is open-circuited and the signal line carries no signal, judging that the user network end is not connected to the Ethernet interface of the internal network end and that the network connection is abnormal;
if the Ethernet interface of the internal network end is not open-circuited and the signal line carries no signal, judging that the user network end is in standby or powered off;
if the signal line of the internal network end carries a signal, judging that the user network end is using the network normally and that the network connection is normal.
A switching control method for safely accessing an internal network comprises the following steps:
receiving an application request for access to the internal network end, sent by the user network end;
judging, according to the application request for access to the internal network end, whether the user network end is to be connected to the internal network end; and
if the application request for access to the internal network end passes, switching the connection of the user network end to the internal network end.
Preferably, the application request for access to the internal network end includes the identity information of the user and the user's internal network access right.
Preferably, switching the connection of the user network end to the internal network end if the application request for access to the internal network end passes comprises:
when the identity information of the user is verified to be correct and the user holds the internal network access right, sending a switching command to switch the connection of the user network end to the internal network end.
Preferably, the method further comprises the following step:
judging whether the network connection is normal according to whether the user network end receives a signal from the internal network end, and, if the network connection is abnormal, switching the internal network end connected to the user network end over to the external network end.
Preferably, judging whether the network connection is normal according to whether the user network end receives a signal from the internal network end comprises:
if the Ethernet interface of the internal network end is open-circuited and the signal line carries no signal, judging that the user network end is not connected to the Ethernet interface of the internal network end and that the network connection is abnormal;
if the Ethernet interface of the internal network end is not open-circuited and the signal line carries no signal, judging that the user network end is in standby or powered off;
if the signal line of the internal network end carries a signal, judging that the user network end is using the network normally and that the network connection is normal.
The present invention achieves the following effects:
1. only when the application request for access to the internal network end passes can the switch from the external network end to the internal network end take place, so the internal network end cannot be illegally accessed and the safe use of the internal network is ensured;
2. when the user network end is powered off, in standby or disconnected from the network, the network switch automatically closes the port of the internal network end and opens only the port of the external network end, so unused internal network ports are completely closed, the security of the internal network end is ensured, and network security is greatly improved.
Drawings
The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a schematic structural diagram of a switching control system for securely accessing an internal network according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a switching control method for securely accessing an internal network according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of step S4 of a switching control method for securely accessing an internal network according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention are further described below with reference to the accompanying drawings, but the present invention is not limited to these embodiments.
In the prior art, switching between the internal network end and the external network end is decided entirely by the user, the switching action is not securely confirmed, and any computer can easily be connected to the internal network end, so a serious potential security hazard exists.
The basic idea of the invention is that a network management server is installed at the external network end; the network management server decides, according to the identity information of the user and the user's internal network access right, whether to connect the user network end to the internal network end, and controls the switch to execute the corresponding action, thereby ensuring that the internal network end is not illegally accessed.
Based on this idea, an embodiment of the present invention provides a switching control system for securely accessing an internal network which, as shown in Fig. 1, includes: a network switch for switching the user network end between the internal network end and the external network end; and a network management server for judging, according to an application request for access to the internal network end, whether the user network end is to be connected to the internal network end, and for controlling the network switch to execute the corresponding switching action.
In this embodiment, the Ethernet interface circuit in the network switch consists of an Ethernet physical layer (PHY), a transformer and an RJ45 jack, and the PHY and the switch are connected through an RMII/RGMII interface.
The MII (media independent interface) is typically used between the MAC layer and the PHY layer of Ethernet. RMII is a reduced version of MII in which the number of connecting lines drops from 16 to 8. As shown in Fig. 1, the 8 RMII lines are defined as follows:
    • TXD[1:0]: data transmit signal lines;
    • RXD[1:0]: data receive signal lines;
    • TX_EN: data transmit enable signal;
    • RX_ER: data receive error indication signal;
    • CLK_REF: 50 MHz reference clock provided by an external clock source;
    • CRS_DV: carrier sense / data valid, formed by combining the RX_DV and CRS signals of the MII interface.
10M/100M Ethernet may use the RMII interface. 1000M Ethernet requires the RGMII interface (reduced gigabit MII), which supports transfer rates up to 1000 Mbps while remaining compatible with 10/100M Ethernet. Compared with RMII, RGMII has 14 lines, which are not described in detail here. A network switch supporting 10M/100M Ethernet may therefore use an 8-way switch, whereas a network switch supporting 1000M Ethernet needs a 14-way switch.
In this embodiment, the application request for access to the internal network end includes the identity information of the user and the user's internal network access right. When the network management server verifies that the identity information of the user is correct and that the user holds the internal network access right, it sends a switching command to the network switch, and the connection of the user network end is switched to the internal network end.
When the network switch is powered on and working normally, and the user network end is powered on and connected to the network switch, the user network end can be connected to the external network end through the internal network end. The external network end hosts the network management server, which is responsible for network management. If a user wants to connect to the internal network end, the user logs in to the network management system and sends an application request for access to the internal network end, and the network management server decides, according to the identity information of the user and the user's internal network access right, whether the user network end is allowed to connect to the internal network end. When the network management server verifies that the identity information of the user is correct and that the user holds the internal network access right, it sends a switching command to the network switch to switch the network connection of the user network end to the internal network end.
In this embodiment, only when the application request for access to the internal network end passes can the external network end be switched to the internal network end, so the internal network end cannot be illegally accessed and the security of the internal network is ensured.
It should be noted that the network management server at the external network end can provide various user authentication and authorization policies according to different network security requirements.
In this embodiment, the Ethernet PHY chip has a time-domain reflectometry (TDR) function and can determine whether the port is open or shorted and the distance to the fault. The PHY also has an energy-detect function and can detect whether the signal line is receiving a signal, so whether the network connection is normal can be judged. If the network connection is abnormal, the internal network end connected to the user network end is switched over to the external network end.
The specific judgment is as follows:
if the Ethernet interface of the internal network end is open-circuited and the signal line carries no signal, it is judged that the user network end is not connected to the Ethernet interface of the internal network end and that the network connection is abnormal;
if the Ethernet interface of the internal network end is not open-circuited and the signal line carries no signal, it is judged that the user network end is in standby or powered off;
if the signal line of the internal network end carries a signal, it is judged that the user network end is using the network normally and that the network connection is normal.
When the user's computer is shut down or in standby, or the user unplugs the network cable from the computer, the network switch detects this through the PHY diagnostic function, cuts the connection between the internal network end and the user network end, and connects the user network end to the external network end, thereby preventing an illegal user from connecting directly to the internal network end through that port and ensuring that the internal network end is not illegally accessed.
When the user network end is using the internal network normally, the network switch keeps the connection between the internal network end and the user network end.
When the user network end reboots, wakes up or reconnects to the network, it must submit a new application request for access to the internal network end to the network management server.
When the user network end is powered off, in standby or disconnected from the network, the network switch automatically closes the port of the internal network end and opens only the port of the external network end, so unused internal network ports are completely closed, the security of the internal network end is ensured, and network security is greatly improved.
Corresponding to the system embodiment above, and as shown in Fig. 2, the invention further provides a switching control method for securely accessing an internal network, comprising the following steps:
S1: receiving an application request for access to the internal network end, sent by the user network end.
The application request for access to the internal network end includes the identity information of the user and the user's internal network access right.
When the network switch is powered on and working normally, and the user network end is powered on and connected to the network switch, the user network end can be connected to the external network end through the internal network end. The external network end hosts the network management server, which is responsible for network management; if a user wants to connect to the internal network end, the user logs in to the network management system and sends an application request for access to the internal network end.
S2: judging, according to the application request for access to the internal network end, whether the user network end is to be connected to the internal network end.
When the identity information of the user is verified to be correct and the user holds the internal network access right, a switching command is sent to switch the connection of the user network end to the internal network end. Otherwise, when the identity information of the user is verified to be incorrect or the user does not hold the internal network access right, the user network end is kept connected to the external network end.
S3: if the application request for access to the internal network end passes, switching the connection of the user network end to the internal network end.
In this embodiment, only when the application request for access to the internal network end passes can the external network end be switched to the internal network end, so the internal network end cannot be illegally accessed and the security of the internal network is ensured.
In one embodiment, as shown in Fig. 3, the method further comprises the following step:
S4: judging whether the network connection is normal according to whether the user network end receives a signal from the internal network end, and, if the network connection is abnormal, switching the internal network end connected to the user network end over to the external network end.
Specifically, judging whether the network connection is normal according to whether the user network end receives a signal from the internal network end comprises:
if the Ethernet interface of the internal network end is open-circuited and the signal line carries no signal, judging that the user network end is not connected to the Ethernet interface of the internal network end and that the network connection is abnormal;
if the Ethernet interface of the internal network end is not open-circuited and the signal line carries no signal, judging that the user network end is in standby or powered off;
if the signal line of the internal network end carries a signal, judging that the user network end is using the network normally and that the network connection is normal.
When the user network end is powered off, in standby or disconnected from the network, the network switch automatically closes the port of the internal network end and opens only the port of the external network end, so unused internal network ports are completely closed, the security of the internal network end is ensured, and network security is greatly improved.
Various modifications or additions may be made to the described embodiments, or alternatives may be employed, by those skilled in the art without departing from the spirit or scope of the invention as defined in the appended claims.
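The decision logic of steps S1 to S4 (and of claims 3 and 5), modelled as an added Python simulation that is not code from the patent or its assignees: the management server checks identity and intranet right, the switch moves the user network end to the internal network end only on a passing request, and the PHY diagnostics (TDR open-circuit result plus energy detect) drive the automatic fallback to the external network end. All class and function names, the user table and the credential scheme are assumptions chosen for illustration; the patent specifies no API.

```python
"""Simulation of the switching control logic described in CN112291192A.

Added example, not code from the patent or its assignees. Every name below
(Port, LinkState, PhyDiagnostics, ManagementServer, NetworkSwitch) and the
sample user table are assumptions; the patent defines behaviour, not an API.
"""
import hmac
from dataclasses import dataclass, field
from enum import Enum


class Port(Enum):
    EXTERNAL = "external"   # default position: only the extranet port is open
    INTERNAL = "internal"


class LinkState(Enum):
    NORMAL = "normal"                # signal present on the signal line
    STANDBY_OR_OFF = "standby/off"   # line not open-circuited, but no signal
    DISCONNECTED = "disconnected"    # line open-circuited and no signal


@dataclass
class PhyDiagnostics:
    """Results read from the PHY for the internal network end's port."""
    open_circuit: bool     # TDR reports the Ethernet interface open-circuited
    signal_present: bool   # energy detect sees a signal on the signal line


def judge_link(diag: PhyDiagnostics) -> LinkState:
    """Step S4 / claim 5: classify the link from TDR and energy-detect results."""
    if diag.signal_present:
        return LinkState.NORMAL
    if diag.open_circuit:
        return LinkState.DISCONNECTED
    return LinkState.STANDBY_OR_OFF


@dataclass
class ManagementServer:
    """Network management server at the external network end.

    users maps identity -> (expected credential, holds intranet access right);
    the table is constructed sample data.
    """
    users: dict

    def authorize(self, identity: str, credential: str) -> bool:
        entry = self.users.get(identity)
        if entry is None:
            return False
        expected, has_right = entry
        # Claim 3 requires both: identity verified AND intranet right held.
        identity_ok = hmac.compare_digest(expected.encode(), credential.encode())
        return identity_ok and has_right


@dataclass
class NetworkSwitch:
    server: ManagementServer
    port: Port = Port.EXTERNAL
    log: list = field(default_factory=list)

    def request_internal_access(self, identity: str, credential: str) -> Port:
        """Steps S1-S3: act on an application request for the internal network end."""
        if self.server.authorize(identity, credential):
            self.port = Port.INTERNAL
            self.log.append(f"switched to internal for {identity}")
        else:
            self.port = Port.EXTERNAL   # S2, otherwise-branch: stay on the extranet
            self.log.append(f"refused internal access for {identity}")
        return self.port

    def poll_link(self, diag: PhyDiagnostics) -> Port:
        """Step S4: close the intranet port unless the link is judged normal.

        A link that later comes back does not reopen the intranet port; the
        user network end must submit a new request (as the description states).
        """
        state = judge_link(diag)
        if self.port is Port.INTERNAL and state is not LinkState.NORMAL:
            self.port = Port.EXTERNAL
            self.log.append(f"link {state.value}: internal port closed")
        return self.port


def scenario() -> list:
    """Walk one full cycle and return the port after each event."""
    server = ManagementServer({"alice": ("s3cret", True), "bob": ("pw", False)})
    sw = NetworkSwitch(server)
    events = [
        sw.request_internal_access("bob", "pw"),         # right missing -> external
        sw.request_internal_access("alice", "wrong"),    # identity wrong -> external
        sw.request_internal_access("alice", "s3cret"),   # passes -> internal
        sw.poll_link(PhyDiagnostics(open_circuit=False, signal_present=True)),   # normal
        sw.poll_link(PhyDiagnostics(open_circuit=False, signal_present=False)),  # standby
        sw.poll_link(PhyDiagnostics(open_circuit=False, signal_present=True)),   # needs new request
    ]
    return [p.value for p in events]


if __name__ == "__main__":
    print(scenario())
```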

Claims (10)

1. A switching control system for secure access to an internal network, comprising:
a network switch for switching the user network end between the internal network end and the external network end; and
a network management server that judges, according to an application request for access to the internal network end, whether the user network end is to be connected to the internal network end, and controls the network switch to execute the corresponding switching action.
2. The switching control system for secure access to an internal network according to claim 1, wherein
the application request for access to the internal network end includes the identity information of the user and the user's internal network access right.
3. The switching control system for secure access to an internal network according to claim 2, wherein
when the network management server verifies that the identity information of the user is correct and that the user holds the internal network access right, it sends a switching command to the network switch, and the connection of the user network end is switched to the internal network end.
4. The switching control system for secure access to an internal network according to claim 1, wherein
the network switch is further configured to judge whether the network connection is normal according to whether the user network end receives a signal from the internal network end, and to switch the internal network end connected to the user network end over to the external network end if the network connection is abnormal.
5. The system as claimed in claim 4, wherein the network switch judging whether the network connection is normal according to whether the user network end receives a signal from the internal network end comprises:
if the Ethernet interface of the internal network end is open-circuited and the signal line carries no signal, judging that the user network end is not connected to the Ethernet interface of the internal network end and that the network connection is abnormal;
if the Ethernet interface of the internal network end is not open-circuited and the signal line carries no signal, judging that the user network end is in standby or powered off;
if the signal line of the internal network end carries a signal, judging that the user network end is using the network normally and that the network connection is normal.
6. A switching control method for safely accessing an internal network, characterized by comprising the following steps:
receiving an application request for access to the internal network end, sent by the user network end;
judging, according to the application request for access to the internal network end, whether the user network end is to be connected to the internal network end; and
if the application request for access to the internal network end passes, switching the connection of the user network end to the internal network end.
7. The switching control method according to claim 6, wherein the application request for access to the internal network end includes the identity information of the user and the user's internal network access right.
8. The method as claimed in claim 7, wherein switching the connection of the user network end to the internal network end if the application request for access to the internal network end passes comprises:
when the identity information of the user is verified to be correct and the user holds the internal network access right, sending a switching command to switch the connection of the user network end to the internal network end.
9. The switching control method of claim 6, further comprising:
judging whether the network connection is normal according to whether the user network end receives a signal from the internal network end, and, if the network connection is abnormal, switching the internal network end connected to the user network end over to the external network end.
10. The switching control method of claim 9, wherein judging whether the network connection is normal according to whether the user network end receives a signal from the internal network end comprises:
if the Ethernet interface of the internal network end is open-circuited and the signal line carries no signal, judging that the user network end is not connected to the Ethernet interface of the internal network end and that the network connection is abnormal;
if the Ethernet interface of the internal network end is not open-circuited and the signal line carries no signal, judging that the user network end is in standby or powered off;
if the signal line of the internal network end carries a signal, judging that the user network end is using the network normally and that the network connection is normal.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010947647.0A CN112291192B (en) 2020-09-10 2020-09-10 Switching control system and method for safely accessing internal network

Publications (2)

Publication Number Publication Date
CN112291192A true CN112291192A (en) 2021-01-29
CN112291192B CN112291192B (en) 2022-07-26

Family

ID=74420387

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114745445A (en) * 2022-04-27 2022-07-12 深圳绿米联创科技有限公司 Control method, control device, electronic equipment and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007019284A2 (en) * 2005-08-05 2007-02-15 Global Serv Inc. Methods and arrangements for managing automated switching
CN101277308A (en) * 2008-05-23 2008-10-01 杭州华三通信技术有限公司 Method for insulating inside and outside networks, authentication server and access switch
CN101860534A (en) * 2010-05-20 2010-10-13 北京星网锐捷网络技术有限公司 Method and system for switching network, access equipment and authentication server
CN105471866A (en) * 2015-11-23 2016-04-06 深圳市联软科技有限公司 Protection method and apparatus for mobile application
CN108540462A (en) * 2018-03-27 2018-09-14 深圳市永达电子信息股份有限公司 A kind of security isolation control computer system
CN108681677A (en) * 2018-05-14 2018-10-19 深圳市永达电子信息股份有限公司 Based on the double net computer methods of USB interface security isolation, apparatus and system
CN208590001U (en) * 2018-03-27 2019-03-08 深圳市永达电子信息股份有限公司 A kind of security isolation control computer system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
厉进等: "具有密码功能的网络面板设计与研究", 《科技创新导报》 *
童灵华等: "《多智能优化算法的配电网状态估计》", 《电网与清洁能源》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant