CN112565209B - Network element equipment access control method and equipment - Google Patents


Info

Publication number
CN112565209B
Authority
CN
China
Prior art keywords
network element
user
usb key
access control
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011330784.6A
Other languages
Chinese (zh)
Other versions
CN112565209A (en)
Inventor
皮滔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Cisco Networking Technology Co Ltd
Original Assignee
Inspur Cisco Networking Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inspur Cisco Networking Technology Co Ltd
Priority to CN202011330784.6A
Publication of CN112565209A
Application granted
Publication of CN112565209B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer

Abstract

The application discloses a network element device access control method and device, which address the problem that existing access control schemes are easily defeated, placing the network at risk and exposing network users to considerable danger. The method comprises the steps of: receiving an access request from a user; according to five-tuple information in the access request, acquiring an access control list configured in advance in a USB KEY connected to the network element device; authenticating the five-tuple information against the access control list; after the authentication passes, acquiring a PIN code input by the user and verifying it against the PIN code of the USB KEY acquired in advance; and requesting account information based on the verification result and, according to the account information, determining that the corresponding user has accessed successfully. The USB KEY is applied to the network element device, the user name and user password of the network element device are authenticated, and access is possible only when the USB KEY, the PIN code and the account information are all possessed at the same time, so that security and reliability in the access stage are improved.

Description

Network element equipment access control method and equipment
Technical Field
The present application relates to the field of communications network technologies, and in particular, to a network element device access control method and device.
Background
With the rapid development of communication network technology, the means for controlling access to network element devices are becoming more and more diverse. Currently, the access control modes supported by a network element device include Telnet protocol access control, Secure Shell (SSH) protocol access control, Simple Network Management Protocol (SNMP) access control, HyperText Transfer Protocol (HTTP) access control, File Transfer Protocol (FTP) access control, Trivial File Transfer Protocol (TFTP) access control, and other access control modes carried over basic protocols such as Telnet, SSH, SNMP, HTTP, FTP and TFTP, for example graphical access control based on the SNMP, Telnet and SSH protocols.
In today's complex network environment, network element devices are frequently subjected to network attacks when accessed through these access control methods. Against the traditional network element device access control schemes above, a network attacker can forge a source IP address, protocol number or source port that carries the identity information of another entity and impersonate that entity, thereby bypassing the access validity check of the access control list in the network element device software; or the attacker can obtain the user name and user password of the network element device by network sniffing, brute-force cracking and the like. Either way, the attacker gains access control authority over the network element device, the network is placed at risk, and network users are exposed to considerable danger.
Disclosure of Invention
The embodiment of the application provides a network element device access control method and device, which address the problem that existing access control schemes are easily defeated, placing the network at risk and exposing network users to considerable danger.
A network element device access control method provided in an embodiment of the present application includes: the network element device receives an access request from a user; according to five-tuple information in the access request, acquires an access control list configured in advance in a USB KEY connected to the network element device; authenticates the five-tuple information against the access control list; after the authentication passes, acquires a PIN code input by the user and verifies it against the PIN code of the USB KEY acquired in advance; and requests account information based on the verification result and, according to the account information, determines that the corresponding user has accessed successfully.
In one example, before the network element device receives the access request from the user, the method further includes: determining that a USB KEY has been connected to the network element device, and configuring a binding command for the USB KEY and the network element device; acquiring a PIN code input by the user, and verifying it against the PIN code of the USB KEY acquired in advance; and after the verification succeeds, writing the MAC address of the network element device into the USB KEY and configuring an access control list into the USB KEY for encrypted storage.
In one example, writing the MAC address of the network element device into the USB KEY and configuring the access control list into the USB KEY for encrypted storage specifically includes: reading the MAC address bound to the USB KEY; if the USB KEY has no bound MAC address, encrypting and writing the MAC address of the network element device into the USB KEY, binding that MAC address to the USB KEY, and configuring an access control list into the USB KEY for encrypted storage; if the USB KEY already has a bound MAC address, judging whether the bound MAC address is that of the network element device; if it is, configuring an access control list into the USB KEY for encrypted storage; if it is not, ending the configuration process.
In one example, the network element device receiving an access request from a user specifically includes: when a service daemon of the network element device detects an access request, it determines the socket corresponding to the access request; and when that socket is readable, it acquires the five-tuple information of the access request through the socket.
In one example, acquiring, according to the five-tuple information in the access request, the access control list configured in advance in the USB KEY connected to the network element device specifically includes: calling, according to the five-tuple information in the access request, an interface corresponding to the USB KEY connected to the network element device; and acquiring, through that interface, the access control list pre-configured in the USB KEY.
In one example, authenticating the five-tuple information against the access control list specifically includes: judging whether the five-tuple information matches the rules of the access control list; if it does, determining that the authentication succeeds; and if it does not, denying the user access.
In one example, acquiring the PIN code input by the user after the authentication has passed specifically includes: creating a corresponding sub-process according to the type of the socket corresponding to the access request, and starting the sub-process; requesting the user to input a PIN code through the sub-process; and acquiring the PIN code input by the user.
In one example, requesting account information based on the verification result and determining, according to the account information, that the corresponding user has accessed successfully specifically includes: acquiring account information of a local user based on a successful verification result; and after the account information of the local user is successfully authenticated, determining that the corresponding user has accessed successfully.
In one example, requesting account information based on the verification result and determining, according to the account information, that the corresponding user has accessed successfully specifically includes: acquiring account information of a remote server based on a successful verification result and a remote authentication request; and after the account information of the remote server is successfully authenticated, determining that the corresponding user has accessed successfully.
A network element device access control device provided in an embodiment of the present application includes: at least one processor; and a memory communicatively coupled to the at least one processor, the memory storing instructions executable by the at least one processor that enable it to: receive an access request from a user; according to five-tuple information in the access request, acquire an access control list configured in advance in a USB KEY connected to the network element device; authenticate the five-tuple information against the access control list; after the authentication passes, acquire a PIN code input by the user and verify it against the PIN code of the USB KEY acquired in advance; and request account information based on the verification result and, according to the account information, determine that the corresponding user has accessed successfully.
The embodiment of the application adopts at least one technical scheme that achieves the following beneficial effects:
By applying the USB KEY to the network element device, unified access management is carried out over the different access control modes. The USB KEY provides encrypted data storage, and the access control list is written into the USB KEY to keep it confidential. A user can access normally only if the access request conforms to the filtering rules of the access control list held in the USB KEY; authentication is then performed with the PIN code of the USB KEY, and only after the PIN code is verified are the user name and user password of the network element device authenticated. Access is therefore possible only when the USB KEY, the PIN code, and the user name and user password of the network element device are all possessed at the same time, which improves security and reliability in the password authentication stage, greatly improves the access control security of the network element device, and reduces the risk to network users.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a flowchart of a network element device access control method according to an embodiment of the present application;
fig. 2 is a flowchart illustrating binding of a USB KEY and a network element device according to an embodiment of the present application;
fig. 3 is a flowchart of another network element device access control method according to an embodiment of the present application;
fig. 4 is a schematic diagram of a specific network element device access control method according to an embodiment of the present application;
fig. 5 is a structural diagram of an access control device of a network element device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In today's complex network environment, network element devices often suffer network attacks when being accessed. Against the traditional network element device access control schemes, a network attacker can forge a source IP address, protocol number or source port that carries the identity information of another entity and impersonate that entity, thereby bypassing the access validity check of the access control list in the network element device software; or the attacker can obtain the user name and user password of the network element device by network sniffing, brute-force cracking and the like. Either way, the attacker gains access control authority over the network element device, the network is placed at risk, and network users are exposed to considerable danger.
The embodiment of the application provides a network element device access control method and device in which unified access management is carried out over the different access control modes by applying a USB KEY to the network element device. The USB KEY provides encrypted data storage, and the access control list is written into the USB KEY to keep it confidential. A user can access normally only if the access request conforms to the filtering rules of the access control list held in the USB KEY; authentication is then performed with the PIN code of the USB KEY, and only after the PIN code is verified are the user name and user password of the network element device authenticated. Access is therefore possible only when the USB KEY, the PIN code, and the user name and user password of the network element device are all possessed at the same time, which improves security and reliability in the password authentication stage, greatly improves the access control security of the network element device, and reduces the risk to network users.
The technical solutions proposed in the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Fig. 1 is a flowchart of a network element device access control method provided in an embodiment of the present application, which specifically includes the following steps:
S101: the network element device receives an access request from a user.
When the service daemon of the network element device detects an access request from a user, it receives the access request.
In the embodiment of the present application, the network element device creates one service daemon for all external access requests, and the service daemon creates a socket of the corresponding type for each access mode supported by the network element device. When a socket of a certain type becomes readable, an access request for that socket is pending. By creating the service daemon, a single process can monitor all external access requests, replacing the approach in which each service needs its own process; this reduces the total number of processes in the system and allows all access modes to be filtered and controlled uniformly.
The access modes include, but are not limited to, Telnet protocol access control, SSH protocol access control, SNMP protocol access control, HTTP protocol access control, FTP protocol access control and TFTP protocol access control.
When the service daemon of the network element device detects an access request from a user, it determines the socket corresponding to the access request; when that socket is readable, an access request has arrived on it. The network element device then obtains the five-tuple information of the user's access request through the readable socket. The five-tuple information generally refers to the source IP address, source port, destination IP address, destination port and transport layer protocol.
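The single-daemon design of S101, as an added example that is not the patent's or Inspur's code: one process registers a loopback TCP listener per access mode with selectors, and when a listener becomes readable it accepts the request and extracts the five-tuple that the ACL stage needs. ServiceDaemon, five_tuple_of and connect_client are names assumed for this example; only TCP modes are modeled, and the per-mode sub-process of S104 is left out.

```python
"""One service daemon watching every access-mode listener (S101 of the description).

Constructed example: listeners are plain TCP sockets on loopback and the access
modes are labels; the real daemon would also hand the request to a per-mode sub-process.
"""
import selectors
import socket
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def five_tuple_of(conn: socket.socket, proto: str = "tcp") -> FiveTuple:
    """The requester (peer) side is the source; the network element (local) side is the destination."""
    src_ip, src_port = conn.getpeername()[:2]
    dst_ip, dst_port = conn.getsockname()[:2]
    return FiveTuple(src_ip, src_port, dst_ip, dst_port, proto)


class ServiceDaemon:
    """A single process registers one socket per access mode and waits for any to be readable."""

    def __init__(self) -> None:
        self._sel = selectors.DefaultSelector()
        self._listeners: Dict[str, socket.socket] = {}

    def listen(self, mode: str, host: str = "127.0.0.1", port: int = 0) -> Tuple[str, int]:
        """Open the listener for one access mode (e.g. "ssh", "telnet"); port 0 picks a free port."""
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        srv.setblocking(False)
        self._sel.register(srv, selectors.EVENT_READ, data=mode)  # data = access mode label
        self._listeners[mode] = srv
        return srv.getsockname()[:2]

    def poll(self, timeout: float = 1.0) -> List[Tuple[str, FiveTuple, socket.socket]]:
        """A readable listener means a pending request for that mode: accept it and return
        (mode, five-tuple, connection) so the ACL stage (S102/S103) can run on the tuple."""
        ready = []
        for key, _ in self._sel.select(timeout):
            try:
                conn, _ = key.fileobj.accept()
            except BlockingIOError:   # readiness was spurious (peer reset before accept)
                continue
            ready.append((key.data, five_tuple_of(conn), conn))
        return ready

    def close(self) -> None:
        for srv in self._listeners.values():
            self._sel.unregister(srv)
            srv.close()
        self._sel.close()


def connect_client(addr: Tuple[str, int]) -> socket.socket:
    """Helper for exercising the daemon locally: open a TCP connection to one listener."""
    return socket.create_connection(addr)
```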
Before access control is performed on the network element device, the USB KEY must be bound to the network element device in advance. The embodiment of the present application provides a specific process for binding a USB KEY to a network element device; as shown in fig. 2, the binding process includes the following steps:
Step one: configuring a binding command for the USB KEY and the network element device.
The user inserts the USB KEY into the USB interface of the network element device; because the USB KEY is driver-free, the network element device identifies it correctly. The server of the network element device determines that a USB KEY has been connected and, following the user's instruction, configures a binding command for the USB KEY and the network element device.
The USB KEY is a low-cost, driver-free and portable hardware device with a built-in CPU, memory and chip operating system. It can store a user's secret key or digital certificate, connects to a terminal through a USB interface, and runs directly under the Windows, Mac OS and Linux operating systems.
When the USB KEY is used in a network system, the network terminal is reduced to a data transmission medium: all security-related operations are completed inside the USB KEY, so the sensitive data are well protected. At the same time, the USB KEY provides both data encryption and data storage, and offers several hardware encryption modes.
The embodiment of the application organically combines the application characteristics of the USB KEY with the existing access control modes of the network element device to form a combined hardware and software access control method for the network element device, which greatly improves the access control security of the network element device and reduces the risk to network users.
Step two: performing PIN code verification.
Each USB KEY has a hardware PIN code; the PIN code is the password required to use the USB KEY, and only a user who knows the PIN code is entitled to use it. Therefore a user can pass identity authentication only by possessing both the USB KEY and the PIN code.
Before binding the USB KEY, the network element device obtains the PIN code of the USB KEY in advance, and prompts the user to input the PIN code of the USB KEY during binding. The network element device then verifies whether the PIN code input by the user is correct against the pre-acquired PIN code of the USB KEY; when the verification succeeds, the PIN code input by the user is determined to be correct and the USB KEY can be bound.
Step three: setting the MAC address bound to the USB KEY to the MAC address of the network element device.
In this embodiment, the network element device reads the address binding field of the USB KEY to determine which MAC address the USB KEY is bound to. If the address binding field of the USB KEY is empty, the USB KEY is not bound to any other network element device, and the MAC address of the network element device is encrypted and written into the USB KEY.
If the address binding field of the USB KEY is not empty, the MAC address bound to the USB KEY is determined; if that MAC address is not the MAC address of the network element device, the USB KEY is bound to another network element device, and the binding process between the USB KEY and the network element device ends.
Step four: configuring the access control list into the USB KEY.
In the embodiment of the application, after the MAC address of the network element device has been encrypted and written into the USB KEY, or after the MAC address bound to the USB KEY has been determined to be the MAC address of the network element device, the network element device configures the access control list into the USB KEY for encrypted storage.
The access control list contains the restrictions on data transmission access, and is used to verify the five-tuple information in an access request and to decide whether to accept the data in the access request.
In the embodiment of the application, the network element device stores its MAC address in one address segment of the USB KEY and configures the access control list in another address segment of the USB KEY, and reads the two partitions separately, so that the pieces of information written into the USB KEY cannot affect each other.
S102: and acquiring an access control list pre-configured by the USB KEY connected with the network element equipment according to the quintuple information in the access request.
And the network element equipment acquires the access control list configured in the USB KEY in the binding process according to the quintuple information in the access request.
In the embodiment of the present application, a function interface library of the USB KEY is pre-integrated in the network element device. Therefore, when the user accesses the network element device in different access modes, the network element device can call a preset USB KEY function according to the quintuple information in the access request, call an interface corresponding to the USB KEY connected with the network element device through the USB KEY function, and acquire an access control list pre-configured in the USB KEY through the USB KEY interface.
S103: the five-tuple information is authenticated based on the access control list.
And the network element equipment authenticates the quintuple information in the USB KEY access request according to the acquired access control list.
In the embodiment of the application, the network element device authenticates the five-tuple information in the access request through the access control list. If the authentication is successful, the access request is allowed to access, and the network element equipment receives the access request of the USB KEY.
Specifically, the network element device judges whether quintuple information in an access request of a user conforms to a rule of an access control list; and if the quintuple information in the access request of the user accords with the rule of the access control list and indicates that the access request is allowed to be accessed, determining that the authentication is successful. If the quintuple information in the access request of the user does not accord with the rule of the access control list, the access of the user is refused, and the network element equipment refuses to receive the access request of the user.
According to the embodiment of the application, the USB KEY firmware inserted into the USB interface of the network element equipment is used for performing access control authentication on the network element equipment, so that compared with the traditional pure software access control filtering and authentication, the security and reliability of the authentication are effectively improved, the authentication is associated and integrated with various access control modes, the unified management of access control and login passwords is provided, and the potential safety protection problem in various access control mode scenes is effectively solved.
S104: and after the authentication is confirmed to pass, acquiring the PIN code input by the user, and verifying the PIN code input by the user according to the PIN code of the USB KEY acquired in advance.
And after the network element equipment determines that the quintuple information passes the authentication, the network element equipment requests the user to input a PIN code, and verifies the PIN code input by the user according to the PIN code of the USB KEY acquired during binding.
In this embodiment, the network element device may create a corresponding sub-process according to the type of the socket, so as to serve different access modes. Then, the network element equipment determines the type of the socket according to the socket corresponding to the access request of the user, and then creates a corresponding sub-process according to the type of the socket and starts the sub-process; and finally, the network element equipment requests the user to input the PIN through the subprocess, acquires the PIN input by the user, and verifies the PIN input by the user and the PIN of the USB KEY which is acquired in advance.
According to the embodiment of the application, the network element equipment access control filtering and authentication are carried out through the USB KEY firmware, and the identity authentication can be passed only if the user has the USB KEY and the PIN code at the same time, so that the safety and the reliability of the user identity authentication process are improved more effectively compared with the traditional pure software access control filtering and authentication.
S105: and requesting account information based on the verification result, and determining that the corresponding user is successfully accessed according to the account information.
And the network element equipment determines that the user inputs the correct PIN code of the USB KEY according to the PIN code input by the user and the verification result of the PIN code of the USB KEY acquired in advance, and then requests account information of the user. And after the network element equipment judges that the account name and the account password input by the user are correct, determining that the user access corresponding to the account information is successful.
In the embodiment of the application, a user can log in by using a local account and also can log in by using a remote account.
When a local account logs in, after the network element equipment determines that a PIN code input by a user is successfully verified, the network element equipment requests the user to input account information, the user selects and inputs the account information of the local user, and after the network element equipment successfully authenticates the account information of the local user input by the user, the network element equipment determines that the corresponding user successfully accesses.
When a remote account logs in, after the network element equipment determines that a PIN code input by a user is successfully verified, local remote authentication is configured, the user is requested to input account information, the user selects and inputs the account information of a remote server, and after the network element equipment successfully authenticates the account information of the remote server input by the user, the corresponding user is determined to be successfully accessed.
According to the authentication method and the authentication device, the safety and the reliability in the authentication stage are greatly improved through the dual authentication mode of USB KEY authentication and account information authentication of the user.
The embodiment of the present application further provides another flow chart of a network element device access control method, as shown in fig. 3, a user requests access, and a service daemon of the network element device receives quintuple information in the access request of the user and obtains an access control list preconfigured by a USB KEY connected to the network element device; authenticating the quintuple information through the access control list; and after the authentication is determined to pass, the network element equipment acquires the PIN code input by the user, verifies the PIN code input by the user, prompts the user to input account information after the verification is successful, and determines that the corresponding user access is successful according to the account information.
It should be noted that the method shown in fig. 3 is substantially the same as the method shown in fig. 1, and the parts not described in detail in fig. 3 may specifically refer to the related description of fig. 1, which is not described again herein.
The embodiment of the present application further provides a specific schematic diagram of a network element device access control method, as shown in fig. 4:
the USB KEY 22 is connected to the network element device 20 through the USB interface 21 of the device, and the network element device 20 reads the access control list of the USB KEY 22 by calling the interface of the USB KEY 22. When a user accesses the network element device 20 in any of the supported access modes and a service daemon of the network element device 20 detects the user's access request, the daemon calls the USB KEY interface function to read the access control list stored in the USB KEY 22 and matches the quintuple information of the access request against that list. If the access control list permits the connection, the corresponding protocol server of the network element device accepts the connection, prompts the user to input the PIN code of the USB KEY 22 for PIN code verification, and, after the PIN code is verified successfully, requests the user to input local or remote account information for account information authentication.
The access modes are specifically console interface access control, Telnet protocol access control, SSH protocol access control, HTTP protocol access control, FTP protocol access control and TFTP protocol access control.
It should be noted that, because the console port access mode among these runs directly on the serial device of the network element device and therefore carries no network quintuple to match, it does not pass through the access control list filtering stage but enters the password (PIN code and account information) authentication stage directly.
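The following Python program is an added illustration and is not code from the patent or its assignee. It simulates the chain described for figs. 3 and 4: the quintuple is matched against a first-match access control list that fails closed, then the PIN code is verified, then the account is authenticated either locally or through a remote authentication server, and console access skips the access control list stage. The rule format, the PBKDF2-based storage of PIN and password verifiers, the three-attempt lockout and the remote authentication callback are assumptions made for the example; a real USB KEY verifies the PIN on the token itself and keeps its own retry counter, which is preferable to the host holding the PIN or any derivative of it.

```python
"""Added simulation of the access-control chain: ACL on the quintuple, then
USB KEY PIN verification, then local or remote account authentication.
Console access skips the ACL stage.  All data here is constructed."""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Quintuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str                      # "tcp" or "udp"


@dataclass(frozen=True)
class AclRule:
    action: str                     # "permit" or "deny"
    src_net: str                    # CIDR of the source range
    dst_port: Optional[int] = None  # None matches any destination port
    proto: Optional[str] = None     # None matches any protocol

    def matches(self, q: Quintuple) -> bool:
        return (ipaddress.ip_address(q.src_ip) in ipaddress.ip_network(self.src_net)
                and self.dst_port in (None, q.dst_port)
                and self.proto in (None, q.proto))


def acl_permits(acl: list, q: Quintuple) -> bool:
    """First matching rule decides; no match means deny (fail closed)."""
    for rule in acl:
        if rule.matches(q):
            return rule.action == "permit"
    return False


def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class PinVerifier:
    """Stand-in for the USB KEY's PIN check (assumption: salted hash plus a
    retry counter; a real token does this on-chip)."""
    salt: bytes
    digest: bytes
    max_attempts: int = 3           # assumed lockout threshold
    failures: int = 0

    @classmethod
    def enroll(cls, pin: str) -> "PinVerifier":
        salt = os.urandom(16)
        return cls(salt, _kdf(pin, salt))

    def verify(self, pin: str) -> bool:
        if self.failures >= self.max_attempts:
            return False            # locked: refuse even a correct PIN
        if hmac.compare_digest(self.digest, _kdf(pin, self.salt)):
            self.failures = 0
            return True
        self.failures += 1
        return False


def make_local_db(users: dict) -> dict:
    """Local account store: username -> (salt, PBKDF2 digest)."""
    out = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        out[name] = (salt, _kdf(pw, salt))
    return out


def local_auth(db: dict, user: str, password: str) -> bool:
    salt, digest = db.get(user, (b"", b""))
    return bool(salt) and hmac.compare_digest(digest, _kdf(password, salt))


def handle_access(mode, quintuple, acl, pin_verifier, pin, user, password,
                  local_db=None, remote_auth=None):
    """Run the stages in order and report where the request stopped.
    mode is one of "console", "telnet", "ssh", "http", "ftp", "tftp";
    remote_auth is an assumed callback standing in for the remote server."""
    if mode != "console":           # serial console carries no quintuple
        if quintuple is None or not acl_permits(acl, quintuple):
            return ("denied", "acl")
    if not pin_verifier.verify(pin):
        return ("denied", "pin")
    if remote_auth is not None:
        ok, source = remote_auth(user, password), "remote"
    else:
        ok, source = local_auth(local_db or {}, user, password), "local"
    return ("granted", source) if ok else ("denied", "account")


if __name__ == "__main__":
    acl = [AclRule("deny", "10.0.0.0/24", 23),           # no Telnet from the LAN
           AclRule("permit", "10.0.0.0/24", 22, "tcp")]  # SSH from the LAN only
    pv = PinVerifier.enroll("123456")
    db = make_local_db({"admin": "correct horse"})
    ssh = Quintuple("10.0.0.5", 51000, "10.0.0.1", 22, "tcp")
    print(handle_access("ssh", ssh, acl, pv, "123456", "admin", "correct horse", db))
    print(handle_access("console", None, acl, pv, "123456", "admin", "correct horse", db))
```

The order of the stages is the security-relevant part: sources the access control list rejects never reach a PIN prompt, so the token's retry budget is exposed only to permitted addresses, and the denial reason returned here is meant for the device's own log, not for the client.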
Based on the same inventive concept, an embodiment of the present application further provides a network element device access control device corresponding to the foregoing network element device access control method, as shown in fig. 5.
Fig. 5 is a schematic structural diagram of an apparatus provided in an embodiment of the present application, which specifically includes:
at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to: receiving an access request of a user; acquiring an access control list configured in advance by a USB KEY connected with the network element equipment according to quintuple information in the access request; authenticating the quintuple information based on the access control list; after the authentication is confirmed to pass, acquiring a PIN code input by the user, and verifying the PIN code input by the user according to the PIN code of the USB KEY acquired in advance; and requesting account information based on the verification result, and determining that the corresponding user is successfully accessed according to the account information.
The embodiments in the present application are described in a progressive manner, and the same and similar parts among the embodiments can be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A network element device access control method, comprising:
the network element equipment receives an access request of a user;
acquiring an access control list configured in advance by a USB KEY connected with network element equipment according to quintuple information in the access request; wherein the access control list is stored in an encrypted manner;
authenticating the quintuple information based on the access control list;
after the authentication is confirmed to pass, acquiring a PIN code input by a user, and verifying the PIN code input by the user according to the PIN code of the USB KEY acquired in advance;
and requesting account information based on the verification result, and determining that the corresponding user access is successful according to the account information.
2. The method of claim 1, wherein before the network element device receives the access request from the user, the method further comprises:
determining that a USB KEY has been connected to the network element device, and configuring a binding command between the USB KEY and the network element device;
acquiring a PIN code input by a user, and verifying the PIN code input by the user based on the PIN code of the USB KEY acquired in advance;
and after the verification is successful, writing the MAC address of the network element device into the USB KEY, and configuring an access control list to the USB KEY for encrypted storage.
3. The method according to claim 2, wherein writing the MAC address of the network element device into the USB KEY, and configuring an access control list to the USB KEY for encrypted storage specifically includes:
reading the MAC address bound by the USB KEY;
if the USB KEY does not have the bound MAC address, encrypting and writing the MAC address of the network element equipment into the USB KEY, binding the MAC address with the USB KEY, and configuring an access control list to the USB KEY for encrypted storage;
if the USB KEY has a bound MAC address, judging whether the bound MAC address is the MAC address of the network element equipment;
if the bound MAC address is the MAC address of the network element equipment, configuring an access control list to the USB KEY for encrypted storage; if the bound MAC address is not the MAC address of the network element equipment, ending the configuration process.
4. The method of claim 1, wherein the receiving, by the network element device, the access request of the user specifically includes:
when monitoring an access request, a service daemon of network element equipment determines a socket corresponding to the access request;
and when the socket corresponding to the access request is readable, acquiring quintuple information of the access request through the socket.
5. The method according to claim 1, wherein obtaining, according to quintuple information in the access request, an access control list preconfigured by a USB KEY connected to the network element device specifically includes:
calling an interface corresponding to the USB KEY connected with the network element equipment according to the quintuple information in the access request;
and acquiring an access control list which is pre-configured in the USB KEY through the interface.
6. The method according to claim 1, wherein authenticating the quintuple information based on the access control list specifically comprises:
judging whether the quintuple information conforms to the rules of the access control list;
if the quintuple information conforms to the rules of the access control list, determining that the authentication is successful;
and if the quintuple information does not conform to the rules of the access control list, denying the user access.
7. The method according to claim 4, wherein obtaining the PIN code input by the user after the authentication is determined to pass specifically comprises:
creating a corresponding sub-process according to the type of the socket corresponding to the access request, and starting the sub-process;
requesting a user to input a PIN code through the sub-process;
and acquiring the PIN code input by the user.
8. The method according to claim 1, wherein the requesting account information based on the verification result and determining that the corresponding user access is successful according to the account information specifically includes:
acquiring account information of a local user based on a successful verification result;
and after the account information of the local user is successfully authenticated, determining that the corresponding user is successfully accessed.
9. The method according to claim 1, wherein the requesting account information based on the verification result and determining that the corresponding user access is successful according to the account information specifically includes:
acquiring account information of a remote server based on a successful verification result and a remote authentication request;
and after the account information of the remote server is successfully authenticated, determining that the corresponding user is successfully accessed.
10. A network element device access control device, comprising:
at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to:
receiving an access request of a user;
acquiring an access control list configured in advance by a USB KEY connected with network element equipment according to quintuple information in the access request; wherein the access control list is stored in an encrypted manner;
authenticating the quintuple information based on the access control list;
after the authentication is confirmed to pass, acquiring a PIN code input by a user, and verifying the PIN code input by the user according to the PIN code of the USB KEY acquired in advance;
and requesting account information based on the verification result, and determining that the corresponding user access is successful according to the account information.
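The following Python program is an added illustration of the binding and provisioning procedure of claims 2 and 3 and is not code from the patent or its assignee. The simulated token, its internal key, the record format and the retry limit are assumptions made for the example; a real USB KEY performs the PIN check and the encryption on-chip behind a vendor interface, so only the control flow of bind_and_configure carries over. The encrypted storage uses HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, a standard-library stand-in chosen so the example runs without third-party packages. The final function, key_belongs_to, is an addition beyond the claims: the check a practitioner would repeat at access time, before trusting an access control list read from a token that may have been bound elsewhere.

```python
"""Added simulation of USB KEY binding (claims 2-3): PIN first, bind a fresh
token to this device's MAC, update the ACL on the bound device, and abort on
a token bound to another device.  Token internals are constructed."""
import hashlib
import hmac
import json
import os
from typing import Optional


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; stdlib stand-in for the token's cipher.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("USB KEY record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class SimUsbKey:
    """Two sealed records (bound MAC, ACL) behind a PIN-gated interface."""
    MAX_PIN_TRIES = 3               # assumed retry limit before the token locks

    def __init__(self, pin: str):
        self._k = os.urandom(32)    # token-internal key, never exported
        self._pin_salt = os.urandom(16)
        self._pin_digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), self._pin_salt, 50_000)
        self._tries = 0
        self._mac_rec: Optional[bytes] = None
        self._acl_rec: Optional[bytes] = None

    def verify_pin(self, pin: str) -> bool:
        if self._tries >= self.MAX_PIN_TRIES:
            return False
        d = hashlib.pbkdf2_hmac("sha256", pin.encode(), self._pin_salt, 50_000)
        if hmac.compare_digest(d, self._pin_digest):
            self._tries = 0
            return True
        self._tries += 1
        return False

    def read_mac(self) -> Optional[str]:
        return None if self._mac_rec is None else unseal(self._k, self._mac_rec).decode()

    def write_mac(self, mac: str) -> None:
        self._mac_rec = seal(self._k, mac.encode())

    def read_acl(self) -> list:
        return [] if self._acl_rec is None else json.loads(unseal(self._k, self._acl_rec))

    def write_acl(self, acl: list) -> None:
        self._acl_rec = seal(self._k, json.dumps(acl).encode())


def normalize_mac(mac: str) -> str:
    return mac.replace("-", ":").lower()


def bind_and_configure(key: SimUsbKey, device_mac: str, pin: str, acl: list) -> str:
    """Claim 3 control flow; returns the outcome for the device's log."""
    if not key.verify_pin(pin):
        return "pin-rejected"
    bound = key.read_mac()
    if bound is None:               # fresh token: bind it and store the ACL
        key.write_mac(normalize_mac(device_mac))
        key.write_acl(acl)
        return "bound"
    if bound == normalize_mac(device_mac):
        key.write_acl(acl)          # already ours: only the ACL changes
        return "updated"
    return "foreign-key"            # bound to another device; end configuration


def key_belongs_to(key: SimUsbKey, device_mac: str) -> bool:
    """Added check worth repeating at access time before trusting the ACL."""
    return key.read_mac() == normalize_mac(device_mac)
```

The tamper check in unseal is what makes the encrypted storage worth having: a token whose access control list can be edited offline would let an attacker loosen the rules without ever passing the PIN stage, so the daemon should treat an integrity failure as a deny, not as an empty list.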
Application CN202011330784.6A, priority date 2020-11-24, filing date 2020-11-24, legal status Active.

Publications (2)

Publication Number	Publication Date
CN112565209A	2021-03-26
CN112565209B	2022-04-08

Family ID: 75043418 (CN only)

Legal Events

Code	Title
PB01	Publication
SE01	Entry into force of request for substantive examination
GR01	Patent grant